Earn CEU credit Cathy Garrey, Connect with your - Health Care ...

Volume Ten
Number Ten
October 2008
Published Monthly
Meet
Cathy Garrey,
Compliance and Quality
Assurance Manager,
McHenry County Mental
Health Board
page 14
Connect with your
Peers—Use HCCA’s
Compliance & Ethics
Social Network
Fi n d o u t h o w o n p a g e 9
Earn CEU credit
see i n s e rt
Exploring the question:
Does this really m a k e
a compliance program
“effective”
page 27
Feature Focus:
Coordinating
external requests for
information in the
Compliance Office
page 38

What’s Your Ethical Climate
Organizational climates change as
organizations grow and evolve. So, how can
you ensure attitudes and behaviors remain
consistent with core values Look to Global
Compliance, the single provider offering a
comprehensive framework to protect your
organization from financial, legal, and
reputational harm.
• Ethics and compliance risk
assessment
• Code of conduct
• Communication campaigns
• Online, computer-based, and
instructor-led training
• Hotlines/Helplines
• Case management
• Investigations
• Data analytics
• Mystery shopping
• Ethics and compliance evaluations
• Employee exit interviews
Contact the ethics and compliance leader
that is already serving over one-half of
America’s Fortune 100 and one-third of
America’s Fortune 1000 along with colleges,
universities, and government entities. And,
we’re proud to claim greater than 450
health care organizations as clients.
With 27 years of experience and the most
comprehensive product and service offering
in the industry, Global Compliance can
help you develop and maintain an ethical
climate that’s appealing to employees,
patients, and stakeholders.
Making the world a better workplace TM
13950 Ballantyne Corporate Place • Charlotte, NC, USA 28277
866-434-7009 • contactus@globalcompliance.com
www.globalcompliance.com
© 2008 Global Compliance. All Rights Reserved.

INSIDE
Publisher:
Health Care Compliance Association, 888-580-8373
Executive Editor:
Roy Snell, CEO, roy.snell@hcca-info.org
Contributing Editor:
Gabriel Imperato, JD, CHC, 888-580-8373
Manager, Articles and Advertisments:
Margaret R. Dragon, 781-593-4924, margaret.dragon@hcca-info.org
Communications Editor:
Patricia Mees, CHC, CCEP, 888-580-8373, patricia.mees@hcca-info.org
Layout:
Gary DeVaan, 888-580-8373, gary.devaan@hcca-info.org
HCCA Officers:
Rory Jaffe, MD, MBA, CHC
HCCA President
Julene Brown, RN, BSN, CHC, CPC
HCCA 1st Vice President
Billing Compliance Manager
MeritCare Health System
Jennifer O’Brien, JD, CHC
HCCA 2nd Vice President
Shareholder
Halleland Lewis Nilan & Johnson PA
Urton Anderson, PhD, CCEP
HCCA Treasurer
Chair, Department of Accounting and
Clark W. Thompson Jr. Professor in
Accounting Education
McCombs School of Business
University of Texas
Gabriel Imperato, Esq, CHC
HCCA Secretary
Managing Partner
Broad and Cassel
Shawn Y. DeGroot, CHC-F, CCEP
Non-Officer Board Member of
Executive Committee
Vice President Of Corporate Responsibility
Regional Health
Steven Ortquist, JD, CHC-F, CCEP, CHRC
HCCA Immediate Past President
Partner
Meade & Roach
CEO/Executive Director:
Roy Snell, CHC, CCEP
Health Care Compliance Association
Counsel:
Keith Halleland, Esq.
Halleland Lewis Nilan & Johnson PA
Board of Directors:
Marti Arvin, JD, CHC-f, CPC, CCEP, CHRC
Privacy Officer
University of Louisville
Angelique P. Dorsey, CHRC
Research Compliance Director
MedStar Health
Dave Heller
Chief Ethics & Compliance Officer
Qwest Communications
Joseph Murphy, JD, CCEP
Co-Founder Integrity Interactive
Co-Editor ethikos
Karen A. Murray, MBA, FACHE, CHC, CHA
Corporate Compliance Officer
Yale New Haven Hospital
F. Lisa Murtha, JD, CHC
Managing Director
Huron Consulting Group
Daniel Roach, Esq.
Vice President Compliance and Audit
Catholic Healthcare West
Frank Sheeder, JD, CCEP
Partner
Jones Day
Debbie Troklus, CHC-F, CCEP, CHRC
Assistant Vice President
for Health Affairs/Compliance
University of Louisville
Sheryl Vacca, CHC-F, CCEP, CHRC
Senior Vice President/Chief Compliance
and Audit Officer
University of California
Greg Warner, CHC
Director for Compliance
Mayo Clinic
Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care Compliance
Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscription
rate is $295 a year for nonmembers. Periodicals postage-paid at Minneapolis, MN
55435. Postmaster: Send address changes to Compliance Today, 6500 Barrie Road,
Suite 250, Minneapolis, MN 55435. Copyright 2008 Health Care Compliance Association.
All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this
publication may be reproduced, in any form or by any means without prior written consent
of the HCCA. For subscription information and advertising rates, call Margaret Dragon
at 781-593-4924. Send press releases to M. Dragon, PO Box 197, Nahant, MA 01908.
Opinions expressed are not those of this publication or the HCCA. Mention of products and
services does not constitute endorsement. Neither the HCCA nor CT is engaged in rendering
legal or other professional services. If such assistance is needed, readers should consult
professional counsel or other professional advisors for specific legal or ethical questions.
4 Cultural competency standards: Using the GAO Yellow Book
elements — By Maria B.J. Chun
9 Introducing Compliance & Ethics Social Networking
— By Shawn Leonard
10 What CMS gives, the courts take way: Patients in ambulances
and EMTALA — By Jeffrey Fitzgerald
14 Meet Cathy Garrey, Compliance and Quality Assurance Manager,
McHenry County Mental Health Board
— an interview by Gabriel L. Imperato
19 Letter from the CEO — By Roy Snell
21 Organizational compliance culture: What message is your board
and senior management sending — By Jeff Sinaiko
23 Medicare’s medical necessity criteria: A mystery in the making
— By Lester J. Perling
27 Exploring the question: Does this really make a compliance
program “effective” — By Catherine Boerner
30 Newly Certified CHCs
31 Certification – The recognized mark of a professional
— By Margaret Dragon
32 CEU: The 1-2-3s of claims sampling to resolve overpayment
errors — By B. Bo Martin
36 Improving competitiveness and compliance through agent/broker
online training — By Susan Mollet and Martha Braunstein
38 Feature focus: Coordinating external requests for information in
the Compliance Office — By Cornelia M. Dorfschmid
43 The what, why, and how of Medicare Coverage Analysis – Part 1
— By Ofer Amit
46 CEU: Quality of care and compliance: Existing challenges
and first steps for hospitals — By Cheryl L. Wagonhurst and
Nathaniel M. Lacktman
48 Conference Calendar 2009
53 SEC Disclosure: Managing information at FDA-regulated
companies — By Elizabeth P. Gray and Jessica Matelis
54 Go Local – Upcoming Regional Conferences
59 CEU: Complying with the HIPAA Privacy Rule: What you need to
know — By Rebecca C. Fayed
72 New principles can help advance independent corporate
monitoring — By Vincent L. DiCianni.
78 Newly Certified CHRC
82 Compliance Today Editorial Board
83 Ask Leadership
84 Corruption enforcement actions target foreign doctors and hospital
employees — By Robert Christopher Cook and Louis P. Gabel
86 Category B device trials: Looking forward and backward
— By Sumathy Sundarababu
90 New HCCA Members
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
3
October 2008

Affinity Group
Meetings
Hold your own
meeting in conjunction
with HCCA’s 2009
Compliance Institute!
Planning on attending the
Compliance Institute Need to
hold a meeting of your own
Affinity group meetings are now
available in conjunction with the
Compliance Institute.
Not only do you get the benefit
of holding your meeting alongside
the most comprehensive
compliance conference for
compliance professionals, but
you also receive complimentary
meeting room space at the
conference site, your choice of
a complimentary continental
breakfast or an a m or pm
break, and registration at the
HCCA Member rate for your
attendees.
Affinity Group Meetings may
be held on one of the following
days:
Saturday, April 25, 2009
Wednesday, April 29,
2009 (afternoon)
Thursday, April 30, 2009
To apply, please visit
www.compliance-institute.org
(conference tab) and fill out the
Affinity Group Meeting form.
Please return the completed
form to the HCCA office.
Questions Contact Jennifer
Jansen at 952.405.7922 or
email her at
jennifer.jansen@hcca-info.org
Cultural competency
standards: Using the
GAO Yellow Book
elements
Editor’s note: Maria B. J. Chun is the Associate
Chair, Administration and Finance in the
Department of Surgery at John A. Burns School
of Medicine at the University of Hawaii. Dr.
Chun may be reached in Honolulu by telephone
at 808/586-2925 or by e-mail at
mariachu@hawaii.edu.
Due to the growing diversity of the
US population, the need for culturally
competent health care has been
emphasized, and even required, by various
oversight agencies and accrediting bodies. 1
Although Title VI of the Civil Rights Act was
passed in 1964, confusion over how to translate
the law into actual practice has only been
seriously addressed over the past decade. 2 The
Department of Health and Human Services
has taken the lead by putting forth mandates,
guidelines, and recommendations (referred
to collectively as the National Standards for
Culturally and Linguistically Appropriate
Services or CLAS standards) as a means to
formalize what it expects in terms of “cultural
competency” in health care and how it can be
implemented. The Centers for Medicare and
Medicaid Services (CMS) has issued a CLAS
implementation guide and a cultural competency
crosswalk that links the CLAS standards
with the standards of the Joint Commission
(formerly JCAHO), the National Committee
for Quality Assurance (NCQA), and URAC
(formerly Utilization Review Accreditation
Commission). 3,4 Included in these documents
are numerous toolkits and resources providing
further guidance.
By Maria B. J. Chun, PhD
The 14 CLAS standards are organized into
three themes:
n Culturally competent care (standards 1-3)
n Language access services (standards 4-7)
n Organizational supports for cultural competence
(standards 8-14)
The first two themes deal directly with the
actual provision of health care, and the
third theme addresses administrative and
infrastructural issues related to providing
culturally competent care. 1,3 The standards
are classified as mandates, guidelines, and
recommendations. 5 Mandates are defined as
current federal requirements that must be
followed by both individuals and entities, as
specified, who receive federal funds. These
mandates are tied to ensuring linguistically
appropriate access to health care for those
with limited English proficiency. The Office
of Minority Health then deems the remaining
standards as guidelines and recommendations.
Guidelines are activities that should be
adopted. Recommendations are suggestions
that a health care organization may want to
consider implementing. Table 1 (on page 7)
lists the 14 CLAS standards.
Particularly in the case of the four mandated
standards, how can an organization assess
compliance Given that Standard 9 makes
specific reference to auditing as a method
to evaluate CLAS implementation, the U.S.
Government Accountability Office’s (GAO)
Government Auditing Standards (aka Yellow
Book) provides a helpful risk assessment tool
through its “elements of a finding” approach,
October 2008
4
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

which ensures that the understanding of an
issue/area of concern is complete. 6 The elements
of a finding are comprised of Criteria,
Condition, Cause, Effect, and Recommendation
(CCCER).
Definitions
Criteria - defines the what should be and
include laws, regulations, contracts, grant
agreements, standards, measures, expected
performance, and so on.
Condition - describes what is or the current
situation.
Cause - refers to the why or an explanation
for the current situation, which may be due
to such factors as lack of or poorly designed
policies and procedures or incomplete or
incorrect implementation.
Effect - describes what will happen or
the impact and spells out the discrepancy
between the criteria (what should be) versus
the condition (what is).
Recommendation - refers to what will
be done or what action(s) will be taken to
correct the situation.
To provide an example, of how the CCCER
approach may be applied to the CLAS standards,
we present the following hypothetical
situation utilizing Standard 7:
You are the manager of one of seven
outpatient clinics that are part of a large
hospital. The Chief Operating Officer (COO)
of the hospital has tasked all clinic managers
with determining whether each of the clinics
are meeting CLAS standards. The COO
has provided you with verbal and written
instructions on how to utilize CCCER and
has asked that you start your assessment with
Standard 7.
Criteria (what should be)
Standard 7 (Mandate)
Health care organizations must make
available easily understood patient-related
materials and post signage in the languages
of the commonly encountered groups and/or
groups represented in the service area.
Condition (what is)
After reviewing patient data, you determine
that your patient population consists of a
large number of recent immigrants from the
Philippines and Korea. But, you notice that
all patient-related materials (e.g., consent
forms, conflict and grievance procedures,
informational/educational brochures) are
available only in English.
Cause (why this happened)
You and your staff were unaware that these
materials were mandated by the federal government.
The hospital administration had not
provided any guidance in this area. Because
some of your staff are bilingual and have been
able to converse in the native languages of the
patients, there was an assumption that this
was sufficient.
Effect (why this matters)
Not only is the clinic out of compliance with
a federal mandate, more importantly, it has
not been culturally competent or sensitive
to its patients’ needs. A patient may have
consented to a procedure or a payment
plan without fully understanding what was
actually involved. This puts the clinic under
potential legal and/or fiscal liability.
Recommendation (what will be done)
You immediately report your finding to the
hospital COO and recommend that you
and your staff be provided with cultural
competency training with a focus on CLAS
standards. You also request a more detailed
needs assessment to determine exactly what
patient-related materials and signage are
needed, and in what languages, to properly
assist your patient population.
The above scenario simplifies the complexities
faced when trying to deal with cultural competency
issues. However, utilizing CCCER is
a good starting point and serves as a means to
identify potential risk areas without overwhelming
those tasked with ensuring cultural
competency compliance. This should not
replace a comprehensive organizational assessment,
but once again, can serve as a basis for
such an endeavor. Cultural competency will
continue to grow in significance. What the
federal government now deems as guidelines
and suggestions, may soon become mandates.
If you have already, or are planning to, assess
cultural competency in your organization,
please contact me (mariachu@hawaii.edu)
and let me know what methods you have
used or are planning to use. n
1 Brannigan, M.C. 2008. Connecting the dots in cultural competency:
Institutional strategies and conceptual caveats. Cambridge Quarterly of
Healthcare Ethics, 17: 173-184.
2 Beamon C, Devisetty V, Forcina Hill JM, et al: A Guide to Incorporating
Cultural Competency into Medical Education and Training.
December 2005, National Health Law Program.
3 http://www.qsource.org/uqiosc/CLASGuide.pdf. Accessed 7/1/08.
4 http://www.qsource.org/uqiosc/CLAS_Standards_Crosswalk_v3.pdf.
Accessed 7/1/08.
5 http://www.omhrc.gov/templates/browse.aspx1v1=2&1v1ID=15.
Accessed 7/2/08.
6 United States Government Accountability Office. July 2007. Government
Auditing Standards, July 2007 Revision. Also available online at:
http://www.gao.gov/govaud/ybk01.htm.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
5
October 2008

The HCCA HIPAA Training Handbook
The Health Insurance Portability and Accountability Act (HIPAA) has had
lasting impact on U.S. health care providers since its passage in 1996. This 36-
page handbook is intended for anyone who needs a basic understanding of the
privacy and security regulations established by the HIPAA. Suitable for staff
training courses, it covers:
• Who must comply with the HIPAA
• When and by whom is the use or disclosure of protected health
information (PHI) permitted
• What rights does an individual have regarding his or her PHI
• What are the basic safeguards required to protect the security of PHI
• Which security safeguards are required, which are recommended, and
what’s the difference between those standards
This handbook can prepare all health care professionals to help protect the
privacy and security of their patients’ health information.
Order Now
hcca MEMBER Discounts
# of handbooks cost per book
1–9............................$25
10–24........................$23
25–49........................$20
50–74........................$18
75–99........................$16
100+..........................$15
Qty
________ HCCA Members ($25 or see chart at left)
________ Non-Members ($30 per handbook)
________ Join HCCA!
Cost
$ __________
$ __________
$ __________
Non-members, add $200 to join HCCA, and pay
member prices for your order (regular dues $295/year)
Bulk discounts available for HCCA members only. See chart at left to
figure cost. All purchases receive free FedEx Ground shipping within
continental U.S.
Please type or print:
HCCA Member ID
First Name M.I. Last Name
Title
Organization
Street Address
City State Zip
Telephone
Mail check to: 6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Fax order to: 952-988-0146
Total: $
My organization is tax exempt
Check enclosed
Invoice me PO #
Charge my credit card:
Mastercard VISA American Express
Account number
Expiration date
Cardholder’s name
Cardholder’s signature
Federal Tax ID: 23-2882664
Prices subject to change without notice. HCCA is required to charge sales
tax on purchases from Minnesota and Pennsylvania. Please calculate this
in the cost of your order. The required sales tax in Pennsylvania is 7% and
Minnesota is 6.5%.
Fax
October 2008
6
E-mail
Please make your check payable to HCCA.
For more information, call 888-580-8373.
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Phone 888-580-8373 | Fax 952-988-0146
www.hcca-info.org | info@hcca-info.org

Table 1:
14 CLAS
Standards
U.S. Department of Health and Human
Services, Office of Minority Health
Standard 1 (Guideline)
Health care organizations should ensure
that patients/consumers receive from all
staff member’s effective, understandable,
and respectful care that is provided in a
manner compatible with their cultural
health beliefs and practices and preferred
language.
Standard 2 (Guideline)
Health care organizations should implement
strategies to recruit, retain, and
promote at all levels of the organization a
diverse staff and leadership that are representative
of the demographic characteristics
of the service area.
Standard 3 (Guideline)
Health care organizations should ensure
that staff at all levels and across all
disciplines receive ongoing education and
training in culturally and linguistically
appropriate service delivery.
Standard 4 (Mandate)
Health care organizations must offer and
provide language assistance services, including
bilingual staff and interpreter services,
at no cost to each patient/consumer with
limited English proficiency at all points
of contact, in a timely manner during all
hours of operation.
to patients/consumers in their preferred
language both verbal offers and written
notices informing them of their right to
receive language assistance services.
Standard 6 (Mandate)
Health care organizations must assure the
competence of language assistance provided
to limited English proficient patients/consumers
by interpreters and bilingual staff.
Family and friends should not be used to
provide interpretation services (except on
request by the patient/consumer).
Standard 7 (Mandate)
Health care organizations must make
available easily understood patient-related
materials and post signage in the languages
of the commonly encountered groups and/
or groups represented in the service area.
Standard 8 (Guideline)
Health care organizations should develop,
implement, and promote a written strategic
plan that outlines clear goals, policies,
operational plans, and management
accountability/oversight mechanisms
to provide culturally and linguistically
appropriate services.
Standard 9 (Guideline)
Health care organizations should conduct
initial and ongoing organizational selfassessments
of CLAS-related activities and
are encouraged to integrate cultural and
linguistic competence-related measures
into their internal audits, performance
improvement programs, patient satisfaction
assessments, and outcomes-based evaluations.
consumer’s race, ethnicity, and spoken and
written language are collected in health
records, integrated into the organization’s
management information systems, and
periodically updated.
Standard 11 (Guideline)
Health care organizations should maintain
a current demographic, cultural, and epidemiological
profile of the community as well
as a needs assessment to accurately plan for
and implement services that respond to the
cultural and linguistic characteristics of the
service area.
Standard 12 (Guideline)
Health care organizations should develop
participatory, collaborative partnerships
with communities and utilize a variety
of formal and informal mechanisms to
facilitate community and patient/consumer
involvement in designing and implementing
CLAS-related activities.
Standard 13 (Guideline)
Health care organizations should ensure
that conflict and grievance resolution processes
are culturally and linguistically sensitive
and capable of identifying, preventing,
and resolving cross-cultural conflicts or
complaints by patients/consumers.
Standard 14 (Suggestion)
Health care organizations are encouraged
to regularly make available to the public
information about the progress and
successful innovations in implementing
the CLAS standards and to provide public
notice in their communities about the
availability of this information.
Standard 5 (Mandate)
Health care organizations must provide
Standard 10 (Guideline)
Health care organizations should ensure
that data on the individual patient’s/
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
7
October 2008

We are pleased to introduce
The Duane Morris, LLP
Certified in Healthcare Compliance (CHC) Scholarship
Health Care Compliance Association
Beginning in 2008, Duane Morris, LLP will sponsor four Certified in Healthcare Compliance (CHC)
Scholarships annually.
The Duane Morris, LLP CHC Scholarship is intended to offer health care professionals the opportunity to expand their
knowledge and advance their careers by obtaining the Certified in Healthcare Compliance (CHC) credential. Obtaining
the CHC credential demonstrates an advanced knowledge of compliance and ethics principles and practice.
Each recipient of the Duane Morris LLP CHC Scholarship will be awarded $4,000 to cover the HCCA Compliance Academy
tuition and CHC test fees, as well as a portion of travel expenses to attend the Academy. (Both Academy tuition and test fees
have member and non-member pricing, so the portion of travel expenses covered will vary based on membership status.)
All applicants must successfully demonstrate financial need of their employer, as this scholarship is designed to provide
educational assistance to health care professionals in organizations that may not otherwise be able to fund Academy
attendance and CHC testing. Applicants must also meet the following criteria for consideration:
v Do not presently hold the CHC credential
v Have worked in the Health Care Compliance field for at least one year
v Meet the criteria to sit for the CHC exam
v Commit to prepare and sit for the CHC exam through the professional testing service
or at the conclusion of the HCCA Academy
Background: The CHC credential is awarded to candidates who pass
the Healthcare Compliance Certification Board CHC Examination.
The Examination is offered at the conclusion of the HCCA Compliance
Academy. The Compliance Academy offers four days of intense sessions
covering the seven elements of health care compliance.
Duane Morris LLP and HCCA encourage equal opportunity for all CHC Scholarship
applicants and candidates.
Applications are available at www.hcca-info.org, please call 888-580-8373
to receive an application.
October 2008
8
If you have questions about the scholarship or the Compliance Academy program please contact
Jennifer Power at 952/405-7916 or by email at jennifer.power@hcca-info.org
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Scholarship
Recipients
The Four Duane Morris LLP
HCCA Health Care Compliance
Scholarships for 2008 were
awarded to:
Kimberly Carroll
Compliance Analyst
LSU Health Sciences Center – Shreveport
Shreveport, LA
Michele Gildener
Compliance & Privacy Officer
Kona Community Hospital
Kealakekua, Hawaii
Roger Lowe
Privacy Officer
Yukon Kuskokwim Health Corp
Bethel, Alaska
Sharon Taylor
Director of Risk Management/Accreditation Services
Burgess Health Center
Castana, IA
To submit an application for the 2009 Duane
Morris LLP HCCA Scholarship please visit
www.hcca-info.org
Introducing
Compliance &
Ethics Social
Networking
By Shawn Leonard
Editor’s note: Shawn Leonard is the Webmaster/Privacy Officer at HCCA. He
can be reached by phone at 952/567-6220 or by e-mail at shawn.leonard@
hcca-info.org.com.
When it comes to social networking, many compliance and
ethics professionals tend to grow deeply concerned: Visions of
questionable content on Facebook and MySpace pages haunt
their dreams.
Despite the high profile disasters, social networking has grown to be an
important part of business networking. LinkedIn, which helps professionals
network with each other, now has more than 25 million members. The
Health Care Compliance Association even has its own group on that site.
To help bring online collaboration among ethics and compliance professionals
to the next level, HCCA, along with our sister organization the
Society of Corporate Compliance and Ethics, has invested in creating a
social networking site just for compliance and ethics professionals. This
site will enable you to connect with others in the profession year round.
You’ll be able to expand your network of peers and won’t need to wait until
the next industry meeting to connect directly.
The site is designed to make it easy for you to find other ethics and
compliance professionals who share the same interests and challenges you
do, whether it’s dealing with the complexities of the federal Anti-kickback
and Stark Laws or a general ethics issue. Asking a question of your peers is
easy (e.g., Do you have a policy that covers x What’s a best practice for y).
Giving an answer is just as simple.
Here’s how it works.
Go to the HCCA site (www.hcca-info.org) and log in. Then click on the
Network link, which will take you directly to the Compliance & Ethics
Exchange. Once there, you will see a list of various social networks you
can join, based on areas of interest. Simply click on an e-group or groups
that interest you. Then indicate how you want to learn about what’s going
on with it (i.e, you might want an e-mail whenever someone posts to the
Continued on page 35
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
9
October 2008

What CMS gives, the
courts take away:
Patients in ambulances
and EMTALA
By Jeffrey Fitzgerald
Editor’s note: Jeffrey Fitzgerald is a partner EMTALA compliance strategies to ensure that
in the Health Law group at Faegre & Benson they meet both CMS bright–line standards
LLP. He provides proactive compliance counseling
and represents health care providers who
and the judicially-created intent standard.
are targets of fraud and abuse investigations. EMTALA statute and regulations
He may be reached at 303-607-3740 or The concept behind EMTALA is simple
jfitzgerald@faegre.com.
enough: Congress was worried that hospitals—
organizations to which the government makes
A
hospital’s first step in ensuring significant payments through the Medicare
compliance with the federal mandate
called the Emergency Medical patients, including patients who arrived at an
program—were refusing to treat uninsured
Treatment and Labor Act (EMTALA) 1 is emergency department (ED) in need of urgent
to understand what events trigger the law’s medical care. So Congress mandated, through
application. To help in this process, the EMTALA, that all hospitals enrolled in Medicare
that have an ED must provide a medical
Centers for Medicare and Medicaid Services
(CMS) issued regulations that provide screening exam to all individuals who come to
bright–line tests that define when EMTALA the ED and request examination or treatment.
applies. 2 In the case of individuals in ambulances,
many hospitals may think that the individual has an emergency medical condition
If the medical screening exam finds that the
rules are pretty clear: for a hospital-owned (which includes active labor), then the hospital
ambulance, EMTALA applies once the individual
is “in” the ambulance; and for a non-
capacity and capability of the hospital. Further,
must provide stabilizing treatment within the
hospital ambulance, EMTALA applies once if the individual has an emergency medical
the ambulance is “on hospital property.” 3 condition, the hospital may not transfer the
individual to another hospital unless certain
Unfortunately, hospitals cannot rely exclusively conditions are met (generally, a transfer is
on CMS’ bright–line tests because earlier this permitted only if the hospital lacks the ability
year, the US Court of Appeals for the First to care for the individual and a physician
Circuit concluded that, notwithstanding the certifies that the benefits of transfer outweigh
CMS regulations, EMTALA can be violated the risks). Additionally, EMTALA specifically
where a hospital diverts a non-hospital ambulance
that is not yet on hospital property. In so screening exam or stabilizing treatment “in
prohibits a hospital from delaying the medical
doing, the Court of Appeals essentially added order to inquire about the individual’s method
an intent-based test to CMS’ bright–line test. of payment or insurance status.” 4
A similar decision was issued by the Court
of Appeals for the Ninth Circuit a few years Under the statute, hospital’s duties under
ago. As such, hospitals should structure their EMTALA are triggered once a person (1)
“comes to the emergency department,” and
(2) requests or “a request is made on the individual’s
behalf for examination or treatment.”
In the implementing regulations, CMS
specifies four different standards for
determining when an individual “comes to
the emergency department” based upon four
different situations:
n Individuals in a dedicated emergency
department;
n Individuals on the hospital property, but
not in the ED;
n Individuals in a hospital-owned ambulance;
and
n Individuals in a non-hospital ambulance.
For an individual who presents at a hospital’s
dedicated emergency department (i.e., a
traditional ED), EMTALA applies if the
individual requests examination or treatment
for a “medical condition” (or if a prudent
layperson observer would believe, based on
the individual’s appearance or behavior, that
the individual needs treatment for a “medical
condition”). The regulations do not define
“medical condition,” but the clear implication
is that EMTALA applies to all individuals in
an ED who request medical care.
For an individual who is somewhere on hospital
property other than the ED, EMTALA
applies if the individual requests examination
or treatment for an “emergency medical
condition” (or if a prudent layperson observer
would believe, based on the individual’s
appearance or behavior, that the individual
needs emergency examination or treatment).
This definition is intended to exclude from
the scope of EMTALA individuals who are
on the hospital property to obtain non-emergency
care, such as lab tests, physical therapy,
scheduled surgery, or physician visits. This
definition makes clear that EMTALA applies
to individuals who are on hospital property
October 2008
10
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

and need emergency care (e.g., an individual
who collapses in the hospital parking lot).
to the emergency department” when the
individual is “on hospital property.” 6 The
manual defines “hospital property” to include
when they had more information about the
suspected abortion. In the second conversation,
the ED physician inquired as to whether
The EMTALA regulations apply different standards
to individuals in ambulances (ground
and air) based upon whether the hospital owns
the ambulance. If an ambulance is owned by a
hospital, EMTALA applies to an individual in
the ambulance (regardless of the ambulance’s
location), unless the ambulance is operated
under communitywide emergency medical
service (EMS) protocol (and the EMS protocol
directs the ambulance to another hospital).
hospital-owned ambulances, thereby making
EMTALA apply to individuals in hospitalowned
ambulances. In contrast, the manual
states that an individual in “a non-hospital
owned ambulance not on the hospital’s
property is not considered to have come to
the hospital’s emergency department”.
CMS’ interpretation of the “comes to the
emergency department” threshold creates a
bright–line in the context of individuals in
the patient had medical coverage, and when
the paramedics gave no assurance of coverage,
he abruptly terminated the call (an action
that the paramedics interpreted as requiring a
diversion of the patient to another hospital).
The patient brought a personal injury
lawsuit against the hospital, alleging that the
hospital violated EMTALA by diverting her
ambulance to another hospital. The trial court
ruled in favor of the hospital on the basis that
If an ambulance is not owned by the hospital,
then EMTALA applies to an individual in the
non-hospital ambulance once the “ambulance
[is] on hospital property.” To emphasize
that the ambulance must be on the hospital
property in order for EMTALA to apply, the
regulation specifically states that an individual
in a non-hospital ambulance that is not on
hospital property is not deemed to have
come to the ED. However, an individual in a
non-hospital owned ambulance off hospital
property is not considered to have come to
the hospital’s emergency department, even if
a member of the ambulance staff contacts the
hospital by telephone or telemetry communications
and informs the hospital that
they want to transport the individual to the
hospital for examination and treatment. 5
ambulances: EMTALA applies to individuals
in hospital-owned and controlled ambulances
(unless an EMS protocol applies); and
EMTALA does not apply to individuals in a
non-hospital ambulance until the ambulance
is on hospital property.
Courts’ view of EMTALA
In April, 2008, the US Court of Appeals
for the First Circuit issued an opinion
that found that an individual can allege
a violation of EMTALA when a hospital
diverts a non-hospital ambulance that is not
on hospital property to a different hospital
because the patient is uninsured. Morales v.
Sociedad Española De Auxilio Mutuo Y
Beneficencia, 524 F.3d 54 (1st Cir. 2008).
In that case, the plaintiff had an ectopic
the patient had not “come to the ED,” and
thus the hospital’s duties under EMTALA had
not been triggered. The US Court of Appeals
for the First Circuit, in a 2-1 decision,
reversed the trial court ruling.
The First Circuit concluded that for
EMTALA to apply, the plaintiff must “come to”
the ED. The First Circuit noted that the statute
did not provide a definition for that term, and
concluded that the term itself was not selfelucidating.
As such, the First Circuit looked to
CMS regulations for guidance. The First Circuit
found the regulations to be ambiguous on the
basis that the regulations do not state “whether a
hospital may divert an approaching ambulance
only when it is in diversionary status, or whether
it may do so under other circumstances.” 7
The First Circuit also found the CMS State
CMS’ interpretation, that an individual in an
non-hospital ambulance has not “come to”
the ED until the ambulance is on hospital
property, has a common-sense appeal—a
hospital cannot provide a screening exam or
stabilizing treatment to an individual that is
not at the hospital.
pregnancy and began experiencing severe
abdominal pain while at work. She was placed
in an ambulance that set off for the defendant
hospital. The ambulance was not owned by
the hospital, and the paramedics who manned
it were not hospital employees. While in
transit to the hospital, the paramedics called
ahead to the ED twice. In the first conversation,
Operations Manual guidance to be ambiguous.
By finding CMS’ regulations and guidance to
be ambiguous, the court concluded that there
was no clear interpretation of the statute upon
which the court could rely.
Ultimately, the court concluded that the intent
behind EMTALA was to ensure that individuals
The guidance issued by CMS in the State
Operations Manual applies a slightly different
analysis to reach the same conclusion. The
the ED physician expressed concern that
the plaintiff might voluntarily have induced
an abortion. He also stated that he was very
were not turned away by hospital EDs on the
basis of their financial status. As such, the First
Circuit ruled that EMTALA would be violated
manual provides that an individual “comes busy and asked the paramedics to call back
Continued on page 13
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
11
October 2008

October 2008
12
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Court analyzes first case under Stark’s academic medical center exception ...continued from page 11
where a hospital diverts a nonhospital ambulance
because of the individual is uninsured.
A dissenting opinion was filed in the case. The
dissenting judge found that the statute and
regulations were clear and that “comes to an
emergency department” unambiguously means
“arrives” at the ED, such that an individual in
an ambulance who has not yet arrived at the
hospital is not within the scope of the statute.
The dissenting judge also found CMS regulations
to reflect the agency’s interpretation that
“the patient must, at the least, be physically on
hospital property” and CMS’ interpretation is
“eminently plausible” and should have been
deferred to by the Court of Appeals.
The First Circuit’s decision is consistent with
the only other Court of Appeals decision
on this issue, a 2001 decision from the US
Court of Appeals for the Ninth Circuit. 8 In a
case with similar facts, the Ninth Circuit also
concluded that an individual in a non-hospital
ambulance that was diverted specifically
because of the individual’s insurance coverage
was a violation of EMTALA. Interestingly, the
2001 decision from the Ninth Circuit was also
a 2-1 decision, and the dissenting judge in the
Ninth Circuit case shared the same view as the
dissenting judge in the First Circuit case.
Hospital compliance strategies
In light of the tension between the regulations
and court decisions, hospitals should structure
their existing EMTALA policies and procedures
to account for both the bright–line rules
set by CMS and the courts’ intent-based interpretation.
Hospitals should have a comprehensive
EMTALA policy specifically addressing
ambulance issues, including the following:
n If the hospital owns an ambulance service,
the hospital should have a process to ensure
that all patients placed into a hospitalowned
ambulance receive a screening
examination and stabilizing treatment;
n The hospital should identify a process for
ensuring that a screening examination
and stabilizing treatment is provided to all
patients in a non-hospital ambulance that
comes onto hospital property;
n When communicating with a nonhospital
ambulance, the hospital should
not inquire about the patient’s insurance
coverage or the patient’s ability to pay; and
n Hospitals should not divert an ambulance
to another hospital based upon the
patient’s (real or perceived) insurance
coverage or financial status.
Following these suggestions will allow a hospital
to ensure that it meets its EMTALA obligations,
as interpreted by CMS and the courts. Hospital
policies that focus on whether the individual is
on hospital property and prohibit consideration
of ability to pay are consistent with the intent
behind EMTALA, as they ensure that individuals
seeking emergency care are treated regardless
of their financial status.
Conclusion
In the regulations implementing EMTALA,
CMS states that an individual in a nonhospital
ambulance has not “come to the ED”
for purposes of triggering the hospital’s duties
of providing a medical exam and stabilizing
treatment. Out of an apparent fear that hospitals
would divert ambulances with uninsured
individuals to other hospitals, some courts
have added an additional requirement, namely,
that a hospital may not divert an ambulance
purely because of the individual financial
status. This additional requirement blurs the
clear “on hospital property” standard set by
CMS, but prudent hospitals should structure
their EMTALA compliance activities to ensure
that both standards are met. n
1 42 U.S.C. § 1395dd.
2 42 C.F.R. 489.24.
3 42 C.F.R. 489.24(b).
4 42 U.S.C. § 1395dd(h).
5 42 C.F.R. 489.24(b).
6 CMS, State Operations Manual, App. V, at 32.
7 524 F.3d at 59.
8 Arrington v. Wong, 237 F.3d 1066 (9th Cir. 2001).
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Be Sure to Get Your
CHC CEUs
Inserted in this issue of Compliance
Today is a quiz related to the articles:
n The 1-2-3s of claims sampling to
resolve overpayment errors —
By B. Bo Martin, page 32
n Quality of care and compliance:
Existing challenges and first
steps for hospitals — By Cheryl
L. Wagonhurst and Nathaniel M.
Lacktman, page 46
n Complying with the HIPAA Privacy
Rule: What you need to know —
By Rebecca C. Fayed, page 59
To obtain your CEUs, take the quiz and
print your name at the top of the form.
Fax it to Liz Hergert at 952/988-0146,
or mail it to Liz’s attention at HCCA,
6500 Barrie Road, Suite 250,
Minneapolis, MN 55435. Questions
Please call Liz Hergert at 888/580-8373.
Compliance Today readers taking the
CEU quiz have one year from the
published date of the CEU article to
submit their completed quiz.
13
October 2008

feature article
Meet Cathy Garrey, MA, CHC
Compliance and Quality Assurance Manager,
McHenry County Mental Health Board
Editor’s note: This interview with Cathy Garrey
was conducted in late summer by Gabriel L.
Imperato, Esq, CHC, Managing Partner of
the Fort Lauderdale office of Broad and Cassel,
where he is Chairman of the firm’s White-Collar
criminal and Civil Fraud Defense Practice
Group. He personally represents individuals
and organizations accused of criminal or civil
fraud in the areas of health care, securities,
and other corporate fraud and compliance and
governance matters. He is board certified as a
specialist in health care law by the Florida Bar;
is a member of the Illinois, Florida, and District
of Columbia bars. Mr. Imperato can be reached
at 954/745-5223 or by e-mail at gimperato@
broadandcassel.com.
Cathy Garrey may be reached at telephone at
815/455-2828 or by e-mail at cgarrey@mc708.org.
GI: Cathy, thank you for agreeing to this
interview for Compliance Today. Please tell
our readers a little about your background
and how you became Compliance and
Quality Assurance Manager for the McHenry
County Mental Health Board.
CG: Although I earned a degree in
education from Drake University in Iowa,
I found more job opportunities in case
management for individuals with severe
and persistent mental illness. My first job
as a case manager at a not-for-profit human
service agency in northern Illinois led me
into a Quality Assurance and Training
Manager position. Here I discovered that
conducting record reviews and preparing
for audits was something that I enjoyed.
This job centered on monitoring compliance
with government rules and laws and
program policies, and it included overseeing
the organization’s Training department to
ensure compliance for all the programs in
the agency. Coordinating the organization’s
CARF (Commission on Accreditation of
Rehabilitation Facilities) accreditation was
another part of the job. During this time, I
also worked toward an MA in Management.
After getting the degree, I moved into the
position of Director of Quality Assurance
and Training.
Shortly after this appointment, I changed
jobs. An opportunity to focus more on compliance
and less on training and development
opened in another agency, so I took the
position to expand on my interests. Over the
next year or so, as the Compliance Officer, I
developed the corporate compliance program
with the help of a consortium of compliance
professionals and a national consultant.
At about that time a position opened at
the McHenry County Mental Health Board
(MHB) that called for someone with my
qualifications. The position required a background
in mental health as well as significant
experience in compliance and accreditation
work. It was not only a perfect fit, but also
it offered an opportunity to return to the
county where I had developed wonderful collaborative
relationships. Since starting, about
a year and a half ago, I have been developing
a compliance program at MHB, preparing the
organization for its first CARF survey, and
working with county providers to make sure
that everyone meets the new Illinois Medicaid
Rehabilitation Option regulations.
GI: Please describe the McHenry County
Mental Health Board, and tell us about
your responsibilities as the Compliance and
Quality Assurance Manager.
CG: The McHenry County Mental Health
Board funds services for individuals who
have a mental illness, developmental disability,
and/or drug or alcohol dependence.
October 2008
14
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

It was established in 1969 in response to the
Community Mental Health Act, and since
then it has built a history of success in managing
a comprehensive community human
service system of care that includes collaborative
and financial relationships with federal
and state mental health and welfare agencies,
as well as with public and private agencies.
My responsibilities include ensuring that
our funded agencies are compliant with
Medicaid-Medicare rules and regulations.
The MHB audits agencies for compliance
triggered by utilization trends that are over
or under the expected norm by about 15%
based on monthly reports. If a problem with
compliance emerges during a routine audit,
audits may take place monthly until the
problem is resolved.
During an audit, charts and case notes are
examined to review all required information.
I look for trends in billing records that reflect
the need to develop a plan to ensure quality
of care. An audit also examines treatment
plans, which are reviewed every six months.
All provided services should be part of the
plan. We also make sure that new clients have
a mental health assessment.
Once an audit is completed, we arrange for
an exit conference, and then we structure a
formal report.
GI: What attracted you to the compliance
profession and why do you remain in the
compliance profession
CG: I became a compliance professional
quite by accident. While working as the
Assistant Manager of a community mental
health program, the organization received
notice of an upcoming state Medicaid audit.
At the time, I was the only one available to
review charts and make sure we were ready. I
found that I enjoyed the challenge and had a
knack for the work. Eventually, I became the
Director of Quality Assurance and Training at
that organization. I remain in the compliance
profession because it is challenging. Things
are forever changing. No two days are the
same, and the work is very rewarding. There
are always new things to learn and new
networking opportunities.
GI: I see that you have been Certified
in Healthcare Compliance (CHC) by the
Health Care Compliance Association. When
did you become certified, and why you chose
to do so
CG: I became Certified in Healthcare
Compliance in 2006. At the time, I was
developing a corporate compliance program
for an organization and came across the
Health Care Compliance Association website.
I signed up for This Week in Corporate
Compliance, and within a few weeks, I
joined the association. When I presented
the idea of getting certified to my supervisor,
he was supportive. We agreed that the
certification would enhance my credentials
as a Compliance Officer. I signed up to
attend a Compliance Academy and had the
opportunity to meet people from all over the
country. The training was excellent. I sat for
the certification exam on the Friday morning
after completing the four-day training. The
many resource materials presented at the
training proved quite useful.
GI: How has CHC helped you as a compliance
professional, generally and specifically,
in your role at the McHenry County
Mental Health Board Has CHC certification
brought you professional recognition within
your organization How has this helped you
to be an effective compliance professional
CG: Certification necessitates staying
abreast of what is happening in the health
care field in matters of compliance, because
continuing education is one of the requirements.
CHC also allows access to HCCA
website information developed by experts in
the field, offering opportunities to conduct
Gabriel L. Imperato
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
research on compliance issues. Additionally,
it provides networking opportunities that put
me in touch with professionals around the
country, and that offers a much larger base of
knowledge and information. When we have
a difficult question regarding compliance, I
can connect with experts who are willing to
share their knowledge and tools. Certification
means that I can count on other professionals
to help resolve specific problems.
Here in McHenry County, I meet with
compliance professionals on a monthly basis.
Reading Compliance Today and attending
Compliance Institute training sessions
provides up-to-date information that I can
share with my colleagues. They appreciate my
access to professionals around the country,
which expands their knowledge base as they
develop their compliance programs.
Recently, three compliance professionals
and I developed a comprehensive training for
executive directors, finance managers, and
human resource managers. Information in the
portion that I covered came from materials
that I received at the recent Compliance Institute
and from articles in Compliance Today.
A month later, my executive director showed
me an article she had read on corporate
compliance. Our group had covered it all.
GI: What value does CHC certification
Continued on page 16
15
October 2008

Meet Rita A. Scichilone ...continued from page 15
bring to the workplace with employees of
the organization How about with management
and the governing authority of the
organization
CG: My supervisors have expressed appreciation
for my CHC certification. They have
confidence that when I say to them that we
need to develop a new compliance tool or add
something to our quality checklists, I have
a good reason. My supervisor told me that
although the Mental Health Board has always
been concerned about compliance, prior to
my joining the organization no one had this
level of certification. He and the executive
director have been supportive as we develop
our compliance program. The MHB Board of
Directors attends training sessions on compliance
during the national conferences they
attend. They, too, are supportive, and recently
they approved a new compliance position to
enhance our program.
GI: Would you recommend that your
fellow compliance professionals seek CHC
certification If so, why What did you do to
become eligible for the CHC, and how did
you prepare for the certification exam
CG: I would certainly recommend that
compliance professionals seek the CHC. As
the government sends out more auditing
groups, certification is going to become
increasingly important, because CHC provides
a comprehensive base for learning about
compliance. Additionally, certification boosts
credibility, not only for compliance professionals,
but also for the organizations that
employ them.
To be eligible for certification, a person
must be an active compliance professional
and meet the guidelines presented in the
CHC handbook. Before deciding to work for
certification, I became quite familiar with the
HCCA website. The more familiar I became
with the information on the website, the
more I realized the value of CHC.
The certification exam was quite extensive.
Before the test, I read everything available on
the HCCA website; I scoured the Internet
for information on compliance; I looked at
federal OIG guidelines on health care compliance;
and I brushed up on HIPAA information.
I attended the academy the week
before the test. Those attending the academy
attended classes during the day, and continued
to review and read the material on our
own into the evenings. On the day before the
test, we finished at noon and continued to
study through the evening.
When you sit through that exam, and then
finally learn that you have passed it, you can
be proud. When I got that letter informing
me that I passed the exam and earned certification,
I was happy, proud, and relieved.
GI: Please tell us how compliance and
quality are managed in your organization,
since you are the Compliance and Quality
Assurance Manager for McHenry County
Mental Health Board.
CG: At the Mental Health Board, we
have a strong Leadership Team that meets
bi-weekly. During these meetings, we discuss
risk issues, compliance issues, and set a
course of action to resolve any problems that
we have. If specific issues arise that require
immediate action, those in the need to know
are informed of the problem. Decisions are
made and acted upon by the Leadership
Team, which monitors the situation to ensure
that the problem gets resolved.
Staff members come to me, as the compliance
officer, with questions and concerns,
and I confer with the deputy director, executive
director, or legal counsel as needed for
resolution. In addition, as the compliance
officer, I do have access to the board of directors,
and the executive director reports to the
board on a monthly basis.
The McHenry County Mental Health
Board is unique in that we provide
coordination and access to services; we also
fund agencies to provide treatment services.
This means that we not only have to ensure
that we are in compliance with all funding
requirements, but we also have to be
sure that our funded agencies comply with
federal, state, and county funding requirements,
including coordination of benefits.
As Compliance Officer, I conduct internal
as well as external audits. As a funder, the
Mental Health Board has an obligation to
the constituents of the county to ensure that
quality services are provided.
GI: Do you believe the quality of health
care in an organization is a compliance issue
CG: I absolutely believe that quality of
health care is a compliance issue. When
I conduct audits of providers, I am very
aware of the types of services provided, and
the quality of care that is extended to the
populations that are served. Many of our
organizations utilize an outside firm to collect
discharge satisfaction data, and when we
receive a call that someone is dissatisfied, that
information is followed up on immediately.
I also receive calls from individuals who are
unhappy with services they are receiving from
providers. These complaints are documented
and followed up on, and if need be, we bring
the client and the team together to resolve the
problem.
GI: What advice would you give to
someone just starting out as a compliance
professional and setting up a compliance
program
CG: The first bit of advice I would offer
is to ask questions. Reach out to other
compliance professionals in the specific field
and seek their input. Know that one person
does not have to reinvent the wheel. Others
have developed policies and procedures,
compliance programs, and risk management
plans. Read as much information as possible
October 2008
16
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

and get linked up with e-newsletters and the
federal OIG Public Affairs updates. Reading
industry journals is critical. Another very
important piece of advice is to maintain a
sense of humor. Things come up; people
make mistakes; and sometimes, it all happens
at once. Take a deep breath and move on.
GI: Having an “effective” compliance
program is critical for health care organizations.
How would you define compliance
effectiveness
CG: An effective compliance program
starts at the top. It acknowledges that events
will occur, corrective action will take place,
and both will be reported immediately as
required. The compliance process requires
careful and complete documentation every
step of the way.
GI: What do you feel have been major
challenges for the health care compliance
industry What do you believe will be the
challenges for the future
CG: The most recent challenges have
included the new auditing bodies coming
out of the federal government – ZPICs
[Zone Program Integrity Contractors],
RACs [Recovery Audit Contractors], MIPs
[Medicaid Integrity Progam contractors],
and the lack of communication between the
federal auditors and state programs. I don’t
see things changing in the foreseeable future
in this area. I do believe that more states will
follow New York and Texas and develop state
OIG programs.
The biggest challenges for the behavioral
health care compliance industry – and the
biggest vulnerabilities – are in documentation.
About a year ago, the State of Illinois
made significant changes in Illinois Medicaid
Rule 132, and recently it made more changes.
Health care workers are not confident that
they are capturing everything that is required
in their case notes.
Behavioral health care bills Medicaid using
medical codes. Practicing the science of
physical medicine is much more exact than
working in behavioral health care. An x-ray
verifies a broken arm, and a cast is part of
the treatment. Healing generally takes place
within a period of six weeks. Diagnosis and
treatment of behavior health issues is much
less black-and-white. It is much more difficult
to define in medical terms the need to
teach someone to balance a checkbook or to
maneuver in a grocery store while hearing
voices in their heads. Documentation is crucial.
Treatments can be quite varied, and all
treatments need to clearly relate to the diagnosis.
Behavioral health care professionals not
only need specialized training in their field,
they also need continued training in meeting
compliance requirements.
Providers in McHenry County are committed
to quality and collaboration. For example,
they recently committed to working with an
independent national consultant hired by the
Mental Health Board to receive additional
training in federal and state compliance
regulations.
GI: What tools does the McHenry County
Mental Health Board have in place to help
with compliance issues
CG: Our compliance program includes
open discussion of ethical dilemmas, questions,
and concerns at monthly staff meetings,
or if an employee prefers, privately with
a supervisor. Difficult questions are encouraged.
We strive for an environment in which
people feel comfortable coming forth with
their concerns. We have worked to create
trust between coworkers.
Additionally, we provide regular compliance
training during these monthly meetings,
and we offer access to Webinars and
teleconferences as they become available.
GI: How do you capture staff support for
compliance
CG: By creating an environment of trust.
At the MHB, starting with the board of
directors on down, issues of compliance are
taken very seriously. Our leadership team is
dedicated to an effective compliance plan that
includes an open door to communication.
We send out ongoing e-mail alerts that offer
new information. We focus on doing the
right thing rather then centering attention on
what is wrong. We work hard to incorporate
compliance in a manner in which people are
not threatened, fostering an environment of
openness.
GI: Is the board of directors trained in
issues of compliance
CG: We have developed training for the
MHB Board of Directors as well as for the
boards of our funded agencies. They attend
conferences that offer a wealth of information
and opportunities to network with
people across the country. Members of our
board of directors participate in our compliance
committees, which include an ethics
committee and a finance committee. n
Contact Us!
www.hcca-info.org
info@hcca-info.org
Fax: 952/988-0146
HCCA
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Phone: 888/580-8373
To learn how to place an advertisment
in Compliance Today, contact
Margaret Dragon:
e-mail: margaret.dragon@hcca-info.org
phone: 781/593-4924
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
17
October 2008

2300 lawyers in 30 locations. www.jonesday.com
October 2008
18
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Social networking
Many compliance professionals are frustrated by compliance industry
articles, conferences, and books that speak in general terms because
they don’t apply to their specific segment of healthcare compliance.
One of the most common complaints I receive is “All I hear about is
hospital compliance.” Many people want to network with people who
are dealing with issues specific to their segment of health care compliance.
There are many segments of health care compliance with unique
issues, such as long-term care, hospitals, group practice, research,
behavioral health, pharma, med device, quality of care, etc. Special
interest groups cut across all segments, such as ethics, social responsibility,
privacy, security, etc. Compliance professionals are clamoring
to get together in special interest groups. What we need is an easy and
affordable way to get that done. We now have it.
The Web is still in its infancy. Many benefits of the Web have yet to
be realized. Buried in the morass of “features” or benefits of the Web
are many emerging trends. One such trend is social networking. Social
networking sites used by children have already exploded on the scene.
Facebook can often be unprofessional and tawdry, but it is a sign of
things to come for professionals. We have a great need to network
more efficiently and effectively than we have in the past. Social
networking software is about to explode on the scene for compliance
professionals and the benefits are greater than you might expect.
We all use some form of social networking now. There are blogs, Wiki
technology, list serves, document sharing, and much more. Social
networking is uncoordinated, inefficient, limited, and not always easy
to use. However, solutions now exist that incorporate all of these social
networking features into one package.
Set up correctly, social networking software can have many benefits.
These benefits allow special interest groups to communicate regularly
and efficiently.
Benefits
n Improves communications
n Keeps people connected
n Facilitates networking to answer member questions and solve problems
ROY sNELL
n Saves time by sharing documents
n Promotes collaboration and community
n Professionally done social networking
n Significant control of who you want to
have access to you
n Gives members the tools and lets them
run them
n Unlimited number of ways to subdivide
large groups of people in the compliance and ethics profession
into “special interest groups”
The Health Care Compliance Association is implementing a social
networking package that accomplishes all those benefits. There are
seven integrated components. Within each component are multiple
features. All of this is designed to solve the age-old desire for compliance
professionals to network in special interest groups.
n Member Directory
o Name, address, photo, bio, communities of interest you belong to
o Certification(s) you have achieved
o Create your own personal networks
o Find people with similar certification, interests, or classes you
jointly attended, job history, education
o Similar to, but more capable/professional than Facebook or
LinkedIn
o Brings business networking online
o Members promote themselves online
o Members can start their own blog
n Forums
o Threaded discussion
o Permanent storage of previous discussions
o Searchable content
n Listserves
o User definable
o Can attach and “tag” documents (attach searchable key words)
o More readable e-mails
o Real time e-mail or daily summary
n Document Library
o Videos, photos, presentations, documents, pod casts, handouts,
session recordings
o Can be “tagged” with keywords by anyone
o Link to contributor profile to assess credibility
n Glossary of terms with Wiki technology
Continued on page 78
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
19
October 2008

EXPERIENCE.
INTEGRITY.
RESULTS.
October 2008
20
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Focus on
Organizational Compliance Culture
Organizational
compliance culture:
What message is
your board and
senior management
sending
By Jeff Sinaiko
Editor’s note: Jeff Sinaiko is president of Sinaiko
Healthcare Consulting, one of the nation’s leading
independent healthcare management consulting
firms. He works with healthcare organizations
nationwide on a diverse range of compliance issues.
For more information, please e-mail
jeff@sinaikohc.com or go to www.sinaikohc.com.
This is not a test of the emergency
broadcast system (it worked just fine
in our recent earthquake, you will all
be happy to know). But, I do interrupt this
series of articles on lab compliance and auditing
to address an issue that has been weighing
heavily on my mind - compliance culture and
its determinant impact on whether an organization
can achieve compliance effectiveness.
In the July issue of Compliance Today, Scott
Kelly wrote very capably on the subject of
what compliance officers can do to maintain
a culture of compliance in their organizations.
I agree that compliance officers have
a critical role in ensuring that a compliance
program is executed, and that compliance
culture must be fostered and reinforced by
what occurs at the operating level every day.
In my column this month, I want to build
on that subject by addressing the issue of
creating a culture of compliance, which
can not be done by the compliance officers
among us, and which experience indicates is
the source of many organizations’ ongoing
struggles with compliance.
Creating a compliance culture must have at
its base the focus, example, sponsorship, and
stewardship of the board and the most senior
level executives within any organization. A
clear message must be sent to every member
of an organization through the tangible and
identifiable actions of leadership: doing the
right thing will inform all business conducted
in the organization’s name.
The compliance community focuses heavily
on the tactical – the what, how, and when
to do the myriad of tasks required to achieve
compliance effectiveness (present company
included). I’ve come to believe, however,
that all the specific activity executed under
the aegis of the compliance program can not
truly generate a compliant organization and
a culture of compliance without this serious
commitment and example set by the board
and senior management.
Any organization ultimately reflects such
examples and the priorities set, not just
through words, but most of all, through
actions. If the organization’s board and most
senior management fail to set this example
through their own actions, the message will
be clear, regardless of anything the Compliance
Office and officer do.
So, what specifically can be done on this
level First, determine what message is sent
to the organization via the board and senior
management in this regard. Ask yourself, for
example, what your organization would do
when a serious compliance issue is identified:
n What is the priority If making budget,
protecting a given physician relationship
and/or limiting the cost of addressing
the issue take precedence over diligently
addressing the issue as the organization’s
compliance officer or advisors may recommend,
what message does that send
n If the business people are allowed to
establish the priorities for how the issue is
addressed, perhaps even contrary to what
the compliance officer knows to be the
right way to address it, what message does
that send
n If the board and CEO (or other appropriate
member of senior management) are not
asking questions to assure themselves it is
being handled appropriately, and are not
involved in any of the discussions of resolution,
how seriously is the organization really
taking its compliance obligations
I am not unrealistic as to economic mandates.
We spend a huge amount of our time
assisting clients to focus on and improve
the critical elements of revenue capture and
bottom-line performance. I am not suggesting
that the organization has to spend money
indiscriminately in order to be compliant,
or that due diligence can not be applied in
evaluating options. But, at the end of the day,
the message sent by example must reflect the
foundational principle that doing the right
thing is the organization’s top priority. This
is ultimately the only way to truly build a
culture of compliance and, ultimately, to have
an effective compliance program.
There are times when these various priorities
may be at odds. What choice will your
organization make
Some concrete measures can be used as a basic
evaluation of the board’s role in compliance.
In 2004, the Federal Sentencing Guidelines
(the source of the definition of current compliance
programs) were revised to include
specific functions of the board as a de facto
eighth element of compliance programs. The
Continued on page 22
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
21
October 2008

WE HOLD OUR EMPLOYEES TO
THE HIGHEST
STANDARDS.
THEIR
OWN.
I stand for
Annalie, Database Coordinator
We all strive to become the best at what we do. But it
helps to have like-minded people surrounding you. At
Stanford, forward thinking and a passion for advancement
are things we all have in common. It's the standard we
hold for our hospital, and one we each take great pride in.
Compliance Facility Fee Auditor
You will be a member of the Compliance Department
team and conduct independent audits to determine
organizational integrity of billing facility and technical
hospital fees for inpatient and/or outpatient services,
including detecting and correcting documentation, coding
and billing errors. These audits consist of evaluating the
adequacy and accuracy of documentation in support of
services billed, including ICD-9/CPT/HCPCS and other
third party payor codes, DRG assignment, APC code
assignment, medical necessity of services and
reimbursement overpayments and underpayments.
We prefer a Bachelor's degree (Master's a plus) in Health
Information Management, Nursing or a healthcare related
field or equivalent education/experience and at least 1 year
of experience in facility fee coding, auditing or related
work. The facility fee auditor positions are tiered positions
providing growth opportunities as audit skills improve.
Current opportunities include positions for candidates
with intermediate documentation and coding skills as well
as advanced skills, with experience in one or more of the
following hospital/technical documentation and coding
areas: DRG/MSDRG, APC, ICD/HCPCS/CPT, Medi-Cal
and/or medical necessity determinations. Five years of
recent, professional experience as an RN in a managed
care/HMO, complex hospital or ambulatory care setting
would also be considered, as well as case management
or utilization review experience. Within six months of
employment, all candidates must obtain CCS or CPC-H
certification. Must have strong knowledge of Medicare
and Medi-Cal documentation and coding rules/guidelines,
ICD-9/CPT/HCPS/DRG coding rules, facility fee charge
capture and reimbursement methodologies, including
DRG, APC, CPT, ICD, HCPCS, etc. A CA RN license, CCS,
CPC-H or CHC is preferred. Continuous documentation
and coding education and skill advancement is provided
in a team setting.
To ensure your application is captured in our official files,
you MUST apply online at: www.WeStandForCare.com.
Organizational compliance culture: ...continued from page 21
OIG and AHLA jointly published a terrific white paper on the subject,
available on the OIG Website, which provides considerable concrete guidance
for directors. Without going into all of them, some examples of such
guidance and the implications include:
n The board must be responsible for assuring there is an effective compliance
program. Are they
n Is the board actively involved in creating and updating the organization’s
Code of Conduct
n The members must be educated and take responsibility for being educated
on the subject. There is a difference between being independently
educated on the organization’s compliance risks, risk assessment,
and compliance program effectiveness, and passively enduring the
occasional perfunctory update. One allows the board independently
to fulfill their obligations as directors and ensure that a compliance
culture is created and maintained by those responsible for doing so,
the other does not. There are HCCA programs specifically for board
members, for example. Are those attended
n Has the board assured that the Compliance Office and officer are as
independent as possible from both an organizational structure and a
practical, day-to-day perspective
n Has the board ensured that the compliance program has the resources
it needs to meet its full obligations relative to the size and scope of
the operation it is charged with protecting Has the board and/or
senior management ensured that a budget exists for compliance that
allows for such resources, and that it is not in conflict with operations
managers’ own budget goals If the organization is a 400-physician
medical group that has one coder in the Compliance department (not
an uncommon finding) and does not use significant outside resources
to supplement its efforts, can there really be a reasonable expectation
that appropriate monitoring and resolution of the issues that will inevitably
arise are occurring What message is sent to all those involved
who must know full well that the Compliance Office can not meet its
obligations with insufficient resources
So, if you are a board member or a member of the “C-suite” what
message are you sending and what are you doing to establish a culture of
compliance from the top
We now return to our regularly scheduled programming. n
www.WeStandForCare.com
October 2008
22
EOE
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Medicare’s medical
necessity criteria: A
mystery in the making
By: Lester J. Perling, Esq.
Editor’s Note: Lester J. Perling is a partner promulgating formal policies like NCDs
in Broad and Cassel in the Fort Lauderdale, and LCDs, the process of making coverage
Florida office. He is a board-certified health law and medical necessity determinations in the
attorney and author of the Medicare Claims absence of formal policy is not governed by
Appeals Process Handbook, which is available statute or regulation. What evidence can
at www.aspenpublishers.com. He can be reached contractors and subsequent adjudicators rely
at 954/764-7060 or by e-mail at lperling@ on in making individual claim determinations
in the absence of written policy Of the
broadandcassel.com.
significant amount of available medical and
Many of the claim determinations scientific evidence on any particular item
made by Medicare contractors or service, which evidence can adjudicators
on a day-to-day basis involve throughout the appeals process use to support
the application of national or local coverage decisions to either affirm or reverse the denial
determinations (NCDs or LCDs), statements
of national or local policy that describe does Medicare ensure that the evidence
of a claim Perhaps most importantly, how
whether and under what circumstances ultimately used is reliable
Medicare will cover particular items and services.
Because these policies are promulgated The answers to these questions have become
pursuant to strict statutory procedures and particularly relevant of late as a result of
must be developed based on reliable scientific a problematic trend in Medicare appeal
evidence, Medicare contractors’ decisions determinations. Recently, Medicare appeal
about coverage and medical necessity, made adjudicators have been relying on articles and
as a result of these policies, should in turn be information featured on Internet Websites
the result of reliable scientific evidence. The as bases for denying Medicare coverage for
existence of these policies is intended to provide
for greater consistency in Medicare claim two recent QIC reconsideration notices ref-
health care items and services. For example,
determinations, if not on a national scale, erencing Internet links to information posted
then at least at the local level.
on www.audiologyonline.com, www.entlink.
net, and www.vestibularmedicine.com, to
But in cases where no NCD, LCD, or other support their denial of reimbursement for
formal written policy is applicable, contractors
must make individual determinations the point made in this article regarding the
services. Interestingly, and perhaps supporting
based on the facts of the particular case. reliability (or lack thereof) of information
If these claims are appealed, adjudicators posted online, two of the three web links
such as qualified independent contractors referenced are either no longer accessible or
(QICs) and administrative law judges (ALJs) temporarily unavailable.
must also make determinations without
the guidance of formal written policies. In One would think that Medicare would forbid
contrast to the highly regulated process of contractors’ and adjudicators’ use of on-line
medical or scientific evidence, not only
because of its inherent unreliability, but also
because of the lack of predictability in claim
determinations created by contractors’ and
appeal adjudicators’ use of such Websites.
But Medicare rules do not appear to prohibit
the practice. In fact, Medicare standards for
contractors’ and appeal adjudicators’ coverage
and medical necessity determinations in the
absence of formal written policy are vague or
non-existent.
Standards for determining coverage
The Medicare Act confers on beneficiaries
entitlement to a range of medical services
defined only by broad categories. For
example, Medicare Part A hospital insurance
provides coverage for in-patient hospital
services, hospice services, skilled nursing
facility services, and some home health
services. Medicare Part B covers physician’s
services, diagnostic services, durable medical
equipment, and a variety of other services not
covered under the hospital insurance plan.
The Medicare Act also sets forth certain statutory
exclusions from coverage. For example,
cosmetic procedures, custodial care, and
dental care are never covered under Medicare.
By far the most expansive statutory exclusion
from coverage is the prohibition on “payment
for items and services . . . not reasonable and
necessary for the diagnosis or treatment of
illness or injury or to improve the functioning
of a malformed body member.” 1 Aside
from the limited statutory exclusions just
described, Congress did not define what is
considered “not reasonable and necessary.”
Instead, it vested authority in the Secretary
of Health and Human Services to determine
what is “medically necessary.” In turn, the
Medicare Act authorizes the Secretary to enter
into contracts with entities providing that
the latter will determine whether a particular
Continued on page 24
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
23
October 2008

Medicare’s medical necessity criteria: A mystery in the making ...continued from page 23
medical service is covered by Medicare, and
if so, the amount of the reimbursable expense
for that service. That is the role of Medicare
contractors.
Medicare has developed a complex system for
developing coverage policies. Contractors first
look to NCDs, which state whether Medicare
will cover a particular item or service on a
national basis, and often, the circumstances
under which it will be covered. NCDs are
binding on all Medicare contractors and
on adjudicators throughout the Medicare
appeals process. If no applicable NCD exists,
Medicare contractors look to coverage provisions
in Medicare’s interpretive manuals, or
develop LCDs. LCDs serve the same purpose
as NCDs, but apply only on a contractorwide
basis and do not have a binding effect
on adjudicators in the claims appeals process,
although adjudicators must give “substantial
deference” to an LCD that applies in a
particular case.
Numerous rules exist regarding the development
and promulgation of NCDs and LCDs.
For example, LCDs must be based on “the
strongest evidence available,” including
www.broadandcassel.com
clinical trials, scientific data, or the consensus
of expert medical opinion. Similarly, NCDs
must be supported by a compilation of objective
clinical scientific evidence that measures
the medical benefits of the item or service.
These and other guidelines ensure that
determinations based on NCDs and LCDs
are supported by reliable evidence.
In the absence of a NCD or LCD, or other
formal written policy, a contractor may still
make a determination on a claim, but must
do so based on the individual’s particular
factual situation. 2 In contrast to the numerous
requirements and guidelines for the
development of NCDs and LCDs, very little
published guidance exists regarding the procedures
a contractor must undertake or the
evidence a contractor is authorized to use
in making individual claim determinations.
Medicare policies do, however, state that
contractors may not make automated claim
denials (i.e., computer-generated denials that
involve no personal review) in the absence
of a clear written policy such as an NCD or
LCD. In addition, Medicare policies require
that, in making individual claim determinations,
contractors follow standard guidelines
We’ve made it a practice
to deal with solutions.
Our attorneys are available to handle
a full range of services including:
Health and Hospital Law
Regulatory and Transactional Work for Physicians,
Ambulatory Surgical Centers and Hospitals
Medical Practice Consolidation
White Collar Criminal and Civil Health Fraud Defense
Corporate Liability, Compliance and Governance
and Corporate Investigations and Voluntary Disclosure
Litigation and Administrative Proceedings
for Health Care Organizations and Professionals
For more information, please contact:
Gabriel Imperato, Managing Partner
One Financial Plaza, Suite 2700, Fort Lauderdale, FL 33394
954-764-7060 | gimperato@broadandcassel.com
BOCA RATON DESTIN FT. LAUDERDALE MIAMI ORLANDO
TALLAHASSEE TAMPA WEST PALM BEACH
for determining that a service is reasonable
and necessary. Those guidelines require that
contractors conclude that a service is reasonable
and necessary only when the item or
service is:
n Safe and effective;
n Not experimental or investigational; and
n Appropriate, including the duration and
frequency that is considered appropriate
for the service, in terms of whether it is:
o Furnished in accordance with accepted
standards of medical practice for the
diagnosis or treatment of the patient’s
condition or to improve the function of
a malformed body member;
o Furnished in a setting appropriate to
the patient’s medical needs and condition;
o Ordered and furnished by qualifying
personnel;
o One that meets, but does not exceed,
the patient’s medical need; and
o At least as beneficial as an existing and
available medically appropriate alternative.
3
There appear to be no guidelines that address
how a contractor should determine when
an item or service is “safe and effective,”
“appropriate,” etc., and what evidence it is
permitted to rely upon in order to come to
that conclusion. This poses a problem for
providers and suppliers, who benefit from
anticipating which items and services receive
Medicare coverage and which do not.
The absence of NCDs and LCDs impacts not
just a contractor’s initial determination on a
claim. When claims initially adjudicated on
a case-by-case basis are appealed, subsequent
adjudicators will also make determinations
without the aid of NCDs or LCDs. In those
situations, Medicare guidance as to what
evidence or authority those adjudicators may
rely on is virtually nonexistent.
October 2008
24
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Is no notice enough notice
Legal principles require that the government
afford certain procedures (known as “due
process”) before depriving individuals of
important life, liberty, or property interests.
Among those procedures is the right to
receive adequate notice before the government
undertakes to deprive an individual of
one of these protected interests. Providers’
and suppliers’ right to receive reimbursement
from the Medicare program is arguably one of
the important property interests to which the
protections of due process apply, especially
when providers or suppliers have already
performed the services for which they are
being denied payment. It is for this reason
that Medicare and its contractors are subject
to strict rules requiring that proposed NCDs
and LCDs be published before they become
effective.
Notice of this sort should also be required in
the case of individual claim determinations.
Providers and suppliers have an important
property interest at stake, that being their
right to reimbursement by the Medicare program,
at least for services which have already
been performed. They should not be deprived
of that right without adequate notice of the
information and evidence a contractor will
use in making coverage determinations.
Adequate notice would allow providers and
suppliers to make informed recommendations
to beneficiaries and adjust their treatment
options accordingly.
Instead, it appears that Medicare contractors
and adjudicators are systematically denying
claim reimbursement to providers and
suppliers, whose remuneration and benefits
under the Medicare program will be affected,
without adequate notice of the kinds of evidence
they use to make those determinations.
The notice problem is magnified when the
type of authority contractors and adjudicators
may use includes Internet Websites, because
of the vast amount of information available
on-line. It is unreasonable to charge providers
and suppliers with a duty of knowing which
information on what Websites that Medicare
will use to support its coverage and medical
necessity determinations.
Medicare’s vague or non-existent coverage and
medical necessity standards and inadequate
guidance in making individual claim determinations
ultimately threaten providers’ and
suppliers’ ability to practice and earn income.
Without meaningful standards and useful,
reliable, and consistent guidance, providers
and suppliers are often left with no choice
but to assume the risk of non-payment if a
contractor or adjudicator deems the item or
service not to be covered, or worse still, not
furnish the item or service at all. Beneficiaries
also have an interest in access to clear
information regarding what the Medicare
program will cover to foster confidence in
the health care system and to allow informed
decision-making on their part.
Limitations on liability
The Medicare Act provides financial relief to
providers and suppliers by permitting Medicare
to make payment for items and services
for which Medicare payment would otherwise
be denied in instances where the provider or
supplier knew, or could reasonably have been
expected to know, that the items or services
were not covered. These rules are known
as the “limitation on liability” provisions.
Medicare contractors determine whether the
provider or supplier had prior knowledge
that services or items would likely be denied
or whether knowledge reasonably could have
been expected.
Aside from having received notice from
Medicare (in the form of either actual written
notice to the provider or supplier, or manual
instructions, bulletins, directives, etc.) that
the same or similar items or services are
not covered, the only other evidence of a
provider’s or supplier’s fault that a contractor
can consider is the provision of items
and services in a manner “inconsistent with
acceptable standards of practice in the local
medical community.” Medicare policy states
that “acceptable standards of practice in the
medical community” are determined by
looking to:
published medical literature, a consensus
of expert medical opinion, and consultations
with their medical staff, medical
associations, including local medical societies,
and other health experts. “Published
medical literature” refers generally to
scientific data or research studies that have
been published in peer-reviewed medical
journals or other specialty journals that
are well recognized by the medical profession,
such as the New England Journal
of Medicine and the Journal of the
American Medical Association. 4
Providers or suppliers who are found at fault
under the limitation on liability provisions
may appeal that determination. Those whose
individual claims have been denied based
on evidence from Internet Websites (in the
absence of formal written policy) and who
did not receive any other form of written
notice from Medicare that the same or similar
claims were not covered, may have a good
argument that their fault determination
should be reversed. In order to argue this successfully,
the on-line information referenced
in a contractor’s notice of decision cannot be
material reprinted from a source which could
be considered “published medical literature.”
In addition, providers or suppliers should
be prepared to present evidence, perhaps by
medical associations or health experts, that
the consensus of medical opinion and/or
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
25
October 2008

ONLINE WITH RESIDENCIES AT
GW’s ALEXANDRIA, VA CENTER
Graduate Certificate in
Healthcare
Corporate
Compliance
Acquire the compliance officer
knowledge in demand today.
Unique Format. Seven-month,
12 credit program, with two short
residencies and online distance
learning between residencies.
Master the key concepts of
high-priority healthcare laws
including federal fraud and
abuse law, governance and
corporate responsibility, HIPAA,
federal tax law, and more.
Enjoy unparalleled access.
Learn from a world-class faculty
teamed with senior regulators,
legislators, patient advocates and
legal experts.
Stackable Credentials. Apply
this certificate toward a Master’s
of Public Health degree.
Program offered by the College
of Professional Studies and
School of Public Health &
Health Services, in partnership
with the law firm of Feldesman
Tucker Leifer Fidell LLP.
Information Sessions
Wednesday, Oct. 29
1:00 pm ET
Online
Thursday, Nov. 20
1:00 pm ET
Online
Rsvp Today!
1.800.JoinGWU
nearyou.gwu.edu/hcc
CCB
Accredited
CCB
Medicare’s medical necessity criteria: A mystery in the making
...continued from page 25
community standards do, in fact, support coverage of the items or
services at issue.
Conclusion
Under the current system, Medicare is not prevented from infinitely
expanding the sources of information upon which its contractors’
and adjudicators’ individual claim determinations are based. The
fact that Medicare appeal adjudicators have begun to use articles
posted on Internet Websites as bases to support adverse claim
determinations only reinforces that conclusion. Challenging this
practice based on Medicare’s limitation on liability provisions may
or may not prove successful. In any case, that would provide only
a temporary fix. A permanent solution to this problem is needed.
Medicare’s formal written policies delineate the type of medical
and scientific evidence NCDs and LCDs may be based on. Similar
guidance should be applicable to contractors’ individual claim
determinations. This would prevent contractors from resorting to
Internet Websites to support their claim determinations, a practice
which is detrimental to providers, suppliers, and the Medicare
system as a whole. n
1 42 U.S.C. § 1395y(a)(1)(A).
2 See Heckler v. Ringer, 466 U.S. 602, 617 (1984) (acknowledging that the Secretary has discretion to either
establish a generally applicable rule or allow claim adjudication on a case-by-case basis).
3 Centers For Medicare And Medicaid Services, Medicare Program Integrity Manual (Pub. 100-08), Chapter
13, §§ 13.3, 13.5.1.
4 Centers for Medicare and Medicaid Services, Medicare Claims Processing Manual (Pub. 100-04), Chapter
30, § 40.1.3.
Be Sure to Get Your CHC CEUs
Inserted in this issue of Compliance Today is a quiz related to
the articles:
n The 1-2-3s of claims sampling to resolve overpayment
errors — By B. Bo Martin, page 32
n Quality of care and compliance: Existing challenges and
first steps for hospitals — By Cheryl L. Wagonhurst and
Nathaniel M. Lacktman, page 46
n Complying with the HIPAA Privacy Rule: What you need to
know — By Rebecca C. Fayed, page 59
To obtain your CEUs, take the quiz and print your name at the
top of the form. Fax it to Liz Hergert at 952/988-0146, or mail
it to Liz’s attention at HCCA, 6500 Barrie Road, Suite 250,
Minneapolis, MN 55435. Questions Please call Liz Hergert at
888/580-8373.
33170
www.gwu.edu/gradinfo
THE GEORGE WASHINGTON UNIVERSITY IS AN EQUAL OPPORTUNITY/
AFFIRMATIVE ACTION INSTITUTION CERTIFIED TO OPERATE IN VA BY SCHEV.
Compliance Today readers taking the CEU quiz have one
year from the published date of the CEU article to submit
their completed quiz.
October 2008
26
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Exploring the question:
Does this really make
a compliance program
“effective”
Editor’s note: Catherine Boerner is president
of Boerner Consulting, LLC, a health care
consulting firm in New Berlin, Wisconsin. Ms.
Boerner was President of the HIPAA Collaborative
of Wisconsin (HIPAA COW) for three years
from 2005-2007 and helped revise the Hospital
Payment Monitoring Program (HPMP)
Compliance Workbook for the QIO community
and acute-care PPS hospitals. She may be
reached by telephone at 414/ 427-8263 or by
e-mail at cboerner@boernerconsultingllc.com.
From the US Sentencing Guidelines,
the Office of the Inspector General
(OIG) Guidance and Supplemental
Compliance Program Guidance documents,
American Health Lawyers Association
(AHLA) and OIG resource documents as
well as Corporate Integrity Agreements, I
think we all have a pretty good idea what the
government is looking for in a compliance
program. The structures and processes outlined
in these documents clearly show what
is expected of the infrastructure of a compliance
program, but still many people have
questions, especially within organizations.
Do all of these structures and processes really
make the compliance program effective If
we have these structures and processes, what
outcome measures can we look to in order
to demonstrate that the structures and processes
are working or are effective And even
if these structures and processes are working,
based upon these outcome measures, is our
compliance program, as a whole, really “effective”
in detecting and preventing regulatory
compliance risks
By Catherine Boerner, JD, CHC
Compliance culture
If you want to make the argument that you
do not need all of the structures and processes
(otherwise known as the seven elements)
outlined in the OIG Supplemental Guidance
to be “effective,” you would need to start by
demonstrating that you have achieved some
of the most important outcome measures of
the compliance program, perhaps despite the
lack of certain structures and processes.
The most important outcome measures
involve demonstrating that a strong culture
of compliance has formed and is sustainable.
This strong culture of compliance needs to be
evident not only throughout the workforce,
but especially at the management level. I
think it is important to explore what a strong
culture of compliance means and explore
how you prove it to an external auditor or the
government.
Cultures can be difficult to measure as they
evolve. I like to quote Roy Snell, CEO,
HCCA when he said “Many people get into
trouble more often because of the way they
deal with or react to their mistakes, rather
than for the mistakes themselves.” This speaks
directly to culture. How does your organization
respond to mistakes or issues that it
becomes aware of Many of you experience
(even within a strong compliance culture)
that as compliance issues get raised, a sense
of urgency follows to investigate and bring
the issue to resolution. However, you lose
steam at the end of the process and weeks
turn into months, and before you know it,
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
six months have gone by without obtaining
the corrective action and follow-up necessary
to prevent it from happening again; let alone
putting it on next year’s compliance work
plan to monitor the resolution (if you have an
annual work plan) or putting it on next years
compliance audit plan to actually perform a
follow-up audit (if you have an annual audit
plan). Other priorities present themselves and
if you don’t have the structure and process
to track the issue in your compliance log
and have a compliance committee follow its
progress and receive updates, the outcome of
concluding the investigation appropriately
will not be achieved. Here I would argue that
the structure and process of the reporting
mechanism is part of an effective compliance
program and will help improve the outcomes
of consistently resolving the issues promptly
and following up on corrective action.
I have seen evidence of a strong compliance
culture measured through employee survey
results; however, behind the scenes, the
compliance program infrastructure lacked the
Compliance department or management proactively
addressing compliance risks. Serious
gaps were identified with sustaining compliance
with the changing billing regulations. If
key managers are not engaged or, more likely,
do not have the support and/or budget within
their department to keep up with regulatory
change and risk, a compliance culture alone
will not keep you out of trouble.
Therefore, even with the compliance culture
being a main goal, you would have to concede
that without the structures and processes, it
is very difficult to keep up with the changing
regulatory environment and continue to focus
upon and proactively mitigate compliance risks
in the organization. So, I would argue that the
compliance culture is really not enough, by
itself, to demonstrate compliance.
Continued on page 29
27
October 2008

Streamline workflow
Enhance compliance
Reduce costs
MediTract helps healthcare professionals reduce the
cost of doing business so they can focus on their
primary objective – providing the highest
levels of patient care.
MediTract’s Conflict of Interest Disclosure Statement
(COIDS) tracking system automates the distribution,
submission and management of conflict of interest
disclosure statements, and provides a way to track conflicts
disclosed and report the resolution of those conflicts.
Authorized user control
Real-time access
Centralized, secure database
REGAIN
CONTROL
OF YOUR
CONTRACTS
DEMONSTRATE CONTROL
EMPOWER STAFF
STREAMLINE OPERATIONS
MONITOR COMPLIANCE
IMPROVE ACCESS
The TractManager® solution
and patented process
MediTract’s flagship product, TractManager®, is a complete turnkey process
that provides all the labor necessary to scan, build, maintain and update a
hospital’s contract files that have been built into a customized and centralized
contract document database.
October 2008
28
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
www.meditract.com
1-877-492-8490

“Does this really make a compliance program “effective”” ...continued from page 27
Effectiveness is the important link between
the structure and process measures and
the outcome measures. The more you can
demonstrate that you have the structures
and processes of the seven elements and that
they are working by demonstrating outcome
measures, the closer you are to arguing that
you have an effective compliance program.
Structure measures refer to how the elements
of the compliance program are organized and
the capacity of the organization to prevent
and detect violations of law. Process measures
refer to the manner in which the organization
seeks to prevent and detect violations of
law. Outcome measures refer to observable,
measurable indications of preventing and
detecting violations of law and creating a
compliant culture. The compliance culture
outcome measures can be tied directly into
whether there is awareness of these structures
and processes and how to use them. For
example, you have the structure of a reporting
mechanism, a hotline. You have a process to
record in a compliance log concerns reported
and take appropriate action, and from an
employee survey you can demonstrate that
90% of employees surveyed knew about the
compliance reporting hotline. This demonstrates
one of many links of the effectiveness
of the reporting mechanism.
I find it helpful to measure effectiveness by
breaking the compliance program down into
its elements and measuring the effectiveness
of each element. For example, I have broken
down the elements of a compliance program
into the following phases:
Phase I: Authorization
Phase II: Code of Conduct
Phase III: Policies and Procedures
Phase IV: General Training Programs
Phase V: Specialized Training
Programs
Phase VI: Reporting Mechanism
Phase VII: Monitoring and Auditing
Phase VIII: Response and Prevention
Phase IX: Enforcement and Discipline
Each phase has many structure, process, and
outcome measures to help demonstrate the
effectiveness of that element of the compliance
program. This process makes it easy to
determine areas of strength and weakness
within the compliance program in more of an
objective manner.
Boerner Consulting, LLC, through its partnership
with Mediregs, is using its effectiveness
assessment, ComplyMark TM , to also start
scoring compliance programs in an effort to
one day provide a benchmark. An example is
provided below:
This heatmap can help you see that you may
have acceptable structures and outcomes, but
if your processes are weak, it may be difficult
to sustain the outcomes of your compliance
program overtime. It can also help you
demonstrate results in areas of your program
where you have been focusing your efforts
and how to further obtain balance in your
compliance program.
Regulatory risks
In discussing the effectiveness of the
structures and processes of your compliance
program tied to outcome measures, you may
be wondering: What if, despite our compliance
program infrastructure, we don’t discover
our lack of compliance with an important
regulation Does an “effective” compliance
program mean you are in compliance with
every regulation Are there certain regulations
that mean your compliance program should
be deemed not “effective” if you find out you
are not complying with them
This leads you back to: What are the
structures and processes you can point to in
order to demonstrate that you have reacted
appropriately to regulatory compliance
concerns reported, conducted investigation,
taken corrective action, etc.
Continued on page 30
Phase Description Structure Process Outcome Score
Phase I Authorization 22 of 28 6 of 6 12 of 14 40 of 48
Phase II Code of Conduct 2 of 2 10 of 12 8 of 8 20 of 22
Phase III Policies and Procedures 2 of 4 1 of 4 13 of 22 16 of 30
Phase IV General Training 10 of 10 6 of 6 10 of 10 26 of 26
Phase V Specialized Training 4 of 8 3 of 12 4 of 6 11 of 26
Phase VI Reporting Mechanisms 3 of 4 4 of 6 18 of 18 25 of 28
Phase VII Monitoring and Auditing 5 of 12 10 of 16 8 of 8 23 of 36
Phase VIII Response and Prevention 2 of 2 5 of 10 6 of 8 13 of 20
Phase IX Enforcement and Discipline 2 of 2 4 of 4 9 of 10 15 of 16
Overall Score 52 of 72 49 of 76 88 of 104 189 of 252
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
29
October 2008

“Does this really make a compliance
program “effective””
...continued from page 29
Also, what are the structures and processes
you can point to in order to demonstrate that
you have been proactive in trying to address
regulatory risk by performing an annual risk
assessment based upon the OIG Work Plan,
Conditions of Participation, etc, prioritized
areas to monitor and audit each year and
completed such activities.
certified in
CHC
healthcare
compliance
The Compliance
Professional’s Certification
The Compliance Certification Board (CCB) compliance
certification examination is available in all 50 states. Join your
peers and become Certified in Healthcare Compliance (CHC).
In conclusion, this is not about being
perfect. This is about having the structures
and processes in place to proactively address
on-going regulatory risks and react and
respond appropriately to reported concerns of
potential non-compliance. n
Be Sure to Get Your
CHC CEUs
Inserted in this issue of Compliance
Today is a quiz related to the articles:
n The 1-2-3s of claims sampling to
resolve overpayment errors —
By B. Bo Martin, page 32
n Quality of care and compliance:
Existing challenges and first
steps for hospitals — By Cheryl
L. Wagonhurst and Nathaniel M.
Lacktman, page 46
n Complying with the HIPAA Privacy
Rule: What you need to know —
By Rebecca C. Fayed, page 59
To obtain your CEUs, take the quiz and
print your name at the top of the form.
Fax it to Liz Hergert at 952/988-0146,
or mail it to Liz’s attention at HCCA,
6500 Barrie Road, Suite 250,
Minneapolis, MN 55435. Questions
Please call Liz Hergert at 888/580-8373.
Compliance Today readers taking the
CEU quiz have one year from the
published date of the CEU article to
submit their completed quiz.
CHC certification benefits:
n Enhances the credibility of the
compliance practitioner
n Enhances the credibility of the
compliance programs staffed by
these certified professionals
n Assures that each certified
compliance practitioner has the
broad knowledge base necessary to
perform the compliance function
n Establishes professional standards
and status for compliance
professionals
n Facilitates compliance work for
compliance practitioners in dealing
with other professionals in the
industry, such as physicians and
attorneys
n Demonstrates the hard work and
dedication necessary to perform the
compliance task
Since June 26, 2000, when CHC
certification became available, hundreds of
your colleagues have become Certified in
Healthcare Compliance. Linda Wolverton,
CHC, says she sought CHC certification
because “many knowledgeable people work
in compliance and I wanted my peers to
recognize me as one of their own.”
For more information about CHC
certification, please call 888/580-8373,
e-mail ccb@hcca-info.org or click on the
CCB Certification button on the HCCA
Web site at www.hcca-info.org. n
Congratulations on achieving
CHC status! The Compliance
Certification Board announces
that the following individuals have
recently successfully completed the
Certified in Healthcare Compliance
examination, earning CHC
designation:
Catherine M. Duffy
Carol A, Kriebel
Marshall Vernon Preddy
Beth-Ann Nmn Saul
Amy Katherine Terrell
CHC-F
Debbie Troklus
Steve Ortquist
Shawn DeGroot
Rita Scichilone
Christine Bachrach
Sheryl Vacca
Marti Arvin
John Falcetano
October 2008
30
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Certification – the
recognized mark of a
professional
By Margaret Dragon
The survey also indicates a 6% increase for
the compliance certification requirement for
attorneys. (Survey results are available on the
HCCA website at www.hcca-info.org under
the “Compliance Info” tab).
Editor’s note: Margaret Dragon is Director of
Communication for the Society or Corporate
Compliance and the Health Care Compliance
Association. She may be reached by e-mail at
margaret.dragon@corporatecompliance.org or by
telephone at 781/593-4924.
Why go through the preparation and process
of becoming certified Why do so many
employers prefer certification when hiring
Compliance department staff What value
does certification hold for the compliance
and ethics professional Compliance Today
asked a number of compliance and ethics
professionals these and other questions about
compliance and ethics certification, and here
are the results.
Employers take notice
It is common knowledge that certification
indicates a certain level of competency in a
specific profession, so it is no surprise that,
more and more, compliance certification
is becoming preferred or even required.
According to Compliance Certification Board
(CCB) President Debbie Troklus, CHC-F
“Employers believe compliance and ethics
professionals, who have taken the time to
obtain certification, demonstrate a high level
of knowledge in the field and dedication to
the profession.”
Professional certification provides employers
with “assurance of competency and also
demonstrates a personal commitment to
excellence,” explains Rita Scichilone, MHSA,
RHIA, CCS, CCS-P, CHC-F, Director,
Practice Leadership with the American Health
Information Management Association.
With an increasingly competitive workforce,
employers can and are requiring professional
credentials, explains Scichilone. “Some
employers may widen their search by listing
a compliance position as CHC [Certified in
Healthcare Compliance] or CCEP [Certified
Compliance and Ethics Professional]
preferred, since it can be a negotiation factor
for the right individual,” said Scichilone.
“Compliance certification lends credibility to
the candidate,” adds Troklus.
Compliance and ethics professional Shawn
DeGroot, CHC-F, CCEP, Vice President of
Corporate Responsibility for Regional Health
in Rapid City, South Dakota points out that
during her interview with Regional Health
Board of Directors, the compliance credential
“relayed the point that I was personally and
professional motivated to continue to learn
and improve.” DeGroot says that she requires
compliance certification for the Director
position [at Regional Health] or [requires]
that he/she “attain the credential within two
years.”
Survey confirms trend
Recent survey results agree with Scichilone
and DeGroot. According to a national survey
conducted by the Health Care Compliance
Association (HCCA) in 2008, the compliance
certification requirement has steadily
increased since it first began tracking this
information in 2006. For example, the 2008
survey indicated that 21% of the respondents
require Assistant Compliance Officers be
CHC, up from 17% in 2006; during that
same time, the certification requirement for
Compliance Generalists increased by 7%.
John Falcetano, CCEP, CHC, CHC-F,
CHRC, CIA, Chief Audit & Compliance
Officer for the University Health Systems of
Eastern Carolina, says he prefers certification
when hiring Compliance department staff.
“I have worked with my staff and encourage
them to become certified. In fact, one of my
staff just completed the Research Academy in
June 2008 and became Certified in Healthcare
Research Compliance (CHRC).”
Heightened credibility
Employers are hiring certified compliance and
ethics professionals. “The credential provides
increased credibility in the industry on both
the individual and organizational levels,” says
Robert Lesser, Deputy Director, McHenry
County Mental Health Board, in Crystal
Lake, Illinois... “Having a credentialed staff
demonstrates that both the individual and the
organization are committed to ensuring that
they will be meeting the required standards,
whether they related to financial, clinical,
legal, or licensure requirements,” he added.
Lesser suggests that having a certified compliance
officer “facilitates confidence in the
minds of monitoring entities. The regulators
who monitor know that their monitoring
activities will likely occur with greater ease,
because of the increased likelihood of finding
record keeping performed in a manner that
facilitates easier review and accuracy.”
Compliance certification is a job requirement
and it “was a factor in the decision to interview
me for the job,” said Danna Teicheira,
CHC, CCEP, Compliance Specialist/Privacy
Continued on page 88
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
31
October 2008

The 1-2-3s of claims
sampling to resolve
overpayment errors
By B. Bo Martin, PhD
Recovery Audit Contractors or other payer
agents) present their allegations and quantifications
of significant overpayment errors.
Other parties should be held to the same
minimum standard of rigor and scientific
validity as health care providers.
Editor’s note: B. Bo Martin is Associate Director
with Navigant Consulting. He may be reached
by telephone in Chicago at 312/583-6921 or by
e-mail at bmartin@navigantconsulting.com.
Sampling claims to resolve overpayment
errors is now a common practice
in the health care industry. The
measurement of error rates and the quantification
of overpayments no longer require that
every potential error be reviewed. It is also, in
some ways, a practice unique to this industry.
Many health care providers routinely rely on
claims sampling to test for potential errors
and to quantify overpayments that they have
received from government payers in order to
self-disclose these errors. 1
Claims sampling adds rigor and scientific
validity to a health care providers’ compliance
program. This article assesses when claims
sampling can be most helpful and outlines
the major considerations in implementing a
claims sampling process.
Why sample
Before initiating claims sampling, it is critical
to address certain questions that concern the
overall process: Why use claims sampling
instead of a review of an entire claims
population If sampling is preferred, why
are the results acceptable as representative
in measuring an error rate and quantifying
an overpayment for the entire population
The answer to the first question is practical:
sampling should be used when it is more
cost-effective, quicker, or less disruptive,
and still sufficiently precise for resolving an
investigation or dispute concerning overpayment
errors.
The answer to the second question, about
accepting a claims sample as representative
for a population, concerns two statistical
principles: bias and precision. The method
of randomly drawing a claims sample helps
to prevent the introduction of biases into the
final results. Random sampling removes the
proverbial “hand on the scales”—either as
too light or too heavy—for the measurement
and quantification by those conducting the
review. Furthermore, the larger the sample
size, the greater the sample’s precision for
measuring an error rate and quantifying an
overpayment in the population. (We will
explore the determination of sample size in
the next section.)
After a claims sampling process is completed,
other critical questions may arise about the
details in the process. Unfortunately, a flaw
in one step in the process can impact the
scientific validity of any final measurement or
quantification for a population. It is therefore
important to have a comprehensive plan
from the outset that can address practical
issues when they arise, because addressing
them later may not be possible. Several steps
should be considered in developing a claims
sampling plan.
How to sample
A health care provider should generally follow
certain major steps for sampling claims to
resolve payment errors. These steps should
also be assessed when other parties (e.g.,
There are six major steps or milestones in
the overall process for claims sampling, and
critical considerations within these steps. The
following practical observations and relevant
case examples are not meant to be all-inclusive,
but rather alert the reader to the types of
questions that should be asked and answered
as fully as possible in advance. Claims
sampling will never be a strictly cookie-cutter
process in which the same actions are taken
and the same formulas are used. It is essential
to document the questions and answers that
occur during a specific sampling exercise.
Much of scientific validity is based on the
ability to re-create the process at each step.
Step 1: Define the potential error
This first step of defining the potential error
that led to a potential overpayment has the
important effect of regulating all of the subsequent
steps. It can become very difficult to
quantify an error from the collected, sampled,
and analyzed data if the error was not defined
at the beginning. This definition can be based
on non-statistical observations about how a
health care provider’s operations may cause
errors in claims and lead to corresponding
overpayments. Conversely, it can be misrepresentative
to quantify overpayments from
sampled claims for a potential error that has
no other reasonable indication of occurring.
For example, consider the current issue of
potential errors in one-day stay admissions.
Not every one-day stay admission needs to
be reviewed in order to measure the rate at
which some stays were admitted in error.
Instead, sampling a portion of claims may
October 2008
32
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

suffice. This potential error can be considered
broadly, (i.e., for all one-day stay admissions
at a hospital) or narrowly (i.e., for one-day
stay admissions only for a certain type of
care). Both have advantages in terms of
measuring an error rate and quantifying
overpayments. Yet, if this potential error is
defined broadly, it might be difficult later to
confirm common root-causes for stays that
were incorrectly coded as an admission. If
this potential error is defined narrowly for
a certain type of care, it will be improper
to later extrapolate the sample results to all
admissions at a hospital.
Step 2: Create sampling units and a
sampling frame
Sampling units and a sampling frame are
technical terms that should be easy to define
in any review. A sampling unit is what will
be individually reviewed (e.g., a one-day stay
admission that may be in error). A sampling
frame is an “enumerated listing” of all the
sampling units for the review (i.e., a listing
of all one-day stay admissions with each
assigned a unique and identifying number).
A sampling frame can be as simple as a
spreadsheet with each claim listed in its own
row and with its identifying number.
A sampling frame should be validated against
contemporaneous reports. For example, if a
review defined errors in overpayments only
for one-day stay admissions for pneumonia
cases during a certain year, then the number
of units in the sampling frame should be
validated to the number of admissions that
had been recorded for this type of case during
that year. This validation helps to establish the
reasonableness of the final extrapolation of
the sample results to a certain population.
Step 3: Randomly draw and analyze a
probe sample
RAT-STAT statistical software, freely available
from the OIG, 2 is very helpful for randomly
drawing samples, calculating a full sample
size, and extrapolating sample results for a
population.
A probe sample has a relatively small size,
typically 30 to 50 sampling units. The
analysis of the probe sample will enable the
reviewer to roughly measure the error rate
and roughly quantify the overpayments. Neither
this measurement nor the quantification
will be sufficient to report final results about
a population. Rather, the analysis of a probe
sample can be a decision-point for continuing
or stopping the review.
If the error rate or average overpayment is de
minimus in the probe sample, then it might
be considered very unlikely for the population’s
error rate or total overpayments to be
sufficiently large to merit reporting. Even by
this step, the beneficial (and, hopefully, not
frustrating) consequences of defining the
potential error in overpayments will be fully
apparent to the reviewer.
Step 4: Calculate the size for a full sample
Several factors are used to calculate the size
for a full sample. The reviewer must choose a
desired confidence level and desired precision,
and the probe sample can provide the
roughly estimated variation with respect to
the error rate and the overpayments among
the sampling units in the sampling frame.
The greater the desired confidence level, the
greater the desired precision, or the greater
the variation among the sampling units, then
the larger the full sample will be. Precision
is occasionally expressed only as a precision
percentage during this step. The precision
percentage is the width of the confidence
interval divided by the rate or average. This
can be confusing, because a smaller value
implies greater precision.
The following question is often asked about
the necessary size for a full sample: How small
is still big enough Abraham Lincoln was
reportedly once asked how long a person’s legs
needed to be in order for the person to be a
strong leader. His response was that the person’s
legs needed to be long enough to reach
the ground. Analogously, the size for a full
sample will be large enough for the desired
confidence level, the desired precision, and
the variation among the sampling units. If an
initially calculated sample size is considered
to be too big for practical reasons, then it
can only become smaller if the requirements
for the desired confidence level or desired
precision are diminished.
In the example of a review of one-day stay
admissions, overpayments among one-day
stay admissions for pneumonia cases may
have less variation than the overpayments
among all one-day stay admissions. The
sample size for a review of one-day stay
admissions for pneumonia would, therefore,
be smaller. As an aside that appears almost
paradoxical, the size of the population has a
rapidly diminishing effect on this calculation
the larger that the population becomes.
Step 5: Randomly draw and analyze a full
sample
By step 5, most of the statistical criteria
underlying the scientific validity of the claims
sampling process have been completed. Put
another way, planning for all of the prior
steps is essential to avoid regrets as considerably
more information about the error rate
and overpayments is learned by the analysis of
a large number of sampling units at this stage.
A full sample can be used to measure the
error rate and quantify the overpayments
for a population. This may be done by a
straightforward process of extrapolation – the
Continued on page 69
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
33
October 2008

Innovative Services.
Delivering Solutions.
Meade & Roach, LLP is dedicated to delivering health care regulatory
compliance solutions. We have earned a reputation for providing hands-on
solutions to complex compliance needs. We not only understand the law,
we understand our clients. Together with our affiliate, Aegis Compliance &
Ethics Center, LLP, our firms are dedicated to health care compliance.
Our clients represent a broad array of health care organizations, from
academic medical centers to hospital systems to stand-alone specialty
facilities as well as large physician practice groups and public health
organizations.
• Medicare/Medicaid Compliance
• Clinical Research Compliance
• Fraud & Abuse/Stark Analysis
• Voluntary Disclosure Representation
• Compliance Training & Education
• HIPAA Privacy & Security
• Corporate Compliance Program Effectiveness Reviews
• Internal Investigations
• Compliance Auditing & Monitoring
For more information, contact one of our partners listed below or visit
meaderoach.com.
October 2008
34
Ryan Meade Michael Roach Steve Ortquist
Health Care 312.498.7004 Compliance Association • 888-580-8373 312.286.4501 • www.hcca-info.org 312.285.4850
rmeade@meaderoach.com mroach@meaderoach.com sortquist@meaderoach.com

Introducing Compliance & Ethics Social Networking ...continued from page 9
network or maybe just a daily digest), and
then click “save.” Your e-mail address is never
shared with other users, unless you send it to
them directly.
After that, you’ll be notified, based on your
communications preferences, whenever something
new is posted. You can stay abreast on
how people are handling issues, or better yet,
get into the discussion yourself.
And, posting your own question is easy. Just
fill out the simple, online form and your
question goes out to members of the e-group.
What if there isn’t a group that meets your
needs You can easily create a new group.
Just make sure it’s a broad enough topic so
that there are lots of others who share your
challenge. For example, compliance with a
specific issue posed by one state is probably
too narrow, but dealing with a law that has
national or global impact is highly worthwhile.
To make it easier for you to connect with
others in the ethics and compliance community,
be sure also to fill out your personal
profile while you are on the site. You can list
past job experience and areas of interest and
expertise. That way, when you reach out with
a question, other users will be better able to
respond to your needs. And, the more people
fill out their profiles, the easier it will be for
you to find someone with the expertise you
need to answer your questions. You might
also want to keep in touch with people you
met at a Compliance Academy, the Compliance
Institute, or other training.
While you are on the site, be sure to check
out the document library, where you will
find more than 2,000 documents to draw
upon to help improve the effectiveness of
your program. The information you need will
be at your fingertips, so you won’t have to
reinvent the wheel when writing a new policy
or regulation.
Over the next few months, we’ll be turning
on additional functionality, such as the ability
to create your own blog. All of this gives you
more value from your HCCA membership
and helps you collaborate with your peers.
Getting started with the Compliance &
Ethics Social Network is easy. Just come to
www.hcca-info.org, click on Network, and
start exploring. Once you’ve had a chance
look around, we welcome your feedback and
insights for improving the site. If you are
having difficulties with the site, please don’t
hesitate to ask for assistance! n
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
35
October 2008

Improving
competitiveness and
compliance through
agent/broker online
training
Editor’s note: Susan Mollet is an MMA Unit
Manager at Health Care Services Corporation
in Chicago. She may be reached by telephone at
312/819-1627.
Martha Braunstein is a Health Care Practice
Leader at Kaplan EduNeering in Princeton,
NJ. She may be reached by telephone at
609/627-5300.
When it was introduced, the
Medicare prescription drug benefit
was heralded as the most significant
government-sponsored health benefit
since the start of the Medicare program. For
those of us in the health insurance industry,
the new program represented both a business
opportunity and a pathway to expanding the
way in which we could fulfill our primary
commitment to providing critical health care
coverage to millions of Americans.
During the three years since the program’s
inception, the Centers for Medicare and
Medicaid (CMS) has revised its compliance
requirements and begun publishing audit
findings on its website. These findings have
driven changes in the regulatory environment,
including a strong focus on the training of
downstream entities, specifically the brokers
and agents who sell Medicare Advantage,
Medicare Advantage prescription drug plans
(MAPD), and stand-alone prescription drug
plans (PDPs).
By Susan Mollet and Martha Braunstein
Compliance training responsibilities
In its Draft 2009 Call Letter, CMS repeated
its compliance expectations for MAPD and
PDP plans, saying “…we remind organizations
that they are responsible for the actions
and sales agents/brokers, whether they are
employee or contracted.” In the same call letter,
CMS stated, “Organizations must ensure
agents/brokers are properly trained in both
Medicare requirements and the details of the
products being offered.” New regulations
clarified and expanded health plan responsibilities
related to agent and broker training.
With the addition of the new requirements,
both MAPD and PDP plans must comply
with the compliance regulations for brokers
and agents including:
n Effective training, education, and lines of
communication between their compliance
officers and all of their first-tier, downstream,
and related entities, including
brokers and agents regardless of whether
they are employees or subcontractors;
n Appropriate oversight of the compliance
training requirements are delegated to
outside parties, with sponsors expected to
have training logs and copies of attestations
from first-tier, downstream, or related entities
about compliance with the training and
education requirements. Section 422.2 and
423.4 define downstream entities to include
(but are not limited to) pharmacy benefit
managers, mail-order pharmacies, retail
pharmacies, firms providing agent/broker
services, agents, brokers, marketing firms,
and call center firms;
n A January 1, 2009 deadline that all
elements of the compliance plan must
include measures to detect, correct, and
prevent fraud, waste, and abuse (FWA);
n A January 1, 2009 deadline that all
compliance plans must include voluntary
self-reporting procedures for potential
fraud and abuse;
n Voluntary self-reporting procedures for
potential fraud and misconduct, with selfreports
going to CMS or its designee;
n MAPDs and PDPs must assure that
brokers and agents pass a written test with
a minimum score of 80% and to report
to states that they are using brokers and
agents consistent with state licensing
requirements.
Compliance and business
Inevitably, regulatory compliance must be
achieved regardless of economic or market
conditions, but today’s MAPD and PDP
health plans face particular challenges to ensure
that brokers and agents are properly trained in
Medicare requirements and the details of each
product being offered. First, health plans are
turning to brokers with networks of hundreds
or thousands of dispersed agents, some who
are employed by the brokerage agency and
others who are subcontracted or sell policies
on a freelance basis. Until now, the plan had
no need to communicate directly with those
individual agents.
Second, this dispersion of agents and an
agent turnover rate of about 20% caused
by intense competition for qualified sales
personnel, creates growing opportunities for
non-compliance and increases the difficulty of
tracking agents authorized to sell an organization’s
health plans. Equally significant for
training professionals committed to ensuring
comprehension of the subject matter, agents
October 2008
36
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

who typically sell multiple plans or change
agencies have become increasingly resistant
to “another compliance training program.”
Absent guidance from CMS, agents may be
required to take several compliance-mandated
training courses that have not always been
inspiring.
The final complicating factors are the market
and the need for all companies to be efficient
and cost-effective in their operations. Competition
among health plans to retain current
members and attract new members will only
increase as the pool of unaffiliated Medicare
beneficiaries decreases. In order for health
plans to comply with regulations and budgets,
training has to produce demonstrable
cost, compliance, and learning results beyond
merely achieving regulatory requirements.
The MAPD and PDP compliance training
program at Health Care Services Corporation
(HCSC) is achieving all three objectives.
n Comply with CMS requirements for
broker and agent training, ensuring that
all agents were trained and that all broker
agencies agreed to HCSC’s business
contract;
n Ensure consistent training throughout
the HCSC organization, including both
internal and external audiences;
n Create a database of agents authorized to
sell our products. (Among the states we
serve, only Texas does not require such a
database.) We needed to track not just the
employees of each agency, but the subcontractors
who were selling our policies.
n Optimize compliance training through its
use as a tool to develop and support agent
loyalty;
n Reduce training costs, which had previously
relied on in-person training that
required virtually non-stop travel by
HCSC employees throughout our fourstate
service region.
they can be automatically authenticated and
approved for training.
The capabilities of the solution were familiar
to HCSC because it was already being used
for other in-house compliance training. The
solution uses the application service provider
(ASP) or hosted model, which allows data
to be stored securely outside our firewall and
virtually eliminated the capital, administrative,
and maintenance costs associated with
purchasing new infrastructure. This was key,
because we could not allow non-employees,
such as agents, brokers, or other downstream
entities to enter our firewall to take the training.
Finally, the solution creates the documentation
required by CMS, including e-signature
validation that all learners have received the
training courses and have been tested for
comprehension of each course’s subject matter.
The documentation of all training activities is
available in audit-ready format.
HCSC business and compliance goals
HCSC serves members in four states through
our Blue Cross/Blue Shield divisions in Illinois,
Texas, New Mexico and Oklahoma. Our
MAPD and PDP plans are offered through
our subsidiary HCSC Insurance Company
(HISC).
In September 2007, we launched a training
program that was offered through November
14. In compliance with CMS’ rules, we
stopped the training on November 14, the
day prior to the beginning of the enrollment
period for 2008 MAPD and PDP plans. Our
training program was developed to achieve
well-defined goals that supported the HCSC
commitment to “best in class” service to our
members. Our objectives included:
n Provide our members with unequalled
service by ensuring that all agents are
equipped to accurately explain our plan to
current or potential members;
Achieving our training objectives
The MAPD and PDP compliance training
program at HCSC reflects an enterprise-wide,
long-term approach. Because of the number
and diverse locations of agents, we chose an
online training system that supported remote
workers, met CMS’ documentation needs, and
provided the critical management capabilities
for an efficient, cost-effective program.
The program was built on the decision to
create a single program that would be used by
all brokerage agencies, regardless of their state
locations. We developed a program based
on an enterprise-wide, compliance-specific,
learning management system and MAPD and
PDP specific-training courses (herein referred
to as the solution). Agents with authorization
to sell our Medicare-regulated prescription
drug plans are required to self-register for the
training. All 21,000 HCSC-authorized agents
have been pre-loaded into the system, so that
Before receiving any training material, each
broker is required to sign a contract (i.e.,
licensing agreement) with HCSC’s specific
conditions for performance. Only after signing
the agreement does the agent then receive
an online “package” containing a producer
training course, three forms, and a survey
that must be completed as the final element
of the training program. The producer
training course is broken into seven chapters:
Overview, enrollment, plans, formulary,
prescription policy, marketing guidelines,
and fraud, waste, and abuse. The three forms
contained in the agent’s training package are
the company’s Medicare and Government
Contracts Compliance Program, a Compliance
Checklist, and the HISC Amendment,
which includes the commission structure.
Each chapter of the seven courses concludes
with a learning activity and challenge. An 80%
Continued on page 69
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
37
October 2008

focus
feature
Coordinating external requests for
information in the Compliance Office
October 2008
38
By Cornelia M. Dorfschmid, PhD
is conducted. Health care providers who have effective compliance
programs will avoid meeting these demands one at a time. Instead,
Editor’s note: Cornelia M. Dorfschmid is Executive Vice President
they will develop a solid response strategy to process external requests
with Strategic Management in Alexandria, VA. She may be reached by
for information and data from government agencies, CMS contractors,
oversight bodies, accreditation organizations, and independent
telephone at 703/683-9600, ext. 419 or by e-mail at cdorfschmid@
strategicm.com.
auditors in a manner that coordinates efforts across departments and,
as part of effective compliance risk management, leverages their own
The need for organization-wide strategies for coordination of requests
data analysis and review capabilities.
for data, records, and patient information has taken higher priority in
the Compliance Office these days. Despite of increased automation
Request for information
and software tools available to compliance officers, the handling of
Health care providers can receive a host of requests for data, medical
records, billing information and claims data, the Disclosure of
particular external requests for information warrants a fresh look.
Financial Relationships Reports (DFRR) on physician arrangements,
A Compliance Office is faced with a multitude of coordination
or policies and procedures from a myriad of requestors, including:
challenges. Examples include the coordination of compliance training
efforts with other training initiatives across the organization, compliance
investigations with legal counsel and the Human Resources
Medicare
n Zone Program Integrity Contractors (ZPIC) [formerly Program
department, and risk assessments related to regulatory requirements
Safeguard Contractors (PSC)] that focus on billing fraud
and quality-of-care issues. Facilitating the coordination and cooperation
across departments is nothing new to an effective Compliance
n Medicare Administrative Contractors (MACs) [formerly Carriers
and Fiscal Intermediaries] that process all types of Medicare claims
Office. It is part of the compliance officer’s job. However, a new
n Recovery Audit Contractors (RACs) that audit for Medicare claims,
coordination challenge has moved to the forefront.
focus on billing errors and overpayments, and work on contingency
basis
The Deficit Reduction Act of 2005 (DRA) strengthened Medicaid
n Comprehensive Error Rate Testing (CERT) contractors that conduct
random post-payment reviews of Medicare claims
enforcement. A change in the enforcement landscape and Medicare
reform brought a shift in the Center for Medicare & Medicaid
n Medicare Quality Improvement Organizations (QIO) [successors
Services (CMS) strategy to fight fraud and abuse. The Medicare
of Peer Review Organizations (PRO)] that focus on quality of care
Integrity Program and new national Medicaid Integrity Program are
at the center of CMS’s long-term antifraud and abuse strategy, which
Medicaid/State
is focused on return on investment of enforcement efforts. In this
n Medicaid Integrity Contractors (MICs) that audit claims of providers
of Medicaid services to identify overpayments
context, new CMS contractors will request claims data and medical
records, aggressively use data mining and statistical analysis to find
n Payment Error Rate Measurement (PERM) auditors that review
payment errors, and have access to a powerful data warehouse containing
vast amounts of information on providers and payment data. At
Medicaid claims and beneficiary eligibility
n State Medicaid Fraud Control Units (MFCUs) that investigate state
the same time, boards of directors and external auditors are calling for
Medicaid fraud
increased transparency of how organization-wide risk management
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

n State OIG that fight Medicaid fraud and abuse (e.g., New York,
Texas) and investigate and analyze claims – a growing trend to
implement State OIG offices has been noted
General
n Department of Health and Human Services Office of Inspector
General (OIG)
n Joint Commission [formerly Joint Commission on Accreditation of
Healthcare Organizations (JCAHO)]
Requests are most commonly made by a “demand letter” via mail or
fax, but may also involve e-mails, phone calls, and scheduled or unannounced
site visits by an investigator or auditor. Subpoenas and search
warrants are also a possibility. Unless there is coordination across
the organization (based on written procedures) when these requests
are made, unnecessary legal and compliance risks can arise or be
aggravated. For example, a communication failure due to a non-timely
response or a submission of a response letter that misses input, informational
material, or prompt corrective action from some departments
because they may remain unaware of the request or were inadequately
informed, can pose legal, financial, and compliance risks. Such failures
typically also involve a waste of resources, and even delay corrective
action of detected or alleged systemic problems. When responding
to an allegation or billing problem stated in the demand letter, being
aggressively proactive is also important. Corrective measures should be
put in place or at least be underway if substantial overpayments or lack
of adequate controls are alleged. It is critical that “the left hand knows
what the right hand is doing” to be proactive.
Taking responsibility to master the challenge
Two types of coordination challenges are associated with external
requests for information: (1) the communication and handling of
the incoming request, and (2) the coordination of the response and
appropriate corrective action. The Compliance Office may want to
take the lead in facing the coordination challenge.
A critical success factor in mastering the communication challenges is to
engage various departments and assign responsibility, especially in larger
health systems. Health care providers may consider the following:
n Designate an initial coordination response team (ICRT) with members
of the senior leadership. The Chief Financial Officer (CFO),
Legal Counsel (LC), Chief Operating Officer (COO), Chief
Information Officer (CIO), and Compliance Officer (CO) should
be considered as members of the ICRT.
n Ensure that the ICRT takes responsibility for coordinating the processing
the external requests. Their responsibility is to notify each
other when they become aware of an external request and ensure a
concerted effort.
n Assign responsibility for maintaining a central tracking system, and
n Educate employees about requestors and the proper reporting of
requests up the chain or to ICRT members.
Auditing & monitoring
The Compliance Office is a logical choice for taking on the responsibility
of logging requests and responses. Alternatively, the Legal
department may take on the task. As a quality assurance measure, the
Internal Audit department and/or Compliance Office should periodically
audit the request handling process and provide the executive-level
Compliance Committee with a report on the major external requests
and request-processing statistics (e.g., turnaround time and outcome,
appeals involved, monetary impact, facilities affected, etc).
Getting Started. The Compliance Office that leads the charge of
coordination may want to consider the following to get organized:
1. Develop a policy and procedure on coordinating, communicating,
and handling requests for information from government
entities and external organizations. The policy includes the role
of an ICRT or similar task unit and is approved by the executive
Compliance Committee.
2. Flowchart the process to illustrate clearly how a request and related
documents are to be routed. Include regular status updates on the
requests.
3. Make an inventory of current requests in process and categorize
them, if not already done.
4. Develop a communication and training strategy to make employees
aware of how to report any incoming requests for information
and educate them on the new policy and procedure. Educate
employees on the common types of requests with examples, the
role of the ICRT, new types of contractors and sources of requests,
and the basic reporting expected of them. Incorporate this effort
into the compliance training program.
5. Dedicate staff in the Compliance Office to maintain a request
tracking and logging system in accordance with a written procedure.
6. Implement an electronic request tracking system that can be easily
maintained long-term. Categorize the requests into routine and
non-routine and severity of potential problems, payment errors, or
control weaknesses.
7. Use software that includes a database (e.g., a Microsoft Access
Continued on page 41
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
39
October 2008

Online Compliance Training
authored by
Developed by eHealthcareIT
authored and updated by
CORPORATE COMPLIANCE (76 COURSES)
HIPAA COMPLIANCE (13 COURSES)
Admissions & Registration (3)
Coding & Pricing in the Laboratory
Allied Health Services (6) Processing Laboratory Orders (3)
Patient Relationships
Management Responsibilities in
HIM Coding Compliance (2) the Health Care Environment (4)
HIM General Compliance (2) Nursing Documentation (4)
HIM Compliance Management (3) Patient Financial Services (3)
Home Care (3) Physician Coding (2)
Home Health (3) Physician Documentation (9)
Hospice (4) Skilled Nursing (5)
Home Medical Equipment (2)
Medical Necessity Requirements
Intro to the Regulatory Environment (3) in the Laboratory (2)
Laboratory Administration (2) EMTALA (9)
HIPAA (13)
CUSTOM COURSES (Organizational General Compliance, Code of Conduct,
DRA, Ethics, etc)
CLIENTS RECEIVE:
• Customization to all courses including introductory pages
from your compliance department.
• Interactive Courseware with Compliance Case Studies & Scenarios
• Option to utilize your facilities current eLearning system or
eHealthcareIT's award winning eLearning system that features
discussion forums, compliance alerts, multiple communication
tools and automatic reports.
• Subject matter experts with functional and operational expertise:
PricewaterhouseCoopers.
• Custom Corporate Compliance Administrators manual
COURSEWARE DESIGNED FOR THE
FOLLOWING AUDIENCES:
Coders • Billing/Financial Services • Pharmacy • Admitting • Home Care
Nurses/Patient Care Providers • Finance • Physicians-Employed • Discharge
Planning • Compliance/Audit Laboratory • Hospice
ER Support Staff • Cardiac Services • ER Nursing • Therapies
Registration • HIM • Physicians-Not Employed • Volunteers • Board Members
Skilled Nursing/Long Term Care • Nursing Management
Additional online training curriculums available include:
HFMA: Billing, Finance, Avoiding Claims Denials, & Cost Control, Coding,
Reimbursement, Disaster Preparedness, Clinical CE’s & Joint Commission
eHealthcareIT
eLearning & IT Solutions
For further information or to arrange
a product demonstration please
email: info@ehealthcareit.com
or call 1-800-806-0874.
www.ehealthcareit.com
October 2008
40
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Coordinating external requests for information in the Compliance Office ...continued from page 39
database and Excel worksheet; off-the-shelf vendor software application;
a Web application that allows for tracking of compliance
incidents/events; document management software that logs documents
and assigns responsibilities for follow-up).
Discuss with the Information Technology (IT) department the options
for a implementing a request tracking system that fits the organization’s
needs, configuration, and update issues. Include the possibility
of integrating the requested correspondence files as electronic attachments.
Explore how to implement secure access controls.
Review major data fields carefully when organizing the request
tracking system. Activities, dates, documents, and responsibilities
typically need to be logged in some type of field. Fields that hyperlink
or electronically reference the main requestor documents and final
response documents (e.g., demand letter by the government agency,
provider’s response correspondence) would be helpful.
Resources
CERT is a federally mandated program-integrity activity established
by CMS to monitor and report the accuracy of Medicare fee-forservice
(FFS) payments to physicians and non-physician practitioners.
CERT contractors use CERT program information to determine
which services are experiencing high error rates. See http://www.cms.
hhs.gov/CERT/
DFRR (Disclosure of Financial Relationships Reports) are used by
HHS as part of a “strategic and implementing plan.” DFRR are meant
to address certain issues relating to physician investment in specialty
hospitals. HHS also stated that it would require all hospitals to
provide information on a periodic basis concerning their investment
and compensation relationships with physicians pursuant to 42 CFR
§411.361. See http://www.cms.hhs.gov/PhysicianSelfReferral/05b_
Disclosure.asp
Consider keeping all correspondence documents electronically. For
example, scan all paper documents into Adobe PDF files (or similar
format) and maintain these as electronic document attachments in the
database of the request tracking system or in a dedicated drive on the
network. Maintain version control between draft documents and final
documents.
The data fields in a robust request tracking system should capture
data, such as the date of initial request, requestor name and contact
information, and any response due dates. The system should also log
who at the provider was first contacted and which department and
person is assigned to lead the effort to prepare the response. A date
field to capture the day the ICRT was alerted and a data field for
ICRT action taken may be helpful. In addition, fields that organize
dates and documents related to the correspondence with the requestor
(e.g., demand letter, response letter(s), appeal, etc.) help organize
the tracking. Finally, data fields that capture internal actions taken,
final outcome, closure date, and whether attorney-client privilege is
applicable, may be needed. n
MACs (Medicare Administrative Contractors). CMS is in the process
of replacing current contracting authority with MACs to administer
the Medicare Part A and Part B FFS programs. MACs will also take
on payment error review functions previously carried out by Quality
Improvement Organizations (QIOs). See http://www.cms.hhs.gov/
MedicareContractingReform/ and http://www.cms.hhs.gov/AcuteInpatientPPS/downloads/InpatientReviewFactSheet.pdf
PERM (Payment Error Rate Measurement) auditors operate in a
three-part sequence: sampling, collecting, and reviewing FFS and
managed care Medicaid claims from providers in each state. Each state
only participates in PERM once every 3 years. See http://www.cms.
hhs.gov/PERM/ and http://www.cms.hhs.gov/PERM/Downloads/
StatesSelectedForPERM.pdf
RACs (Recovery Audit Contractors) are a demonstration program
and strategy begun by CMS to identify overpayments and underpayments
to Medicare in New York, Massachusetts, Florida, South
Carolina, and California. The RAC Program is being expanded to a
50-state permanent program. By 2010, CMS plans to have 4 RACs in
place, each responsible for approximately one quarter of the country.
See http://www.cms.hhs.gov/RAC/ and http://www.cms.hhs.gov/
RAC/10_ExpansionStrategy.asp
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
41
October 2008

Academies
of
Health Care
Compliance
Upcoming Compliance Academies in 2008 and 2009
November 3-6
Hard Rock Hotel | Orlando, FL
December 1-4
Westin Horton Plaza | San Diego, CA
February. 2-5, 2009
The Argonaut | San Francisco, CA
March 9-12, 2009
Dallas, TX
June 1-4, 2009
Scottsdale, AZ
August 10-13, 2009
Chicago, IL
November 16-19, 2009
Orlando, FL
November 31 – December 3, 2009
San Diego, CA
Advanced Compliance
HCCA’s Advanced Compliance Academy
offers four days of intensive, in-depth health care compliance education
for the experienced compliance professional!
Dallas, TX
October 20-23, 2008
Westin City Center
San Francisco, CA
June 22-25, 2009
San Antonio, TX
October 26-29, 2009
October 2008
42
Register online at www.hcca-info.org

The what, why and
how of Medicare
Coverage Analysis –
Part I
Editor’s Note: Ofer Amit is a manager at Huron
Consulting Group, Clinical Research Solutions
and Healthcare Compliance practice in Chicago.
He may be reached by telephone at 312/451-
5628 and via email at
oamit@huroncosultinggroup.com.
This is Part I of a two-part article.
Clinical research has become an
integral part of modern clinical
medicine. It is critical to the effective
practice of medicine, essential to the improvement
of patient care and to the development
of novel therapies, and instrumental in affording
patients access to therapies that would
not be otherwise available to them. However,
clinical research billing presents a regulatory
and operational challenge to clinical trial
sites: private practices, community hospitals,
health systems, and academic medical centers
alike. The challenge is embedded in a precise
balance that a clinical trial billing operation
must strike between billing third-party payers
for all that is allowed, and yet only for what
is allowed. A compliant and effective clinical
research operation is dependent upon three
major elements:
n A clear and consistent definition of allowable
charges;
n A reliable and consistent method to
identify and document the legitimacy of
billing for items and services provided in
the course of each clinical trial; and
n A dependable and verifiable research trial
billing system that can correctly account for
and execute informative billing instructions.
By Ofer Amit
In Part I of this article we lay the statutory
foundations, provide background, and offer
definitions for clinical research billing when
Medicare is the third-party payer. Many
other third-party payers follow Medicare’s
rules and regulations. Hence, in practicality,
this article discusses coverage analysis for
clinical research at large.
The roots of the Medicare Coverage Analysis
(MCA) – the systematic review of a clinical
trial’s documentation and a determination of
chargeability of items and services provided in
the course and as part of a trial – are embedded
in the Medicare Bill 1 which was passed
by Congress in 1965 as part of the Social
Security Act (SSA). 2 Title XVIII to the SSA
vests the authority to determine Medicare
coverage in the Secretary of Health and
Human Services (HHS) and provides a scope
of benefits. The SSA specifically excludes
Medicare coverage for items or services which
“…are not reasonable and necessary for the
diagnosis or treatment of illness or injury or
to improve the functioning of a malformed
body member.” 3 In addition, the law lays the
responsibility for billing the federal government
only for allowable items and services
on the billing entity’s shoulders. The False
Claims Act, also known as the “Lincoln
Law” and originally passed by Congress in
March 1863, 4 establishes the responsibilities
of persons or entities presenting claims
(in the context of this discussion, a request
for payment) to the federal government. It
imposes civil and criminal liabilities against
a person or entity which knowingly submits
(or causes another to submit) a false claim for
payment and/or uses a false record to obtain
a payment (where “knowingly” is defined
as demonstration of reckless disregard or
deliberate ignorance.)
The Health Insurance Portability and
Accountability Act of 1996 (HIPAA), known
for its provisions regarding security and
privacy of health information, addresses
specifically the application of the False Claims
Act (FCA) in the health care arena and allows
for the exclusion from Medicare participation
of a provider convicted in FCA violation. 5
Congress, in turn and as part of the Balanced
Budget Act of 1997,6 directed the Health
Care Financing Administration (HCFA) to
study preventive and enhanced benefits under
Medicare with specific focus on “…routine
patient care costs for beneficiaries enrolled in
approved clinical trial programs.” 7 The study
by HCFA (now called the Centers for Medicare
and Medicaid or CMS) led to President
Clinton’s executive memorandum of June
7, 2000 directing the Secretary of HSS to
“…explicitly authorize payment for routine
patient care costs...and costs due to medical
complications associated with participation in
clinical trials.”
CMS subsequently responded by issuing a
National Coverage Decision on the Routine
Costs of Clinical Trials in September 2000
(known as NCD 310.1, Routine Costs in
Clinical Trials). CMS issued the most recent
version of NCD 310.1 effective July 2007,
naming it the Medicare Clinical Trial Policy
(CTP). 8
The CTP includes requirements and limitations
on coverage. In addition, it reiterates
the policy to not withdraw coverage for items
or services that may be otherwise covered
by (what was once called) Local Medical
Continued on page 45
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
43
October 2008

Every day, clinical and research
programs face pressure to
enhance operations and strengthen
controls and compliance.
Intense government focus on fraud
and abuse as well as the enhancement
of compliance programs are critical
areas for all healthcare organizations
and research sites.
Huron can help alleviate these pressures. With
more than 40 experienced professionals devoted
to healthcare compliance and clinical research
solutions, our team is well prepared to help you
benefi t from our expertise. Our services include:
• Investigations
• Operations improvement
• Responsible conduct of research
• Budgeting, contracting, and Medicare
coverage analysis
• Accreditation Process
• IRB and Human Research Protections
Compliance
• Medicare Coverage Analysis (MCA)
• Documentation, coding, and billing services
• Compliance effectiveness
Huron Consulting Group helps clients effectively address complex challenges that arise in litigation, disputes, investigations, regulatory compliance, procurement,
financial distress, and other sources of significant conflict or change. The Company also helps clients deliver superior customer and capital market performance through
integrated strategic, operational, and organizational change. Huron provides services to a wide variety of both financially sound and distressed organizations, including
Fortune 500 companies, medium-sized businesses, leading academic institutions, healthcare organizations, and the law firms that represent these various organizations.
www.huronconsultinggroup.com
1-866-229-8700
October 2008
44
© 2008 Huron Consulting Group Inc. All Rights Reserved
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
01/08

The what, why and how of Medicare Coverage Analysis – Part I ...continued from page 43
Review Policies (LMRPs), now named Local
Coverage Determination or LCDs). 9 LCDs
are crafted by Medicare contractors – Carriers,
Fiscal Intermediaries (FIs), and Medicare
Administrative Contractors (MACs) – to
address national or local policy gaps that
may result in billing for services or items that
could be considered neither reasonable nor
necessary. LCDs make up the majority of
current coverage determinations; they contain
decisions that supplement the CTPs; LCDs
may differ between contractors. A National
Coverage Analysis (NCA) may be initiated
to set rules that settle inconsistencies or vast
differences between LCDs.
A National Coverage Analysis (NCA), a
formal evidence-based evaluation process,
may also be triggered by industry, Carriers,
beneficiaries, and others. 10 The NCA considers
input from the Medicare & Coverage Advisory
Committee (MCAC), experts, and the
public in formulating rules about coverage. 11
Guidance about coverage is also available
from certain compendia. 12 The American
Medical Association Drug Evaluations and the
American Hospital Formulary Service (AHFS)
Drug Information, for example, are acceptable
as authoritative sources for the determination
of a “medically-accepted indication” for a drug.
The Medicare Coverage Database (MCD) 13
contains all NCDs, LCDs, local policy articles,
NCA reports, Coding Analyses for Labs
(CALs), MCAC proceedings, and additional
coverage guidance documents, which are
available to the MCA professional as a resource
in determining Medicare coverage for an item
or service.
Of special interest is Medicare coverage for
clinical trials involving medical devices.
Although the CTP allows reimbursement
for items and services that are “…reasonable
and necessary…” and are for “…diagnosis or
treatment…” these provisions were historically
interpreted as requiring that the service
or item (i.e., the device) is also safe and effective,
medically necessary and appropriate, and
not experimental (where experimental was
interchangeably used with investigational).
In September 1995, the regulator [the Food
and Drug Administration (FDA)], and the
purchaser [CMS] thus entered an interagency
agreement 14 that:
n Grouped medical devices, for coverage determination
purposes, into two categories
(A and B), and
n Extended Medicare coverage to select
Category A devices and, to a larger extent,
to certain Category B devices.
Category A devices are defined as “Innovative
devices believed to be in class III medical
device for which absolute risk of the device
type has not been established.” Category
B devices are defined as “Nonexperimental
and/or investigational devices believed to be
in classes I or II medical device 15 or devices
believed to be in class III where the incremental
risk is the primary risk in question or it is
known that the device type can be safe and
effective.... 16
Medicare coverage determinations are embedded
in a complex and, at-times, inconsistent
array of guidelines, manuals, Prospective
Payment Systems (PPS), and publications
– many of which are available at CMS’ website.
17 Criteria for coverage, on the other hand,
are derived from the regulations. 18 They state
that a clinical trial considered for potential
Medicare coverage for routine costs must:
1. Have the purpose of evaluating an item or
service that belongs to a Medicare benefit
category,
2. Have a therapeutic intent, and
3. Enroll patients with a diagnosed disease.
However, Medicare coverage is extended only
to routine costs in a trial that is:
1. Deemed as automatically qualified; or
2. Qualified by virtue of a certification by
the Principal Investigator (PI) that it
meets qualification criteria; or
3. Its routine costs are allowed under Coverage
with Evidence Development (CED).
Although option 2 above (certification by the
PI) is allowed per the regulations, no steps
were taken to date to implement it and, from
a practical standpoint, the option is currently
unavailable. A clinical trial is automatically
deemed as qualified if it is:
1. Funded by the National Institute of
Health (NIH), the Center for Disease
Control and Prevention (CDC), the
Agency for Healthcare Research and
Quality (AHRQ), CMS, the Department
of Defense (DOD), or the US Department
of Veterans Affairs (VA); or
2. Supported by a center or cooperative
group which is funded by the NIH,
CDC, AHRQ, CMS, DOD or VA; or
3. Conducted under an Investigational New
Drug application (IND) reviewed by the
FDA; or
4. Exempt from having an IND and until qualifying
criteria are developed and the process
for certifying trials by the PIs is in place.
To qualify a trial that is not deemed automatically
qualified, a PI is required to certify
that it meets the following criteria:
1. It tests whether the intervention potentially
improves the participants’ health
outcomes.
2. It is well-supported by scientific and
medical information or intends to clarify
or establish the health outcomes of interventions
already in common clinical use.
3. It does not unjustifiably duplicate an
existing trial.
4. It is properly designed to address the corresponding
hypothesis.
Continued on page 52
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
45
October 2008

Quality of care and
compliance: Existing
challenges and first
steps for hospitals
By Cheryl L. Wagonhurst, Esq, CCEP and Nathaniel M. Lacktman, Esq, CCEP
members, key leadership, and physicians
need, at a minimum, a general understanding
of the government’s quality-of-care efforts
regarding payments, public reporting, and
enforcement. Educating these key leaders on
quality- of-care compliance is an essential first
step in the process.
Cheryl L. Wagonhurst is a partner with the Los
Angeles office of Foley & Lardner LLP, where she
is a member of the Health Care Industry Team
and the White Collar Defense and Corporate
Compliance Practice, and focuses primarily on
internal investigations, compliance, and health
care regulatory matters. Ms. Wagonhurst is a
member of the advisory board of the Society of
Corporate Compliance and Ethics. She may
be reached at 310/975-7839 or by e-mail at
CWagonhurst@Foley.com.
Nathaniel M. Lacktman is an associate in the
Tampa, Florida office of Foley & Lardner LLP,
where he is a member of the Health Care Industry
Team and its White Collar Crime and Corporate
Compliance Practice Group and focuses on health
care litigation, medical staff peer review, qui
tam actions, internal investigations, and defense
against enforcement actions by state and federal
regulators. He may be reached at 813/225-4127
or by e-mail at NLacktman@Foley.com.
Compliance officers, in-house counsel,
and other health care professionals
should by now be aware that
the government has made quality of care a
top priority. The government’s three-prong
approach seeks to:
n incentivize quality of care through payment
reform,
n drive quality of care transparency through
public reporting, and
n enforce quality of care through the False
Claims Act and other federal and state
mechanisms.
Many of these professionals understand
that quality of care poses significant compliance
risks to hospitals, including potential
individual liability for the high-ranking
executives, board members, physicians, and
owners. Despite their awareness, these same
professionals are struggling to figure out how
to address quality of care and minimize its
attendant compliance risks.
Foley & Lardner LLP is providing Compliance
Today with an ongoing series of articles
designed to address these questions. This
article, the first in the series, highlights the
challenges hospitals face when managing
quality-of-care compliance. It also discusses
the first steps a hospital should take to address
the compliance implications of quality-of-care
failures, including education and a quality
of care/legal risks audit. Several topics are
broadly discussed, including Recovery Audit
Contractor (RAC) audits, all of which will
be addressed in greater depth as this series
of articles unfolds. Forthcoming articles will
include: (1) tools and mechanics of a quality
of care/legal risks audit; (2) quality of care
enforcement; (3) quality-based payments
and reimbursement; (4) quality of care
compliance and the medical staff; (5) public
reporting and quality of care; and (6) quality
of care, data mining, and RAC audits.
Awareness and education challenges
Before a hospital can address the compliance
implications of quality of care, its leadership
must understand the connections between
quality and compliance. Executives, board
The lack of board education and oversight on
quality issues is troubling. A Joint Commission
research effort conducted interviews
with CEOs and Board Chairs at 30 hospitals
in 14 states, and revealed that “the level of
knowledge of landmark Institute of Medicine
(IOM) quality reports among CEOs and
board chairs was remarkably low” and that
there were significant differences between the
CEOs’ perception of the knowledge of board
chairs and the board chairs’ self-perception. 1
This disconnect has not been lost on the
Office of Inspector General (OIG), that is
beginning to look to boards to ensure fiscal
integrity and oversight. 2
One approach to education would divide
key personnel into categories (e.g., executives,
board members, physicians, and care
staff) and provide tailored education to each
group. Certain quality-of-care issues are more
appropriate for the board, whereas other
issues would resonate better with physicians.
Use education modules (again tailored to each
group) for the training. This approach can
help standardize the education process, collect
feedback from the trainees, and create a
documented record of the hospital’s qualityof-care
education efforts.
The order in which personnel are trained is
also an important aspect to consider. Certain
key executive positions (e.g., CEO, general
counsel, director of quality) will be the champions
for a compliance officer who is seeking
resources for quality of care efforts, and
therefore, it is important for those individuals
October 2008
46
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

to hear the message first. Educating the
board is the next step and there is already an
excellent resource available for board education:
Corporate Responsibility and Health
Care Quality: A Resource for Health Care
Boards of Directors. 3 This resource, issued
jointly by the OIG and the American Health
Lawyers Association (AHLA), should be
required reading for boards, senior management,
and compliance officers. According to
the report, a “new era of focus on quality and
patient safety [is] rapidly emerging, and oversight
of quality also is becoming more clearly
recognized as a core fiduciary responsibility of
health care organization directors.” 4
Boards must provide an appropriate level of
oversight of health care services to satisfy their
core fiduciary duties to the hospital. Board
members who breach these duties may be
exposed to personal liability. Board members
owe a duty of care, requiring them to exercise
appropriate care in their decision-making
process. Generally, the duty of care is satisfied
when directors act in good faith, with the
care that an ordinarily prudent person would
exercise in similar circumstances, and in a
manner they reasonably believe to be in the
best interests of the hospital.
Because the duty of care has been interpreted
to require that directors actively inquire
into the hospital’s operations, educational
materials should be designed to help board
members ask knowledgeable and appropriate
questions related to quality and quality
reporting requirements, as well as the metrics
employed. Education and active involvement
will help board members establish, and affirmatively
demonstrate, that they have followed
a reasonable process for quality oversight.
Boards need not approach these issues alone.
Once the board is “on board” with the
compliance officer’s quality-of-care efforts,
the board should seek periodic updates from
executive staff on hospital quality-of-care
initiatives and how the hospital intends to
address legal issues associated with those
initiatives. When quality shortcomings are
identified, the board should allocate appropriate
resources to address the gaps including,
for example, enlisting the help of outside
attorneys and consultants to evaluate quality
risk areas within the hospital.
Organizational challenges
Hospitals are large, complex organizations
created (like many other large businesses)
in a bureaucratic structure with specialized
departments and groups, each focusing on a
different aspect of the hospital. This structure
is useful for efficiency and specialization,
but has limited capabilities to readily share
information across and between departments.
This problem is known as “siloing.” Lewis
Morris, Chief Counsel to the Department of
Health and Human Services (HHS) OIG,
recognized the issue when he said,
“When looking at some of these very large
[health care] corporations, there is a siloing
of responsibility, which has the effect
of inadequate cross[ing] of information
between the peer review/quality people
and the compliance people. The different
components of a health care organization
need to communicate and exchange
information with each other and boards
of directors can encourage this process.” 5
Compliance, Quality, and Peer Review
departments each deal, to a certain degree,
with quality-of-care issues, and there is an
overlap of subject matter. Yet, a hospital’s
compliance program traditionally is separate
and distinct from its quality assurance and
peer review programs. That type of structure
does not permit the information exchange
necessary to recognize and address the
compliance risks that can arise from poor
quality of care. Hospitals need to develop
structures that can transcend the department
silos and exchange quality-of-care information,
at least among the three departments for
which this exchange has become critical.
Challenges in the peer review process
Critics of the medical staff peer-review
process claim it has proven itself an ineffective
tool to resolve quality and safety issues, both
from the physician and the hospital perspective.
They contend that the current peer
review process is subject to bias and political
motive and cannot adequately help a hospital
meet government-imposed mandates on quality
of care. Of course, the peer review process
offers certain benefits. It enables physicians
to speak frankly, at a peer-to-peer level, on
quality issues and care processes. They are
sometimes more persuasive and receptive
when dealing with each other and often show
greater respect to the clinical judgment of
trained, experienced peers.
The most significant limitation in the traditional
peer review process, and the one which
poses the greatest compliance risk, is that the
process is largely retrospective and based on
isolated, past incidents. Constantly looking
backward, rather than identifying patterns
of care failures, the process is always reactive,
not proactive. The hearings are often lengthy
and can suffer significant delay caused by the
subject physician or simply the unavailability
of the hearing panel. These delays can permit
a pattern of poor quality or unnecessary care
to persist before the peer review process is
able to react.
Hospitals must consider new approaches
to integrate into the peer review process.
Consider real-time chart audits based on daily
monitoring of key quality indicators. If a
Continued on page 50
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
47
October 2008

HCCA’s 2009
Conferences
Education and networking
opportunities for you in 2009
Start planning now…
NATIONAL CONFERENCES
Audit & Compliance Committee Conference
February 23–25
Scottsdale, AZ
Managed Care Compliance Conference
February 22–24
Scottsdale, AZ
Fraud & Compliance Forum
October 3–5
Baltimore, MD
Quality of Care Compliance Conference
October 11–13
Philadelphia, PA
Physician Practice Compliance Conference
October 14–16
Philadelphia, PA
Research Compliance Conference
October 19–21
Chicago, IL
Compliance Institute
April 26–29
Caesars Palace | Las Vegas, NV
2 0 0 9
CAESARS PALACE
Las Vegas, NV
April 26–29, 2009
October 2008
48
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

COMPLIANCE ACADEMIES
February 2–5
San Francisco, CA
March 9–12
Dallas, TX
June 1–4
Scottsdale, AZ
August 10–13
Chicago, IL
November 16–19
Orlando, FL
November 30—December 3
San Diego, CA
ADVANCED ACADEMIES
June 22–25
San Francisco, CA
October 26–29
San Antonio, TX
RESEARCH
COMPLIANCE
ACADEMIES
June 15–18
San Francisco, CA
September 21–24
Orlando, FL
REGIONAL CONFERENCES
AUDIO/WEB CONFERENCES
Atlanta, GA | January 9
Orlando, FL | January 30
Dallas, TX | February 20
Anchorage, AK | February 26–27
Columbus, OH | May 8
New York, NY | May 15
Seattle, WA | June 5
Los Angeles, CA | June 26
Boston, MA | September 11
Minneapolis, MN | September 18
Kansas City, MO | September 25
Chicago, IL | October 2
Pittsburgh, PA | October 9
Honolulu, HI | October 15–16
Denver, CO | October 23
Nashville, TN | November 6
Louisville, KY | November 13
Phoenix, AZ | November 20
HCCA’s Audio/Web Conferences cover
hot topics throughout the year. Visit
www.hcca–info.org for up-to-date info
on upcoming conferences and to register.
www.hcca-info.org
888-580-8373
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
49
October 2008

Quality of care and compliance: Existing challenges and first steps for hospitals ...continued from page 47
pattern emerges, the hospital can take action.
Also consider a greater emphasis on patterns
(and projected patterns) of care. Physicians
should be permitted a degree of freedom
in their treatment style, but certain care
approaches pose a higher risk than others.
Treatments and medications constantly
evolve, and the hospital should identify
and address physicians who use outdated,
high-risk processes before bad outcomes are
manifested. Because nearly half of physicians
do not report medical incompetence by their
peers, the hospital cannot rely on physicians
to police themselves. 6
Challenges in the traditional medical staff
structure
As physician roles continue to change, the
traditional medical staff structure finds itself
ill-equipped to adapt to emerging compliance
and quality-of-care challenges. There
are an increasing number of hospital-based
physicians, including hospitalists, intensivists,
obstetrical hospitalists, and pediatric hospitalists.
Specialty lines have begun to blur with
cross-credentialed physicians playing multiple
roles on the care team (e.g., interventional
radiology/cardiology/neurology). The growing
number of outpatient-based physicians has
complicated the credentialing process and led
to reduced collegiality with the specialists and
hospital-based physicians.
As hospitals adapt to these physician-driven
changes, regulators mandate further change,
such as competency-based credentialing, standardization
of care processes, and increased
medical staff oversight of quality.
Another key change is the increased public
reporting of quality data, both on the hospital
level and the individual physician level.
Hospitals must crunch their own data and
understand it, not wait for the government
to do so first. Additional transparency by
the medical staff, who share quality data, is
essential and can be achieved with a better
medical staff infrastructure, improved design,
and aligned incentives to address national
patient safety and quality mandates.
Need for effective incentive strategies
Many would argue that a lack of effective
hospital-physician collaboration strategies
exist to provide incentives based on quality of
care. In this respect, hospitals and physicians
are co-dependent and should collaborate
on new structures. Hospitals must enlist
physician support to meet quality targets
and earn pay-for-performance incentives.
Similarly, physicians must enlist hospitals
to offer systems that drive quality across the
continuum of care.
Current, traditional equity joint-ventures
often fail to align physician and hospital
interests in improving quality of care.
Consumer-driven health care and increased
access to quality data will eventually lead to
greater patient choice and create consumers
who are better informed and more discerning
about the hospital and physician they choose.
Hospitals need to develop viable, compliant
incentive structures to connect physicians
and reward desirable behavior patterns and
quality-of-care efforts. New structures need to
focus on quality, reducing waste, and promoting
transparency to assist the hospital’s own
data mining efforts. These new joint ventures
should also account for coordinating the care
delivered by providers outside the venture.
Quality of care/legal risks audit
Many hospitals are hampered in providing
consistent quality of care and are simply
unaware of their compliance vulnerabilities,
because they have not subjected their qualityof-care
“processes” to the level of scrutiny
they devote to other compliance concerns,
such as billing and claims submission or
physician financial relationships. This requires
a broad-based, coordinated approach among
the administration, the medical staff, physicians,
nursing staff, risk managers, utilization
review, Quality department, Compliance
department and legal counsel.
A quality-of-care/legal risks audit is an
important step in addressing quality of care
and compliance. Such an audit identifies
areas of potential quality breakdowns and
helps establish internal quality controls,
two key areas a hospital should immediately
address to reduce the risk of an adverse
government-enforcement action. A qualityof-care/legal
risks audit, ideally performed by
objective outside health care counsel under
the attorney-client privilege, can reveal the
true operational landscape of a hospital.
Because of siloing and the various structural
and operational challenges discussed above,
it is difficult to imagine a hospital adequately
addressing its quality-of-care compliance risks
without this broad-based approach.
Patient care is the heart of a hospital’s
enterprise, and some key personnel may
hesitate to scrutinize their hospital’s quality
of care. They might fear an audit will reveal a
slew of previously unknown problems, which
the hospital would then need to remedy. They
might also believe (with regard to liability)
that ignorance is bliss, and would rather not
know of existing problems. Such attitudes are
understandable but misguided.
In light of the OIG/AHLA guidance,
board members have an affirmative duty to
understand their hospital’s quality-of-care
risks. Affirmatively choosing not to conduct
a quality-of-care compliance audit, simply
because the hospital fears the results, could
constitute willful ignorance or reckless
disregard of the failures, if the problems later
become known in a government investigation
October 2008
50
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

or whistleblower lawsuit. Moreover, the
underlying quality-of-care failures will continue
to exist and can pose an ever-increasing
compliance risk (false claims, malpractice, or
otherwise), whether or not the hospital knows
about the failures.
A responsible, less-invasive alternative to
the audit process would be to perform a risk
assessment based on key quality-of care-and
compliance factors. The underlying concepts
would be the same as those in the quality-ofcare/legal
risks audit, but the investigation
would not run as deep as an audit. This
process would give the compliance officer a
general understanding of the hospital’s risks.
The results would highlight and prioritize key
risk areas, which the compliance officer can
then report to the board. A quality-of-care/
legal risks audit could then be performed on
selected, priority risk areas.
Quality of care and RAC audits
As the RAC programs start again, hospitals
should be particularly concerned about
quality-of-care compliance risks. In the
time since the RAC audits were temporarily
suspended, the government has announced a
significant number of quality-of-care initiatives
regarding reimbursement methodology.
Commencing October 1, 2008, Medicare
will no longer reimburse for certain hospitalacquired
conditions unless the condition was
present on admission. 7 Where previously,
hospitals were required to report only certain
quality indicators, Medicare’s impending
Value-Based Purchasing plan will deny payment
altogether. 8 State Medicaid programs,
including Massachusetts, Minnesota, and
New York, have announced plans to deny
payment for medical errors and/or certain
hospital-acquired conditions. These are just a
few of the quality-of-care payment changes,
to say nothing of the growing enforcement
focus on quality-of-care failures.
RAC auditors are aware that hospitals have
invested significant resources to address and
reduce traditional billing errors. They are
also aware that many of these same hospitals
have not invested the resources to address and
reduce quality-of-care errors. It should be no
surprise when RAC auditors focus their data
mining efforts on quality-of-care issues. The
RAC audits might reveal patterns of substandard
care or medically unnecessary surgeries,
all submitted for reimbursement. Hospitals
must ready themselves to address and defend
against quality-of-care issues brought by RAC
auditors.
Conclusion
Quality of care, with its attendant impact on
payments, public reporting, and enforcement,
should be a major concern for hospitals.
Traditional structures and business models
are not designed to best respond to the
government’s mandates on quality of care and
compliance. Hospitals will need to work with
the compliance officer, the Quality department,
and legal counsel, who are experienced
in these quality of care issues, to implement
new models and incentives to promote
quality of care.
The first step in the process is to educate key
personnel and board members. After enlisting
their support, the hospital should consider
undergoing a quality-of-care/legal risks audit
or, at least, a risk assessment based on those
same factors.
Addressing quality of care proactively, and
integrating it with compliance, will give a
hospital a financial and operational advantage.
Those same investments in qualityof-care
compliance can provide additional
returns by minimizing litigation exposure and
enforcement actions based on poor quality.
Hospitals that refuse to recognize and address
quality-of-care risks and failures should not
be surprised to find themselves subjected to
whistleblower suits, RAC audits on quality
of care, or (worse yet) excluded from federal
programs. n
1 “Getting the Board on Board: Engaging Patient Boards in Quality and
Patient Safety,” 32 Joint Commission Journal on Quality and Patient
Safety 179-187 (April 2006)
2 “Driving for Quality in Long-Term Care: A Board of Directors Dashboard,”
HHS and HCCA joint report (January 2008)
3 Arianne N. Callender, et al., The Office of the Inspector General of the
U.S. Department of Health and Human Services and The American
Health Lawyers Association, Corporate Responsibility and Health Care
Quality: A Resource for Health Care Boards of Directors (2007)
4 See footnote No. 3
5 Lewis Morris, Chief Counsel to the Office of United States Inspector
General of Health and Human Services, on September 25, 2007
6 According to Institute of Medicine as a Profession, “Survey on Medical
Professionalism,” Annals of Internal Medicine (December 4, 2007)
7 Medicare Program: Changes to the Hospital Inpatient Prospective Payment
Systems and Fiscal Year 2008 Rules, 72 Fed. Reg. 47130, 47200
(Aug. 22, 2007)
8 The Deficit Reduction Act of 2005 authorized CMS to develop for
Medicare a hospital pay for performance model (known as Value-Based
Purchasing). Pub. L. 107-191
Be Sure to Get Your
CHC CEUs
Inserted in this issue of Compliance
Today is a quiz related to the articles:
n The 1-2-3s of claims sampling to
resolve overpayment errors —
By B. Bo Martin, page 32
n Quality of care and compliance:
Existing challenges and first
steps for hospitals — By Cheryl
L. Wagonhurst and Nathaniel M.
Lacktman, page 46
n Complying with the HIPAA Privacy
Rule: What you need to know —
By Rebecca C. Fayed, page 59
To obtain your CEUs, take the quiz and
print your name at the top of the form.
Fax it to Liz Hergert at 952/988-0146,
or mail it to Liz’s attention at HCCA,
6500 Barrie Road, Suite 250,
Minneapolis, MN 55435. Questions
Please call Liz Hergert at 888/580-8373.
Compliance Today readers taking the
CEU quiz have one year from the
published date of the CEU article to
submit their completed quiz.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
51
October 2008

The what, why and how of Medicare Coverage Analysis – Part I ...continued from page 45
5. It is sponsored by a credible organization/
individual who is capable of executing the
trial successfully.
6. It complies with federal regulations
regarding human subject protections.
7. It is conducted in accordance with appropriate
standards of academic integrity.
This certification process also requires that
the PI enrolls the trial in the Medicare clinical
trials registry. The registry, per CMS, is under
development and the option to qualify a
trial on the basis of the PI’s certification is,
as stated above, not practically available at
this time. Once a trial meets the criteria as
“qualifying” for Medicare coverage and in
order to be reimbursable by Medicare, each of
its items and services must be (1) identified as
a “routine cost” and (2) declared reasonable
and necessary. (The criteria and the review
process for each item and service to determine
if it is a “routine cost” will be covered in detail
by Part 2 of this article.)
The elaborate statutory environment and
intricate coverage issues present clinical trial
sites with complex regulatory requirements
and, potentially, far-reaching consequences for
non-compliance. In 1995, the Rush University
Medical Center settlement with the HHS
Office of Inspector General (OIG) for allegations
of research-related Medicare over-billing
included $1 million in reimbursement and
penalties and a Certification of Compliance
Full Name:
Title:
Organization:
Address:
City/State/Zip:
Telephone:
Fax:
E-mail:
Agreement (CCA.) Furthermore, the OIG
identified “…reporting of financial support
from other sources…” as a risk area in its 2004
Medicare Work Plan and the item remains a
priority in OIG’s annual work plans.
Evaluation of research billing operations is,
therefore, an integral part of any high-level
risk assessment of a clinical trial-participating
health care facility. In this context, an
inadequately performed and/or ineffectively
deployed MCA may represent a substantial
compliance risk. An analysis that does not
clearly identify a therapeutic intent; performs
an ad hoc classification of routine care;
or does not provide adequate support for
routine care classifications by an NCD and/or
LCD, rules, manuals, guidance documents,
compendia, etc could lead to allegations of
False Claims Act violation and subsequent
enforcement and legal action.
By contrast, a properly performed and
implemented MCA demonstrates careful
consideration and provides significant protection
against charges of FCA violation. The
MCA, therefore, has a vital role in a health
care entity’s risk management and compliance
programs as a key compliance control.
The MCA may be conducted by and within
a variety of business units in a health care
enterprise. It should also be performed by an
adequately-trained professional. The MCA
is, additionally, a product of a partnership
between key trial and operations stakeholders:
the PI, research staff, providers, the
Institutional Review Board (IRB), sponsors,
coders, billing staff, Financial, Compliance,
Contracts and Grants offices, and many more.
The correctly-conducted MCA is, therefore,
not only an essential billing compliance
control; it is also a cornerstone of a clinical
trial’s financial analysis and budget process.
In summary, Part I of this article about
Medicare Coverage Analysis, provided
statutory context, illustrated the need for and
benefits of the MCA process, and discussed
potential consequences for non-compliance.
It highlighted certain processes and a variety
of documents that jointly define coverage,
presented criteria for Medicare coverage,
and introduced key participants of the MCA
process. Part 2 of this article will focus on
the methodology and tools for conducting a
Medicare Coverage Analysis. n
1 42 U.S.C. §1395
2 P.L. 74-271
3 42 U.S.C. §1395y (a)(1)(A)
4 31 U.S.C. §3729-3733
5 P.L. 104-191
6 P.L. 105-33
7 P.L. 105-33, Section 4108 (b)(2)(D)
8 Pub 100-03, Medicare National Coverage Determinations for Routine
Costs in Clinical Trials (310.1)
9 Benefits Improvement and Protection Act (BIPA)
10 68 Fed Reg. 55634
11 63 Fed Reg. 68780
12 Social Security Act, Section 1861(t)(2)(B)(ii)(I)
13 http://www.cms.hhs.gov/mcd/overview.asp accessed June 23, 2008
14 FDA/HCFA Interagency Agreement Regarding Reimbursement Categorization
of Investigational Devices September 15, 1995 (D95-2)
15 21 CFR 860
16 Medicare Prescription Drug, Improvement, and Modernization Act of
2003 (MMA), section 731(b)
17 http://www.cms.hhs.gov/center/coverage.asp accessed June 23, 2008
18 Pub 100-03, Medicare National Coverage Determinations for Routine
Costs in Clinical Trials (310.1)
Complete this coupon to order Compliance Today (CT)
HCCA individual membership costs $295; corporate membership
(includes 4 individual memberships, and more) costs $2,500.
CT subscription is complimentary with membership.
HCCA non-member subscription rate is $295/year.
Payment enclosed
Pay by charge: AmEx MasterCard Visa
Card #:
Exp. Date:
Signature:
Please bill my organization: PO#
Please make checks payable to HCCA and return subscription coupon to: HCCA,
6500 Barrie Road, Suite 250, Minneapolis, MN 55435
October 2008
52
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

SEC Disclosure:
Managing information
at FDA-regulated
companies
By Elizabeth P. Gray, Esq. and Jessica L. Matelis, Esq.
Editor’s note: Elizabeth P. Gray is a partner and
Jessica L. Matelis is an associate in the Washington,
DC office of Willkie Farr & Gallagher LLP where
their practices include securities law enforcement
and litigation matters. Ms. Gray can be reached at
202/303-1207 or by email at egray@willkie.com.
Ms. Matelis can be reached at 202/303-1132 or
by email at jmatelis@willkie.com.
Four years ago, the Securities and
Exchange Commission (SEC) and
the Food and Drug Administration
(FDA) announced steps to enhance cooperation
between the two agencies, with the FDA
agreeing to support the SEC in its mission
to protect the public from false and misleading
statements by public companies. 1 At that
time, the agencies developed a centralized
process through which the FDA could refer
potential disclosure matters to the Division
of Enforcement at the SEC and also identified
specific FDA point persons and procedures
for the SEC to use when seeking information
from the FDA about publicly traded
companies regulated by the FDA. Recent
SEC cases evidence the continued existence
of the relationship between these two regulatory
bodies. 2
In addition to the scrutiny from government
agencies, FDA-regulated companies, like
medical device developers and manufacturers,
have proven to be frequent defendants in
private securities class actions. Consequently,
given the relationship between the SEC and
the FDA, the consistent flow of information
between regulated companies and the
FDA, and the frequency with which many
FDA-regulated companies utilize the public
markets to raise funds, companies in this area
are well-advised to develop and implement a
robust set of disclosure policies and procedures
to ensure that material information
is not only being disclosed, but is being
disclosed promptly and accurately.
Although a public company has no general
affirmative duty to disclose nonpublic information,
SEC rules and regulations, such as
the revised disclosure obligations under Form
8-K, may require disclosure under certain
circumstances. Even when disclosure is not
required, however, a company that receives
news from the FDA or through one of its
clinical investigations may want to disclose
that information to the public. And, when a
company speaks, whether because of a regulation
or voluntarily, it must provide complete
and accurate disclosure to avoid misleading
the investing public. 3 Additionally, after a
company discloses information regarding a
certain matter, it may have a “duty to update”
or a “duty to correct” the information in
that disclosure if new information becomes
available. Because of the importance of
getting accurate information to the investing
public in a timely fashion, even small
public companies that are regulated by the
FDA need to focus not just on their clinical
investigations and FDA applications, but on
making sure that information regarding those
areas is flowing both within the company and
then to the public through its SEC filings and
public statements.
Standard Operating Procedures
One approach for FDA-regulated companies
is to develop and utilize standard operating
procedures (SOP) for encouraging the timely
and accurate exchange of information. Just as
a company would develop and follow an SOP
for reporting adverse effects during a clinical
trial or investigation, it can develop SOPs
for communicating with regulatory bodies,
for dealing with clinical investigation or trial
developments and for drafting SEC filings,
including Forms 10-K, 10-Q, and 8-K.
Regulatory bodies
Communications with the FDA and other
similar regulatory bodies are fertile ground
for information that either needs to be publicly
disclosed or that the company would
like to disclose. Consequently, a formal written
SOP for dealing with communications
from the FDA can help a company identify
and disclose pertinent information. Such an
SOP may include the following guidelines:
n Any written communication to or from
the FDA should be promptly circulated
(within 24 hours) to not only members of
the regulatory affairs and clinical divisions,
but to someone in the General Counsel’s
office and to a member of corporate communications.
n Two or more people should participate in
all oral communications with the FDA.
n Oral communications should be promptly
documented in a written summary and
circulated to the same group of people
who would receive written communication.
n Specific personnel should be responsible
for drafting and distributing these communications.
Clinical trials
Developments from clinical investigations
are another area likely to generate material
Continued on page 57
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
53
October 2008

HCCA Regional Conferences
Join us at HCCA’s 2008-2009 Regional Conferences
HCCA’s regional conferences take place throughout the year, all over the United States.
You’re sure to find one that works for you!
2008 Regional Conferences
Chicago, IL.......................October 3
Pittsburgh, PA................October 10
Honolulu, HI............. October 16-17
Denver, CO.....................October 24
Nashville, TN................November 7
Louisville, KY.............November 14
2009 Regional Conference
Atlanta, GA.......................January 9
Orlando, FL....................January 30
Dallas, TX..................... February 20
Columbus, OH....................... May 8
New York, NY....................... May 15
Seattle, WA........................... June 5
Los Angeles, CA................. June 26
Anchorage, AK............... July 9 - 10
Boston, MA.................September 5
Minneapolis, MN......September 12
Kansas City, KS........September 26
Chicago, IL.......................October 2
Pittsburgh, PA..................October 9
Honolulu, HI.............October 15–16
Denver, CO.....................October 23
Nashville, TN................November 6
Louisville, KY.............November 13
Phoenix, AZ................November 20
October 2008
54
Visit www.hcca-info.org for registration information
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Upcoming Regional Conferences
October 24
Denver, CO
October 3
Chicago, IL
October 10
Pittsburgh, PA
November 7
Nashville, TN
November 14
Louisville, KY
October 16-17
Honolulu, HI
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
55
October 2008

Compliance Policies/
Document Sharing Project
OUR GOAL: to make
1,000 documents
available to members
THE INDIVIDUAL THAT SUBMITS THE MOST DOCUMENTS
TO THE LIBRARY EACH MONTH, RECEIVES ONE OF 12
IPOD NANOS OR AN HCCA AUDIO CONFERENCE!
Contribute a document and enter the
iPod/Audio Conference Giveaway!
Contribute the most compliance-related documents to the SCCE
Document Library and receive an iPod Nano or an SCCE Audio
conference. Each month, an iPod Nano or an HCCA Audio
conference is given away beginning in July 2008. Giveaways
will be held on a monthly basis through June 2009, so there are
many opportunities for YOU to contribute.
E-mail your document(s) to Caroline Lee
Bivona at caroline.leebivona@hcca-info.org
October 2008
56
With 2,300 lawyers in 30
locations, Jones Day One
Firm Worldwide is a proud
law firm sponsor of this
giveaway!
www.jonesday.com
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org www.hcca-info.org | 888-580-8373

SEC Disclosure: Managing information at FDA-regulated companies. ...continued from page 53
information that a company may need to
disclose, particularly if the company has
previously disclosed information regarding
a clinical investigation or trial. Significant
changes or results from investigations previously
discussed with the public will likely
warrant prompt and accurate disclosure.
Again, in order to accomplish this efficiently,
the creation and implementation of an SOP
regarding clinical investigation developments
may be beneficial.
For each ongoing clinical investigation,
create a distribution list which includes at
least one member from the regulatory affairs
department, the General Counsel’s office and
the corporate communications or investor
relations department. Use this distribution list
to promptly communicate any new and significant
developments so that people outside
the clinical investigation group are not only
informed of the new information, but can
make an assessment regarding whether or not
disclosure is necessary. Consider including
as part of this SOP a procedure for calling
meetings among the distribution list on short
notice, thus allowing for discussion about the
new information across various segments of
the company.
SEC filings
Creating SOPs for the drafting, review, and
filing of any SEC filings is also an important
component for disclosure policies and
procedures. For each periodic filing on Form
10-K or 10-Q, implement an SOP that not
only sets forth the timeline for drafting the
filing, but also includes the necessary sign-offs
for each section. Of particular importance for
many FDA-regulated companies, including
medical device developers and manufacturers,
is a section appearing in each periodic
report called management’s discussion and
analysis of financial conditions and results of
operations (MD&A). This section requires
management to discuss information that may
cause the current financial condition to not
be indicative of future financial condition.
For medical device companies, this may
include indications from the FDA regarding
status of a pending application or events
from a clinical investigation. Consequently,
an SOP regarding the drafting and review of
periodic filings needs to allow for review by
members of the regulatory affairs and clinical
investigation divisions to ensure that information
pertinent to those divisions is included
and accurately described.
Similarly, SOPs for Forms 8-K and registration
statements can be drafted to allow for
review by relevant divisions at the company.
These SOPs, however, may need to be streamlined
because often time is of the essence
when filing a disclosure on Form 8-K or a
registration statement for an equity offering.
In August 2004, revisions for the filing of
Forms 8-K became effective, requiring that
companies file disclosures regarding specified
information within four business days. And,
although registration statements can integrate
prior filings, a company must still ensure that
it describes “any and all material changes in
the registrant’s affairs” that were not previously
reported on a Form 10-Q or 8-K.
Regulation Fair Disclosure
Finally, because many FDA regulated companies
are frequently communicating with
the investing public, particularly institutional
investors, developing an SOP that covers
Regulation Fair Disclosure (Reg FD) may
be useful. Under Reg FD, companies are
prohibited from selectively disclosing material
nonpublic information to certain parties,
such as securities market professionals, institutional
investors, and investment companies.
If material nonpublic information is disclosed
to a select party, Reg FD requires that the
information be simultaneously disclosed to
the public or if the disclosure is inadvertent,
the information must be disclosed to the
public as soon as practicable after discovering
the disclosure. SOPs regarding communications
with the investment community can be
a valuable way to prevent running afoul of
Reg FD. For example, an SOP to assist with
Reg FD compliance might require that:
n All staff who interact with the investment
community complete regular training
about FD.
n All communication with investors be
logged into a central system, which includes
the date of the communication and
a description of the information provided
to the investor.
n All “road show” materials be reviewed and
approved by specified personnel.
Conclusion
SEC disclosure requirements may not always
be given the necessary attention at developing
public companies that are regulated by the
FDA. However, the cooperation between the
FDA and the SEC, as well as the risk of civil
suits, suggest that FDA-regulated companies
need to take care when disclosing information
to the investing public because the potential
damage from making inaccurate disclosures
can be significant. Using SOPs, a familiar
format of control at FDA-regulated companies,
is one possible way to make disclosure
policies and procedures functional for these
dynamic companies. n
1 See “SEC and FDA Take Steps to Enhance Inter-Agency Cooperation,”
SEC Press Rel. 2004-13 (Feb. 5, 2004) and “FDA and SEC Work to
Enhance Public’s Protection from False and Misleading Statements,”
P04-15 (Feb. 5, 2004).
2 See SEC v. Shashikant C. Shah, Lit. Rel. No. 20034 (March 8, 2007)
(“The staff acknowledges the assistance and cooperation of . . . the FDA
in the investigation of this matter”).
3 See Backmun v. Polaroid Corp., 910 F. 2d 10, 13 (1st Cir. 1990) (en
banc).
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
57
October 2008

Improving Governance Practices
Buy one
registration for
$695 and
get one
for $395*
Au d i t
&
Co m p l ia n c e
Committee
Conference
October 27–29, 2008
Hilton Fort Lauderdale Beach Resort
Fort Lauderdale, FL
This conference is designed for board members and audit committee members of
not-for-profit healthcare organizations who serve on an organization’s audit and/or
compliance committee. Compliance officers may attend with their board member. CEO,
CFO, and other senior officers are welcome to attend.
“Outstanding! This conference is geared for board members—should be a
requirement for chairmen of audit committee, a must for compliance officers,
and also should be attended by CEO & CFO.”
H. James Mueller, Treasures board of Trustees-Chair Audit & Finance Committees,
Cheyenne Regional Medical Center
“The conference presented a realistic view of the importance of the role
of compliance as it relates to the core operations of a hospital as well as
joint ventures and physician relationships.”
Jake Easton III, Audit and Compliance Committee Chair,
Hoag Memorial Hospital Presbyterian, Newport Beach, CA
October 2008
58 Register online at www.hcca-info.org

Complying with the
HIPAA Privacy Rule
– What you need to
know
Editor’s note: Rebecca C. Fayed is an associate
in the Washington law offices of Sonnenschein,
Nath & Rosenthal LLP. Rebecca is a member
of Sonnenschein’s Health Care Group. She may
be reached by telephone at 202/408-6351 or by
e-mail at rcfayed@sonnenschein.com.
The Health Insurance Portability
and Accountability Act of 1996
(HIPAA) 1 , among other things,
directed the Department of Health and
Human Services (HHS) to adopt regulations
regarding the privacy of health information.
After a series of proposed and final rules and
modifications, on August 14, 2002, HHS
published what is now commonly referred
to as the Privacy Rule. 2 Most covered entities
have been required to comply with the
Privacy Rule since April 14, 2003.
As a general matter, the Privacy Rule requires
that covered entities not use or disclose
protected health information (PHI) without
an individual’s authorization unless that use
or disclosure is specifically permitted under
the Privacy Rule. In addition, the Privacy
Rule provides individuals with a number of
rights with respect to their PHI and requires
covered entities to comply with certain
administrative requirements.
In order to comply with the Privacy Rule, a person
or entity must, at a minimum, determine:
n If the Privacy Rule applies (i.e., whether
the person or entity is a covered entity or a
business associate);
n What information is considered PHI; and
By Rebecca C. Fayed, JD
n What uses and disclosures of PHI are
permitted.
In addition, covered entities must have
procedures in place to allow individuals to
exercise their rights with respect to their PHI
and must implement the requisite administrative
requirements under the Privacy Rule.
Who must comply with HIPAA
Only people or entities that meet the definition
of a covered entity are required to comply
with the Privacy Rule. A covered entity is a
health plan, a health care clearinghouse, or a
health care provider who transmits any health
information in electronic form in connection
with a standard transaction. In terms of health
care providers, generally this includes any health
care provider who submits claims electronically.
Health care providers who may be covered
entities include, for example, hospitals, physicians,
dentists, nursing homes, and pharmacies
(assuming that these entities submit claims electronically).
Health plans that may be covered
entities include, for example, health insurance
companies, HMOs, and employer group health
plans (but not the employer plan sponsor).
In addition, people or entities who are not
part of a covered entity’s workforce, but who
provide certain services for or on behalf of
a covered entity and receive PHI from the
covered entity when providing those services,
may be considered business associates under
the Privacy Rule and contractually required
to comply with certain Privacy Rule requirements.
Specifically, if a covered entity is
disclosing PHI to a business associate in order
for the business associate to provide services
for the covered entity, the covered entity must
obtain “reasonable assurances” from the business
associate that the business associate will
appropriately safeguard the PHI that it receives
when providing services. These reasonable
assurances must be in the form of a written
agreement, commonly referred to as a business
associate agreement or BA agreement.
BA agreements must contain a number of
provisions set forth in the Privacy Rule,
including, for example, a provision that establishes
the permitted and required uses and
disclosures of PHI, a prohibition against any
further use or disclosure except as permitted
by the agreement or as required by law, and
provisions that require the business associate
to permit individuals to exercise their rights
with respect to their PHI (either directly or
through the covered entity).
To comply with the Privacy Rule’s requirements
regarding disclosure of PHI to a business associate,
covered entities should analyze their business
relationships to determine who is a business
associate. Covered entities should enter into
BA agreements with any people or entities that
meet the definition of a business associate. Some
common examples of business associates include
lawyers, consultants, CPA firms, and third-party
administrators. In contrast, a person or entity is
not a business associate if that person or entity’s
services do not involve the use or disclosure of
PHI or only involve incidental disclosures of
PHI. For example, janitors, electricians, or couriers
generally are not business associates, because
they only incidentally come into contact with
PHI during the course of providing services.
What is protected
PHI is the only information protected by the
Privacy Rule. PHI is information (including
Continued on page 62
59
October 2008

October 2008
60
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
61
October 2008

Complying with the HIPAA Privacy Rule – What you need to know
...continued from page 59
demographic information) that is created or received by a health care provider,
health plan, employer, or health care clearinghouse that relates to:
n The past, present, or future health of an individual;
n The provision of health care to an individual; or
n The past, present, or future payment for health care to an individual AND
that either
o identifies the individual, or
o there is a reasonable basis to be believe that the information could be
used to identify the individual.
In contrast, information that has been de-identified is not protected under
the Privacy Rule. De-identification, however, is not simply removing the
individual’s name from the information. In fact, in order for information
to be truly “de-identified” for purposes of the Privacy Rule (and therefore
outside of the Privacy Rule’s scope), either all eighteen identifiers enumerated
in the Privacy Rule must be removed from the information or a person
with “appropriate knowledge of and experience with” accepted principles
and methods must determine that the risk is very small that the information
could be used alone or in combination with other available information to
identify the individual to whom the PHI relates.
What uses and disclosures are permitted
A covered entity may not use or disclose PHI unless that use or disclosure is
permitted by the Privacy Rule. A covered entity may disclose, and in fact, is
required to disclose PHI to the individual or the individual’s representative
and to the Secretary of HHS for purposes of determining compliance with
the Privacy Rule.
Uses and disclosures that are “incident to” an otherwise permitted use or
disclosure are also permitted under the Privacy Rule. For example, the Privacy
Rule does not prohibit a physician from discussing a patient’s medical condition
with that patient in a hospital room that is shared with another patient.
Any PHI that the other patient may hear is an incidental disclosure of PHI
and is permissible under the Privacy Rule.
Perhaps most important in terms of most day-to-day uses and disclosures of
PHI, the Privacy Rule permits covered entities to use and disclose PHI for purposes
of treatment, payment, and health care operations (commonly referred
to as TPO). Treatment includes the provision, coordination, or management of
health care, the consultation between health care providers, and the referral of
patients to other health care providers. Payment includes activities undertaken
by a health plan to obtain premiums or to determine or fulfill obligations
related to coverage and the provision of benefits. Payment also includes activities
undertaken by a health care provider or health plan to obtain or provide
reimbursement for health care. In defining payment, the Privacy Rule includes
October 2008
62
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

HM-MDaudit_1_08.qxd 1/25/08 4:10 PM Page 1
several specific examples, including, for example, determinations
of coverage, billing, claims management, collection activities, and
utilization review. Finally, health care operations is a very broad
category of non-treatment and non-payment business activities
undertaken by a covered entity. The Privacy Rule sets forth several
specific examples of health care operations, including quality
assessment and improvement activities, credentialing activities,
arranging for legal services, medical review and auditing functions,
and business planning and development.
A covered entity may use or disclose PHI for its own TPO purposes.
It also may disclose PHI for the treatment purposes of
another health care provider or to another covered entity or health
care provider for the recipient’s payment purposes. Moreover,
albeit more limited in scope, a covered entity may disclose PHI for
another covered entity’s health care operations purposes if:
n The health care operations purposes are quality assessment,
credentialing, training activities, or fraud and abuse detection;
and
n Both entities have or have had a relationship with the person
to whom the PHI relates.
In addition to these more day-to-day uses and disclosures, the
Privacy Rule permits covered entities to use or disclose PHI for
the following purposes, provided that the covered entity meets
the applicable requirements for the particular use or disclosure
as specifically set forth in the Privacy Rule:
n To create or maintain a facility directory
n To individuals involved in a person’s care or payment for that care
n As required by law
n For public health activities
n For victims of abuse, neglect, or domestic violence
n For health oversight activities
n During the course of judicial and administrative proceedings
n To law enforcement officials
n For decedents
n For organ donation
n For research purposes
n To avert a serious threat to public health or safety
n For specialized government functions
n For workers’ compensation purposes
Manage
your risk.
Protect your revenue.
Seven of the top 15 healthcare organizations as ranked by
US News & World Report are using MDaudit to automate
the administrative tasks of compliance auditing. Using
strategic, risk-based audit methodology, they:
• Increase audit productivity: More providers are
audited in less time, allowing your staff to focus on
changing provider behavior.
• Quickly target risk areas: Risk-based audit scheduling
helps you easily target non-conforming providers.
• Improve reporting capabilities and consistency:
Professional reports quickly illustrate areas of concern.
• Monitor audit status across departments:
Audit status and productivity is assessed at a glance.
• Allow staff to focus on value-added activities:
With more time and actionable information, your staff can
focus on provider education to eliminate incorrect coding.
To find out more and to schedule a free ROI analysis, call
Hayes’ MDaudit team at 617-559-0404 or send an email to
mdaudit@hayesmanagement.com.
For all other uses and disclosures, that is, for all uses and
disclosures that the Privacy Rule does not specifically permit, a
Continued on page 65
www.HayesManagement.com
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
63
October 2008

October 2008
An Independent Member of Baker Tilly International • 24,000+ personnel • 104 countries • 505 affiliate offices worldwide
64
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Complying with the HIPAA Privacy Rule – What you need to know ...continued from page 63
covered entity first must obtain an individual’s
authorization before using or disclosing PHI.
Under the Privacy Rule, an authorization
must contain certain provisions, including a
description of the information to be used or
disclosed, the name of the person or entity
authorized to make the use or disclosure, the
person or entity who may receive the information,
a description of the purpose of the use or
disclosure, an expiration date, a signature, and
other provisions related to individual rights.
In addition to those provisions required by the
Privacy Rule, many state laws also have specific
requirements related to what must be included
in an authorization. Covered entities should
confirm that their authorization forms contain
all required provisions under the Privacy Rule
and under state law.
There are many purposes for which a covered
entity may use or disclose PHI, but the vast
majority of these uses and disclosures are
subject to the Privacy Rule’s minimum necessary
requirement. That is, with few exceptions
(e.g., treatment purposes), when a covered
entity uses or discloses PHI, the covered
entity must use or disclose only the minimum
amount of PHI necessary to effectuate the
purpose of the use or disclosure.
Individual rights
In addition to governing a covered entity’s
use and disclosure of PHI, the Privacy Rule
created certain individual rights with respect
to PHI. Simultaneously, the Privacy Rule
created certain obligations for covered entities
to allow individuals to exercise these rights.
Notice of privacy practices. Under the Privacy
Rule, an individual has the right to adequate
notice of a covered entity’s uses and disclosures
of PHI, his or her rights with respect to PHI,
and a covered entity’s legal obligations regarding
PHI. Accordingly, covered entities must
provide individuals with a written notice of their
privacy practices. Generally, the notice of privacy
practices must contain a description of the
covered entity’s uses and disclosures, a statement
of the individual’s rights, the covered entity’s legal
duties with respect to the PHI, a description of
the process for filing a complaint, and contact
information for purposes of asking additional
questions. In addition, health care providers
must make a good faith effort to obtain a written
acknowledgement that a patient received the
notice of privacy practices. If the health care
provider is unable to obtain the acknowledgement,
the health care provider must document
its good faith efforts and the reasons why such
acknowledgement was not obtained.
Access to PHI. The Privacy Rule provides that
individuals have a right to inspect and obtain a
copy of their PHI. This means that covered entities
have a corresponding obligation to provide
access to and copies of PHI to individuals who
make such a request. The Privacy Rule does
permit a covered entity to limit this right under
certain circumstances. In addition, a covered
entity does not have to comply immediately
upon receiving a request. That is, generally,
a covered entity has 30 days to respond to a
request for access and may have up to 60 days
under certain circumstances. Moreover, covered
entities are permitted to charge a reasonable,
cost-based fee for fulfilling these requests.
Amendment of PHI. Under the Privacy Rule,
individuals have the right to have a covered
entity amend their PHI, and covered entities
have the obligation to fulfill these requests.
As with the right to access PHI, the right to
have PHI amended is limited under certain
circumstances. For example, if the PHI is
accurate and complete, the covered entity is
not required to amend the PHI. Again, as with
the right to access, the right to amendment
is not immediate. As a general rule, a covered
entity has 60 days to respond to a request for
amendment and has up to 90 in some cases.
Accounting of disclosures. Individuals have
the right to receive an accounting of certain
disclosures made by a covered entity in the
prior six year period. Accordingly, to fulfill
their obligation, covered entities must have a
process in place, for example an accounting
log, to track information related to certain
disclosures and must have a way to provide
such information to an individual upon
request. Many disclosures do not need to be
accounted for, including disclosures made for
TPO purposes, disclosures made pursuant
to an authorization, disclosures made to the
individual, and disclosures incident to an
otherwise permitted disclosure. Examples of
disclosures that must be accounted for include
unauthorized disclosures of PHI, disclosures
required by law, those made for public health
purposes, and disclosures for health oversight.
Similar to the access and amendment rights,
the right to an accounting is not immediate.
Rather, covered entities have up to 60 days,
and up to 90 days in some cases, to respond to
the request. In addition, while a covered entity
must provide an individual with an accounting
free of charge, for any additional request
within the same 12-month period, a covered
entity may charge a reasonable cost-based fee.
Right to request restrictions. The Privacy
Rule provides individuals with the right to
request restrictions on the way a covered entity
uses or discloses PHI for purposes of TPO and
to an individual involved in the individuals care
or payment for that care. The covered entity,
however, is not obligated to comply with the
request. Therefore, this is the only individual
right under the Privacy Rule that does not have
a corresponding obligation for the covered
entity. However, if the covered entity does
agree to the request, the covered entity may not
violate the restriction (unless under emergency
treatment circumstances).
Continued on page 66
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
65
October 2008

Complying with the HIPAA Privacy Rule – What you need to know
...continued from page 65
Confidential communications. Under the Privacy Rule, individuals have
the right to request that communications of PHI be made by alternative
means (e.g., by mail instead of by telephone) or at alternative locations
(e.g., at work instead of at home). Health care providers are required to
accommodate all reasonable requests. Health plans must accommodate
reasonable requests only if the individual clearly states that the disclosure
of PHI could endanger the individual.
Is your rehabilitation program ready
to face the auditor’s microscope
Inpatient and outpatient rehab providers are
experiencing increased scrutiny from their
fiscal intermediaries and others. The 75%
Rule, the Recovery Audit Contractor (RAC)
project, and focused reviews for medical
necessity have changed the way rehabilitation
providers operate.
Most rehab providers have not established
effective mechanisms to assure the integrity
of their operating and billing practices when
viewed by a third party. The full consequences
may only be apparent when it is too late.
Noblis provides solutions-focused services
across the post-acute care continuum and we
can help solve the IRF compliance puzzle and
help you face the future of rehab.
Contact Noblis’ Center for Health Innovation
Post-Acute Strategy experts (404.231.4422)
to discuss customized solutions to your
compliance needs. We will help you to climb
out from under the auditor’s microscope.
www.noblis.org/healthcare • 404.231.4422
Administrative requirements
The Privacy Rule requires covered entities to implement certain administrative
requirements. In effect, these requirements create an obligation for covered
entities to establish a privacy compliance program. That is, many of the
requirements are similar to the elements of a general health care compliance
program. For example, covered entities must:
n Designate a privacy officer.
n Develop and implement privacy policies and procedures.
n Provide training to all members of the workforce.
n Have a process in place for individuals to make complaints regarding
privacy issues, including issues related to the covered entity’s compliance
with the Privacy Rule and its own privacy policies and procedures.
n Have and apply appropriate sanctions against employees who violate
the Privacy Rule and/or the covered entity’s privacy policies and procedures.
n Refrain from intimidating or engaging in any retaliatory acts against
individuals who exercise their rights under the Privacy Rule or who file
a complaint against the covered entity.
n Mitigate any harmful effect that results because of an act of noncompliance
with the Privacy Rule or the covered entity’s privacy policies and
procedures.
n Implement appropriate administrative, technical, and physical safeguards
to protect the privacy of PHI.
n Maintain documentation as required by the Privacy Rule.
Enforcement
The HHS Office for Civil Rights (OCR) is responsible for enforcing the
Privacy Rule. OCR has the authority to impose civil monetary penalties
(CMPs) for violations of the Privacy Rule. CMPs are limited to $100 per
violation with a maximum of $25,000 per year for each identical Privacy
Rule requirement that is violated.
The United States Department of Justice (DoJ) has the authority to impose
criminal penalties for violations of the Privacy Rule. Specifically, if a person
or entity knowingly obtains or discloses PHI in violation of the Privacy
Rule, the person or entity may be liable for up to $50,000 and/or may be
imprisoned for up to one year. If a person or entity obtains or discloses the
October 2008
66
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

PHI under false pretenses, that person or entity may be subject
to $100,000 in fines and/or five years in prison. In addition, if
the individual obtains or discloses PHI with an intent to sell,
transfer, or use it for commercial advantage, commercial gain,
or malicious harm, that individual or entity may be fined up to
$250,000 and/or be imprisoned for up to 10 years.
It is important to note that there is no private right of action
under HIPAA. Therefore, an individual may file a complaint
with HHS with respect to a covered entity’s compliance with
the Privacy Rule, but he or she may not file an action against the
covered entity for violating the Privacy Rule.
Conclusion
As stated above, in order to comply with the Privacy Rule, a
person or entity must, at a minimum, determine:
n if the Privacy Rule applies,
n what information is protected, and
n what uses and disclosures of PHI are permitted.
In addition, covered entities must have procedures in place to
allow individuals to exercise their rights with respect to their
PHI. Finally, and perhaps most importantly, covered entities
must implement the administrative requirements required
under the Privacy Rule. These administrative requirements create
a HIPAA privacy compliance program infrastructure that is
necessary to ensure compliance with the Privacy Rule’s requirements.
Because Privacy Rule enforcement is a complaint-driven
process, it is important to have this infrastructure in place, not
only to comply with the law, but also to:
n Reduce the potential for incidents to occur that may give rise
to complaints; and
n Be able to show OCR or DoJ that PHI is properly safeguarded
by the covered entity. Such proof may be essential to avoid
civil or criminal penalties should a Privacy Rule violation
occur. n
1. Public Law 104-191.
2 67 Fed. Reg. 53182 (Aug. 14, 2002) codified at 45 C.F.R. Parts 160 and 164.
To Register visit www.hcca-info.org
Whistleblower Claims in Healthcare
October 8
Part 1: A Compliance Perspective
Available on CD
Part 2: The Enforcement Perspective
Carmen Wolf, Principal, BlickenWolf LLC
Patrick Coffey, Partner, Locke Lord Bissell & Liddell
Linda Wawzenski, Assistant United States Attorney, Deputy Chief,
Civil Division, United States Attorney’s Office
2008 MACS and RACS: What It
Means For The Lab — October 14, 2008
In this presentation you will learn about Medicare
Administrative Contractors (“MAC’s”) and the MACs process
both Part A and B claims allowing for increased program
integrity. The full fee-for-service workload is scheduled to be
transitioned to the MACs by October 2009.
2009 OIG Work Plan for Hospitals &
Physicians — October 23 & 24
Be prepared for the year ahead by taking advantage of
the HCCA’s presentation of the 2009 OIG Work Plan for
Hospitals. Outstanding speakers combine with engaging
interaction for a serious, in-depth look at the OIG’s key
compliance concerns for fiscal year 2009. If you’re looking for
OIG Work Plan coverage that is substantial and to‐the‐point
don’t miss this conference
An Insider’s Guide to
Workplace Investigations
October 30, 2008
Meric Craig Bloch,
Vice President–Corporate
Compliance, Adecco S.A.
Past Audio/Web conferences
are available on CD at
www.hcca-info.org/ pastweb
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
67
October 2008

AUTOMATE YOUR COMPLIANCE AND RISK MANAGEMENT PROGRAM
•
Enforce Consistency
Cost
Streamline Processes
•
Mitigate Risk
•
•
Reduce
Policy Management
Contract Management
Remediation Projects
Enterprise Risk Management
Incident Management & Reporting
Audit Management
Regulation Management
Surveys
Liability
•
• Increase Productivity
Decrease
•
Drive Accountability
Enhance Compliance Visibility
•
Contact us today to view a free demo.
Compliance 360 assists Healthcare Organizations comply with:
October 2008
68

Improving competitiveness and compliance through agent/broker online training
...continued from page 37
proficiency level is required before the system The success of the training program offers
allows the user to move to the next chapter opportunities for HCSC to expand and
or to complete the course. Agents who fail improve the program. We are now working
to complete all components of the training/ to equip the agent certification program with
certification program are prohibited from more teeth by preventing any agent from
selling the Medicare products. If an agent who using the online enrollment application or
was not certified did sell a Medicare policy, marketing materials without first completing
the commission system would automatically our training program. This will not only
prevent the agent from being paid.
add another layer of compliance assurance,
but will help our marketing team develop
The survey results from the 2007 training valuable collateral for use by agents. We also
program have been very positive about the are working on ways to leverage the training
training program. An average of 89% of program to promote agent loyalty and are
surveyed agents in the four-state service area investigating additional uses of our new
rated the training program as Excellent/Good. database.
Perhaps most promising, the majority of our
agents answered positively when asked if they The MAPD and PDP compliance training
would like to have access to other HCSC program we implemented has enabled us to
training courses for Medicare-related products. meet multiple objectives, including costefficiency
and compliance. It has provided a
These results, along with specific agent
feedback, will be used to develop the next level versatile system that can support a range of
of training, which will include topics suggested additional communication and education
by the agents in our follow-up surveys. initiatives to our employees, brokers, agents
and members. As regulations change, HCSC
Measuring the results
feels that it is well-positioned to meet new
HCSC’s new, online MA and MAPD training
program has already produced substantial Plan Sponsors will be required to include
requirements. For example, in January 2009,
results—in compliance and in efficiency: a written or computer-based test in their
n Cost. Training costs were significantly training programs. Agents and brokers will
reduced by instituting an online program be required to successfully complete the
and eliminating the need for in-person test(s) with a minimum score of 80% to
training.
demonstrate their knowledge of the Medicare
n Time. More than 3,800 agents who sell program and the plan-specific products they
MAPD or PDP were trained and tested intend to sell. These requirements will apply
between late September and November to both employed and contracted agents and
14, 2007.
brokers. CMS believes the requirement is necessary
to ensure that beneficiaries are receiving
n Compliance. We achieved compliance
with CMS’ training requirements for the information needed to make informed
agents and brokers and consider ourselves decisions and that agents understand the
well-positioned to achieve CMS’ next set plans they are marketing and are prepared
of requirements.
to provide recommendations. CMS will
n Database. The database of agents adds continue to provide information necessary to
value to our business by enabling direct conduct such oversight. n
communications and providing advanced
training to agents who sell our products.
The 1-2-3s of claims sampling to resolve
overpayment errors
...continued from page 33
quantification of the total overpayments
is equal to the average overpayment in the
sample times the number of sampling units
in the sampling frame. This measurement
and quantification should be stated with a
confidence interval that is set by the desired
confidence level. The final precision (i.e., the
width of the confidence interval) will depend
on this, the variation in the error rate, and the
overpayments among the sampling units in
the full sample.
Step 6: Report the final results
Reporting the final results is basically an
exercise in documentation. An executive
summary should begin with the definition
of the potential error that was reviewed
and end with the measurement of the error
rate, if found, and the quantification of the
overpayments, if any. All of the intermediary
steps should be preserved, as appropriate, as
work papers, so that any other reviewer could
confirm what was done. For example, the
sampling frame (i.e., the list of one-day stay
admissions either for pneumonia cases or all
cases in this example) should be kept as well
as the probe sample and the full sample.
Conclusion
The sampling claims process requires
statistical expertise, but it is best not left to
statisticians alone. Compliance officers who
decide to initiate a claims sampling process
will benefit by the step-by-step planning that
is as important for scientific validity as the
correct application of the statistical formulas
that are recommended to them. n
1 Catherine Sreckovich, Alan Peterson, B. Bo Martin: “Keeping the
Sampling Gains Going” in Monitoring & Auditing for Effective
Compliance, edited by John E. Steiner, JD. Philadelphia: Health Care
Compliance Association, 2008. (Chapter contains a history on the
contribution of sampling methods to advancements in health care
compliance)
2 Available at http://www.oig.hhs.gov/organization/OAS/ratstat.html
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
69
October 2008

Register before
January 6, 2009,
and save $200!
February 22–24, 2009 | Scottsdale, AZ
Managed Care
Compliance Conference
HCCA’s Managed Care Compliance Conference provides essential information for individuals involved
with the management of compliance at health plans. Plan to attend if you are a compliance professional
from a health plan (all levels from officers to consultants); in-house and external counsel for a health plan;
internal auditor from a health plan; regulatory compliance personnel; or managed care lawyer.
Topics to be covered may include: compliance risk monitoring and auditing; application of Sarbanes Oxley
requirements to non-profit health plans; ethics and building an ethical culture; board involvement in
compliance; Medicare Prescription Drug Plan compliance and audit experience; New York's Medicaid compliance
guidance for managed care plans; and HIPAA privacy and security challenges at health plans.
888-580-8373 | www.hcca-info.org

Speakers
Sharon Anolik
Blue Cross Blue Shield of
California
San Francisco, CA
General Session Speaker:
Hot Topics from the
Medicare & Medicaid
Services
Kim Brandt
Director, Program Integrity Group
Center for Medicare and
Medicaid Services
Baltimore, MD
Elizabeth Browning, CHC
Compliance Manager
Fallon Community Health Plan
Worcester, MA
Steve Bunde CPA, CFE, CHC
Sr. Director of Corporate Integrity
& Internal Audit
Health Partners
Minneapolis, MN
Leila A. Daiuto
Director, Life Sciences &
Healthcare
Axentis, Inc.
Cleveland, OH
Dorothy DeAngelis
Managing Director
Huron Consulting Group
Charlotte, NC
Anne Doyle
Executive VP/
Chief Compliance Officer
Fallon Community Health Plan
Worcester, MA
Lori Dutcher
Vice President Compliance MSSA
Kaiser Foundation Health Plan
Pasadena, CA
Libby Easton-May
Manager
Huron Consulting Group
Simsbury, CT
Gary Fitzgerald
Director Compliance &
Regulatory Affairs
Harmony Health Plan of IL, Inc.
Chicago, IL
Jeannette Frey
Privacy Officer
Fallon Community Health Plan
Waltham, MA
Dan Garcia
Senior Vice President
Kaiser Permanente
Oakland, CA
William Gedman
VP Audit, Fraud & Abuse
UPMC Health Plan
Pittsburg, PA
Annmarie Gover
Medicare Compliance Officer
Capital BlueCross
Harrisburg, PA
Kim Green
Compliance Officer
Blue Cross Blue Shield of
Minnesota
Minneapolis, MN
Lucia Guidice
Director, Healthcare Advisory
Practice
PricewaterhouseCoopers, LLP
Boston, MA
Jason Hall
Interim Regional Compliance
Officer
Hawaii Region, Kaiser Permanente
Hawaii
Rebecca Learner
Senior VP & Compliance Officer
SCAN Health Plan
Long Beach, CA
Sandra Miller
Director of Government
Compliance
Blue Cross Blue Shield of
Minnesota
St. Paul, MN
Christian Presley
Compliance Officer
Blue Cross Blue Shield of
Massachusetts
Boston, MA
Rick Shackelford
Partner
King & Spalding, LLP
Atlanta, GA
General Session Speaker:
NYS–OMIG Compliance
Guidance for Medicaid
Managed Care Jim Sheehan
Associate U.S. Attorney
Office of the Medicaid
Inspector General
Albany, NY
Linda Tomaselli
Partner
Epstein Becker & Green PC
Washington, DC
General Session Speaker:
Hot Topics from the
Medicare & Medicaid
Services
Brenda Tranchida
Program Compliance and
Oversight Group, Center for
Drug and Health Plan Choice
Centers for Medicare
and Medicaid Services
Baltimore, MD
Matt Weber
Partner
Holland & Hart LLP
Denver, CO
Deb Ziegler
Corporate Compliance Officer
Capital Blue Cross
Harrisburg, PA
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
71
October 2008

New principles can
help advance
independent corporate
monitoring
Editor’s note: Vincent L. DiCianni is President
and founder of Affiliated Monitors, Inc. (AMI)
of Boston. Mr. DiCainni may be reached at
617/275-0620 or toll free at 866/201-0903
or by e-mail at vdicianni@affiliatedmonitors.
com. For additional information, please visit the
AMI Web site at www.affiliatedmonitors.com.
As government regulators and federal
and state prosecutors search for
effective alternatives to prosecutions,
they are increasingly using Deferred
Prosecution Agreements (DPAs) or nonprosecution
agreements, which include some
form of monitoring. Unfortunately, the
frequent appointment of former government
officials to serve as monitors has left some
questioning the independence and integrity
of the monitoring process used in such agreements.
To address these concerns, the U.S.
Department of Justice (DoJ) recently issued
a memorandum outlining the “best practice”
principles for choosing monitors.
Explaining the reasons for issuing the
principles in his March 7, 2008 memo to US
attorneys, Acting Deputy Attorney General
Craig S. Morford wrote: “The corporation
benefits from expertise in the area of corporate
compliance from an independent third party.
The corporation, its shareholders, employees
and the public at large then benefit from
reduced recidivism of corporate crime and the
protection of the integrity of the marketplace.” 1
The memo’s intent is to provide “a series of
principles for drafting provisions,” so the
By Vincent L. DiCianni
principles are not an end in themselves, but a
guide to potential provisions of an agreement.
The memo’s stated purpose is to provide “only
internal Department of Justice guidance” and a
further limitation notes that the memo “applies
only to criminal matters and does not apply to
agencies other than the Department of Justice.”
Yet the principles stated can also provide useful
guidance for state courts, regulatory agencies,
and other oversight authorities that may use or
advocate the use of monitors.
Standard principles are warranted, as the
use of independent corporate monitors has
become “almost commonplace” 2 in recent
years. Monitors are commonly associated
with DPAs and other pretrial agreements,
which “have been used with more frequency
recently to resolve a wide variety of criminal
investigations, ranging from accounting
fraud to tax fraud to violations of the FCPA
(Foreign Corrupt Practices Act).” 3
Monitors have been used in high-profile
cases involving well-known companies, such
as America Online (AOL), Bristol-Myers
Squibb, and American Insurance Group
(AIG). The Securities and Exchange Commission
(SEC) also is using them frequently
in enforcement actions, such as in its action
against WorldCom. 4
The use of monitors is increasingly common
in state courts as well, and they are sometimes
used in cases when no prosecution is involved.
Monitors have been used in high-profile cases,
such as the 2002 case against Arthur Andersen
Vincent L. DiCianni
executives involved with Enron, 5 but they are
also used by administrative agencies in cases
involving regulatory violations.
So what is a monitor
An independent corporate monitor is a person
or entity who has in-depth knowledge and
experience with regulatory schemes and oversees
businesses that have been sanctioned for
violating one or more regulations. The monitor’s
role is to provide both oversight to protect
the public and guidance to help the corporation
comply with regulations on an ongoing
basis. The corporation pays the monitor and,
in exchange for agreeing to ongoing oversight,
typically avoids other sanctions, such as
having a license to practice suspended. In this
respect, monitors can help the courts save time
and reduce their backlog, as well as provide
employee compliance training and oversight to
reduce the likelihood of recidivism.
Describing the monitor’s role, the Morford
memo says that, once an agreement is reached
for how to prevent future misconduct, “A
monitor’s primary responsibility is to assess and
monitor a corporation’s compliance with the
terms of the agreement specifically designed to
address and reduce the risk of recurrence of the
corporation’s misconduct, and not to further
punitive goals.” More specifically, the memo
says the monitor should “oversee a company’s
October 2008
72
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

commitment to overhaul deficient controls,
procedures and culture.” 6
Origins of corporate monitoring
Although receiving increasing attention today,
corporate monitoring is not a new concept. It
has its roots in the late 1960s, when monitoring
programs were created to help rehabilitate
juveniles and first offenders. Pilot programs in
Washington, DC and New York City provided
offenders with counseling, training, and job
placement in lieu of prosecution, in the hope
that the programs would reduce recidivism. 7
Corporate monitoring was further inspired
by the federal Inspector General Act of
1978, which created an Inspector General to
prevent and detect fraud, waste, and abuse
for each of 12 major federal civilian agencies.
The Inspector Generals’ combination
of auditing and investigating responsibilities
and statutory guarantee of independence are
key characteristics of today’s independent
corporate monitors. 8
Perhaps the most successful pioneering
program for corporate monitoring is the
Independent Private Sector Inspector General
(IPSIG) program developed in New York in
response to the 1989 report, “Corruption
and Racketeering in the New York City
Construction Industry.” 9 The issuing of the
Federal Sentencing Guidelines in November
1991, shifting policing responsibilities from
the government to the corporation, provided
a boost for the IPSIG model by recommending
less stringent penalties for companies that
took steps to detect and prevent fraud, report
misconduct promptly, and create a culture in
which high-level officials did not participate
in or condone criminal activity. 10
The IPSIG program, which was used to
investigate the theft of scrap materials from
The World Trade Center site after 9-11,
created an ongoing monitoring program
for construction companies with large state
contracts. It requires the contractors to
maintain a 24-hour hotline that employees
and others can use to report any wrongdoing;
it also provides monitors with ongoing access
to financial reports and other records, and to
employees. IPSIG monitors professionals in
the health care, accounting, and insurance
industries, and businesses and individuals that
contract with the state government.
The IPSIG model utilizes private sector
resources and expertise as
“an independent, private sector firm (as
opposed to a governmental agency) that
possesses legal, auditing, investigative, and
loss prevention skills, that is employed
by an organization (i) to ensure that
organization’s compliance with relevant
laws and regulations, and (ii) to deter,
prevent, uncover, and report unethical
and illegal conduct committed by the
organization itself, occurring within the
organization, or committed against the
organization. Notably, an IPSIG may be
hired voluntarily by an organization or
it may be imposed upon an organization
by compulsory process such as a licensing
order issued by a governmental agency, by
court order, or pursuant to the terms of a
deferred prosecution agreement.” 11
The independent monitoring model that has
evolved differs somewhat from the IPSIG
model, which has been criticized by some
who feel that IPSIGs can be too intrusive into
areas of a company that have nothing to do
with the matter at hand.
The increased focus on corporate scrutiny
resulting from the 2001 Enron scandal
created another boost for the use of corporate
monitors. Until recently, “a prosecutor’s
choices, when faced with corporate wrongdoing,
were essentially binary: he or she could
either bring charges or decline prosecution,
with no middle ground allowing for continued
supervision or enforced remediation.” 12
Because of the rigidity of existing standards,
prosecutors sought
“a way that would enable them to exercise
their discretion not to charge a corporation
in appropriate circumstances but
that would, at the same time, give them
sufficient leverage to require significant
changes in corporate culture, compliance
and controls and, as importantly, monitor
those changes for a reasonable period of
time. Thus was born the corporate Deferred
Prosecution Agreement (DPA) and
its adjunct, the independent monitor.” 13
Monitoring the health care profession
Although the DoJ memo focuses specifically
on monitoring in a corporate setting, its
guiding principles and model are applicable
in most regulated businesses and professions.
Monitoring is especially appropriate for highly
regulated, service-intensive industries, such as
the health care industry. And while it has been
used for high-level corporate crime, it also can
be effective for inadvertent and minor regulatory
violations, which have clogged the courts
and regulatory agencies, and have resulted in
delayed and protracted proceedings.
Few regulated businesses face the level of
regulatory obligations and oversight that
medical practitioners face, where a violation
could result in the loss of a license to practice.
In addition to patient care responsibilities,
practitioners must navigate the complexities
of healthcare billing and record-keeping
requirements, Occupational Safety and Health
Administration (OSHA), Health Insurance
Portability and Accountability Act (HIPAA),
Continued on page 77
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
73
October 2008

October 5–7, 2008
Renaissance Harborplace Hotel | Baltimore, MD
Keynote Speakers:
John D. Ashcroft, Esq. Former U.S. Attorney General, Chairman,
The Ashcroft Group LLC
Kevin O. Connor, Esq., Associate Attorney General, U.S.
Department of Justice
HCCA and AHLA are going green! Attendees will
receive electronic access to the course materials
prior to the program as well as an electronic version
of the materials at the program. Attendees
will not, however, automatically receive a binder.
If you would like to purchase a binder for $45,
please indicate that on the registration form.
HealthCare Appraisers, Inc. and
PricewaterhouseCoopers have provided
sponsorship in support of this program
October 2008
74
Health Care Compliance Association
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
888-580-8373 (p) • 952-988-0146 (f)
info@hcca-info.org • www.hcca-info.org
American Health Lawyers Association
Suite 600, 1025 Connecticut Avenue NW
Washington, DC 20036-5405
202-833-1100 (p) • 202-833-1105 (f)
www.heatlhlawyers.org
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

e g i s t e r n o w f o r HCCA’s
Physician Pr a c t i c e
Co m p l ia n c e Co n f e r e n c e
October 1–3, 2008
Philadelphia, PA | Doubletree Hotel Philadelphia
Sponsored by
Visit www.hcca-info.org or call 888-580-8373
General Session Topics and Speakers:
Can Compliance Programs Help Physicians
Improve Quality of Care
Rory Jaffe, MD, MBA, CHC
President, HCCA Board of Directors
How Compliance Efforts Can Help Avoid
Enforcement Actions
Sean R. McKenna
Assistant U.S. Attorney
Department of Justice
Medicaid Enforcement
James Sheehan
Medicaid Inspector General
New York State Office of the Medicaid Inspector
General
Physician Practice Enforcement Initiatives
Laura Ellis
Senior Counsel
U.S. Department of Health
& Human Services
Office of Counsel &
Office of the Inspector General

General Session Topics and Speakers:
Handling Research Misconduct Correctly: Your First Chance
and Last Chance May Be One and the Same
Jo An Rochez
Senior Attorney
U.S. Department of Health and Human Services
Office of the General Counsel
Counsel to the Office of Research Integrity
Register now for HCCA's
Research
Compliance
Conference
October 20–22, 2008 | Chicago, IL | Westin Michigan Avenue
Research Compliance Oversight in the Department of
Veterans Affairs
Karen M. Smith, PhD
Director, Midwestern Region
VA Office of Research Oversight
Anti-Kickback Stark and Related Fraud & Abuse Issues in
Research: What Every Compliance Officer Needs to Know!
Gadi Weinreich
Partner
Sonnenschein, Nath & Rosenthal
Medicare Contractor’s Perspective on Coverage
Ryan Meade
Partner
Meade & Roach, LLP
Richard K. Baer, MD
Medical Director, Medicare Part A
National Government Services, Inc.
Medicare Prescription Drug
Part D Compliance Conference
December 7–9, 2008
Baltimore, MD | Renaissance Baltimore Harborplace Hotel
Register before
October 17, 2008,
and save $200!
Featuring expert speakers:
Kim Brandt, Director of Program Integrity
Centers for Medicare & Medicaid Services
Cynthia Tudor, Medicare Drug Benefit Group
Centers for Medicare & Medicaid Services
Brenda Tranchida, Centers for Medicare and
Medicaid Services
October 2008
76
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

New principles can help advance independent corporate monitoring ...continued from page 73
Centers for Disease Control (CDC) guidelines,
and other government regulatory obligations
and network provider responsibilities.
A single complaint to a state licensing board
or federal regulatory agency, an intensive peer
review, or an audit by a third-party payer, can
trigger a series of inquiries and investigations
that could lead to loss of network provider
status, suspension or loss of license, loss of
malpractice insurance coverage, steep fines, or
forced closure of a practice.
Today, as an alternative, monitors are being
used with increasing frequency to address
compliance issues in matters involving
provider-patient boundary violations,
Medicaid and Medicare fraud, record keeping
deficiencies, improper delegation of patientcare
functions, over-prescribing of medications,
and many other types of cases.
The Morford Principles
Independent corporate monitors will never be
the right option for every case, but requiring
independent oversight can be appropriate in a
number of instances. In determining whether
a case is suitable for the use of a monitor, the
Morford memo suggests that, “In negotiating
agreements with corporations, prosecutors
should be mindful of both: (1) the potential
benefits that employing a monitor may have
for the corporation and the public, and (2)
the cost of a monitor and its impact on the
operations of a corporation.” 14
When a cost-benefit analysis makes monitoring
a viable option, the Morford memo sets
out nine principles covering the selection of
monitors, scope of duties, communications, and
duration of any agreement to retain monitors.
Selection of monitors
Independence, experience, and integrity
of the monitor are the key elements in the
selection process, as monitoring has come
under justified criticism in some cases where
the independence of the monitor was in
question. Some corporate defense attorneys
have expressed concern over the appointment
of monitors who may not be completely
impartial, and the attorneys have maintained
that monitors who are put in place by government
officials represent government agencies
to the potential detriment of corporations.
For example, the US Attorney for the District
of New Jersey, Christopher Christie, who
worked for former US Attorney General John
Ashcroft, came under scrutiny recently for
appointing Ashcroft as a monitor for Zimmer
Holdings. 15 In addition to the perceived conflict,
critics cited the cost, which is predicted to
range between $28 million and $52 million. 16
When the deal came to light, the chairmen
of the US Senate and House Judiciary
Committees requested an inquiry by the US
Government Accountability Office. Soon
after, US Congressman Frank Pallone (D-NJ)
introduced legislation that would require the
Attorney General to issue guidelines to help
determine when US attorneys should enter
into a DPA. 17 The action may have influenced
the decision by the Office of the Deputy
Attorney General to issue the memo containing
principles for appointing monitors. The
Morford memo focuses on the application of
criteria for preventing such conflicts.
Given the monitor’s responsibilities, it is vital
that monitors be impartial when performing
their duties. Biases are typically the result of
the unilateral selection of monitors, which
would be avoided by following the DoJ’s principles.
A monitor’s independence is, of course,
as important as the independence of a judge
or juror. Monitoring should be considered as a
valid legal option only when a monitor can be
appointed whose independence is established.
As such, the memo’s principles begin with the
following:
Principle 1. “Before beginning the process
of selecting a monitor in connection with
deferred prosecution agreements and nonprosecution
agreements, the corporation and
the Government should discuss the necessary
qualifications for a monitor based on the
facts and circumstances of the case.”
While recognizing that flexibility is necessary,
the DOJ memo also notes the necessity for
the monitor to be truly independent. The
principle denunciated requires that monitors
be selected based on their merits, rather than
being political appointments. The selection
process must, “at a minimum, be designed
to: (1) select a highly qualified and respected
person or entity based on suitability for the
assignment and all of the circumstances;
(2) avoid potential and actual conflicts of
interests, and (3) otherwise instill public
confidence by implementing the steps set
forth in this Principle.”
The memo requires that the following steps
be taken during the selection process. Those
steps include:
n Attorneys selecting monitors must comply
with the conflict-of-interest guidelines set
forth in 18 U.S.C. § 208 and 5 C.F.R.
Part 2635.
n US Attorneys and Assistant Attorneys
General cannot unilaterally select monitors,
or accept or veto their selection.
n No monitor will be appointed who has an
interest in, or relationship with, the corporation
or its employees, officers or directors
“that would cause a reasonable person to
question the monitor’s impartiality.”
n The corporation cannot employ or be affiliated
with the monitor for at least a year
after the monitoring relationship ends.
Continued on page 79
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
77
October 2008

Letter from CEO ...continued from page 19
n Microsites
o User definable Websites
o Can be used for special interest
groups
o Easy to set up, although
they have somewhat limited
flexibility
n Event Calendar
o Highlight by event type
o Filter events by location
o Search the calendar by keyword
This is one of the biggest advantages to
compliance professionals to come along
in many years. Our profession will be
more effective and successful. Many
other professions have yet to adopt this
technology. The key to its success is
simply a numbers game, particularly for
small special interest groups. If small
groups don’t get enough people to
participate, questions will go unanswered,
documents will not be shared
as effectively, etc. Do whatever you can
to support the compliance community
and become involved. Each group will
benefit only if there are an adequate
number of people to participate. I have
been getting complaints for years from
people who say “All I hear about is the
hospital perspective.” I agree more must
be done. In some ways, the ball is in
their court. This is an obvious case of,
“If you don’t give, you will not receive.”
This will be a great step in the right
direction. n
Reprinted from Journal of Health Care
Compliance, Volume 10, Number 5,
September-October 2008, pages 3-4,
with permission from CCH and Aspen
Publishers, WoltersKluwer businesses,
New York, NY, 1-800-638-8437,
www.aspenpublishers.com.
CHRC
certified in
healthcare
Research
compliance
The Research Compliance
Professional’s Certification
The CCB Research Compliance Certification exam will be available in
all 50 U.S. states. Join your peers and become Certified in Healthcare
Research Compliance (CHRC).
Enjoy the benefits of CHRC
certification:
n Demonstrate professional
standards and status
for healthcare research
compliance professionals
n Heighten the credibility of
compliance practitioners and
the compliance programs
staffed by these certified
professionals
n Ensure that each certified
practitioner has the knowledge
base necessary to perform the
compliance function
n Facilitate communication with
other industry professionals,
such as government officials
and attorneys
n Demonstrate the hard work
and dedication necessary to
succeed in the compliance
field
For more information
on how you can
become CHRC
Certified, please call
888-580-8373 or
e-mail
ccb@hcca-info.org.
Congratulations on achieving CHRC
status! The Compliance Certification Board
announces that the following individuals
have recently successfully completed the
Certified in Healthcare Research Compliance
examination, earning CHRC designation:
Ofer Amit
Marti Arvin
Thomas Bechert
Brenda Chapman
Dwight Claustre
Kendra Dimond
John Falcetano
Susan Golembeski
Joy Hardee
Lucinda Hopewell
Stuart Horowitz
Lori Kam
Carole Klove
Heather Kopeck
Amy Latulipe
Sarah McHugh
Angela McMahill
Ryan Meade
Stacey Medeiros
Rachel Nosowsky
Mary Prather
Terry Reeves
Barbara Scott
Jonathan Seltzer
Lindsay Sondergeld
Katherine Tarvestad
Debbie Troklus
Sheryl Vacca
Kelly Willenberg
The certification in Healthcare Research Compliance (CHRC) is
developed and managed by the Compliance Certification Board (CCB)
October 2008
78
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

New principles can help advance independent corporate monitoring ...continued from page 77
The memo notes that no one method of selection
will cover every case, because a monitor’s
role may vary. However, whatever method is
used, the government should determine what
selection process is most effective as early in
the negotiations as possible, and “endeavor to
ensure that the process is designed to produce
a high-quality and conflict-free monitor and
to instill public confidence.” 18
The memo suggests that both sides in the
matter discuss what role the monitor will
play, and the skills and experience needed.
The memo anticipates that, depending on the
case, monitors may include former government
attorneys, accountants, technical or
scientific experts, and compliance experts.
It recommends that at least three qualified
candidates be considered in each case.
Scope of Duties
Critics of monitoring also express concern over
the authority of the monitor. In some cases,
monitors have been able to override the decision-making
authority of the company CEO
and the Board of Directors. In the WorldCom
case, for example, the monitor participated
in the company’s business operations and was
described unofficially as a company executive.
19 To address these concerns, the Morford
memo spells out the breadth of the monitors’
responsibilities to prevent the monitor from
overstepping his or her authority, while also
reinforcing the monitor’s independence.
Principle 2. “A monitor is an independent
third-party, not an employee or agent of the
corporation or of the Government.”
By definition, the independent monitor is
distinct and independent from the directors,
officers, employees, and other representatives
of the corporation. The monitor is not the
corporation’s attorney. Similarly, the monitor
is not an arm of the government. While open
dialogue with the monitor throughout the
agreement is essential, all parties must understand
the corporation cannot seek legal advice
from the monitor, nor can the government
direct the monitor.
Principle 3. “A monitor’s primary responsibility
should be to assess and monitor a
corporation’s compliance with those terms of
the agreement that are specifically designed
to address and reduce the risk of recurrence
of the corporation’s misconduct, including,
in most cases, evaluating (and where appropriate,
proposing) internal controls and
corporate ethics and compliance programs.”
The type of misconduct being monitored and
the skills required of the monitor will vary
from one case to another, but a common
thread in any case where the use of an
independent monitor is under consideration
includes the existence of an effective compliance
program. As such, “A monitor’s primary
role is to evaluate whether a corporation has
both adopted and effectively implemented
ethics and compliance programs to address
and reduce the risk of recurrence of the
corporation’s misconduct. A well-designed
corporate code of ethics and compliance
program that is not effectively implemented
will fail to lower the risk of recidivism.” 20
The memo recommends that the corporation
should design its own compliance program,
but subject to the monitor’s “input, evaluation
and recommendations.”
Principle 4. “In carrying out his or her
duties, a monitor will often need to
understand the full scope of the corporation’s
misconduct covered by the agreement,
but the monitor’s responsibilities should be
no broader than necessary to address and
reduce the risk of recurrence of the corporation’s
misconduct.”
In other words, the role of the monitor should
be clearly defined and focused on reducing the
risk of recurring misconduct. According to the
memo,
“Neither the corporation nor the public
benefits from employing a monitor whose
role is too narrowly defined (and, therefore,
prevents the monitor from effectively
evaluating the reforms intended by the
parties) or too broadly defined (and,
therefore, results in the monitor engaging
in activities that fail to facilitate the corporation’s
implementation of the reforms
intended by the parties).”
Just as a business is more likely to succeed
when it has a business plan with clearly
defined goals, corporate monitors will be
more likely to succeed if their duties and ultimate
goals are clearly defined. The scope of
the monitor’s duties should be fully described
in the terms of the agreement.
The memo points out that an understanding
of historical misconduct may inform a
monitor’s evaluation of the effectiveness of the
corporation’s compliance with the agreement.
Communication
How and what a monitor communicates
to the government agency prosecuting the
case or the corporation being monitored
can be challenging. The monitor must
maintain impartiality, while keeping in
mind the ultimate goal of helping the
corporation to achieve ongoing regulatory
compliance.
What happens, though, when the monitor
discovers previously unknown misconduct
And what if the corporation is lax in following
the monitor’s recommendations
Continued on page 80
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
79
October 2008

New principles can help advance independent corporate monitoring ...continued from page 79
As outlined in the Morford memo, communication
on any wrongdoing is, of course,
necessary, but so is communication of
progress made by the corporation. Reporting
is a key responsibility of the monitor.
Principle 5. “Communication among
the Government, the corporation and the
monitor is in the interest of all the parties.
Depending on the facts and circumstances,
it may be appropriate for the monitor to
make periodic written reports to both the
Government and the corporation.”
Among the issues the monitor is likely to
cover in a monitoring report about the party
to be monitored are:
n The progress of the corporation;
n The degree of cooperation provided;
n Whether the corporation is complying
with the terms of the agreement and its
internal compliance program; and
n Any recommended changes that would
help achieve compliance.
Principle 6. “If the corporation chooses not
to adopt recommendations made by the
monitor within a reasonable time, either
the monitor or the corporation, or both,
should report that fact to the Government,
along with the corporation’s reasons. The
Government may consider this conduct when
evaluating whether the corporation has
fulfilled its obligations under the agreement.”
If the corporation declines to adopt a recommendation
by the monitor, the Government
should consider both the monitor’s recommendation
and the corporation’s reasons
in determining whether the corporation is
complying with the agreement. A flexible
timetable should be established to ensure that
both a monitor’s recommendations and the
corporation’s decision to adopt or reject them
are made well before the expiration of the
agreement. Sometimes the implementation
of a recommendation is cost prohibitive;
other times, it may interfere with legitimate
business purposes. The agreement must be
flexible enough to address potential barriers
to full implementation of the monitor’s
recommendations.
Principle 7. “The agreement should clearly
identify any types of previously undisclosed
or new misconduct that the monitor
will be required to report directly to the
Government. The agreement should also
provide that as to evidence of other such
misconduct, the monitor will have the
discretion to report this misconduct to the
Government or the corporation or both.”
In many cases, when the monitor discovers
new misconduct, it should be reported
directly to the government and not to the
corporation, particularly if the behavior is
substantive and:
n poses a risk to public health or safety or
the environment;
n involves senior management of the corporation;
n involves obstruction of justice;
n involves criminal activity that the government
has the opportunity to investigate
proactively and/or covertly; or
n otherwise poses a substantial risk of harm.
However, the monitor should use some
discretion in determining whether to report
allegations that may not be credible or that
involve actions outside the scope of the
corporation’s business.
Duration
The memo notes that “any guidance regarding
monitors must be practical and flexible.” That
flexibility extends to the duration of the agreement.
In some cases, extending the agreement
may be warranted. Likewise, there may be
circumstances in which the monitoring agreement
should be terminated early or altered. The
Morford memo anticipates both circumstances.
Principle 8. “The duration of the agreement
should be tailored to the problems that
have been found to exist and the types of
remedial measures needed for the monitor
to satisfy his or her mandate.”
Criteria to consider when determining how
long the agreement should last include:
n the nature and seriousness of the misconduct;
n the pervasiveness and duration of misconduct;
n the involvement of senior management;
n the corporation’s history of misconduct;
n the corporate culture;
n the scale and complexity of any remedial
measures, factoring in the size of the business;
and
n any progress in implementing remedial
measures before the monitoring agreement
begins.
Principle 9. “In most cases, an agreement
should provide for an extension of the
monitor provision(s) at the discretion of the
Government in the event that the corporation
has not successfully satisfied its obligations
under the agreement. Conversely, in
most cases, an agreement should provide
for early termination if the corporation can
demonstrate to the Government that there
exists a change in circumstances sufficient to
eliminate the need for a monitor.”
A monitoring agreement may be extended if
warranted by circumstances, such as when a
compliance program has not yet been fully
implemented. Conversely, the agreement
may end early when warranted as well, such
as when a business unit responsible for
misconduct ceases operations.
October 2008
80

When to use a monitor
Although some argue the new DoJ guidelines may not go far enough
to ensure uniformity in DPAs themselves, 21 taken as a whole, even
critics of monitoring likely will see value in considering the principles
for choosing an independent monitor as described in the Morford
memo. For example, some commentators who view monitoring as
an intrusion on corporate board authority wrote that, “The Morford
memo does, at a minimum, provide counsel with some new arguments
when negotiating with prosecutors over whether or not such a
monitorship is appropriate in a particular case, and, if so, how such
monitors should be selected, supervised and compensated, and what
the scope and term of their monitoring activities should be.” 22
In practice, the Morford guidelines should help standardize corporate
monitoring, while at the same time, allow the degree of flexibility
needed to accommodate a broad range of cases. As a result,
the new guidelines could foster confidence in monitoring by both
prosecutors and defense teams as an alternative method for resolving
both criminal charges and regulatory matters involving businesses
and professionals. The ultimate success will always depend, however,
on the commitment to compliance by the offending party and the
transparent behavior it will be required to demonstrate. n
1 Craig S. Morford, Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution
Agreements with Corporations, U.S. Department of Justice, Office of the Deputy Attorney General, March 7,
2008.
2 Christopher J. Gunther and Robert M. Pollak, “Scrutiny of Corporate Monitors Is on the Rise,” The National
Law Journal, March 31, 2008.
3 James K. Robinson, Phillip E. Urofsky and Christopher R. Pantel, “Deferred prosecutions and the independent
monitor,” International Journal of Disclosure and Governance, v .2, #4, September 28, 2005.
4 Jennifer O’Hare, “The Use of the Corporate Monitor in SEC Enforcement Actions,” Villanova School of Law,
paper 106, The Berkeley Electronic Press, 2008.
5 Tittle v. EnronCorp., 284. F.Supp. 2d 511, 553 n.59 (S.D.Tex. 2003).
6 Morford memo, supra note 1.
7 Harvard Law Review Association, “Developments in the law: Alternatives to incarceration,” Harvard Law
Review, 111, 1863, 1902 (1998).
8 Stanley N. Lupkin and Edgar J. Lewandowski, “Independent Private Sector Inspectors General: Privately
Funded Overseers of the Public Integrity,” NY Litigator Journal, v. 10, #1, Summer 2005.
9 Id.
10 Id.
11 International Association of Independent Private Sector Inspectors General, www.iaipsig.org.
12 Robinson, et al., supra note 3.
13 James K. Robinson, Phillip E. Urofsky and Christopher R. Pantel, “Deferred prosecutions and the independent
monitor,” International Journal of Disclosure and Governance, v .2, #4, September 28, 2005.
14 Morford memo, supra note 1
15 Terry Frieden, CNN Money, “Deals For Corporate Monitors Reined in By Justice Department,” March 10,
2008.
16 Philip Shenon, “Ashcroft Deal Brings Scrutiny in Justice Dept.,” The New York Times, page A1, Jan. 10,
2008.
17 H.R. 5086, currently in the Judiciary Committee, http://www.house.gov/list/press/nj06_pallone/pr_jan22_
deferredpros.html.
18 Morford memo, supra note 1.
19 Jennifer O’Hare, “The Use of the Corporate Monitor in SEC Enforcement Actions,” Villanova School of Law,
paper 106, The Berkeley Electronic Press, 2008.
20 Morford memo, supra note 1.
21 See Hearing on Deferred Prosecution: Should Corporate Settlement Agreements Be Without Guidelines,
March 11. 2008 (statement of Judiciary Committee Chairman John Conyers, Jr. (D-NJ)).
22 John F. Savarese and David B. Anders, “DOJ Issues Memo on Corporate Monitors,” Directorship, April 28,
2008.
A Valuable
Resource!
Get the week’s compliance news
right at your desk! Subscribe to
This Week in
Corporate
Compliance
HCCA’s free weekly news update.
It’s just a click away when you
use this link to subscribe:
www.hcca-info.org/subscribe
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
81
October 2008

Compliance Today Editorial Board
The following individuals make up the Compliance Today Editorial Advisory Board:
Gabriel Imperato, JD, CHC
CT Contributing Editor
Managing Partner
Broad and Cassel
Eric Klavetter, JD, MS, MA
Privacy and Compliance Officer
Mayo Clinic
Lisa Silveria, RN BSN
Home Care Compliance
Catholic Healthcare West
Christine Bachrach, CHC
Senior Vice President –
Compliance Officer
HealthSouth
F. Lisa Murtha, JD, CHC
Managing Director
Huron Consulting Group
Jeffrey Sinaiko
President
Sinaiko Healthcare Consulting, Inc.
Bonnie-Lou Bennig
Director of Corporate Compliance
& Quality Improvement
Vanguard Healthcare Services, LLC
Deborah Randall, JD
Partner
Arent Fox LLP
José A. Tabuena,
JD, CFE, CHC
VP Integrity and Compliance/
Corporate Secretary
MedicalEdge Healthcare Group, Inc.
Cynthia Boyd, MD, MBA
Associate Vice President
Chief Compliance Officer
Rush University Medical Center
Kirk Ruddell, CHC, MBA
Compliance Officer
Island Hospital
Debbie Troklus, CHC, CCEP
Assistant Vice President for
Health Affairs/Compliance
University of Louisville
School of Medicine
Becky Cornett, PhD, CHC
Director, Fiscal Integrity
Finance Administration
The Ohio State University
Medical Center
James G. Sheehan, JD
New York State
Medicaid Inspector General
Cheryl Wagonhurst, JD, CCEP
Partner
Foley & Lardner LLP
David Hoffman, JD
President
David Hoffman & Associates
October 2008
82
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

ASKLEADERSHIP
John asks the leadership
your questions
Editor’s note: John Falcetano,
CCEP, CHC-F, CHRC is Chief
Audit/Compliance Officer for
University Health Systems of
Eastern Carolina and a long-time
member of HCCA. This column
has been created to give members the opportunity to submit their
questions by e-mail to jfalcetano@suddenlink.net and have John
contact members of HCCA leadership for their response.
John Falcetano
Question: What is the difference between attorney-client
protection/privilege and attorney-client work product Does it
make a difference if you get legal advice from in-house counsel or
external counsel when you identify a potential compliance issue
The answer was provided by Frank E. Sheeder III, JD, CCEP, Partner,
Jones Day and member of the HCCA Board of Directors
Both of these doctrines are long-standing ways to protect the confidentiality
of communications between lawyers and clients, and the work that
lawyers and their agents generate. The attorney-client privilege generally
protects communications between a client and an attorney where the
client is seeking, and the lawyer is providing, legal advice. The privilege
dates back to Elizabethan times (the 1500s) and is designed to facilitate
the candid exchange of facts, which should lead to better legal advice.
If clients were not assured that the information they shared with their
lawyers, and the ensuing discussions, were not confidential, this would
have a chilling effect on the efficacy of the legal advice process.
The attorney work product doctrine protects the confidentiality of an
attorney’s thought processes, analyses, memoranda, notes, and the like. It
is likewise designed to facilitate the rendition of legal advice. In the health
care compliance realm, it is important to note that when attorneys engage
consultants or experts to assist them in rendering legal advice, their work
can be protected under the auspices of the work-product doctrine.
It does not make any difference whether you get advice from an in-house
lawyer or outside counsel when you identify a potential compliance issue.
The important thing is for compliance professionals to recognize
circumstances in which it is prudent to seek legal advice. n
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
83
October 2008

Corruption
enforcement actions
target foreign doctors
and hospital employees
By Robert Christopher Cook, JD and Louis P. Gabel, JD
Editor’s note: Christopher Cook is a partner
with the international law firm Jones Day in
Washington in DC, where he advises clients
regarding compliance with the Foreign Corrupt
Practices Act. He may be reached by telephone
at 202/879-3734 or by e-mail at christophercook@JonesDay.com.
Louis Gabel has recently accepted a position as an
Assistant United States Attorney in Detroit, Michigan.
He was an associate at Jones Day in Washington,
DC at the time this article was written.
Companies with operations outside
the United States, including health
care suppliers and providers, are
increasingly at risk of being investigated or
prosecuted for corruption that occurs in
foreign marketplaces. The US Department
of Justice (DoJ) and the Securities and
Exchange Commission (SEC) are the government
agencies with authority to conduct
enforcement investigations and institute
criminal or civil actions pursuant to the
Foreign Corrupt Practices Act (FCPA). Both
have stepped up scrutiny of corrupt foreign
dealings across all industries. The health care
industry is a particularly ripe target for such
investigations.
Health care companies face an acute risk of
exposure to public corruption (and attendant
enforcement investigations) due to their sales
and marketing in foreign countries because
health care customers in those countries are
oftentimes government-owned hospitals or
government-employed physicians. When
physicians and hospital employees are in a
position to influence purchasing decisions,
payments or gifts that could influence their
judgment run the risk of being considered
unlawful under the FCPA. Health care
companies thus must endeavor to create compliance
programs and controls that are robust
enough to minimize the risk of violating the
FCPA or other public corruption laws when
dealing with such situations. They must also
be prepared to act decisively and swiftly once
a potential violation is discovered.
The good news is that health care companies
are in a better position than many to address
these issues overseas. Laws governing physician
relationships in the United States, such
as the Anti-kickback Statute and the Stark
Law, are similar in many important respects
to the FCPA. To the extent that health
care companies have in place policies and processes
to comply with such requirements in
the United States, they are closer to ensuring
FCPA compliance overseas.
Anti-corruption laws
The FCPA makes it a crime to pay, offer,
authorize, or promise to award anything of
value to a foreign government official in order
to assist in obtaining business. The FCPA
applies to companies with formal ties to the
United States and those who take action in
furtherance of a violation while in the United
States. Companies and individuals who are
otherwise subject to the FCPA can even be
held liable for bribes paid to foreign officials
if no actions or decisions take place within
the United States. That is, the FCPA controls
the conduct of US persons and US companies
anywhere in the world. As a result, the FCPA
potentially applies to a wide range of companies
and individuals who have expanded their
operations beyond this country’s borders.
Criminal penalties under the FCPA can reach
$2 million per violation, and individuals can
face up to five years in prison per violation.
In addition to criminal liability, civil penalties
can include a fine of up to $500,000 per
violation or disgorgement of profits that were
obtained as a result of the violation. Other
consequences could follow from an FCPA
conviction, such as exclusion from certain
federal programs (including Medicare and
Medicaid) or ineligibility to receive export
licenses.
In addition to US anti-corruption laws such
as the FCPA, an increasing number of foreign
countries have enacted laws aimed at curbing
bribery. For instance, the thirty member
countries of the Organisation for Economic
Co-operation and Development (OECD)
and five non-member countries adopted
the Convention on Combating Bribery of
Foreign Public Officials in International
Transaction in 1997. The OECD Convention
obligates these signatory countries to enact
and enforce laws similar to the United States’
FCPA. Similarly, 170 countries have now
signed on to the United Nations Convention
against Corruption, which contains
measures for preventing and criminalizing
corruption. China in particular has become
more aggressive in its attempts to stamp out
public corruption, with top Chinese officials
announcing that the country’s anti-corruption
efforts were to be treated as a top priority.
Indeed, in July 2007, China executed the
former head of China’s Food and Drug
Administration for taking bribes from eight
drug companies.
October 2008
84
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Enforcement actions in health care
Recent enforcement actions by the DoJ and
SEC demonstrate the peril that health care
providers and suppliers face when conducting
business in foreign marketplaces.
In June 2008, AGA Medical Corporation
agreed to pay a $2 million criminal penalty
and entered into a Deferred Prosecution
Agreement (DPA) with the DoJ to settle a
criminal investigation of potential FCPA
violations. AGA Medical, a privately-held
medical device manufacturer that employs
approximately 350 people worldwide, was
charged with two counts (one alleging that it
conspired to violate the FCPA and the other
alleging that it actually did violate the FCPA)
in connection with bribes paid to doctors
and patent office officials in China. According
to the DoJ’s allegations, AGA Medical
employees authorized AGA Medical’s Chinese
distributor to make payments to doctors in
government-owned hospitals to encourage
them to purchase the company’s products
over those of its competitors. The payments,
which were called “commissions” by the
distributor, spanned from 1997 through 2005
and totaled at least $460,000. AGA Medical’s
sales in China for that time totaled approximately
$13.5 million. The DoJ also alleged
that, between 2000 and 2002, AGA Medical
agreed to make corrupt payments through
the same Chinese distributor to Chinese
government officials employed in the State
Intellectual Property Office in order to secure
approval for AGA Medical’s patents.
Along with the payment of the $2 million
penalty, a three-year DPA requires AGA Medical
to appoint an independent compliance
monitor who must be approved by the DoJ.
It also requires AGA Medical to continue its
implementation of corporate compliance and
ethics programs throughout the company’s
operations, including its contractors and
subcontractors. The compliance obligations
of the DPA apply to any successor company
that acquires the business or assets of AGA
Medical. The DoJ cited the company’s
voluntary self-disclosure and thorough review
of the improper payments, the company’s
cooperation with the DoJ’s investigation, and
the company’s implementation of enhanced
compliance policies as factors that influenced
the agency’s decision to defer prosecution.
In September 2007, the SEC filed a civil
injunctive action against Monty Fu, the
former chairman of Syncor International
Corp., stemming from payments Syncor’s
subsidiary made to doctors employed by
government-owned hospitals in Taiwan
between 1985 and 2002. The payments,
which amounted to commissions and referral
fees for the doctors, averaged over $170,000
per year from 1997 through 2002. They were
recorded as “advertising and promotions”
expenses in the subsidiary’s accounting books
and records. The SEC alleged that Mr. Fu was
aware that such payments were being made
and did not exercise his authority to ensure
that appropriate accounting controls were in
place and to make sure that such payments
were executed and recorded in compliance
with the FCPA. Mr. Fu consented to a final
judgment imposing a permanent injunction
and a civil penalty of $75,000.
In 2005, the DOJ undertook separate
enforcement actions against two medical
equipment companies, Micrus Corporation
and the Chinese subsidiary of Diagnostic
Products Corporation (DPC), for payments
those companies made to doctors and
hospital personnel working in governmentowned
hospitals. In each case, the payments
were made in order to influence the hospitals’
purchasing decisions. Citing Micrus’ selfdisclosure
of the matter, the DoJ declined
to charge the company criminally, instead
entering into a two-year DPA under which
Micrus was required to pay $450,000 in
civil penalties and adopt an FCPA internal
compliance program. DPC’s subsidiary was
charged by the DoJ. It pled guilty and paid a
$2 million criminal fine. DPC itself settled a
related civil action by the SEC for $2.8 million,
an amount that equaled the company’s
net profit in China, plus interest, for the
period of alleged misconduct. DPC was also
required to adopt internal compliance policies
and hire an independent consultant to audit
and monitor its adherence to these policies.
Compliance considerations
Health care companies can reduce their risk of
running afoul of the FCPA and enduring the
scrutiny of an enforcement investigation by
taking several discrete, yet meaningful, steps.
First, companies should review their current
compliance and ethics policies to ensure that
they adequately detect and prevent violations
of the FCPA. Particular attention should be
given to areas within the company that are
most likely at risk of violating the FCPA, such
as marketing and sales personnel whose customers
include foreign doctors or hospitals.
The company’s policies should make clear
what constitutes appropriate (and inappropriate)
marketing and sales activity when
dealing with such customers. Again, health
care companies likely have such policies in
place already for US operations and will only
need to modify and extend these policies, as
necessary, to foreign operations.
Second, companies should ensure that their
employees receive training on compliance with
anti-corruption laws, including the FCPA, and
document the fact that the company has provided
such training. Employees who are in a
position to make payments to foreign officials
should certify that they know the company’s
Continued on page 87
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
85
October 2008

Category B Device
Trials: Looking
backward and forward
Editor’s note: Sumathy Sundarababu is Clinical
Trial Manager in the Office of Clinical Trials,
New York University Medical Center, Veterans Administration
Hospital in New York City. Sumathy
may be reached by e-mail at sumathy.sundarababu@nyumc.org
or by phone at 212-263-4206.
Today we are witnessing a significant
increase in the number of device trials
all over the country. Device trials
unlock a variety of compliance and regulatory
issues, leaving many hospitals and healthcare
providers wondering if they should ever take
a risk and run a device trial at their site.
Medicare guidelines specify that a bill may
be submitted for services related to use of
a Category B device, but only if specific
information has been previously submitted
to Medicare and if Medicare has provided
a billing authorization. In some instances,
vendors may chose to provide a device free
of charge to the site. Under those circumstances,
institutional providers have an obligation
to report the no cost item by placing a
token charge in the charge field. By doing so,
hospitals/providers are making sure they are
transparent to the eyes of Medicare, compliant
with Medicare billing regulations, and
accomplishing the following four things:
1. Communicating to the contractor that
the provider is not seeking reimbursement
for the no cost item,
2. Reflecting with completeness and accuracy
all services provided to the patient,
3. Preventing the claim from being rejected/
denied by system edits that require an
item to be billed in conjunction with an
associative procedure, and
By Sumathy Sundarababu, PhD
4. Assuring that patient and provider are not
held liable for any charges for the no cost
item.
Although many institutional healthcare
providers have developed their own comprehensive
process of auditing, reconciliation,
and monitoring to ensure that billing for
research services is accurate, device trials
continue to be a challenge, even for the most
compliant site. Many sites fear that they
would jeopardize their billing compliance by
receiving reimbursement from Medicare for
the diagnosis-related group (DRG) expenses,
including the cost of the device, for devices
that are already paid by another source.
In the CY 2007 Outpatient Prospective Payment
System (OPPS) Final Rule, a policy was
adopted to pay a hospital less when a device is
provided to them at no cost. CMS expanded
this policy to the Inpatient Prospective Payment
System (IPPS) in the FY 2008 rule.
Under the rule, hospitals will be required
to identify when they receive a replacement
device and CMS will reduce the DRG
payment to reflect the hospital’s lower cost.
However, CMS does not believe that the
IPPS policy should apply to all DRGs and all
situations in which a device is replaced without
cost to the hospital for the device or with
full or partial credit for the removed device.
For this reason, CMS is applying the policy
only to those DRGs under the IPPS where
the implantation of the device determines the
base DRG assignment and situations where
the hospital received a credit equal to 50% or
more of the cost of the device. Heart rhythmrelated
Medicare-severity DRGs (MS-DRGs)
are subject to the final policy.
Although, CMS acknowledges the fact that
institutional providers are allowed to seek
devices free of charge from the vendors,
Medicare DRG payment doesn’t actually
distinguish devices provided free of charge
from those that are not. In addition, the FY
2008 IPPS rule seems to apply for “replacement
devices” only.
Until CMS comes up with ways to carve out
appropriate charges from the DRG payment
for the “free” devices, the sites have no choice
but continue following the current Medicare
billing guidelines on the UBO4 form:
1. To place the IDE # of the category B
device in form locator 43 (along with a
description of the investigational device)
on the CMS-1450 paper form, or the
electronic equivalent.
2. For part A, the revenue code 624 (IDE)
must be entered in the form locator 42, or
the electronic equivalent
3. To place a token charge of $”1”or $”0”on
the claim form for devices provided free
of charge.
4. Physicians must place the IDE # in item
23 of the CMS-1500 claim form, or the
electronic equivalent
5. Appropriate ICD-9 and CPT/HCPCS
codes that relate to IDE must be reported
on the claim.
6. The modifier Q0 / Q1 must be appended
to the CPT/HCPCS codes.
Furthermore, if CMS is utilizing the annual
cost reports submitted by Institutions to calculate
payment adjustment/carve out device
charges to sites, how do they determine how
much to carve out How is the implantable
device distinguished from other disposable
surgical supplies (for example, ablation
probes & catheters) that are not integral
October 2008
86
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Corruption enforcement actions target foreign doctors and hospital employees
...continued from page 85
part of device but are required for successful
implantation of device Will that reimbursement
reasonable enough to cover the direct
and indirect costs involved in the surgery
and hospitalization Will this give rise to
charge compression Questions like this will
continue to daunt the service providers until
CMS provides further clarification on the
“Medicare cost report”.
On April 14, the Centers for Medicare &
Medicaid Services (CMS) released its fiscal
year (FY) 2009 proposed rule for the hospital
inpatient prospective payment system (PPS).
Comments are due June 13. A final rule will
be released by August 1, and changes will take
effect October 1. The FY 2009 IPPS rule may
hold the key to some of our questions. n
The information presented here express the views
of the author and not necessarily the Institution’s.
policy against such payments and have not
made any. Additionally, companies should
consider whether agents, distributors, dealers,
and other third-parties who are engaged in
connection with the company’s business operations
should be required to certify in writing
that they will not engage in corrupt activity.
Third, companies should assess the adequacy of
their internal monitoring programs to ensure
that sufficient resources are dedicated to the
implementation and enforcement of the companies’
FCPA policies. As with all compliance
efforts, careful documentation is important,
because it will evidence the company’s commitment
to anti-corruption efforts in the event
a violation does occur and an investigation by
the DoJ or SEC is undertaken.
Fourth, when a potential violation is uncovered,
the company should conduct a prompt,
thorough investigation of relevant facts and
examine whether the problem is isolated or
systemic. As the investigation proceeds, management
should consider whether compliance policies
or practices need modification in light of
what is uncovered, and should determine, with
the assistance of counsel, whether it is appropriate
to disclose the results of the investigation to
the DoJ and SEC.
Even the very best anti-corruption policies
and practices cannot always prevent rogue
employees from violating the law. Nonetheless,
health care companies should recognize
that a little advanced effort in anti-corruption
compliance can go a long way in minimizing
the risk of violation, and detecting and
containing such violations if they occur. All of
these are important factors when enforcement
agencies consider a companies’ culpability for
the conduct of its employees. n
2 0 0 9
CAESARS PALACE
Las Vegas, NV
April 26–29, 2009
It’s never too early to register for
The Largest
Health Care Compliance
Meeting in the Country
Health Care Compliance Association’s
2009 Compliance Institute
April 26 - 29, 2009 | Las Vegas, NV | Caesars Palace
Register Now at www.compliance-institute.org
Register NOW, and SAVE $425!
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
87
October 2008

Certification — the recognized mark of a professional ...continued from page 31
Officer with Southcentral Foundation, in
Anchorage, Alaska. “My organization will
fund the continuing education required to
maintain the required certification,” adds
Teicheira.
Bill Hensley, CCEP, Principle
Corporate Compliance Specialist,
Office of Ethics & Compliance
with Medtronic, Inc. in Minneapolis
is not the hiring manager
for the Ethics and Compliance
team, but he points out that a
candidate “with a CCEP would
certainly have an advantage from
my perspective.” Falcetano adds,
“Hiring qualified compliance
professionals is a concern of
many organizations. Being certified
in your profession not only
increases your credibility within
your organization, but also with
your peers.”
Value of compliance certification
Compliance and ethics professionals find
personal and professional value in becoming
compliance and ethics certified. “Credentials
from reputable sources garner respect, from
the industry at large and within organizations,”
says Scichilone. Teicheira agrees.
“Certainly certification has enhanced my
I consider compliance
professionals walking, talking
insurance policies for an
organization. SCCE and HCCA
help ensure we meet our
obligations, never losing sight
of the fact that at the end of
the day, it’s all about doing the
right thing.”
– Danna Teicheira
job skills and expanded my knowledge of
compliance. To be clear, I would say that
the education and training that I received
and continue to receive in order to earn and
maintain certification helps me every day,”
says Teicheira.
Professional certification brings credibility
and helps edge out the competition. “Competition
in the workforce is a way of
life, and obtaining a professional
certification helps me demonstrate
my commitment to the profession.
I would say certification is an
investment in my career,” explains
Falcetano.
Cheryl Wagonhurst, JD, CCEP,
Partner in the Los Angeles office
of Foley and Lardner says that the
“CCEP helps me in developing
myself as an expert in the compliance
field….It lends credibility to
me as a compliance professional.”
Wagonhurst adds that “anyone
working in the compliance
profession should become certified. It helps in
establishing compliance as a profession.”
Glossary of Certification Acronyms
CCB – Compliance Certification Board.
(The independent CCB is governed by a
board of directors appointed by the HCCA
board. The President and Immediate Past
President of HCCA are ex-officio members
of the CCB Board of Directors. The mission
of the CCB is to develop criteria for the
determination of competence in the practice
of health care compliance at a variety of
levels and to recognize individuals who meet
these criteria.)
CCEP – Certified Compliance and Ethics
Professional
Society of Corporate Compliance and
Ethics (SCCE). For more information,
visit the Website at www.corporatecompliance.org.
CHC – Certified in Healthcare
Compliance
CHC-F – Certified in Healthcare
Compliance – Fellowship
CHRC - Certified in Healthcare Research
Compliance
Health Care Compliance Association
(HCCA). For more information, visit the
Website at www.hcca-info.org.
CCS - Certified Coding Specialist
CCS-P - Certified Coding Specialist--
Physician-based
RHIA - Registered Health Information
Administrator
American Health Information
Management Association. For more information,
visit the Website at www.ahima.org.
CIA® - The Certified Internal Auditor®
Institute of Internal Auditors. For more
information, visit the Website at
www.theiaa.org.
October 2008
88
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

“I am a compliance professional and proud
of it,” adds Teicheira. She says that at a
recent conference she attended, a U.S.
Attorney applauded HCCA’s Code of Ethics.
“Such praise reminds me why I have chosen
to work in compliance. I consider compliance
professionals walking, talking insurance
policies for an organization. SCCE [Society
of Corporate Compliance and Ethics] and
HCCA help to ensure we meet our obligations,
never losing sight of the fact that at
the end of the day, it’s all about doing the
right thing.” n
To learn more about compliance certification
options, including CCEP, CHC, CHC-F, and
CHRC, please contact Liz Hergert by e-mail at liz.
hergert@corporatecompliance.org or visit www.
corporatecompliance.org or www.hcca-info.org
Be Sure to Get Your
CHC CEUs
Inserted in this issue of Compliance
Today is a quiz related to the articles:
n The 1-2-3s of claims sampling to
resolve overpayment errors —
By B. Bo Martin, page 32
n Quality of care and compliance:
Existing challenges and first
steps for hospitals — By Cheryl
L. Wagonhurst and Nathaniel M.
Lacktman, page 46
n Complying with the HIPAA Privacy
Rule: What you need to know —
By Rebecca C. Fayed, page 59
To obtain your CEUs, take the quiz and
print your name at the top of the form.
Fax it to Liz Hergert at 952/988-0146,
or mail it to Liz’s attention at HCCA,
6500 Barrie Road, Suite 250,
Minneapolis, MN 55435. Questions
Please call Liz Hergert at 888/580-8373.
CHC Fellowship
On May 1, 2008 HCCA introduced Certified
in Healthcare Compliance Fellowship
(CHC-F), an advanced level of certification.
The purpose of the fellowship level of certification
is to promote the profession of
healthcare compliance practice by:
1. Formally recognizing health care compliance
professionals who demonstrate
an advanced knowledge of health care
compliance.
2. Encouraging continued personal and
professional growth in the practice of
health care compliance, and
3. Providing a national standard of requisite
knowledge required for advanced
certification; thereby assisting employers,
the public, and members of the
health professions in the assessment of a
health care compliance professional.
For a candidate to begin the fellowship
process, an application (which demonstrates
that all requirements are met) must be completed.
“Candidates should keep in mind
that this is an advanced credential and it has
many requirements,” said Debbie Troklus,
Compliance Certification Board President.
Requirements to apply for CHC-Fellowship
1. Maintain the CHC credential for a
minimum of three years (can be nonconsecutive
years);
2. Certificates of credit documenting 40
hours of CCB CEUs within the two years
preceding application with 20 hours within
the 12 months preceding application;
3. Three references
n No immediate family members
n One character reference
n One reference from an HCCA member
who is also a CHC
4. One reference from your current immediate
supervisor;
4. HCCA membership for at least three
years preceding application (these need
not be consecutive years);
5. A written statement that details knowledge
and experience in the operation
of all necessary elements of an effective
compliance program;
6. Minimum of a bachelor’s degree verified
by a certified transcript;
7. At least five years experience as a health
care compliance professional;
8. Detailed written description of the Fellowship
project proposal for approval by
the CCB Fellowship Certification Board;
9. A completed authorization form allowing
the CCB Certification Board to
complete a background check including
a criminal background check; and
10. Submission of $150.00 non-refundable
application fee
PLEASE NOTE: An application to CHC-F
will require approval of the CCB Fellowship
Certification Panel. Prior to approval
of the application, an in-person screening
interview with the CCB Fellowship
Certification Panel may be required.
Your application will not be reviewed until all
required forms and documents are received by
the CCB Fellowship Certification Board.
After the candidate’s application for fellowship
status has been accepted, the first step
is the successful completion of a simulation
examination.
For further information, please contact
Liz Hergert, Certification Coordinator for
SCCE/HCCA, at 952/405-7905.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
89
October 2008

New HCCA Members
The Health Care Compliance Association
welcomes the following new members and
organizations. Please update any contact
information using the Member Center on the
Web site, or e-mail Karrie Hakenson
(karrie.hakenson@hcca-info.org) with
changes or corrections.
Minnesota
n Lucinda Jesson, Hamline University
School of Law
n Kari Myrold
n Nancy L. Ohlenberg, Prime Therapeutics
n Roberta C. Patrow, Prime Therapeutics
Missouri
n Susan Cejka, Grant Cooper
n Linda K. Eickmann, HCA Midwest
Division
n Jennifer Koepke, Western Missouri
Medical Center
n Angie Lantz, Ranken Jordan Pediatric
Specialty Hospital
n Mary F. Sneed, Interim HealthCare
New Mexico
n Charmaine Quintana, RHIT CCS,
Christus/St Vincent Reg Med Ctr
n Gail Walsh, Compliance,
New York
n Cassandra Andrews Jackson, CHC,
MetroPlus Health Plan, Inc.
n Nirmala Beharry, Albert Einstein College
of Medicine/Dept of Psychiatry
n Myrna Cuevas, Hudson Valley Hospital
Center
n Ludomir J. Czynski, Bronx Lebanon
Highbridge Woodycrest Ctr
n Mrs. Tamara M. Dickey, CMBS, BS, St
James Mercy Hospital
n William Friedel, Memorial Sloan Kettering
Cancer Center
n Todd M. Hinman, CIPP, Capital District
Hlth Plan Inc
n Anthony R. Lisske, CPHQ CPSO CHPS,
New York Downtown Hospital
n Barbara A. McDermott, Madison
Cortland ARC
n Jayshree M. Negandhi, Hillside Family of
Agencies
n Nicky O’Connor, Westchester Medical Center
n Renee K. Olmsted, RHIA, Oneida
Healthcare Center
n Najarian Peters, Weill Cornell Medical
College
n Lisa Serotta, Schenectady ARC
North Carolina
n Kenneth A. DeVille, PhD JD, Brody
School of Medicine
n Joy Hardee, CHRC, Univ Health Systems
n Beth Lyle, Mission Hospital Inc
n Lisa D. McDonald, Boice - Willis Clinic
n Lisa A. Shaeffer, BCBS NC
n Bratic Stanislavka, Omni Home Health
Services, LLC
n Mrs. Mava Webster, BCBS of NC
Ohio
n Eric Sandkuhl, Molina Healthcare of Ohio Inc
n Dave Snow, Molina Healthcare of OH
Oklahoma
n Ann Cole, CPA, Comprehensive Med
Billing Solutions Inc
Oregon
n Dori J. Dawson, Kaiser Permanente
n James Gilson, Kaiser Permanente
n Maria E. Goodrich, RHIT, Kaiser
Permanente NW Region
n Laura L. Martinez, Kaiser Permanente
Pennsylvaia
n Lisa Adams Muhler, JD, MBA, MSN,
Merck & CO., Inc.
n Susan L. Fields, Marshall Dennehey
Warner Coleman & Coggin
n Christy L. Gilchrist, PhD CRA, WellSpan
Health
n Linda Harris, RN, Titusville Area Hosp
ADM
n Julie Hughes, Geisinger Health Plan
n Monica Johnson, Burman’s Medical
Supplies, Inc
n Randall J. Laubach, Geisinger Health Plan
n Melissa K. Schlenker, MS CCRC,
Wellspan Health
n Mrs. Sharon E. Sherwood, Hahnemann
Univ Hospital
n Robert J. Simon, Home Hlth Corp of
America
n David Weader, Geisinger Health Plan
Puerto Rico
n Myriam Derieux-Boria, CCP, VA
Caribbean Health Care Sys
South Carolina
n Dennis G. O’Connor, Lexington Medical
Center
n Joan C. Padgett, Spartanburg Regional
n Mary Prather, RN BSN MPH, CHRC,
Palmetto Health
n Judy W. Wallace, Spartanburg Regional
Med Ctr
South Dakota
n Ann Bain, Avera Health Plans, Inc.
n Ms. Sharon J. Hoon, RN, BSN, CCRC,
Sanford Research/USN
Tennessee
n Jennifer B. Baldock, Ambulatory Srvs of
America Inc
n Jeremy W. Banks, United Regional Med Ctr
n Linda Earhart, Ambulatory Services of
America
n Adam Nunn, Aim Healthcare
n Nancy N. Orndorff, Ambulatory Srvs of
America Inc
n Stephen V. Roberts, Dialysis Clinic, Inc
n Julie A. Sellers, PHP Companies, Inc
October 2008
90
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

n M. Michelle Walker, LifePoint Hospitals Inc
n Beth Wampler, Ambulatory Services of
America
Texas
n Joan B. Bell, Brazosport Regional Health
Sys
n Charlotte Blakely-Frazier, ValueOptions
n Brenda Chapman, Baylor Research
Institute
n Rocio Chavez, El Paso First Health Plans, Inc
n Noralene Corder, CPA-CFO, Smithville
Regional Hospital
n Janet Daylong, West Texas VA Healthcare
System
n David Everitt, The Compliance Division,
LLC
n Sara K. Fletcher, MSN, RN, Val Verde Reg
Med Ctr
n Monica Frazer, CPA, CHC, Children’s
Medical
n Candace Martinez, US Oncology
n Lois Pierson, University of Texas Health
Science Center at Houston
n Martha Porinchak, Huntsville Memorial
Hospital
n Beverly Prudhomme, City of Austin/
Patient Services
n Jeffrey Quade, Healthtronics, Inc.
n Ms. Marion T. Richardson, PMP,
Community First Health Plans
n Trae D. Rohan
n Daisy Seebach
n Andrew Whitacre Smith, Huron
Consulting Group
n Lindsay J. Sondergeld, MHA, CHRC,
Cancer Therapy & Research Ctr
n Anchi Angie Wang, BS, UT MD
Anderson Cancer Center
Virgina
n John Benson, Government Management
Svcs Inc
n Jittra Charnrissuragul, Georgetown
University Hospital
n Tammy L. Danek, CCS CPC CPC-H
CRS, Medicorp Health System
n Mark Erath, PricewaterhouseCoopers
Washington
n Mrs. Melania Antonio, CPC, Derry Nolan
& Associates
n Vincent Driano, Group Health Cooperative
n Julie Fry, Virginia Mason Medical Center
n Rebecca Marsh, CHC, Accuro Healthcare
Solutions
n Joseph Vessey, Whidbey General Hospital
n Clinton C. Vickers, Seattle Children’s
Hospital Research Institute
n Lisa Werlech, MBA, Proliance Surgeons
Inc PS
Wisconsin
n Cindy Ann Beran, Memorial Health
Center
n Crystal J. Laven, CPA CIA, Children’s
Hospital & Hlth System
n Penny Osmon, WI Medical Society
n Lori P. Peck, Memorial Health Center
L
Westlaw
Compliance Advisor
Compliance doesn’t have to be so hard.
Presenting Westlaw Compliance Advisor, SM
and not a
moment too soon. In a single location, it delivers the
resources you need to assure your organization knows
and complies with current state and federal statutes
and regulations.
Call 1-800-248-2449 or visit west.thomson.com/compliance
comp
L
Easy to use – easy to navigate. No search terms
to enter, no databases to learn. Instead, Compliance
Advisor is completely menu driven, so you point and
click to the answers you need. It’s loaded with other
features that save you time. See for yourself:
iance
© 2008 West, a Thomson Reuters business L-342781/8-08
Answer. Advise. Comply.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
91
October 2008

Your HCCA Staff
888-580-8373 | 952-988-0141 | fax 952-988-0146
Sarah Anondson
Graphic Artist
sarah.anondson@hcca-info.org
Gary DeVaan
IT Manager/Graphic Artist
gary.devaan@hcca-info.org
Margaret Dragon
Director of Communications
margaret.dragon@hcca-info.org
Darin Dvorak
Director of Conferences
and Exhibits
darin.dvorak@hcca-info.org
Wilma Eisenman
HR Director/Office Manager/
Compliance Officer
wilma.eisenman@hcca-info.org
Nancy G. Gordon
Managing Editor
nancy.gordon@hcca-info.org
Melanie Gross
Conference Planner
melanie.gross@hcca-info.org
Karrie Hakenson
Data Entry/Member Relations
karrie.hakenson@hcca-info.org
Elizabeth Hergert
Certification Coordinator
elizabeth.hergert@hcca-info.org
Patti Hoskin
Database Associate/
Member Relations
patti.hoskin@hcca-info.org
Jennifer Jansen
Conference Planner
jennifer.jansen@hcca-info.org
April Kiel
Database Administrator/
Member Relations/Marketing
april.kiel@hcca-info.org
Meghan Kosowski
Receptionist
meghan.kosowski@hcca-info.org
Caroline Lee Bivona
Project Specialist
caroline.leebivona@hcca-info.org
Shawn Leonard
Webmaster/Privacy Officer
shawn.leonard@hcca-info.org
Amy Macias
Member Services
amy.macias@hcca-info.org
Patricia Mees
Communications Editor
patricia.mees@hcca-info.org
Jennifer Power
Conference Planner
jennifer.power@hcca-info.org
Marlene Robinson
Audio Conference Planner
marlene.robinson@hcca-info.org
Beckie Smith
Conference Planner
beckie.smith@hcca-info.org
Roy Snell
Chief Executive Officer
roy.snell@hcca-info.org
Charlie Thiem
Chief Financial Officer
charlie.thiem@hcca-info.org
Adam Turteltaub
VP Member Relations
adam.turteltaub@hcca-info.org
Nancy Vang
Administrative Assistant
nancy.vang@hcca-info.org
Allison Willford
Accountant
allison.willford@hcca-info.org
Julie Wolbers
Accountant
julie.wolbers@hcca-info.org
October 2008
92
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

600 U.S. BANK PLAZA SOUTH 220 SOUTH SIXTH STREET MINNEAPOLIS, MN 55402 PHONE: 612.338.1838 FAX: 612.338.7858