Earn CEU credit Cathy Garrey, Connect with your - Health Care ...
Volume Ten
Number Ten
October 2008
Published Monthly

Meet Cathy Garrey, Compliance and Quality Assurance Manager, McHenry County Mental Health Board
page 14

Connect with your Peers—Use HCCA’s Compliance & Ethics Social Network
Find out how on page 9

Earn CEU credit
see insert

Exploring the question: Does this really make a compliance program “effective”?
page 27

Feature Focus: Coordinating external requests for information in the Compliance Office
page 38
Publisher:
Health Care Compliance Association, 888-580-8373

Executive Editor:
Roy Snell, CEO, roy.snell@hcca-info.org

Contributing Editor:
Gabriel Imperato, JD, CHC, 888-580-8373

Manager, Articles and Advertisements:
Margaret R. Dragon, 781-593-4924, margaret.dragon@hcca-info.org

Communications Editor:
Patricia Mees, CHC, CCEP, 888-580-8373, patricia.mees@hcca-info.org

Layout:
Gary DeVaan, 888-580-8373, gary.devaan@hcca-info.org

HCCA Officers:

Rory Jaffe, MD, MBA, CHC
HCCA President

Julene Brown, RN, BSN, CHC, CPC
HCCA 1st Vice President
Billing Compliance Manager
MeritCare Health System

Jennifer O’Brien, JD, CHC
HCCA 2nd Vice President
Shareholder
Halleland Lewis Nilan & Johnson PA

Urton Anderson, PhD, CCEP
HCCA Treasurer
Chair, Department of Accounting and Clark W. Thompson Jr. Professor in Accounting Education
McCombs School of Business
University of Texas

Gabriel Imperato, Esq, CHC
HCCA Secretary
Managing Partner
Broad and Cassel

Shawn Y. DeGroot, CHC-F, CCEP
Non-Officer Board Member of Executive Committee
Vice President of Corporate Responsibility
Regional Health

Steven Ortquist, JD, CHC-F, CCEP, CHRC
HCCA Immediate Past President
Partner
Meade & Roach

CEO/Executive Director:
Roy Snell, CHC, CCEP
Health Care Compliance Association

Counsel:
Keith Halleland, Esq.
Halleland Lewis Nilan & Johnson PA

Board of Directors:

Marti Arvin, JD, CHC-F, CPC, CCEP, CHRC
Privacy Officer
University of Louisville

Angelique P. Dorsey, CHRC
Research Compliance Director
MedStar Health

Dave Heller
Chief Ethics & Compliance Officer
Qwest Communications

Joseph Murphy, JD, CCEP
Co-Founder Integrity Interactive
Co-Editor ethikos

Karen A. Murray, MBA, FACHE, CHC, CHA
Corporate Compliance Officer
Yale New Haven Hospital

F. Lisa Murtha, JD, CHC
Managing Director
Huron Consulting Group

Daniel Roach, Esq.
Vice President Compliance and Audit
Catholic Healthcare West

Frank Sheeder, JD, CCEP
Partner
Jones Day

Debbie Troklus, CHC-F, CCEP, CHRC
Assistant Vice President for Health Affairs/Compliance
University of Louisville

Sheryl Vacca, CHC-F, CCEP, CHRC
Senior Vice President/Chief Compliance and Audit Officer
University of California

Greg Warner, CHC
Director for Compliance
Mayo Clinic

Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care Compliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscription rate is $295 a year for nonmembers. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address changes to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright 2008 Health Care Compliance Association. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means without prior written consent of the HCCA. For subscription information and advertising rates, call Margaret Dragon at 781-593-4924. Send press releases to M. Dragon, PO Box 197, Nahant, MA 01908. Opinions expressed are not those of this publication or the HCCA. Mention of products and services does not constitute endorsement. Neither the HCCA nor CT is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.

INSIDE

4 Cultural competency standards: Using the GAO Yellow Book elements — By Maria B.J. Chun
9 Introducing Compliance & Ethics Social Networking — By Shawn Leonard
10 What CMS gives, the courts take way: Patients in ambulances and EMTALA — By Jeffrey Fitzgerald
14 Meet Cathy Garrey, Compliance and Quality Assurance Manager, McHenry County Mental Health Board — an interview by Gabriel L. Imperato
19 Letter from the CEO — By Roy Snell
21 Organizational compliance culture: What message is your board and senior management sending? — By Jeff Sinaiko
23 Medicare’s medical necessity criteria: A mystery in the making — By Lester J. Perling
27 Exploring the question: Does this really make a compliance program “effective”? — By Catherine Boerner
30 Newly Certified CHCs
31 Certification – The recognized mark of a professional — By Margaret Dragon
32 CEU: The 1-2-3s of claims sampling to resolve overpayment errors — By B. Bo Martin
36 Improving competitiveness and compliance through agent/broker online training — By Susan Mollet and Martha Braunstein
38 Feature focus: Coordinating external requests for information in the Compliance Office — By Cornelia M. Dorfschmid
43 The what, why, and how of Medicare Coverage Analysis – Part 1 — By Ofer Amit
46 CEU: Quality of care and compliance: Existing challenges and first steps for hospitals — By Cheryl L. Wagonhurst and Nathaniel M. Lacktman
48 Conference Calendar 2009
53 SEC Disclosure: Managing information at FDA-regulated companies — By Elizabeth P. Gray and Jessica Matelis
54 Go Local – Upcoming Regional Conferences
59 CEU: Complying with the HIPAA Privacy Rule: What you need to know — By Rebecca C. Fayed
72 New principles can help advance independent corporate monitoring — By Vincent L. DiCianni
78 Newly Certified CHRC
82 Compliance Today Editorial Board
83 Ask Leadership
84 Corruption enforcement actions target foreign doctors and hospital employees — By Robert Christopher Cook and Louis P. Gabel
86 Category B device trials: Looking forward and backward — By Sumathy Sundarababu
90 New HCCA Members

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
3
October 2008
Affinity Group Meetings

Hold your own meeting in conjunction with HCCA’s 2009 Compliance Institute!

Planning on attending the Compliance Institute? Need to hold a meeting of your own? Affinity group meetings are now available in conjunction with the Compliance Institute.

Not only do you get the benefit of holding your meeting alongside the most comprehensive compliance conference for compliance professionals, but you also receive complimentary meeting room space at the conference site, your choice of a complimentary continental breakfast or an a.m. or p.m. break, and registration at the HCCA Member rate for your attendees.

Affinity Group Meetings may be held on one of the following days:
• Saturday, April 25, 2009
• Wednesday, April 29, 2009 (afternoon)
• Thursday, April 30, 2009

To apply, please visit www.compliance-institute.org (conference tab) and fill out the Affinity Group Meeting form. Please return the completed form to the HCCA office.

Questions? Contact Jennifer Jansen at 952.405.7922 or email her at jennifer.jansen@hcca-info.org
Cultural competency standards: Using the GAO Yellow Book elements

By Maria B. J. Chun, PhD

Editor’s note: Maria B. J. Chun is the Associate Chair, Administration and Finance in the Department of Surgery at John A. Burns School of Medicine at the University of Hawaii. Dr. Chun may be reached in Honolulu by telephone at 808/586-2925 or by e-mail at mariachu@hawaii.edu.

Due to the growing diversity of the US population, the need for culturally competent health care has been emphasized, and even required, by various oversight agencies and accrediting bodies.¹ Although Title VI of the Civil Rights Act was passed in 1964, confusion over how to translate the law into actual practice has only been seriously addressed over the past decade.² The Department of Health and Human Services has taken the lead by putting forth mandates, guidelines, and recommendations (referred to collectively as the National Standards for Culturally and Linguistically Appropriate Services or CLAS standards) as a means to formalize what it expects in terms of “cultural competency” in health care and how it can be implemented. The Centers for Medicare and Medicaid Services (CMS) has issued a CLAS implementation guide and a cultural competency crosswalk that links the CLAS standards with the standards of the Joint Commission (formerly JCAHO), the National Committee for Quality Assurance (NCQA), and URAC (formerly Utilization Review Accreditation Commission).³,⁴ Included in these documents are numerous toolkits and resources providing further guidance.

The 14 CLAS standards are organized into three themes:
• Culturally competent care (standards 1-3)
• Language access services (standards 4-7)
• Organizational supports for cultural competence (standards 8-14)

The first two themes deal directly with the actual provision of health care, and the third theme addresses administrative and infrastructural issues related to providing culturally competent care.¹,³ The standards are classified as mandates, guidelines, and recommendations.⁵ Mandates are defined as current federal requirements that must be followed by both individuals and entities, as specified, who receive federal funds. These mandates are tied to ensuring linguistically appropriate access to health care for those with limited English proficiency. The Office of Minority Health then deems the remaining standards as guidelines and recommendations. Guidelines are activities that should be adopted. Recommendations are suggestions that a health care organization may want to consider implementing. Table 1 (on page 7) lists the 14 CLAS standards.
Particularly in the case of the four mandated standards, how can an organization assess compliance? Given that Standard 9 makes specific reference to auditing as a method to evaluate CLAS implementation, the U.S. Government Accountability Office’s (GAO) Government Auditing Standards (aka Yellow Book) provides a helpful risk assessment tool through its “elements of a finding” approach, which ensures that the understanding of an issue/area of concern is complete.⁶ The elements of a finding are comprised of Criteria, Condition, Cause, Effect, and Recommendation (CCCER).
Definitions
Criteria - defines what should be and includes laws, regulations, contracts, grant agreements, standards, measures, expected performance, and so on.
Condition - describes what is, or the current situation.
Cause - refers to the why, or an explanation for the current situation, which may be due to such factors as a lack of or poorly designed policies and procedures, or incomplete or incorrect implementation.
Effect - describes what will happen, or the impact, and spells out the discrepancy between the criteria (what should be) and the condition (what is).
Recommendation - refers to what will be done, or what action(s) will be taken to correct the situation.
To provide an example of how the CCCER approach may be applied to the CLAS standards, we present the following hypothetical situation utilizing Standard 7:

You are the manager of one of seven outpatient clinics that are part of a large hospital. The Chief Operating Officer (COO) of the hospital has tasked all clinic managers with determining whether each of the clinics is meeting CLAS standards. The COO has provided you with verbal and written instructions on how to utilize CCCER and has asked that you start your assessment with Standard 7.
Criteria (what should be)
Standard 7 (Mandate): Health care organizations must make available easily understood patient-related materials and post signage in the languages of the commonly encountered groups and/or groups represented in the service area.

Condition (what is)
After reviewing patient data, you determine that your patient population consists of a large number of recent immigrants from the Philippines and Korea. But you notice that all patient-related materials (e.g., consent forms, conflict and grievance procedures, informational/educational brochures) are available only in English.

Cause (why this happened)
You and your staff were unaware that these materials were mandated by the federal government. The hospital administration had not provided any guidance in this area. Because some of your staff are bilingual and have been able to converse in the native languages of the patients, there was an assumption that this was sufficient.

Effect (why this matters)
Not only is the clinic out of compliance with a federal mandate, more importantly, it has not been culturally competent or sensitive to its patients’ needs. A patient may have consented to a procedure or a payment plan without fully understanding what was actually involved. This puts the clinic under potential legal and/or fiscal liability.

Recommendation (what will be done)
You immediately report your finding to the hospital COO and recommend that you and your staff be provided with cultural competency training with a focus on CLAS standards. You also request a more detailed needs assessment to determine exactly what patient-related materials and signage are needed, and in what languages, to properly assist your patient population.
The above scenario simplifies the complexities faced when trying to deal with cultural competency issues. However, utilizing CCCER is a good starting point and serves as a means to identify potential risk areas without overwhelming those tasked with ensuring cultural competency compliance. This should not replace a comprehensive organizational assessment, but once again, can serve as a basis for such an endeavor. Cultural competency will continue to grow in significance. What the federal government now deems as guidelines and suggestions may soon become mandates.

If you have already assessed, or are planning to assess, cultural competency in your organization, please contact me (mariachu@hawaii.edu) and let me know what methods you have used or are planning to use.
1. Brannigan, M.C. 2008. Connecting the dots in cultural competency: Institutional strategies and conceptual caveats. Cambridge Quarterly of Healthcare Ethics, 17: 173-184.
2. Beamon C, Devisetty V, Forcina Hill JM, et al: A Guide to Incorporating Cultural Competency into Medical Education and Training. December 2005, National Health Law Program.
3. http://www.qsource.org/uqiosc/CLASGuide.pdf. Accessed 7/1/08.
4. http://www.qsource.org/uqiosc/CLAS_Standards_Crosswalk_v3.pdf. Accessed 7/1/08.
5. http://www.omhrc.gov/templates/browse.aspx1v1=2&1v1ID=15. Accessed 7/2/08.
6. United States Government Accountability Office. July 2007. Government Auditing Standards, July 2007 Revision. Also available online at: http://www.gao.gov/govaud/ybk01.htm.
The HCCA HIPAA Training Handbook

The Health Insurance Portability and Accountability Act (HIPAA) has had lasting impact on U.S. health care providers since its passage in 1996. This 36-page handbook is intended for anyone who needs a basic understanding of the privacy and security regulations established by the HIPAA. Suitable for staff training courses, it covers:
• Who must comply with the HIPAA?
• When and by whom is the use or disclosure of protected health information (PHI) permitted?
• What rights does an individual have regarding his or her PHI?
• What are the basic safeguards required to protect the security of PHI?
• Which security safeguards are required, which are recommended, and what’s the difference between those standards?

This handbook can prepare all health care professionals to help protect the privacy and security of their patients’ health information.
Table 1: 14 CLAS Standards
U.S. Department of Health and Human Services, Office of Minority Health

Standard 1 (Guideline)
Health care organizations should ensure that patients/consumers receive from all staff members effective, understandable, and respectful care that is provided in a manner compatible with their cultural health beliefs and practices and preferred language.

Standard 2 (Guideline)
Health care organizations should implement strategies to recruit, retain, and promote at all levels of the organization a diverse staff and leadership that are representative of the demographic characteristics of the service area.

Standard 3 (Guideline)
Health care organizations should ensure that staff at all levels and across all disciplines receive ongoing education and training in culturally and linguistically appropriate service delivery.

Standard 4 (Mandate)
Health care organizations must offer and provide language assistance services, including bilingual staff and interpreter services, at no cost to each patient/consumer with limited English proficiency at all points of contact, in a timely manner during all hours of operation.

Standard 5 (Mandate)
Health care organizations must provide to patients/consumers in their preferred language both verbal offers and written notices informing them of their right to receive language assistance services.

Standard 6 (Mandate)
Health care organizations must assure the competence of language assistance provided to limited English proficient patients/consumers by interpreters and bilingual staff. Family and friends should not be used to provide interpretation services (except on request by the patient/consumer).

Standard 7 (Mandate)
Health care organizations must make available easily understood patient-related materials and post signage in the languages of the commonly encountered groups and/or groups represented in the service area.

Standard 8 (Guideline)
Health care organizations should develop, implement, and promote a written strategic plan that outlines clear goals, policies, operational plans, and management accountability/oversight mechanisms to provide culturally and linguistically appropriate services.

Standard 9 (Guideline)
Health care organizations should conduct initial and ongoing organizational self-assessments of CLAS-related activities and are encouraged to integrate cultural and linguistic competence-related measures into their internal audits, performance improvement programs, patient satisfaction assessments, and outcomes-based evaluations.

Standard 10 (Guideline)
Health care organizations should ensure that data on the individual patient’s/consumer’s race, ethnicity, and spoken and written language are collected in health records, integrated into the organization’s management information systems, and periodically updated.

Standard 11 (Guideline)
Health care organizations should maintain a current demographic, cultural, and epidemiological profile of the community as well as a needs assessment to accurately plan for and implement services that respond to the cultural and linguistic characteristics of the service area.

Standard 12 (Guideline)
Health care organizations should develop participatory, collaborative partnerships with communities and utilize a variety of formal and informal mechanisms to facilitate community and patient/consumer involvement in designing and implementing CLAS-related activities.

Standard 13 (Guideline)
Health care organizations should ensure that conflict and grievance resolution processes are culturally and linguistically sensitive and capable of identifying, preventing, and resolving cross-cultural conflicts or complaints by patients/consumers.

Standard 14 (Suggestion)
Health care organizations are encouraged to regularly make available to the public information about the progress and successful innovations in implementing the CLAS standards and to provide public notice in their communities about the availability of this information.
We are pleased to introduce
The Duane Morris, LLP Certified in Healthcare Compliance (CHC) Scholarship

Beginning in 2008, Duane Morris, LLP will sponsor four Certified in Healthcare Compliance (CHC) Scholarships annually.

The Duane Morris, LLP CHC Scholarship is intended to offer health care professionals the opportunity to expand their knowledge and advance their careers by obtaining the Certified in Healthcare Compliance (CHC) credential. Obtaining the CHC credential demonstrates an advanced knowledge of compliance and ethics principles and practice.

Each recipient of the Duane Morris LLP CHC Scholarship will be awarded $4,000 to cover the HCCA Compliance Academy tuition and CHC test fees, as well as a portion of travel expenses to attend the Academy. (Both Academy tuition and test fees have member and non-member pricing, so the portion of travel expenses covered will vary based on membership status.)

All applicants must successfully demonstrate financial need of their employer, as this scholarship is designed to provide educational assistance to health care professionals in organizations that may not otherwise be able to fund Academy attendance and CHC testing. Applicants must also meet the following criteria for consideration:
• Do not presently hold the CHC credential
• Have worked in the Health Care Compliance field for at least one year
• Meet the criteria to sit for the CHC exam
• Commit to prepare and sit for the CHC exam through the professional testing service or at the conclusion of the HCCA Academy

Background: The CHC credential is awarded to candidates who pass the Healthcare Compliance Certification Board CHC Examination. The Examination is offered at the conclusion of the HCCA Compliance Academy. The Compliance Academy offers four days of intense sessions covering the seven elements of health care compliance.

Duane Morris LLP and HCCA encourage equal opportunity for all CHC Scholarship applicants and candidates.

Applications are available at www.hcca-info.org; please call 888-580-8373 to receive an application.

If you have questions about the scholarship or the Compliance Academy program, please contact Jennifer Power at 952/405-7916 or by email at jennifer.power@hcca-info.org
Scholarship Recipients

The Four Duane Morris LLP HCCA Health Care Compliance Scholarships for 2008 were awarded to:

Kimberly Carroll
Compliance Analyst
LSU Health Sciences Center – Shreveport
Shreveport, LA

Michele Gildener
Compliance & Privacy Officer
Kona Community Hospital
Kealakekua, Hawaii

Roger Lowe
Privacy Officer
Yukon Kuskokwim Health Corp
Bethel, Alaska

Sharon Taylor
Director of Risk Management/Accreditation Services
Burgess Health Center
Castana, IA

To submit an application for the 2009 Duane Morris LLP HCCA Scholarship, please visit www.hcca-info.org
Introducing Compliance & Ethics Social Networking
By Shawn Leonard

Editor’s note: Shawn Leonard is the Webmaster/Privacy Officer at HCCA. He can be reached by phone at 952/567-6220 or by e-mail at shawn.leonard@hcca-info.org.com.

When it comes to social networking, many compliance and ethics professionals tend to grow deeply concerned: Visions of questionable content on Facebook and MySpace pages haunt their dreams.

Despite the high-profile disasters, social networking has grown to be an important part of business networking. LinkedIn, which helps professionals network with each other, now has more than 25 million members. The Health Care Compliance Association even has its own group on that site.

To help bring online collaboration among ethics and compliance professionals to the next level, HCCA, along with our sister organization the Society of Corporate Compliance and Ethics, has invested in creating a social networking site just for compliance and ethics professionals. This site will enable you to connect with others in the profession year round. You’ll be able to expand your network of peers and won’t need to wait until the next industry meeting to connect directly.

The site is designed to make it easy for you to find other ethics and compliance professionals who share the same interests and challenges you do, whether it’s dealing with the complexities of the federal Anti-kickback and Stark Laws or a general ethics issue. Asking a question of your peers is easy (e.g., Do you have a policy that covers x? What’s a best practice for y?). Giving an answer is just as simple.

Here’s how it works.

Go to the HCCA site (www.hcca-info.org) and log in. Then click on the Network link, which will take you directly to the Compliance & Ethics Exchange. Once there, you will see a list of various social networks you can join, based on areas of interest. Simply click on an e-group or groups that interest you. Then indicate how you want to learn about what’s going on with it (i.e., you might want an e-mail whenever someone posts to the

Continued on page 35
What CMS gives, the courts take away: Patients in ambulances and EMTALA
By Jeffrey Fitzgerald

Editor’s note: Jeffrey Fitzgerald is a partner in the Health Law group at Faegre & Benson LLP. He provides proactive compliance counseling and represents health care providers who are targets of fraud and abuse investigations. He may be reached at 303-607-3740 or jfitzgerald@faegre.com.

A hospital’s first step in ensuring compliance with the federal mandate called the Emergency Medical Treatment and Labor Act (EMTALA) 1 is to understand what events trigger the law’s application. To help in this process, the Centers for Medicare and Medicaid Services (CMS) issued regulations that provide bright-line tests that define when EMTALA applies. 2 In the case of individuals in ambulances, many hospitals may think that the rules are pretty clear: for a hospital-owned ambulance, EMTALA applies once the individual is “in” the ambulance; and for a non-hospital ambulance, EMTALA applies once the ambulance is “on hospital property.” 3

Unfortunately, hospitals cannot rely exclusively on CMS’ bright-line tests because earlier this year, the US Court of Appeals for the First Circuit concluded that, notwithstanding the CMS regulations, EMTALA can be violated where a hospital diverts a non-hospital ambulance that is not yet on hospital property. In so doing, the Court of Appeals essentially added an intent-based test to CMS’ bright-line test. A similar decision was issued by the Court of Appeals for the Ninth Circuit a few years ago. As such, hospitals should structure their EMTALA compliance strategies to ensure that they meet both CMS bright-line standards and the judicially-created intent standard.

EMTALA statute and regulations

The concept behind EMTALA is simple enough: Congress was worried that hospitals—organizations to which the government makes significant payments through the Medicare program—were refusing to treat uninsured patients, including patients who arrived at an emergency department (ED) in need of urgent medical care. So Congress mandated, through EMTALA, that all hospitals enrolled in Medicare that have an ED must provide a medical screening exam to all individuals who come to the ED and request examination or treatment.

If the medical screening exam finds that the individual has an emergency medical condition (which includes active labor), then the hospital must provide stabilizing treatment within the capacity and capability of the hospital. Further, if the individual has an emergency medical condition, the hospital may not transfer the individual to another hospital unless certain conditions are met (generally, a transfer is permitted only if the hospital lacks the ability to care for the individual and a physician certifies that the benefits of transfer outweigh the risks). Additionally, EMTALA specifically prohibits a hospital from delaying the medical screening exam or stabilizing treatment “in order to inquire about the individual’s method of payment or insurance status.” 4

Under the statute, a hospital’s duties under EMTALA are triggered once a person (1) “comes to the emergency department,” and (2) requests or “a request is made on the individual’s behalf for examination or treatment.”

In the implementing regulations, CMS specifies four different standards for determining when an individual “comes to the emergency department” based upon four different situations:
• Individuals in a dedicated emergency department;
• Individuals on the hospital property, but not in the ED;
• Individuals in a hospital-owned ambulance; and
• Individuals in a non-hospital ambulance.

For an individual who presents at a hospital’s dedicated emergency department (i.e., a traditional ED), EMTALA applies if the individual requests examination or treatment for a “medical condition” (or if a prudent layperson observer would believe, based on the individual’s appearance or behavior, that the individual needs treatment for a “medical condition”). The regulations do not define “medical condition,” but the clear implication is that EMTALA applies to all individuals in an ED who request medical care.

For an individual who is somewhere on hospital property other than the ED, EMTALA applies if the individual requests examination or treatment for an “emergency medical condition” (or if a prudent layperson observer would believe, based on the individual’s appearance or behavior, that the individual needs emergency examination or treatment). This definition is intended to exclude from the scope of EMTALA individuals who are on the hospital property to obtain non-emergency care, such as lab tests, physical therapy, scheduled surgery, or physician visits. This definition makes clear that EMTALA applies to individuals who are on hospital property
and need emergency care (e.g., an individual who collapses in the hospital parking lot).

The EMTALA regulations apply different standards to individuals in ambulances (ground and air) based upon whether the hospital owns the ambulance. If an ambulance is owned by a hospital, EMTALA applies to an individual in the ambulance (regardless of the ambulance’s location), unless the ambulance is operated under communitywide emergency medical service (EMS) protocol (and the EMS protocol directs the ambulance to another hospital).

If an ambulance is not owned by the hospital, then EMTALA applies to an individual in the non-hospital ambulance once the “ambulance [is] on hospital property.” To emphasize that the ambulance must be on the hospital property in order for EMTALA to apply, the regulation specifically states that an individual in a non-hospital ambulance that is not on hospital property is not deemed to have come to the ED. However, an individual in a non-hospital owned ambulance off hospital property is not considered to have come to the hospital’s emergency department, even if a member of the ambulance staff contacts the hospital by telephone or telemetry communications and informs the hospital that they want to transport the individual to the hospital for examination and treatment. 5

CMS’ interpretation, that an individual in a non-hospital ambulance has not “come to” the ED until the ambulance is on hospital property, has a common-sense appeal—a hospital cannot provide a screening exam or stabilizing treatment to an individual that is not at the hospital.

The guidance issued by CMS in the State Operations Manual applies a slightly different analysis to reach the same conclusion. The manual provides that an individual “comes to the emergency department” when the individual is “on hospital property.” 6 The manual defines “hospital property” to include hospital-owned ambulances, thereby making EMTALA apply to individuals in hospital-owned ambulances. In contrast, the manual states that an individual in “a non-hospital owned ambulance not on the hospital’s property is not considered to have come to the hospital’s emergency department”.

CMS’ interpretation of the “comes to the emergency department” threshold creates a bright-line in the context of individuals in ambulances: EMTALA applies to individuals in hospital-owned and controlled ambulances (unless an EMS protocol applies); and EMTALA does not apply to individuals in a non-hospital ambulance until the ambulance is on hospital property.

Courts’ view of EMTALA

In April 2008, the US Court of Appeals for the First Circuit issued an opinion that found that an individual can allege a violation of EMTALA when a hospital diverts a non-hospital ambulance that is not on hospital property to a different hospital because the patient is uninsured. Morales v. Sociedad Española De Auxilio Mutuo Y Beneficencia, 524 F.3d 54 (1st Cir. 2008). In that case, the plaintiff had an ectopic pregnancy and began experiencing severe abdominal pain while at work. She was placed in an ambulance that set off for the defendant hospital. The ambulance was not owned by the hospital, and the paramedics who manned it were not hospital employees. While in transit to the hospital, the paramedics called ahead to the ED twice. In the first conversation, the ED physician expressed concern that the plaintiff might voluntarily have induced an abortion. He also stated that he was very busy and asked the paramedics to call back when they had more information about the suspected abortion. In the second conversation, the ED physician inquired as to whether the patient had medical coverage, and when the paramedics gave no assurance of coverage, he abruptly terminated the call (an action that the paramedics interpreted as requiring a diversion of the patient to another hospital).

The patient brought a personal injury lawsuit against the hospital, alleging that the hospital violated EMTALA by diverting her ambulance to another hospital. The trial court ruled in favor of the hospital on the basis that the patient had not “come to the ED,” and thus the hospital’s duties under EMTALA had not been triggered. The US Court of Appeals for the First Circuit, in a 2-1 decision, reversed the trial court ruling.

The First Circuit concluded that for EMTALA to apply, the plaintiff must “come to” the ED. The First Circuit noted that the statute did not provide a definition for that term, and concluded that the term itself was not self-elucidating. As such, the First Circuit looked to CMS regulations for guidance. The First Circuit found the regulations to be ambiguous on the basis that the regulations do not state “whether a hospital may divert an approaching ambulance only when it is in diversionary status, or whether it may do so under other circumstances.” 7

The First Circuit also found the CMS State Operations Manual guidance to be ambiguous. By finding CMS’ regulations and guidance to be ambiguous, the court concluded that there was no clear interpretation of the statute upon which the court could rely.

Ultimately, the court concluded that the intent behind EMTALA was to ensure that individuals were not turned away by hospital EDs on the basis of their financial status. As such, the First Circuit ruled that EMTALA would be violated
where a hospital diverts a non-hospital ambulance because the individual is uninsured.

A dissenting opinion was filed in the case. The dissenting judge found that the statute and regulations were clear and that “comes to an emergency department” unambiguously means “arrives” at the ED, such that an individual in an ambulance who has not yet arrived at the hospital is not within the scope of the statute. The dissenting judge also found CMS regulations to reflect the agency’s interpretation that “the patient must, at the least, be physically on hospital property” and that CMS’ interpretation is “eminently plausible” and should have been deferred to by the Court of Appeals.

The First Circuit’s decision is consistent with the only other Court of Appeals decision on this issue, a 2001 decision from the US Court of Appeals for the Ninth Circuit. 8 In a case with similar facts, the Ninth Circuit also concluded that diverting an individual in a non-hospital ambulance specifically because of the individual’s insurance coverage was a violation of EMTALA. Interestingly, the 2001 decision from the Ninth Circuit was also a 2-1 decision, and the dissenting judge in the Ninth Circuit case shared the same view as the dissenting judge in the First Circuit case.

Hospital compliance strategies

In light of the tension between the regulations and court decisions, hospitals should structure their existing EMTALA policies and procedures to account for both the bright-line rules set by CMS and the courts’ intent-based interpretation. Hospitals should have a comprehensive EMTALA policy specifically addressing ambulance issues, including the following:
• If the hospital owns an ambulance service, the hospital should have a process to ensure that all patients placed into a hospital-owned ambulance receive a screening examination and stabilizing treatment;
• The hospital should identify a process for ensuring that a screening examination and stabilizing treatment are provided to all patients in a non-hospital ambulance that comes onto hospital property;
• When communicating with a non-hospital ambulance, the hospital should not inquire about the patient’s insurance coverage or the patient’s ability to pay; and
• Hospitals should not divert an ambulance to another hospital based upon the patient’s (real or perceived) insurance coverage or financial status.

Following these suggestions will allow a hospital to ensure that it meets its EMTALA obligations, as interpreted by CMS and the courts. Hospital policies that focus on whether the individual is on hospital property and prohibit consideration of ability to pay are consistent with the intent behind EMTALA, as they ensure that individuals seeking emergency care are treated regardless of their financial status.

Conclusion

In the regulations implementing EMTALA, CMS states that an individual in a non-hospital ambulance has not “come to the ED” for purposes of triggering the hospital’s duties of providing a medical exam and stabilizing treatment. Out of an apparent fear that hospitals would divert ambulances with uninsured individuals to other hospitals, some courts have added an additional requirement, namely, that a hospital may not divert an ambulance purely because of the individual’s financial status. This additional requirement blurs the clear “on hospital property” standard set by CMS, but prudent hospitals should structure their EMTALA compliance activities to ensure that both standards are met.

1. 42 U.S.C. § 1395dd.
2. 42 C.F.R. 489.24.
3. 42 C.F.R. 489.24(b).
4. 42 U.S.C. § 1395dd(h).
5. 42 C.F.R. 489.24(b).
6. CMS, State Operations Manual, App. V, at 32.
7. 524 F.3d at 59.
8. Arrington v. Wong, 237 F.3d 1066 (9th Cir. 2001).
Be Sure to Get Your CHC CEUs

Inserted in this issue of Compliance Today is a quiz related to the articles:
• The 1-2-3s of claims sampling to resolve overpayment errors — By B. Bo Martin, page 32
• Quality of care and compliance: Existing challenges and first steps for hospitals — By Cheryl L. Wagonhurst and Nathaniel M. Lacktman, page 46
• Complying with the HIPAA Privacy Rule: What you need to know — By Rebecca C. Fayed, page 59

To obtain your CEUs, take the quiz and print your name at the top of the form. Fax it to Liz Hergert at 952/988-0146, or mail it to Liz’s attention at HCCA, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Questions? Please call Liz Hergert at 888/580-8373.

Compliance Today readers taking the CEU quiz have one year from the published date of the CEU article to submit their completed quiz.
feature article

Meet Cathy Garrey, MA, CHC
Compliance and Quality Assurance Manager, McHenry County Mental Health Board

Editor’s note: This interview with Cathy Garrey was conducted in late summer by Gabriel L. Imperato, Esq, CHC, Managing Partner of the Fort Lauderdale office of Broad and Cassel, where he is Chairman of the firm’s White-Collar Criminal and Civil Fraud Defense Practice Group. He personally represents individuals and organizations accused of criminal or civil fraud in the areas of health care, securities, and other corporate fraud and compliance and governance matters. He is board certified as a specialist in health care law by the Florida Bar and is a member of the Illinois, Florida, and District of Columbia bars. Mr. Imperato can be reached at 954/745-5223 or by e-mail at gimperato@broadandcassel.com.

Cathy Garrey may be reached by telephone at 815/455-2828 or by e-mail at cgarrey@mc708.org.

GI: Cathy, thank you for agreeing to this interview for Compliance Today. Please tell our readers a little about your background and how you became Compliance and Quality Assurance Manager for the McHenry County Mental Health Board.

CG: Although I earned a degree in education from Drake University in Iowa, I found more job opportunities in case management for individuals with severe and persistent mental illness. My first job as a case manager at a not-for-profit human service agency in northern Illinois led me into a Quality Assurance and Training Manager position. Here I discovered that conducting record reviews and preparing for audits was something that I enjoyed. This job centered on monitoring compliance with government rules and laws and program policies, and it included overseeing the organization’s Training department to ensure compliance for all the programs in the agency. Coordinating the organization’s CARF (Commission on Accreditation of Rehabilitation Facilities) accreditation was another part of the job. During this time, I also worked toward an MA in Management. After getting the degree, I moved into the position of Director of Quality Assurance and Training.

Shortly after this appointment, I changed jobs. An opportunity to focus more on compliance and less on training and development opened in another agency, so I took the position to expand on my interests. Over the next year or so, as the Compliance Officer, I developed the corporate compliance program with the help of a consortium of compliance professionals and a national consultant.

At about that time a position opened at the McHenry County Mental Health Board (MHB) that called for someone with my qualifications. The position required a background in mental health as well as significant experience in compliance and accreditation work. It was not only a perfect fit, but also it offered an opportunity to return to the county where I had developed wonderful collaborative relationships. Since starting, about a year and a half ago, I have been developing a compliance program at MHB, preparing the organization for its first CARF survey, and working with county providers to make sure that everyone meets the new Illinois Medicaid Rehabilitation Option regulations.

GI: Please describe the McHenry County Mental Health Board, and tell us about your responsibilities as the Compliance and Quality Assurance Manager.

CG: The McHenry County Mental Health Board funds services for individuals who have a mental illness, developmental disability, and/or drug or alcohol dependence.
It was established in 1969 in response to the Community Mental Health Act, and since then it has built a history of success in managing a comprehensive community human service system of care that includes collaborative and financial relationships with federal and state mental health and welfare agencies, as well as with public and private agencies.

My responsibilities include ensuring that our funded agencies are compliant with Medicaid-Medicare rules and regulations. The MHB audits agencies for compliance triggered by utilization trends that are over or under the expected norm by about 15% based on monthly reports. If a problem with compliance emerges during a routine audit, audits may take place monthly until the problem is resolved.

During an audit, charts and case notes are examined to review all required information. I look for trends in billing records that reflect the need to develop a plan to ensure quality of care. An audit also examines treatment plans, which are reviewed every six months. All provided services should be part of the plan. We also make sure that new clients have a mental health assessment.

Once an audit is completed, we arrange for an exit conference, and then we structure a formal report.

GI: What attracted you to the compliance profession and why do you remain in the compliance profession?

CG: I became a compliance professional quite by accident. While working as the Assistant Manager of a community mental health program, the organization received notice of an upcoming state Medicaid audit. At the time, I was the only one available to review charts and make sure we were ready. I found that I enjoyed the challenge and had a knack for the work. Eventually, I became the Director of Quality Assurance and Training at that organization. I remain in the compliance profession because it is challenging. Things are forever changing. No two days are the same, and the work is very rewarding. There are always new things to learn and new networking opportunities.

GI: I see that you have been Certified in Healthcare Compliance (CHC) by the Health Care Compliance Association. When did you become certified, and why did you choose to do so?

CG: I became Certified in Healthcare Compliance in 2006. At the time, I was developing a corporate compliance program for an organization and came across the Health Care Compliance Association website. I signed up for This Week in Corporate Compliance, and within a few weeks, I joined the association. When I presented the idea of getting certified to my supervisor, he was supportive. We agreed that the certification would enhance my credentials as a Compliance Officer. I signed up to attend a Compliance Academy and had the opportunity to meet people from all over the country. The training was excellent. I sat for the certification exam on the Friday morning after completing the four-day training. The many resource materials presented at the training proved quite useful.

GI: How has CHC helped you as a compliance professional, generally and specifically, in your role at the McHenry County Mental Health Board? Has CHC certification brought you professional recognition within your organization? How has this helped you to be an effective compliance professional?

CG: Certification necessitates staying abreast of what is happening in the health care field in matters of compliance, because continuing education is one of the requirements. CHC also allows access to HCCA website information developed by experts in the field, offering opportunities to conduct research on compliance issues. Additionally, it provides networking opportunities that put me in touch with professionals around the country, and that offers a much larger base of knowledge and information. When we have a difficult question regarding compliance, I can connect with experts who are willing to share their knowledge and tools. Certification means that I can count on other professionals to help resolve specific problems.

Here in McHenry County, I meet with compliance professionals on a monthly basis. Reading Compliance Today and attending Compliance Institute training sessions provides up-to-date information that I can share with my colleagues. They appreciate my access to professionals around the country, which expands their knowledge base as they develop their compliance programs.

Recently, three compliance professionals and I developed a comprehensive training for executive directors, finance managers, and human resource managers. Information in the portion that I covered came from materials that I received at the recent Compliance Institute and from articles in Compliance Today. A month later, my executive director showed me an article she had read on corporate compliance. Our group had covered it all.

GI: What value does CHC certification
bring to the workplace <strong>with</strong> employees of<br />
the organization How about <strong>with</strong> management<br />
and the governing authority of the<br />
organization<br />
CG: My supervisors have expressed appreciation<br />
for my CHC certification. They have<br />
confidence that when I say to them that we<br />
need to develop a new compliance tool or add<br />
something to our quality checklists, I have<br />
a good reason. My supervisor told me that<br />
although the Mental <strong>Health</strong> Board has always<br />
been concerned about compliance, prior to<br />
my joining the organization no one had this<br />
level of certification. He and the executive<br />
director have been supportive as we develop<br />
our compliance program. The MHB Board of<br />
Directors attends training sessions on compliance<br />
during the national conferences they<br />
attend. They, too, are supportive, and recently<br />
they approved a new compliance position to<br />
enhance our program.<br />
GI: Would you recommend that your fellow compliance professionals seek CHC certification? If so, why? What did you do to become eligible for the CHC, and how did you prepare for the certification exam?
CG: I would certainly recommend that compliance professionals seek the CHC. As the government sends out more auditing groups, certification is going to become increasingly important, because CHC provides a comprehensive base for learning about compliance. Additionally, certification boosts credibility, not only for compliance professionals, but also for the organizations that employ them.
To be eligible for certification, a person must be an active compliance professional and meet the guidelines presented in the CHC handbook. Before deciding to work for certification, I became quite familiar with the HCCA website. The more familiar I became with the information on the website, the more I realized the value of CHC.
The certification exam was quite extensive. Before the test, I read everything available on the HCCA website; I scoured the Internet for information on compliance; I looked at federal OIG guidelines on health care compliance; and I brushed up on HIPAA information. I attended the academy the week before the test. Those attending the academy attended classes during the day, and continued to review and read the material on our own into the evenings. On the day before the test, we finished at noon and continued to study through the evening.
When you sit through that exam, and then finally learn that you have passed it, you can be proud. When I got that letter informing me that I passed the exam and earned certification, I was happy, proud, and relieved.
GI: Please tell us how compliance and quality are managed in your organization, since you are the Compliance and Quality Assurance Manager for McHenry County Mental Health Board.
CG: At the Mental Health Board, we have a strong Leadership Team that meets bi-weekly. During these meetings, we discuss risk issues, compliance issues, and set a course of action to resolve any problems that we have. If specific issues arise that require immediate action, those in the need to know are informed of the problem. Decisions are made and acted upon by the Leadership Team, which monitors the situation to ensure that the problem gets resolved.
Staff members come to me, as the compliance officer, with questions and concerns, and I confer with the deputy director, executive director, or legal counsel as needed for resolution. In addition, as the compliance officer, I do have access to the board of directors, and the executive director reports to the board on a monthly basis.
The McHenry County Mental Health Board is unique in that we provide coordination and access to services; we also fund agencies to provide treatment services. This means that we not only have to ensure that we are in compliance with all funding requirements, but we also have to be sure that our funded agencies comply with federal, state, and county funding requirements, including coordination of benefits. As Compliance Officer, I conduct internal as well as external audits. As a funder, the Mental Health Board has an obligation to the constituents of the county to ensure that quality services are provided.
GI: Do you believe the quality of health care in an organization is a compliance issue?
CG: I absolutely believe that quality of health care is a compliance issue. When I conduct audits of providers, I am very aware of the types of services provided, and the quality of care that is extended to the populations that are served. Many of our organizations utilize an outside firm to collect discharge satisfaction data, and when we receive a call that someone is dissatisfied, that information is followed up on immediately. I also receive calls from individuals who are unhappy with services they are receiving from providers. These complaints are documented and followed up on, and if need be, we bring the client and the team together to resolve the problem.
GI: What advice would you give to someone just starting out as a compliance professional and setting up a compliance program?
CG: The first bit of advice I would offer is to ask questions. Reach out to other compliance professionals in the specific field and seek their input. Know that one person does not have to reinvent the wheel. Others have developed policies and procedures, compliance programs, and risk management plans. Read as much information as possible and get linked up with e-newsletters and the federal OIG Public Affairs updates. Reading industry journals is critical. Another very important piece of advice is to maintain a sense of humor. Things come up; people make mistakes; and sometimes, it all happens at once. Take a deep breath and move on.
GI: Having an “effective” compliance program is critical for health care organizations. How would you define compliance effectiveness?
CG: An effective compliance program starts at the top. It acknowledges that events will occur, corrective action will take place, and both will be reported immediately as required. The compliance process requires careful and complete documentation every step of the way.
GI: What do you feel have been major challenges for the health care compliance industry? What do you believe will be the challenges for the future?
CG: The most recent challenges have included the new auditing bodies coming out of the federal government – ZPICs [Zone Program Integrity Contractors], RACs [Recovery Audit Contractors], MIPs [Medicaid Integrity Program contractors], and the lack of communication between the federal auditors and state programs. I don’t see things changing in the foreseeable future in this area. I do believe that more states will follow New York and Texas and develop state OIG programs.
The biggest challenges for the behavioral health care compliance industry – and the biggest vulnerabilities – are in documentation. About a year ago, the State of Illinois made significant changes in Illinois Medicaid Rule 132, and recently it made more changes. Health care workers are not confident that they are capturing everything that is required in their case notes.
Behavioral health care bills Medicaid using medical codes. Practicing the science of physical medicine is much more exact than working in behavioral health care. An x-ray verifies a broken arm, and a cast is part of the treatment. Healing generally takes place within a period of six weeks. Diagnosis and treatment of behavior health issues is much less black-and-white. It is much more difficult to define in medical terms the need to teach someone to balance a checkbook or to maneuver in a grocery store while hearing voices in their heads. Documentation is crucial. Treatments can be quite varied, and all treatments need to clearly relate to the diagnosis. Behavioral health care professionals not only need specialized training in their field, they also need continued training in meeting compliance requirements.
Providers in McHenry County are committed to quality and collaboration. For example, they recently committed to working with an independent national consultant hired by the Mental Health Board to receive additional training in federal and state compliance regulations.
GI: What tools does the McHenry County Mental Health Board have in place to help with compliance issues?
CG: Our compliance program includes open discussion of ethical dilemmas, questions, and concerns at monthly staff meetings, or if an employee prefers, privately with a supervisor. Difficult questions are encouraged. We strive for an environment in which people feel comfortable coming forth with their concerns. We have worked to create trust between coworkers.
Additionally, we provide regular compliance training during these monthly meetings, and we offer access to Webinars and teleconferences as they become available.
GI: How do you capture staff support for compliance?
CG: By creating an environment of trust. At the MHB, starting with the board of directors on down, issues of compliance are taken very seriously. Our leadership team is dedicated to an effective compliance plan that includes an open door to communication. We send out ongoing e-mail alerts that offer new information. We focus on doing the right thing rather than centering attention on what is wrong. We work hard to incorporate compliance in a manner in which people are not threatened, fostering an environment of openness.
GI: Is the board of directors trained in issues of compliance?
CG: We have developed training for the MHB Board of Directors as well as for the boards of our funded agencies. They attend conferences that offer a wealth of information and opportunities to network with people across the country. Members of our board of directors participate in our compliance committees, which include an ethics committee and a finance committee.
Contact Us!
www.hcca-info.org
info@hcca-info.org
Fax: 952/988-0146
HCCA
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Phone: 888/580-8373
To learn how to place an advertisement in Compliance Today, contact Margaret Dragon:
e-mail: margaret.dragon@hcca-info.org
phone: 781/593-4924
Social networking
Roy Snell
Many compliance professionals are frustrated by compliance industry articles, conferences, and books that speak in general terms because they don’t apply to their specific segment of healthcare compliance. One of the most common complaints I receive is “All I hear about is hospital compliance.” Many people want to network with people who are dealing with issues specific to their segment of health care compliance. There are many segments of health care compliance with unique issues, such as long-term care, hospitals, group practice, research, behavioral health, pharma, med device, quality of care, etc. Special interest groups cut across all segments, such as ethics, social responsibility, privacy, security, etc. Compliance professionals are clamoring to get together in special interest groups. What we need is an easy and affordable way to get that done. We now have it.
The Web is still in its infancy. Many benefits of the Web have yet to be realized. Buried in the morass of “features” or benefits of the Web are many emerging trends. One such trend is social networking. Social networking sites used by children have already exploded on the scene. Facebook can often be unprofessional and tawdry, but it is a sign of things to come for professionals. We have a great need to network more efficiently and effectively than we have in the past. Social networking software is about to explode on the scene for compliance professionals and the benefits are greater than you might expect.
We all use some form of social networking now. There are blogs, Wiki technology, list serves, document sharing, and much more. Social networking is uncoordinated, inefficient, limited, and not always easy to use. However, solutions now exist that incorporate all of these social networking features into one package.
Set up correctly, social networking software can have many benefits. These benefits allow special interest groups to communicate regularly and efficiently.
Benefits
• Improves communications
• Keeps people connected
• Facilitates networking to answer member questions and solve problems
• Saves time by sharing documents
• Promotes collaboration and community
• Professionally done social networking
• Significant control of who you want to have access to you
• Gives members the tools and lets them run them
• Unlimited number of ways to subdivide large groups of people in the compliance and ethics profession into “special interest groups”
The Health Care Compliance Association is implementing a social networking package that accomplishes all those benefits. There are seven integrated components. Within each component are multiple features. All of this is designed to solve the age-old desire for compliance professionals to network in special interest groups.
• Member Directory
  ◦ Name, address, photo, bio, communities of interest you belong to
  ◦ Certification(s) you have achieved
  ◦ Create your own personal networks
  ◦ Find people with similar certification, interests, or classes you jointly attended, job history, education
  ◦ Similar to, but more capable/professional than Facebook or LinkedIn
  ◦ Brings business networking online
  ◦ Members promote themselves online
  ◦ Members can start their own blog
• Forums
  ◦ Threaded discussion
  ◦ Permanent storage of previous discussions
  ◦ Searchable content
• Listserves
  ◦ User definable
  ◦ Can attach and “tag” documents (attach searchable key words)
  ◦ More readable e-mails
  ◦ Real time e-mail or daily summary
• Document Library
  ◦ Videos, photos, presentations, documents, pod casts, handouts, session recordings
  ◦ Can be “tagged” with keywords by anyone
  ◦ Link to contributor profile to assess credibility
• Glossary of terms with Wiki technology
Focus on Organizational Compliance Culture
Organizational compliance culture: What message is your board and senior management sending?
By Jeff Sinaiko
Editor’s note: Jeff Sinaiko is president of Sinaiko Healthcare Consulting, one of the nation’s leading independent healthcare management consulting firms. He works with healthcare organizations nationwide on a diverse range of compliance issues. For more information, please e-mail jeff@sinaikohc.com or go to www.sinaikohc.com.
This is not a test of the emergency broadcast system (it worked just fine in our recent earthquake, you will all be happy to know). But, I do interrupt this series of articles on lab compliance and auditing to address an issue that has been weighing heavily on my mind - compliance culture and its determinant impact on whether an organization can achieve compliance effectiveness.
In the July issue of Compliance Today, Scott Kelly wrote very capably on the subject of what compliance officers can do to maintain a culture of compliance in their organizations. I agree that compliance officers have a critical role in ensuring that a compliance program is executed, and that compliance culture must be fostered and reinforced by what occurs at the operating level every day. In my column this month, I want to build on that subject by addressing the issue of creating a culture of compliance, which can not be done by the compliance officers among us, and which experience indicates is the source of many organizations’ ongoing struggles with compliance.
Creating a compliance culture must have at its base the focus, example, sponsorship, and stewardship of the board and the most senior level executives within any organization. A clear message must be sent to every member of an organization through the tangible and identifiable actions of leadership: doing the right thing will inform all business conducted in the organization’s name.
The compliance community focuses heavily on the tactical – the what, how, and when to do the myriad of tasks required to achieve compliance effectiveness (present company included). I’ve come to believe, however, that all the specific activity executed under the aegis of the compliance program can not truly generate a compliant organization and a culture of compliance without this serious commitment and example set by the board and senior management.
Any organization ultimately reflects such examples and the priorities set, not just through words, but most of all, through actions. If the organization’s board and most senior management fail to set this example through their own actions, the message will be clear, regardless of anything the Compliance Office and officer do.
So, what specifically can be done on this level? First, determine what message is sent to the organization via the board and senior management in this regard. Ask yourself, for example, what your organization would do when a serious compliance issue is identified:
• What is the priority? If making budget, protecting a given physician relationship and/or limiting the cost of addressing the issue take precedence over diligently addressing the issue as the organization’s compliance officer or advisors may recommend, what message does that send?
• If the business people are allowed to establish the priorities for how the issue is addressed, perhaps even contrary to what the compliance officer knows to be the right way to address it, what message does that send?
• If the board and CEO (or other appropriate member of senior management) are not asking questions to assure themselves it is being handled appropriately, and are not involved in any of the discussions of resolution, how seriously is the organization really taking its compliance obligations?
I am not unrealistic as to economic mandates. We spend a huge amount of our time assisting clients to focus on and improve the critical elements of revenue capture and bottom-line performance. I am not suggesting that the organization has to spend money indiscriminately in order to be compliant, or that due diligence can not be applied in evaluating options. But, at the end of the day, the message sent by example must reflect the foundational principle that doing the right thing is the organization’s top priority. This is ultimately the only way to truly build a culture of compliance and, ultimately, to have an effective compliance program.
There are times when these various priorities may be at odds. What choice will your organization make?
Some concrete measures can be used as a basic evaluation of the board’s role in compliance. In 2004, the Federal Sentencing Guidelines (the source of the definition of current compliance programs) were revised to include specific functions of the board as a de facto eighth element of compliance programs. The
OIG and AHLA jointly published a terrific white paper on the subject, available on the OIG Website, which provides considerable concrete guidance for directors. Without going into all of them, some examples of such guidance and the implications include:
• The board must be responsible for assuring there is an effective compliance program. Are they?
• Is the board actively involved in creating and updating the organization’s Code of Conduct?
• The members must be educated and take responsibility for being educated on the subject. There is a difference between being independently educated on the organization’s compliance risks, risk assessment, and compliance program effectiveness, and passively enduring the occasional perfunctory update. One allows the board independently to fulfill their obligations as directors and ensure that a compliance culture is created and maintained by those responsible for doing so, the other does not. There are HCCA programs specifically for board members, for example. Are those attended?
• Has the board assured that the Compliance Office and officer are as independent as possible from both an organizational structure and a practical, day-to-day perspective?
• Has the board ensured that the compliance program has the resources it needs to meet its full obligations relative to the size and scope of the operation it is charged with protecting? Has the board and/or senior management ensured that a budget exists for compliance that allows for such resources, and that it is not in conflict with operations managers’ own budget goals? If the organization is a 400-physician medical group that has one coder in the Compliance department (not an uncommon finding) and does not use significant outside resources to supplement its efforts, can there really be a reasonable expectation that appropriate monitoring and resolution of the issues that will inevitably arise are occurring? What message is sent to all those involved who must know full well that the Compliance Office can not meet its obligations with insufficient resources?
So, if you are a board member or a member of the “C-suite” what message are you sending and what are you doing to establish a culture of compliance from the top?
We now return to our regularly scheduled programming.
Medicare’s medical necessity criteria: A mystery in the making
By: Lester J. Perling, Esq.
Editor’s Note: Lester J. Perling is a partner in Broad and Cassel in the Fort Lauderdale, Florida office. He is a board-certified health law attorney and author of the Medicare Claims Appeals Process Handbook, which is available at www.aspenpublishers.com. He can be reached at 954/764-7060 or by e-mail at lperling@broadandcassel.com.
Many of the claim determinations made by Medicare contractors on a day-to-day basis involve the application of national or local coverage determinations (NCDs or LCDs), statements of national or local policy that describe whether and under what circumstances Medicare will cover particular items and services. Because these policies are promulgated pursuant to strict statutory procedures and must be developed based on reliable scientific evidence, Medicare contractors’ decisions about coverage and medical necessity, made as a result of these policies, should in turn be the result of reliable scientific evidence. The existence of these policies is intended to provide for greater consistency in Medicare claim determinations, if not on a national scale, then at least at the local level.
But in cases where no NCD, LCD, or other formal written policy is applicable, contractors must make individual determinations based on the facts of the particular case. If these claims are appealed, adjudicators such as qualified independent contractors (QICs) and administrative law judges (ALJs) must also make determinations without the guidance of formal written policies. In contrast to the highly regulated process of promulgating formal policies like NCDs and LCDs, the process of making coverage and medical necessity determinations in the absence of formal policy is not governed by statute or regulation. What evidence can contractors and subsequent adjudicators rely on in making individual claim determinations in the absence of written policy? Of the significant amount of available medical and scientific evidence on any particular item or service, which evidence can adjudicators throughout the appeals process use to support decisions to either affirm or reverse the denial of a claim? Perhaps most importantly, how does Medicare ensure that the evidence ultimately used is reliable?
The answers to these questions have become particularly relevant of late as a result of a problematic trend in Medicare appeal determinations. Recently, Medicare appeal adjudicators have been relying on articles and information featured on Internet Websites as bases for denying Medicare coverage for health care items and services. For example, two recent QIC reconsideration notices referenced Internet links to information posted on www.audiologyonline.com, www.entlink.net, and www.vestibularmedicine.com, to support their denial of reimbursement for services. Interestingly, and perhaps supporting the point made in this article regarding the reliability (or lack thereof) of information posted online, two of the three web links referenced are either no longer accessible or temporarily unavailable.
One would think that Medicare would forbid contractors’ and adjudicators’ use of on-line medical or scientific evidence, not only because of its inherent unreliability, but also because of the lack of predictability in claim determinations created by contractors’ and appeal adjudicators’ use of such Websites. But Medicare rules do not appear to prohibit the practice. In fact, Medicare standards for contractors’ and appeal adjudicators’ coverage and medical necessity determinations in the absence of formal written policy are vague or non-existent.
Standards for determining coverage<br />
The Medicare Act confers on beneficiaries<br />
entitlement to a range of medical services<br />
defined only by broad categories. For<br />
example, Medicare Part A hospital insurance<br />
provides coverage for in-patient hospital<br />
services, hospice services, skilled nursing<br />
facility services, and some home health<br />
services. Medicare Part B covers physician’s<br />
services, diagnostic services, durable medical<br />
equipment, and a variety of other services not<br />
covered under the hospital insurance plan.<br />
The Medicare Act also sets forth certain statutory<br />
exclusions from coverage. For example,<br />
cosmetic procedures, custodial care, and<br />
dental care are never covered under Medicare.<br />
By far the most expansive statutory exclusion<br />
from coverage is the prohibition on “payment<br />
for items and services . . . not reasonable and<br />
necessary for the diagnosis or treatment of<br />
illness or injury or to improve the functioning<br />
of a malformed body member.” 1 Aside<br />
from the limited statutory exclusions just<br />
described, Congress did not define what is<br />
considered “not reasonable and necessary.”<br />
Instead, it vested authority in the Secretary<br />
of Health and Human Services to determine<br />
what is “medically necessary.” In turn, the<br />
Medicare Act authorizes the Secretary to enter<br />
into contracts with entities providing that<br />
the latter will determine whether a particular<br />
medical service is covered by Medicare, and<br />
if so, the amount of the reimbursable expense<br />
for that service. That is the role of Medicare<br />
contractors.<br />
Medicare has developed a complex system for<br />
developing coverage policies. Contractors first<br />
look to NCDs, which state whether Medicare<br />
will cover a particular item or service on a<br />
national basis, and often, the circumstances<br />
under which it will be covered. NCDs are<br />
binding on all Medicare contractors and<br />
on adjudicators throughout the Medicare<br />
appeals process. If no applicable NCD exists,<br />
Medicare contractors look to coverage provisions<br />
in Medicare’s interpretive manuals, or<br />
develop LCDs. LCDs serve the same purpose<br />
as NCDs, but apply only on a contractor-wide<br />
basis and do not have a binding effect<br />
on adjudicators in the claims appeals process,<br />
although adjudicators must give “substantial<br />
deference” to an LCD that applies in a<br />
particular case.<br />
Numerous rules exist regarding the development<br />
and promulgation of NCDs and LCDs.<br />
For example, LCDs must be based on “the<br />
strongest evidence available,” including<br />
clinical trials, scientific data, or the consensus<br />
of expert medical opinion. Similarly, NCDs<br />
must be supported by a compilation of objective<br />
clinical scientific evidence that measures<br />
the medical benefits of the item or service.<br />
These and other guidelines ensure that<br />
determinations based on NCDs and LCDs<br />
are supported by reliable evidence.<br />
In the absence of an NCD or LCD, or other<br />
formal written policy, a contractor may still<br />
make a determination on a claim, but must<br />
do so based on the individual’s particular<br />
factual situation. 2 In contrast to the numerous<br />
requirements and guidelines for the<br />
development of NCDs and LCDs, very little<br />
published guidance exists regarding the procedures<br />
a contractor must undertake or the<br />
evidence a contractor is authorized to use<br />
in making individual claim determinations.<br />
Medicare policies do, however, state that<br />
contractors may not make automated claim<br />
denials (i.e., computer-generated denials that<br />
involve no personal review) in the absence<br />
of a clear written policy such as an NCD or<br />
LCD. In addition, Medicare policies require<br />
that, in making individual claim determinations,<br />
contractors follow standard guidelines<br />
for determining that a service is reasonable<br />
and necessary. Those guidelines require that<br />
contractors conclude that a service is reasonable<br />
and necessary only when the item or<br />
service is:<br />
• Safe and effective;<br />
• Not experimental or investigational; and<br />
• Appropriate, including the duration and<br />
frequency that is considered appropriate<br />
for the service, in terms of whether it is:<br />
◦ Furnished in accordance with accepted<br />
standards of medical practice for the<br />
diagnosis or treatment of the patient’s<br />
condition or to improve the function of<br />
a malformed body member;<br />
◦ Furnished in a setting appropriate to<br />
the patient’s medical needs and condition;<br />
◦ Ordered and furnished by qualifying<br />
personnel;<br />
◦ One that meets, but does not exceed,<br />
the patient’s medical need; and<br />
◦ At least as beneficial as an existing and<br />
available medically appropriate alternative. 3<br />
There appear to be no guidelines that address<br />
how a contractor should determine when<br />
an item or service is “safe and effective,”<br />
“appropriate,” etc., and what evidence it is<br />
permitted to rely upon in order to come to<br />
that conclusion. This poses a problem for<br />
providers and suppliers, who benefit from<br />
anticipating which items and services receive<br />
Medicare coverage and which do not.<br />
The absence of NCDs and LCDs impacts not<br />
just a contractor’s initial determination on a<br />
claim. When claims initially adjudicated on<br />
a case-by-case basis are appealed, subsequent<br />
adjudicators will also make determinations<br />
without the aid of NCDs or LCDs. In those<br />
situations, Medicare guidance as to what<br />
evidence or authority those adjudicators may<br />
rely on is virtually nonexistent.<br />
Is no notice enough notice?<br />
Legal principles require that the government<br />
afford certain procedures (known as “due<br />
process”) before depriving individuals of<br />
important life, liberty, or property interests.<br />
Among those procedures is the right to<br />
receive adequate notice before the government<br />
undertakes to deprive an individual of<br />
one of these protected interests. Providers’<br />
and suppliers’ right to receive reimbursement<br />
from the Medicare program is arguably one of<br />
the important property interests to which the<br />
protections of due process apply, especially<br />
when providers or suppliers have already<br />
performed the services for which they are<br />
being denied payment. It is for this reason<br />
that Medicare and its contractors are subject<br />
to strict rules requiring that proposed NCDs<br />
and LCDs be published before they become<br />
effective.<br />
Notice of this sort should also be required in<br />
the case of individual claim determinations.<br />
Providers and suppliers have an important<br />
property interest at stake, that being their<br />
right to reimbursement by the Medicare program,<br />
at least for services which have already<br />
been performed. They should not be deprived<br />
of that right without adequate notice of the<br />
information and evidence a contractor will<br />
use in making coverage determinations.<br />
Adequate notice would allow providers and<br />
suppliers to make informed recommendations<br />
to beneficiaries and adjust their treatment<br />
options accordingly.<br />
Instead, it appears that Medicare contractors<br />
and adjudicators are systematically denying<br />
claim reimbursement to providers and<br />
suppliers, whose remuneration and benefits<br />
under the Medicare program will be affected,<br />
without adequate notice of the kinds of evidence<br />
they use to make those determinations.<br />
The notice problem is magnified when the<br />
type of authority contractors and adjudicators<br />
may use includes Internet Websites, because<br />
of the vast amount of information available<br />
on-line. It is unreasonable to charge providers<br />
and suppliers with a duty of knowing which<br />
information on what Websites Medicare<br />
will use to support its coverage and medical<br />
necessity determinations.<br />
Medicare’s vague or non-existent coverage and<br />
medical necessity standards and inadequate<br />
guidance in making individual claim determinations<br />
ultimately threaten providers’ and<br />
suppliers’ ability to practice and earn income.<br />
Without meaningful standards and useful,<br />
reliable, and consistent guidance, providers<br />
and suppliers are often left <strong>with</strong> no choice<br />
but to assume the risk of non-payment if a<br />
contractor or adjudicator deems the item or<br />
service not to be covered, or worse still, not<br />
furnish the item or service at all. Beneficiaries<br />
also have an interest in access to clear<br />
information regarding what the Medicare<br />
program will cover to foster confidence in<br />
the health care system and to allow informed<br />
decision-making on their part.<br />
Limitations on liability<br />
The Medicare Act provides financial relief to<br />
providers and suppliers by permitting Medicare<br />
to make payment for items and services<br />
for which Medicare payment would otherwise<br />
be denied in instances where the provider or<br />
supplier knew, or could reasonably have been<br />
expected to know, that the items or services<br />
were not covered. These rules are known<br />
as the “limitation on liability” provisions.<br />
Medicare contractors determine whether the<br />
provider or supplier had prior knowledge<br />
that services or items would likely be denied<br />
or whether knowledge reasonably could have<br />
been expected.<br />
Aside from having received notice from<br />
Medicare (in the form of either actual written<br />
notice to the provider or supplier, or manual<br />
instructions, bulletins, directives, etc.) that<br />
the same or similar items or services are<br />
not covered, the only other evidence of a<br />
provider’s or supplier’s fault that a contractor<br />
can consider is the provision of items<br />
and services in a manner “inconsistent with<br />
acceptable standards of practice in the local<br />
medical community.” Medicare policy states<br />
that “acceptable standards of practice in the<br />
medical community” are determined by<br />
looking to:<br />
published medical literature, a consensus<br />
of expert medical opinion, and consultations<br />
with their medical staff, medical<br />
associations, including local medical societies,<br />
and other health experts. “Published<br />
medical literature” refers generally to<br />
scientific data or research studies that have<br />
been published in peer-reviewed medical<br />
journals or other specialty journals that<br />
are well recognized by the medical profession,<br />
such as the New England Journal<br />
of Medicine and the Journal of the<br />
American Medical Association. 4<br />
Providers or suppliers who are found at fault<br />
under the limitation on liability provisions<br />
may appeal that determination. Those whose<br />
individual claims have been denied based<br />
on evidence from Internet Websites (in the<br />
absence of formal written policy) and who<br />
did not receive any other form of written<br />
notice from Medicare that the same or similar<br />
claims were not covered, may have a good<br />
argument that their fault determination<br />
should be reversed. In order to argue this successfully,<br />
the on-line information referenced<br />
in a contractor’s notice of decision cannot be<br />
material reprinted from a source which could<br />
be considered “published medical literature.”<br />
In addition, providers or suppliers should<br />
be prepared to present evidence, perhaps by<br />
medical associations or health experts, that<br />
the consensus of medical opinion and/or<br />
community standards do, in fact, support coverage of the items or<br />
services at issue.<br />
Conclusion<br />
Under the current system, Medicare is not prevented from infinitely<br />
expanding the sources of information upon which its contractors’<br />
and adjudicators’ individual claim determinations are based. The<br />
fact that Medicare appeal adjudicators have begun to use articles<br />
posted on Internet Websites as bases to support adverse claim<br />
determinations only reinforces that conclusion. Challenging this<br />
practice based on Medicare’s limitation on liability provisions may<br />
or may not prove successful. In any case, that would provide only<br />
a temporary fix. A permanent solution to this problem is needed.<br />
Medicare’s formal written policies delineate the type of medical<br />
and scientific evidence NCDs and LCDs may be based on. Similar<br />
guidance should be applicable to contractors’ individual claim<br />
determinations. This would prevent contractors from resorting to<br />
Internet Websites to support their claim determinations, a practice<br />
which is detrimental to providers, suppliers, and the Medicare<br />
system as a whole.<br />
1 42 U.S.C. § 1395y(a)(1)(A).<br />
2 See Heckler v. Ringer, 466 U.S. 602, 617 (1984) (acknowledging that the Secretary has discretion to either<br />
establish a generally applicable rule or allow claim adjudication on a case-by-case basis).<br />
3 Centers for Medicare and Medicaid Services, Medicare Program Integrity Manual (Pub. 100-08), Chapter<br />
13, §§ 13.3, 13.5.1.<br />
4 Centers for Medicare and Medicaid Services, Medicare Claims Processing Manual (Pub. 100-04), Chapter<br />
30, § 40.1.3.<br />
Be Sure to Get Your CHC CEUs<br />
Inserted in this issue of Compliance Today is a quiz related to<br />
the articles:<br />
• The 1-2-3s of claims sampling to resolve overpayment<br />
errors — By B. Bo Martin, page 32<br />
• Quality of care and compliance: Existing challenges and<br />
first steps for hospitals — By Cheryl L. Wagonhurst and<br />
Nathaniel M. Lacktman, page 46<br />
• Complying with the HIPAA Privacy Rule: What you need to<br />
know — By Rebecca C. Fayed, page 59<br />
To obtain your CEUs, take the quiz and print your name at the<br />
top of the form. Fax it to Liz Hergert at 952/988-0146, or mail<br />
it to Liz’s attention at HCCA, 6500 Barrie Road, Suite 250,<br />
Minneapolis, MN 55435. Questions? Please call Liz Hergert at<br />
888/580-8373.<br />
Compliance Today readers taking the CEU quiz have one<br />
year from the published date of the CEU article to submit<br />
their completed quiz.<br />
Exploring the question:<br />
Does this really make<br />
a compliance program<br />
“effective”?<br />
Editor’s note: Catherine Boerner is president<br />
of Boerner Consulting, LLC, a health care<br />
consulting firm in New Berlin, Wisconsin. Ms.<br />
Boerner was President of the HIPAA Collaborative<br />
of Wisconsin (HIPAA COW) for three years<br />
from 2005-2007 and helped revise the Hospital<br />
Payment Monitoring Program (HPMP)<br />
Compliance Workbook for the QIO community<br />
and acute-care PPS hospitals. She may be<br />
reached by telephone at 414/ 427-8263 or by<br />
e-mail at cboerner@boernerconsultingllc.com.<br />
From the US Sentencing Guidelines,<br />
the Office of the Inspector General<br />
(OIG) Guidance and Supplemental<br />
Compliance Program Guidance documents,<br />
American Health Lawyers Association<br />
(AHLA) and OIG resource documents as<br />
well as Corporate Integrity Agreements, I<br />
think we all have a pretty good idea what the<br />
government is looking for in a compliance<br />
program. The structures and processes outlined<br />
in these documents clearly show what<br />
is expected of the infrastructure of a compliance<br />
program, but still many people have<br />
questions, especially within organizations.<br />
Do all of these structures and processes really<br />
make the compliance program effective? If<br />
we have these structures and processes, what<br />
outcome measures can we look to in order<br />
to demonstrate that the structures and processes<br />
are working or are effective? And even<br />
if these structures and processes are working,<br />
based upon these outcome measures, is our<br />
compliance program, as a whole, really “effective”<br />
in detecting and preventing regulatory<br />
compliance risks?<br />
By Catherine Boerner, JD, CHC<br />
Compliance culture<br />
If you want to make the argument that you<br />
do not need all of the structures and processes<br />
(otherwise known as the seven elements)<br />
outlined in the OIG Supplemental Guidance<br />
to be “effective,” you would need to start by<br />
demonstrating that you have achieved some<br />
of the most important outcome measures of<br />
the compliance program, perhaps despite the<br />
lack of certain structures and processes.<br />
The most important outcome measures<br />
involve demonstrating that a strong culture<br />
of compliance has formed and is sustainable.<br />
This strong culture of compliance needs to be<br />
evident not only throughout the workforce,<br />
but especially at the management level. I<br />
think it is important to explore what a strong<br />
culture of compliance means and explore<br />
how you prove it to an external auditor or the<br />
government.<br />
Cultures can be difficult to measure as they<br />
evolve. I like to quote Roy Snell, CEO,<br />
HCCA, when he said, “Many people get into<br />
trouble more often because of the way they<br />
deal with or react to their mistakes, rather<br />
than for the mistakes themselves.” This speaks<br />
directly to culture. How does your organization<br />
respond to mistakes or issues that it<br />
becomes aware of? Many of you experience<br />
(even within a strong compliance culture)<br />
that as compliance issues get raised, a sense<br />
of urgency follows to investigate and bring<br />
the issue to resolution. However, you lose<br />
steam at the end of the process and weeks<br />
turn into months, and before you know it,<br />
six months have gone by without obtaining<br />
the corrective action and follow-up necessary<br />
to prevent it from happening again, let alone<br />
putting it on next year’s compliance work<br />
plan to monitor the resolution (if you have an<br />
annual work plan) or putting it on next year’s<br />
compliance audit plan to actually perform a<br />
follow-up audit (if you have an annual audit<br />
plan). Other priorities present themselves and<br />
if you don’t have the structure and process<br />
to track the issue in your compliance log<br />
and have a compliance committee follow its<br />
progress and receive updates, the outcome of<br />
concluding the investigation appropriately<br />
will not be achieved. Here I would argue that<br />
the structure and process of the reporting<br />
mechanism is part of an effective compliance<br />
program and will help improve the outcomes<br />
of consistently resolving the issues promptly<br />
and following up on corrective action.<br />
I have seen evidence of a strong compliance<br />
culture measured through employee survey<br />
results; however, behind the scenes, the<br />
compliance program infrastructure lacked the<br />
Compliance department or management proactively<br />
addressing compliance risks. Serious<br />
gaps were identified with sustaining compliance<br />
with the changing billing regulations. If<br />
key managers are not engaged or, more likely,<br />
do not have the support and/or budget within<br />
their department to keep up with regulatory<br />
change and risk, a compliance culture alone<br />
will not keep you out of trouble.<br />
Therefore, even with the compliance culture<br />
being a main goal, you would have to concede<br />
that without the structures and processes, it<br />
is very difficult to keep up with the changing<br />
regulatory environment and continue to focus<br />
upon and proactively mitigate compliance risks<br />
in the organization. So, I would argue that the<br />
compliance culture is really not enough, by<br />
itself, to demonstrate compliance.<br />
Effectiveness is the important link between<br />
the structure and process measures and<br />
the outcome measures. The more you can<br />
demonstrate that you have the structures<br />
and processes of the seven elements and that<br />
they are working by demonstrating outcome<br />
measures, the closer you are to arguing that<br />
you have an effective compliance program.<br />
Structure measures refer to how the elements<br />
of the compliance program are organized and<br />
the capacity of the organization to prevent<br />
and detect violations of law. Process measures<br />
refer to the manner in which the organization<br />
seeks to prevent and detect violations of<br />
law. Outcome measures refer to observable,<br />
measurable indications of preventing and<br />
detecting violations of law and creating a<br />
compliant culture. The compliance culture<br />
outcome measures can be tied directly into<br />
whether there is awareness of these structures<br />
and processes and how to use them. For<br />
example, you have the structure of a reporting<br />
mechanism, a hotline. You have a process to<br />
record in a compliance log concerns reported<br />
and take appropriate action, and from an<br />
employee survey you can demonstrate that<br />
90% of employees surveyed knew about the<br />
compliance reporting hotline. This demonstrates<br />
one of many links of the effectiveness<br />
of the reporting mechanism.<br />
I find it helpful to measure effectiveness by<br />
breaking the compliance program down into<br />
its elements and measuring the effectiveness<br />
of each element. For example, I have broken<br />
down the elements of a compliance program<br />
into the following phases:<br />
Phase I: Authorization<br />
Phase II: Code of Conduct<br />
Phase III: Policies and Procedures<br />
Phase IV: General Training Programs<br />
Phase V: Specialized Training Programs<br />
Phase VI: Reporting Mechanism<br />
Phase VII: Monitoring and Auditing<br />
Phase VIII: Response and Prevention<br />
Phase IX: Enforcement and Discipline<br />
Each phase has many structure, process, and<br />
outcome measures to help demonstrate the<br />
effectiveness of that element of the compliance<br />
program. This process makes it easy to<br />
determine areas of strength and weakness<br />
within the compliance program in more of an<br />
objective manner.<br />
Boerner Consulting, LLC, through its partnership<br />
with Mediregs, is using its effectiveness<br />
assessment, ComplyMark™, to also start<br />
scoring compliance programs in an effort to<br />
one day provide a benchmark. An example is<br />
provided below:<br />
Phase | Description | Structure | Process | Outcome | Score<br />
Phase I | Authorization | 22 of 28 | 6 of 6 | 12 of 14 | 40 of 48<br />
Phase II | Code of Conduct | 2 of 2 | 10 of 12 | 8 of 8 | 20 of 22<br />
Phase III | Policies and Procedures | 2 of 4 | 1 of 4 | 13 of 22 | 16 of 30<br />
Phase IV | General Training | 10 of 10 | 6 of 6 | 10 of 10 | 26 of 26<br />
Phase V | Specialized Training | 4 of 8 | 3 of 12 | 4 of 6 | 11 of 26<br />
Phase VI | Reporting Mechanisms | 3 of 4 | 4 of 6 | 18 of 18 | 25 of 28<br />
Phase VII | Monitoring and Auditing | 5 of 12 | 10 of 16 | 8 of 8 | 23 of 36<br />
Phase VIII | Response and Prevention | 2 of 2 | 5 of 10 | 6 of 8 | 13 of 20<br />
Phase IX | Enforcement and Discipline | 2 of 2 | 4 of 4 | 9 of 10 | 15 of 16<br />
Overall Score | | 52 of 72 | 49 of 76 | 88 of 104 | 189 of 252<br />
This heatmap can help you see that you may<br />
have acceptable structures and outcomes, but<br />
if your processes are weak, it may be difficult<br />
to sustain the outcomes of your compliance<br />
program over time. It can also help you<br />
demonstrate results in areas of your program<br />
where you have been focusing your efforts<br />
and how to further obtain balance in your<br />
compliance program.<br />
Regulatory risks<br />
In discussing the effectiveness of the<br />
structures and processes of your compliance<br />
program tied to outcome measures, you may<br />
be wondering: What if, despite our compliance<br />
program infrastructure, we don’t discover<br />
our lack of compliance with an important<br />
regulation? Does an “effective” compliance<br />
program mean you are in compliance with<br />
every regulation? Are there certain regulations<br />
that mean your compliance program should<br />
be deemed not “effective” if you find out you<br />
are not complying with them?<br />
This leads you back to: What are the<br />
structures and processes you can point to in<br />
order to demonstrate that you have reacted<br />
appropriately to regulatory compliance<br />
concerns reported, conducted investigation,<br />
taken corrective action, etc.?<br />
Also, what are the structures and processes<br />
you can point to in order to demonstrate that<br />
you have been proactive in trying to address<br />
regulatory risk by performing an annual risk<br />
assessment based upon the OIG Work Plan,<br />
Conditions of Participation, etc., prioritizing<br />
areas to monitor and audit each year, and<br />
completing such activities?<br />
In conclusion, this is not about being<br />
perfect. This is about having the structures<br />
and processes in place to proactively address<br />
on-going regulatory risks and react and<br />
respond appropriately to reported concerns of<br />
potential non-compliance.<br />
The Compliance<br />
Professional’s Certification<br />
The Compliance Certification Board (CCB) compliance<br />
certification examination is available in all 50 states. Join your<br />
peers and become Certified in Healthcare Compliance (CHC).<br />
CHC certification benefits:<br />
• Enhances the credibility of the<br />
compliance practitioner<br />
• Enhances the credibility of the<br />
compliance programs staffed by<br />
these certified professionals<br />
• Assures that each certified<br />
compliance practitioner has the<br />
broad knowledge base necessary to<br />
perform the compliance function<br />
• Establishes professional standards<br />
and status for compliance<br />
professionals<br />
• Facilitates compliance work for<br />
compliance practitioners in dealing<br />
with other professionals in the<br />
industry, such as physicians and<br />
attorneys<br />
• Demonstrates the hard work and<br />
dedication necessary to perform the<br />
compliance task<br />
Since June 26, 2000, when CHC<br />
certification became available, hundreds of<br />
your colleagues have become Certified in<br />
Healthcare Compliance. Linda Wolverton,<br />
CHC, says she sought CHC certification<br />
because “many knowledgeable people work<br />
in compliance and I wanted my peers to<br />
recognize me as one of their own.”<br />
For more information about CHC<br />
certification, please call 888/580-8373,<br />
e-mail ccb@hcca-info.org or click on the<br />
CCB Certification button on the HCCA<br />
Web site at www.hcca-info.org.<br />
Congratulations on achieving<br />
CHC status! The Compliance<br />
Certification Board announces<br />
that the following individuals have<br />
recently successfully completed the<br />
Certified in Healthcare Compliance<br />
examination, earning CHC<br />
designation:<br />
Catherine M. Duffy<br />
Carol A. Kriebel<br />
Marshall Vernon Preddy<br />
Beth-Ann Nmn Saul<br />
Amy Katherine Terrell<br />
CHC-F<br />
Debbie Troklus<br />
Steve Ortquist<br />
Shawn DeGroot<br />
Rita Scichilone<br />
Christine Bachrach<br />
Sheryl Vacca<br />
Marti Arvin<br />
John Falcetano<br />
Certification – the<br />
recognized mark of a<br />
professional<br />
By Margaret Dragon<br />
Editor’s note: Margaret Dragon is Director of<br />
Communication for the Society of Corporate<br />
Compliance and the Health Care Compliance<br />
Association. She may be reached by e-mail at<br />
margaret.dragon@corporatecompliance.org or by<br />
telephone at 781/593-4924.<br />
Why go through the preparation and process<br />
of becoming certified? Why do so many<br />
employers prefer certification when hiring<br />
Compliance department staff? What value<br />
does certification hold for the compliance<br />
and ethics professional? Compliance Today<br />
asked a number of compliance and ethics<br />
professionals these and other questions about<br />
compliance and ethics certification, and here<br />
are the results.<br />
Employers take notice<br />
It is common knowledge that certification<br />
indicates a certain level of competency in a<br />
specific profession, so it is no surprise that,<br />
more and more, compliance certification<br />
is becoming preferred or even required.<br />
According to Compliance Certification Board<br />
(CCB) President Debbie Troklus, CHC-F,<br />
“Employers believe compliance and ethics<br />
professionals, who have taken the time to<br />
obtain certification, demonstrate a high level<br />
of knowledge in the field and dedication to<br />
the profession.”<br />
Professional certification provides employers<br />
with “assurance of competency and also<br />
demonstrates a personal commitment to<br />
excellence,” explains Rita Scichilone, MHSA,<br />
RHIA, CCS, CCS-P, CHC-F, Director,<br />
Practice Leadership with the American Health<br />
Information Management Association.<br />
With an increasingly competitive workforce,<br />
employers can require, and are requiring, professional<br />
credentials, explains Scichilone. “Some<br />
employers may widen their search by listing<br />
a compliance position as CHC [Certified in<br />
Healthcare Compliance] or CCEP [Certified<br />
Compliance and Ethics Professional]<br />
preferred, since it can be a negotiation factor<br />
for the right individual,” said Scichilone.<br />
“Compliance certification lends credibility to<br />
the candidate,” adds Troklus.<br />
Compliance and ethics professional Shawn<br />
DeGroot, CHC-F, CCEP, Vice President of<br />
Corporate Responsibility for Regional Health<br />
in Rapid City, South Dakota, points out that<br />
during her interview with Regional Health<br />
Board of Directors, the compliance credential<br />
“relayed the point that I was personally and<br />
professionally motivated to continue to learn<br />
and improve.” DeGroot says that she requires<br />
compliance certification for the Director<br />
position [at Regional Health] or [requires]<br />
that he/she “attain the credential within two<br />
years.”<br />
Survey confirms trend<br />
Recent survey results agree with Scichilone<br />
and DeGroot. According to a national survey<br />
conducted by the Health Care Compliance<br />
Association (HCCA) in 2008, the compliance<br />
certification requirement has steadily<br />
increased since it first began tracking this<br />
information in 2006. For example, the 2008<br />
survey indicated that 21% of the respondents<br />
require Assistant Compliance Officers be<br />
CHC, up from 17% in 2006; during that<br />
same time, the certification requirement for<br />
Compliance Generalists increased by 7%.<br />
The survey also indicates a 6% increase for<br />
the compliance certification requirement for<br />
attorneys. (Survey results are available on the<br />
HCCA website at www.hcca-info.org under<br />
the “Compliance Info” tab).<br />
John Falcetano, CCEP, CHC, CHC-F,<br />
CHRC, CIA, Chief Audit & Compliance<br />
Officer for the University Health Systems of<br />
Eastern Carolina, says he prefers certification<br />
when hiring Compliance department staff.<br />
“I have worked with my staff and encourage<br />
them to become certified. In fact, one of my<br />
staff just completed the Research Academy in<br />
June 2008 and became Certified in Healthcare<br />
Research Compliance (CHRC).”<br />
Heightened credibility<br />
Employers are hiring certified compliance and<br />
ethics professionals. “The credential provides<br />
increased credibility in the industry on both<br />
the individual and organizational levels,” says<br />
Robert Lesser, Deputy Director, McHenry<br />
County Mental Health Board, in Crystal<br />
Lake, Illinois. “Having a credentialed staff<br />
demonstrates that both the individual and the<br />
organization are committed to ensuring that<br />
they will be meeting the required standards,<br />
whether they relate to financial, clinical,<br />
legal, or licensure requirements,” he added.<br />
Lesser suggests that having a certified compliance<br />
officer “facilitates confidence in the<br />
minds of monitoring entities. The regulators<br />
who monitor know that their monitoring<br />
activities will likely occur with greater ease,<br />
because of the increased likelihood of finding<br />
record keeping performed in a manner that<br />
facilitates easier review and accuracy.”<br />
Compliance certification is a job requirement<br />
and it “was a factor in the decision to interview<br />
me for the job,” said Danna Teicheira,<br />
CHC, CCEP, Compliance Specialist/Privacy<br />
Continued on page 88<br />
The 1-2-3s of claims<br />
sampling to resolve<br />
overpayment errors<br />
By B. Bo Martin, PhD<br />
Editor’s note: B. Bo Martin is Associate Director<br />
with Navigant Consulting. He may be reached<br />
by telephone in Chicago at 312/583-6921 or by<br />
e-mail at bmartin@navigantconsulting.com.<br />
Sampling claims to resolve overpayment<br />
errors is now a common practice<br />
in the health care industry. The<br />
measurement of error rates and the quantification<br />
of overpayments no longer require that<br />
every potential error be reviewed. It is also, in<br />
some ways, a practice unique to this industry.<br />
Many health care providers routinely rely on<br />
claims sampling to test for potential errors<br />
and to quantify overpayments that they have<br />
received from government payers in order to<br />
self-disclose these errors. 1<br />
Claims sampling adds rigor and scientific<br />
validity to a health care provider’s compliance<br />
program. This article assesses when claims<br />
sampling can be most helpful and outlines<br />
the major considerations in implementing a<br />
claims sampling process.<br />
Why sample?<br />
Before initiating claims sampling, it is critical<br />
to address certain questions that concern the<br />
overall process: Why use claims sampling<br />
instead of a review of an entire claims<br />
population? If sampling is preferred, why<br />
are the results acceptable as representative<br />
in measuring an error rate and quantifying<br />
an overpayment for the entire population?<br />
The answer to the first question is practical:<br />
sampling should be used when it is more<br />
cost-effective, quicker, or less disruptive,<br />
and still sufficiently precise for resolving an<br />
investigation or dispute concerning overpayment<br />
errors.<br />
The answer to the second question, about<br />
accepting a claims sample as representative<br />
for a population, concerns two statistical<br />
principles: bias and precision. The method<br />
of randomly drawing a claims sample helps<br />
to prevent the introduction of biases into the<br />
final results. Random sampling removes the<br />
proverbial “hand on the scales”—either as<br />
too light or too heavy—for the measurement<br />
and quantification by those conducting the<br />
review. Furthermore, the larger the sample<br />
size, the greater the sample’s precision for<br />
measuring an error rate and quantifying an<br />
overpayment in the population. (We will<br />
explore the determination of sample size in<br />
the next section.)<br />
After a claims sampling process is completed,<br />
other critical questions may arise about the<br />
details in the process. Unfortunately, a flaw<br />
in one step in the process can impact the<br />
scientific validity of any final measurement or<br />
quantification for a population. It is therefore<br />
important to have a comprehensive plan<br />
from the outset that can address practical<br />
issues when they arise, because addressing<br />
them later may not be possible. Several steps<br />
should be considered in developing a claims<br />
sampling plan.<br />
How to sample<br />
A health care provider should generally follow<br />
certain major steps for sampling claims to<br />
resolve payment errors. These steps should<br />
also be assessed when other parties (e.g.,<br />
Recovery Audit Contractors or other payer<br />
agents) present their allegations and quantifications<br />
of significant overpayment errors.<br />
Other parties should be held to the same<br />
minimum standard of rigor and scientific<br />
validity as health care providers.<br />
There are six major steps or milestones in<br />
the overall process for claims sampling, and<br />
critical considerations within these steps. The<br />
following practical observations and relevant<br />
case examples are not meant to be all-inclusive,<br />
but rather alert the reader to the types of<br />
questions that should be asked and answered<br />
as fully as possible in advance. Claims<br />
sampling will never be a strictly cookie-cutter<br />
process in which the same actions are taken<br />
and the same formulas are used. It is essential<br />
to document the questions and answers that<br />
occur during a specific sampling exercise.<br />
Much of scientific validity is based on the<br />
ability to re-create the process at each step.<br />
Step 1: Define the potential error<br />
This first step of defining the potential error<br />
that led to a potential overpayment has the<br />
important effect of regulating all of the subsequent<br />
steps. It can become very difficult to<br />
quantify an error from the collected, sampled,<br />
and analyzed data if the error was not defined<br />
at the beginning. This definition can be based<br />
on non-statistical observations about how a<br />
health care provider’s operations may cause<br />
errors in claims and lead to corresponding<br />
overpayments. Conversely, it can be misrepresentative<br />
to quantify overpayments from<br />
sampled claims for a potential error that has<br />
no other reasonable indication of occurring.<br />
For example, consider the current issue of<br />
potential errors in one-day stay admissions.<br />
Not every one-day stay admission needs to<br />
be reviewed in order to measure the rate at<br />
which some stays were admitted in error.<br />
Instead, sampling a portion of claims may<br />
suffice. This potential error can be considered<br />
broadly (i.e., for all one-day stay admissions<br />
at a hospital) or narrowly (i.e., for one-day<br />
stay admissions only for a certain type of<br />
care). Both have advantages in terms of<br />
measuring an error rate and quantifying<br />
overpayments. Yet, if this potential error is<br />
defined broadly, it might be difficult later to<br />
confirm common root-causes for stays that<br />
were incorrectly coded as an admission. If<br />
this potential error is defined narrowly for<br />
a certain type of care, it will be improper<br />
to later extrapolate the sample results to all<br />
admissions at a hospital.<br />
Step 2: Create sampling units and a<br />
sampling frame<br />
Sampling units and a sampling frame are<br />
technical terms that should be easy to define<br />
in any review. A sampling unit is what will<br />
be individually reviewed (e.g., a one-day stay<br />
admission that may be in error). A sampling<br />
frame is an “enumerated listing” of all the<br />
sampling units for the review (i.e., a listing<br />
of all one-day stay admissions with each<br />
assigned a unique and identifying number).<br />
A sampling frame can be as simple as a<br />
spreadsheet with each claim listed in its own<br />
row and with its identifying number.<br />
A sampling frame should be validated against<br />
contemporaneous reports. For example, if a<br />
review defined errors in overpayments only<br />
for one-day stay admissions for pneumonia<br />
cases during a certain year, then the number<br />
of units in the sampling frame should be<br />
validated to the number of admissions that<br />
had been recorded for this type of case during<br />
that year. This validation helps to establish the<br />
reasonableness of the final extrapolation of<br />
the sample results to a certain population.<br />
Step 3: Randomly draw and analyze a<br />
probe sample<br />
RAT-STAT statistical software, freely available<br />
from the OIG, 2 is very helpful for randomly<br />
drawing samples, calculating a full sample<br />
size, and extrapolating sample results for a<br />
population.<br />
A probe sample has a relatively small size,<br />
typically 30 to 50 sampling units. The<br />
analysis of the probe sample will enable the<br />
reviewer to roughly measure the error rate<br />
and roughly quantify the overpayments. Neither<br />
this measurement nor the quantification<br />
will be sufficient to report final results about<br />
a population. Rather, the analysis of a probe<br />
sample can be a decision-point for continuing<br />
or stopping the review.<br />
If the error rate or average overpayment is de<br />
minimis in the probe sample, then it might<br />
be considered very unlikely for the population’s<br />
error rate or total overpayments to be<br />
sufficiently large to merit reporting. Even by<br />
this step, the beneficial (and, hopefully, not<br />
frustrating) consequences of defining the<br />
potential error in overpayments will be fully<br />
apparent to the reviewer.<br />
Step 4: Calculate the size for a full sample<br />
Several factors are used to calculate the size<br />
for a full sample. The reviewer must choose a<br />
desired confidence level and desired precision,<br />
and the probe sample can provide the<br />
roughly estimated variation with respect to<br />
the error rate and the overpayments among<br />
the sampling units in the sampling frame.<br />
The greater the desired confidence level, the<br />
greater the desired precision, or the greater<br />
the variation among the sampling units, then<br />
the larger the full sample will be. Precision<br />
is occasionally expressed only as a precision<br />
percentage during this step. The precision<br />
percentage is the width of the confidence<br />
interval divided by the rate or average. This<br />
can be confusing, because a smaller value<br />
implies greater precision.<br />
The following question is often asked about<br />
the necessary size for a full sample: How small<br />
is still big enough? Abraham Lincoln was<br />
reportedly once asked how long a person’s legs<br />
needed to be in order for the person to be a<br />
strong leader. His response was that the person’s<br />
legs needed to be long enough to reach<br />
the ground. Analogously, the size for a full<br />
sample will be large enough for the desired<br />
confidence level, the desired precision, and<br />
the variation among the sampling units. If an<br />
initially calculated sample size is considered<br />
to be too big for practical reasons, then it<br />
can only become smaller if the requirements<br />
for the desired confidence level or desired<br />
precision are diminished.<br />
In the example of a review of one-day stay<br />
admissions, overpayments among one-day<br />
stay admissions for pneumonia cases may<br />
have less variation than the overpayments<br />
among all one-day stay admissions. The<br />
sample size for a review of one-day stay<br />
admissions for pneumonia would, therefore,<br />
be smaller. As an aside that appears almost<br />
paradoxical, the size of the population has a<br />
rapidly diminishing effect on this calculation<br />
the larger that the population becomes.<br />
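The Step 3 random draw and the Step 4 calculation, worked through as an added example (it is not from the article and is not RAT-STAT's own code): it sizes a full sample for the average overpayment using the standard simple-random-sampling formula with a finite population correction. The probe values, frame sizes and function names are constructed for illustration, and "precision percentage" is assumed to mean the full interval width divided by the probe average, following the article's wording.

```python
"""Probe-sample draw and full-sample sizing (illustrative, constructed data)."""
import math
import random
from statistics import NormalDist, mean, stdev


def draw_probe(frame_size, probe_size, seed):
    """Randomly draw unit numbers from an enumerated sampling frame 1..frame_size.

    Recording the seed with the review file lets the draw be re-created later.
    """
    if not 0 < probe_size <= frame_size:
        raise ValueError("probe_size must be between 1 and frame_size")
    rng = random.Random(seed)
    return sorted(rng.sample(range(1, frame_size + 1), probe_size))


def full_sample_size(probe_values, frame_size, confidence, precision_pct):
    """Estimate the full sample size for the average overpayment per unit.

    probe_values  : overpayment found on each probe unit (0 where no error)
    frame_size    : number of sampling units in the frame
    confidence    : desired two-sided confidence level, e.g. 0.90
    precision_pct : desired (interval width / average), e.g. 0.20
                    (assumption: full width, as the article words it)
    """
    if len(probe_values) < 2:
        raise ValueError("need at least two probe units to estimate variation")
    if not 0 < confidence < 1 or precision_pct <= 0:
        raise ValueError("confidence must be in (0, 1) and precision_pct > 0")

    avg = mean(probe_values)
    if avg == 0:
        raise ValueError("probe found no overpayment; nothing to size")
    sd = stdev(probe_values)  # rough variation estimate from the probe

    # z-score for the two-sided confidence level (normal approximation).
    z = NormalDist().inv_cdf(0.5 + confidence / 2)

    # Half-width of the interval implied by the precision percentage.
    half_width = precision_pct * abs(avg) / 2

    # Size needed if the frame were unlimited.
    n0 = (z * sd / half_width) ** 2

    # Finite population correction: the frame size matters less and less
    # as the frame grows.
    n = n0 / (1 + (n0 - 1) / frame_size)

    # Never fewer than the probe already reviewed, never more than the frame.
    return min(frame_size, max(len(probe_values), math.ceil(n)))


if __name__ == "__main__":
    # Constructed example: a frame of 2,000 one-day stay admissions.
    units = draw_probe(frame_size=2000, probe_size=30, seed=2008)
    print("probe units to review:", units)

    # Constructed probe results: overpayment in dollars per reviewed unit.
    probe = [50.0, 150.0] * 15

    for level, pct in [(0.90, 0.20), (0.95, 0.20), (0.90, 0.10)]:
        size = full_sample_size(probe, 2000, level, pct)
        print(f"confidence {level:.0%}, precision {pct:.0%}: n = {size}")

    # Same requirements, growing frame: the required size levels off.
    for frame in (500, 2000, 100_000, 10**9):
        print(f"frame {frame:>13,}: n = {full_sample_size(probe, frame, 0.90, 0.20)}")
```

Sizing for the error rate rather than the average overpayment uses the same structure with the probe's error proportion in place of the average and its binomial variation in place of the standard deviation.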
Step 5: Randomly draw and analyze a full<br />
sample<br />
By step 5, most of the statistical criteria<br />
underlying the scientific validity of the claims<br />
sampling process have been completed. Put<br />
another way, planning for all of the prior<br />
steps is essential to avoid regrets as considerably<br />
more information about the error rate<br />
and overpayments is learned by the analysis of<br />
a large number of sampling units at this stage.<br />
A full sample can be used to measure the<br />
error rate and quantify the overpayments<br />
for a population. This may be done by a<br />
straightforward process of extrapolation – the<br />
Continued on page 69<br />
Innovative Services.<br />
Delivering Solutions.<br />
Meade & Roach, LLP is dedicated to delivering health care regulatory<br />
compliance solutions. We have earned a reputation for providing hands-on<br />
solutions to complex compliance needs. We not only understand the law,<br />
we understand our clients. Together with our affiliate, Aegis Compliance &<br />
Ethics Center, LLP, our firms are dedicated to health care compliance.<br />
Our clients represent a broad array of health care organizations, from<br />
academic medical centers to hospital systems to stand-alone specialty<br />
facilities as well as large physician practice groups and public health<br />
organizations.<br />
• Medicare/Medicaid Compliance<br />
• Clinical Research Compliance<br />
• Fraud & Abuse/Stark Analysis<br />
• Voluntary Disclosure Representation<br />
• Compliance Training & Education<br />
• HIPAA Privacy & Security<br />
• Corporate Compliance Program Effectiveness Reviews<br />
• Internal Investigations<br />
• Compliance Auditing & Monitoring<br />
For more information, contact one of our partners listed below or visit<br />
meaderoach.com.<br />
Ryan Meade • 312.498.7004 • rmeade@meaderoach.com<br />
Michael Roach • 312.286.4501 • mroach@meaderoach.com<br />
Steve Ortquist • 312.285.4850 • sortquist@meaderoach.com
Introducing Compliance & Ethics Social Networking ...continued from page 9<br />
network or maybe just a daily digest), and<br />
then click “save.” Your e-mail address is never<br />
shared with other users, unless you send it to<br />
them directly.<br />
After that, you’ll be notified, based on your<br />
communications preferences, whenever something<br />
new is posted. You can stay abreast of<br />
how people are handling issues, or better yet,<br />
get into the discussion yourself.<br />
And, posting your own question is easy. Just<br />
fill out the simple, online form and your<br />
question goes out to members of the e-group.<br />
What if there isn’t a group that meets your<br />
needs? You can easily create a new group.<br />
Just make sure it’s a broad enough topic so<br />
that there are lots of others who share your<br />
challenge. For example, compliance with a<br />
specific issue posed by one state is probably<br />
too narrow, but dealing with a law that has<br />
national or global impact is highly worthwhile.<br />
To make it easier for you to connect with<br />
others in the ethics and compliance community,<br />
be sure also to fill out your personal<br />
profile while you are on the site. You can list<br />
past job experience and areas of interest and<br />
expertise. That way, when you reach out with<br />
a question, other users will be better able to<br />
respond to your needs. And, the more people<br />
fill out their profiles, the easier it will be for<br />
you to find someone with the expertise you<br />
need to answer your questions. You might<br />
also want to keep in touch with people you<br />
met at a Compliance Academy, the Compliance<br />
Institute, or other training.<br />
While you are on the site, be sure to check<br />
out the document library, where you will<br />
find more than 2,000 documents to draw<br />
upon to help improve the effectiveness of<br />
your program. The information you need will<br />
be at your fingertips, so you won’t have to<br />
reinvent the wheel when writing a new policy<br />
or regulation.<br />
Over the next few months, we’ll be turning<br />
on additional functionality, such as the ability<br />
to create your own blog. All of this gives you<br />
more value from your HCCA membership<br />
and helps you collaborate with your peers.<br />
Getting started with the Compliance &<br />
Ethics Social Network is easy. Just come to<br />
www.hcca-info.org, click on Network, and<br />
start exploring. Once you’ve had a chance<br />
to look around, we welcome your feedback and<br />
insights for improving the site. If you are<br />
having difficulties with the site, please don’t<br />
hesitate to ask for assistance!<br />
Improving<br />
competitiveness and<br />
compliance through<br />
agent/broker online<br />
training<br />
By Susan Mollet and Martha Braunstein<br />
Editor’s note: Susan Mollet is an MMA Unit<br />
Manager at Health Care Services Corporation<br />
in Chicago. She may be reached by telephone at<br />
312/819-1627.<br />
Martha Braunstein is a Health Care Practice<br />
Leader at Kaplan EduNeering in Princeton,<br />
NJ. She may be reached by telephone at<br />
609/627-5300.<br />
When it was introduced, the<br />
Medicare prescription drug benefit<br />
was heralded as the most significant<br />
government-sponsored health benefit<br />
since the start of the Medicare program. For<br />
those of us in the health insurance industry,<br />
the new program represented both a business<br />
opportunity and a pathway to expanding the<br />
way in which we could fulfill our primary<br />
commitment to providing critical health care<br />
coverage to millions of Americans.<br />
During the three years since the program’s<br />
inception, the Centers for Medicare and<br />
Medicaid (CMS) has revised its compliance<br />
requirements and begun publishing audit<br />
findings on its website. These findings have<br />
driven changes in the regulatory environment,<br />
including a strong focus on the training of<br />
downstream entities, specifically the brokers<br />
and agents who sell Medicare Advantage,<br />
Medicare Advantage prescription drug plans<br />
(MAPD), and stand-alone prescription drug<br />
plans (PDPs).<br />
Compliance training responsibilities<br />
In its Draft 2009 Call Letter, CMS repeated<br />
its compliance expectations for MAPD and<br />
PDP plans, saying “…we remind organizations<br />
that they are responsible for the actions<br />
and sales agents/brokers, whether they are<br />
employee or contracted.” In the same call letter,<br />
CMS stated, “Organizations must ensure<br />
agents/brokers are properly trained in both<br />
Medicare requirements and the details of the<br />
products being offered.” New regulations<br />
clarified and expanded health plan responsibilities<br />
related to agent and broker training.<br />
With the addition of the new requirements,<br />
both MAPD and PDP plans must comply<br />
with the compliance regulations for brokers<br />
and agents including:<br />
• Effective training, education, and lines of<br />
communication between their compliance<br />
officers and all of their first-tier, downstream,<br />
and related entities, including<br />
brokers and agents regardless of whether<br />
they are employees or subcontractors;<br />
• Appropriate oversight when compliance<br />
training requirements are delegated to<br />
outside parties, with sponsors expected to<br />
have training logs and copies of attestations<br />
from first-tier, downstream, or related entities<br />
about compliance with the training and<br />
education requirements. Sections 422.2 and<br />
423.4 define downstream entities to include<br />
(but not be limited to) pharmacy benefit<br />
managers, mail-order pharmacies, retail<br />
pharmacies, firms providing agent/broker<br />
services, agents, brokers, marketing firms,<br />
and call center firms;<br />
• A January 1, 2009 deadline that all<br />
elements of the compliance plan must<br />
include measures to detect, correct, and<br />
prevent fraud, waste, and abuse (FWA);<br />
• A January 1, 2009 deadline that all<br />
compliance plans must include voluntary<br />
self-reporting procedures for potential<br />
fraud and abuse;<br />
• Voluntary self-reporting procedures for<br />
potential fraud and misconduct, with self-reports<br />
going to CMS or its designee;<br />
• MAPDs and PDPs must assure that<br />
brokers and agents pass a written test with<br />
a minimum score of 80% and must report<br />
to states that they are using brokers and<br />
agents consistent with state licensing<br />
requirements.<br />
Compliance and business<br />
Inevitably, regulatory compliance must be<br />
achieved regardless of economic or market<br />
conditions, but today’s MAPD and PDP<br />
health plans face particular challenges to ensure<br />
that brokers and agents are properly trained in<br />
Medicare requirements and the details of each<br />
product being offered. First, health plans are<br />
turning to brokers with networks of hundreds<br />
or thousands of dispersed agents, some who<br />
are employed by the brokerage agency and<br />
others who are subcontracted or sell policies<br />
on a freelance basis. Until now, the plan had<br />
no need to communicate directly with those<br />
individual agents.<br />
Second, this dispersion of agents, together with an<br />
agent turnover rate of about 20% caused<br />
by intense competition for qualified sales<br />
personnel, creates growing opportunities for<br />
non-compliance and increases the difficulty of<br />
tracking agents authorized to sell an organization’s<br />
health plans. Equally significant for<br />
training professionals committed to ensuring<br />
comprehension of the subject matter, agents<br />
who typically sell multiple plans or change<br />
agencies have become increasingly resistant<br />
to “another compliance training program.”<br />
Absent guidance from CMS, agents may be<br />
required to take several compliance-mandated<br />
training courses that have not always been<br />
inspiring.<br />
The final complicating factors are the market<br />
and the need for all companies to be efficient<br />
and cost-effective in their operations. Competition<br />
among health plans to retain current<br />
members and attract new members will only<br />
increase as the pool of unaffiliated Medicare<br />
beneficiaries decreases. In order for health<br />
plans to comply with regulations and budgets,<br />
training has to produce demonstrable<br />
cost, compliance, and learning results beyond<br />
merely achieving regulatory requirements.<br />
The MAPD and PDP compliance training<br />
program at Health Care Services Corporation<br />
(HCSC) is achieving all three objectives.<br />
• Comply with CMS requirements for<br />
broker and agent training, ensuring that<br />
all agents were trained and that all broker<br />
agencies agreed to HCSC’s business<br />
contract;<br />
• Ensure consistent training throughout<br />
the HCSC organization, including both<br />
internal and external audiences;<br />
• Create a database of agents authorized to<br />
sell our products. (Among the states we<br />
serve, only Texas does not require such a<br />
database.) We needed to track not just the<br />
employees of each agency, but the subcontractors<br />
who were selling our policies.<br />
• Optimize compliance training through its<br />
use as a tool to develop and support agent<br />
loyalty;<br />
• Reduce training costs, which had previously<br />
relied on in-person training that<br />
required virtually non-stop travel by<br />
HCSC employees throughout our four-state<br />
service region.<br />
they can be automatically authenticated and<br />
approved for training.<br />
The capabilities of the solution were familiar<br />
to HCSC because it was already being used<br />
for other in-house compliance training. The<br />
solution uses the application service provider<br />
(ASP) or hosted model, which allows data<br />
to be stored securely outside our firewall and<br />
virtually eliminated the capital, administrative,<br />
and maintenance costs associated <strong>with</strong><br />
purchasing new infrastructure. This was key,<br />
because we could not allow non-employees,<br />
such as agents, brokers, or other downstream<br />
entities to enter our firewall to take the training.<br />
Finally, the solution creates the documentation<br />
required by CMS, including e-signature<br />
validation that all learners have received the<br />
training courses and have been tested for<br />
comprehension of each course’s subject matter.<br />
The documentation of all training activities is<br />
available in audit-ready format.<br />
HCSC business and compliance goals<br />
HCSC serves members in four states through<br />
our Blue Cross/Blue Shield divisions in Illinois,<br />
Texas, New Mexico and Oklahoma. Our<br />
MAPD and PDP plans are offered through<br />
our subsidiary HCSC Insurance Company<br />
(HISC).<br />
In September 2007, we launched a training<br />
program that was offered through November<br />
14. In compliance <strong>with</strong> CMS’ rules, we<br />
stopped the training on November 14, the<br />
day prior to the beginning of the enrollment<br />
period for 2008 MAPD and PDP plans. Our<br />
training program was developed to achieve<br />
well-defined goals that supported the HCSC<br />
commitment to “best in class” service to our<br />
members. Our objectives included:<br />
n Provide our members <strong>with</strong> unequalled<br />
service by ensuring that all agents are<br />
equipped to accurately explain our plan to<br />
current or potential members;<br />
Achieving our training objectives<br />
The MAPD and PDP compliance training<br />
program at HCSC reflects an enterprise-wide,<br />
long-term approach. Because of the number<br />
and diverse locations of agents, we chose an<br />
online training system that supported remote<br />
workers, met CMS’ documentation needs, and<br />
provided the critical management capabilities<br />
for an efficient, cost-effective program.<br />
The program was built on the decision to<br />
create a single program that would be used by<br />
all brokerage agencies, regardless of their state<br />
locations. We developed a program based<br />
on an enterprise-wide, compliance-specific,<br />
learning management system and MAPD and<br />
PDP specific-training courses (herein referred<br />
to as the solution). Agents <strong>with</strong> authorization<br />
to sell our Medicare-regulated prescription<br />
drug plans are required to self-register for the<br />
training. All 21,000 HCSC-authorized agents<br />
have been pre-loaded into the system, so that<br />
Before receiving any training material, each<br />
broker is required to sign a contract (i.e.,<br />
licensing agreement) <strong>with</strong> HCSC’s specific<br />
conditions for performance. Only after signing<br />
the agreement does the agent then receive<br />
an online “package” containing a producer<br />
training course, three forms, and a survey<br />
that must be completed as the final element<br />
of the training program. The producer<br />
training course is broken into seven chapters:<br />
Overview, enrollment, plans, formulary,<br />
prescription policy, marketing guidelines,<br />
and fraud, waste, and abuse. The three forms<br />
contained in the agent’s training package are<br />
the company’s Medicare and Government<br />
Contracts Compliance Program, a Compliance<br />
Checklist, and the HISC Amendment,<br />
which includes the commission structure.<br />
Each chapter of the seven courses concludes<br />
<strong>with</strong> a learning activity and challenge. An 80%<br />
Continued on page 69<br />
Feature Focus: Coordinating external requests for information in the Compliance Office

By Cornelia M. Dorfschmid, PhD

Editor’s note: Cornelia M. Dorfschmid is Executive Vice President with Strategic Management in Alexandria, VA. She may be reached by telephone at 703/683-9600, ext. 419 or by e-mail at cdorfschmid@strategicm.com.

The need for organization-wide strategies for coordination of requests for data, records, and patient information has taken higher priority in the Compliance Office these days. Despite increased automation and software tools available to compliance officers, the handling of particular external requests for information warrants a fresh look.

A Compliance Office is faced with a multitude of coordination challenges. Examples include the coordination of compliance training efforts with other training initiatives across the organization, compliance investigations with legal counsel and the Human Resources department, and risk assessments related to regulatory requirements and quality-of-care issues. Facilitating the coordination and cooperation across departments is nothing new to an effective Compliance Office. It is part of the compliance officer’s job. However, a new coordination challenge has moved to the forefront.

The Deficit Reduction Act of 2005 (DRA) strengthened Medicaid enforcement. A change in the enforcement landscape and Medicare reform brought a shift in the Center for Medicare & Medicaid Services (CMS) strategy to fight fraud and abuse. The Medicare Integrity Program and new national Medicaid Integrity Program are at the center of CMS’s long-term antifraud and abuse strategy, which is focused on return on investment of enforcement efforts. In this context, new CMS contractors will request claims data and medical records, aggressively use data mining and statistical analysis to find payment errors, and have access to a powerful data warehouse containing vast amounts of information on providers and payment data. At the same time, boards of directors and external auditors are calling for increased transparency of how organization-wide risk management is conducted. Health care providers who have effective compliance programs will avoid meeting these demands one at a time. Instead, they will develop a solid response strategy to process external requests for information and data from government agencies, CMS contractors, oversight bodies, accreditation organizations, and independent auditors in a manner that coordinates efforts across departments and, as part of effective compliance risk management, leverages their own data analysis and review capabilities.

Request for information

Health care providers can receive a host of requests for data, medical records, billing information and claims data, the Disclosure of Financial Relationships Reports (DFRR) on physician arrangements, or policies and procedures from a myriad of requestors, including:

Medicare
• Zone Program Integrity Contractors (ZPIC) [formerly Program Safeguard Contractors (PSC)] that focus on billing fraud
• Medicare Administrative Contractors (MACs) [formerly Carriers and Fiscal Intermediaries] that process all types of Medicare claims
• Recovery Audit Contractors (RACs) that audit for Medicare claims, focus on billing errors and overpayments, and work on contingency basis
• Comprehensive Error Rate Testing (CERT) contractors that conduct random post-payment reviews of Medicare claims
• Medicare Quality Improvement Organizations (QIO) [successors of Peer Review Organizations (PRO)] that focus on quality of care

Medicaid/State
• Medicaid Integrity Contractors (MICs) that audit claims of providers of Medicaid services to identify overpayments
• Payment Error Rate Measurement (PERM) auditors that review Medicaid claims and beneficiary eligibility
• State Medicaid Fraud Control Units (MFCUs) that investigate state Medicaid fraud
• State OIG that fight Medicaid fraud and abuse (e.g., New York, Texas) and investigate and analyze claims – a growing trend to implement State OIG offices has been noted

General
• Department of Health and Human Services Office of Inspector General (OIG)
• Joint Commission [formerly Joint Commission on Accreditation of Healthcare Organizations (JCAHO)]

Requests are most commonly made by a “demand letter” via mail or fax, but may also involve e-mails, phone calls, and scheduled or unannounced site visits by an investigator or auditor. Subpoenas and search warrants are also a possibility. Unless there is coordination across the organization (based on written procedures) when these requests are made, unnecessary legal and compliance risks can arise or be aggravated. For example, a communication failure due to a non-timely response or a submission of a response letter that misses input, informational material, or prompt corrective action from some departments because they may remain unaware of the request or were inadequately informed, can pose legal, financial, and compliance risks. Such failures typically also involve a waste of resources, and even delay corrective action of detected or alleged systemic problems. When responding to an allegation or billing problem stated in the demand letter, being aggressively proactive is also important. Corrective measures should be put in place or at least be underway if substantial overpayments or lack of adequate controls are alleged. It is critical that “the left hand knows what the right hand is doing” to be proactive.

Taking responsibility to master the challenge

Two types of coordination challenges are associated with external requests for information: (1) the communication and handling of the incoming request, and (2) the coordination of the response and appropriate corrective action. The Compliance Office may want to take the lead in facing the coordination challenge.

A critical success factor in mastering the communication challenges is to engage various departments and assign responsibility, especially in larger health systems. Health care providers may consider the following:
• Designate an initial coordination response team (ICRT) with members of the senior leadership. The Chief Financial Officer (CFO), Legal Counsel (LC), Chief Operating Officer (COO), Chief Information Officer (CIO), and Compliance Officer (CO) should be considered as members of the ICRT.
• Ensure that the ICRT takes responsibility for coordinating the processing of the external requests. Their responsibility is to notify each other when they become aware of an external request and ensure a concerted effort.
• Assign responsibility for maintaining a central tracking system, and
• Educate employees about requestors and the proper reporting of requests up the chain or to ICRT members.

Auditing & monitoring

The Compliance Office is a logical choice for taking on the responsibility of logging requests and responses. Alternatively, the Legal department may take on the task. As a quality assurance measure, the Internal Audit department and/or Compliance Office should periodically audit the request handling process and provide the executive-level Compliance Committee with a report on the major external requests and request-processing statistics (e.g., turnaround time and outcome, appeals involved, monetary impact, facilities affected, etc).

Getting Started. The Compliance Office that leads the charge of coordination may want to consider the following to get organized:
1. Develop a policy and procedure on coordinating, communicating, and handling requests for information from government entities and external organizations. The policy includes the role of an ICRT or similar task unit and is approved by the executive Compliance Committee.
2. Flowchart the process to illustrate clearly how a request and related documents are to be routed. Include regular status updates on the requests.
3. Make an inventory of current requests in process and categorize them, if not already done.
4. Develop a communication and training strategy to make employees aware of how to report any incoming requests for information and educate them on the new policy and procedure. Educate employees on the common types of requests with examples, the role of the ICRT, new types of contractors and sources of requests, and the basic reporting expected of them. Incorporate this effort into the compliance training program.
5. Dedicate staff in the Compliance Office to maintain a request tracking and logging system in accordance with a written procedure.
6. Implement an electronic request tracking system that can be easily maintained long-term. Categorize the requests into routine and non-routine and severity of potential problems, payment errors, or control weaknesses.
7. Use software that includes a database (e.g., a Microsoft Access
database and Excel worksheet; off-the-shelf vendor software application; a Web application that allows for tracking of compliance incidents/events; document management software that logs documents and assigns responsibilities for follow-up).

Discuss with the Information Technology (IT) department the options for implementing a request tracking system that fits the organization’s needs, configuration, and update issues. Include the possibility of integrating the requested correspondence files as electronic attachments. Explore how to implement secure access controls.

Review major data fields carefully when organizing the request tracking system. Activities, dates, documents, and responsibilities typically need to be logged in some type of field. Fields that hyperlink or electronically reference the main requestor documents and final response documents (e.g., demand letter by the government agency, provider’s response correspondence) would be helpful.

Consider keeping all correspondence documents electronically. For example, scan all paper documents into Adobe PDF files (or similar format) and maintain these as electronic document attachments in the database of the request tracking system or in a dedicated drive on the network. Maintain version control between draft documents and final documents.

The data fields in a robust request tracking system should capture data, such as the date of initial request, requestor name and contact information, and any response due dates. The system should also log who at the provider was first contacted and which department and person is assigned to lead the effort to prepare the response. A date field to capture the day the ICRT was alerted and a data field for ICRT action taken may be helpful. In addition, fields that organize dates and documents related to the correspondence with the requestor (e.g., demand letter, response letter(s), appeal, etc.) help organize the tracking. Finally, data fields that capture internal actions taken, final outcome, closure date, and whether attorney-client privilege is applicable, may be needed.

Resources

CERT is a federally mandated program-integrity activity established by CMS to monitor and report the accuracy of Medicare fee-for-service (FFS) payments to physicians and non-physician practitioners. CERT contractors use CERT program information to determine which services are experiencing high error rates. See http://www.cms.hhs.gov/CERT/

DFRR (Disclosure of Financial Relationships Reports) are used by HHS as part of a “strategic and implementing plan.” DFRR are meant to address certain issues relating to physician investment in specialty hospitals. HHS also stated that it would require all hospitals to provide information on a periodic basis concerning their investment and compensation relationships with physicians pursuant to 42 CFR §411.361. See http://www.cms.hhs.gov/PhysicianSelfReferral/05b_Disclosure.asp

MACs (Medicare Administrative Contractors). CMS is in the process of replacing current contracting authority with MACs to administer the Medicare Part A and Part B FFS programs. MACs will also take on payment error review functions previously carried out by Quality Improvement Organizations (QIOs). See http://www.cms.hhs.gov/MedicareContractingReform/ and http://www.cms.hhs.gov/AcuteInpatientPPS/downloads/InpatientReviewFactSheet.pdf

PERM (Payment Error Rate Measurement) auditors operate in a three-part sequence: sampling, collecting, and reviewing FFS and managed care Medicaid claims from providers in each state. Each state only participates in PERM once every 3 years. See http://www.cms.hhs.gov/PERM/ and http://www.cms.hhs.gov/PERM/Downloads/StatesSelectedForPERM.pdf

RACs (Recovery Audit Contractors) are a demonstration program and strategy begun by CMS to identify overpayments and underpayments to Medicare in New York, Massachusetts, Florida, South Carolina, and California. The RAC Program is being expanded to a 50-state permanent program. By 2010, CMS plans to have 4 RACs in place, each responsible for approximately one quarter of the country. See http://www.cms.hhs.gov/RAC/ and http://www.cms.hhs.gov/RAC/10_ExpansionStrategy.asp

The what, why and how of Medicare Coverage Analysis – Part I

By Ofer Amit

Editor’s Note: Ofer Amit is a manager at Huron Consulting Group, Clinical Research Solutions and Healthcare Compliance practice in Chicago. He may be reached by telephone at 312/451-5628 and via email at oamit@huroncosultinggroup.com.

This is Part I of a two-part article.

Clinical research has become an integral part of modern clinical medicine. It is critical to the effective practice of medicine, essential to the improvement of patient care and to the development of novel therapies, and instrumental in affording patients access to therapies that would not be otherwise available to them. However, clinical research billing presents a regulatory and operational challenge to clinical trial sites: private practices, community hospitals, health systems, and academic medical centers alike. The challenge is embedded in a precise balance that a clinical trial billing operation must strike between billing third-party payers for all that is allowed, and yet only for what is allowed. A compliant and effective clinical research operation is dependent upon three major elements:
• A clear and consistent definition of allowable charges;
• A reliable and consistent method to identify and document the legitimacy of billing for items and services provided in the course of each clinical trial; and
• A dependable and verifiable research trial billing system that can correctly account for and execute informative billing instructions.

In Part I of this article we lay the statutory foundations, provide background, and offer definitions for clinical research billing when Medicare is the third-party payer. Many other third-party payers follow Medicare’s rules and regulations. Hence, in practicality, this article discusses coverage analysis for clinical research at large.

The roots of the Medicare Coverage Analysis (MCA) – the systematic review of a clinical trial’s documentation and a determination of chargeability of items and services provided in the course and as part of a trial – are embedded in the Medicare Bill 1 which was passed by Congress in 1965 as part of the Social Security Act (SSA). 2 Title XVIII to the SSA vests the authority to determine Medicare coverage in the Secretary of Health and Human Services (HHS) and provides a scope of benefits. The SSA specifically excludes Medicare coverage for items or services which “…are not reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body member.” 3 In addition, the law lays the responsibility for billing the federal government only for allowable items and services on the billing entity’s shoulders. The False Claims Act, also known as the “Lincoln Law” and originally passed by Congress in March 1863, 4 establishes the responsibilities of persons or entities presenting claims (in the context of this discussion, a request for payment) to the federal government. It imposes civil and criminal liabilities against a person or entity which knowingly submits (or causes another to submit) a false claim for payment and/or uses a false record to obtain a payment (where “knowingly” is defined as demonstration of reckless disregard or deliberate ignorance.)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), known for its provisions regarding security and privacy of health information, addresses specifically the application of the False Claims Act (FCA) in the health care arena and allows for the exclusion from Medicare participation of a provider convicted of an FCA violation. 5 Congress, in turn and as part of the Balanced Budget Act of 1997, 6 directed the Health Care Financing Administration (HCFA) to study preventive and enhanced benefits under Medicare with specific focus on “…routine patient care costs for beneficiaries enrolled in approved clinical trial programs.” 7 The study by HCFA (now called the Centers for Medicare and Medicaid or CMS) led to President Clinton’s executive memorandum of June 7, 2000 directing the Secretary of HHS to “…explicitly authorize payment for routine patient care costs...and costs due to medical complications associated with participation in clinical trials.”

CMS subsequently responded by issuing a National Coverage Decision on the Routine Costs of Clinical Trials in September 2000 (known as NCD 310.1, Routine Costs in Clinical Trials). CMS issued the most recent version of NCD 310.1 effective July 2007, naming it the Medicare Clinical Trial Policy (CTP). 8

The CTP includes requirements and limitations on coverage. In addition, it reiterates the policy to not withdraw coverage for items or services that may be otherwise covered by (what was once called) Local Medical
Review Policies (LMRPs), now named Local<br />
Coverage Determination or LCDs). 9 LCDs<br />
are crafted by Medicare contractors – Carriers,<br />
Fiscal Intermediaries (FIs), and Medicare<br />
Administrative Contractors (MACs) – to<br />
address national or local policy gaps that<br />
may result in billing for services or items that<br />
could be considered neither reasonable nor<br />
necessary. LCDs make up the majority of<br />
current coverage determinations; they contain<br />
decisions that supplement the CTPs; LCDs<br />
may differ between contractors. A National<br />
Coverage Analysis (NCA) may be initiated<br />
to set rules that settle inconsistencies or vast<br />
differences between LCDs.<br />
A National Coverage Analysis (NCA), a<br />
formal evidence-based evaluation process,<br />
may also be triggered by industry, Carriers,<br />
beneficiaries, and others. 10 The NCA considers<br />
input from the Medicare & Coverage Advisory<br />
Committee (MCAC), experts, and the<br />
public in formulating rules about coverage. 11<br />
Guidance about coverage is also available<br />
from certain compendia. 12 The American<br />
Medical Association Drug Evaluations and the<br />
American Hospital Formulary Service (AHFS)<br />
Drug Information, for example, are acceptable<br />
as authoritative sources for the determination<br />
of a “medically-accepted indication” for a drug.<br />
The Medicare Coverage Database (MCD) 13<br />
contains all NCDs, LCDs, local policy articles,<br />
NCA reports, Coding Analyses for Labs<br />
(CALs), MCAC proceedings, and additional<br />
coverage guidance documents, which are<br />
available to the MCA professional as a resource<br />
in determining Medicare coverage for an item<br />
or service.<br />
Of special interest is Medicare coverage for<br />
clinical trials involving medical devices.<br />
Although the CTP allows reimbursement<br />
for items and services that are “…reasonable<br />
and necessary…” and are for “…diagnosis or<br />
treatment…” these provisions were historically<br />
interpreted as requiring that the service<br />
or item (i.e., the device) is also safe and effective,<br />
medically necessary and appropriate, and<br />
not experimental (where experimental was<br />
interchangeably used with investigational).<br />
In September 1995, the regulator [the Food<br />
and Drug Administration (FDA)], and the<br />
purchaser [CMS] thus entered an interagency<br />
agreement 14 that:<br />
• Grouped medical devices, for coverage determination<br />
purposes, into two categories<br />
(A and B), and<br />
• Extended Medicare coverage to select<br />
Category A devices and, to a larger extent,<br />
to certain Category B devices.<br />
Category A devices are defined as “Innovative<br />
devices believed to be in class III medical<br />
device for which absolute risk of the device<br />
type has not been established.” Category<br />
B devices are defined as “Nonexperimental<br />
and/or investigational devices believed to be<br />
in classes I or II medical device 15 or devices<br />
believed to be in class III where the incremental<br />
risk is the primary risk in question or it is<br />
known that the device type can be safe and<br />
effective....” 16<br />
Medicare coverage determinations are embedded<br />
in a complex and, at times, inconsistent<br />
array of guidelines, manuals, Prospective<br />
Payment Systems (PPS), and publications<br />
– many of which are available at CMS’ website.<br />
17 Criteria for coverage, on the other hand,<br />
are derived from the regulations. 18 They state<br />
that a clinical trial considered for potential<br />
Medicare coverage for routine costs must:<br />
1. Have the purpose of evaluating an item or<br />
service that belongs to a Medicare benefit<br />
category,<br />
2. Have a therapeutic intent, and<br />
3. Enroll patients with a diagnosed disease.<br />
However, Medicare coverage is extended only<br />
to routine costs in a trial that is:<br />
1. Deemed as automatically qualified; or<br />
2. Qualified by virtue of a certification by<br />
the Principal Investigator (PI) that it<br />
meets qualification criteria; or<br />
3. One whose routine costs are allowed under Coverage<br />
with Evidence Development (CED).<br />
Although option 2 above (certification by the<br />
PI) is allowed per the regulations, no steps<br />
were taken to date to implement it and, from<br />
a practical standpoint, the option is currently<br />
unavailable. A clinical trial is automatically<br />
deemed as qualified if it is:<br />
1. Funded by the National Institute of<br />
Health (NIH), the Center for Disease<br />
Control and Prevention (CDC), the<br />
Agency for Healthcare Research and<br />
Quality (AHRQ), CMS, the Department<br />
of Defense (DOD), or the US Department<br />
of Veterans Affairs (VA); or<br />
2. Supported by a center or cooperative<br />
group which is funded by the NIH,<br />
CDC, AHRQ, CMS, DOD or VA; or<br />
3. Conducted under an Investigational New<br />
Drug application (IND) reviewed by the<br />
FDA; or<br />
4. Exempt from having an IND, until qualifying<br />
criteria are developed and the process<br />
for certifying trials by the PIs is in place.<br />
To qualify a trial that is not deemed automatically<br />
qualified, a PI is required to certify<br />
that it meets the following criteria:<br />
1. It tests whether the intervention potentially<br />
improves the participants’ health<br />
outcomes.<br />
2. It is well-supported by scientific and<br />
medical information or intends to clarify<br />
or establish the health outcomes of interventions<br />
already in common clinical use.<br />
3. It does not unjustifiably duplicate an<br />
existing trial.<br />
4. It is properly designed to address the corresponding<br />
hypothesis.<br />
Continued on page 52<br />
Quality of care and compliance: Existing challenges and first steps for hospitals<br />
By Cheryl L. Wagonhurst, Esq, CCEP and Nathaniel M. Lacktman, Esq, CCEP<br />
Cheryl L. Wagonhurst is a partner with the Los<br />
Angeles office of Foley & Lardner LLP, where she<br />
is a member of the Health Care Industry Team<br />
and the White Collar Defense and Corporate<br />
Compliance Practice, and focuses primarily on<br />
internal investigations, compliance, and health<br />
care regulatory matters. Ms. Wagonhurst is a<br />
member of the advisory board of the Society of<br />
Corporate Compliance and Ethics. She may<br />
be reached at 310/975-7839 or by e-mail at<br />
CWagonhurst@Foley.com.<br />
Nathaniel M. Lacktman is an associate in the<br />
Tampa, Florida office of Foley & Lardner LLP,<br />
where he is a member of the Health Care Industry<br />
Team and its White Collar Crime and Corporate<br />
Compliance Practice Group and focuses on health<br />
care litigation, medical staff peer review, qui<br />
tam actions, internal investigations, and defense<br />
against enforcement actions by state and federal<br />
regulators. He may be reached at 813/225-4127<br />
or by e-mail at NLacktman@Foley.com.<br />
Compliance officers, in-house counsel,<br />
and other health care professionals<br />
should by now be aware that<br />
the government has made quality of care a<br />
top priority. The government’s three-prong<br />
approach seeks to:<br />
• incentivize quality of care through payment<br />
reform,<br />
• drive quality of care transparency through<br />
public reporting, and<br />
• enforce quality of care through the False<br />
Claims Act and other federal and state<br />
mechanisms.<br />
Many of these professionals understand<br />
that quality of care poses significant compliance<br />
risks to hospitals, including potential<br />
individual liability for the high-ranking<br />
executives, board members, physicians, and<br />
owners. Despite their awareness, these same<br />
professionals are struggling to figure out how<br />
to address quality of care and minimize its<br />
attendant compliance risks.<br />
Foley & Lardner LLP is providing Compliance<br />
Today with an ongoing series of articles<br />
designed to address these questions. This<br />
article, the first in the series, highlights the<br />
challenges hospitals face when managing<br />
quality-of-care compliance. It also discusses<br />
the first steps a hospital should take to address<br />
the compliance implications of quality-of-care<br />
failures, including education and a quality<br />
of care/legal risks audit. Several topics are<br />
broadly discussed, including Recovery Audit<br />
Contractor (RAC) audits, all of which will<br />
be addressed in greater depth as this series<br />
of articles unfolds. Forthcoming articles will<br />
include: (1) tools and mechanics of a quality<br />
of care/legal risks audit; (2) quality of care<br />
enforcement; (3) quality-based payments<br />
and reimbursement; (4) quality of care<br />
compliance and the medical staff; (5) public<br />
reporting and quality of care; and (6) quality<br />
of care, data mining, and RAC audits.<br />
Awareness and education challenges<br />
Before a hospital can address the compliance<br />
implications of quality of care, its leadership<br />
must understand the connections between<br />
quality and compliance. Executives, board<br />
members, key leadership, and physicians<br />
need, at a minimum, a general understanding<br />
of the government’s quality-of-care efforts<br />
regarding payments, public reporting, and<br />
enforcement. Educating these key leaders on<br />
quality-of-care compliance is an essential first<br />
step in the process.<br />
The lack of board education and oversight on<br />
quality issues is troubling. A Joint Commission<br />
research effort conducted interviews<br />
with CEOs and Board Chairs at 30 hospitals<br />
in 14 states, and revealed that “the level of<br />
knowledge of landmark Institute of Medicine<br />
(IOM) quality reports among CEOs and<br />
board chairs was remarkably low” and that<br />
there were significant differences between the<br />
CEOs’ perception of the knowledge of board<br />
chairs and the board chairs’ self-perception. 1<br />
This disconnect has not been lost on the<br />
Office of Inspector General (OIG), which is<br />
beginning to look to boards to ensure fiscal<br />
integrity and oversight. 2<br />
One approach to education would divide<br />
key personnel into categories (e.g., executives,<br />
board members, physicians, and care<br />
staff) and provide tailored education to each<br />
group. Certain quality-of-care issues are more<br />
appropriate for the board, whereas other<br />
issues would resonate better <strong>with</strong> physicians.<br />
Use education modules (again tailored to each<br />
group) for the training. This approach can<br />
help standardize the education process, collect<br />
feedback from the trainees, and create a<br />
documented record of the hospital’s quality-of-care<br />
education efforts.<br />
The order in which personnel are trained is<br />
also an important aspect to consider. Certain<br />
key executive positions (e.g., CEO, general<br />
counsel, director of quality) will be the champions<br />
for a compliance officer who is seeking<br />
resources for quality of care efforts, and<br />
therefore, it is important for those individuals<br />
to hear the message first. Educating the<br />
board is the next step and there is already an<br />
excellent resource available for board education:<br />
Corporate Responsibility and Health<br />
Care Quality: A Resource for Health Care<br />
Boards of Directors. 3 This resource, issued<br />
jointly by the OIG and the American Health<br />
Lawyers Association (AHLA), should be<br />
required reading for boards, senior management,<br />
and compliance officers. According to<br />
the report, a “new era of focus on quality and<br />
patient safety [is] rapidly emerging, and oversight<br />
of quality also is becoming more clearly<br />
recognized as a core fiduciary responsibility of<br />
health care organization directors.” 4<br />
Boards must provide an appropriate level of<br />
oversight of health care services to satisfy their<br />
core fiduciary duties to the hospital. Board<br />
members who breach these duties may be<br />
exposed to personal liability. Board members<br />
owe a duty of care, requiring them to exercise<br />
appropriate care in their decision-making<br />
process. Generally, the duty of care is satisfied<br />
when directors act in good faith, with the<br />
care that an ordinarily prudent person would<br />
exercise in similar circumstances, and in a<br />
manner they reasonably believe to be in the<br />
best interests of the hospital.<br />
Because the duty of care has been interpreted<br />
to require that directors actively inquire<br />
into the hospital’s operations, educational<br />
materials should be designed to help board<br />
members ask knowledgeable and appropriate<br />
questions related to quality and quality<br />
reporting requirements, as well as the metrics<br />
employed. Education and active involvement<br />
will help board members establish, and affirmatively<br />
demonstrate, that they have followed<br />
a reasonable process for quality oversight.<br />
Boards need not approach these issues alone.<br />
Once the board is “on board” with the<br />
compliance officer’s quality-of-care efforts,<br />
the board should seek periodic updates from<br />
executive staff on hospital quality-of-care<br />
initiatives and how the hospital intends to<br />
address legal issues associated with those<br />
initiatives. When quality shortcomings are<br />
identified, the board should allocate appropriate<br />
resources to address the gaps including,<br />
for example, enlisting the help of outside<br />
attorneys and consultants to evaluate quality<br />
risk areas within the hospital.<br />
Organizational challenges<br />
Hospitals are large, complex organizations<br />
created (like many other large businesses)<br />
in a bureaucratic structure with specialized<br />
departments and groups, each focusing on a<br />
different aspect of the hospital. This structure<br />
is useful for efficiency and specialization,<br />
but has limited capabilities to readily share<br />
information across and between departments.<br />
This problem is known as “siloing.” Lewis<br />
Morris, Chief Counsel to the Department of<br />
Health and Human Services (HHS) OIG,<br />
recognized the issue when he said,<br />
“When looking at some of these very large<br />
[health care] corporations, there is a siloing<br />
of responsibility, which has the effect<br />
of inadequate cross[ing] of information<br />
between the peer review/quality people<br />
and the compliance people. The different<br />
components of a health care organization<br />
need to communicate and exchange<br />
information with each other and boards<br />
of directors can encourage this process.” 5<br />
Compliance, Quality, and Peer Review<br />
departments each deal, to a certain degree,<br />
with quality-of-care issues, and there is an<br />
overlap of subject matter. Yet, a hospital’s<br />
compliance program traditionally is separate<br />
and distinct from its quality assurance and<br />
peer review programs. That type of structure<br />
does not permit the information exchange<br />
necessary to recognize and address the<br />
compliance risks that can arise from poor<br />
quality of care. Hospitals need to develop<br />
structures that can transcend the department<br />
silos and exchange quality-of-care information,<br />
at least among the three departments for<br />
which this exchange has become critical.<br />
Challenges in the peer review process<br />
Critics of the medical staff peer-review<br />
process claim it has proven itself an ineffective<br />
tool to resolve quality and safety issues, both<br />
from the physician and the hospital perspective.<br />
They contend that the current peer<br />
review process is subject to bias and political<br />
motive and cannot adequately help a hospital<br />
meet government-imposed mandates on quality<br />
of care. Of course, the peer review process<br />
offers certain benefits. It enables physicians<br />
to speak frankly, at a peer-to-peer level, on<br />
quality issues and care processes. They are<br />
sometimes more persuasive and receptive<br />
when dealing with each other and often show<br />
greater respect to the clinical judgment of<br />
trained, experienced peers.<br />
The most significant limitation in the traditional<br />
peer review process, and the one which<br />
poses the greatest compliance risk, is that the<br />
process is largely retrospective and based on<br />
isolated, past incidents. Constantly looking<br />
backward, rather than identifying patterns<br />
of care failures, the process is always reactive,<br />
not proactive. The hearings are often lengthy<br />
and can suffer significant delay caused by the<br />
subject physician or simply the unavailability<br />
of the hearing panel. These delays can permit<br />
a pattern of poor quality or unnecessary care<br />
to persist before the peer review process is<br />
able to react.<br />
Hospitals must consider new approaches<br />
to integrate into the peer review process.<br />
Consider real-time chart audits based on daily<br />
monitoring of key quality indicators. If a<br />
Continued on page 50<br />
HCCA’s 2009<br />
Conferences<br />
Education and networking<br />
opportunities for you in 2009<br />
Start planning now…<br />
NATIONAL CONFERENCES<br />
Audit & Compliance Committee Conference<br />
February 23–25<br />
Scottsdale, AZ<br />
Managed Care Compliance Conference<br />
February 22–24<br />
Scottsdale, AZ<br />
Fraud & Compliance Forum<br />
October 3–5<br />
Baltimore, MD<br />
Quality of Care Compliance Conference<br />
October 11–13<br />
Philadelphia, PA<br />
Physician Practice Compliance Conference<br />
October 14–16<br />
Philadelphia, PA<br />
Research Compliance Conference<br />
October 19–21<br />
Chicago, IL<br />
Compliance Institute<br />
April 26–29<br />
Caesars Palace | Las Vegas, NV<br />
COMPLIANCE ACADEMIES<br />
February 2–5<br />
San Francisco, CA<br />
March 9–12<br />
Dallas, TX<br />
June 1–4<br />
Scottsdale, AZ<br />
August 10–13<br />
Chicago, IL<br />
November 16–19<br />
Orlando, FL<br />
November 30—December 3<br />
San Diego, CA<br />
ADVANCED ACADEMIES<br />
June 22–25<br />
San Francisco, CA<br />
October 26–29<br />
San Antonio, TX<br />
RESEARCH<br />
COMPLIANCE<br />
ACADEMIES<br />
June 15–18<br />
San Francisco, CA<br />
September 21–24<br />
Orlando, FL<br />
REGIONAL CONFERENCES<br />
Atlanta, GA | January 9<br />
Orlando, FL | January 30<br />
Dallas, TX | February 20<br />
Anchorage, AK | February 26–27<br />
Columbus, OH | May 8<br />
New York, NY | May 15<br />
Seattle, WA | June 5<br />
Los Angeles, CA | June 26<br />
Boston, MA | September 11<br />
Minneapolis, MN | September 18<br />
Kansas City, MO | September 25<br />
Chicago, IL | October 2<br />
Pittsburgh, PA | October 9<br />
Honolulu, HI | October 15–16<br />
Denver, CO | October 23<br />
Nashville, TN | November 6<br />
Louisville, KY | November 13<br />
Phoenix, AZ | November 20<br />
AUDIO/WEB CONFERENCES<br />
HCCA’s Audio/Web Conferences cover<br />
hot topics throughout the year. Visit<br />
www.hcca-info.org for up-to-date info<br />
on upcoming conferences and to register.<br />
www.hcca-info.org<br />
888-580-8373<br />
Quality of care and compliance: Existing challenges and first steps for hospitals ...continued from page 47<br />
pattern emerges, the hospital can take action.<br />
Also consider a greater emphasis on patterns<br />
(and projected patterns) of care. Physicians<br />
should be permitted a degree of freedom<br />
in their treatment style, but certain care<br />
approaches pose a higher risk than others.<br />
Treatments and medications constantly<br />
evolve, and the hospital should identify<br />
and address physicians who use outdated,<br />
high-risk processes before bad outcomes are<br />
manifested. Because nearly half of physicians<br />
do not report medical incompetence by their<br />
peers, the hospital cannot rely on physicians<br />
to police themselves. 6<br />
Challenges in the traditional medical staff<br />
structure<br />
As physician roles continue to change, the<br />
traditional medical staff structure finds itself<br />
ill-equipped to adapt to emerging compliance<br />
and quality-of-care challenges. There<br />
are an increasing number of hospital-based<br />
physicians, including hospitalists, intensivists,<br />
obstetrical hospitalists, and pediatric hospitalists.<br />
Specialty lines have begun to blur with<br />
cross-credentialed physicians playing multiple<br />
roles on the care team (e.g., interventional<br />
radiology/cardiology/neurology). The growing<br />
number of outpatient-based physicians has<br />
complicated the credentialing process and led<br />
to reduced collegiality with the specialists and<br />
hospital-based physicians.<br />
As hospitals adapt to these physician-driven<br />
changes, regulators mandate further change,<br />
such as competency-based credentialing, standardization<br />
of care processes, and increased<br />
medical staff oversight of quality.<br />
Another key change is the increased public<br />
reporting of quality data, both on the hospital<br />
level and the individual physician level.<br />
Hospitals must crunch their own data and<br />
understand it, not wait for the government<br />
to do so first. Additional transparency by<br />
the medical staff, who share quality data, is<br />
essential and can be achieved with a better<br />
medical staff infrastructure, improved design,<br />
and aligned incentives to address national<br />
patient safety and quality mandates.<br />
Need for effective incentive strategies<br />
Many would argue that there is a lack of effective<br />
hospital-physician collaboration strategies<br />
to provide incentives based on quality of<br />
care. In this respect, hospitals and physicians<br />
are co-dependent and should collaborate<br />
on new structures. Hospitals must enlist<br />
physician support to meet quality targets<br />
and earn pay-for-performance incentives.<br />
Similarly, physicians must enlist hospitals<br />
to offer systems that drive quality across the<br />
continuum of care.<br />
Current, traditional equity joint-ventures<br />
often fail to align physician and hospital<br />
interests in improving quality of care.<br />
Consumer-driven health care and increased<br />
access to quality data will eventually lead to<br />
greater patient choice and create consumers<br />
who are better informed and more discerning<br />
about the hospital and physician they choose.<br />
Hospitals need to develop viable, compliant<br />
incentive structures to connect physicians<br />
and reward desirable behavior patterns and<br />
quality-of-care efforts. New structures need to<br />
focus on quality, reducing waste, and promoting<br />
transparency to assist the hospital’s own<br />
data mining efforts. These new joint ventures<br />
should also account for coordinating the care<br />
delivered by providers outside the venture.<br />
Quality of care/legal risks audit<br />
Many hospitals are hampered in providing<br />
consistent quality of care and are simply<br />
unaware of their compliance vulnerabilities,<br />
because they have not subjected their quality-of-care<br />
“processes” to the level of scrutiny<br />
they devote to other compliance concerns,<br />
such as billing and claims submission or<br />
physician financial relationships. This requires<br />
a broad-based, coordinated approach among<br />
the administration, the medical staff, physicians,<br />
nursing staff, risk managers, utilization<br />
review, Quality department, Compliance<br />
department and legal counsel.<br />
A quality-of-care/legal risks audit is an<br />
important step in addressing quality of care<br />
and compliance. Such an audit identifies<br />
areas of potential quality breakdowns and<br />
helps establish internal quality controls,<br />
two key areas a hospital should immediately<br />
address to reduce the risk of an adverse<br />
government-enforcement action. A quality-of-care/legal<br />
risks audit, ideally performed by<br />
objective outside health care counsel under<br />
the attorney-client privilege, can reveal the<br />
true operational landscape of a hospital.<br />
Because of siloing and the various structural<br />
and operational challenges discussed above,<br />
it is difficult to imagine a hospital adequately<br />
addressing its quality-of-care compliance risks<br />
without this broad-based approach.<br />
Patient care is the heart of a hospital’s<br />
enterprise, and some key personnel may<br />
hesitate to scrutinize their hospital’s quality<br />
of care. They might fear an audit will reveal a<br />
slew of previously unknown problems, which<br />
the hospital would then need to remedy. They<br />
might also believe (with regard to liability)<br />
that ignorance is bliss, and would rather not<br />
know of existing problems. Such attitudes are<br />
understandable but misguided.<br />
In light of the OIG/AHLA guidance,<br />
board members have an affirmative duty to<br />
understand their hospital’s quality-of-care<br />
risks. Affirmatively choosing not to conduct<br />
a quality-of-care compliance audit, simply<br />
because the hospital fears the results, could<br />
constitute willful ignorance or reckless<br />
disregard of the failures, if the problems later<br />
become known in a government investigation<br />
or whistleblower lawsuit. Moreover, the<br />
underlying quality-of-care failures will continue<br />
to exist and can pose an ever-increasing<br />
compliance risk (false claims, malpractice, or<br />
otherwise), whether or not the hospital knows<br />
about the failures.<br />
A responsible, less-invasive alternative to<br />
the audit process would be to perform a risk<br />
assessment based on key quality-of-care and<br />
compliance factors. The underlying concepts<br />
would be the same as those in the quality-of-care/legal<br />
risks audit, but the investigation<br />
would not run as deep as an audit. This<br />
process would give the compliance officer a<br />
general understanding of the hospital’s risks.<br />
The results would highlight and prioritize key<br />
risk areas, which the compliance officer can<br />
then report to the board. A quality-of-care/<br />
legal risks audit could then be performed on<br />
selected, priority risk areas.<br />
Quality of care and RAC audits<br />
As the RAC programs start again, hospitals<br />
should be particularly concerned about<br />
quality-of-care compliance risks. In the<br />
time since the RAC audits were temporarily<br />
suspended, the government has announced a<br />
significant number of quality-of-care initiatives<br />
regarding reimbursement methodology.<br />
Commencing October 1, 2008, Medicare<br />
will no longer reimburse for certain hospital-acquired<br />
conditions unless the condition was<br />
present on admission. 7 Whereas previously<br />
hospitals were required to report only certain<br />
quality indicators, Medicare’s impending<br />
Value-Based Purchasing plan will deny payment<br />
altogether. 8 State Medicaid programs,<br />
including Massachusetts, Minnesota, and<br />
New York, have announced plans to deny<br />
payment for medical errors and/or certain<br />
hospital-acquired conditions. These are just a<br />
few of the quality-of-care payment changes,<br />
to say nothing of the growing enforcement<br />
focus on quality-of-care failures.<br />
RAC auditors are aware that hospitals have<br />
invested significant resources to address and<br />
reduce traditional billing errors. They are<br />
also aware that many of these same hospitals<br />
have not invested the resources to address and<br />
reduce quality-of-care errors. It should be no<br />
surprise when RAC auditors focus their data<br />
mining efforts on quality-of-care issues. The<br />
RAC audits might reveal patterns of substandard<br />
care or medically unnecessary surgeries,<br />
all submitted for reimbursement. Hospitals<br />
must ready themselves to address and defend<br />
against quality-of-care issues brought by RAC<br />
auditors.<br />
Conclusion<br />
Quality of care, with its attendant impact on<br />
payments, public reporting, and enforcement,<br />
should be a major concern for hospitals.<br />
Traditional structures and business models<br />
are not designed to best respond to the<br />
government’s mandates on quality of care and<br />
compliance. Hospitals will need to work with<br />
the compliance officer, the Quality department,<br />
and legal counsel, who are experienced<br />
in these quality of care issues, to implement<br />
new models and incentives to promote<br />
quality of care.<br />
The first step in the process is to educate key<br />
personnel and board members. After enlisting<br />
their support, the hospital should consider<br />
undergoing a quality-of-care/legal risks audit<br />
or, at least, a risk assessment based on those<br />
same factors.<br />
Addressing quality of care proactively, and<br />
integrating it with compliance, will give a<br />
hospital a financial and operational advantage.<br />
Those same investments in quality-of-care<br />
compliance can provide additional<br />
returns by minimizing litigation exposure and<br />
enforcement actions based on poor quality.<br />
Hospitals that refuse to recognize and address<br />
quality-of-care risks and failures should not<br />
be surprised to find themselves subjected to<br />
whistleblower suits, RAC audits on quality<br />
of care, or (worse yet) excluded from federal<br />
programs.<br />
1 “Getting the Board on Board: Engaging Patient Boards in Quality and<br />
Patient Safety,” 32 Joint Commission Journal on Quality and Patient<br />
Safety 179-187 (April 2006)<br />
2 “Driving for Quality in Long-Term Care: A Board of Directors Dashboard,”<br />
HHS and HCCA joint report (January 2008)<br />
3 Arianne N. Callender, et al., The Office of the Inspector General of the<br />
U.S. Department of Health and Human Services and The American<br />
Health Lawyers Association, Corporate Responsibility and Health Care<br />
Quality: A Resource for Health Care Boards of Directors (2007)<br />
4 See footnote No. 3<br />
5 Lewis Morris, Chief Counsel to the Office of United States Inspector<br />
General of Health and Human Services, on September 25, 2007<br />
6 According to Institute of Medicine as a Profession, “Survey on Medical<br />
Professionalism,” Annals of Internal Medicine (December 4, 2007)<br />
7 Medicare Program: Changes to the Hospital Inpatient Prospective Payment<br />
Systems and Fiscal Year 2008 Rules, 72 Fed. Reg. 47130, 47200<br />
(Aug. 22, 2007)<br />
8 The Deficit Reduction Act of 2005 authorized CMS to develop for<br />
Medicare a hospital pay for performance model (known as Value-Based<br />
Purchasing). Pub. L. 107-191<br />
Be Sure to Get Your<br />
CHC CEUs<br />
Inserted in this issue of Compliance<br />
Today is a quiz related to the articles:<br />
• The 1-2-3s of claims sampling to<br />
resolve overpayment errors —<br />
By B. Bo Martin, page 32<br />
• Quality of care and compliance:<br />
Existing challenges and first<br />
steps for hospitals — By Cheryl<br />
L. Wagonhurst and Nathaniel M.<br />
Lacktman, page 46<br />
• Complying with the HIPAA Privacy<br />
Rule: What you need to know —<br />
By Rebecca C. Fayed, page 59<br />
To obtain your CEUs, take the quiz and<br />
print your name at the top of the form.<br />
Fax it to Liz Hergert at 952/988-0146,<br />
or mail it to Liz’s attention at HCCA,<br />
6500 Barrie Road, Suite 250,<br />
Minneapolis, MN 55435. Questions?<br />
Please call Liz Hergert at 888/580-8373.<br />
Compliance Today readers taking the<br />
CEU quiz have one year from the<br />
published date of the CEU article to<br />
submit their completed quiz.<br />
The what, why and how of Medicare Coverage Analysis – Part I ...continued from page 45<br />
5. It is sponsored by a credible organization/<br />
individual who is capable of executing the<br />
trial successfully.<br />
6. It complies with federal regulations<br />
regarding human subject protections.<br />
7. It is conducted in accordance with appropriate<br />
standards of academic integrity.<br />
This certification process also requires that<br />
the PI enrolls the trial in the Medicare clinical<br />
trials registry. The registry, per CMS, is under<br />
development and the option to qualify a<br />
trial on the basis of the PI’s certification is,<br />
as stated above, not practically available at<br />
this time. Once a trial meets the criteria as<br />
“qualifying” for Medicare coverage and in<br />
order to be reimbursable by Medicare, each of<br />
its items and services must be (1) identified as<br />
a “routine cost” and (2) declared reasonable<br />
and necessary. (The criteria and the review<br />
process for each item and service to determine<br />
if it is a “routine cost” will be covered in detail<br />
by Part 2 of this article.)<br />
The elaborate statutory environment and<br />
intricate coverage issues present clinical trial<br />
sites with complex regulatory requirements<br />
and, potentially, far-reaching consequences for<br />
non-compliance. In 1995, the Rush University<br />
Medical Center settlement with the HHS<br />
Office of Inspector General (OIG) for allegations<br />
of research-related Medicare over-billing<br />
included $1 million in reimbursement and<br />
penalties and a Certification of Compliance<br />
Agreement (CCA). Furthermore, the OIG<br />
identified “…reporting of financial support<br />
from other sources…” as a risk area in its 2004<br />
Medicare Work Plan and the item remains a<br />
priority in OIG’s annual work plans.<br />
Evaluation of research billing operations is,<br />
therefore, an integral part of any high-level<br />
risk assessment of a clinical trial-participating<br />
health care facility. In this context, an<br />
inadequately performed and/or ineffectively<br />
deployed MCA may represent a substantial<br />
compliance risk. An analysis that does not<br />
clearly identify a therapeutic intent; performs<br />
an ad hoc classification of routine care;<br />
or does not provide adequate support for<br />
routine care classifications by an NCD and/or<br />
LCD, rules, manuals, guidance documents,<br />
compendia, etc., could lead to allegations of<br />
False Claims Act violation and subsequent<br />
enforcement and legal action.<br />
By contrast, a properly performed and<br />
implemented MCA demonstrates careful<br />
consideration and provides significant protection<br />
against charges of FCA violation. The<br />
MCA, therefore, has a vital role in a health<br />
care entity’s risk management and compliance<br />
programs as a key compliance control.<br />
The MCA may be conducted by and within<br />
a variety of business units in a health care<br />
enterprise. It should also be performed by an<br />
adequately-trained professional. The MCA<br />
is, additionally, a product of a partnership<br />
between key trial and operations stakeholders:<br />
the PI, research staff, providers, the<br />
Institutional Review Board (IRB), sponsors,<br />
coders, billing staff, Financial, Compliance,<br />
Contracts and Grants offices, and many more.<br />
The correctly-conducted MCA is, therefore,<br />
not only an essential billing compliance<br />
control; it is also a cornerstone of a clinical<br />
trial’s financial analysis and budget process.<br />
In summary, Part I of this article about<br />
Medicare Coverage Analysis provided<br />
statutory context, illustrated the need for and<br />
benefits of the MCA process, and discussed<br />
potential consequences for non-compliance.<br />
It highlighted certain processes and a variety<br />
of documents that jointly define coverage,<br />
presented criteria for Medicare coverage,<br />
and introduced key participants of the MCA<br />
process. Part 2 of this article will focus on<br />
the methodology and tools for conducting a<br />
Medicare Coverage Analysis.<br />
1 42 U.S.C. §1395<br />
2 P.L. 74-271<br />
3 42 U.S.C. §1395y (a)(1)(A)<br />
4 31 U.S.C. §3729-3733<br />
5 P.L. 104-191<br />
6 P.L. 105-33<br />
7 P.L. 105-33, Section 4108 (b)(2)(D)<br />
8 Pub 100-03, Medicare National Coverage Determinations for Routine<br />
Costs in Clinical Trials (310.1)<br />
9 Benefits Improvement and Protection Act (BIPA)<br />
10 68 Fed Reg. 55634<br />
11 63 Fed Reg. 68780<br />
12 Social Security Act, Section 1861(t)(2)(B)(ii)(I)<br />
13 http://www.cms.hhs.gov/mcd/overview.asp accessed June 23, 2008<br />
14 FDA/HCFA Interagency Agreement Regarding Reimbursement Categorization<br />
of Investigational Devices September 15, 1995 (D95-2)<br />
15 21 CFR 860<br />
16 Medicare Prescription Drug, Improvement, and Modernization Act of<br />
2003 (MMA), section 731(b)<br />
17 http://www.cms.hhs.gov/center/coverage.asp accessed June 23, 2008<br />
18 Pub 100-03, Medicare National Coverage Determinations for Routine<br />
Costs in Clinical Trials (310.1)<br />
SEC Disclosure:<br />
Managing information<br />
at FDA-regulated<br />
companies<br />
By Elizabeth P. Gray, Esq. and Jessica L. Matelis, Esq.<br />
Editor’s note: Elizabeth P. Gray is a partner and<br />
Jessica L. Matelis is an associate in the Washington,<br />
DC office of Willkie Farr & Gallagher LLP where<br />
their practices include securities law enforcement<br />
and litigation matters. Ms. Gray can be reached at<br />
202/303-1207 or by email at egray@willkie.com.<br />
Ms. Matelis can be reached at 202/303-1132 or<br />
by email at jmatelis@willkie.com.<br />
Four years ago, the Securities and<br />
Exchange Commission (SEC) and<br />
the Food and Drug Administration<br />
(FDA) announced steps to enhance cooperation<br />
between the two agencies, with the FDA<br />
agreeing to support the SEC in its mission<br />
to protect the public from false and misleading<br />
statements by public companies. 1 At that<br />
time, the agencies developed a centralized<br />
process through which the FDA could refer<br />
potential disclosure matters to the Division<br />
of Enforcement at the SEC and also identified<br />
specific FDA point persons and procedures<br />
for the SEC to use when seeking information<br />
from the FDA about publicly traded<br />
companies regulated by the FDA. Recent<br />
SEC cases evidence the continued existence<br />
of the relationship between these two regulatory<br />
bodies. 2<br />
In addition to the scrutiny from government<br />
agencies, FDA-regulated companies, like<br />
medical device developers and manufacturers,<br />
have proven to be frequent defendants in<br />
private securities class actions. Consequently,<br />
given the relationship between the SEC and<br />
the FDA, the consistent flow of information<br />
between regulated companies and the<br />
FDA, and the frequency with which many<br />
FDA-regulated companies utilize the public<br />
markets to raise funds, companies in this area<br />
are well-advised to develop and implement a<br />
robust set of disclosure policies and procedures<br />
to ensure that material information<br />
is not only being disclosed, but is being<br />
disclosed promptly and accurately.<br />
Although a public company has no general<br />
affirmative duty to disclose nonpublic information,<br />
SEC rules and regulations, such as<br />
the revised disclosure obligations under Form<br />
8-K, may require disclosure under certain<br />
circumstances. Even when disclosure is not<br />
required, however, a company that receives<br />
news from the FDA or through one of its<br />
clinical investigations may want to disclose<br />
that information to the public. And, when a<br />
company speaks, whether because of a regulation<br />
or voluntarily, it must provide complete<br />
and accurate disclosure to avoid misleading<br />
the investing public. 3 Additionally, after a<br />
company discloses information regarding a<br />
certain matter, it may have a “duty to update”<br />
or a “duty to correct” the information in<br />
that disclosure if new information becomes<br />
available. Because of the importance of<br />
getting accurate information to the investing<br />
public in a timely fashion, even small<br />
public companies that are regulated by the<br />
FDA need to focus not just on their clinical<br />
investigations and FDA applications, but on<br />
making sure that information regarding those<br />
areas is flowing both <strong>with</strong>in the company and<br />
then to the public through its SEC filings and<br />
public statements.<br />
Standard Operating Procedures<br />
One approach for FDA-regulated companies<br />
is to develop and utilize standard operating<br />
procedures (SOP) for encouraging the timely<br />
and accurate exchange of information. Just as<br />
a company would develop and follow an SOP<br />
for reporting adverse effects during a clinical<br />
trial or investigation, it can develop SOPs<br />
for communicating with regulatory bodies,<br />
for dealing with clinical investigation or trial<br />
developments and for drafting SEC filings,<br />
including Forms 10-K, 10-Q, and 8-K.<br />
Regulatory bodies<br />
Communications with the FDA and other<br />
similar regulatory bodies are fertile ground<br />
for information that either needs to be publicly<br />
disclosed or that the company would<br />
like to disclose. Consequently, a formal written<br />
SOP for dealing with communications<br />
from the FDA can help a company identify<br />
and disclose pertinent information. Such an<br />
SOP may include the following guidelines:<br />
• Any written communication to or from<br />
the FDA should be promptly circulated<br />
(within 24 hours) to not only members of<br />
the regulatory affairs and clinical divisions,<br />
but to someone in the General Counsel’s<br />
office and to a member of corporate communications.<br />
• Two or more people should participate in<br />
all oral communications with the FDA.<br />
• Oral communications should be promptly<br />
documented in a written summary and<br />
circulated to the same group of people<br />
who would receive written communication.<br />
• Specific personnel should be responsible<br />
for drafting and distributing these communications.<br />
Clinical trials<br />
Developments from clinical investigations<br />
are another area likely to generate material<br />
information that a company may need to<br />
disclose, particularly if the company has<br />
previously disclosed information regarding<br />
a clinical investigation or trial. Significant<br />
changes or results from investigations previously<br />
discussed with the public will likely<br />
warrant prompt and accurate disclosure.<br />
Again, in order to accomplish this efficiently,<br />
the creation and implementation of an SOP<br />
regarding clinical investigation developments<br />
may be beneficial.<br />
For each ongoing clinical investigation,<br />
create a distribution list which includes at<br />
least one member from the regulatory affairs<br />
department, the General Counsel’s office and<br />
the corporate communications or investor<br />
relations department. Use this distribution list<br />
to promptly communicate any new and significant<br />
developments so that people outside<br />
the clinical investigation group are not only<br />
informed of the new information, but can<br />
make an assessment regarding whether or not<br />
disclosure is necessary. Consider including<br />
as part of this SOP a procedure for calling<br />
meetings among the distribution list on short<br />
notice, thus allowing for discussion about the<br />
new information across various segments of<br />
the company.<br />
SEC filings<br />
Creating SOPs for the drafting, review, and<br />
filing of any SEC filings is also an important<br />
component for disclosure policies and<br />
procedures. For each periodic filing on Form<br />
10-K or 10-Q, implement an SOP that not<br />
only sets forth the timeline for drafting the<br />
filing, but also includes the necessary sign-offs<br />
for each section. Of particular importance for<br />
many FDA-regulated companies, including<br />
medical device developers and manufacturers,<br />
is a section appearing in each periodic<br />
report called management’s discussion and<br />
analysis of financial conditions and results of<br />
operations (MD&A). This section requires<br />
management to discuss information that may<br />
cause the current financial condition to not<br />
be indicative of future financial condition.<br />
For medical device companies, this may<br />
include indications from the FDA regarding<br />
status of a pending application or events<br />
from a clinical investigation. Consequently,<br />
an SOP regarding the drafting and review of<br />
periodic filings needs to allow for review by<br />
members of the regulatory affairs and clinical<br />
investigation divisions to ensure that information<br />
pertinent to those divisions is included<br />
and accurately described.<br />
Similarly, SOPs for Forms 8-K and registration<br />
statements can be drafted to allow for<br />
review by relevant divisions at the company.<br />
These SOPs, however, may need to be streamlined<br />
because often time is of the essence<br />
when filing a disclosure on Form 8-K or a<br />
registration statement for an equity offering.<br />
In August 2004, revisions for the filing of<br />
Forms 8-K became effective, requiring that<br />
companies file disclosures regarding specified<br />
information <strong>with</strong>in four business days. And,<br />
although registration statements can integrate<br />
prior filings, a company must still ensure that<br />
it describes “any and all material changes in<br />
the registrant’s affairs” that were not previously<br />
reported on a Form 10-Q or 8-K.<br />
Regulation Fair Disclosure<br />
Finally, because many FDA-regulated companies<br />
are frequently communicating with<br />
the investing public, particularly institutional<br />
investors, developing an SOP that covers<br />
Regulation Fair Disclosure (Reg FD) may<br />
be useful. Under Reg FD, companies are<br />
prohibited from selectively disclosing material<br />
nonpublic information to certain parties,<br />
such as securities market professionals, institutional<br />
investors, and investment companies.<br />
If material nonpublic information is disclosed<br />
to a select party, Reg FD requires that the<br />
information be simultaneously disclosed to<br />
the public or, if the disclosure is inadvertent,<br />
the information must be disclosed to the<br />
public as soon as practicable after discovering<br />
the disclosure. SOPs regarding communications<br />
with the investment community can be<br />
a valuable way to prevent running afoul of<br />
Reg FD. For example, an SOP to assist with<br />
Reg FD compliance might require that:<br />
• All staff who interact with the investment<br />
community complete regular training<br />
about FD.<br />
• All communication with investors be<br />
logged into a central system, which includes<br />
the date of the communication and<br />
a description of the information provided<br />
to the investor.<br />
• All “road show” materials be reviewed and<br />
approved by specified personnel.<br />
Conclusion<br />
SEC disclosure requirements may not always<br />
be given the necessary attention at developing<br />
public companies that are regulated by the<br />
FDA. However, the cooperation between the<br />
FDA and the SEC, as well as the risk of civil<br />
suits, suggest that FDA-regulated companies<br />
need to take care when disclosing information<br />
to the investing public because the potential<br />
damage from making inaccurate disclosures<br />
can be significant. Using SOPs, a familiar<br />
format of control at FDA-regulated companies,<br />
is one possible way to make disclosure<br />
policies and procedures functional for these<br />
dynamic companies.<br />
1 See “SEC and FDA Take Steps to Enhance Inter-Agency Cooperation,”<br />
SEC Press Rel. 2004-13 (Feb. 5, 2004) and “FDA and SEC Work to<br />
Enhance Public’s Protection from False and Misleading Statements,”<br />
P04-15 (Feb. 5, 2004).<br />
2 See SEC v. Shashikant C. Shah, Lit. Rel. No. 20034 (March 8, 2007)<br />
(“The staff acknowledges the assistance and cooperation of . . . the FDA<br />
in the investigation of this matter”).<br />
3 See Backman v. Polaroid Corp., 910 F. 2d 10, 13 (1st Cir. 1990) (en<br />
banc).<br />
Complying with the<br />
HIPAA Privacy Rule<br />
– What you need to<br />
know<br />
By Rebecca C. Fayed, JD<br />
Editor’s note: Rebecca C. Fayed is an associate<br />
in the Washington law offices of Sonnenschein,<br />
Nath & Rosenthal LLP. Rebecca is a member<br />
of Sonnenschein’s Health Care Group. She may<br />
be reached by telephone at 202/408-6351 or by<br />
e-mail at rcfayed@sonnenschein.com.<br />
The Health Insurance Portability<br />
and Accountability Act of 1996<br />
(HIPAA) 1 , among other things,<br />
directed the Department of Health and<br />
Human Services (HHS) to adopt regulations<br />
regarding the privacy of health information.<br />
After a series of proposed and final rules and<br />
modifications, on August 14, 2002, HHS<br />
published what is now commonly referred<br />
to as the Privacy Rule. 2 Most covered entities<br />
have been required to comply with the<br />
Privacy Rule since April 14, 2003.<br />
As a general matter, the Privacy Rule requires<br />
that covered entities not use or disclose<br />
protected health information (PHI) without<br />
an individual’s authorization unless that use<br />
or disclosure is specifically permitted under<br />
the Privacy Rule. In addition, the Privacy<br />
Rule provides individuals with a number of<br />
rights with respect to their PHI and requires<br />
covered entities to comply with certain<br />
administrative requirements.<br />
In order to comply with the Privacy Rule, a person<br />
or entity must, at a minimum, determine:<br />
• If the Privacy Rule applies (i.e., whether<br />
the person or entity is a covered entity or a<br />
business associate);<br />
• What information is considered PHI; and<br />
• What uses and disclosures of PHI are<br />
permitted.<br />
In addition, covered entities must have<br />
procedures in place to allow individuals to<br />
exercise their rights with respect to their PHI<br />
and must implement the requisite administrative<br />
requirements under the Privacy Rule.<br />
Who must comply with HIPAA?<br />
Only people or entities that meet the definition<br />
of a covered entity are required to comply<br />
with the Privacy Rule. A covered entity is a<br />
health plan, a health care clearinghouse, or a<br />
health care provider who transmits any health<br />
information in electronic form in connection<br />
with a standard transaction. In terms of health<br />
care providers, generally this includes any health<br />
care provider who submits claims electronically.<br />
Health care providers who may be covered<br />
entities include, for example, hospitals, physicians,<br />
dentists, nursing homes, and pharmacies<br />
(assuming that these entities submit claims electronically).<br />
Health plans that may be covered<br />
entities include, for example, health insurance<br />
companies, HMOs, and employer group health<br />
plans (but not the employer plan sponsor).<br />
In addition, people or entities who are not<br />
part of a covered entity’s workforce, but who<br />
provide certain services for or on behalf of<br />
a covered entity and receive PHI from the<br />
covered entity when providing those services,<br />
may be considered business associates under<br />
the Privacy Rule and contractually required<br />
to comply with certain Privacy Rule requirements.<br />
Specifically, if a covered entity is<br />
disclosing PHI to a business associate in order<br />
for the business associate to provide services<br />
for the covered entity, the covered entity must<br />
obtain “reasonable assurances” from the business<br />
associate that the business associate will<br />
appropriately safeguard the PHI that it receives<br />
when providing services. These reasonable<br />
assurances must be in the form of a written<br />
agreement, commonly referred to as a business<br />
associate agreement or BA agreement.<br />
BA agreements must contain a number of<br />
provisions set forth in the Privacy Rule,<br />
including, for example, a provision that establishes<br />
the permitted and required uses and<br />
disclosures of PHI, a prohibition against any<br />
further use or disclosure except as permitted<br />
by the agreement or as required by law, and<br />
provisions that require the business associate<br />
to permit individuals to exercise their rights<br />
with respect to their PHI (either directly or<br />
through the covered entity).<br />
To comply with the Privacy Rule’s requirements<br />
regarding disclosure of PHI to a business associate,<br />
covered entities should analyze their business<br />
relationships to determine who is a business<br />
associate. Covered entities should enter into<br />
BA agreements with any people or entities that<br />
meet the definition of a business associate. Some<br />
common examples of business associates include<br />
lawyers, consultants, CPA firms, and third-party<br />
administrators. In contrast, a person or entity is<br />
not a business associate if that person or entity’s<br />
services do not involve the use or disclosure of<br />
PHI or only involve incidental disclosures of<br />
PHI. For example, janitors, electricians, or couriers<br />
generally are not business associates, because<br />
they only incidentally come into contact with<br />
PHI during the course of providing services.<br />
What is protected?<br />
PHI is the only information protected by the<br />
Privacy Rule. PHI is information (including<br />
demographic information) that is created or received by a health care provider,<br />
health plan, employer, or health care clearinghouse that relates to:<br />
• The past, present, or future health of an individual;<br />
• The provision of health care to an individual; or<br />
• The past, present, or future payment for health care to an individual<br />
AND that either<br />
o identifies the individual, or<br />
o there is a reasonable basis to believe that the information could be<br />
used to identify the individual.<br />
In contrast, information that has been de-identified is not protected under<br />
the Privacy Rule. De-identification, however, is not simply removing the<br />
individual’s name from the information. In fact, in order for information<br />
to be truly “de-identified” for purposes of the Privacy Rule (and therefore<br />
outside of the Privacy Rule’s scope), either all eighteen identifiers enumerated<br />
in the Privacy Rule must be removed from the information or a person<br />
<strong>with</strong> “appropriate knowledge of and experience <strong>with</strong>” accepted principles<br />
and methods must determine that the risk is very small that the information<br />
could be used alone or in combination <strong>with</strong> other available information to<br />
identify the individual to whom the PHI relates.<br />
What uses and disclosures are permitted?<br />
A covered entity may not use or disclose PHI unless that use or disclosure is<br />
permitted by the Privacy Rule. A covered entity may disclose, and in fact, is<br />
required to disclose PHI to the individual or the individual’s representative<br />
and to the Secretary of HHS for purposes of determining compliance <strong>with</strong><br />
the Privacy Rule.<br />
Uses and disclosures that are “incident to” an otherwise permitted use or<br />
disclosure are also permitted under the Privacy Rule. For example, the Privacy<br />
Rule does not prohibit a physician from discussing a patient’s medical condition<br />
<strong>with</strong> that patient in a hospital room that is shared <strong>with</strong> another patient.<br />
Any PHI that the other patient may hear is an incidental disclosure of PHI<br />
and is permissible under the Privacy Rule.<br />
Perhaps most important in terms of most day-to-day uses and disclosures of<br />
PHI, the Privacy Rule permits covered entities to use and disclose PHI for purposes<br />
of treatment, payment, and health care operations (commonly referred<br />
to as TPO). Treatment includes the provision, coordination, or management of<br />
health care, the consultation between health care providers, and the referral of<br />
patients to other health care providers. Payment includes activities undertaken<br />
by a health plan to obtain premiums or to determine or fulfill obligations<br />
related to coverage and the provision of benefits. Payment also includes activities<br />
undertaken by a health care provider or health plan to obtain or provide<br />
reimbursement for health care. In defining payment, the Privacy Rule includes<br />
several specific examples, including, for example, determinations<br />
of coverage, billing, claims management, collection activities, and<br />
utilization review. Finally, health care operations is a very broad<br />
category of non-treatment and non-payment business activities<br />
undertaken by a covered entity. The Privacy Rule sets forth several<br />
specific examples of health care operations, including quality<br />
assessment and improvement activities, credentialing activities,<br />
arranging for legal services, medical review and auditing functions,<br />
and business planning and development.<br />
A covered entity may use or disclose PHI for its own TPO purposes.<br />
It also may disclose PHI for the treatment purposes of<br />
another health care provider or to another covered entity or health<br />
care provider for the recipient’s payment purposes. Moreover,<br />
albeit more limited in scope, a covered entity may disclose PHI for<br />
another covered entity’s health care operations purposes if:<br />
• The health care operations purposes are quality assessment,<br />
credentialing, training activities, or fraud and abuse detection;<br />
and<br />
• Both entities have or have had a relationship with the person<br />
to whom the PHI relates.<br />
In addition to these more day-to-day uses and disclosures, the<br />
Privacy Rule permits covered entities to use or disclose PHI for<br />
the following purposes, provided that the covered entity meets<br />
the applicable requirements for the particular use or disclosure<br />
as specifically set forth in the Privacy Rule:<br />
• To create or maintain a facility directory<br />
• To individuals involved in a person’s care or payment for that care<br />
• As required by law<br />
• For public health activities<br />
• For victims of abuse, neglect, or domestic violence<br />
• For health oversight activities<br />
• During the course of judicial and administrative proceedings<br />
• To law enforcement officials<br />
• For decedents<br />
• For organ donation<br />
• For research purposes<br />
• To avert a serious threat to public health or safety<br />
• For specialized government functions<br />
• For workers’ compensation purposes<br />
For all other uses and disclosures, that is, for all uses and<br />
disclosures that the Privacy Rule does not specifically permit, a<br />
covered entity first must obtain an individual’s<br />
authorization before using or disclosing PHI.<br />
Under the Privacy Rule, an authorization<br />
must contain certain provisions, including a<br />
description of the information to be used or<br />
disclosed, the name of the person or entity<br />
authorized to make the use or disclosure, the<br />
person or entity who may receive the information,<br />
a description of the purpose of the use or<br />
disclosure, an expiration date, a signature, and<br />
other provisions related to individual rights.<br />
In addition to those provisions required by the<br />
Privacy Rule, many state laws also have specific<br />
requirements related to what must be included<br />
in an authorization. Covered entities should<br />
confirm that their authorization forms contain<br />
all required provisions under the Privacy Rule<br />
and under state law.<br />
There are many purposes for which a covered<br />
entity may use or disclose PHI, but the vast<br />
majority of these uses and disclosures are<br />
subject to the Privacy Rule’s minimum necessary<br />
requirement. That is, <strong>with</strong> few exceptions<br />
(e.g., treatment purposes), when a covered<br />
entity uses or discloses PHI, the covered<br />
entity must use or disclose only the minimum<br />
amount of PHI necessary to effectuate the<br />
purpose of the use or disclosure.<br />
Individual rights<br />
In addition to governing a covered entity’s<br />
use and disclosure of PHI, the Privacy Rule<br />
created certain individual rights <strong>with</strong> respect<br />
to PHI. Simultaneously, the Privacy Rule<br />
created certain obligations for covered entities<br />
to allow individuals to exercise these rights.<br />
Notice of privacy practices. Under the Privacy<br />
Rule, an individual has the right to adequate<br />
notice of a covered entity’s uses and disclosures<br />
of PHI, his or her rights <strong>with</strong> respect to PHI,<br />
and a covered entity’s legal obligations regarding<br />
PHI. Accordingly, covered entities must<br />
provide individuals <strong>with</strong> a written notice of their<br />
privacy practices. Generally, the notice of privacy<br />
practices must contain a description of the<br />
covered entity’s uses and disclosures, a statement<br />
of the individual’s rights, the covered entity’s legal<br />
duties <strong>with</strong> respect to the PHI, a description of<br />
the process for filing a complaint, and contact<br />
information for purposes of asking additional<br />
questions. In addition, health care providers<br />
must make a good faith effort to obtain a written<br />
acknowledgement that a patient received the<br />
notice of privacy practices. If the health care<br />
provider is unable to obtain the acknowledgement,<br />
the health care provider must document<br />
its good faith efforts and the reasons why such<br />
acknowledgement was not obtained.<br />
Access to PHI. The Privacy Rule provides that<br />
individuals have a right to inspect and obtain a<br />
copy of their PHI. This means that covered entities<br />
have a corresponding obligation to provide<br />
access to and copies of PHI to individuals who<br />
make such a request. The Privacy Rule does<br />
permit a covered entity to limit this right under<br />
certain circumstances. In addition, a covered<br />
entity does not have to comply immediately<br />
upon receiving a request. That is, generally,<br />
a covered entity has 30 days to respond to a<br />
request for access and may have up to 60 days<br />
under certain circumstances. Moreover, covered<br />
entities are permitted to charge a reasonable,<br />
cost-based fee for fulfilling these requests.<br />
Amendment of PHI. Under the Privacy Rule,<br />
individuals have the right to have a covered<br />
entity amend their PHI, and covered entities<br />
have the obligation to fulfill these requests.<br />
As <strong>with</strong> the right to access PHI, the right to<br />
have PHI amended is limited under certain<br />
circumstances. For example, if the PHI is<br />
accurate and complete, the covered entity is<br />
not required to amend the PHI. Again, as <strong>with</strong><br />
the right to access, the right to amendment<br />
is not immediate. As a general rule, a covered<br />
entity has 60 days to respond to a request for<br />
amendment and has up to 90 days in some cases.<br />
Accounting of disclosures. Individuals have<br />
the right to receive an accounting of certain<br />
disclosures made by a covered entity in the<br />
prior six-year period. Accordingly, to fulfill<br />
their obligation, covered entities must have a<br />
process in place, for example an accounting<br />
log, to track information related to certain<br />
disclosures and must have a way to provide<br />
such information to an individual upon<br />
request. Many disclosures do not need to be<br />
accounted for, including disclosures made for<br />
TPO purposes, disclosures made pursuant<br />
to an authorization, disclosures made to the<br />
individual, and disclosures incident to an<br />
otherwise permitted disclosure. Examples of<br />
disclosures that must be accounted for include<br />
unauthorized disclosures of PHI, disclosures<br />
required by law, those made for public health<br />
purposes, and disclosures for health oversight.<br />
Similar to the access and amendment rights,<br />
the right to an accounting is not immediate.<br />
Rather, covered entities have up to 60 days,<br />
and up to 90 days in some cases, to respond to<br />
the request. In addition, while a covered entity<br />
must provide an individual <strong>with</strong> an accounting<br />
free of charge, for any additional request<br />
<strong>with</strong>in the same 12-month period, a covered<br />
entity may charge a reasonable cost-based fee.<br />
Right to request restrictions. The Privacy<br />
Rule provides individuals <strong>with</strong> the right to<br />
request restrictions on the way a covered entity<br />
uses or discloses PHI for purposes of TPO and<br />
to an individual involved in the individual’s care<br />
or payment for that care. The covered entity,<br />
however, is not obligated to comply <strong>with</strong> the<br />
request. Therefore, this is the only individual<br />
right under the Privacy Rule that does not have<br />
a corresponding obligation for the covered<br />
entity. However, if the covered entity does<br />
agree to the request, the covered entity may not<br />
violate the restriction (unless under emergency<br />
treatment circumstances).<br />
Confidential communications. Under the Privacy Rule, individuals have<br />
the right to request that communications of PHI be made by alternative<br />
means (e.g., by mail instead of by telephone) or at alternative locations<br />
(e.g., at work instead of at home). <strong>Health</strong> care providers are required to<br />
accommodate all reasonable requests. <strong>Health</strong> plans must accommodate<br />
reasonable requests only if the individual clearly states that the disclosure<br />
of PHI could endanger the individual.<br />
Administrative requirements<br />
The Privacy Rule requires covered entities to implement certain administrative<br />
requirements. In effect, these requirements create an obligation for covered<br />
entities to establish a privacy compliance program. That is, many of the<br />
requirements are similar to the elements of a general health care compliance<br />
program. For example, covered entities must:<br />
• Designate a privacy officer.<br />
• Develop and implement privacy policies and procedures.<br />
• Provide training to all members of the workforce.<br />
• Have a process in place for individuals to make complaints regarding<br />
privacy issues, including issues related to the covered entity’s compliance<br />
with the Privacy Rule and its own privacy policies and procedures.<br />
• Have and apply appropriate sanctions against employees who violate<br />
the Privacy Rule and/or the covered entity’s privacy policies and procedures.<br />
• Refrain from intimidating or engaging in any retaliatory acts against<br />
individuals who exercise their rights under the Privacy Rule or who file<br />
a complaint against the covered entity.<br />
• Mitigate any harmful effect that results because of an act of noncompliance<br />
with the Privacy Rule or the covered entity’s privacy policies and<br />
procedures.<br />
• Implement appropriate administrative, technical, and physical safeguards<br />
to protect the privacy of PHI.<br />
• Maintain documentation as required by the Privacy Rule.<br />
Enforcement<br />
The HHS Office for Civil Rights (OCR) is responsible for enforcing the<br />
Privacy Rule. OCR has the authority to impose civil monetary penalties<br />
(CMPs) for violations of the Privacy Rule. CMPs are limited to $100 per<br />
violation <strong>with</strong> a maximum of $25,000 per year for each identical Privacy<br />
Rule requirement that is violated.<br />
The United States Department of Justice (DoJ) has the authority to impose<br />
criminal penalties for violations of the Privacy Rule. Specifically, if a person<br />
or entity knowingly obtains or discloses PHI in violation of the Privacy<br />
Rule, the person or entity may be liable for up to $50,000 and/or may be<br />
imprisoned for up to one year. If a person or entity obtains or discloses the<br />
PHI under false pretenses, that person or entity may be subject<br />
to $100,000 in fines and/or five years in prison. In addition, if<br />
the individual obtains or discloses PHI <strong>with</strong> an intent to sell,<br />
transfer, or use it for commercial advantage, commercial gain,<br />
or malicious harm, that individual or entity may be fined up to<br />
$250,000 and/or be imprisoned for up to 10 years.<br />
It is important to note that there is no private right of action<br />
under HIPAA. Therefore, an individual may file a complaint<br />
<strong>with</strong> HHS <strong>with</strong> respect to a covered entity’s compliance <strong>with</strong><br />
the Privacy Rule, but he or she may not file an action against the<br />
covered entity for violating the Privacy Rule.<br />
Conclusion<br />
As stated above, in order to comply <strong>with</strong> the Privacy Rule, a<br />
person or entity must, at a minimum, determine:<br />
• if the Privacy Rule applies,<br />
• what information is protected, and<br />
• what uses and disclosures of PHI are permitted.<br />
In addition, covered entities must have procedures in place to<br />
allow individuals to exercise their rights <strong>with</strong> respect to their<br />
PHI. Finally, and perhaps most importantly, covered entities<br />
must implement the administrative requirements required<br />
under the Privacy Rule. These administrative requirements create<br />
a HIPAA privacy compliance program infrastructure that is<br />
necessary to ensure compliance <strong>with</strong> the Privacy Rule’s requirements.<br />
Because Privacy Rule enforcement is a complaint-driven<br />
process, it is important to have this infrastructure in place, not<br />
only to comply <strong>with</strong> the law, but also to:<br />
• Reduce the potential for incidents to occur that may give rise<br />
to complaints; and<br />
• Be able to show OCR or DoJ that PHI is properly safeguarded<br />
by the covered entity. Such proof may be essential to avoid<br />
civil or criminal penalties should a Privacy Rule violation<br />
occur.<br />
1. Public Law 104-191.<br />
2. 67 Fed. Reg. 53182 (Aug. 14, 2002), codified at 45 C.F.R. Parts 160 and 164.<br />
To Register visit www.hcca-info.org<br />
Whistleblower Claims in <strong>Health</strong>care<br />
October 8<br />
Part 1: A Compliance Perspective<br />
Available on CD<br />
Part 2: The Enforcement Perspective<br />
Carmen Wolf, Principal, BlickenWolf LLC<br />
Patrick Coffey, Partner, Locke Lord Bissell & Liddell<br />
Linda Wawzenski, Assistant United States Attorney, Deputy Chief,<br />
Civil Division, United States Attorney’s Office<br />
2008 MACS and RACS: What It<br />
Means For The Lab — October 14, 2008<br />
In this presentation you will learn about Medicare<br />
Administrative Contractors (“MAC’s”) and the MACs process<br />
both Part A and B claims allowing for increased program<br />
integrity. The full fee-for-service workload is scheduled to be<br />
transitioned to the MACs by October 2009.<br />
2009 OIG Work Plan for Hospitals &<br />
Physicians — October 23 & 24<br />
Be prepared for the year ahead by taking advantage of<br />
the HCCA’s presentation of the 2009 OIG Work Plan for<br />
Hospitals. Outstanding speakers combine <strong>with</strong> engaging<br />
interaction for a serious, in-depth look at the OIG’s key<br />
compliance concerns for fiscal year 2009. If you’re looking for<br />
OIG Work Plan coverage that is substantial and to‐the‐point<br />
don’t miss this conference<br />
An Insider’s Guide to<br />
Workplace Investigations<br />
October 30, 2008<br />
Meric Craig Bloch,<br />
Vice President–Corporate<br />
Compliance, Adecco S.A.<br />
Past Audio/Web conferences<br />
are available on CD at<br />
www.hcca-info.org/pastweb<br />
Improving competitiveness and compliance through agent/broker online training<br />
...continued from page 37<br />
proficiency level is required before the system allows the user to move to the<br />
next chapter or to complete the course. Agents who fail to complete all<br />
components of the training/certification program are prohibited from selling<br />
the Medicare products. If an agent who was not certified did sell a Medicare<br />
policy, the commission system would automatically prevent the agent from<br />
being paid.<br />
The survey results from the 2007 training program have been very positive<br />
about the training program. An average of 89% of surveyed agents in the<br />
four-state service area rated the training program as Excellent/Good. Perhaps<br />
most promising, the majority of our agents answered positively when asked if<br />
they would like to have access to other HCSC training courses for<br />
Medicare-related products.<br />
These results, along with specific agent feedback, will be used to develop the<br />
next level of training, which will include topics suggested by the agents in our<br />
follow-up surveys.<br />
Measuring the results<br />
HCSC’s new, online MA and MAPD training program has already produced<br />
substantial results—in compliance and in efficiency:<br />
• Cost. Training costs were significantly reduced by instituting an online<br />
program and eliminating the need for in-person training.<br />
• Time. More than 3,800 agents who sell MAPD or PDP were trained and<br />
tested between late September and November 14, 2007.<br />
• Compliance. We achieved compliance with CMS’ training requirements for<br />
agents and brokers and consider ourselves well-positioned to achieve CMS’<br />
next set of requirements.<br />
• Database. The database of agents adds value to our business by enabling<br />
direct communications and providing advanced training to agents who sell<br />
our products.<br />
The success of the training program offers opportunities for HCSC to expand<br />
and improve the program. We are now working to equip the agent certification<br />
program with more teeth by preventing any agent from using the online<br />
enrollment application or marketing materials without first completing our<br />
training program. This will not only add another layer of compliance assurance,<br />
but will help our marketing team develop valuable collateral for use by agents.<br />
We also are working on ways to leverage the training program to promote agent<br />
loyalty and are investigating additional uses of our new database.<br />
The MAPD and PDP compliance training program we implemented has enabled<br />
us to meet multiple objectives, including cost-efficiency and compliance. It has<br />
provided a versatile system that can support a range of additional<br />
communication and education initiatives to our employees, brokers, agents<br />
and members. As regulations change, HCSC feels that it is well-positioned to<br />
meet new requirements. For example, in January 2009, Plan Sponsors will be<br />
required to include a written or computer-based test in their training programs.<br />
Agents and brokers will be required to successfully complete the test(s) with a<br />
minimum score of 80% to demonstrate their knowledge of the Medicare<br />
program and the plan-specific products they intend to sell. These requirements<br />
will apply to both employed and contracted agents and brokers. CMS believes<br />
the requirement is necessary to ensure that beneficiaries are receiving the<br />
information needed to make informed decisions and that agents understand<br />
the plans they are marketing and are prepared to provide recommendations.<br />
CMS will continue to provide information necessary to conduct such oversight.<br />
The 1-2-3s of claims sampling to resolve<br />
overpayment errors<br />
...continued from page 33<br />
quantification of the total overpayments<br />
is equal to the average overpayment in the<br />
sample times the number of sampling units<br />
in the sampling frame. This measurement<br />
and quantification should be stated <strong>with</strong> a<br />
confidence interval that is set by the desired<br />
confidence level. The final precision (i.e., the<br />
width of the confidence interval) will depend<br />
on this, the variation in the error rate, and the<br />
overpayments among the sampling units in<br />
the full sample.<br />
Step 6: Report the final results<br />
Reporting the final results is basically an<br />
exercise in documentation. An executive<br />
summary should begin <strong>with</strong> the definition<br />
of the potential error that was reviewed<br />
and end <strong>with</strong> the measurement of the error<br />
rate, if found, and the quantification of the<br />
overpayments, if any. All of the intermediary<br />
steps should be preserved, as appropriate, as<br />
work papers, so that any other reviewer could<br />
confirm what was done. For example, the<br />
sampling frame (i.e., the list of one-day stay<br />
admissions either for pneumonia cases or all<br />
cases in this example) should be kept as well<br />
as the probe sample and the full sample.<br />
Conclusion<br />
The sampling claims process requires<br />
statistical expertise, but it is best not left to<br />
statisticians alone. Compliance officers who<br />
decide to initiate a claims sampling process<br />
will benefit by the step-by-step planning that<br />
is as important for scientific validity as the<br />
correct application of the statistical formulas<br />
that are recommended to them.<br />
1 Catherine Sreckovich, Alan Peterson, B. Bo Martin: “Keeping the<br />
Sampling Gains Going” in Monitoring & Auditing for Effective<br />
Compliance, edited by John E. Steiner, JD. Philadelphia: <strong>Health</strong> <strong>Care</strong><br />
Compliance Association, 2008. (Chapter contains a history on the<br />
contribution of sampling methods to advancements in health care<br />
compliance)<br />
2 Available at http://www.oig.hhs.gov/organization/OAS/ratstat.html<br />
Register before<br />
January 6, 2009,<br />
and save $200!<br />
February 22–24, 2009 | Scottsdale, AZ<br />
Managed <strong>Care</strong><br />
Compliance Conference<br />
HCCA’s Managed <strong>Care</strong> Compliance Conference provides essential information for individuals involved<br />
<strong>with</strong> the management of compliance at health plans. Plan to attend if you are a compliance professional<br />
from a health plan (all levels from officers to consultants); in-house and external counsel for a health plan;<br />
internal auditor from a health plan; regulatory compliance personnel; or managed care lawyer.<br />
Topics to be covered may include: compliance risk monitoring and auditing; application of Sarbanes Oxley<br />
requirements to non-profit health plans; ethics and building an ethical culture; board involvement in<br />
compliance; Medicare Prescription Drug Plan compliance and audit experience; New York's Medicaid compliance<br />
guidance for managed care plans; and HIPAA privacy and security challenges at health plans.<br />
888-580-8373 | www.hcca-info.org
Speakers<br />
Sharon Anolik<br />
Blue Cross Blue Shield of<br />
California<br />
San Francisco, CA<br />
General Session Speaker:<br />
Hot Topics from the<br />
Medicare & Medicaid<br />
Services<br />
Kim Brandt<br />
Director, Program Integrity Group<br />
Center for Medicare and<br />
Medicaid Services<br />
Baltimore, MD<br />
Elizabeth Browning, CHC<br />
Compliance Manager<br />
Fallon Community <strong>Health</strong> Plan<br />
Worcester, MA<br />
Steve Bunde CPA, CFE, CHC<br />
Sr. Director of Corporate Integrity<br />
& Internal Audit<br />
<strong>Health</strong> Partners<br />
Minneapolis, MN<br />
Leila A. Daiuto<br />
Director, Life Sciences &<br />
<strong>Health</strong>care<br />
Axentis, Inc.<br />
Cleveland, OH<br />
Dorothy DeAngelis<br />
Managing Director<br />
Huron Consulting Group<br />
Charlotte, NC<br />
Anne Doyle<br />
Executive VP/<br />
Chief Compliance Officer<br />
Fallon Community <strong>Health</strong> Plan<br />
Worcester, MA<br />
Lori Dutcher<br />
Vice President Compliance MSSA<br />
Kaiser Foundation <strong>Health</strong> Plan<br />
Pasadena, CA<br />
Libby Easton-May<br />
Manager<br />
Huron Consulting Group<br />
Simsbury, CT<br />
Gary Fitzgerald<br />
Director Compliance &<br />
Regulatory Affairs<br />
Harmony <strong>Health</strong> Plan of IL, Inc.<br />
Chicago, IL<br />
Jeannette Frey<br />
Privacy Officer<br />
Fallon Community <strong>Health</strong> Plan<br />
Waltham, MA<br />
Dan Garcia<br />
Senior Vice President<br />
Kaiser Permanente<br />
Oakland, CA<br />
William Gedman<br />
VP Audit, Fraud & Abuse<br />
UPMC Health Plan<br />
Pittsburgh, PA<br />
Annmarie Gover<br />
Medicare Compliance Officer<br />
Capital BlueCross<br />
Harrisburg, PA<br />
Kim Green<br />
Compliance Officer<br />
Blue Cross Blue Shield of<br />
Minnesota<br />
Minneapolis, MN<br />
Lucia Guidice<br />
Director, Healthcare Advisory<br />
Practice<br />
PricewaterhouseCoopers, LLP<br />
Boston, MA<br />
Jason Hall<br />
Interim Regional Compliance<br />
Officer<br />
Hawaii Region, Kaiser Permanente<br />
Hawaii<br />
Rebecca Learner<br />
Senior VP & Compliance Officer<br />
SCAN Health Plan<br />
Long Beach, CA<br />
Sandra Miller<br />
Director of Government<br />
Compliance<br />
Blue Cross Blue Shield of<br />
Minnesota<br />
St. Paul, MN<br />
Christian Presley<br />
Compliance Officer<br />
Blue Cross Blue Shield of<br />
Massachusetts<br />
Boston, MA<br />
Rick Shackelford<br />
Partner<br />
King & Spalding, LLP<br />
Atlanta, GA<br />
General Session Speaker:<br />
NYS–OMIG Compliance<br />
Guidance for Medicaid<br />
Managed Care<br />
Jim Sheehan<br />
Associate U.S. Attorney<br />
Office of the Medicaid<br />
Inspector General<br />
Albany, NY<br />
Linda Tomaselli<br />
Partner<br />
Epstein Becker & Green PC<br />
Washington, DC<br />
General Session Speaker:<br />
Hot Topics from the<br />
Medicare & Medicaid<br />
Services<br />
Brenda Tranchida<br />
Program Compliance and<br />
Oversight Group, Center for<br />
Drug and Health Plan Choice<br />
Centers for Medicare<br />
and Medicaid Services<br />
Baltimore, MD<br />
Matt Weber<br />
Partner<br />
Holland & Hart LLP<br />
Denver, CO<br />
Deb Ziegler<br />
Corporate Compliance Officer<br />
Capital Blue Cross<br />
Harrisburg, PA<br />
New principles can help advance independent corporate monitoring<br />
By Vincent L. DiCianni<br />
Editor’s note: Vincent L. DiCianni is President<br />
and founder of Affiliated Monitors, Inc. (AMI)<br />
of Boston. Mr. DiCianni may be reached at<br />
617/275-0620 or toll free at 866/201-0903<br />
or by e-mail at vdicianni@affiliatedmonitors.com.<br />
For additional information, please visit the<br />
AMI Web site at www.affiliatedmonitors.com.<br />
As government regulators and federal<br />
and state prosecutors search for<br />
effective alternatives to prosecutions,<br />
they are increasingly using Deferred<br />
Prosecution Agreements (DPAs) or nonprosecution<br />
agreements, which include some<br />
form of monitoring. Unfortunately, the<br />
frequent appointment of former government<br />
officials to serve as monitors has left some<br />
questioning the independence and integrity<br />
of the monitoring process used in such agreements.<br />
To address these concerns, the U.S.<br />
Department of Justice (DoJ) recently issued<br />
a memorandum outlining the “best practice”<br />
principles for choosing monitors.<br />
Explaining the reasons for issuing the<br />
principles in his March 7, 2008 memo to US<br />
attorneys, Acting Deputy Attorney General<br />
Craig S. Morford wrote: “The corporation<br />
benefits from expertise in the area of corporate<br />
compliance from an independent third party.<br />
The corporation, its shareholders, employees<br />
and the public at large then benefit from<br />
reduced recidivism of corporate crime and the<br />
protection of the integrity of the marketplace.” 1<br />
The memo’s intent is to provide “a series of<br />
principles for drafting provisions,” so the<br />
principles are not an end in themselves, but a<br />
guide to potential provisions of an agreement.<br />
The memo’s stated purpose is to provide “only<br />
internal Department of Justice guidance” and a<br />
further limitation notes that the memo “applies<br />
only to criminal matters and does not apply to<br />
agencies other than the Department of Justice.”<br />
Yet the principles stated can also provide useful<br />
guidance for state courts, regulatory agencies,<br />
and other oversight authorities that may use or<br />
advocate the use of monitors.<br />
Standard principles are warranted, as the<br />
use of independent corporate monitors has<br />
become “almost commonplace” 2 in recent<br />
years. Monitors are commonly associated<br />
with DPAs and other pretrial agreements,<br />
which “have been used with more frequency<br />
recently to resolve a wide variety of criminal<br />
investigations, ranging from accounting<br />
fraud to tax fraud to violations of the FCPA<br />
(Foreign Corrupt Practices Act).” 3<br />
Monitors have been used in high-profile<br />
cases involving well-known companies, such<br />
as America Online (AOL), Bristol-Myers<br />
Squibb, and American Insurance Group<br />
(AIG). The Securities and Exchange Commission<br />
(SEC) also is using them frequently<br />
in enforcement actions, such as in its action<br />
against WorldCom. 4<br />
The use of monitors is increasingly common<br />
in state courts as well, and they are sometimes<br />
used in cases when no prosecution is involved.<br />
Monitors have been used in high-profile cases,<br />
such as the 2002 case against Arthur Andersen<br />
executives involved with Enron, 5 but they are<br />
also used by administrative agencies in cases<br />
involving regulatory violations.<br />
So what is a monitor?<br />
An independent corporate monitor is a person<br />
or entity who has in-depth knowledge and<br />
experience with regulatory schemes and oversees<br />
businesses that have been sanctioned for<br />
violating one or more regulations. The monitor’s<br />
role is to provide both oversight to protect<br />
the public and guidance to help the corporation<br />
comply with regulations on an ongoing<br />
basis. The corporation pays the monitor and,<br />
in exchange for agreeing to ongoing oversight,<br />
typically avoids other sanctions, such as<br />
having a license to practice suspended. In this<br />
respect, monitors can help the courts save time<br />
and reduce their backlog, as well as provide<br />
employee compliance training and oversight to<br />
reduce the likelihood of recidivism.<br />
Describing the monitor’s role, the Morford<br />
memo says that, once an agreement is reached<br />
for how to prevent future misconduct, “A<br />
monitor’s primary responsibility is to assess and<br />
monitor a corporation’s compliance with the<br />
terms of the agreement specifically designed to<br />
address and reduce the risk of recurrence of the<br />
corporation’s misconduct, and not to further<br />
punitive goals.” More specifically, the memo<br />
says the monitor should “oversee a company’s<br />
commitment to overhaul deficient controls,<br />
procedures and culture.” 6<br />
Origins of corporate monitoring<br />
Although receiving increasing attention today,<br />
corporate monitoring is not a new concept. It<br />
has its roots in the late 1960s, when monitoring<br />
programs were created to help rehabilitate<br />
juveniles and first offenders. Pilot programs in<br />
Washington, DC and New York City provided<br />
offenders with counseling, training, and job<br />
placement in lieu of prosecution, in the hope<br />
that the programs would reduce recidivism. 7<br />
Corporate monitoring was further inspired<br />
by the federal Inspector General Act of<br />
1978, which created an Inspector General to<br />
prevent and detect fraud, waste, and abuse<br />
for each of 12 major federal civilian agencies.<br />
The Inspector Generals’ combination<br />
of auditing and investigating responsibilities<br />
and statutory guarantee of independence are<br />
key characteristics of today’s independent<br />
corporate monitors. 8<br />
Perhaps the most successful pioneering<br />
program for corporate monitoring is the<br />
Independent Private Sector Inspector General<br />
(IPSIG) program developed in New York in<br />
response to the 1989 report, “Corruption<br />
and Racketeering in the New York City<br />
Construction Industry.” 9 The issuing of the<br />
Federal Sentencing Guidelines in November<br />
1991, shifting policing responsibilities from<br />
the government to the corporation, provided<br />
a boost for the IPSIG model by recommending<br />
less stringent penalties for companies that<br />
took steps to detect and prevent fraud, report<br />
misconduct promptly, and create a culture in<br />
which high-level officials did not participate<br />
in or condone criminal activity. 10<br />
The IPSIG program, which was used to<br />
investigate the theft of scrap materials from<br />
The World Trade Center site after 9-11,<br />
created an ongoing monitoring program<br />
for construction companies with large state<br />
contracts. It requires the contractors to<br />
maintain a 24-hour hotline that employees<br />
and others can use to report any wrongdoing;<br />
it also provides monitors with ongoing access<br />
to financial reports and other records, and to<br />
employees. IPSIG monitors professionals in<br />
the health care, accounting, and insurance<br />
industries, and businesses and individuals that<br />
contract with the state government.<br />
The IPSIG model utilizes private sector<br />
resources and expertise as<br />
“an independent, private sector firm (as<br />
opposed to a governmental agency) that<br />
possesses legal, auditing, investigative, and<br />
loss prevention skills, that is employed<br />
by an organization (i) to ensure that<br />
organization’s compliance with relevant<br />
laws and regulations, and (ii) to deter,<br />
prevent, uncover, and report unethical<br />
and illegal conduct committed by the<br />
organization itself, occurring within the<br />
organization, or committed against the<br />
organization. Notably, an IPSIG may be<br />
hired voluntarily by an organization or<br />
it may be imposed upon an organization<br />
by compulsory process such as a licensing<br />
order issued by a governmental agency, by<br />
court order, or pursuant to the terms of a<br />
deferred prosecution agreement.” 11<br />
The independent monitoring model that has<br />
evolved differs somewhat from the IPSIG<br />
model, which has been criticized by some<br />
who feel that IPSIGs can be too intrusive into<br />
areas of a company that have nothing to do<br />
with the matter at hand.<br />
The increased focus on corporate scrutiny<br />
resulting from the 2001 Enron scandal<br />
created another boost for the use of corporate<br />
monitors. Until recently, “a prosecutor’s<br />
choices, when faced with corporate wrongdoing,<br />
were essentially binary: he or she could<br />
either bring charges or decline prosecution,<br />
with no middle ground allowing for continued<br />
supervision or enforced remediation.” 12<br />
Because of the rigidity of existing standards,<br />
prosecutors sought<br />
“a way that would enable them to exercise<br />
their discretion not to charge a corporation<br />
in appropriate circumstances but<br />
that would, at the same time, give them<br />
sufficient leverage to require significant<br />
changes in corporate culture, compliance<br />
and controls and, as importantly, monitor<br />
those changes for a reasonable period of<br />
time. Thus was born the corporate Deferred<br />
Prosecution Agreement (DPA) and<br />
its adjunct, the independent monitor.” 13<br />
Monitoring the health care profession<br />
Although the DoJ memo focuses specifically<br />
on monitoring in a corporate setting, its<br />
guiding principles and model are applicable<br />
in most regulated businesses and professions.<br />
Monitoring is especially appropriate for highly<br />
regulated, service-intensive industries, such as<br />
the health care industry. And while it has been<br />
used for high-level corporate crime, it also can<br />
be effective for inadvertent and minor regulatory<br />
violations, which have clogged the courts<br />
and regulatory agencies, and have resulted in<br />
delayed and protracted proceedings.<br />
Few regulated businesses face the level of<br />
regulatory obligations and oversight that<br />
medical practitioners face, where a violation<br />
could result in the loss of a license to practice.<br />
In addition to patient care responsibilities,<br />
practitioners must navigate the complexities<br />
of healthcare billing and record-keeping<br />
requirements, Occupational Safety and Health<br />
Administration (OSHA), Health Insurance<br />
Portability and Accountability Act (HIPAA),<br />
October 5–7, 2008<br />
Renaissance Harborplace Hotel | Baltimore, MD<br />
Keynote Speakers:<br />
John D. Ashcroft, Esq. Former U.S. Attorney General, Chairman,<br />
The Ashcroft Group LLC<br />
Kevin O. Connor, Esq., Associate Attorney General, U.S.<br />
Department of Justice<br />
HCCA and AHLA are going green! Attendees will<br />
receive electronic access to the course materials<br />
prior to the program as well as an electronic version<br />
of the materials at the program. Attendees<br />
will not, however, automatically receive a binder.<br />
If you would like to purchase a binder for $45,<br />
please indicate that on the registration form.<br />
HealthCare Appraisers, Inc. and<br />
PricewaterhouseCoopers have provided<br />
sponsorship in support of this program<br />
Health Care Compliance Association<br />
6500 Barrie Road, Suite 250<br />
Minneapolis, MN 55435<br />
888-580-8373 (p) • 952-988-0146 (f)<br />
info@hcca-info.org • www.hcca-info.org<br />
American Health Lawyers Association<br />
Suite 600, 1025 Connecticut Avenue NW<br />
Washington, DC 20036-5405<br />
202-833-1100 (p) • 202-833-1105 (f)<br />
www.heatlhlawyers.org<br />
Register now for HCCA’s<br />
Physician Practice<br />
Compliance Conference<br />
October 1–3, 2008<br />
Philadelphia, PA | Doubletree Hotel Philadelphia<br />
Sponsored by<br />
Visit www.hcca-info.org or call 888-580-8373<br />
General Session Topics and Speakers:<br />
Can Compliance Programs Help Physicians<br />
Improve Quality of Care?<br />
Rory Jaffe, MD, MBA, CHC<br />
President, HCCA Board of Directors<br />
How Compliance Efforts Can Help Avoid<br />
Enforcement Actions<br />
Sean R. McKenna<br />
Assistant U.S. Attorney<br />
Department of Justice<br />
Medicaid Enforcement<br />
James Sheehan<br />
Medicaid Inspector General<br />
New York State Office of the Medicaid Inspector<br />
General<br />
Physician Practice Enforcement Initiatives<br />
Laura Ellis<br />
Senior Counsel<br />
U.S. Department of Health<br />
& Human Services<br />
Office of Counsel &<br />
Office of the Inspector General
General Session Topics and Speakers:<br />
Handling Research Misconduct Correctly: Your First Chance<br />
and Last Chance May Be One and the Same<br />
Jo An Rochez<br />
Senior Attorney<br />
U.S. Department of Health and Human Services<br />
Office of the General Counsel<br />
Counsel to the Office of Research Integrity<br />
Register now for HCCA's<br />
Research<br />
Compliance<br />
Conference<br />
October 20–22, 2008 | Chicago, IL | Westin Michigan Avenue<br />
Research Compliance Oversight in the Department of<br />
Veterans Affairs<br />
Karen M. Smith, PhD<br />
Director, Midwestern Region<br />
VA Office of Research Oversight<br />
Anti-Kickback Stark and Related Fraud & Abuse Issues in<br />
Research: What Every Compliance Officer Needs to Know!<br />
Gadi Weinreich<br />
Partner<br />
Sonnenschein, Nath & Rosenthal<br />
Medicare Contractor’s Perspective on Coverage<br />
Ryan Meade<br />
Partner<br />
Meade & Roach, LLP<br />
Richard K. Baer, MD<br />
Medical Director, Medicare Part A<br />
National Government Services, Inc.<br />
Medicare Prescription Drug<br />
Part D Compliance Conference<br />
December 7–9, 2008<br />
Baltimore, MD | Renaissance Baltimore Harborplace Hotel<br />
Register before<br />
October 17, 2008,<br />
and save $200!<br />
Featuring expert speakers:<br />
Kim Brandt, Director of Program Integrity<br />
Centers for Medicare & Medicaid Services<br />
Cynthia Tudor, Medicare Drug Benefit Group<br />
Centers for Medicare & Medicaid Services<br />
Brenda Tranchida, Centers for Medicare and<br />
Medicaid Services<br />
New principles can help advance independent corporate monitoring ...continued from page 73<br />
Centers for Disease Control (CDC) guidelines,<br />
and other government regulatory obligations<br />
and network provider responsibilities.<br />
A single complaint to a state licensing board<br />
or federal regulatory agency, an intensive peer<br />
review, or an audit by a third-party payer, can<br />
trigger a series of inquiries and investigations<br />
that could lead to loss of network provider<br />
status, suspension or loss of license, loss of<br />
malpractice insurance coverage, steep fines, or<br />
forced closure of a practice.<br />
Today, as an alternative, monitors are being<br />
used with increasing frequency to address<br />
compliance issues in matters involving<br />
provider-patient boundary violations,<br />
Medicaid and Medicare fraud, record keeping<br />
deficiencies, improper delegation of patient-care<br />
functions, over-prescribing of medications,<br />
and many other types of cases.<br />
The Morford Principles<br />
Independent corporate monitors will never be<br />
the right option for every case, but requiring<br />
independent oversight can be appropriate in a<br />
number of instances. In determining whether<br />
a case is suitable for the use of a monitor, the<br />
Morford memo suggests that, “In negotiating<br />
agreements with corporations, prosecutors<br />
should be mindful of both: (1) the potential<br />
benefits that employing a monitor may have<br />
for the corporation and the public, and (2)<br />
the cost of a monitor and its impact on the<br />
operations of a corporation.” 14<br />
When a cost-benefit analysis makes monitoring<br />
a viable option, the Morford memo sets<br />
out nine principles covering the selection of<br />
monitors, scope of duties, communications, and<br />
duration of any agreement to retain monitors.<br />
Selection of monitors<br />
Independence, experience, and integrity<br />
of the monitor are the key elements in the<br />
selection process, as monitoring has come<br />
under justified criticism in some cases where<br />
the independence of the monitor was in<br />
question. Some corporate defense attorneys<br />
have expressed concern over the appointment<br />
of monitors who may not be completely<br />
impartial, and the attorneys have maintained<br />
that monitors who are put in place by government<br />
officials represent government agencies<br />
to the potential detriment of corporations.<br />
For example, the US Attorney for the District<br />
of New Jersey, Christopher Christie, who<br />
worked for former US Attorney General John<br />
Ashcroft, came under scrutiny recently for<br />
appointing Ashcroft as a monitor for Zimmer<br />
Holdings. 15 In addition to the perceived conflict,<br />
critics cited the cost, which is predicted to<br />
range between $28 million and $52 million. 16<br />
When the deal came to light, the chairmen<br />
of the US Senate and House Judiciary<br />
Committees requested an inquiry by the US<br />
Government Accountability Office. Soon<br />
after, US Congressman Frank Pallone (D-NJ)<br />
introduced legislation that would require the<br />
Attorney General to issue guidelines to help<br />
determine when US attorneys should enter<br />
into a DPA. 17 The action may have influenced<br />
the decision by the Office of the Deputy<br />
Attorney General to issue the memo containing<br />
principles for appointing monitors. The<br />
Morford memo focuses on the application of<br />
criteria for preventing such conflicts.<br />
Given the monitor’s responsibilities, it is vital<br />
that monitors be impartial when performing<br />
their duties. Biases are typically the result of<br />
the unilateral selection of monitors, which<br />
would be avoided by following the DoJ’s principles.<br />
A monitor’s independence is, of course,<br />
as important as the independence of a judge<br />
or juror. Monitoring should be considered as a<br />
valid legal option only when a monitor can be<br />
appointed whose independence is established.<br />
As such, the memo’s principles begin <strong>with</strong> the<br />
following:<br />
Principle 1. “Before beginning the process<br />
of selecting a monitor in connection with<br />
deferred prosecution agreements and nonprosecution<br />
agreements, the corporation and<br />
the Government should discuss the necessary<br />
qualifications for a monitor based on the<br />
facts and circumstances of the case.”<br />
While recognizing that flexibility is necessary,<br />
the DoJ memo also notes the necessity for<br />
the monitor to be truly independent. The<br />
principle enunciated requires that monitors<br />
be selected based on their merits, rather than<br />
being political appointments. The selection<br />
process must, “at a minimum, be designed<br />
to: (1) select a highly qualified and respected<br />
person or entity based on suitability for the<br />
assignment and all of the circumstances;<br />
(2) avoid potential and actual conflicts of<br />
interests, and (3) otherwise instill public<br />
confidence by implementing the steps set<br />
forth in this Principle.”<br />
The memo requires that certain steps be<br />
taken during the selection process. Those<br />
steps include:<br />
• Attorneys selecting monitors must comply<br />
with the conflict-of-interest guidelines set<br />
forth in 18 U.S.C. § 208 and 5 C.F.R.<br />
Part 2635.<br />
• US Attorneys and Assistant Attorneys<br />
General cannot unilaterally select monitors,<br />
or accept or veto their selection.<br />
• No monitor will be appointed who has an<br />
interest in, or relationship with, the corporation<br />
or its employees, officers or directors<br />
“that would cause a reasonable person to<br />
question the monitor’s impartiality.”<br />
• The corporation cannot employ or be affiliated<br />
with the monitor for at least a year<br />
after the monitoring relationship ends.<br />
Letter from CEO ...continued from page 19<br />
• Microsites<br />
o User definable Websites<br />
o Can be used for special interest<br />
groups<br />
o Easy to set up, although<br />
they have somewhat limited<br />
flexibility<br />
• Event Calendar<br />
o Highlight by event type<br />
o Filter events by location<br />
o Search the calendar by keyword<br />
This is one of the biggest advantages to<br />
compliance professionals to come along<br />
in many years. Our profession will be<br />
more effective and successful. Many<br />
other professions have yet to adopt this<br />
technology. The key to its success is<br />
simply a numbers game, particularly for<br />
small special interest groups. If small<br />
groups don’t get enough people to<br />
participate, questions will go unanswered,<br />
documents will not be shared<br />
as effectively, etc. Do whatever you can<br />
to support the compliance community<br />
and become involved. Each group will<br />
benefit only if there are an adequate<br />
number of people to participate. I have<br />
been getting complaints for years from<br />
people who say “All I hear about is the<br />
hospital perspective.” I agree more must<br />
be done. In some ways, the ball is in<br />
their court. This is an obvious case of,<br />
“If you don’t give, you will not receive.”<br />
This will be a great step in the right<br />
direction.<br />
Reprinted from Journal of Health Care<br />
Compliance, Volume 10, Number 5,<br />
September-October 2008, pages 3-4,<br />
with permission from CCH and Aspen<br />
Publishers, WoltersKluwer businesses,<br />
New York, NY, 1-800-638-8437,<br />
www.aspenpublishers.com.<br />
CHRC<br />
certified in<br />
healthcare<br />
Research<br />
compliance<br />
The Research Compliance<br />
Professional’s Certification<br />
The CCB Research Compliance Certification exam will be available in<br />
all 50 U.S. states. Join your peers and become Certified in Healthcare<br />
Research Compliance (CHRC).<br />
Enjoy the benefits of CHRC<br />
certification:<br />
• Demonstrate professional<br />
standards and status<br />
for healthcare research<br />
compliance professionals<br />
• Heighten the credibility of<br />
compliance practitioners and<br />
the compliance programs<br />
staffed by these certified<br />
professionals<br />
• Ensure that each certified<br />
practitioner has the knowledge<br />
base necessary to perform the<br />
compliance function<br />
• Facilitate communication with<br />
other industry professionals,<br />
such as government officials<br />
and attorneys<br />
• Demonstrate the hard work<br />
and dedication necessary to<br />
succeed in the compliance<br />
field<br />
For more information<br />
on how you can<br />
become CHRC<br />
Certified, please call<br />
888-580-8373 or<br />
e-mail<br />
ccb@hcca-info.org.<br />
Congratulations on achieving CHRC<br />
status! The Compliance Certification Board<br />
announces that the following individuals<br />
have recently successfully completed the<br />
Certified in Healthcare Research Compliance<br />
examination, earning CHRC designation:<br />
Ofer Amit<br />
Marti Arvin<br />
Thomas Bechert<br />
Brenda Chapman<br />
Dwight Claustre<br />
Kendra Dimond<br />
John Falcetano<br />
Susan Golembeski<br />
Joy Hardee<br />
Lucinda Hopewell<br />
Stuart Horowitz<br />
Lori Kam<br />
Carole Klove<br />
Heather Kopeck<br />
Amy Latulipe<br />
Sarah McHugh<br />
Angela McMahill<br />
Ryan Meade<br />
Stacey Medeiros<br />
Rachel Nosowsky<br />
Mary Prather<br />
Terry Reeves<br />
Barbara Scott<br />
Jonathan Seltzer<br />
Lindsay Sondergeld<br />
Katherine Tarvestad<br />
Debbie Troklus<br />
Sheryl Vacca<br />
Kelly Willenberg<br />
The certification in Healthcare Research Compliance (CHRC) is<br />
developed and managed by the Compliance Certification Board (CCB)<br />
New principles can help advance independent corporate monitoring ...continued from page 77<br />
The memo notes that no one method of selection<br />
will cover every case, because a monitor’s<br />
role may vary. However, whatever method is<br />
used, the government should determine what<br />
selection process is most effective as early in<br />
the negotiations as possible, and “endeavor to<br />
ensure that the process is designed to produce<br />
a high-quality and conflict-free monitor and<br />
to instill public confidence.” 18<br />
The memo suggests that both sides in the<br />
matter discuss what role the monitor will<br />
play, and the skills and experience needed.<br />
The memo anticipates that, depending on the<br />
case, monitors may include former government<br />
attorneys, accountants, technical or<br />
scientific experts, and compliance experts.<br />
It recommends that at least three qualified<br />
candidates be considered in each case.<br />
Scope of Duties<br />
Critics of monitoring also express concern over<br />
the authority of the monitor. In some cases,<br />
monitors have been able to override the decision-making<br />
authority of the company CEO<br />
and the Board of Directors. In the WorldCom<br />
case, for example, the monitor participated<br />
in the company’s business operations and was<br />
described unofficially as a company executive.<br />
19 To address these concerns, the Morford<br />
memo spells out the breadth of the monitors’<br />
responsibilities to prevent the monitor from<br />
overstepping his or her authority, while also<br />
reinforcing the monitor’s independence.<br />
Principle 2. “A monitor is an independent<br />
third-party, not an employee or agent of the<br />
corporation or of the Government.”<br />
By definition, the independent monitor is<br />
distinct and independent from the directors,<br />
officers, employees, and other representatives<br />
of the corporation. The monitor is not the<br />
corporation’s attorney. Similarly, the monitor<br />
is not an arm of the government. While open<br />
dialogue with the monitor throughout the<br />
agreement is essential, all parties must understand<br />
the corporation cannot seek legal advice<br />
from the monitor, nor can the government<br />
direct the monitor.<br />
Principle 3. “A monitor’s primary responsibility<br />
should be to assess and monitor a<br />
corporation’s compliance with those terms of<br />
the agreement that are specifically designed<br />
to address and reduce the risk of recurrence<br />
of the corporation’s misconduct, including,<br />
in most cases, evaluating (and where appropriate,<br />
proposing) internal controls and<br />
corporate ethics and compliance programs.”<br />
The type of misconduct being monitored and<br />
the skills required of the monitor will vary<br />
from one case to another, but a common<br />
thread in any case where the use of an<br />
independent monitor is under consideration<br />
is the existence of an effective compliance<br />
program. As such, “A monitor’s primary<br />
role is to evaluate whether a corporation has<br />
both adopted and effectively implemented<br />
ethics and compliance programs to address<br />
and reduce the risk of recurrence of the<br />
corporation’s misconduct. A well-designed<br />
corporate code of ethics and compliance<br />
program that is not effectively implemented<br />
will fail to lower the risk of recidivism.” 20<br />
The memo recommends that the corporation<br />
should design its own compliance program,<br />
but subject to the monitor’s “input, evaluation<br />
and recommendations.”<br />
Principle 4. “In carrying out his or her<br />
duties, a monitor will often need to<br />
understand the full scope of the corporation’s<br />
misconduct covered by the agreement,<br />
but the monitor’s responsibilities should be<br />
no broader than necessary to address and<br />
reduce the risk of recurrence of the corporation’s<br />
misconduct.”<br />
In other words, the role of the monitor should<br />
be clearly defined and focused on reducing the<br />
risk of recurring misconduct. According to the<br />
memo,<br />
“Neither the corporation nor the public<br />
benefits from employing a monitor whose<br />
role is too narrowly defined (and, therefore,<br />
prevents the monitor from effectively<br />
evaluating the reforms intended by the<br />
parties) or too broadly defined (and,<br />
therefore, results in the monitor engaging<br />
in activities that fail to facilitate the corporation’s<br />
implementation of the reforms<br />
intended by the parties).”<br />
Just as a business is more likely to succeed<br />
when it has a business plan <strong>with</strong> clearly<br />
defined goals, corporate monitors will be<br />
more likely to succeed if their duties and ultimate<br />
goals are clearly defined. The scope of<br />
the monitor’s duties should be fully described<br />
in the terms of the agreement.<br />
The memo points out that an understanding<br />
of historical misconduct may inform a<br />
monitor’s evaluation of the effectiveness of the<br />
corporation’s compliance <strong>with</strong> the agreement.<br />
Communication<br />
How and what a monitor communicates<br />
to the government agency prosecuting the<br />
case or the corporation being monitored<br />
can be challenging. The monitor must<br />
maintain impartiality, while keeping in<br />
mind the ultimate goal of helping the<br />
corporation to achieve ongoing regulatory<br />
compliance.<br />
What happens, though, when the monitor<br />
discovers previously unknown misconduct?<br />
And what if the corporation is lax in following<br />
the monitor’s recommendations?<br />
As outlined in the Morford memo, communication<br />
on any wrongdoing is, of course,<br />
necessary, but so is communication of<br />
progress made by the corporation. Reporting<br />
is a key responsibility of the monitor.<br />
Principle 5. “Communication among<br />
the Government, the corporation and the<br />
monitor is in the interest of all the parties.<br />
Depending on the facts and circumstances,<br />
it may be appropriate for the monitor to<br />
make periodic written reports to both the<br />
Government and the corporation.”<br />
Among the issues the monitor is likely to<br />
cover in a monitoring report about the party<br />
to be monitored are:<br />
• The progress of the corporation;<br />
• The degree of cooperation provided;<br />
• Whether the corporation is complying<br />
<strong>with</strong> the terms of the agreement and its<br />
internal compliance program; and<br />
• Any recommended changes that would<br />
help achieve compliance.<br />
Principle 6. “If the corporation chooses not<br />
to adopt recommendations made by the<br />
monitor <strong>with</strong>in a reasonable time, either<br />
the monitor or the corporation, or both,<br />
should report that fact to the Government,<br />
along <strong>with</strong> the corporation’s reasons. The<br />
Government may consider this conduct when<br />
evaluating whether the corporation has<br />
fulfilled its obligations under the agreement.”<br />
If the corporation declines to adopt a recommendation<br />
by the monitor, the Government<br />
should consider both the monitor’s recommendation<br />
and the corporation’s reasons<br />
in determining whether the corporation is<br />
complying <strong>with</strong> the agreement. A flexible<br />
timetable should be established to ensure that<br />
both a monitor’s recommendations and the<br />
corporation’s decision to adopt or reject them<br />
are made well before the expiration of the<br />
agreement. Sometimes the implementation<br />
of a recommendation is cost prohibitive;<br />
other times, it may interfere <strong>with</strong> legitimate<br />
business purposes. The agreement must be<br />
flexible enough to address potential barriers<br />
to full implementation of the monitor’s<br />
recommendations.<br />
Principle 7. “The agreement should clearly<br />
identify any types of previously undisclosed<br />
or new misconduct that the monitor<br />
will be required to report directly to the<br />
Government. The agreement should also<br />
provide that as to evidence of other such<br />
misconduct, the monitor will have the<br />
discretion to report this misconduct to the<br />
Government or the corporation or both.”<br />
In many cases, when the monitor discovers<br />
new misconduct, it should be reported<br />
directly to the government and not to the<br />
corporation, particularly if the behavior is<br />
substantive and:<br />
• poses a risk to public health or safety or<br />
the environment;<br />
• involves senior management of the corporation;<br />
• involves obstruction of justice;<br />
• involves criminal activity that the government<br />
has the opportunity to investigate<br />
proactively and/or covertly; or<br />
• otherwise poses a substantial risk of harm.<br />
However, the monitor should use some<br />
discretion in determining whether to report<br />
allegations that may not be credible or that<br />
involve actions outside the scope of the<br />
corporation’s business.<br />
Duration<br />
The memo notes that “any guidance regarding<br />
monitors must be practical and flexible.” That<br />
flexibility extends to the duration of the agreement.<br />
In some cases, extending the agreement<br />
may be warranted. Likewise, there may be<br />
circumstances in which the monitoring agreement<br />
should be terminated early or altered. The<br />
Morford memo anticipates both circumstances.<br />
Principle 8. “The duration of the agreement<br />
should be tailored to the problems that<br />
have been found to exist and the types of<br />
remedial measures needed for the monitor<br />
to satisfy his or her mandate.”<br />
Criteria to consider when determining how<br />
long the agreement should last include:<br />
• the nature and seriousness of the misconduct;<br />
• the pervasiveness and duration of misconduct;<br />
• the involvement of senior management;<br />
• the corporation’s history of misconduct;<br />
• the corporate culture;<br />
• the scale and complexity of any remedial<br />
measures, factoring in the size of the business;<br />
and<br />
• any progress in implementing remedial<br />
measures before the monitoring agreement<br />
begins.<br />
Principle 9. “In most cases, an agreement<br />
should provide for an extension of the<br />
monitor provision(s) at the discretion of the<br />
Government in the event that the corporation<br />
has not successfully satisfied its obligations<br />
under the agreement. Conversely, in<br />
most cases, an agreement should provide<br />
for early termination if the corporation can<br />
demonstrate to the Government that there<br />
exists a change in circumstances sufficient to<br />
eliminate the need for a monitor.”<br />
A monitoring agreement may be extended if<br />
warranted by circumstances, such as when a<br />
compliance program has not yet been fully<br />
implemented. Conversely, the agreement<br />
may end early when warranted as well, such<br />
as when a business unit responsible for<br />
misconduct ceases operations.<br />
When to use a monitor<br />
Although some argue the new DoJ guidelines may not go far enough<br />
to ensure uniformity in DPAs themselves, 21 taken as a whole, even<br />
critics of monitoring likely will see value in considering the principles<br />
for choosing an independent monitor as described in the Morford<br />
memo. For example, some commentators who view monitoring as<br />
an intrusion on corporate board authority wrote that, “The Morford<br />
memo does, at a minimum, provide counsel <strong>with</strong> some new arguments<br />
when negotiating <strong>with</strong> prosecutors over whether or not such a<br />
monitorship is appropriate in a particular case, and, if so, how such<br />
monitors should be selected, supervised and compensated, and what<br />
the scope and term of their monitoring activities should be.” 22<br />
In practice, the Morford guidelines should help standardize corporate<br />
monitoring, while at the same time, allow the degree of flexibility<br />
needed to accommodate a broad range of cases. As a result,<br />
the new guidelines could foster confidence in monitoring by both<br />
prosecutors and defense teams as an alternative method for resolving<br />
both criminal charges and regulatory matters involving businesses<br />
and professionals. The ultimate success will always depend, however,<br />
on the commitment to compliance by the offending party and the<br />
transparent behavior it will be required to demonstrate.<br />
1 Craig S. Morford, Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution<br />
Agreements <strong>with</strong> Corporations, U.S. Department of Justice, Office of the Deputy Attorney General, March 7,<br />
2008.<br />
2 Christopher J. Gunther and Robert M. Pollak, “Scrutiny of Corporate Monitors Is on the Rise,” The National<br />
Law Journal, March 31, 2008.<br />
3 James K. Robinson, Phillip E. Urofsky and Christopher R. Pantel, “Deferred prosecutions and the independent<br />
monitor,” International Journal of Disclosure and Governance, v. 2, #4, September 28, 2005.<br />
4 Jennifer O’Hare, “The Use of the Corporate Monitor in SEC Enforcement Actions,” Villanova School of Law,<br />
paper 106, The Berkeley Electronic Press, 2008.<br />
5 Tittle v. Enron Corp., 284 F.Supp. 2d 511, 553 n.59 (S.D.Tex. 2003).<br />
6 Morford memo, supra note 1.<br />
7 Harvard Law Review Association, “Developments in the law: Alternatives to incarceration,” Harvard Law<br />
Review, 111, 1863, 1902 (1998).<br />
8 Stanley N. Lupkin and Edgar J. Lewandowski, “Independent Private Sector Inspectors General: Privately<br />
Funded Overseers of the Public Integrity,” NY Litigator Journal, v. 10, #1, Summer 2005.<br />
9 Id.<br />
10 Id.<br />
11 International Association of Independent Private Sector Inspectors General, www.iaipsig.org.<br />
12 Robinson, et al., supra note 3.<br />
13 James K. Robinson, Phillip E. Urofsky and Christopher R. Pantel, “Deferred prosecutions and the independent<br />
monitor,” International Journal of Disclosure and Governance, v. 2, #4, September 28, 2005.<br />
14 Morford memo, supra note 1.<br />
15 Terry Frieden, CNN Money, “Deals For Corporate Monitors Reined in By Justice Department,” March 10,<br />
2008.<br />
16 Philip Shenon, “Ashcroft Deal Brings Scrutiny in Justice Dept.,” The New York Times, page A1, Jan. 10,<br />
2008.<br />
17 H.R. 5086, currently in the Judiciary Committee, http://www.house.gov/list/press/nj06_pallone/pr_jan22_<br />
deferredpros.html.<br />
18 Morford memo, supra note 1.<br />
19 Jennifer O’Hare, “The Use of the Corporate Monitor in SEC Enforcement Actions,” Villanova School of Law,<br />
paper 106, The Berkeley Electronic Press, 2008.<br />
20 Morford memo, supra note 1.<br />
21 See Hearing on Deferred Prosecution: Should Corporate Settlement Agreements Be Without Guidelines,<br />
March 11, 2008 (statement of Judiciary Committee Chairman John Conyers, Jr. (D-NJ)).<br />
22 John F. Savarese and David B. Anders, “DOJ Issues Memo on Corporate Monitors,” Directorship, April 28,<br />
2008.<br />
Compliance Today Editorial Board<br />
The following individuals make up the Compliance Today Editorial Advisory Board:<br />
Gabriel Imperato, JD, CHC<br />
CT Contributing Editor<br />
Managing Partner<br />
Broad and Cassel<br />
Eric Klavetter, JD, MS, MA<br />
Privacy and Compliance Officer<br />
Mayo Clinic<br />
Lisa Silveria, RN BSN<br />
Home <strong>Care</strong> Compliance<br />
Catholic <strong>Health</strong>care West<br />
Christine Bachrach, CHC<br />
Senior Vice President –<br />
Compliance Officer<br />
<strong>Health</strong>South<br />
F. Lisa Murtha, JD, CHC<br />
Managing Director<br />
Huron Consulting Group<br />
Jeffrey Sinaiko<br />
President<br />
Sinaiko <strong>Health</strong>care Consulting, Inc.<br />
Bonnie-Lou Bennig<br />
Director of Corporate Compliance<br />
& Quality Improvement<br />
Vanguard <strong>Health</strong>care Services, LLC<br />
Deborah Randall, JD<br />
Partner<br />
Arent Fox LLP<br />
José A. Tabuena,<br />
JD, CFE, CHC<br />
VP Integrity and Compliance/<br />
Corporate Secretary<br />
MedicalEdge <strong>Health</strong>care Group, Inc.<br />
Cynthia Boyd, MD, MBA<br />
Associate Vice President<br />
Chief Compliance Officer<br />
Rush University Medical Center<br />
Kirk Ruddell, CHC, MBA<br />
Compliance Officer<br />
Island Hospital<br />
Debbie Troklus, CHC, CCEP<br />
Assistant Vice President for<br />
<strong>Health</strong> Affairs/Compliance<br />
University of Louisville<br />
School of Medicine<br />
Becky Cornett, PhD, CHC<br />
Director, Fiscal Integrity<br />
Finance Administration<br />
The Ohio State University<br />
Medical Center<br />
James G. Sheehan, JD<br />
New York State<br />
Medicaid Inspector General<br />
Cheryl Wagonhurst, JD, CCEP<br />
Partner<br />
Foley & Lardner LLP<br />
David Hoffman, JD<br />
President<br />
David Hoffman & Associates<br />
ASK LEADERSHIP<br />
John asks the leadership<br />
<strong>your</strong> questions<br />
Editor’s note: John Falcetano,<br />
CCEP, CHC-F, CHRC is Chief<br />
Audit/Compliance Officer for<br />
University <strong>Health</strong> Systems of<br />
Eastern Carolina and a long-time<br />
member of HCCA. This column<br />
has been created to give members the opportunity to submit their<br />
questions by e-mail to jfalcetano@suddenlink.net and have John<br />
contact members of HCCA leadership for their response.<br />
John Falcetano<br />
Question: What is the difference between attorney-client<br />
protection/privilege and attorney-client work product? Does it<br />
make a difference if you get legal advice from in-house counsel or<br />
external counsel when you identify a potential compliance issue?<br />
The answer was provided by Frank E. Sheeder III, JD, CCEP, Partner,<br />
Jones Day and member of the HCCA Board of Directors<br />
Both of these doctrines are long-standing ways to protect the confidentiality<br />
of communications between lawyers and clients, and the work that<br />
lawyers and their agents generate. The attorney-client privilege generally<br />
protects communications between a client and an attorney where the<br />
client is seeking, and the lawyer is providing, legal advice. The privilege<br />
dates back to Elizabethan times (the 1500s) and is designed to facilitate<br />
the candid exchange of facts, which should lead to better legal advice.<br />
If clients were not assured that the information they shared <strong>with</strong> their<br />
lawyers, and the ensuing discussions, were not confidential, this would<br />
have a chilling effect on the efficacy of the legal advice process.<br />
The attorney work product doctrine protects the confidentiality of an<br />
attorney’s thought processes, analyses, memoranda, notes, and the like. It<br />
is likewise designed to facilitate the rendition of legal advice. In the health<br />
care compliance realm, it is important to note that when attorneys engage<br />
consultants or experts to assist them in rendering legal advice, their work<br />
can be protected under the auspices of the work-product doctrine.<br />
It does not make any difference whether you get advice from an in-house<br />
lawyer or outside counsel when you identify a potential compliance issue.<br />
The important thing is for compliance professionals to recognize<br />
circumstances in which it is prudent to seek legal advice.<br />
Corruption<br />
enforcement actions<br />
target foreign doctors<br />
and hospital employees<br />
By Robert Christopher Cook, JD and Louis P. Gabel, JD<br />
Editor’s note: Christopher Cook is a partner<br />
<strong>with</strong> the international law firm Jones Day in<br />
Washington, DC, where he advises clients<br />
regarding compliance <strong>with</strong> the Foreign Corrupt<br />
Practices Act. He may be reached by telephone<br />
at 202/879-3734 or by e-mail at christophercook@JonesDay.com.<br />
Louis Gabel has recently accepted a position as an<br />
Assistant United States Attorney in Detroit, Michigan.<br />
He was an associate at Jones Day in Washington,<br />
DC at the time this article was written.<br />
Companies <strong>with</strong> operations outside<br />
the United States, including health<br />
care suppliers and providers, are<br />
increasingly at risk of being investigated or<br />
prosecuted for corruption that occurs in<br />
foreign marketplaces. The US Department<br />
of Justice (DoJ) and the Securities and<br />
Exchange Commission (SEC) are the government<br />
agencies <strong>with</strong> authority to conduct<br />
enforcement investigations and institute<br />
criminal or civil actions pursuant to the<br />
Foreign Corrupt Practices Act (FCPA). Both<br />
have stepped up scrutiny of corrupt foreign<br />
dealings across all industries. The health care<br />
industry is a particularly ripe target for such<br />
investigations.<br />
<strong>Health</strong> care companies face an acute risk of<br />
exposure to public corruption (and attendant<br />
enforcement investigations) due to their sales<br />
and marketing in foreign countries because<br />
health care customers in those countries are<br />
oftentimes government-owned hospitals or<br />
government-employed physicians. When<br />
physicians and hospital employees are in a<br />
position to influence purchasing decisions,<br />
payments or gifts that could influence their<br />
judgment run the risk of being considered<br />
unlawful under the FCPA. <strong>Health</strong> care<br />
companies thus must endeavor to create compliance<br />
programs and controls that are robust<br />
enough to minimize the risk of violating the<br />
FCPA or other public corruption laws when<br />
dealing <strong>with</strong> such situations. They must also<br />
be prepared to act decisively and swiftly once<br />
a potential violation is discovered.<br />
The good news is that health care companies<br />
are in a better position than many to address<br />
these issues overseas. Laws governing physician<br />
relationships in the United States, such<br />
as the Anti-kickback Statute and the Stark<br />
Law, are similar in many important respects<br />
to the FCPA. To the extent that health<br />
care companies have in place policies and processes<br />
to comply <strong>with</strong> such requirements in<br />
the United States, they are closer to ensuring<br />
FCPA compliance overseas.<br />
Anti-corruption laws<br />
The FCPA makes it a crime to pay, offer,<br />
authorize, or promise to award anything of<br />
value to a foreign government official in order<br />
to assist in obtaining business. The FCPA<br />
applies to companies <strong>with</strong> formal ties to the<br />
United States and those who take action in<br />
furtherance of a violation while in the United<br />
States. Companies and individuals who are<br />
otherwise subject to the FCPA can even be<br />
held liable for bribes paid to foreign officials<br />
if no actions or decisions take place <strong>with</strong>in<br />
the United States. That is, the FCPA controls<br />
the conduct of US persons and US companies<br />
anywhere in the world. As a result, the FCPA<br />
potentially applies to a wide range of companies<br />
and individuals who have expanded their<br />
operations beyond this country’s borders.<br />
Criminal penalties under the FCPA can reach<br />
$2 million per violation, and individuals can<br />
face up to five years in prison per violation.<br />
In addition to criminal liability, civil penalties<br />
can include a fine of up to $500,000 per<br />
violation or disgorgement of profits that were<br />
obtained as a result of the violation. Other<br />
consequences could follow from an FCPA<br />
conviction, such as exclusion from certain<br />
federal programs (including Medicare and<br />
Medicaid) or ineligibility to receive export<br />
licenses.<br />
In addition to US anti-corruption laws such<br />
as the FCPA, an increasing number of foreign<br />
countries have enacted laws aimed at curbing<br />
bribery. For instance, the thirty member<br />
countries of the Organisation for Economic<br />
Co-operation and Development (OECD)<br />
and five non-member countries adopted<br />
the Convention on Combating Bribery of<br />
Foreign Public Officials in International<br />
Transaction in 1997. The OECD Convention<br />
obligates these signatory countries to enact<br />
and enforce laws similar to the United States’<br />
FCPA. Similarly, 170 countries have now<br />
signed on to the United Nations Convention<br />
against Corruption, which contains<br />
measures for preventing and criminalizing<br />
corruption. China in particular has become<br />
more aggressive in its attempts to stamp out<br />
public corruption, <strong>with</strong> top Chinese officials<br />
announcing that the country’s anti-corruption<br />
efforts were to be treated as a top priority.<br />
Indeed, in July 2007, China executed the<br />
former head of China’s Food and Drug<br />
Administration for taking bribes from eight<br />
drug companies.<br />
Enforcement actions in health care<br />
Recent enforcement actions by the DoJ and<br />
SEC demonstrate the peril that health care<br />
providers and suppliers face when conducting<br />
business in foreign marketplaces.<br />
In June 2008, AGA Medical Corporation<br />
agreed to pay a $2 million criminal penalty<br />
and entered into a Deferred Prosecution<br />
Agreement (DPA) <strong>with</strong> the DoJ to settle a<br />
criminal investigation of potential FCPA<br />
violations. AGA Medical, a privately-held<br />
medical device manufacturer that employs<br />
approximately 350 people worldwide, was<br />
charged <strong>with</strong> two counts (one alleging that it<br />
conspired to violate the FCPA and the other<br />
alleging that it actually did violate the FCPA)<br />
in connection <strong>with</strong> bribes paid to doctors<br />
and patent office officials in China. According<br />
to the DoJ’s allegations, AGA Medical<br />
employees authorized AGA Medical’s Chinese<br />
distributor to make payments to doctors in<br />
government-owned hospitals to encourage<br />
them to purchase the company’s products<br />
over those of its competitors. The payments,<br />
which were called “commissions” by the<br />
distributor, spanned from 1997 through 2005<br />
and totaled at least $460,000. AGA Medical’s<br />
sales in China for that time totaled approximately<br />
$13.5 million. The DoJ also alleged<br />
that, between 2000 and 2002, AGA Medical<br />
agreed to make corrupt payments through<br />
the same Chinese distributor to Chinese<br />
government officials employed in the State<br />
Intellectual Property Office in order to secure<br />
approval for AGA Medical’s patents.<br />
Along <strong>with</strong> the payment of the $2 million<br />
penalty, a three-year DPA requires AGA Medical<br />
to appoint an independent compliance<br />
monitor who must be approved by the DoJ.<br />
It also requires AGA Medical to continue its<br />
implementation of corporate compliance and<br />
ethics programs throughout the company’s<br />
operations, including its contractors and<br />
subcontractors. The compliance obligations<br />
of the DPA apply to any successor company<br />
that acquires the business or assets of AGA<br />
Medical. The DoJ cited the company’s<br />
voluntary self-disclosure and thorough review<br />
of the improper payments, the company’s<br />
cooperation <strong>with</strong> the DoJ’s investigation, and<br />
the company’s implementation of enhanced<br />
compliance policies as factors that influenced<br />
the agency’s decision to defer prosecution.<br />
In September 2007, the SEC filed a civil<br />
injunctive action against Monty Fu, the<br />
former chairman of Syncor International<br />
Corp., stemming from payments Syncor’s<br />
subsidiary made to doctors employed by<br />
government-owned hospitals in Taiwan<br />
between 1985 and 2002. The payments,<br />
which amounted to commissions and referral<br />
fees for the doctors, averaged over $170,000<br />
per year from 1997 through 2002. They were<br />
recorded as “advertising and promotions”<br />
expenses in the subsidiary’s accounting books<br />
and records. The SEC alleged that Mr. Fu was<br />
aware that such payments were being made<br />
and did not exercise his authority to ensure<br />
that appropriate accounting controls were in<br />
place and to make sure that such payments<br />
were executed and recorded in compliance<br />
<strong>with</strong> the FCPA. Mr. Fu consented to a final<br />
judgment imposing a permanent injunction<br />
and a civil penalty of $75,000.<br />
In 2005, the DoJ undertook separate<br />
enforcement actions against two medical<br />
equipment companies, Micrus Corporation<br />
and the Chinese subsidiary of Diagnostic<br />
Products Corporation (DPC), for payments<br />
those companies made to doctors and<br />
hospital personnel working in government-owned<br />
hospitals. In each case, the payments<br />
were made in order to influence the hospitals’<br />
purchasing decisions. Citing Micrus’ self-disclosure<br />
of the matter, the DoJ declined<br />
to charge the company criminally, instead<br />
entering into a two-year DPA under which<br />
Micrus was required to pay $450,000 in<br />
civil penalties and adopt an FCPA internal<br />
compliance program. DPC’s subsidiary was<br />
charged by the DoJ. It pled guilty and paid a<br />
$2 million criminal fine. DPC itself settled a<br />
related civil action by the SEC for $2.8 million,<br />
an amount that equaled the company’s<br />
net profit in China, plus interest, for the<br />
period of alleged misconduct. DPC was also<br />
required to adopt internal compliance policies<br />
and hire an independent consultant to audit<br />
and monitor its adherence to these policies.<br />
Compliance considerations<br />
<strong>Health</strong> care companies can reduce their risk of<br />
running afoul of the FCPA and enduring the<br />
scrutiny of an enforcement investigation by<br />
taking several discrete, yet meaningful, steps.<br />
First, companies should review their current<br />
compliance and ethics policies to ensure that<br />
they adequately detect and prevent violations<br />
of the FCPA. Particular attention should be<br />
given to areas <strong>with</strong>in the company that are<br />
most likely at risk of violating the FCPA, such<br />
as marketing and sales personnel whose customers<br />
include foreign doctors or hospitals.<br />
The company’s policies should make clear<br />
what constitutes appropriate (and inappropriate)<br />
marketing and sales activity when<br />
dealing <strong>with</strong> such customers. Again, health<br />
care companies likely have such policies in<br />
place already for US operations and will only<br />
need to modify and extend these policies, as<br />
necessary, to foreign operations.<br />
Second, companies should ensure that their<br />
employees receive training on compliance <strong>with</strong><br />
anti-corruption laws, including the FCPA, and<br />
document the fact that the company has provided<br />
such training. Employees who are in a<br />
position to make payments to foreign officials<br />
should certify that they know the company’s<br />
Category B Device<br />
Trials: Looking<br />
backward and forward<br />
By Sumathy Sundarababu, PhD<br />
Editor’s note: Sumathy Sundarababu is Clinical<br />
Trial Manager in the Office of Clinical Trials,<br />
New York University Medical Center, Veterans Administration<br />
Hospital in New York City. Sumathy<br />
may be reached by e-mail at sumathy.sundarababu@nyumc.org<br />
or by phone at 212-263-4206.<br />
Today we are witnessing a significant<br />
increase in the number of device trials<br />
all over the country. Device trials<br />
unlock a variety of compliance and regulatory<br />
issues, leaving many hospitals and healthcare<br />
providers wondering if they should ever take<br />
a risk and run a device trial at their site.<br />
Medicare guidelines specify that a bill may<br />
be submitted for services related to use of<br />
a Category B device, but only if specific<br />
information has been previously submitted<br />
to Medicare and if Medicare has provided<br />
a billing authorization. In some instances,<br />
vendors may choose to provide a device free<br />
of charge to the site. Under those circumstances,<br />
institutional providers have an obligation<br />
to report the no cost item by placing a<br />
token charge in the charge field. By doing so,<br />
hospitals/providers are making sure they are<br />
transparent to the eyes of Medicare, compliant<br />
<strong>with</strong> Medicare billing regulations, and<br />
accomplishing the following four things:<br />
1. Communicating to the contractor that<br />
the provider is not seeking reimbursement<br />
for the no cost item,<br />
2. Reflecting <strong>with</strong> completeness and accuracy<br />
all services provided to the patient,<br />
3. Preventing the claim from being rejected/<br />
denied by system edits that require an<br />
item to be billed in conjunction <strong>with</strong> an<br />
associative procedure, and<br />
4. Assuring that patient and provider are not<br />
held liable for any charges for the no cost<br />
item.<br />
Although many institutional healthcare<br />
providers have developed their own comprehensive<br />
process of auditing, reconciliation,<br />
and monitoring to ensure that billing for<br />
research services is accurate, device trials<br />
continue to be a challenge, even for the most<br />
compliant site. Many sites fear that they<br />
would jeopardize their billing compliance by<br />
receiving reimbursement from Medicare for<br />
the diagnosis-related group (DRG) expenses,<br />
including the cost of the device, for devices<br />
that are already paid by another source.<br />
In the CY 2007 Outpatient Prospective Payment<br />
System (OPPS) Final Rule, a policy was<br />
adopted to pay a hospital less when a device is<br />
provided to them at no cost. CMS expanded<br />
this policy to the Inpatient Prospective Payment<br />
System (IPPS) in the FY 2008 rule.<br />
Under the rule, hospitals will be required<br />
to identify when they receive a replacement<br />
device and CMS will reduce the DRG<br />
payment to reflect the hospital’s lower cost.<br />
However, CMS does not believe that the<br />
IPPS policy should apply to all DRGs and all<br />
situations in which a device is replaced without<br />
cost to the hospital for the device or with<br />
full or partial credit for the removed device.<br />
For this reason, CMS is applying the policy<br />
only to those DRGs under the IPPS where<br />
the implantation of the device determines the<br />
base DRG assignment and situations where<br />
the hospital received a credit equal to 50% or<br />
more of the cost of the device. Heart rhythm-related<br />
Medicare-severity DRGs (MS-DRGs)<br />
are subject to the final policy.<br />
Although CMS acknowledges the fact that<br />
institutional providers are allowed to seek<br />
devices free of charge from the vendors,<br />
Medicare DRG payment doesn’t actually<br />
distinguish devices provided free of charge<br />
from those that are not. In addition, the FY<br />
2008 IPPS rule seems to apply for “replacement<br />
devices” only.<br />
Until CMS comes up with ways to carve out<br />
appropriate charges from the DRG payment<br />
for the “free” devices, the sites have no choice<br />
but to continue following the current Medicare<br />
billing guidelines on the UB-04 form:<br />
1. To place the IDE # of the category B<br />
device in form locator 43 (along with a<br />
description of the investigational device)<br />
on the CMS-1450 paper form, or the<br />
electronic equivalent.<br />
2. For part A, the revenue code 624 (IDE)<br />
must be entered in the form locator 42, or<br />
the electronic equivalent.<br />
3. To place a token charge of $“1” or $“0” on<br />
the claim form for devices provided free<br />
of charge.<br />
4. Physicians must place the IDE # in item<br />
23 of the CMS-1500 claim form, or the<br />
electronic equivalent.<br />
5. Appropriate ICD-9 and CPT/HCPCS<br />
codes that relate to IDE must be reported<br />
on the claim.<br />
6. The modifier Q0 / Q1 must be appended<br />
to the CPT/HCPCS codes.<br />
Furthermore, if CMS is utilizing the annual<br />
cost reports submitted by Institutions to calculate<br />
payment adjustment/carve out device<br />
charges to sites, how do they determine how<br />
much to carve out? How is the implantable<br />
device distinguished from other disposable<br />
surgical supplies (for example, ablation<br />
probes & catheters) that are not an integral<br />
Corruption enforcement actions target foreign doctors and hospital employees<br />
...continued from page 85<br />
part of the device but are required for successful<br />
implantation of the device? Will that reimbursement<br />
be reasonable enough to cover the direct<br />
and indirect costs involved in the surgery<br />
and hospitalization? Will this give rise to<br />
charge compression? Questions like these will<br />
continue to daunt the service providers until<br />
CMS provides further clarification on the<br />
“Medicare cost report.”<br />
On April 14, the Centers for Medicare &<br />
Medicaid Services (CMS) released its fiscal<br />
year (FY) 2009 proposed rule for the hospital<br />
inpatient prospective payment system (PPS).<br />
Comments are due June 13. A final rule will<br />
be released by August 1, and changes will take<br />
effect October 1. The FY 2009 IPPS rule may<br />
hold the key to some of our questions.<br />
The information presented here expresses the views<br />
of the author and not necessarily the Institution’s.<br />
policy against such payments and have not<br />
made any. Additionally, companies should<br />
consider whether agents, distributors, dealers,<br />
and other third-parties who are engaged in<br />
connection with the company’s business operations<br />
should be required to certify in writing<br />
that they will not engage in corrupt activity.<br />
Third, companies should assess the adequacy of<br />
their internal monitoring programs to ensure<br />
that sufficient resources are dedicated to the<br />
implementation and enforcement of the companies’<br />
FCPA policies. As with all compliance<br />
efforts, careful documentation is important,<br />
because it will evidence the company’s commitment<br />
to anti-corruption efforts in the event<br />
a violation does occur and an investigation by<br />
the DoJ or SEC is undertaken.<br />
Fourth, when a potential violation is uncovered,<br />
the company should conduct a prompt,<br />
thorough investigation of relevant facts and<br />
examine whether the problem is isolated or<br />
systemic. As the investigation proceeds, management<br />
should consider whether compliance policies<br />
or practices need modification in light of<br />
what is uncovered, and should determine, with<br />
the assistance of counsel, whether it is appropriate<br />
to disclose the results of the investigation to<br />
the DoJ and SEC.<br />
Even the very best anti-corruption policies<br />
and practices cannot always prevent rogue<br />
employees from violating the law. Nonetheless,<br />
health care companies should recognize<br />
that a little advance effort in anti-corruption<br />
compliance can go a long way in minimizing<br />
the risk of violation, and detecting and<br />
containing such violations if they occur. All of<br />
these are important factors when enforcement<br />
agencies consider a company’s culpability for<br />
the conduct of its employees.<br />
Certification — the recognized mark of a professional ...continued from page 31<br />
Officer with Southcentral Foundation, in<br />
Anchorage, Alaska. “My organization will<br />
fund the continuing education required to<br />
maintain the required certification,” adds<br />
Teicheira.<br />
Bill Hensley, CCEP, Principal<br />
Corporate Compliance Specialist,<br />
Office of Ethics & Compliance<br />
with Medtronic, Inc. in Minneapolis<br />
is not the hiring manager<br />
for the Ethics and Compliance<br />
team, but he points out that a<br />
candidate “with a CCEP would<br />
certainly have an advantage from<br />
my perspective.” Falcetano adds,<br />
“Hiring qualified compliance<br />
professionals is a concern of<br />
many organizations. Being certified<br />
in your profession not only<br />
increases your credibility within<br />
your organization, but also with<br />
your peers.”<br />
Value of compliance certification<br />
Compliance and ethics professionals find<br />
personal and professional value in becoming<br />
compliance and ethics certified. “Credentials<br />
from reputable sources garner respect, from<br />
the industry at large and within organizations,”<br />
says Scichilone. Teicheira agrees.<br />
“Certainly certification has enhanced my<br />
job skills and expanded my knowledge of<br />
compliance. To be clear, I would say that<br />
the education and training that I received<br />
and continue to receive in order to earn and<br />
maintain certification helps me every day,”<br />
says Teicheira.<br />
Professional certification brings credibility<br />
and helps edge out the competition. “Competition<br />
in the workforce is a way of<br />
life, and obtaining a professional<br />
certification helps me demonstrate<br />
my commitment to the profession.<br />
I would say certification is an<br />
investment in my career,” explains<br />
Falcetano.<br />
Cheryl Wagonhurst, JD, CCEP,<br />
Partner in the Los Angeles office<br />
of Foley and Lardner says that the<br />
“CCEP helps me in developing<br />
myself as an expert in the compliance<br />
field….It lends credibility to<br />
me as a compliance professional.”<br />
Wagonhurst adds that “anyone<br />
working in the compliance<br />
profession should become certified. It helps in<br />
establishing compliance as a profession.”<br />
Glossary of Certification Acronyms<br />
CCB – Compliance Certification Board.<br />
(The independent CCB is governed by a<br />
board of directors appointed by the HCCA<br />
board. The President and Immediate Past<br />
President of HCCA are ex-officio members<br />
of the CCB Board of Directors. The mission<br />
of the CCB is to develop criteria for the<br />
determination of competence in the practice<br />
of health care compliance at a variety of<br />
levels and to recognize individuals who meet<br />
these criteria.)<br />
CCEP – Certified Compliance and Ethics<br />
Professional<br />
Society of Corporate Compliance and<br />
Ethics (SCCE). For more information,<br />
visit the Website at www.corporatecompliance.org.<br />
CHC – Certified in Healthcare<br />
Compliance<br />
CHC-F – Certified in Healthcare<br />
Compliance – Fellowship<br />
CHRC – Certified in Healthcare Research<br />
Compliance<br />
Health Care Compliance Association<br />
(HCCA). For more information, visit the<br />
Website at www.hcca-info.org.<br />
CCS – Certified Coding Specialist<br />
CCS-P – Certified Coding Specialist--<br />
Physician-based<br />
RHIA – Registered Health Information<br />
Administrator<br />
American Health Information<br />
Management Association. For more information,<br />
visit the Website at www.ahima.org.<br />
CIA® – The Certified Internal Auditor®<br />
Institute of Internal Auditors. For more<br />
information, visit the Website at<br />
www.theiaa.org.<br />
“I am a compliance professional and proud<br />
of it,” adds Teicheira. She says that at a<br />
recent conference she attended, a U.S.<br />
Attorney applauded HCCA’s Code of Ethics.<br />
“Such praise reminds me why I have chosen<br />
to work in compliance. I consider compliance<br />
professionals walking, talking insurance<br />
policies for an organization. SCCE [Society<br />
of Corporate Compliance and Ethics] and<br />
HCCA help to ensure we meet our obligations,<br />
never losing sight of the fact that at<br />
the end of the day, it’s all about doing the<br />
right thing.”<br />
To learn more about compliance certification<br />
options, including CCEP, CHC, CHC-F, and<br />
CHRC, please contact Liz Hergert by e-mail at<br />
liz.hergert@corporatecompliance.org or visit<br />
www.corporatecompliance.org or www.hcca-info.org.<br />
Be Sure to Get Your<br />
CHC CEUs<br />
Inserted in this issue of Compliance<br />
Today is a quiz related to the articles:<br />
• The 1-2-3s of claims sampling to<br />
resolve overpayment errors —<br />
By B. Bo Martin, page 32<br />
• Quality of care and compliance:<br />
Existing challenges and first<br />
steps for hospitals — By Cheryl<br />
L. Wagonhurst and Nathaniel M.<br />
Lacktman, page 46<br />
• Complying with the HIPAA Privacy<br />
Rule: What you need to know —<br />
By Rebecca C. Fayed, page 59<br />
To obtain your CEUs, take the quiz and<br />
print your name at the top of the form.<br />
Fax it to Liz Hergert at 952/988-0146,<br />
or mail it to Liz’s attention at HCCA,<br />
6500 Barrie Road, Suite 250,<br />
Minneapolis, MN 55435. Questions?<br />
Please call Liz Hergert at 888/580-8373.<br />
CHC Fellowship<br />
On May 1, 2008 HCCA introduced Certified<br />
in Healthcare Compliance Fellowship<br />
(CHC-F), an advanced level of certification.<br />
The purpose of the fellowship level of certification<br />
is to promote the profession of<br />
healthcare compliance practice by:<br />
1. Formally recognizing health care compliance<br />
professionals who demonstrate<br />
an advanced knowledge of health care<br />
compliance.<br />
2. Encouraging continued personal and<br />
professional growth in the practice of<br />
health care compliance, and<br />
3. Providing a national standard of requisite<br />
knowledge required for advanced<br />
certification; thereby assisting employers,<br />
the public, and members of the<br />
health professions in the assessment of a<br />
health care compliance professional.<br />
For a candidate to begin the fellowship<br />
process, an application (which demonstrates<br />
that all requirements are met) must be completed.<br />
“Candidates should keep in mind<br />
that this is an advanced credential and it has<br />
many requirements,” said Debbie Troklus,<br />
Compliance Certification Board President.<br />
Requirements to apply for CHC-Fellowship<br />
1. Maintain the CHC credential for a<br />
minimum of three years (can be nonconsecutive<br />
years);<br />
2. Certificates of credit documenting 40<br />
hours of CCB CEUs within the two years<br />
preceding application with 20 hours within<br />
the 12 months preceding application;<br />
3. Three references<br />
• No immediate family members<br />
• One character reference<br />
• One reference from an HCCA member<br />
who is also a CHC<br />
• One reference from your current immediate<br />
supervisor;<br />
4. HCCA membership for at least three<br />
years preceding application (these need<br />
not be consecutive years);<br />
5. A written statement that details knowledge<br />
and experience in the operation<br />
of all necessary elements of an effective<br />
compliance program;<br />
6. Minimum of a bachelor’s degree verified<br />
by a certified transcript;<br />
7. At least five years experience as a health<br />
care compliance professional;<br />
8. Detailed written description of the Fellowship<br />
project proposal for approval by<br />
the CCB Fellowship Certification Board;<br />
9. A completed authorization form allowing<br />
the CCB Certification Board to<br />
complete a background check including<br />
a criminal background check; and<br />
10. Submission of $150.00 non-refundable<br />
application fee<br />
PLEASE NOTE: An application to CHC-F<br />
will require approval of the CCB Fellowship<br />
Certification Panel. Prior to approval<br />
of the application, an in-person screening<br />
interview with the CCB Fellowship<br />
Certification Panel may be required.<br />
Your application will not be reviewed until all<br />
required forms and documents are received by<br />
the CCB Fellowship Certification Board.<br />
After the candidate’s application for fellowship<br />
status has been accepted, the first step<br />
is the successful completion of a simulation<br />
examination.<br />
For further information, please contact<br />
Liz Hergert, Certification Coordinator for<br />
SCCE/HCCA, at 952/405-7905.<br />
New HCCA Members<br />
The Health Care Compliance Association<br />
welcomes the following new members and<br />
organizations. Please update any contact<br />
information using the Member Center on the<br />
Web site, or e-mail Karrie Hakenson<br />
(karrie.hakenson@hcca-info.org) with<br />
changes or corrections.<br />
Minnesota<br />
• Lucinda Jesson, Hamline University<br />
School of Law<br />
• Kari Myrold<br />
• Nancy L. Ohlenberg, Prime Therapeutics<br />
• Roberta C. Patrow, Prime Therapeutics<br />
Missouri<br />
• Susan Cejka, Grant Cooper<br />
• Linda K. Eickmann, HCA Midwest<br />
Division<br />
• Jennifer Koepke, Western Missouri<br />
Medical Center<br />
• Angie Lantz, Ranken Jordan Pediatric<br />
Specialty Hospital<br />
• Mary F. Sneed, Interim HealthCare<br />
New Mexico<br />
• Charmaine Quintana, RHIT CCS,<br />
Christus/St Vincent Reg Med Ctr<br />
• Gail Walsh, Compliance,<br />
New York<br />
• Cassandra Andrews Jackson, CHC,<br />
MetroPlus Health Plan, Inc.<br />
• Nirmala Beharry, Albert Einstein College<br />
of Medicine/Dept of Psychiatry<br />
• Myrna Cuevas, Hudson Valley Hospital<br />
Center<br />
• Ludomir J. Czynski, Bronx Lebanon<br />
Highbridge Woodycrest Ctr<br />
• Mrs. Tamara M. Dickey, CMBS, BS, St<br />
James Mercy Hospital<br />
• William Friedel, Memorial Sloan Kettering<br />
Cancer Center<br />
• Todd M. Hinman, CIPP, Capital District<br />
Hlth Plan Inc<br />
• Anthony R. Lisske, CPHQ CPSO CHPS,<br />
New York Downtown Hospital<br />
• Barbara A. McDermott, Madison<br />
Cortland ARC<br />
• Jayshree M. Negandhi, Hillside Family of<br />
Agencies<br />
• Nicky O’Connor, Westchester Medical Center<br />
• Renee K. Olmsted, RHIA, Oneida<br />
Healthcare Center<br />
• Najarian Peters, Weill Cornell Medical<br />
College<br />
• Lisa Serotta, Schenectady ARC<br />
North Carolina<br />
• Kenneth A. DeVille, PhD JD, Brody<br />
School of Medicine<br />
• Joy Hardee, CHRC, Univ Health Systems<br />
• Beth Lyle, Mission Hospital Inc<br />
• Lisa D. McDonald, Boice - Willis Clinic<br />
• Lisa A. Shaeffer, BCBS NC<br />
• Bratic Stanislavka, Omni Home Health<br />
Services, LLC<br />
• Mrs. Mava Webster, BCBS of NC<br />
Ohio<br />
• Eric Sandkuhl, Molina Healthcare of Ohio Inc<br />
• Dave Snow, Molina Healthcare of OH<br />
Oklahoma<br />
• Ann Cole, CPA, Comprehensive Med<br />
Billing Solutions Inc<br />
Oregon<br />
• Dori J. Dawson, Kaiser Permanente<br />
• James Gilson, Kaiser Permanente<br />
• Maria E. Goodrich, RHIT, Kaiser<br />
Permanente NW Region<br />
• Laura L. Martinez, Kaiser Permanente<br />
Pennsylvania<br />
• Lisa Adams Muhler, JD, MBA, MSN,<br />
Merck & CO., Inc.<br />
• Susan L. Fields, Marshall Dennehey<br />
Warner Coleman & Coggin<br />
• Christy L. Gilchrist, PhD CRA, WellSpan<br />
Health<br />
• Linda Harris, RN, Titusville Area Hosp<br />
ADM<br />
• Julie Hughes, Geisinger Health Plan<br />
• Monica Johnson, Burman’s Medical<br />
Supplies, Inc<br />
• Randall J. Laubach, Geisinger Health Plan<br />
• Melissa K. Schlenker, MS CCRC,<br />
Wellspan Health<br />
• Mrs. Sharon E. Sherwood, Hahnemann<br />
Univ Hospital<br />
• Robert J. Simon, Home Hlth Corp of<br />
America<br />
• David Weader, Geisinger Health Plan<br />
Puerto Rico<br />
• Myriam Derieux-Boria, CCP, VA<br />
Caribbean Health Care Sys<br />
South Carolina<br />
• Dennis G. O’Connor, Lexington Medical<br />
Center<br />
• Joan C. Padgett, Spartanburg Regional<br />
• Mary Prather, RN BSN MPH, CHRC,<br />
Palmetto Health<br />
• Judy W. Wallace, Spartanburg Regional<br />
Med Ctr<br />
South Dakota<br />
• Ann Bain, Avera Health Plans, Inc.<br />
• Ms. Sharon J. Hoon, RN, BSN, CCRC,<br />
Sanford Research/USN<br />
Tennessee<br />
• Jennifer B. Baldock, Ambulatory Srvs of<br />
America Inc<br />
• Jeremy W. Banks, United Regional Med Ctr<br />
• Linda Earhart, Ambulatory Services of<br />
America<br />
• Adam Nunn, Aim Healthcare<br />
• Nancy N. Orndorff, Ambulatory Srvs of<br />
America Inc<br />
• Stephen V. Roberts, Dialysis Clinic, Inc<br />
• Julie A. Sellers, PHP Companies, Inc<br />
• M. Michelle Walker, LifePoint Hospitals Inc<br />
• Beth Wampler, Ambulatory Services of<br />
America<br />
Texas<br />
• Joan B. Bell, Brazosport Regional Health<br />
Sys<br />
• Charlotte Blakely-Frazier, ValueOptions<br />
• Brenda Chapman, Baylor Research<br />
Institute<br />
• Rocio Chavez, El Paso First Health Plans, Inc<br />
• Noralene Corder, CPA-CFO, Smithville<br />
Regional Hospital<br />
• Janet Daylong, West Texas VA Healthcare<br />
System<br />
• David Everitt, The Compliance Division,<br />
LLC<br />
• Sara K. Fletcher, MSN, RN, Val Verde Reg<br />
Med Ctr<br />
• Monica Frazer, CPA, CHC, Children’s<br />
Medical<br />
• Candace Martinez, US Oncology<br />
• Lois Pierson, University of Texas Health<br />
Science Center at Houston<br />
• Martha Porinchak, Huntsville Memorial<br />
Hospital<br />
• Beverly Prudhomme, City of Austin/<br />
Patient Services<br />
• Jeffrey Quade, Healthtronics, Inc.<br />
• Ms. Marion T. Richardson, PMP,<br />
Community First Health Plans<br />
• Trae D. Rohan<br />
• Daisy Seebach<br />
• Andrew Whitacre Smith, Huron<br />
Consulting Group<br />
• Lindsay J. Sondergeld, MHA, CHRC,<br />
Cancer Therapy & Research Ctr<br />
• Anchi Angie Wang, BS, UT MD<br />
Anderson Cancer Center<br />
Virginia<br />
• John Benson, Government Management<br />
Svcs Inc<br />
• Jittra Charnrissuragul, Georgetown<br />
University Hospital<br />
• Tammy L. Danek, CCS CPC CPC-H<br />
CRS, Medicorp Health System<br />
• Mark Erath, PricewaterhouseCoopers<br />
Washington<br />
• Mrs. Melania Antonio, CPC, Derry Nolan<br />
& Associates<br />
• Vincent Driano, Group Health Cooperative<br />
• Julie Fry, Virginia Mason Medical Center<br />
• Rebecca Marsh, CHC, Accuro Healthcare<br />
Solutions<br />
• Joseph Vessey, Whidbey General Hospital<br />
• Clinton C. Vickers, Seattle Children’s<br />
Hospital Research Institute<br />
• Lisa Werlech, MBA, Proliance Surgeons<br />
Inc PS<br />
Wisconsin<br />
• Cindy Ann Beran, Memorial Health<br />
Center<br />
• Crystal J. Laven, CPA CIA, Children’s<br />
Hospital & Hlth System<br />
• Penny Osmon, WI Medical Society<br />
• Lori P. Peck, Memorial Health Center<br />
Your HCCA Staff<br />
888-580-8373 | 952-988-0141 | fax 952-988-0146<br />
Sarah Anondson<br />
Graphic Artist<br />
sarah.anondson@hcca-info.org<br />
Gary DeVaan<br />
IT Manager/Graphic Artist<br />
gary.devaan@hcca-info.org<br />
Margaret Dragon<br />
Director of Communications<br />
margaret.dragon@hcca-info.org<br />
Darin Dvorak<br />
Director of Conferences<br />
and Exhibits<br />
darin.dvorak@hcca-info.org<br />
Wilma Eisenman<br />
HR Director/Office Manager/<br />
Compliance Officer<br />
wilma.eisenman@hcca-info.org<br />
Nancy G. Gordon<br />
Managing Editor<br />
nancy.gordon@hcca-info.org<br />
Melanie Gross<br />
Conference Planner<br />
melanie.gross@hcca-info.org<br />
Karrie Hakenson<br />
Data Entry/Member Relations<br />
karrie.hakenson@hcca-info.org<br />
Elizabeth Hergert<br />
Certification Coordinator<br />
elizabeth.hergert@hcca-info.org<br />
Patti Hoskin<br />
Database Associate/<br />
Member Relations<br />
patti.hoskin@hcca-info.org<br />
Jennifer Jansen<br />
Conference Planner<br />
jennifer.jansen@hcca-info.org<br />
April Kiel<br />
Database Administrator/<br />
Member Relations/Marketing<br />
april.kiel@hcca-info.org<br />
Meghan Kosowski<br />
Receptionist<br />
meghan.kosowski@hcca-info.org<br />
Caroline Lee Bivona<br />
Project Specialist<br />
caroline.leebivona@hcca-info.org<br />
Shawn Leonard<br />
Webmaster/Privacy Officer<br />
shawn.leonard@hcca-info.org<br />
Amy Macias<br />
Member Services<br />
amy.macias@hcca-info.org<br />
Patricia Mees<br />
Communications Editor<br />
patricia.mees@hcca-info.org<br />
Jennifer Power<br />
Conference Planner<br />
jennifer.power@hcca-info.org<br />
Marlene Robinson<br />
Audio Conference Planner<br />
marlene.robinson@hcca-info.org<br />
Beckie Smith<br />
Conference Planner<br />
beckie.smith@hcca-info.org<br />
Roy Snell<br />
Chief Executive Officer<br />
roy.snell@hcca-info.org<br />
Charlie Thiem<br />
Chief Financial Officer<br />
charlie.thiem@hcca-info.org<br />
Adam Turteltaub<br />
VP Member Relations<br />
adam.turteltaub@hcca-info.org<br />
Nancy Vang<br />
Administrative Assistant<br />
nancy.vang@hcca-info.org<br />
Allison Willford<br />
Accountant<br />
allison.willford@hcca-info.org<br />
Julie Wolbers<br />
Accountant<br />
julie.wolbers@hcca-info.org<br />