RJ - Health Care Compliance Association

Volume Four/Number TenOctober 2002A publication forhealth care complianceprofessionalsmeetJames R. HerronREGISTER TODAY!FOR THE HCCA/AHA HIPAA Forum, SAN DIEGO, CA–DEC 9-11, 2002 For info see p.26or go to conference central on the HCCA Website: http://www.hcca-info.orgINSIDE234710121519202225Leadership letterOn the calendarHow to keep employeesfrom becomingwhistleblowersBack to basicsAt last, HIPAA PrivacyRule is finalizedMeet James R. HerronHealth Care SystemSIGCompliance is not agameCEO’s letterMarketing under theHIPAA Privacy RulePeople on the go

EffectiveGovernance,CorporateResponsibility,andComplianceSHERYL VACCAHCCA PresidentGovernance, corporate responsibility, andcompliance–what are the common themes?The 21st Century Governance Principlesfor US Public Companies, issued by theCorporate Governance Center at KennesawState University in Kennesaw, Georgia, identifiedthe following corporate governanceprinciples:■ Interaction–Among the board, manage-ment, external audit, and the internal audit■ Board Purpose–Protecting the interests of the stockholdersand stakeholders■ Board Responsibilities–Monitoring management, corporatestrategy, risks, and the corporation’s control systems■ Independence–Majority of the directors should be independentin both fact and appearance so as to promote armslengthoversight■ Expertise–Directors should possess relevant industry, company,functional, and governance expertise■ Meetings and Information–Board should meet frequentlyfor extended periods of time and should have access to theinformation and personnel necessary to perform its duties■ Leadership–The roles of Board Chair and CEO should beseparate■ Disclosure–Board communications should reflect Boardactivities and transactions in a transparent and timelymanner■ Committees–Nominating, Compensation,and Audit Committeesof the Boardshould be composed onlyof independent directors■ Internal Audit–Shouldmaintain an effective, fulltimeinternal audit function that reports directly to theAudit CommitteeThe common themes to governance effectiveness include riskmanagement, controls, and the governance process. Do thesesound familiar?On the other hand, corporate responsibility, not only includeshaving an “effective” governing Board, but also includes maintainingan effective corporate compliance function. Seniormanagement and Board accountability are necessary in orderto integrate risk management compliance aspects into organizationaldecision-making processes. These processes should notbe separate initiatives, but should be built in as part of businessplanning, and linked to other priorities. Baseline performancemetrics should be established to assist in evaluating and measuringthe process and outcomes.“Effective” governance and corporate responsibility include allof these key principles but the structure that keeps risk management,controls, and the governance process in a “prevention,detection, and deterring mode” are the compliance functionsthat are inherent in business operations. Corporateresponsibility is comprised of an active compliance programoperating with management accountability and fully integratedinto all aspects of a corporation’s daily life. ■October 20022HCCA’SHCCA exists to champion ethicalpractice and compliance standards inMISSION the health care community and to providethe necessary resources for compliance professionals and others whoshare these principles.through 9/30 fforum from 10/1 02dory

NewsFlashONTHE CALENDARFREE Audio ConferenceFor HCCA Members OnlyHCCA Compliance PerformanceMeasurement InitiativeAudio ConferenceSeptember 24th, 200211:00 AM Eastern/10:00 AM Central/9:00 AM Mountain/8:00 AM Pacific(approximately 90 minutes)HCCA is engaged in a collaborative, volunteer effort toimprove the ability of HCCA members and all health carecompliance professionals to know with greater precision:■ What are some key indicators that may be important toinclude in the design and implementation of an effectivehealth care compliance program■ How to measure these indicators to be assured that thecompliance program is achieving fundamental performanceobjectivesPlease join your colleagues on September 24, 2002, at11:00 AM Eastern/10:00 AM Central/9:00 AM Mountain/8:00 AM Pacific, for an update via audio conference onHCCA’s Compliance Performance Measurement Initiative.This forum will provide you with an update on the initiative’sstatus and an opportunity to share your thoughts,comments, and suggestions.Visit the Members Only section of the HCCA Websitehttp://www.hcca-info.org for participation instructions. ■Mark your calendars for the followingHCCA sponsored events:AUDIO ATLANTA, GA:CONFERENCES: ■ NOV 4, HCCA Region IVCompliance Lessons Learned Compliance Conferencefrom Enron - Parts III & IVDES MOINES, IA:■ September 17 and 24, 1-2:30■ NOV 12, HCCA Region VIIPM ESTState ConferenceMajor Changes to HIPAA PatientATLANTIC CITY, NJ:Privacy■ OCT 21-22, HCCA Region’s II■ September 12, 1-2:30 PM& III Compliance ConferenceESTPHILADELPHIA, PA:2002 CONFERENCES:■ NOV 11-15, HCCA’s AcademyBIRMINGHAM, AL:of Health Care Compliance,■ OCT 25 - HCCA Region IVUnion LeagueCompliance MeetingREDMOND, WA:SAN DIEGO, CA:■ NOV 21-22, National■ DEC 9-11, HCCA/AHA HIPAASymposium on CorporateForum WestResponsibility hosted bySAN FRANCISCO, CA:Microsoft■ NOV 7-8, Physician Group2003 CONFERENCES:Practice ComplianceLOS ANGELES, CA:Conference■ FEB 16-19, HCCA Academy ofWASHINGTON, DC:Health Care Compliance■ SEPT 29-OCT 1, HCCA/AHLADALLAS/FT.WORTH, TX:Fraud and Compliance Forum■ FEB 21, HCCA Region VIHCCACompliance Meeting ■RESOURCESFor more information about events or resources, check out theHCCA Website, http://www.hcca-info.org or call 888/580-8373.Be sure to ask about your member discount.ERRATAOn page 4 of the September issue of ComplianceToday, Cathy Cahill, author of the article, Stark“made easy”, was incorrectly identified. She is theSUNY Stony Brook Clinical Practice PlanCompliance Officer. ■NEW!■ Monitoring & Auditing Practicesfor Effective Compliance–HCCA’s newest book offersguidance and advice fromnational experts■ HCCA’s Compliance, Conscience,and Conduct , a video-basedcompliance training program■ HCCA’s book, Compliance 101■ Individual & Small GroupPhysician Practice Compliance:What every physician shouldknow, HCCA’s audio trainingprogram designed specificallyfor physicians.■ Privacy Matters–HCCA’svideo-based HIPAA TrainingProgram ■October 20023

October 20024By Frank SheederEditor’s note: Frank Sheeder is the principaland founder of The Sheeder Firm, a employer because of lawful acts done byconditions of employment by his or herDallas-based law firm that focuses on the employee on behalf of the employeehealth care compliance and complex litigationmatters. He may be reached at under this section [e.g., a whistlebloweror others in furtherance of an action214/747-9900 or at frank@sheederfirm.coessaryto make the employee whole.action] shall be entitled to all relief nec-Despite the significant attentionand resources that employees under this language when theCourts generally grant protection tohealth care providers are following three elements are present:devoting to compliance, they are being ■ Protected activity–The present orchallenged by an increasing number of former employee engaged in “protectedactivity.” Such activity canqui tam, or whistleblower, lawsuits. Therelators in those cases are most often include the employee’s investigationthe provider’s present or formerof a matter that is a possible Falseemployees. This article describes the Claims Act violation. It can also consistof confronting an employerlegal protections generally afforded towhistleblowers, profiles the “common” about suspected fraudulent activity.whistleblower (although they come in The activity must be coupled with amany varieties), and offers some guidanceon the steps that providers can blower action. Allegations of fraud orreasonable possibility of a whistle-take to avoid having otherwise dedicatedemployees become zealous adver-fraud against the federal governmentmisconduct, without some link tosaries.and a contemplated or pending FalseClaims Act case, may not be protectedactivity.Legal protections for whistleblowersThe laws protecting whistleblowers are ■ Notice–The employer knew of thestrong at the federal level and in many employee’s protected activity. Thisstates. The federal False Claims Act, 31 element is necessary to show theU.S.C. ß3730(h), offers the following employer’s retaliatory intent. Noticesafeguards:to the employer can be implicit orAny employee who is discharged,explicit, and the level of employerdemoted, suspended, threatened,knowledge that the courts requireharassed, or in any other manner discriminatedagainst in the terms andvaries significantly among jurisdictions.FRANK SHEEDER■ Causation–The employee was terminatedor discriminated againstbecause of the employee’s protectedactivity. This element establishes thecausal link between the employee’sprotected activity and the employer’smistreatment of the employee. Anemployer’s legitimate, non-pretextualreasons for taking action against anemployee may prevent the employeefrom sustaining a retaliation claim.An aggrieved employee who establishesa retaliation claim is entitled to a widerange of relief. A non-exhaustive list ofthe remedies that an aggrieved employee“shall” receive includes:■ Reinstatement with the same senioritythe employee would have enjoyedbut for the adverse action againsthim or her■ Two times back pay■ Interest on the back pay■ Special damages, which can includecompensation for emotional distress,recovery of litigation costs, and reasonableattorneys’ fees■ All relief necessary to make theemployee wholeThe relief to which the aggrievedemployee is entitled is in addition tothe relator’s share of any recovery by

the government under the False ClaimsAct. While a whistleblower’s ability torecover such relief will vary based onthe facts and the jurisdiction in whichthe circumstances arose, a provider’sbest defense is to prevent employeesfrom becoming whistleblowers in thefirst place.often attach to whistleblowers after theyfile an action, came by their dissatisfactionlegitimately. They did not starttheir employment with an eye towardbecoming their employer’s adversary.There are usually multiple system failuresthat take place before the whistlebloweractually files the action. Manywritten compliance plans with effectivemechanisms for investigating andresponding to issues. A provider musthave working processes in place toactively address compliance issues. Acompliance notebook that is distributedto employees, and then sits on theshelf, is plainly not enough. The mostThe transition from good employee togreat whistleblowerBelieve it or not, it usually takes a lot toconvert a good employee into a whistleblower.Consider the personal makeupof the majority of people who work forhealth care providers. Many of themhave chosen health care careers becausethey:■ Have the gift of compassion■ Are idealistic■ Thrive on helping others■ Are rule-followersemployees who developed into whistleblowersendeavored to follow theprovider’s protocols to identify potentialcompliance issues, and they respectedand followed the chain of command indoing so. The recipients of their overturesoften replied with inaction, condescension,or retaliatory hostility. Wehave heard this mantra time and again,but it bears repeating here: if a provideris going to talk the talk, it must walkthe walk. Having an ineffective complianceprogram is worse than having nocompliance plan at all. Ineffective com-common failure is to roll out a complianceplan with some fanfare, and thendo nothing to put it into action. A secondfailure is to assign people withvested interests to investigate concerns.In such circumstances, they often giveshort shrift to the concerns and theemployee who raised them. Simply put,the person charged with investigatingconcerns should not have a stake in theoutcome. A provider that does not havemechanisms in place to effectivelyinvestigate and respond to claims ofnon-compliance may unknowinglyReflect also on the number of protocols,policies, and procedures to whichthe health care industry demands strictadherence by its employees. The industry’senvironment and the health careemployee’s mindset often lead to astrong internal commitment to compliancewhen the provider supports itscompliance plan with effective actions.But when the values of a compassionate,idealistic, helpful, and compliantemployee (and the espoused values ofthe provider) conflict with the provider’sactual or perceived conduct–andwhen the provider ignores or thwartsthe employee’s attempt to raise complianceissues–the same employee may gobeyond the provider’s protocols andseek redress through other means.pliance programs not only cultivatewhistleblowers, but they also lead totougher results vis a vis government regulators.The good news, however, isthat effective compliance programs inwhich employees are affirmed for raisingconcerns can actually convertpotential whistleblowers into evenbetter employees.Prevention: Existing employees(steps 1-4)The legal protections discussed above,and the potential damage that whistleblowerscan cause, are daunting.Fortunately, there are a number of stepsthat providers can take to prevent theiremployees from becoming whistleblowers,even in the presence of significantcompliance issues.establish the first two elements of awhistleblower’s retaliation claim: protectedactivity and notice.Step 2: Employee follow-upProviders should follow-up with employeeswho raise compliance concerns,regardless of how groundless or erroneousthey turn out to be. Summarilyrejecting or ignoring an employee’scomplaint generally will not make it goaway. Prudent providers encourage andaffirm employee initiation of the complianceprocess. Additionally, withinthe bounds of appropriate confidentiality,providers should let the employeeknow what steps were taken to investigateand, if necessary, rectify the conductreported by the employee. Theseactions should be formally documentedand maintained in the provider’s com-Unfortunately, many “disgruntled formeremployees,” which is the label weStep 1: Written compliance plansIt is axiomatic that providers must havepliance records.Continued on page 65October 2002

HOW TO KEEP GOOD EMPLOYEES...continued from page 5Step 3: Compliance questionnaires cases the stakeholder should be takenProviders should consider using periodiccompliance questionnaires in which practical way to avoid retaliation is toout of the process altogether. Anotheremployees are required to certify include a section on “personnel actionwhether or not they are aware of any forms” that inquires as to whether theactual or potential compliance issues. affected employee has raised any complianceissues in the past. Then considerThere is a difference of opinion amongboth compliance professionals and whether transfers, demotions, writeups,or counseling are used as counsel as to whether this is a judiciousresponses“...if a provider is going to talk the talk, it must walkthe walk. Having an ineffective compliance programis worse than having no compliance plan at all.”potential for a whistleblower action.The provider is then shocked and dismayedwhen the ex-employee files suchan action, usually after taking fulladvantage of the provider’s severancepackage. While a release between theprovider and the departing employeemight not forestall a whistlebloweraction (the legal authority variesdepending on location and circumstances),providers should requiredeparting employees to certify theirknowledge (or lack thereof) aboutpotential compliance issues.October 20026practice. Questionnaires provide a goodway to measure the effectiveness of aprovider’s compliance program andidentify compliance issues. In addition,a provider can use negative responseslater to prove that an employee-turnedwhistleblowerdid not raise potentialissues when invited to do so.Questionnaires do, however, invite andoften result in a plethora of unsubstantiatedallegations that the provider isthen compelled to address. Anothershortcoming of questionnaires is thatthe responses to them may not be privileged.Any self-evaluation should beperformed under attorney-client privilege.So, at a minimum, the providershould have the responses sent directlyto counsel in an effort to maintain privilegesand protections from discovery.Step 4: Safeguard employeesProviders should have tangible, activeprocesses to safeguard employees fromretaliation for raising compliance issues.In most instances, therefore, it is essentialnot to make a stakeholder the pointperson on a compliance matter, especiallywhen one of his or her directreports raised the issue. In fact, in manyto employees who raise legitimateissues. Paying close attention to the reasonsfor adverse personnel actions maynegate the third element of a retaliationclaim: causation.Prevention: Departing employees(Steps 5-6)Step 5: Exit interviewsProviders should engage in meaningfulexit interviews. Specifically, the exitinterview form should include a sectionrelating to any past or current complianceconcerns that the exiting employeemight have. The exit interview formsshould be routed to appropriate complianceor legal personnel if the exitingemployee raises any compliance concerns.Without such a mechanism,many compliance “red flags” end upburied in personnel files, only to beunearthed when the employee threatensor initiates litigation.Step 6: Separation agreementsEmployers should carefully draft separationagreements. On many occasions,an employee has left a provider’s employwith hard feelings, but the provider hasdone absolutely nothing to address theConclusionThe reality in today’s health care environmentis that there are potentialwhistleblowers within the ranks ofevery provider. Prudent providers willtake practical, active steps to gainstrength from the compassion, idealism,helpfulness, and compliance of theiremployees. By ignoring the employees’compliance concerns, providers maytransform their dedicated employeesinto zealous whistleblowers. ■FREE Audio Conference ForHCCA Members OnlyHCCA Compliance PerformanceMeasurement Initiative AudioConferenceSeptember 24th, 200211:00 AM Eastern/10:00 AMCentral/9:00 AM Mountain/8:00 AM Pacific(approximately 90 minutes)Visit the Members Only sectionof the HCCA Website http://www.hcca-info.org for details and participationinstructions. ■

BACKTO BASICSDiagnosisRelatedGroup (DRG)auditing:The value is in the detailBy Britt H. Crewse, CPA, MHS,MBAEditor’s note: Britt Crewse is the AssociateVice President and Chief Complianceand Privacy Officer for Duke UniversityHealth System in Durham, NC. He isthe President of HCCA Region IV andmay be reached at 919/668-6250.Where are the greatest compliancerisks for acute care hospitals?The answer is not anti-kickbacks, Starklaws, or even Physicians at TeachingHospitals (PATH). It is very simple, thegreatest risk is with coding practicesrelated to Medicare DRGs. The easiestcase for the government to prove is thatan organization is intentionally upcoding.Why? Because the government hasthe tools and resources to track all hospitals’DRG coding practices and comparethem versus defined peer groups.No one will be surprised if DRG codingremains on the OIG Workplan formany years to come.Familiar to most, within the DRG classification,there are certain DRGsknown simply as paired DRGs because,based on the severity and acuity of thecase, one has a lower payment and theother a higher payment. One exampleis related to pneumonia. Medicare’spaired DRGs for pneumonia are thehigher paying DRG 79 (AspirationPneumonia) versus the lower payingDRG 89 (Regular Pneumonia).Analyzing the paired DRGs, the higherthe percentage of lower paying DRGsversus higher paying DRGs, the morelikely coding is compliant.The rest of this article will discuss thedetailed steps necessary to conduct aneffective DRG coding audit.Step one: Gathering MedPar dataThe first step begins with obtainingMedPar data from the Centers forMedicare and Medicaid Services(CMS). Although this data is availableto the public, it is not very refined andcan be very difficult to use. Many firmshave already developed databases usingthe MedPar data. Evaluate the benefitsof outsourcing in this phase of theDRG audit in order to save time andenergy.The MedPar data consists of everyDRG that all hospitals have been paidby CMS for a given period of time.Reviewing at least three years of data toensure consistency is highly suggested.Looking at only one year of data couldlead to inadvertently examining anaberrant year that does not reflect normalcoding practices.Step two: Benchmark criteriaThe most critical part of reviewingDRG coding practices is determiningthe benchmark group. Duke UniversityHealth System (DUHS) has three hospitals–alarge academic medical center,a medium-sized community hospital,and a small community hospital. Allthree hospitals are compared againstdifferent peer groups. For example,Duke University Hospital’s (DUH)paired DRGs are compared to the followingpeer group:BRITT H. CREWSE■ Mayo Clinic■ Cleveland Clinic■ Massachusetts General■ UCLA Medical Center■ Johns Hopkins■ University of North Carolina■ University of Pennsylvania■ StanfordAs one of the nation’s largest tertiaryhospitals, it would be unwise to compareDUH’s paired DRGs to thenational or state averages. The only wayto compare DUH is with other similarhospitals.Step three: What DRGs should becompared?The DUHS Compliance office hascompiled a list of DRGs (see Exhibit Aon page 8) that is neither exhaustivenor complete. However, it is stronglyrecommended that, the first time suchan analysis is performed, the health careprovider compare these high-risk pairsat that organization to the results of asimilar peer group.After determining the DRGs to bereviewed, utilize a spreadsheet to easilycompare the number of cases andpercentage of higher and lower payingContinued on page 87October 2002

BACK TO BASICS...continued from page 7October 20028Exhibit A–DRG Pairs14 - Specific Cerebral Disorderexcept TIA138 - Cardiac Arrhythmia andConduction Disorder15 - TIA and Pre-cerebralOcclusions140 - Angina Pectoris79 - Respiratory Infections greaterthan 17 w/CC140 - Angina Pectoris143 - Chest Pain89 - Simple Pneumonia andPleurisy174 - G. I. Hemorrhage182 - Misc. Digestive Disorder with87 - Pulmonary Edema andRespiratory Failureage greater than 17188 - Other Digestive System88 - COPDDisorders88 - COPD180 - G.I. Obstruction96 - Bronchitis and Asthma greaterthan 17239 - Path Fractures and Musculo.Tiss. Mal.89 - Simple Pneumonia andPleurisy243 - Medical Back Problems182 - Esopha. Gastro. And Misc.96 - Bronchitis and Asthma greaterthan 17Digestive Disorder296 - Nutritional and Misc.Metabolic Disorder121 - Circulatory Disorders w/AMI124 - Circulatory Disorders exceptAMI316 - Renal Failure331 - Other Kidney and UrinaryTract Dxs.122 - Circulatory Disorders withoutmajor com125 - Circulatory Disorders expt.AMI w/cath296 - Nutritional and Misc.Metabolic Disorder320 - Kidney and Urinary TractInfections127 - Heart Failure and Shock140 - Angina Pectoris320 - Kidney and Urinary TractInfections128 - Deep Vein Thrombosis 416 - Septicemia130 - Peripheral Vascular Disordersw/cc425 - Disturbances of PsychosocialDys.132 - Atherosclerosis430 - Psychoses and Acute Adjust. Re140 - Angina PectorisDRGs among the paired DRGs (seeExhibit B on page 9) versus the peergroup.Step four: When are higher payingDRGs’ percentages too high?In reviewing Exhibit B, it is evidentthat Hospital A has the highest percentageof DRG 79 cases. In fact, HospitalA’s peer group average (39%) of DRG79 cases is significantly less thanHospital A’s average (50%). The 11%difference (50% - 39% average) shouldraise concern. At this point, consultwith legal counsel as to whether thesepaired DRGs require outside review.Unfortunately, governmental guidelinesdo not exist as to what percentage differenceconstitutes a statistically significantvariance. Evaluating the risks afterthe completion of the analysis couldprove very beneficial.A good rule of thumb is to review pairsover 5% higher than the peer groupaverage. In the case of Hospital A inExhibit B, a potential for upcodingexists because it is 11% over the peergroup average.Step five: When are consultants necessary?Many times external consultants canverify what the compliance office andhealth information managementdepartments already know–the codingpractices are accurate and the organizationhappens to see sicker patients forcertain DRGs.After determining that a hospital has agreater percentage of the higher payingDRG within a set of paired DRGswhen compared to its peers, then there

is a potential need to bring in consultants.Prior to an external engagement,each organization should determine ifthe attorney-client privilege should beinvoked. If a hospital reviews all potentialpaired DRGs versus its peer group,it is highly likely there will be severalthat may cause further review. A hospitalmay decide to provide an internaldetailed analysis proving accurate codingfor some of the paired DRGs inquestion. However, the OIG and CMSwill rely on external review more than ahospital’s internal review.Exhibit BDRG Hosp A Hosp Hosp B Hosp Hosp C Hosp Total AverageCases A % Cases B % Cases C % Cases %79 50 50% 35 35% 32 32% 117 39%89 50 50% 65 65% 68 68% 183 61%Step six: How many charts should bereviewed by the external consultants?Many compliance officers believe thatthe only way to prove compliance is byauditing a statistically significant numberof charts. However, if a hospital isvoluntarily reviewing charts proactively,why does it need to review so manycharts and why does the sample need tobe statistically significant? An organizationmay request a consulting firm toreview 10-15 charts for those pairedDRGs that have a higher percentageversus its peers of higher paid pairedDRGs.The second point a hospital will haveto determine is how many of thehigher paid paired DRGs it will requestthe external consultants to review.Obviously, compliance offices have limitedbudgets and probably cannotafford to have a review of all of itspaired DRGs that have a higher percentageversus its peers of higher paidpaired DRGs. It would be wise todetermine how much a hospital is willingto expend on this type of engagementbefore deciding how many DRGsto review.Step seven: What should be donewith the consulting report?This is a topic that should be discussedwith legal counsel. In most cases, theexternal consulting report proves thatyour coding department has been accuratelycoding DRGs. The Audit andCompliance Committee of the Board ofDirectors as well as the hospital’s compliancecommittee, its executive managementcommittee, and the codingdepartment should be informed of thereport findings.When the results are less than par, thereport distribution and presentation listis more challenging to develop. Thehospital will need to decide if a morein-depth audit should be conducted todetermine the possibility of upcoding.In conclusion, auditing and monitoringare the most important elements of aneffective compliance program. Medicareexpends more dollars on hospital inpatientsand DRGs than any other items.It is very critical to the success of acompliance program to review its DRGcoding. Unfortunately, far too oftenhospitals fail to conduct analyses oftheir DRG coding practices versus peergroups. By taking the proactive step ofconducting paired DRG audits, complianceofficers will significantly reducecompliance risk in their hospitals. ■Your physician compliance training just got easier...With HCCA’s 39-minuteaudio-training programIndividual & Small Group PhysicianCompliance: What every physicianshould knowAn essential resource for every compliancedepartment. Visit HCCA’s Website,http://www.hcca-info.org, to order.9October 2002

By F. Lisa Murtha, J.D.Editor’s note: F. Lisa Murtha, J.D., is theChief Audit, Compliance, and PrivacyOfficer for Children’s Hospital of Philadelphia.Lisa has served on the HCCA Boardof Directors since it was founded in 1997.She may be reached at 215/540-9156 orby email at flmurtha@earthlink.netThe wait is finally over! TheUnited States Department ofHealth and Human Services(HHS) has published the final HIPAAPrivacy Rule. The biggest, and perhapsmost disappointing aspect of the finalRule is that the compliance deadline wasnot extended. It continues to be April 14,2003. Hence, there is no rest for theHIPAA weary!There were in excess of 11,000 commentsoffered to HHS related to themodifications proposed on March 27,2002. The good news is that HHS wasresponsive to concerns of the health carecommunity and (among other things)eliminated the written consent requirementfor providers to use ProtectedHealth Information (PHI) for treatment,payment, and health care operations. TheRule states, however, that providers shoulduse good faith efforts to obtain writtenacknowledgement from the patient (orlegal guardian) of their receipt of theprovider’s notice of privacy practices.Another area in which HHS respondedto the pleas of the industry is that it recommendedthat providers consider usinga layered notice of privacy practices. Inother words, a short summary of privacypractices would be used and the fullOctober 200210notice would be attached for review bythe patient.The March proposed Business Associateschanges were adopted, allowing a oneyear extension (until April 14, 2004) forCovered Entities to obtain BusinessAssociate Contracts including therequired confidentiality provisions.Another welcome development is thatthe final Rule allows a Covered Entity todisclose PHI to another Covered Entityor to any health care provider (regardlessof whether the provider is a CoveredEntity) for the payment activities of theentity or provider that receives the information.Moreover, it provides latitudefor providers to disclose PHI for otheroperations like activities such as qualityassurance, case management activitiesand coordination of care, training programs,accreditation, licensing, or credentialingactivities.While the final Rule contemplates thatCovered Entities have the flexibility todefine what is “minimum necessary” fortheir unique needs and operationalrequirements, the “minimum necessary”requirements remain fairly unalteredfrom the proposed Privacy Rule.The Authorization Requirements havebeen amended consistent with theMarch proposed changes as follows:■ Covered Entities will be able to useone authorization form for all purposes.An Authorization, however, will bevalid only if all of the “core elements”and “notification statements” as setF. LISA MURTHAforth in the regulation are included■ A patient is unable to revokeAuthorization if the Covered Entityacted in reliance on the Authorizationor if the Authorization was obtainedas a condition of obtaining insuranceand other law gives the insurer theright to contest the claim or the policyitself■ HHS has exempted from theMinimum Necessary Standard anyuses or disclosures for which theCovered Entity has received anAuthorization from the patient■ HHS has exempted from the requirementto account for disclosures anydisclosure made pursuant to anauthorization■ The final Rule permits covered entitiesto disclose PHI, without authorization,“to a person subject to FDA’sjurisdiction with respect to an FDAregulatedproduct or activity forwhich that person has responsibility,for the purpose of activities related toquality, safety, or effectiveness of suchFDA-regulated product or activity”The final Rule has tightened the restrictionson marketing activities. In effect,the final changes have narrowed the situationsin which PHI can be used formarketing without the patient’s authori-

zation. The only exceptions to the marketingauthorization requirement are faceto face communications and what arenow called “promotional gifts of nominalvalue.”There is positive news when it comes toresearch activities and the final PrivacyRule. First, the Rule permits a combinedAuthorization. In other words, a HIPAAresearch Authorization can be combinedwith the Common Rule required“informed consent”. Moreover, the Rulenow permits the use of statements suchas “at the end of the research study”instead of listing specific expiration dates.In addition, the Authorization may list“none” as an expiration date, allowingthe Covered Entity to continue usingPHI gathered in the study even after thestudy concludes. Finally, CoveredEntities may continue using PHIobtained prior to a revocation ofAuthorization in order to “maintain theintegrity of the research study.”SPECIALTo get involved or ask a question, just email or call the following SIG chairs; be sureINTEREST GROUPSto include your telephone and fax numbers, and best time to contact you. Alternately,you may fill in this form and fax it to 215/545-8107 or mail it to The HealthCare Compliance Association, 1211 Locust Street, Philadelphia, PA, 19107 ■❏ I am interested in the Special Interest Group(s) checked below:❏ Health Care SystemMichael C. Hemsley, Esq., 610/355-2047, mhemsley@che.org❏ Payor/Managed CareVickie McCormick, 612/204-4156, vmccormick@halleland.com❏ Long Term CareTerri Graham, 502/596-7356, terri_graham@kindredhealthcare.com❏ Home CareChris Anderson, 631/501-7390, chris.anderson@gentiva.com❏ Behavioral HealthJohn Ciavardone, 610/260-4610, Jciavardone@nhsonline.org❏ Academic/ResearchMarti Arvin, JD, CHC, CPC, 412/647-3388, arvinm@msx.upmc.edu❏ PharmaceuticalCharles Brock, 847/937-5210, charles.brock@abbott.com❏ I have a question about:The final Rule has streamlined theprocess for obtaining a waiver from an“institutional review board” or “privacyboard” in order to use PHI for researchwithout authorization. The final Rule hasalso added a class of information called a“limited data set” in order to preservesome of those data points most useful toresearchers, while still eliminating theinformation that most directly identifiesan individual subject.NameTitleOrganizationAddressCityStateZipAll in all, the Privacy Rule has come along way from its first iteration inDecember, 2000. Now the real funbegins as we all continue our implementationefforts. ■PhoneFaxEmailHCCA member #11October 2002

featurearticleOctober 200212Editor’s note: This interview with James R.Herron, Associate Dean and CorporateCompliance Officer/Privacy Officer,University of California, Irvine HealthSciences, University of California, Irvine,was conducted by Rory Jaffe, MD, MBA,HCCA Board member and ComplianceOfficer, UC Davis Health System. Mr.Herron may be reached at 714/456-3672or via email at jrherron@uci.edu. RoryJaffe may be reached at 916/734-8804.RJ:Please tell us of your backgroundand experience.JH:I have been employed at theUniversity of California, Irvine (UCI) for23 years and have served in various positionson the general campus and at UCICollege of Medicine and UCI MedicalCenter. I first began my career on the generalcampus in the Accounting Office asan accountant and later assumed the managementposition as assistant accountingofficer. During this time, I was pursuing ajuris doctor degree and attained thatdegree in 1983 not realizing at the timehow important that educational experiencewould become. In 1989, I was appointedas associate dean of finance and administrationin UCI College of Medicine andserved in this position until 1996 whenthe Health Care Financing Administration(HCFA) now CMS revised documentationguidelines for physicians at teachinghospitals. This, along with the PATH initiative,established a need for a position ofcomprehensive compliance oversight withinUCI HealthSystem (UCI College ofMeet James R. HerronAssociate Dean and CorporateCompliance Officer/Privacy Officerfor the University of California,Irvine Health SciencesMedicine, UCI Medical Center, and UCIMedical Group). Because of my variedexperience and educational background, Iwas asked to accept the position asCorporate Compliance Officer for UCIHealthSystem.RJ:Do you report to the dean ofthe college of medicine and the directorof the medical center?JH: I have a dual reporting relationshipto the Dean of UCI College ofMedicine and the Director of UCIMedical Center.RJ:What do you feel are yourmajor accomplishments as the complianceofficer so far?JH: I feel my major accomplishmentsas corporate compliance officer arethe following:■ The acknowledgement of the importanceof an effective compliance programat all levels, including the UCIChancellor and Executive ViceChancellor, the Dean of UCI Collegeof Medicine, the Director of UCIMedical Center, UCI College ofMedicine academic leadership, staff,and faculty■ Support and assistance from thisgroup to adopt, implement, andmaintain our compliance programand code of conduct■ Corporate Compliance Officer givenappropriate level of authority to assuredevelopment and implementation ofan effective corporate compliance programthroughout UCI HealthSystem■ Development of a compliance programthat not only assures compliancebut also accentuates our values(Academic Achievement, Respect,Integrity, Service, and Excellence), alsoknown as ARISERJ:What do you think was thesecret to getting acknowledgement of your

program from the top all the way down?JH:I believe our success was thedevelopment of a comprehensive complianceprogram, involving them in thedevelopment and implementationprocess, continuously communicatingour implementation plan throughoutthe development process to executiveleadership, and providing effective complianceeducation throughout UCIHealthSystem to all university personnel.RJ:in the next year?JH:What are your top three goalsI have identified my top threegoals for the coming year as follows:■ Continue to assess the effectiveness ofour compliance program through riskanalysis and computer-based competencytesting■ Develop and implement web-based,interactive education modules accessiblefrom the desk top to enhance ourcompliance education program■ Develop and implement HIPAAprivacy compliance monitoring andoversight function within UCIHealthSystem Corporate ComplianceOffice, (hotline, privacy officer, establishHIPAA committee, etc.)RJ:Which of these do you thinkare going to be most challenging?JH:At the moment, I think theHIPAA privacy compliance monitoringoversight will be the most challenging.RJ:JH:Why is that?As you are aware, HIPAA is anew regulation for medical enterprisesand requires that these enterprises complywith these regulatory requirementswithin a prescribed timeframe. Theseregulatory requirements require that wedevelop guidelines, policies and procedures,new forms, etc., as well as educateour workforce regarding the appropriateuse of protected health information(PHI) and educate our patients abouttheir rights as patients. In addition to myrole as Corporate Compliance Officer, Ihave been appointed Privacy Officer andI am responsible for HIPAA implementationon our campus. I also serve onthe University of California HIPAATaskforce that is responsible for oversightof HIPAA implementation for our tencampuses in the UC system and federallaboratories. As Corporate ComplianceOfficer and Privacy Officer, I am planningto utilize our corporate complianceinfrastructure to accommodate HIPAAprivacy compliance oversight. Throughour previous efforts we have an establishedconfidential message line and havedeveloped well-trained staff who willcontinue to provide effective corporatecompliance monitoring and educationand, in addition, will now assume theadditional responsibility for privacy complianceoversight. We will assess our needfor additional resources over the next fewmonths and determine if additional staffis necessary in order to continue to maintainan effective compliance program.RJ:As Privacy Officer as well as theCompliance Officer, where do you findthe extra time?JH:In regard to development andimplementation of our HIPAA complianceand education plan, we have organizeda UCI HIPAA Steering Committeeand various other subcommittees in aneffort to reduce the workload on any oneindividual or unit. I continue to coordinatethis effort; however the success of ourHIPAA implementation is because ofmuch effort and assistance from facultyand staff throughout the organization. Weutilized this same process during theimplementation phase of our corporatecompliance program development. Wehave a well organized corporate complianceoffice staff and our corporate complianceprogram is now well developed so Ibelieve that we can take on this additionalchallenge within our current structure.RJ:Are you getting more personnelto work on the HIPAA compliance?JH: Not at the moment. As I mentionedabove, we have spread the activitythroughout the entire organization. Wehave established our steering committee,which I co-chair with our ChiefInformation Officer (CIO), and sevensubcommittees, all of which are made upof staff and faculty from our institution.We have given the responsibility of cochairingthese subcommittees to representativeswho will be ultimately responsiblefor oversight and compliance withthe new regulations on an on-going basis.In addition our human resources staffwill be responsible for the initial HIPAAeducation as well as the on-going trainingeffort.RJ:Can you describe for us yourefforts in research compliance?JH: We have included clinicalresearch compliance within our corporatecompliance program structure. We havemodeled our clinical research complianceprogram, as we did our other complianceprograms, after the seven sentencingguidelines recommended by the Office ofInspector General (OIG), in that wehave developed our clinical research complianceplan, appointed a clinical researchcompliance officer and research compliancecommittee, educated our workforce,and are monitoring our clinical trailContinued on page 14October 200213

James R. Herronprotocols and clinical trial billing.October 200214RJ:you do?JH:In the hospital setting, what doWe are reviewing protocols forclinical activities related to research protectionsand reviewing the clinical servicesbilling activity as it relates to standardof care which can be appropriatelycharged to medicare or other payers asopposed to clinical research which mustbe charged to the research study. We aremaking every effort to educate andinform our principal investigators aboutthe responsibilities and risks associatedwith research compliance in the area ofhuman subjects. This occurs through livepresentations, our Corporate ComplianceWebsite, and our UCI College ofMedicine Research Manual.RJ:What resources do you need fora program like that?JH:We have assigned the responsibilityfor oversight of our clinical researchcompliance program to a research complianceofficer. The clinical research complianceofficer has a staff of three to assistin reviewing protocols and providingcompliance education and we have twostaff members that monitor clinical trialbilling activity.RJ:What do you think are thegreatest challenges you’ve had as a complianceofficer?JH:I believe my greatest challengehas been in the area of disseminating vastamounts of regulatory information to ourstaff and faculty, on an on-going basis, ina clear, concise, and effective manner. Asyou are aware, one of the elements of aneffective compliance program is education.The key is being able to providecomprehensive, easily understandableeducation programs to our staff and facultyon these regulatory requirements.RJ:I’m going to switch this over tosome training questions. Please describeto me some of the challenges you face intraining people in a large organizationsuch as yours.JH:As Corporate ComplianceOfficer and now Privacy Officer, one ofmy responsibilities is to develop andimplement effective compliance educationprograms for faculty, staff, residents,and medical students and to presentthese educational sessions as efficiently aspossible. We are working on several waysto bring compliance education to thedesktop in a manner that makes it moreefficient and effective but also more convenientto the individual who has to beupdated on compliance issues on a continuousIs there anything special that Ihaven’t touched on yet?basis. Another challenge in edu-JH: I believe the successful imple-cating faculty and staff in a large organizationis faculty and staff turnover. Newfaculty and staff are being recruited andentering UCI HealthSystem and ourchallenge is to inform them of our complianceprogram and provide complianceeducation as soon as possible after theycome on board. This is another reason toimplement computer-based training sothat these new employees can accesscompliance education immediately, viathe web, rather than waiting for the nextscheduled new employee orientation programor the next available complianceeducation program.mentation of our compliance program isbased on the acknowledgment of theimportance of the program from executiveleadership and that culture flowingthrough the organization. Compliancemust become a part of the institution’score values to be meaningful for thelong-term. I believe we are accomplishingthis and we will continue to strive tokeep compliance at the forefront of ourdaily activities. The accomplishmentsthat we have achieved in this area wouldonly have been possible with the supportand authority from the highest levels inthe organization. The support I receiveRJ:access?JH:RORY JAFFEand the authority that I have been givenNo problem with computer allow me to accomplish my goal of providingan effective and sustaining corporatecompliance program for Most of our employees (bothUCIfaculty and staff) have computer access.If an employee does not have access to acomputer, we have established trainingrooms where an individual can go andaccess training via a computer. We havealso prepared a compliance resource manualfor our departments to use for any ofthose individuals who are not, for onereason or another, able to access compliancetraining by computer.RJ:HealthSystem.RJ:JH:Great. Thank you very much.Thank you. ■

SPECIAL GROUPInvestigations:issue, you need to adopt a specificmindset. You must be extremely curi-Some ous and extremely open to new information.lessons fromEspecially when issues are pre-small screen detectivessented to you by other humans, sinceBy Glenna S. Jacksonthey tend to be packaged with a pointof view. Your job is to differentiate theEditor’s note: Glenna S. Jackson has been facts from the point of view. The greatVice President of Compliance fordetectives of television can be your roleMedStar Health, Inc. for five years. models.Before joining MedStar, she developed aReimbursement Compliance Program for Columbo: “Could you just help methe Blue Cross and Blue Shieldunderstand how?”Association Federal Employees Program. It is very instructive to know a lotShe can be reached at 202/877-3868. about an issue already and then asksomeone else to explain how it worksAs a Compliance Officer, investigating from their point of view. This approachissues reported to you can be the most may seem disingenuous, but youinteresting, frustrating, dangerous, and inevitably learn something key aboutrewarding part of your job. In general, the operation that you did not knowissues arise in any one of a number of before; or you learn something aboutways: through the hotline, through the person describing the process. Onedirect contact by an employee, as a byproducttechnique that I use is to ask three peo-of reviews, or during the ple the same question. Of course, youcourse of an exit interview.need to ask each one separately–out ofhearing by the others. The differencesTypically, very few issues come through between the answers are fascinating andthe hotline. Compliance Officers report often hold the key to the real problemthat, as they expand their training and and perhaps the solution as well.review activity, employees get to know Callers have their own perspectives on athem and will simply approach them problem. A unit clerk and the departmentwith questions, problems, and potentialmanager may both give highlyissues to investigate. Other issues arise accurate descriptions of the sameduring the course of a review. At process that sound totally different. TheMedStar, we choose to log them in our key to the problem lies right at thetracking system to ensure that we followpoint where the explanations differ. Itup in a timely, organized way, may be a matter of terminology or inaccording to the protocol we’ve developed.understanding how the system works.(See Sidebar1)Investigations: Willing suspension ofdisbeliefIf you determine that the complianceoffice is responsible for investigating anKojak: “Who loves you, baby?”It is also important to put people atease. Most employees want to do agood job; most want the organizationto succeed. Some however, may be wor-H EALTH C ARE S YSTEMried about their own small errors andmissteps. You may even interview anemployee who actually has somethingto hide. The employee may be nervousand evasive, but their discomfort maynot relate to your area of inquiry. Workhard to calm their anxiety about theirown performance, so that it doesn’t getin the way of your learning about thebroader issues.Dragnet: “Just the facts, ma’am”It is important to separate how peoplefeel about an issue and the conclusionsthey leap to from the actual facts of anissue. Comb through the informationyou have and consciously test each itemto determine if you have informationthat is opinion, hearsay, or fact. Lookfor corroborating data. Refrain fromtaking sides in an issue. Complianceofficers owe as much respect to the personor department accused of wrongdoingas they do to the person calling thehotline.Also remember that not everyone isarticulate about the facts as they understandthem. Employees may not understandhow a process works; they mayonly know about their own piece of thesystem. Doctors, for example, are skilledat helping patients describe their symptomsand make observations about theirown health. Compliance officers needthe same skills at drawing out callers tothe hotline about the facts of an issueand the symptoms of the problem inorder to reach an accurate diagnosis.Law & Order: Remember, there isalways a twist.Rarely does a compliance issue resolveContinued on page 16October 200215

INVESTIGATIONS...continued from page 15Sidebar One: Compliance Issue Report TemplateThe most rewarding aspect of an investigation is solving the problem for the future. Below is the report template thatMedStar uses to document all investigations. Having an organized, consistent approach to investigating, documenting,and reporting compliance issues will help you earn and maintain respect for the Compliance Department. ■COMPLIANCE ISSUE REPORT TEMPLATEPurposeState the reason the review was conducted, the origin ofthe issue, and a brief description of the issue.ScopeDescribe the approach used to conduct the review, identifythose responsible for conducting the review, thetime range included in the review, interviews conducted,sample size, and a description of the documents thatwere reviewed.Government Regulation or PolicyProvide a summary of any government regulations orMedStar Health policies related to the issue.FindingsProvide an overview of the review findings.Findings QuantifiedInclude details that support the review findings.ImplicationsWhat do the review findings mean to the organization,physician, and/or department reviewed. What is thepotential exposure to the organization?RecommendationsGiven the findings of the review, include recommendationsfor improvement.Examples:■ Return of any overpayments■ Physician Disciplinary Action■ Employee Disciplinary Action■ Additional Training Sessions■ Revise Billing and Documentation ToolsFollow-up and MonitoringDescribe any follow-up and monitoring activities necessaryto ensure compliance.■ Additional Coding and Documentation Reviews (byexternal reviewer, paid by trainee) within threemonths of initial findings■ Process Reviews within three months of initial findings©1999 MedStar Health. All rights reservedOctober 200216itself the way you first expect.Compliance officers learn that firstimpressions are often wrong, so it’s bestto keep an open mind and be ready tolearn something you didn’t anticipate.Issues that involve computer programsand columns of numbers, yield onlymild surprises. But issues involvingother human beings introduce a host ofnew variables.Experienced compliance officers know,for example, that not everyone whocalls the hotline is motivated to makesure the company is doing the rightthing, following the government regulations,and operating efficiently. Thehard part is separating the motive of thecaller from the substance of the issue.An unpleasant caller, who seems to havea dishonorable motive, may still have avalid issue. Conversely, an articulate,capable caller may have an ulteriormotive. So it’s best to stick to the factsand see how they play out.How you handle sensitive investigationswill define your reputation as a complianceofficer. You may be a knowledgeable,engaging trainer. Your audits mayContinued on page 18

The protocol is a guide toinvestigating an issue thoroughlybefore making a recommendationfor correctiveaction. It also provides measuresfor ranking issues in orderof significance. Quarterly,Level 1 issues are reported tothe Compliance Committee.When an issue presents, thefirst question to answer iswhether this issue rises to thelevel of a Compliance issue. If,in your judgement, it does,then it is logged into the system.The second question iswhether it is the responsibilityof the compliance office toinvestigate the issue. Manyissues reported to the complianceoffice should be addressedand resolved by other departments,such as RiskManagement or HumanResources. You can build goodrelations with other departmentsby making sure that yourefer to them issues that arewithin their expertise.However, these referred issuesare still logged into the system,because they were initiallyreported to the complianceoffice. The system marks theissue complete and indicates areferral to another department.Staff then follow up with thereferred department in a specifiedamount of time to ensurethe issue has been resolved. ■Sidebar Two: Investigation ProtocolINVESTIGATION PROTOCOLFOR COMPLIANCE ISSUES1. Log issue in tracking system and file hardcopies in issues files.2. Determine and assign level of potential exposure:1–Highest Priority 2–Midlevel Priority 3–Low PriorityEconomic impact Economic impact Economic impact≥ $50,000 $15,000 - $49,999 ≤ $14,999High risk for P.R. Likely risk for P.R. Little to no riskexposure exposure for P.R. exposureSignificant system Some impact on Little to no systemimpact: high potential system: potential for impact: not likelyfor director liability director liability and/or to lead to directorand/or audit by audit by outside liability or auditoutside agency agency3. If issue is a “Level 1” status, consult internal counsel to discuss issue, nextsteps, and need to investigate under attorney-client privilege, then proceedto Step 5.4. If issue is Level 2 or 3, proceed to Step 5.5. Identify person responsible for follow-up.6. Research background on issue and determine areas of exposure.7. Interview parties who have knowledge of the situation.8. Review Carrier rules, payer policies, or company policies and proceduresrelated to issue.9. Gather and review all pertinent information available (i.e., sanctionnotices, claims data, medical records, etc).10. Inform department chair or medical director and administrator of issue.11. Discuss situation with parties in question (include chair, medical director,and/or administrator in meeting).12. Determine if any repayments are necessary. If so, inform internal counseland work with appropriate departments to issue refunds.13. Implement Protocol for Compliance Sanctions, if necessary (with internalcounsel, clinical department chair, and medical director involvement).14. Determine steps required to come to resolution.15. If there is physician, administrator, or employee disagreement, involveinternal counsel in discussions. Follow Protocol for Compliance Sanctionsor Human Resources Policies as appropriate.16. Log action steps and resolution in tracking system (ComplianceSaver).17. File all back-up documents with original issue file.©1999 MedStar Health. All rights reserved. Rev 12/01October 200217

INVESTIGATIONS...continued from page 17be accurate, comprehensive, and ontime.But how you handle sensitiveissues that involve people and their jobsand possibly their mistakes, will determinehow much you will be trusted.Everyone involved in the processdeserves respect, especially any personfound responsible for wrongdoing. Anindividual may be terminated; theorganization may have to refund payments;but the process should beinevitable and dispassionate. It is rarethat an issue involves clear right andwrong. The root of a problem is usuallya combination of misguided interestand lack of controls. Individuals may beresponsible for misguided interest, butthe organization has to take responsibilityfor the controls. Issues that result indisciplinary actions are unfortunate foreverybody. ■Sidebar Three: Compliance Issue Action FormCOMPLIANCE ISSUE ACTION FORMIssue #:Issue Title:Date of Action Description of Action Person Performing ActionIssue Reported To:TitleFacility Compliance DirectorDirector of Corporate ComplianceVice President–ComplianceAudit and Compliance CommitteeCEO/CFOBoard of DirectorsDateDate Report Closed: _____/_____/_____Date of discussion with reporting employee regarding action taken/resolution: _____/_____/_____Approved for Closure:Compliance Officer©1999 MedStar Health. All rights reserved.October 200218

By Paula DahlEditor’s note: Paula Dahl is the Corporate the team to the task–that’s how ICompliance Director for Rotechbecame known as “Drewcilla Carey!”Healthcare Inc. She may be reached at407/822-4600 or by email atWhose Line is it Anyway is a televisionpdahl@rotech.comseries hosted by Drew Carey that hascaptivated audiences with its comicalTo compliance professionals, improvisation. This, I decided, wouldthis is not news. However, for become the law presentation. Afterthe Rotech Healthcare Inc. recruiting (persuading, actually) three(Rotech) employees, this message was new compliance specialists that thisperplexing since that statement was atthe bottom of a memo they receivedinforming them that the annual compliance-trainingprogram was quicklyapproaching. In fact, every memo thatpertained to the annual training endedwith “compliance is not a game”.Mimi could) to collect requests foradditional scenarios and to addressquestions or concerns about the industryand compliance issues in general.The actors improvised the selectionsfrom Mimi’s hat and acted out theaudience’s requests. ModeratorDrewcilla Carey was on hand to explainthe particular law or concern thatappeared in each skit.After four road trips of a full three-daycompliance training, the complianceteam met and reviewed the trainingevaluations. The evaluations demon-The Rotech compliance team feltstrongly that the annual training had tobe memorable as well as effective. In aneffort to meet this objective, whilebrainstorming module development,the team fashioned the idea that eachmodule would associate with a televisiongame show or a television series.For example, a high-risk category wasprepared in the theme of Jeopardy andthe high-volume category was developedwith a Survivor theme, and so on.However, the real challenge came whenthe compliance law module was indevelopment. What game show orseries could convey the tedious and boringtopic of law without putting theaudience into a deep REM cycle?Coincidentally, this topic had receivedlow marks from audiences in the pasttraining, so the team thought it wasappropriate to assign the new person onopportunity was a great introduction tothe company, to the compliance training,and to their deep-seated actingskills, we were ready to design.All involved parties did their research(including watching the TV series) andthen created scenarios reflecting issuesrelated to STARK, HIPAA, CMSMedicare Supplier Standards, Antikickback,and False Claims. To completethe theme, Mimi, from the DrewCarey Show appeared and passed her hataround the audience (as tactfully asstrated that the audience thoroughlyenjoyed the entire compliance trainingand successfully improved the rating ofthe previous law presentation.Attendees felt they could remember thecontent of the training since they wereable to associate it with a positive experience,laughter. Additionally, the messageconveyed, i.e., the jeopardy ofdoing something improper, was clearlyheard. Overall, the Rotech employeesfound that indeed, compliance is not agame, but a valuable resource withintheir own walls. ■October 200219

and you would receive no money.If you took their offer of $500 yourcabin was burned as soon as youleft.Hounded byregulations,even onvacationROY SNELLAs compliance professionals we dealwith regulations all day long. RecentlyI learned that even while on vacationwe do not escape them. I just returnedfrom an unbelievably restful vacationin a very remote and serene location.My wife, our four girls, and I makethis trip once a year to a cabin purchased by my grandfather70 years ago. It is on a deserted 45 mile-long, nine mile-wideisland in Lake Superior. My grandfather stayed all summerand used the cabin to write many of the 90 children’s storieshe published. There are no roads, electricity, running water,and very few people. There are harbors, inlets, coves, and 400smaller islands around the main island. There are lakes on theisland only accessible by foot and there are islands on thoseinland lakes. It is called Isle Royale and it is an archipelago ofserenity.There was a fox at our door, a moose swimming in our harbor,and loons singing all day and night. We saw northernlights, shooting stars, and the big dipper was so bright weneeded sunglasses. Rarely did we see people or boats. Thereare no lights or noise that we are normally accustomed tohearing. There is no electricity, cell phones do not work, norunning water, and the 1920 cooking stove requires wood tofunction properly. It is a marvelous step back into a simplertime. Even the National Geographic magazine on the shelf isdated, August 1948.The reason such a large island is deserted is that the governmentpassed a regulation designating that the island becomea national park in 1940. At the time of the governmenttakeover there were dozens of commercial fisherman, resorts,and several families that had cabins on the island. Commercialfisherman and resort owners were evicted and their buildingswere burnt to the ground. The cabin owners were given achoice between a check of about $500 or keeping the cabinfor the life of the current family members. At the death of thelast family member the government would burn the cabinOctober 200220Many cabin owners sold outbecause they mistakenly thoughtthe government would bring toomany tourists, overpopulate theisland, and ruin the experience. There are 10 cabins left now.I have two uncles on our “Life Lease.” My Uncles are in theirlate 70s. Soon we will no longer be able to use our cabin. Oneuncle has given us permission to put him on indefinite lifesupport; however, it is more likely we will be spreading hisashes next to the ashes of our cabin (which, of course, is illegaldue to a government regulation).The government’s intent was to return the island to its originalstate. They believe it to be one of the few biological ecosystemsin the world. For instance, the island has a wolf populationthat fluctuates from about 12 to 40 depending on the moosepopulation which fluctuates from about 700 to 1,500. Whenthere are a lot of moose, particularly old slow moose, thewolves do well, and their population increases. When themoose are few in number but young and healthy, the wolfpopulation quickly drops.All of the animals are “trapped” on the island which is in themiddle of a lake so temperamental that it once snapped a boatnamed the Edmund Fitzgerald in two. Flora and fauna can neitherenter nor leave the island easily. The ecological balance iscontained by Lake Superior. The government has returned theisland as close to its original state as possible. There are strictregulations about where you can go, when you can go there,and what you can do when you get there.There is a plaque on the island dedicated to the man whofought for the regulation to take over the island. On this trip Istopped, looked at the plaque, and thought once again, “Howodd–a plaque to the guy who stole our utopian cabin.” Onlyin America.I am often asked what I think about the government takeoverand the fact that in a few years we will loose our cabin. Myanswer has always been the same. I am glad he did it and he

deserves a plaque for it. Actually, I believe that those of us whosacrificed our property to save the island should be on theplaque. However, from the government’s perspective, listingthose who were evicted doesn’t have quite the same ring to it.If the government had not taken over Isle Royale there mightbe a road down the middle of the island lined with resorts,restaurants, a big casino, and a landing strip with a wind sock.Thousands of cabins would probably line the shore and covermany of the 400 small islands that surround Isle Royale. Atany given time there could be thousands of people on theisland.Last year there were only 18,000 visitors a year to Isle Royale,some national parks have that many visitors in a day. Humanpopulation on the island is monitored and indirectly discouragedby the strict government regulations. It seems ironic tome that the overpopulation the original “sell-outs” feared wasexactly what the government prevented. I am sure manycabin-owners regret selling out.There is a small island across from our dock called Musselman’sIsland that had its two story cabin burned 50 years ago.While I was sitting on my dock one day last week an oldman in a small boat pulled up and introduced himself asMusselman Jr. himself. Like everyone, he griped about thegovernment but despite the fact he has no cabin, he was stillcoming to the island 50 years later. Would he still be comingif the island looked like the city he currently lived in? Whatwould be the point?My grandfather went there in 1932 to get away to a remotelocation. That was its appeal and value. Although we and othershave lost our cabins they would have been “spirituallyworthless” by now anyway because the original reason forgoing there would have been destroyed by capitalists (I lovecapitalists, but we need to protect a few places from them).What would Isle Royale look like in an unregulated country?Would profiteers have ravaged its trees, minerals, and wildlife?Many beautiful pieces of land have been significantly changedby “progress.”Don’t get me wrong, I am extremely disappointed that we willlose the cabin. I cannot describe the wonderful experience it isto sit on our porch overlooking Tobin harbor and listening tothe loons sing. It has become an annual family retreat of rejuvenationand bonding. Our last day on the island will be a terribleday. It is irreplaceable. Regulations stole our cabin andsaved Isle Royale. From the big picture perspective, I wouldsay it was a reasonable trade. From a small picture perspectiveit is an extraordinary personal sacrifice by our family.Regulations often hurt a minority of people while attemptingto help the majority of people. Regulations get old and needto be fixed. Regulations cause a lot of additional work.Regulations sometimes do not go far enough and other timesthey go too far. Some regulations are indefensible. Collectively,regulations affect our country’s living style, personality, andculture. Look around the globe and you will see unregulatedcountries. In my opinion, under-regulated countries work nobetter than over-regulated countries.When you get tired of fighting with the oftentimes frustratingregulations it is helpful to step back and look at the alternativeunregulated approach some countries take. Without regulationspeople can suffer spiritually, physically, and economically.To achieve the overall benefit of regulations we have to takethe bad with the good. When you are out there dealing withthe complaints such as “Why do we have to do this?”, “This isnot fair!”, and “This makes no sense.”, it helps to know thatwithout regulations the environment we created in the UnitedStates would not work. There is no perfect system.Compliance professionals can proceed with a greater convictionand peace of mind if you understand and support theoverall purpose and impact of regulations. It helps to supportthe notion that you must support the bad with the good for aregulatory system to work. For the system to work we can notjust support and comply with the regulations that make sense.If you don’t believe that regulations, despite all of their problems,are necessary and are overall very helpful, your job as acompliance professional will be very painful. ■Compliance Today wants you!Please email your article or topic ideas to Compliance Todayeditor, Margaret Dragon, at mrdragon@ziplink.net. Be sure toinclude your telephone number. Or call Margaret at781/593-4924 to discuss your article ideas. ■October 200221

By Kirk J. NahraEditor’s note: Mr. Nahra is a partner in definition (for example, a communicationthe Washington, D.C. law firm of Wileyby a Covered Entity for theRein & Fielding, LLP, specializing in purpose of describing entities participatingprivacy and insurance fraud issues. Viewsin a health care network orexpressed in this article are his alone and for the purpose of determining thedo not necessarily reflect the views of any extent to which a product or serviceentities he represents. He may be reached is provided by the Covered Entity orat 202/719-7335 or knahra@wrf.com included in a plan of benefits)J■ Marketing communications forust last month in the Payor/ which an Authorization is notManaged Care SIG, werequired (a marketing communicationto the individual that concernsaddressed how the HIPAAPrivacy Rule will affect marketing in health-related products or services ofthe health care context. (See Nahra, the Covered Entity (or of a thirdMarketing Under the HIPAA Privacy party) and the communication meetsRule, Compliance Today, September certain specified requirements (e.g.,2002, pp. 6-8.) Now, with the publicationit describes how the individual mayof the “final” Privacy Rule, HHS opt out of receiving such futurehas changed the rules again, although communications))these changes will make it somewhateasier for health plans (and others) to The NPRM changesengage in certain limited marketing The NPRM cut back significantly onactivities. Here are the highlights. the “marketing” that could be donewithout an Authorization. In particular,The first “final” RuleHHS proposed to delete the category ofAs published in December 2000, the marketing communications for “healthPrivacy Rule did not impose anrelated products or services of theabsolute prohibition against using or Covered Entity or another third party,”disclosing PHI for marketing. Rather, which, under the Privacy Rule, couldthe Privacy Rule generally provided that be made without Authorization as longbefore a Covered Entity could use or as certain conditions were met.disclose PHI for marketing purposes, itmust obtain a prior written Authorization,HHS also proposed certain otherunless the disclosure fits one of “minor clarifications” to the marketingthe marketing exceptions. There were provisions. They revised the definitiontwo key exceptions:of marketing, to focus on the effect of■ Communications that fall within one the communication, not the intent ofOctober 200222of the exceptions to the marketing the marketer. There also was a slightKIRK J. NAHRArevision to the exceptions for the marketingcommunications in connectionwith treatment-related activities, tobring the exception in line with terminologyused elsewhere (to allow communications“for case management orcare coordination for that individual, orto direct or recommend alternativetreatments, therapies, health careproviders, or settings of care to thatindividual”)The “final” final RuleHHS, in the August 14, 2002 finalRule, changed the rules again. In general,HHS adopted many of the changesproposed in the NPRM. There weretwo significant changes, however.First, HHS was concerned that CoveredEntities would disclose PHI to thirdparties, perhaps even for monetary payments,in the guise of “business associate”arrangements, and the third partieswould use that PHI to market theirown products as “alternative treatments.”HHS seemed particularly concernedabout pharmaceutical companiestrying to market different drugs. HHS,in the final Rule, eliminated this practiceby expressly prohibiting arrangementsbetween a Covered Entity and

another entity where, in exchange forremuneration, PHI would be disclosedfor the other entity to make a communicationabout its own products or servicesthat would encourage recipients ofthe communication to purchase or usethat product or service. HHS views thisprovision as prohibiting the sale ofpatient lists.In addition, the Final Rule broadensthe types of communications that canbe made without an Authorization(although not going as far as to restorethe general exception from the firstfinal Rule for “health-related communications.”).Instead, in addition to allowingcommunications for treatment, casemanagement or care coordination, or todirect or recommend alternative treatmentsor settings of care, HHS nowallows communications that describe:■ A health-related product or service(or payment for such product orservice) that is provided by, orincluded in a plan of benefits of, theCovered Entity making the communication,including communicationsabout: the entities participating in ahealth care provider network orhealth plan network; replacement of,or enhancements to, a health plan;and health-related products or servicesavailable only to a health planenrollee that add value to, but arenot part of, a plan of benefitsThe specific addition deals with twopoints–replacement or enhancement ofa health plan, and “value added items orservices.”For health plans, this final provisionwill allow plans to market a wide varietyof “changes” to their products.Specific examples mentioned in thefinal Rule are:■ Product upgrades (differentdeductibles, co-pay percentages, etc)■ Conversion or continuation policies(e.g., a child no longer covered by aparent’s policy)■ Guaranteed issue products■ Prescription drug card programsThe key question for analysis is wherethe line is between a “new” health productand a “replaced” or “enhanced”product.Also, HHS now allows marketing ofcertain “value-added” items and services(e.g., discounts on eyeglasses or chiropracticvisits), as long as these valueaddeditems were “health-related” andwere available only to members of aninsurance plan. If these discounts applyto non-health areas (e.g., movie tickets,)or are available to the general public(either from the Covered Entity or theservice provider directly), then no marketingcould occur without an Authorization.(Query whether this provisionplaces an obligation on a CoveredEntity to ensure that no one else couldget the same discount from the serviceprovider?). In general, while the finalchanges do not allow unlimited marketingof “health-related” products or services,the final Rule does allow much ofthe marketing that was allowed by theoriginal final Rule, without the need forCovered Entities to establish an “optout”process.ConclusionsMarketing remains an area of criticalconcern, for HHS, Covered Entities,and the general public (and theirlawyers). While the final Rule allowscertain marketing activities withoutrestriction, Covered Entities shouldevaluate these Rules carefully, with aneye not only towards compliance withthe Rule but also to the risks of activitiesat the margins. ■Attention HCCA Members:HCCA Compliance Performance Measurement InitiativeUpdate and DRAFT Report to be issuedHCCA Member Luncheon–October 1, 2002–12:15 to 1:45Hilton Washington Hotel, Washington, DCAn update on the progress of the HCCA Compliance Performance Measurement Initiative and a DRAFT report will bereleased and reviewed during a luncheon planned for HCCA Members during the Fraud & Compliance Forum, HiltonWashington Hotel on October 1, 2002, from 12:15-1:45—on the HCCA Compliance Performance MeasurementInitiative by Steve Vincze, CHC, Chair, HCCA Measurement Task Force. All members are encouraged to attend. ■23October 2002

October 2002HCCA REGIONAL24CONTACTSMeet HCCA’s 2002Regional PresidentsThe 2002 RegionalPresidents are:■ Region I–President, RobertFreeman, JDAssociate General Counsel &Compliance OfficerBlue Cross Blue Shield ofMassachusetts, Boston, MA617/246-3535robert.freeman@bcbsma.com■ Region II–President, Bret BisseyChief Compliance OfficerDeborah Heart and Lung CenterBrown Mills, NJ609/893-3014bisseyb@deobrah.org■ Region III–President, Donna K.ThielMorgan Lewis & Bocklus202/739-5165dthiel@morganlewis.com■ Region IV–President, BrittCrewse, CPA, MHS, MBAAssociate VP & Chief ComplianceOfficer & Privacy OfficerDuke University Health SystemDurham, NC919/668-6250britt.crewse@duke.edu■ Region V–President, DavidOrbuchCorporate Compliance OfficerAllina Health SystemMinneapolis, MN952/992-2795dorbuch@allina.com■ Region VI–President, DavidLancaster, CHCDirector, Internal AuditCook Children’s Health CareFort Worth, TX817/810-1358davidl@cookchildrens.org■ Region VII–President, MillieJohnson, JD, CPCAssoc. General Counsel Reg.SupportCreighton University, Omaha, NE402/280-2107milliej@creighton.edu■ Region VIII–President, JuleneBrown, RN, CPC, CHCBilling Compliance ManagerMeritCare Health SystemFargo, ND701/234-3747julenebrown@meritcare.com■ Region IX–President, StevenOrtquistChief Compliance OfficerBanner Health System, Phoenix,AZ602/495-4845steven.ortquist@bannerhealth.com■ Region X–President, TimTimmonsCompliance OfficerHealth Future, LLC, Medford,OR541/618-7257hfuture@aol.comDon’t hesitate to contact yourRegional President. Your ideasand involvement are alwaysappreciated. ■Region IRegion IIIRegion VRegion VIIRegion IXRegion IIRegion IVRegion VIRegion VIIIRegion X

Editor and Publisher:Margaret R. Dragon, Director of Communications, HCCA, 781/593-4924,mrdragon@ziplink.netConsulting Editors:Sheryl Vacca, President, HCCA, 916/498-7156Roy Snell, CEO, HCCA, rsnell@hcca-info.orgAdvertising Department:Joni Lipson, 888/580-8373, joni.lipson@rmpinc.comDesign & Layout:Robin Taliesin, Raven Creative, 781/631-4639, robint@raven2.comHCCA Officers and Board of Directors:Sheryl Vacca, CHCHCCA PresidentDirector, West Coast Compliance Practice,Deloitte & ToucheAlan Yuspeh, JD, MBAHCCA 1st Vice PresidentSenior Vice PresidentEthics, Compliance and CorporateResponsibilityHCAAl W. Josephs, CHCHCCA 2nd Vice PresidentCompliance OfficerHillcrest Healthcare SystemOdell GuytonHCCA TreasurerDirector for ComplianceMicrosoft CorporationDaniel RoachHCCA SecretaryVP and Corporate Compliance OfficerCatholic Healthcare WestGreg WarnerHCCA Imme. Past PresidentDirector for ComplianceMayo FoundationShawn Y. DeGroot, CHCCompliance OfficerUpper Midwest Network & VA Medical& Regional Office CenterSuzie Draper, BSN, RNCorporate Compliance Officer and PrivacyOfficer, Intermountain Health CareCEO/Executive Director:Roy Snell, CHCHealth Care Compliance AssociationRory Jaffe, MD, MBAChief Compliance OfficerU.C. Davis Health SystemAllison Maney, CPA, CHCCompliance OfficerLovelace Health SystemVickie McCormickSpecial CounselHalleland Lewis Nilan Sipkins & JohnsonLewis Morris, Esq.Assistant Inspector Generalfor Legal AffairsDHHS Office of Inspector GeneralF. Lisa MurthaChief Audit and Compliance OfficerChildren’s Hospital of PhiladelphiaJeffrey Oak, PhDAssociate Chief Financial Officer forComplianceVeteran’s Health AdministrationTeresa L. Mullett ResselDeputy Assistant SecretaryU.S. TreasuryBrent SaundersPartnerPricewaterhouseCoopersDebbie Troklus, CHCAssistant Vice President for Complianceand PrivacyUniversity of Louisville, School ofMedicineL. Stephan Vincze, JD, LL.M, CHCEthics and Compliance OfficerTAP Pharmaceutical Products, Inc.Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care ComplianceAssociation (HCCA), 1211 Locust Street, Philadelphia, PA 19107. Subscription rate is $287 a yearfor non-members. Periodicals postage-paid at Philadelphia, PA 19107. Postmaster: Send addresschanges to Compliance Today, 1211 Locust Street, Philadelphia, PA 19107. Copyright 2002the Health Care Compliance Association. All rights reserved. Printed in the USA. Except wherespecifically encouraged, no part of this publication may be reproduced, in any form or by anymeans without prior written consent of the HCCA. For subscription information and advertisingrates, call HCCA at 888/580-8373. Send press releases to M. Dragon, PO Box 197, Nahant, MA01908. Opinions expressed are not those of this publication or the HCCA. Mention of productsand services does not constitute endorsement. Neither the HCCA nor CT is engaged in renderinglegal or other professional services. If such assistance is needed, readers should consult professionalcounsel or other professional advisors for specific legal or ethical questions.PEOPLEEditor’s note: If you have receiveda promotion, award, degree, orrecently changed jobs, please let CTknow. Call or fax 781/593-4924, emailmrdragon@ziplink.net, or mail your news to MargaretDragon, HCCA, P.O. Box 197, Nahant, MA 01908.➤ Kathleen Catalano, RN, JD, is now Director ofRegulatory Compliance at Provider Healthnet Services Inc.in Addison, TX. She may be reached at 214/764-3749.➤ Cheryl Hetland is Specialty Pharmacy Coordinator forFairview Pharmacy Services in Minneapolis, MN. She maybe reached by email at chetlan1@fairview.org➤ Jill B. Keller has joined the Health Law Practice Group aspartner in the Bangor, Maine office of Duane Morris. Shemay be reached at 207/262-5400.➤ Catherine King, JD has been named the Plan Compliance& Ethics Liaison for the Blue Cross Blue Shield Associationin Chicago. She may be reached at 312/297-5732.➤ Sharon McNamara, RN, JD, CHC, is now Risk Managerfor Chubb Group of Insurance Companies Health CareGroup in Simsbury, CT. She may be reached at 603/742-6660.➤ Rita Vann is now the Director of Corporate Compliancefor Mariner Health Care. She can be reached at 678/443-6919. ■HCCA Annual Survey resultswill be reviewed in the nextissue of Compliance Today.Thank you to all whoparticipated in this year’sAnnual Survey. ■25