Download - Health Care Compliance Association

March 20112Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Publisher:Health Care Compliance Association, 888-580-8373Executive Editor:Roy Snell, CEO, roy.snell@hcca-info.orgContributing Editor:Gabriel Imperato, Esq., CHCEditor:Margaret R. Dragon, 781-593-4924, margaret.dragon@hcca-info.orgCopy Editor:Patricia Mees, CHC, CCEP, 888-580-8373, patricia.mees@hcca-info.orgLayout and Production Manager:Gary DeVaan, 888-580-8373, gary.devaan@hcca-info.orgHCCA Officers:Jennifer O’Brien, JD, CHCHCCA PresidentMedicare Compliance OfficerUnitedHealth GroupFrank Sheeder, JD, CCEPHCCA 1st Vice PresidentPartnerJones DayShawn Y. DeGroot, CHC-F, CHRC, CCEPHCCA 2nd Vice PresidentVice President Of Corporate ResponsibilityRegional HealthJohn C. Falcetano, CHC-F, CIA, CCEP-F, CHRCHCCA TreasurerChief Audit/Compliance OfficerUniversity Health Systemsof Eastern CarolinaCatherine M. Boerner, JD, CHCHCCA SecretaryPresidentBoerner Consulting, LLCDaniel Roach, Esq.Non-Officer Board Memberto the Executive CommitteeVice President Compliance and AuditCatholic Healthcare WestJulene Brown, RN, MSN, BSN, CHC, CPCHCCA Immediate Past PresidentDirector of Corporate ComplianceInnovis HealthCEO/Executive Director:Roy Snell, CHC, CCEP-FHealth Care Compliance AssociationCounsel:Keith Halleland, Esq.Halleland Habicht PABoard of Directors:Urton Anderson, PhD, CCEPChair, Department of Accounting andClark W. Thompson Jr. Professor inAccounting EducationMcCombs School of BusinessUniversity of TexasMarti Arvin, JD, CPC, CCEP-F, CHC-F, CHRCChief Compliance OfficerUCLA Health SciencesAngelique P. Dorsey, JD, CHRCResearch Compliance DirectorMedStar HealthBrian Flood, JD, CHC, CIG, AHFI, CFSNational Managing DirectorKPMG LLPMargaret Hambleton, MBA, CPHRM, CHCSenior Vice PresidentMinistry Integrity, Chief Compliance OfficerSt. Joseph Health SystemDave HellerVP and Chief Ethics and Compliance OfficerEdison InternationalRory Jaffe, MD, MBAExecutive Director, California Hospital PatientSafety Organization (CHPSO)Matthew F. Tormey, JD, CHCVice PresidentCompliance, Internal Audit, and SecurityHealth Management AssociatesDebbie Troklus, CHC-F, CCEP-F, CHRCAssistant Vice Presidentfor Health Affairs/ComplianceUniversity of LouisvilleSheryl Vacca, CHC-F, CCEP, CHRCSenior Vice President/Chief Complianceand Audit OfficerUniversity of CaliforniaSara Kay Wheeler, JDPartner–AttorneyKing & SpaldingCompliance Today (CT) (ISSN 1523-8466) is published by the Health CareCompliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN55435. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Sendaddress changes to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis,MN 55435. Copyright 2011 Health Care Compliance Association. All rightsreserved. Printed in the USA. Except where specifically encouraged, no part of thispublication may be reproduced, in any form or by any means without prior writtenconsent of the HCCA. For Advertising rates, call Margaret Dragon at 781-593-4924. Send press releases to M. Dragon, 41 Valley Road, Nahant, MA 01908.Opinions expressed are not those of this publication or the HCCA. Mention ofproducts and services does not constitute endorsement. Neither the HCCA norCT is engaged in rendering legal or other professional services. If such assistance isneeded, readers should consult professional counsel or other professional advisors forspecific legal or ethical questions.INSIDE4 Deciphering Dodd-Frank: Implications of thewhistleblower award programBy Howard J. Young and Sherine B. Abdul KhaliqThe new law may entice some employees to circumvent internalreporting and go directly to the government to report fraud.Health Care Compliance Association • 888-580-8373 • www.hcca-info.org7 Research record retention requirements By Mike WheelerInstitutions, sponsors, and government agencies may require youto keep research-related documents for varying amounts of time.9 Newly Certified CHCs, CHRCs and CHPCs10 A compliance officer’s best bet: Smart technologyinvestments for clinicians By Carol EverhartThe cost of technology is far outweighed by improved quality ofcare, faster audits, and savings in time and money.12 Ambulance replenishing and remuneration: Compliancewith federal guidelines By Denise A. Atwood and Eric M. RoyalThe Anti-kickback Statute has a safe harbor for restockingambulances used for emergency services.14 Meet Steve Lindo, Director, Treasury Management andMortgage Risk, Fifth Third BancorpAn interview by Greg Triguba18 Letter from the CEO By Roy Snell2010 was a great year for our organization19 Social Networking By John FalcetanoBurning compliance questions20 CEU: Feature Focus: The compliance officer’s role inboard oversight of the compliance programBy H. Rebecca NessKeeping board members fully informed about compliance issues,but not overwhelmed with details, is both an art and a science.25 HIPAA, HITECH, and health information: Past, present,and future By Sherry K. ScottA look at the journey toward meaningful use of electronic healthrecords.31 What’s new for PEPPER: More target areas, new settingsBy Kimberly Hrehor and Dan McCulloughThese free, comparative billing reports are a tool for preventingunnecessary admissions, coding errors, and improper payments.38 CEU: OIG/GSA sanction screening: Creating a robustcompliance program By Cynthia L. PalkaMaking a proactive effort to ensure that none of your employeesor vendors are on sanction lists for government payers.42 Improving hospital risk assessmentBy Mitch Saruwatari and James WadzinskiHospital emergency managers know what to do when disasterstrikes to prevent disruption of patient care.45 CEU: Genetic Information Nondiscrimination Act of 2008By K RoyalEmployers and health plans must follow specific rules that mostlyprohibit using genetic information about employees.49 New HCCA Members3March 2011

March 20114Deciphering Dodd-Frank: Implicationsof the whistlebloweraward programBy Howard J. Young, Esq. and Sherine B. Abdul Khaliq, Esq.Editor’s note: Howard J. Young is a Partner (R-MA), the Dodd-Frank Act increases thein the Washington DC office of Morgan Lewis monetary award that can be paid by the& Bockius, where he concentrates on health SEC to whistleblowers who have originalcare compliance, enforcement, and fraud and information and report suspected violationsabuse matters. He can be reached by telephone of securities laws that lead to a successfulat 202/739-5461 or by e-mail at hyoung@ enforcement action. The Dodd-Frank Act alsomorganlewis.com.enhances anti-retaliation protections for thoseindividuals who provide the Commission withSherine B. Abdul-Khaliq is an Associate in information about potential securities violations.Additionally, the Dodd-Frank Act cre-Morgan Lewis’s FDA & Health Care PracticeGroup, and frequently counsels clients on ates a new Investor Protection Fund to finance,compliance program matters. She can be reached in part, whistleblower awards—funded to theby telephone at 202/739-5108 or by e-mail at tune of over $451 million for FY 2010.sabdulkhaliq@morganlewis.com.Contours of the whistleblower award programSigned into law on July 21, 2010, Section 922 of the Dodd-Frank Act adds newand with proposed rules promulgatedby the Securities and Exchange Incentives and Protection” to the SecuritiesSection 21F, entitled “Securities WhistleblowerCommission (SEC or the Commission), and Exchange Act of 1934. Under this newthe Dodd-Frank Wall Street Reform and authority, the SEC has the power to provideConsumer Protection Act (Dodd-Frank Act) monetary rewards to individuals who provideincludes important new whistleblower provisionsthat could seriously challenge, and in to recoveries of monetary sanctions in excessthe Commission with information that leadssome respects undermine, existing internal of $1 million. The Dodd-Frank Act requirescompliance programs at publicly-traded health the SEC to promulgate final implementingcare companies. 1 Compliance programs encourageinternal reporting of suspected wrongdoing; the administration of the whistleblower awardregulations by April 21, 2011 that will governthe Dodd-Frank Act’s financial awards and program. Accordingly, on November 3, 2010,protections to whistleblowers provide a strong the Commission issued the requisite proposedincentive to sidestep internal compliance programreporting in favor of SEC reporting.rule, Regulation 21F.Key highlights of Regulation 21F, whichNamed after co-sponsoring Senatorsallowed for public comments by DecemberChristopher Dodd (D-CT) and Barney Frank 17, 2010, are as follows.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgDefinition of whistleblower. A whistlebloweris any natural person (companiesor other entities excluded) who alone, orjointly with others, provides informationto the Commission relating to a potentialviolation of the securities laws. The emphasison “potential violation” makes clear thatthe anti-retaliation protections afforded toindividuals under the Dodd-Frank Act do notdepend on an actual finding or conclusionthat a securities law has been violated.Payment of award. To be eligible for awhistleblower award, an individual must satisfythe following criteria: (1) voluntarily providethe Commission (2) with original information(3) that leads to the successful enforcement bythe Commission of a federal court or administrativeaction (4) in which the Commissionobtains monetary sanctions totaling more than$1 million. Here, the SEC in its proposed ruleunderscores once again that anti-retaliationprotections are not conditioned on whetherthe whistleblower meets all of the requirementsfor payment of an award.Voluntary submission of information. Asubmission will be deemed voluntary if thewhistleblower provides the Commission withinformation before receipt of any request,inquiry, or demand from the SEC, Congress,other government authority, or the PublicCompany Accounting Oversight Board.Information submitted by individuals with aclear, pre-existing legal duty to report securitiesviolations (e.g., a lawyer or independentauditor for the company) of the type at issuewill not be considered voluntary.Original information. The requirementfor the submission of “original information”mandates that information be provided to theCommission after July 21, 2010, when theDodd-Frank Act was enacted. Additionally,the “original information” must flow from the

whistleblower’s “independent knowledge oranalysis.” The “original information” cannotalready be known to the SEC from any othersource and may not be exclusively derived froman allegation made in a judicial or administrativehearing, in a government report, hearing,audit, or investigation, or from the newsmedia, unless the whistleblower is the sourceof the information. The proposed Regulation21F, also excludes certain categories of informationfrom being considered to be derivedfrom independent knowledge or analysis,such as information obtained by lawyers andaccountants from client engagements.audit, supervisory, or governance responsibilitieswho receive information based on thereasonable expectation that they will takeappropriate steps to cause an entity to respondappropriately to the violation. The proposedSEC regulation also bars any informationobtained from or through an entity’s legal,compliance, audit, or similar functions or processesfor identifying, reporting, and addressingpotential non-compliance with securities laws.The goal of these two exclusions is to addressthe potential for monetary incentives toundermine a company’s existing compliance,legal, audit, and similar internal processes; butthey may not go far enough. The SEC’s rulenecessary. For instance, a company may needto strengthen its anti-retaliation languagein its employee handbook, or it may needto substantially overhaul its written policiesand procedures to encourage and incentivizeemployees to report violations in accordancewith company policies by using existingcompany reporting mechanisms.It is unclear how the SEC will respond topublic comments from the regulated industry(and from the myriad of law and consultingfirms that filed comments) for greatersafeguards that will minimize the potentialfor bad-faith actors, such as entrepreneurialIs a storm brewing?The passage of the Dodd-Frank Act igniteddebate among the regulated business community,the plaintiff’s bar, and whistlebloweradvocates about how best to balance thetensions that result from trying to encourageindividuals to come forward with high-qualitytips while simultaneously discouraging othersfrom circumventing their company’s owninternal compliance program. By providingwhistleblowers with between 10% and 30%(in aggregate) of any monetary sanctions theSEC is able to collect, the Dodd-Frank Act, aswritten, financially incentivizes whistleblowersto bypass well-established internal mechanismsfor reporting wrongdoing, and potentiallydeprives companies of the opportunity to takeprompt corrective action that could mitigatethe effects of enforcement action. This dynamicis similar to that which has existed under thequi tam whistleblower provisions of the FalseClaims Act, making it even more challengingfor compliance officers to effectively encourageemployees to report suspected wrongdoingthrough corporate compliance programs.would not mandate that whistleblowers firstreport actual or potential violations throughexisting channels established by a companyfor disclosing fraud and abuse violations.Furthermore, the exclusions contain an escapehatch for legal, compliance, or other personnelto go directly to the government, if a companydoes not disclose information within a reasonabletime or if the entity proceeds in bad faith.These are inherently vague standards that mayinvite reports from whistleblowers who dohave a fiduciary, legal, compliance, or auditresponsibility to the company.Impact on the health industryThe Dodd-Frank Act and its correspondingSEC regulations were not written specificallywith the health care industry in mind, buthealth care companies subject to the SEC’sregulatory authority should not overlook itsapplication to their operations, particularlywith respect to corporate compliance.For-profit health care companies, even thosewith sophisticated and robust complianceprograms, should pay close attention to theCommission’s final rule pertaining to thewhistleblowers and lawyers looking to cash inon the bounty program by using informationthat lacks any indicia of reliability and specificity.Given the clear Congressional mandateto encourage the reporting of valuableinformation on securities law violations inexchange for rich financial rewards, however,it is unlikely the SEC will dramatically alterits approach in the final rule.Corporate Compliance Committees andofficers at health care companies shouldperform their own environmental scan, keepingin mind that the whistleblower provisionsof the Dodd-Frank Act break in favor of thegovernment and largely support its desire toleverage information from third parties (i.e.,whistleblowers) to combat insider trading andsecurities fraud. Obviously, the “lionization”of whistleblowers by the government makesany perceived retaliation against a whistleblowerthat much riskier.The government has bolstered its prowhistleblowerstance with strong antiretaliationprovisions within the Dodd-FrankThe SEC acknowledged this tension inRegulation 21F and attempted to address theissue by barring the submission of informationwhistleblower award program and enhancedwhistleblower protections to determinewhether changes to its internal complianceAct that make it unlawful for any employerto “discharge, demote, suspend, threaten,harass, directly or indirectly, or in any otherobtained by persons with legal, compliance, policies and procedures and training areContinued on page 6Health Care Compliance Association • 888-580-8373 • www.hcca-info.org5March 2011

Deciphering Dodd-Frank: Implications of the whistleblower award program ...continued from page 5manner discriminate against, a whistleblowerin the terms and conditions of employment.” 2Moreover, the Dodd-Frank Act provides thatany individual who alleges retaliation thereundermay bring an action in the appropriatefederal district court. The anti-retaliationprotections of the Dodd-Frank Act are notentirely unfamiliar to many health care companies,because the establishment of a policyof non-intimidation and non-retaliationfor good-faith participation in complianceprograms has been well-touted by New York’sinfluential Medicaid Inspector General, JamesG. Sheehan, as the eighth pillar of an effectivehealth care compliance program.ConclusionLitigation trends indicate that whistleblowerswill continue to be an important source fordetecting corporate fraud and abuse. Thus,it goes without saying that monetary awardsprovided in exchange for such informationwill serve as a powerful inducement forindividuals to come forward about fraudulentand other prohibited conduct. As such, theevolving contours of the SEC’s whistlebloweraward program are one to watch. In its currentiteration, it is viewed by those representingwhistleblower interests as a powerful tool, and,unless curtailed through rulemaking, it willlikely spur increased whistleblower activity andgovernment enforcement for publicly tradedhealth care companies for years to come. Itsbroader effect throughout the health careindustry remains to be seen on “best practice”anti-retaliation policies and procedures andinternal compliance program reporting. n1 Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub.L. No. 111-203, § 922, 124 Stat. 1376, 1841-49 (2010); 75 Fed. Reg.70488, 70488-554 (Nov. 17, 2010).2 Dodd-Frank Wall Street Reform and Consumer Protection Act §922,124 Stat. at 1845-46.Contact Us! www.hcca-info.orginfo@hcca-info.orgFax: 952/988-0146HCCA6500 Barrie Road, Suite 250Minneapolis, MN 55435Phone: 888/580-8373To learn how to place an advertismentin Compliance Today, contactMargaret Dragon:e-mail: margaret.dragon@hcca-info.orgphone: 781/593-4924Diverse Talents.Diverse People.Diverse Opportunities.One Mission.Partners Continuing Care (PCC) is the non-acute care services division of Partners HealthCare, headquartered in Boston. PCC isdedicated to providing a comprehensive array of rehabilitation, long-term acute care, skilled nursing, and certified home health andprivate duty services to patients and their family.Vice presidentQuality Assurance, compliance & regulatory AffairsIn this role, you will be responsible for the leadership and comprehensive oversight of Partners Continuing Care(PCC) compliance, regulatory, business integrity and quality programs. You will be the primary architect for developingrelevant policies, procedures and practices and promote a corporate culture that fosters ethical business behavior. Thisposition is responsible for ensuring compliance with all laws and regulatory requirements and the measurement,improvement and sustainment of patient and organizational quality outcomes.The incumbent will supervise all PCC exempt compliance and quality professionals as well as department supportstaff, leading a centralized function supporting all PCC entities. This will include two rehabilitation hospitals, twoLTACHs, two SNFs, 23 outpatient centers, as well as a certified home and a private duty agency. Qualified applicantsmust have an advanced degree in a related field. Compliance and Quality certification is highly desired. Clinicallicensure (PT/OT/SLP/RN), in the Commonwealth of Massachusetts is required. Applicants must have a minimum of10 years’ experience in a related setting with regulatory oversight. Experience within a complex health care organizationwith extensive patient care, research and academic programs, multiple sites and/or corporate entities is essential.Interested applicants are encouraged to visit us online for more information and to apply to Job ID# 2209043 at:www.spauldingrehab.org/careersPartners Continuing Care is an equal opportunity employerembracing the strength diversity brings to the workplace.March 20116Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Researchrecord retentionrequirementsBy Mike Wheeler, MA, CCRAEditor’s note: Mike Wheeler is an Assistant and Agreements with Institutions of HigherProfessor at the Medical University of South Education, Hospitals, and Other Non-ProfitCarolina in Charleston. He serves as University Organizations). The circular specifies thatPrivacy Officer and University Information financial records, supporting documents,Assurance Compliance Officer. He may be statistical records, and all other pertinentcontacted by telephone at 843/792-8744 or by records shall be retained by the institution.Research records are pertinent to thee-mail at wheelerm@musc.edu.award and therefore, must be retained. ThisAn article published in the November retention period is three years from the date2010 edition of Compliance Today of submission of the final expenditure report(“What Every Compliance Officer or, for awards that are renewed quarterly orShould Know About Document Retention”) annually, from the date of the quarterly orfocused on the various requirements for the annual financial reports, as authorized by theestablishment of a comprehensive record federal awarding agency.retention program. This article providedin-depth requirements for the health care In addition, institutions (including hospitals)industry, but did not address the subject of that apply for or receive Public Health Servicethe retention of records for research studies. support for research must meet the retentionEstablishing a research record retention requirements specified in 42 Code of Federalprogram is a three-step process.Regulations (CFR) Part 93 (Public HealthService Policies on Research Misconduct).First, identify your research records. A This regulation specifies evidentiary retentionresearch record can be defined as a record of requirements for research records and requiresdata or results that embody the facts resulting research records to be retained for a sufficientfrom scientific inquiry, including but not minimum period to allow evaluation andlimited to research proposals, laboratory repetition by others of the results and torecords, both physical and electronic, progress investigate an allegation of research misconduct.Usually, this minimum retention periodreports, abstracts, clinical trial records, theses,oral presentations, internal reports, journal is six years. An institution must also maintainarticles, etc.records of research misconduct proceedingsin a secure manner for seven years afterSecond, identify the regulations and specify completion of the proceeding or the completionof any proceeding involving the researchthe requirements for research record retention.Federal regulations for record retention and misconduct allegation, whichever is later.access to records for awards to recipients areset forth in OMB Circular A-110, (Uniform The Federal Food and Drug Administrationrequirements for studies under their purviewin 21 CFR Part 312 (Investigational NewDrug Application) and requires the PrincipalInvestigator (PI) to retain records for a periodof two years following the date a marketingapplication is approved for the drug for theindication for which it is being investigated.If no application is to be filed, or if theapplication is not approved for such indication,retain the records for two years after theinvestigation is discontinued and the FDA isnotified. Similar retention requirements arespecified for Investigational Device Exemptionsin 21 CFR Part 812.State regulations or other requirements mayadd additional minimum retention periods.For example, the State of South Carolinarequires an additional retention period forresearch records on studies that involvechildren as research participants. In addition,study sponsors and other governmentagencies may also specify additional recordretention requirements.Third, consider record retention requirementsif the PI leaves the institution prior to theend of the required record retention period.The PI and the institution should establishan agreement on the disposition of researchrecords and the institution should specify aright of access to these records.One important requirement to remember isthe HIPAA Privacy Rule does not permit a PIto transfer control of participant identifiableresearch records containing protected healthinformation (PHI) to another institutionunless the original permission under whichthe PI obtained or created the record (such asthe individual’s authorization or approved bythe Institutional Review Board) was grantedexplicitly for the PI, rather than solely forinstitution. HIPAA requirements place strictAdministrative Requirements for Grants (FDA) also specifies research record retentionContinued on page 9Health Care Compliance Association • 888-580-8373 • www.hcca-info.org7March 2011

March 201110A complianceofficer’s best bet:Smart technologyinvestments forcliniciansBy Carol Everhart, RN, MMI, MSEditor’s note: Carol Everhart is Director of ClinicalInformatics at Curaspan Health Group in impermissible becomes more and morewhere sorting through the permissible andNewton, Massachusetts. Carol may be contacted difficult. It just makes sense to arm cliniciansby e-mail at CEverhart@Curaspan.com. with the tools—the technology—to helpminimize risk and enhance compliance withThe other day, I heard an adage that the growing and ever-changing array of ruleswas new to me, and maybe it’s new and regulations.to you too: “Don’t trip over dollars toget to pennies.” As with many an old saying, It makes sense, because technology really is athere’s a lot of truth in it, even as we think of strategic investment. In addition to providingautomation and workflow with built-innew health care information technology (IT)capabilities and regulatory requirements. checks and balances, it fosters other benefits.In that same survey of community hospitalIn a survey of more than 100 community executives, respondents acknowledged thehospital CEOs and their direct reports, we value of technology in improving clinicianfound that when making a decision about and patient satisfaction, as well as hospitaltechnology, hospital leadership ranked regulatorycompliance third in importance, behind re-admissions).financials and key metrics (e.g., length of stay,clinical outcomes and project cost. That’s thegood news and the bad.Technology therefore can be a kind of institutionalinoculation: It keeps risk at bay whileIt’s good, because nothing should surpass delivering the data that creates immunity tosuccessful outcomes in importance, yet it’s a other institutional challenges. Compliancelittle surprising that the cost of technology officers have an opportunity to grow theiris a bigger concern than compliance. It’s impact on their facilities by pushing for ashort-sighted, because the cost of a project strategic and intelligent use of technology.can be dwarfed by technology-driven savings Here are three additional benefits from usingin compliance-related costs, such as legal fees. technology to bridge the gap between cliniciansand compliance.Clinicians aren’t regulatory experts and casemanagers aren’t compliance officers, but 1. System-generated audit trails providethey’re on the front lines of this battlefield, documentation, fast.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgI recently worked with a director of casemanagement who was faced with a JointCommission audit. The surveyor asked fora report on post-acute referral patterns,which typically takes days to compile. Thesoftware application that the hospital used todischarge patients generated a report within30 minutes, surprising the surveyor. That wason Day Two of a five-day survey—and therewere no more questions about the dischargeprocess.Access to data helped save a valuable asset:time—time that could be better spent on thetop priority of quality patient outcomes aswell as on other time-consuming activities.Not surprisingly, audit trails revolve arounddocumentation. Whether to demonstratepatient choice or pre-admission screening andresident review (PASRR) compliance, or tolocate the backup for hospital-issued noticesof non-coverage (HINN) and RAC audits,automatically generated audit trails with timeand date stamps save time.The importance of being able to demonstratecompliance quickly and efficiently is growing.Case in point: the HITECH Act, whichcontains new rules and new requirements,such as business associate agreements (BAAs)to help ensure that protected health information(PHI) remains protected. The specter ofincreased record keeping and civil as well ascriminal penalties underscore the importanceof thinking about support from technology—andspending some pennies to avoidbig-dollar penalties.2. Automation provides structure for bestpractices, supports good behavior.Technology can also pay dividends byproviding compliance safeguards. Electronicreferral packets, for example, eliminate therisk of a liaison (to be covered under thosenewly revised BAAs) from walking out of the

hospital with PHI and perhaps leaving it inan unlocked car while running an errand.Electronically stored documents eliminatethe need for paper records with PHI stackingup at unattended fax machines; they also getrid of records being sent by mistake to non–BAA-covered fax machines.System controls can limit who sees what ona need-to-know basis too. Consider this:Consent to treat may end when a patient isdischarged, but requests for needed patientinformation don’t. While inefficient, manualconsent checkpoints can be overlooked,automated notifications or alerts about amissing consent and a prohibited release ofinformation are harder to miss. Conversely, aprogrammed decision tree provides assuranceabout a secure transmission of a permittedrelease to a payer, for example.3. Automatically captured businessintelligence helps optimize outcomes.Easily accessible, system-generated data is aninvaluable asset. It compounds in value overtime as more data and more trends surfaceproblems to address or progress to maintain.In working with discharge and case-managementstaff at hospitals nationwide, I’ve seenthe impact of data in helping facilities at thebedside and on the bottom line. I looked atabout 140 hospitals with 150 or more bedsthat regularly receive, review, and respondto data about re-admissions by diagnosis,provider, placement, and physician. By utilizingthat business intelligence, those hospitalscut their preventable re-admission rates by anaverage of 0.5%.That translates into approximately $108,000per month or nearly $1.3 million annuallyper hospital (based on 15 fewer re-admissionseach month at an average case rate of$7,200). That’s about a 10-fold return ontheir technology investment, without takinginto consideration other savings derived fromactivities based on that same technology. Ifwe extend the potential annual savings toall similarly sized hospitals nationwide, thenumber grows to approximately $7 billion.Technology isn’t a necessary evil. It’s a necessarydriver of results that can help complianceefforts in particular, and hospital performancein general. nHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org11March 2011

March 201112Editor’s note: Denise A. Atwood is AdministrativeDirector Medical Services Provider Contractat Maricopa Integrated Health System inPhoenix, Arizona. She may be contacted bytelephone at 602/344-1345 or by e-mail atdenise.atwood@mihs.org.Eric M. Royal is the Director of Compliance atMaricopa Integrated Health System, and may becontacted in Phoenix by telephone at 602/344-5816 or by e-mail at eric.royal@mihs.org.Although ambulance replenishing hasnot been in the forefront of complianceissues in the past several years,it does merit consideration when reviewingyour hospital’s contractual relationships withambulance transport companies in relationto the federal Anti-kickback Statute (AKS).This article will analyze the “safe harbor”under the AKS which permits, under specificconditions, the replenishing of drugs, linens,and supplies by hospitals to ambulance providers.Additionally, the article will providean overview of the statutory requirementsnecessary for reviewing existing and proposedcontracts with ambulance transport companiesfor compliance with the federal statutes.Overview of applicable regulationsThe AKS is a criminal statute that prohibitsthe exchange (or offer to exchange) ofAmbulancereplenishing andremuneration:Compliance withfederal guidelinesBy Denise A. Atwood, RN, BSS, JD and Eric M. Royal, MPH, JDanything of value, in an effort to induce (orreward) the referral of federal health careprogram business. 1 Thus, if remuneration ispurposefully paid to induce referrals of itemsor services for which payment may be madeby a federal health care program, the AKS isviolated. Conviction based upon violating theAKS is a felony and can result in a fine up to$25,000, imprisonment for up to five years,or both. 2 Additionally, a conviction willresult in mandatory exclusion from participationin all federal health care programs.The United States Department of Healthand Human Services (DHHS), Office theTable 1. Sample Ambulance Replenishing Compliance ChecklistSATISFY ALL FOURCONDITIONSSATISFY ONECATEGORYRequirementOnly ambulance provider OR receiving facilitybills (policy and documentation)Receiving facility OR ambulance provider ORboth maintain records (policy and documentation)Value or volume of referrals NOT taken intoaccount (policy)Ambulance provider and receiving facility complywith all applicable laws (policy and documentation)General Replenishing (policy posted)Fair Market Value ReplenishingGovernment-mandated ReplenishingHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgInspector General (OIG) has been grantedthe authority to promulgate safe harborsthat define practices that do not violate theAKS. The ambulance replenishment safeharbor became effective on January 3, 2002,and it permits the restocking of ambulancesthat are only used for emergencies, but doesnot permit the restocking of strictly nonemergencyambulances. 3Replenishment regulations—four conditionsThe Ambulance Replenishing (AR) complianceregulations are found at 42 CFR1001.952(v). The AR guidelines set forth thatremuneration does not include any transferof drugs or medical supplies to an ambulanceprovider for the purpose of AR in connectionwith the transport of a patient by an ambulanceto the hospital or other receiving facilityas long the ambulance is used to provideemergency ambulance services an average ofthree times per week. 4The ambulance replenishing arrangementmust also satisfy all four of these conditions:1. Replenished drugs or medical suppliesmay only be billed to a federal healthcare program by either the ambulanceMetNot Met – CorrectiveAction & Due Date

provider or the receiving facility, not both,and claims must comply with applicablefederal health care program payment andcoverage rules and regulations;2. The receiving facility or ambulanceprovider or both must maintain recordsof the replenished drugs and medicalsupplies and the patient transport towhich the replenishment was related. Apre-hospital care report prepared by theambulance provider and filed with the receivingfacility will satisfy this condition;3. The replenishing arrangement must nottake into account the volume or valueof any referrals generated between theambulance provider and the facility; and4. The ambulance provider and the receivingfacility must comply with all federal,state, and local laws related to ambulanceservices, emergency services, provision ofdrugs and supplies, and the handling ofcontrolled substances. 5To demonstrate compliance with all fourconditions, the receiving facility and theambulance provider should implement policiesor protocols that address billing, recordretention, and compliance with federal,state and local laws as noted above (see table1). The contract should clearly reflect therequirements that each party must fulfill, perthe regulations.Replenishment categoriesThe replenishing arrangement must alsosatisfy all of the standards in “one” of thesethree categories:1. General replenishing. The receivingfacility must replenish drugs or medicalsupplies on an equal basis for allambulance providers that bring patientsto the facility. A receiving facility mayoffer replenishing in one or more of thecategories:o all ambulance providers that do not billfor ambulance services (such as volunteercompanies);o all not-for-profit and state or localgovernment ambulance services providers(including, but not limited to,volunteer companies); oro all ambulance service providers. 6Also the replenishing arrangement must beconducted in an open and public manneras demonstrated by a written disclosure orprotocol of the replenishing arrangementthat is conspicuously posted in the facility;or the replenishing arrangement operates inaccordance with a plan of general applicationpromulgated by an Emergency MedicalServices Council or comparable entity oragency (as long as the plan is readily availableupon request to ambulance providers, facilities,and the public). 7 Posting the replenishingarrangement policy or protocol in aprominent place in the facility will meet theintent of the requirement. As set forth in theregulations, no written contract is required todemonstrate compliance.2. Fair market value replenishing. The ambulanceprovider must pay the receivingfacility fair market value (FMV), based onan arms-length transaction for replenishedmedical supplies; and if payment is notmade at the same time as the replenishing,the receiving facility and ambulance providermust make commercially reasonablepayment arrangements in advance. 8The replenishing arrangement transactionmust be done at arms-length, whichmeans each party is unconnected orunrelated and has equal bargaining power.To demonstrate compliance, a writtenpolicy or protocol addressing the FMVfor replenishing drugs and medical suppliesshould be implemented.3. Government mandated replenishing.The replenishing arrangement is done inHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgaccordance with a state or local statute,ordinance, regulation or binding protocolthat requires receiving facilities to replenishambulances that deliver patients tothe facility. 9 Research is recommended todetermine if your state or local governmenthas mandated AR.ConclusionAmbulance Replenishing is an exception(safe harbor) to the federal AKS as longas compliance with the regulations can bedemonstrated. By following the requirementsfor the conditions and categories noted aboveand by creating and implementing applicablepolicies and protocols, facilities and ambulanceproviders should be able to demonstratecompliance with the regulations and safeharbors. n1 42 U.S.C. section 1320a-7b.2 OIG Advisory Opinion No. 02-3, posted April 11, 2002, p. 3.3 42 C.F.R. section 1001.952(v).4 42 C.F.R. section 1001.952(v)(1).5 42 C.F.R. section 1001.952(v)(2)(i-iv).6 42 C.F.R. section 1001.952(v)(3)(i)(A).7 42 C.F.R. section 1001.952(v)(3)(i)(B)(1)(i).8 42 C.F.R. section 1001.952(v)(3)(i)(B)(1)(ii).9 42 C.F.R. section 1001.952(v)(3)(i)(B)(1)(ii).HCCA has stepped up ourenvironmental responsibilityby printing ComplianceToday on recycled paper.The interior pages are now printed on papermanufactured with 100% post-consumerwaste. The cover stock is made up of 10%post-consumer waste and is locally producedin Minnesota near our printing facility. Inaddition, the energy used to produce thepaper is 100% renewable energy. This is notto mention that the ink used in our magazineis 100% soy based water soluble inks. Certificationsfor the paper include The ForestStewardship Council (FSC), SustainableForestry Initiative (SFI), and Green-e.org.13March 2011

featurearticleMeet Steve Lindo, Director, TreasuryManagement and Mortgage Risk, Fifth Third BancorpEditor’s note: This interview with Steve Lindoof Fifth Third Bancorp in Cincinnati was conductedin November 2010 by Greg Triguba, JD,CCEP, Principal, Compliance IntegritySolutions, LLC located in Colorado. Greg maybe contacted by telephone at 303/997-7324or by e-mail at greg.triguba@complianceintegrity.com.Steve Lindo may be contacted bye-mail at stephen.lindo@53.com.GT: Thanks you so much for sharing yourperspective and insight. Please share a littlebit about your background, experience, andpoint of view on audit and risk managementpractice.SL: I’ve been a practicing financial riskmanager for over 20 years, first in banking,then in alternative asset management, andmost recently, in consumer finance. All ofthese positions were in large multinationalcorporations, where audit and compliancewere well-developed, independent functions.Looking back, my interactions with the auditand compliance professionals were infrequentand mostly situational, which I don’t consideroptimal, given that risk, audit, and compliancefunctions share the same goal of protectingshareholder value. My primary reason fortalking with you today is to encourage riskmanagement, audit, and ethics and complianceprofessionals to collaborate more with eachother than I have been able to do in the past.GT: Steve, how would youdefine “risk management”as a corporate function?SL: The best way I knowhow to define it is witha metaphor. To me, thepurpose of risk managementis to act like the navigatorin a car rally – sitting nextto the driver, roadmap inhand, calculating distances,warning of obstaclesahead, checking on fuel level, monitoringthe weather, topography, etc. In order to dothis, the risk manager has to possess manyof the technical competencies of the driver;however, the risk manager is assigned the taskof navigation, not driving. Risk management,if well-performed, provides the driver with anexpert second opinion in uncertain situationswhere judgment is called for and, overall,increases the driver’s chances of completingthe course on time and without mishap. Asyou can imagine, risk management demonstratesits value mostly in business conditionsthat are high-risk to the corporation, eitherdue to high volume or volatility, which iswhy risk managers concentrate their activitiesin such areas. Using the same metaphor, anavigator isn’t needed to drive to the 7-Elevento buy a newspaper.GT: How do you distinguish risk managementas you defined it above, from ethics andcompliance risk management? Is therea difference?SL: Risk to the corporation from unethicalpractices or inadequate compliance withapplicable laws and regulations is one of manyconcerns for risk managers. The amount ofattention it receives is typically dictated by thestandard of ethics adopted by the corporationand the scope and quality of its compliancefunction. In an environment where highstandards are in evidence for both, a riskmanager can confidently focus his/her attentionon other risks. The optimal way for arisk manager to be sure of this is to establishregular and collaborative interaction with theaudit and compliance functions.GT: Is risk management as a function andpractice the same across all industries, or doesMarch 201114Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

it look different depending on the type ofbusiness?SL: The fundamental principles of riskmanagement apply across all industries,whether financial services, transportation,energy, telecommunications, manufacturing,retail, or public administration, to name justa few. In their simplest form, these principlesare: risk governance, risk identification, riskanalysis, risk measurement, risk communication,and risk-sensitive decision-making.The practice of risk management howevervaries by industry, adapting to the specificamounts and types of risk which arise ineach particular industry. Examples of themost common risk types are market risk,operational risk, credit risk, reputational risk,business continuity risk, technology risk,political risk, and country risk.GT: Describe the value proposition of effectiverisk management within an organization? Howdoes it help the organization be successful?SL: The payoff for organizational investmentin risk management comes in two forms:(1) better business decisions, and (2) earlywarning of potential loss-making events.These two contributions to the organization’ssuccess are demonstrated in different ways.Expert risk input to decision-making is anongoing practice which becomes valuablewhen integrated into the organization’s coremanagement processes (i.e., by making assessmentof both expected profits and potentialrisks a pre-requisite for any significantbusiness decision). Early warning of possibleloss-making events, on the other hand, isincidental in nature and varies in frequency,depending on internal and external conditions.In times of stress, these warnings tendto come in a steady stream, while in timesof stability, months can go by without anynoteworthy threats being detected. The valueproposition in these cases is to give the organization’smanagement time to take protectiveaction, such as hedging, buying insurance, orreducing the volume of its business activitybefore risks actually materialize or until thethreat is judged to have subsided.GT: Is the value proposition of risk managementreadily accepted in most organizations,or must return on investment (ROI) typicallybe addressed to create the support and budgetneeded for risk management activities?SL: Acceptance varies widely from industryto industry and within industries. Regulatedindustries, such as financial services, energy,and transportation, have (in the main) adoptedrisk management standards either voluntarilyor involuntarily, because of the unacceptableeconomic or social consequences of poor riskmanagement. Acceptance in non-regulatedindustries tends to be situational (i.e., morecommon in sectors where catastrophicloss-making events have recently occurredor where business leaders have voluntarilyadopted risk management principles inpursuit of long-term competitive advantage).GT: What are some strategies andapproaches to champion and “sell” a riskmanagement program within an organization?How do you get people on board andaccountable?SL: Approaches which have provedsuccessful are: (1) case studies of catastrophiclosses incurred by other organizations whichcould have been prevented by effective riskmanagement; (2) scenario analysis demonstratingthe catastrophic losses which theorganization could suffer as a result of theoccurrence of a certain type or combinationof risks; and (3) unexploited business value oftransaction data retrieved and analyzed by riskmanagers for risk measurement purposes, forexample demonstrating how product pricingshould be graduated to recognize higheror lower risk profiles of different marketsegments.GT: When collaborating with managementand various departments within an organizationon risk management goals and objectives,what considerations should an ethics andcompliance professional keep in mind?SL: An ethics and compliance professionalhas specialized insight into the organization’sactivities which can be invaluable to RiskManagement and other departments whenethical or compliance risks are being assessedor materialize unexpectedly. It’s highly desirablefor ethics and compliance professionalsto establish close working relationships withtheir peers in these departments in order tomake them aware of the specialized knowledgethey can bring to bear in such situations.Reciprocally, it’s also highly desirable for riskmanagers to establish close working relationshipswith ethics and compliance professionalsin order to get early warning of potentialethical or compliance risks that are first discoveredby Ethics and Compliance departments.GT: Are there key partnerships within anorganization that are essential for effectiverisk management to work? Please shareconsiderations in this area.SL: Yes, many. In addition to partneringwith Ethics and Compliance, at a minimum,Risk Management needs to partner withAudit, IT, Tax, Legal, Accounting, andOperations. Some of the information anddata which these departments handle orgenerate in the course of their daily activitiesprovides critical input for effective riskidentification, analysis, measurement, andcommunication.GT: There are many methodologiesand approaches to effective risk management(e.g., Enterprise Risk Management;Governance, Risk, and Compliance; COSO 1 ;etc.). Please share your perspective on whatfactors should be considered in determiningContinued on page 16Health Care Compliance Association • 888-580-8373 • www.hcca-info.org15March 2011

Meet Steve Lindo, Director, Treasury Management and Mortgage Risk, Fifth Third Bancorp ...continued from page 15March 201116the best approach and methodology for anorganization. Are there resources availablethat can help in making this determination?SL: The approaches and methodologieswhich you cited are all valuable. The reasonfor there being so many is a continuingpursuit of excellence in designing processesthat can be effectively implemented byorganizations seeking to adopt a disciplinedapproach to risk management. The consensusof organizations that have done so is thatno approach or methodology alone ensuressuccessful implementation, Rather, successcomes with building a culture that regardsunderstanding and pro-actively managing riskas a shared responsibility of all employees anda critical success factor for the organizationover time.GT: When setting up risk managementactivities as part of a broader ethics andcompliance program within an organization,please walk us through some of the initialconsiderations to keep in mind from both astrategic and tactical standpoint.SL: The first consideration is to understandthat risk management is a firm-wide activityin which all employees play a greater or lesserrole, depending on their job function. In thecase of Ethics and Compliance, a well-organizedand high-performing department can berelied upon to successfully monitor and dealwith all known ethics, legal, and regulatoryrisks, leaving the Risk Management departmentto focus its attention and resources onother types of risk.The second consideration is to establisha regular and intentional dialog betweenrepresentatives of the Risk Managementand Ethics and Compliance departments toensure that emerging ethics and compliancerisks are identified and appropriate actionplans are developed in case they materialize.In studying recent, well-publicized cases ofsub-standard compliance and/or ethics, suchas the widespread deficiencies in residentialmortgage foreclosure documentation or thehefty fine that Goldman Sachs agreed topay regarding one of its collateralized debtobligation (CDO) programs, it’s hard toimagine that those companies had this kindof partnership in place between risk managementand ethics and compliance specialists.GT: What are some of the typical componentsand elements that should be included as partof a good risk management program?SL: As I mentioned earlier, there are six coreelements of a risk management program: riskgovernance, risk identification, risk analysis,risk measurement, risk communication, andrisk-sensitive decision-making. One of themany harsh lessons provided by the recentfinancial sector crisis is that, like many otheractivities, a risk management program is likea chain that is only as strong as its weakestlink. So, in order to function effectively in timesof stress, which is when it’s most needed andof greatest value, all six elements in a good riskmanagement program need to be equally strong.GT: Please share a little bit about the typesof tools and resources available to help organizationsmanage risk. Does technology playa role in effective risk management?SL: Once the framework of a good programis in place, the four main tools and techniquesof effective day-to-day risk management arepolicies, limits, risk measurement models,and risk reports. Models are typically highlytechnology dependent, especially whenrequired to determine the risks characteristicsof large numbers of similar assets or liabilities,such as credit card debt or life insurancepolicies. In the aftermath of the financialsector crisis, the role of models has received alot of justifiably critical attention, causing anappearance of lesser importance in the otherrisk management tools and techniques. Inreality, remembering the analogy of a chain,Health Care Compliance Association • 888-580-8373 • www.hcca-info.orga weakness in any of these four can leave anorganization blindsided as to risks it is incurringthat are potentially life threatening.GT: The Federal Sentencing Guidelines forOrganizations and other governing standardsemphasize the importance of “effective” riskmanagement and risk assessment for ethicsand compliance programs. Please share somestrategies for ways to evaluate effectivenessin this area.SL: The first and most visible component ofan effective ethics risk management programis a written corporate code of conduct whichhas to be signed annually by all employees.The code typically requires everyone toagree not to enter into (and furthermore, toreport instances of other employees enteringinto) any business arrangement which eitherbreaches prevailing laws or regulations; orexposes them to a conflict of interest betweentheir company duties and personal commitmentsor obligations; or involves bribery and/or influence-trafficking; or which, if publiclydisclosed,could tarnish the company’sreputation.The second component is a demonstratedhistory and process for punishing code ofconduct violations and supporting legitimatewhistleblowers.GT: Please share more about conductingrisk assessments and the management ofoutputs and information from these activities.For example, what level of detail should beprovided to senior management and boards?SL: This is one of the most challengingareas for all risk managers. By the nature oftheir responsibilities, they are required to digdeeply into the risks presented by specificsituations and routine business activities, yetthe benefit of this work critically depends onit’s being communicated effectively to thecompany’s decision-makers. Stories abound

of company executives and directors becoming disengaged from riskoversight due to the sheer weight and impenetrability of risk reportswhich they receive. At the other extreme, there are well-documentedinstances of the essential risk characteristics of a high-stakes businessproposition being underestimated, because risk analysis presented tothe company’s executives and directors was “dumbed-down” in anattempt to present complex material in a simplified manner. Thereis no short answer to your question other than to employ a seasonedrisk management professional in the role of chief risk officer who canjudge the appropriate level of detail in both routine and one-off riskpresentations.GT: When thinking about global ethics and compliance programs,are there any special considerations that should be kept in mind whenimplementing risk management programs across borders?SL: Not surprisingly, national and industry cultures play a big rolein the effective implementation of risk management programs. Evenwithin a multinational corporation that champions company-widestandards of risk management and ethics and compliance, the riskmanagement program within a line of business may still have to beadapted to suit the cultural norms of different countries where thecompany operates.GT: Finally, are there any emerging trends in risk management andauditing practice on the horizon that we should be thinking aboutand preparing for?SL: Public awareness of risk management, ethics, and audit standardshas increased substantially in the past couple of years, in response to acontinuous stream of public reports about irresponsible and/or illegalbehavior by leaders in business, politics, and social arenas. The trend Isee is that responsible organizations are investing in people, processes,and systems in order to achieve these standards, because they’vewitnessed the catastrophic impact on others of not doing so.GT: Many thanks for sharing your perspective on risk managementand auditing practice. The information and insight you shared hasbeen very helpful and appreciated. n1 Committee of Sponsoring OrganizationsHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org17March 2011

we are. Our compliance and ethicsprofessionals social network is among thelargest and most active of any professionalassociation in the world.If you have any questions that you would likeRoy to answer in future columns, please e-mailthem to: roy.snell@hcca-info.org.2010 was a great year for our organization2010 was a great year for our organization, and another great job byour volunteer leaders. Despite the economy, our membership grewby 9% in 2010. Attendance at almost every one of our conferencesgrew. We have had a big increase in the number of people involvedin our online social networks. We have research projects movingforward with the Ethics Resource Center. We have done several shortsurveys that have caught the eye of the profession and generated agreat deal of PR, not only for the organization, but for our profession.We have a new Privacy certification. We now have 2,000 Certifiedin Healthcare Compliance (CHC) professionals. Our diversificationinto other industries through the Society of Corporate Complianceand Ethics has not only been successful, it is now the largest multiindustrycompliance professionals’ association in the U.S. Togetherwith HCCA, our organization is the largest multi-industry complianceassociation in the world.Our board members are highly accomplished. Dan Roach, boardmember on the HCCA Executive Committee, and Odell Guytonand Haydee Olinger from the SCCE Advisory Board were recentlyrecognized by Ethisphere magazine as 2010 Lawyers Who Matter.The recent achievements (e.g., the Advanced CHC certification,Advanced CCEP certification, Privacy certification, social media forcompliance professionals, and the mobile applications for conferenceattendees) show our commitment to innovation. I have had severalcomments in the past year recognizing our organization as where thethought leaders are. I can think of no more important distinction.We have done all this despite an economy that has caused many tocrawl into a bunker.Although the total number of foreignmembers is small, we now have membersfrom more than 30 countries. OurROY sNELLadministrative overhead is lower than the average of other organizationsour size and type. We are in the process of working with otherorganizations like ours to encourage the Department of Justice to startsharing information about companies that have been given a break forhaving compliance programs as described in the Federal SentencingGuidelines for Organizations. We are in a good place. We are wherewe are because of hundreds of people. Our volunteers speak, write,participate in the social network, and contribute in many other ways.Rather than setup endless, overreaching, and ineffective committees,we delegate to individuals who get something done. Our volunteerleadership is talented. Our staff works shoulder to shoulder with thevolunteers to efficiently and effective accomplish tasks.We appear to have weathered the worst of the budget cuts relatedto the recession (i.e., education, travel, and membership.) In late2008, our President, Rory Jaffe, and I discussed the financial future ofHCCA. Late 2008 was a very bleak time. Optimism was nowhere tobe found. It was a very strange time to be responsible for somethingof great value that was owned by several thousand HCCA members.Rory and our subsequent presidents, Julene Brown and Jenny O’Brien,navigated the very rough waters with great effectiveness.Rory Jaffe not only has a great sense for business, but he is a fearlessleader who can focus on the right issue and move with great speed.He said, “In a recession we really can’t affect revenue, but we can affectour costs,” so that is what we set out to do and did so immediately.We had all our investments set up with zero risk prior to the collapse,while others lost millions. We moved all the money into T-Bills toprotect it “completely.” We have hired an investment advisor and aretaking advantage of the upswing while maintaining the very, veryconservative investment policy established buy our Finance Committeeand approved by our board.March 201118We recently received an award from the premiere vendor of association President Julene Brown’s greatest skills were streamlining our processessocial media platforms for our work in social media. We are not only during her tenure as Secretary and Treasure. We are more efficientcompeting with associations in our profession, but with associations and accountable as a result. During her presidency, we had one of ourfrom all professions, including some associations much larger thanContinued on page 41Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Social NetworkingJohn FalcetanoEditor’s note: John Falcetano, CHC-F,CCEP-F, CHRC, CHPC, CIA is ChiefAudit/Compliance Officer for UniversityHealth Systems of Eastern Carolina andTreasurer of the HCCA Board of Directors.John may be contacted by e-mail atjfalcetano@uhseast.com.Want answers to those burning compliance questions? A good place to findthe answers is on the HCCA/SCCE Social Network site. One of the greatbenefits of participating on the Social Network is the ability to ask your peersquestions. Here is an example of one of the questions asked by one of ourmembers. “Is anyone familiar with the annual requirement to submit theBreach Notification Log to DHHS annually per ARRA?”Web 2.0 is about thenew, faster, everyoneconnected Internet.HCCA is embracing this approach and offers youa number of ways to build out your network,connect with compliance professionals, andleverage this new technology. Take advantage ofthese online resources; keep abreast of the latestin compliance news; and stay ahead of the curve.The following answer was provided by Marti Arvin from UCLA. “Yes, theinterim final rule on breach notification came out in the summer of 2009. Itindicated that for all breaches that required notification of fewer than 500persons, you are required to report the breaches to HHS within 60 days ofthe end of the calendar year. There is a form that you need to complete on theOCR website for each notification. If your breach involved more then 500people, you should have notified HHS on the same website at the same timeyou notified the patients.”Here are four other questions that were recently asked:1. As an FQHC [Federally Qualified Health Center] and Non-Profit HealthCenter, can we provide a meeting space on our premises to allow an electedofficial to hold a fundraising effort? Of note, we will not be contributingany dollars nor endorsing the official, and as an organization we would beopen to this sort of collaboration with elected officials of any political party.2. We are in process of developing health system texting of PHI guidelinesfor employees/providers. Does anyone have guidelines they would share?3. I have been considering developing an internal annual process to sendout a survey to management, asking them to identify key compliance riskareas in their department. Their responses could then be populated on areview/audit plan to which the departments would reply with their correctiveaction plan. Has anyone had experience/success with this type ofinternal compliance risk assessment process?4. I am working with HR at our hospital to re-design the exit interview process.We have historically not captured much information related to complianceissues identified by exiting employees. Would anyone be willing to share anythoughts, ideas, examples, templates of what they have found to be valuablein identifying potential compliance issues from exiting employees?Continued on page 35Dozens of discussion groups andmore than 6,800 participantshttp://community.hcca-info.orgProfiles of over 4,500 complianceand ethics professionalshttp://www.hcca-info.org/LinkedInFollow HCCA_News to keep up with thelatest compliance news and eventshttp://twitter.com/HCCA_NewsConnect with compliance and ethicsprofessionals on Facebookhttp://www.hcca-info.org/FacebookEach resource is 100% dedicated tocompliance and ethics management.So sign up for whichever one worksbest for you, or for all four if you’realready living the Web 2.0 life.Health Care Compliance Association • 888-580-8373 • www.hcca-info.org19March 2011HCCASocialNetworking_halfpage_301nK_CTad.indd 1 12/28/2010 10:03:44

focusfeatureThe compliance officer’s role in boardoversight of the compliance programBy H. Rebecca NessMarch 201120Editor’s note: H. Rebecca Ness is a health care professional with specific with the link between Medicare and Medicaid reimbursement andexpertise in governance and compliance. She has 25 years of senior level patient care quality, and with The Joint Commission’s expectation thatmanagement experience in health care and higher education. As a Compliance board members are well versed in quality and patient safety issues.Officer and Governance Director, she designed, developed, and implemented Two factors directly affecting board oversight of compliance are thegovernance infrastructures, board education programs, and a corporate expanded government focus on fraud and abuse recovery initiativescompliance program. Rebecca may be reached at becness@myfairpoint.net. and the Health Reform Law of 2010. More familiar to the CO arethe Federal Sentencing Guidelines (FSG), as amended in 2004, whichThe boards of not-for-profit hospitals are experiencing an obligates the governing authority to be knowledgeable about andexpanded scope of their governing authority in today’s health exercise oversight over the compliance program.care environment. As board member accountability increases,so does the responsibility of the compliance officer (CO) to support The compliance officer relationship to the boardthem in meeting their oversight duties.Recommended guidelines for board oversight and the reporting structureof the CO are not new. Dating back to 1998, the OIG guidance forTo assist the board, it is important for the CO to understand the an effective compliance program outlines these recommendations, indicatingthat every effective compliance program must begin with a formalbasis of board member responsibilities. The underlying principle ofthe trustee obligation is to act in accordance with the trust and confidenceplaced by the hospital or health system to govern on behalf elements. 1 One of these elements is the designation of a chief compli-commitment by the hospital’s governing body to include the FSG sevenof the organization. The foundation of this obligation is set in the ance officer who reports directly to the CEO and the governing body.following fiduciary and legal responsibilities, which in many states are The 1998 program guidance also notes the importance of independenceincorporated in the laws that govern not-for-profit organizations: in the compliance function, separating it from key management positions,specifically the General Counsel or Chief Financial Officer. 2n Duty of care requires a board member to exercise reasonablecare that an ordinarily prudent person would use in similarcircumstances.However, 2010 brought renewed focus to these issues, making itn Duty of loyalty requires a board member to act faithfully in seem to some like an added component in the compliance arena.the best interest of the organization and never for self-benefit This increased emphasis is in large part due to the November 1, 2010financially or any other personal gain.amended FSG, specifically the changes connecting an effective complianceprogram to the reporting relationship of the CO to the board.n Duty of obedience requires a board member to serve in a mannerthat is faithful to and consistent with the organization’s mission. For an organization to potentially mitigate penalties or lower theculpability score under these advisory guidelines, the CO must have aIn addition, increased governance accountability arises from the direct reporting relationship to the board. This 2010 FSG amendmentimplications for non-profit organizations in the Sarbanes-Oxley Act defines a “direct reporting obligation” as one where the individualof 2002 as well as the Internal Revenue Service requirements in both with operational responsibility for the compliance program has expressthe IRS Form 990 and the IRS focus on board oversight of executive authority to communicate personally to the governing authority orcompensation. Board oversight obligations have also been heightened appropriate subgroup thereof. 3Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

There is a subtle, but significant, point about the wording of the FSG all entities within your organization, such as the hospital, home healththat board members and compliance professionals should recognize. agency, long-term care facility, and physician practices. If your organizationis part of a larger system, become familiar with that structure as wellThe FSG states, “specific individual(s) within the organization shall bedelegated day-to-day operational responsibility for the compliance and to know what is reported up to the parent corporation.ethics programs.” 4 It is this individual who has the direct reportingobligation to the governing authority. Hospitals and health systems have Always keep in mind two additional key considerations. First, thevaried organizational structures. In some, the person with operational board is comprised of voluntary members with limited time to executeresponsibility for the compliance program may have the title of Director the breadth of organizational oversight required of the governingor Vice President and the CEO or another senior executive may hold authority, and compliance is just one area of responsibility. Second,the CO title. If you are a Director of Compliance, responsible for the a diverse board representing the community’s needs necessitates aoperations of the compliance program, but report to another senior broad range of core competencies (i.e., areas of expertise) among itsexecutive or to the General Counsel, having a discussion with your CEO membership. Not all board members will have the necessary depth ofand board would be prudent advice. Educating them on the significance knowledge on the complexity of the compliance program for whichand implications of the government guidance on what constitutes an they have an oversight responsibility. This leads the CO to othereffective compliance program is essential. A revision of the organizationalreporting chart may be necessary to meet government recom-regulatory environment, and the report content provided by the COpractical action areas, board member education on the compliance andmendations. This is a practical matter, reducing potential organization and other management staff to the board committee(s).risk associated with government anti-fraud initiatives and potentialboard member liability for breaching their compliance plan oversight Educationduty. A useful resource for this conversation is the 2010 article in Trustee What does your board need to be well-served and positioned to overseeMagazine 5 by US Department of Health and Human Services Inspector the compliance program? Education provided by the CO is fundamentalGeneral Daniel Levinson. The Inspector General addresses compliance in establishing an effective relationship with board members.program board oversight, the reporting relationship of the CO tothe board, and the link between quality patient care and compliance. Board orientation is crucial. All new board members go through anAnother comprehensive resource is the OIG/AHLA joint publication, orientation process to educate them on the organization’s strategicThe Health Care Director’s Compliance Duties: A Continued Focus of plan, operating plan, mission, financial statements, quality plan, andAttention and Enforcement. 6community benefit initiatives. The compliance program is an equallyimportant element, but not always given due attention. The COUnderstanding the driving factors of governance accountability and should ensure that compliance is properly covered in the board orientation.Basic elements all board members should know include:fiduciary duties, which are the foundation of compliance programboard oversight, sets the stage for practical steps the CO can take to n Key components of the of the compliance planestablish an effective relationship with the board.n What the OIG Work Plan coversn How the OIG Work Plan influences a hospital’s annualStructural and organizational considerationsCompliance Work PlanAs noted above, hospitals and health systems differ in how the organizationis structured. This will impact the governance approach taken to establishedn Risk assessment process to understand how priority focus areas arecarry out the board oversight obligation. How is your board set up? n Internal and external audit processesDoes it have a Compliance Committee, or an Audit and Compliance n The connection between compliance monitoring and auditing, andCommittee, or a Finance and Audit Committee? Who reports at the Medicare and Medicaid reimbursement and the hospital’s financialcommittee level and how is that information passed on to the full board? healthn The link between compliance and quality of careYour first task is to understand both the organizational and thegovernance structures of your organization to ensure that appropriate This content should be presented as a high-level overview. More detailedregulatory and compliance issues are reviewed and reported on to the and in-depth education should be provided at the committee level.board – even if you are not doing the reporting. Take into considerationHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgContinued on page 2321March 2011

MediRegs.com22Compliance Today 1-11.indd 112/7/2010 2:32:42 PM

The compliance officer’s role in board oversight of the compliance program ...continued from page 21Committee level orientation should include:monitoring and auditing by the CO. The annual Compliance Workn Compliance plan policiesPlan can be formatted with a status column where the CO recordsn An understanding of the major compliance laws such as the progress made toward completion of each item. When sending theFalse Claims Act, Stark Law, Anti-kickback Statute, HIPAA and Work Plan to the board committee prior to their quarterly meeting,HITECH, and the Emergency Medical Treatment and Labor Act highlight only those items that have a status change, so board membersn OIG program guidance and the Federal Sentencing Guidelines are able to quickly scan the Work Plan and visually identify whatn Federal and state fraud and abuse recovery initiativesinformation they need to review. Develop a dashboard report for auditn Compliance program effectiveness assessmentsentities: Recovery Audit Contractors (RACs), Medicare AdministrativeContractors (MACs), Medicaid Integrity Contractors (MICs), ZoneA glossary of compliance terminology is an essential aspect of board Program Integrity Contractors (ZPICs), and Comprehensive Error Rateeducation. It should be updated regularly to keep pace with the Testing (CERT) audits (see the need for a glossary?). Board membersgrowing number of terms and acronyms associated with the changes in need to know what government fraud and abuse recovery initiatives aretoday’s compliance environment.underway, but do not need the detail of these audits unless there is anaudit outcome that presents a risk to the organization.All board members should receive the Code of Conduct and understandthat this general statement, outlining the fundamental ethical Plan the board committee meeting agenda to focus on reportingand compliance principles guiding the hospital operations, is a recommendationin the OIG program guidance.cards, the Work Plan, and internal audits to identify risk areas, andand discussion of identified potential risk areas. Review your reportthen prioritize them by relative importance and level of impact to theThe OIG program guidance also addresses developing open lines organization. Always include your plan of action to address each item.of communication to increase the hospital’s ability to identify andrespond to compliance problems by using alternative communication As noted above, there should be an education agenda item focusing onmethods. These periodic notices to employees could also be sent to new laws, regulations, and other government initiatives. Keeping theboard members as an educational tool.board informed of the content and impact of new developments onthe compliance program is essential in assisting the board with theirBoard Compliance Committee meetings should include education as oversight obligation.a standing agenda item. It could be a discussion on a relevant articledistributed prior to the meeting, or a presentation on a new law or Additional CO actiongovernment initiative. Educating board members on the compliance If you provide reports to the board Compliance Committee but notprogram implications in the Patient Protection and Affordable Care directly to the full board, there are additional steps you can take toAct of 2010 (PPACA) should be a priority.ensure that board members are fully informed. These steps will alsoaide you in showing the effectiveness of the compliance program to anReporting to the boardexternal party, if the need arises.What do you include and how do you format your report to the boardcommittee? Reports should be comprehensive yet concise, and easily Work with the Chief Governance Officer or Governance Director onunderstood. Learning how to effectively report so that board members the following three items.are fully informed in their oversight role—but not overwhelmed by 1. Review all committee meeting minutes to ensure they accuratelyoperational details—is a challenge for COs that is more art than science. and completely reflect your report to the board committee. Thesemeeting minutes are provided to all board members and you shouldStart by identifying the key elements board members need to know and take responsibility to know that all necessary information is memorializedin the board documentation retained and required by law.then develop a clear dashboard report card. Review the OIG programguidance for recommended content that should be reported to the 2. Read the board committee charter, which guides the committeein fulfilling its oversight role. The charter components shouldboard. Much of this information can be summarized in report cardformat, including organization measurements related to the FSG seven include a statement of purpose, responsibilities and authorities,elements such as hotline calls, education and training programs, andContinued on page 24Health Care Compliance Association • 888-580-8373 • www.hcca-info.org23March 2011

The compliance officer’s role in board oversight of the compliance program...continued from page 23Train Your EmployeesWith HCCA’sTop-Rated DVDCompliance and Ethics:An Introduction for HealthCare ProfessionalsHCCA’s video provideseverything you need to conductcompliance and ethics training:• 23-minute video with sevendramatizations (available in DVDor VHS)• Trainer’s Guide with suggested programagendas and discussion outlines• Reproducible participant materials• DVD includes viewer’s menu for easycustomization of training sessionsHCCA member price $350.00Non-member price $395.00Visit www.hcca-info.org for moreinformation and to ordermembership criteria, and meeting frequency requirement. A periodicreview of the charter with the board committee is advised.3. Make suggestions to the Governance Director if there is anarea of expertise not represented among the composition of thecurrent board Compliance Committee that you think wouldcontribute to effective oversight. Your recommendations can thenbe considered by the board Governance Committee when recruitmentand committee assignment decisions are made.Annual compliance reportA final recommendation is to write a year-end annual compliancereport that summarizes all compliance activity. This is a high-leveldocument that provides an overview of progress made to enhancethe compliance program. Content areas could include, but are notlimited to:n Summary of the compliance Work Plan key deliverablesn Compliance program effectiveness initiativesn External audit review findingsn Management and board oversightn Activities that relate to the OIG seven elements and other OIGprogram guidance recommendations, such as education andtraining provided to employees and board membersn Updated or new compliance plan policiesn Summary of internal auditsn Other notable initiatives that should be documented in writing(i.e., specific action taken to enhance billing compliance)The benefit of having an annual report is two-fold. For the Compliancefiles, there is an easily accessed record of activity during eachyear for future reference. Second, this report should be included withmaterial distributed to the full board, and will serve to inform allboard members of key compliance program activity, assisting them intheir oversight obligation.ConclusionAs the compliance officer who is responsible for the daily operationsof the compliance program, you have a duty to yourself and to theboard to take an active role in ensuring effective board oversight ofthe compliance program. n1 Federal Register Vol. 63, No. 35, Feb. 23, 1998, 89892 Federal Register Vol. 63, No. 35, Feb. 23, 1998, Note 353 Federal Sentencing Guidelines, November 1, 2010, §8C2.5(f) (3) (c) (i)4 Federal Sentencing Guidelines, November 1, 2010, §8B2.1(b) (2) (c)5 Daniel R. Levinson: Trustee Engagement and Hospital Success. Trustee Magazine, Viewpoint, July 2010. Availableat http://www.trusteemag.com/trusteemag_app/jsp/articledisplay.jsp?dcrpath=TRUSTEEMAG/Article/data/07JUL2010/1007TRU_viewpoint6 Office of the Inspector General and the American Health Lawyers Association: The Health Care Director’sCompliance Duties: A Continued Focus of Attention and Enforcement. PDF available at http://www.healthlawyers.org/Resources/PI/Documents/Health%20Care%20Director’s%20Compliance.pdfMarch 201124Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgCompEthicsIntroHealthCare_ad_HalfPageVert_new.indd 12/10/2011 10:54:11 AM

HIPAA, HITECH,and healthinformation: Past,present, and futureBy Sherry K. ScottEditor’s note: Sherry K. Scott is Coordinator, OverviewCorporate Responsibility Education and Policy The health care industry is evolving towardsDevelopment with Via Christi Health located the implementation of EHRs, and there arein Wichita, Kansas. Sherry may be contacted many opinions concerning the advantagesby telephone at 316/858-4976 or by e-mail at and disadvantages of this transformation.sherry_scott@via-christi.org.Many believe it will lead to improvedquality of care, reduced costs, promotion ofHIPAA, ARRA, HITECH, EHR. evidence-based medicine, increased sharing ofThese acronyms appear more frequentlyas health care organizations and efficiency, and more patient involvement.information translating to added convenienceand their business associates continue the Others fear it may lead to increased costs andjourney towards the adoption of electronic decreased productivity. There are concernshealth records (EHRs). While the implicationsof the Health Information Technology of information as it moves from paper toabout protecting the privacy and securityfor Economic and Clinical Healthelectronic format. Regardless of one’s views,(HITECH) Act may seem overwhelming, it health care organizations must be actively preparingto comply with the new regulations.is helpful to review and reflect on the roadthe industry has been traveling towards thisgoal for many years.It is challenging to keep current on newrequirements of the law and to understand the“Our recovery plan will invest in electronic proposed regulations that are rapidly approaching.Health care executives and managementhealth records and new technology thatwill reduce errors, bring down costs, ensure have many questions concerning the stepsprivacy, and save lives,” said President Obama required for achieving compliance with newin his February 2009 Address to a Joint laws, the prioritization of preparation activities,Session of Congress. 1and the effects on patients, employees, businessassociates, and the industry.President Obama’s quote provides a concisedescription of health care’s direction. The In the August Journal of AHIMA, AlanHITECH Act is pushing the industry towards Dowling, (CEO of that organization) askedthe ultimate outcomes being sought— the reader to imagine working in the airlinereducing medical errors, saving lives, and industry during the early 1950s. This timedecreasing costs while ensuring the privacy of period marked the beginning of commercialby propellers, they carried far fewer passengersthan today, and travel required more time.The technology advanced, resulting in faster,larger, commercial jets, and the industry wentthrough a revolution. Those in the airlineindustry had to evolve with the technology.Mr. Dowling compared that transformationto the changes taking place today in healthcare. Technology is advancing rapidly, and theindustry must do the same, resulting in a newmodel for medical professionals, health careworkers, and the patients they serve. 2To prepare for the approaching health carereformation, it is helpful to review advancesmade since the mid-1990s. This time framemarks the beginning of the journey towardsmeaningful use of EHRs.A review of HIPAAThe Health Insurance Portability and AccountabilityAct (HIPAA) was passed by the UnitedStates Congress in 1996. Its provisions werephased in over several years. One primarygoal was to ensure the portability of healthinsurance, allowing an individual to changejobs and keep one’s health insurance, even withpre-existing conditions. The AdministrationSimplification provision of HIPAA becameeffective in 2003. It included a requirement forstandardized electronic data exchange amonghealth care providers, health plans, clearinghouses,and government agencies. This wasan important step on the path to EHRs. Thisprovision also implemented rules regardingthe privacy and security of confidential healthinformation. The shift from paper to electronicrecords introduces new opportunities forinappropriate access to data.The passage of HIPAA addressed significanthealth care risks. Prior to 1996, there was nonational standard in place for the health careindustry regarding the format of electronicconfidential health information.jet travel. Prior to then, airplanes were poweredContinued on page 27Health Care Compliance Association • 888-580-8373 • www.hcca-info.org25March 2011

SAVE THE DATESPhysicianPractice / ClinicComplianceConferenceOctober 16–18, 2011Philadelphia, PAWhy yOu Should AttendPhysicians, compliance officers,coders, and managers willlearn to manage an effectivecompliance program. Participantswill learn about complianceprogram development andmanagement as it relates tophysician practices; currentgovernment initiatives in the fieldof health care compliance specificto physicians and their grouppractices; correct documentation,billing and coding practices forphysicians; and best practicesutilized in physician practices.ResearchComplianceConferenceJune 12–15, 2011Austin, TXThis is the research conferenceyou cannot miss if you work fora research site, a CRO or SMO,a hospital or hospital system,a sponsor, or for clinicians/investigators who conductresearch. Learn the latest trendsin compliance with researchaccounting standards, clinical trialbilling and process improvements,effort reporting, scientificmisconduct, conflicts of interest, offlabeluse issues, FDA compliance,and government enforcementtrends. Hear from industryexperts who can provide practicalperspectives for handling researchcompliance risks.Learn more & register Atwww.hcca-info.orgMarch 201126Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

HIPAA, HITECH, and health information—Past, present and future ...continued from page 25information or the privacy and security ofprotected health information (PHI). Theserisks inhibited the use of electronic mediato facilitate patient care across the countryand also created confusing scenarios withinterstate transfer and treatment of patients.Patients were frustrated when dealing withmedical facilities in neighboring states withdifferent rules. The HIPAA Privacy and SecurityRules were beginning steps in addressingthese issues, and national standards finallyexisted for the first time.Privacy Rule applies to PHI in all formats,including verbal, electronic, and written.The Security Rule established nationalstandards for the protection of electronicpersonal health information (e-PHI) that iscreated, received, used, or maintained by acovered entity. The rule was created to ensurethe confidentiality, integrity and availabilityof e-PHI.With the HITECH Act boosting the HIPAAstandards, health care organizations mustA HITECH roadmapThe HITECH Act has many provisions, andthe major ones include:n Breach notificationn Business Associate agreementsn Marketing and fundraisingcommunicationsn Increased penalties and enforcementn Additional patient rights regarding PHI,andn Meaningful use of electronic healthrecords (EHRs)A HITECH roadmap is useful in pointingHealth care organizations began progressingtowards HIPAA compliance. New policiesand procedures were developed to ensure theprivacy and security of health information.Employees and medical staff were trainedon new requirements. Information technologydepartments worked to increase thesecurity and availability of electronic data,including the development of administrative,technical, and physical safeguards. Codes ofconduct and training materials were updatedto include information about privacy andsecurity of PHI. Organizations appointedprivacy and security officers. These steps wereonly beginning preparations for conversion toEHRs. HIPAA rules were as radical in 1996as HITECH rules are today.review existing policies and controls to ensurethey meet the new requirements. It is criticalthat employees, associates, and medicalprofessionals understand where to find policiesand understand how they translate intoevery day actions. The updated Privacy andSecurity rules require more than efforts by theCompliance department and the InformationTechnology (IT) department. Everyone in theorganization must have a basic understandingof the “hows” and “whys” regarding theprivacy and security of PHI.Change often brings fear and apprehension.Consider the adoption of the stethoscope.Even though the first one was invented in1816 by French physician, Rene Laennec, itwas not accepted and widely used until manyorganizations in the right direction andmaking sure the affected parties are involved.A HITECH task force, consisting of personswith different areas of expertise, can leadthe way in meeting challenges, answeringquestions, giving advice, and moving forwardto ensure risk mitigation. A multi-disciplinaryapproach is an efficient way for accomplishingthe required tasks.A task force might be responsible for activitiessuch as:n Updating privacy and security policiesn Developing an operations manual forprivacy officersn Creating a breach notification workflown Selecting a method for tracking privacybreachesHIPAA was the initial effort to build a platformfor the national electronic health record.The legal infrastructure was put into place forthe technology to follow, and the HITECHAct is building on this foundation. It was thestarting place for the road we continue totravel today.years later. 3 When the HIPAA law wasinitially passed, there was trepidation andmisunderstanding. There were questions,such as:n Can the health care industry advancepatient care and still ensure the privacyand security of confidential information?n Will the benefits outweigh the costs?n Creating a training plan, andn Providing focused trainingThe HITECH Act was passed in 2009;however, similar to HIPAA, the variousprovisions will be phased in over several years.Some due dates have passed, thus attention tocompliance is required.Privacy and security rulesUnderstanding the HIPAA Privacy andSecurity Rules is essential. The Privacy Rulestates that a covered entity is not allowed touse or disclose PHI without permission fromn How strictly will laws be enforced?n Will increased requirements subject us toadded penalties?n How will we address the challenges of newtechnology?Electronic health records and “meaningful use”One provision of the HITECH Act that isgenerating much attention is meaningful use ofcertified EHRs. Similar to HIPAA, the federalthe individual, except as the law allows. TheContinued on page 28Health Care Compliance Association • 888-580-8373 • www.hcca-info.org27March 2011

HIPAA, HITECH, and health information—Past, present and future ...continued from page 27March 201128government is putting the legal infrastructurein place for the technology to follow. Billionsof dollars are at stake over the next few years asincentives for adoption of EHRs by Medicareand Medicaid providers. Not only mustproviders implement certified EHRs, but theymust also demonstrate “meaningful use” bymeeting specific requirements.The final rule, issued in July 2010, contains864 pages and understanding all the variousprovisions will be challenging. Many excellentdocuments containing detailed information areavailable through the CMS website 4 and fromother organizations. Following is a high-leveloverview of useful preparation steps to take.EligibilityThe first step for Medicare or Medicaid providersis to determine eligibility for the program.Medicare-eligible entities include acute carehospitals paid under the Prospective PaymentSystem (PPS) and Critical Access Hospitals(CAHs). Medicaid-eligible hospitals includeacute care, cancer, critical access, and children’shospitals. With the exception of children’s hospitals,Medicaid-eligible hospitals are required tomeet a minimum Medicaid volume thresholdof 10%. A hospital is identified by its uniqueMedicare provider number, thus hospitals withmultiple campuses are considered one provider. 5There are five types of Medicare eligibleprofessionals (EPs):n Doctor of medicine or osteopathyn Doctor of oral medicine or dental surgeryn Doctor of podiatryn Doctor of optometry, andn ChiropractorMedicaid EPs include physicians, nurse practitioners,certified nurse-midwives, dentists,and physician assistants working in a federallyqualified health center or rural health clinicled by a practice associate.Hospital-based EPs (those who furnish 90%or more of their services in the Inpatient orEmergency department of a hospital) are noteligible to participate in the EHR incentiveprogram. 6RegistrationProviders will register for the program onlineat the CMS web site: www.cms.gov/EHRIncentivePrograms/.Organizations are not required to havea certified EHR system in place prior toregistration; however, meaningful use mustbe demonstrated to receive an incentivepayment.CertificationProviders must purchase or develop EHRcertifiedtechnology. A temporary certificationprogram was announced by Health andHuman Services (HHS) on June 18, 2010.It is expected that a permanent certificationprogram will become effective on January 1,2012. The Office of the National Coordinator(ONC), a division of HHS, is responsiblefor the adoption of standards, implementationspecifications, certification criteria, andcreation of a certification program. 7Be cautious when selecting an EHR system,because certification alone does not ensurethat a product is the right fit for an organization.It must be a system that the staff will useto its full potential to reach the establishedgoals, thus demonstrating meaningful use.Meaningful use of certified EHRsThe first qualifying year for demonstration ofmeaningful use of a certified EHR is 2011.During the initial year, a provider must attestto three months of use to qualify for incentivepayments. In subsequent years, meaningfuluse must be demonstrated for the entire year.The meaningful use requirements for EPsand hospitals are numerous; however, the listis shorter than the original proposed rules,thanks to the more than two thousand commentsreceived. Some of the original criteriawere postponed with the publishing of thefinal rules.To qualify for incentives, hospitals mustdemonstrate fulfillment of fourteen specificcore requirements and also must select fiveadditional goals from a menu of ten items.Hospitals must meet fifteen clinical qualitymeasures. One essential difference in thefinal rule is that to receive incentives, ahospital must meet meaningful use criteriain the Emergency Department, as well as forinpatient services. All the criteria are foundin “Medicare and Medicaid EHR IncentiveProgram – Specifics of the Program forHospitals,” published by CMS on August 11,2010.To quality for incentives, EPs must demonstratefulfillment of fifteen specific corerequirements. They also must select fiveadditional goals from a menu of ten items. 8IncentivesAccording to the CMS website, analysis of thefinal rule estimates that incentive paymentsunder Medicare and Medicaid EHR programsfor 2011 through 2019 will range from $9.7billion to $27.4 billion. Payment adjustments(i.e., penalties) for hospitals and physicianswho do not adopt EHR technology willbegin in 2015 under Medicare. There are nopayment adjustments for Medicaid providerswho do not adopt the technology.Hospitals may receive incentives from bothMedicare and Medicaid programs. Acutecare hospitals and critical access hospitalsthat demonstrate meaningful use receive anamount determined by a formula that beginsHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org

with a $2 million base plus a per-dischargeamount. There is no maximum incentiveamount. Medicare incentive payments tohospitals will end after 2016. 5An EP who demonstrates meaningful useof an EHR may receive up to $44,000 forMedicare services over a five year period and$63,750 for Medicaid services over a six yearperiod. The Medicare incentive payments willend after 2016 and Medicaid payments willend after 2021.The federal government has establishedthree stages for adoption of EHRs. Stage 1 isfocused on capturing data. Hospitals and EPsmay quality for their first incentive paymentusing Stage 1 criteria until 2014, whichis an extension from the initial proposedrules. Stage 2 will be focused on reportinghealth information and tracking certain keyclinical conditions. Stage 3 will be focusedon improving performance and outcomes;however, stages 2 and 3 have not been definedin detail. 6ConclusionThe implementation of EHRs will requiremuch preparation and will revolutionize theway health care is provided. The ultimategoals are to:n Improve the quality, safety, and efficiencyof care while reducing disparities;n Engage patients and families in their care;n Promote public health;n Improve care coordination; andn Promote the privacy and security of EHRs. 5The efforts and support of everyone in anorganization are required to meet the objectives.The IT department will be involvedthrough the planning, implementation,and ongoing support. Health InformationManagement will go through many changeswith the conversion from paper to electronicrecords. Clinical workers will have to learnnew processes during this evolution. Similarto the airline industry in the 1950s, healthcare is going through a major transformation.Another goal is to improve public health andget individuals more involved in their ownhealth care. In the same way that travelersreserve hotels and flights online, patientswill schedule medical appointments onlineand communicate with caregivers. However,there is a concern about the portion of thepopulation that is not comfortable with usingcomputers or does not have Internet access.Often, these are the elderly who are most inneed of medical care.The journey will continue to be challenging,remarkable, and exciting, but also confusingand scary at times. Health care organizationsmust do research, create roadmaps, plan, trainemployees, update policies and procedures,and prepare to move forward. EHRs, likethe stethoscope, are here to stay as a vitalpart of providing quality care to patients andcommunities. nThe author acknowledges the contribution ofShelley Koltnow, Vice President of CorporateResponsibility, Via Christi Health.1. Available at http://www.whitehouse.gov/the_press_office/Remarks-of-President-Barack-Obama-Address-to-Joint-Session-of-Congress/.2. Dowling, Alan K: “The Bold New World of ARRA”. Journal ofAHIMA, Vol. 81, No. 8, August 2010, p. 17.3. Harry Bloch: The inventor of the stethoscope: Renne Laennec. Journalof Family Practice, August 1993. Available at http://findarticles.com/p/articles/mi_m0689/is_n2_v37/ai_13248765/4. Centers for Medicare and Medicaid Services website available at http://www.cms.gov/EHRIncentivePrograms/.5. Centers for Medicare and Medicaid Services: Medicare and MedicaidEHR Incentive Program Specifics of the Program for Hospitals, August2010. Available at http://www.cms.gov/EHRIncentivePrograms.6. Centers for Medicare and Medicaid Services: Medicare and MedicaidEHR Incentive Program Final Rule – Implementing the AmericanRecovery and Reinvestment Act of 2009, July 2010. Available at http://www.cms.gov/EHRIncentivePrograms.7. HITECH Temporary Certification Program for EHR Technology,updated September 2010. Available at http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=2887&PageID=19630.8. Centers for Medicare and Medicaid Services. Medicare ElectronicHealth Record Incentive Payments for Eligible Professionals, July 2010.Available at http://www.cms.gov/EHRIncentivePrograms.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgComplianceTodayAuthors&AcademyAlumniReception2011 ComplianceInstitute inOrlando, FLPlease join us on Sundayevening, April 10, from5:30–6:30 p.m. for the HCCAAuthors and AcademiesAlumni Reception at the2011 Compliance Institute.A reception for ComplianceToday Authors andCompliance InstituteAlumni. If you have everwritten for ComplianceToday or attended anyof HCCA’s ComplianceAcademies, PrivacyAcademies, or ResearchAcademies, we hope tosee you for socializing andnetworking.29March 2011

The Health Care ComplianceProfessional’s ManualSUBSCRIPTION SERVICE INCLUDED WITHPERIODIC UPDATES• Hard-copy subscribers receivequarterly updates• Internet subscribers receive updatesas soon as they are issuedThe Health Care Compliance Professional’sManual gives you all the tools you need to planand execute a customized compliance programthat meets federal standards. Available via printor the Internet, the Manual walks you throughthe entire process, start to finish, showing youhow to draft compliance policies, build a strongcompliance infrastructure in your organization,document your efforts, apply self-assessmenttechniques, create an effective educationprogram, pinpoint areas of risk, conductinternal probes and much more.The Health Care Compliance Professional’s Manual shows you how to:• Confidently use OIG publications andFederal Sentencing Guidelines to help youplan and execute a customized compliancestrategy that meets strict federal standards• Perform risk assessments within yourprogram to help you uncover possibleareas of risk• Draft your own compliance policies thatwill form the basis for your organization’sprogram• Develop and reinforce a solidinfrastructure, including guidelines forhiring the right personnel• Design an effective education program thatinstills the importance of compliance• Conduct your own internal probes tosurface and cure questionable activities,thus mitigating possible penalties• Keep continually up-to-date with the latestregulatory changes, including practicalcoverage of federal and state lawsUSED BY HCCA AS THEBASIC TEXT FOR ITSCOMPLIANCE ACADEMYMarch 2011www.hcca-info.org 30| 888-580-8373Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

What’s new forPEPPER: More targetareas, new settingsBy Kimberly Hrehor, MHA, RHIA, CHC, and Dan McCullough, RN, CHCEditor’s note: Kimberly Hrehor is a Project PEPPER, emphasizes the importance of theDirector at TMF Health Quality Institute in reports. “Hospitals can use the comparativeAustin, Texas. Kimberly may be reached by data in PEPPER to identify where theytelephone at 281/859-0331 or by e-mail at might be at risk for unnecessary admissionskhrehor@txqio.sdps.org.or coding errors and take steps to preventimproper payments,” said Kevin Young withDan McCullough is a Program Specialist at TMF the CMS Office of Financial ManagementHealth Quality Institute in Austin, Texas. Dan Provider Compliance Group. 1 CMS feels it ismay be reached by telephone at 512/334-1639 or important to expand the availability of theseby e-mail at dmccullough@txqio.sdps.org. comparative billing reports to other settings,such as critical access hospitals, inpatientCritical access hospitals (CAHs), psychiatric facilities and inpatient rehabilitationfacilities, in support of CMS’ initiative toinpatient psychiatric facilities (IPFs),and inpatient rehabilitation facilities(IRFs) can look forward to receiving free The ultimate goal is to protect the Medicareprevent improper payments at the front end.comparative data reports to support their Trust Fund through proactive activities,internal auditing and monitoring programs. avoiding the pay-and-chase scenario.The Program for Evaluating Payment Patterns What is PEPPER?Electronic Report (PEPPER) provides PEPPER is a free report containing hospitalspecificdata for discharges determinedhospital-specific Medicare claims statisticsfor discharges identified as vulnerable to by CMS to be at high risk for improperimproper payments. PEPPER supports payments due to billing, coding, and/orcompliance efforts by identifying risk areas admission necessity issues.for which a hospital or facility is an outlierin comparison to others. When identified as Each PEPPER contains one hospital’san outlier, hospitals are encouraged to ensure Medicare claims data statistics for the riskpatients are treated in the appropriate setting areas, referred to in the report as “target(e.g., inpatient versus outpatient) and that areas.” The data are presented in tabular form,diagnoses and procedures are coded correctly as well as in graphs that depict the hospital’saccording to coding guidelines. The reports target area percentages over time. Based onhave been available to short-term acute care data restrictions established by CMS, hospitalhospitals (STCHs) since 2003 and long-term data statistics are displayed only if there areacute care hospitals (LTCHs) since 2006. 11 or more discharges in a report time periodin a given target area; if there are fewer thanThe Centers for Medicare & Medicaid 11 discharges in all time periods for all targetPEPPER is the only report where hospitalscan compare their target area percents to threegroups: all hospitals in the state, all hospitalsin the Medicare Administrative Contractor(MAC)/Fiscal Intermediary (FI) jurisdiction,and all hospitals in the nation. PEPPERallows hospitals to identify when their targetarea percentages are outliers and helps themto prioritize target areas for internal review,auditing, and monitoring.Hospitals can use PEPPER to compare theirown data over time to identify significantchanges in billing practices, pinpoint areasin need of auditing and monitoring, identifypotential diagnosis-related group (DRG)under- or over-coding problems, and identifytarget areas where the length-of-stay isincreasing. Many hospitals use PEPPER tohelp prepare for regulatory audits (such asRecovery Audit Contractor [RAC] reviews).PEPPER can help hospitals achieve CMS’goal of reducing and preventing improperpayments.PEPPER was once distributed to hospitals bystate Medicare Quality Improvement Organizations(QIOs) in support of the now-defunctHospital Payment Monitoring Program.QIOs are no longer involved in providingthe report. PEPPER is now distributed tohospitals nationwide by TMF Health QualityInstitute under contract with CMS.What’s new for short-term (ST) PEPPER?The PEPPER for STCHs has undergonedesign changes, such as the following, tomake it easier to use:n Guidance to help the hospital determine ifit should consider auditing/monitoring fora target arean Suggested interventions if the hospital isan outlier for a target area, andn Improved labeling for time periodsServices (CMS), which provides funding for areas, a PEPPER is not created.Continued on page 34Health Care Compliance Association • 888-580-8373 • www.hcca-info.org31March 2011

March 201132Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org33March 2011

What’s new for PEPPER: More target areas, new settings ...continued from page 31March 201134Table 1: Target Areas for ST PEPPER and Potential Target Areas for CAH PEPPERCoding-focused Target Areas Admission Necessity-focused Target AreasStroke/intracranial hemorrhage Transient ischemic attackRespiratory infectionsChronic obstructive pulmonary diseaseSimple pneumoniaPercutaneous cardiovascular procedure with stentinsertionSepticemiaSyncopeUnrelated operating room procedure Circulatory system diagnosesCC/MCC for medical DRGs Other digestive system disordersCC/MCC for surgical DRGs Medical backExcisional debridement3-day stays prior to a SNF admissionVentilator support30-day readmissions to same or elsewhere30-day readmissions to same hospital2-day stays for other vascular procedures2-day stays for heart failure and shock2-day stays for cardiac arrhythmia2-day stays for esophagitis/gastroenteritis2-day stays for nutritional/metabolic disorders2-day stays for renal failure2-day stays for kidney/urinary tract infections1-day stays excluding transfers1-day stays for medical DRGs1-day stays for chest pain/atherosclerosisIn addition, the ST PEPPER will include at CMS’ discretion. A complete listing of theseveral new target areas. Some of these new target area definitions is available at http://target areas were added, based on feedback www.pepperresources.org/LinkClick.aspx?filetreceived from hospitals, such as the target icket=vWFkRnms53A%3d&tabid=39.areas for complications and comorbidities/major complications (CC/MCC) for surgical Changes to long-term (LT) PEPPERDRG, and 30-day readmissions to same LTCHs will continue to receive PEPPER, buthospital. Others were identified through they will notice a change in data aggregation.findings from the RAC demonstration and Previously, the LT PEPPER contained theexpansion projects. See Table 1 for a listing most recent 12 fiscal quarters of data statisticsof target areas to be included in the February (12 data points); this has changed to three2011 release (Note: Target areas may change years of data statistics (three data points).Table 2. Target Areas for LT PEPPER and Proposed Target Areas for IPF and IRF PEPPERLong-term Acute Care Inpatient Psychiatric FacilityHospital Target Areas Proposed Target AreasInpatient RehabilitationFacility Proposed Target AreasSepticemia Outlier payments 30-day readmissionsExcisional debridement Comorbidities Interrupted staysRehabilitation 30-day readmissions Case mix group reportShort staysInterrupted staysHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgIn addition, the distribution schedule willchange from quarterly to annually.These changes were made in an effort toovercome the impact of CMS data restrictionsthat prevent data statistics with numerators/denominatorsless than 11 from beingdisplayed. By increasing the time periodfor aggregating data statistics, more LTCHsshould have reportable data in their PEPPER.A revised format (available for review onwww.PEPPERresources.org) will accommodatethe new data aggregation and incorporatemany of the design changes includedin the ST PEPPER. The target areas for LTPEPPER have not changed (see Table 2).New PEPPERs for CAHs, IPFs, IRFsPEPPER will be available for the first timeand distributed annually to CAHs, IPFsand IRFs nationwide (see the DistributionSchedule, Table 3). The PEPPER format forthese settings will be the same as that of theLT PEPPER (available for review at www.PEPPERresources.org.)CAHs have advocated for receiving the reportfor some time. “As a critical access hospital,we treat many of the same patients as acutecare hospitals, but have not had the PEPPERdata as a resource,” states Terri Camp, RN,MHL, Chief Quality Officer/Chief NurseExecutive at Jefferson Healthcare in PortTownsend, Washington. “We look forward tohaving a PEPPER available to help us trackbilling patterns and compare us to otherCAHs. The recovery audit contractors arealready focusing on CAHs and theyseem to hold us to the same standardas the short-term acute care PPShospitals. We want to be prepared withas much information as possible.”The CAH PEPPER will likely includemany of the same target areas as the ST

Social Networking ...continued from page 19PEPPER (see Table 1). While the target areasfor IPFs and IRFs have not been finalized, theproposed areas are included in Table 2.Training to be ProvidedTMF will develop training for all settings receivingPEPPER (see Table 3). Recorded webinarswill be prepared for short-term and long-termacute care hospitals. Live webinars will beconducted for CAHs, IPFs and IRFs, followedby an audio conference to provide hospitalsand facilities additional opportunities to askquestions and continue learning how to useTable 3. Distribution and Training SchedulePEPPER. All training sessions will be recordedand available at www.PEPPERresources.org onthe “Training and Resources” pages.How can I learn more?Visit www.PEPPERresources.org for moreinformation, and click “Join our e-mail list” toreceive important notifications about PEPPERdistribution and training opportunities. Questionsmay be submitted at any time throughthe PEPPERresources.org Help Desk.n1 Conversation with Kevin Young on September 30, 2010.For the answers to these questions, as wellas others, I encourage everyone to becomeinvolved with the Social Network. It is agreat way to participate in the discussion,review the comments, or just talk with yourpeers. You can access the social networkingsite by going to the following link:www.hcca-info.org/sn nProvider Type Distribution Date Distribution Method TrainingShort-term acute care hospitals Quarterly, on or about February 24,May 24, and August 24, 2011Long-term acute care hospitals Annually, on or about April 25,2011Critical access hospitals Annually, on or about April 25,2011Inpatient psychiatric facilities Annually, on or about June 24,2011Inpatient rehabilitation facilities Annually, on or about September23, 2011My QualityNet secure fileexchangeMy QualityNet secure fileexchange or direct mailMy QualityNet secure fileexchangeDirect mail to facilityadministratorDirect mail to facilityadministratorRecorded webinar, available lateFebruary 2011Recorded webinar, available late April2011Live webinar, to be scheduled lateApril or early May 2011Live webinar, to be scheduled lateJune or early July 2011Live webinar, to be scheduled lateSeptember 2011Compliance Today Editorial BoardThe following individuals make up the Compliance Today Editorial Advisory Board:Gabriel Imperato, Esq, CHCCT Contributing EditorManaging PartnerBroad and CasselOfer Amit, MSEM, CHRCResearch ComplianceAdministratorBaptist Health South FloridaJanice A. Anderson,JD, BSNShareholderPolsinelli Shughart, PCChristine Bachrach, CHCChief Compliance OfficerUniversity of MarylandDorothy DeAngelisManaging DirectorFTI ConsultingDavid Hoffman, JDPresidentDavid Hoffman & AssociatesGary W. Herschman,Chair, Health and Hospital LawPractice GroupSills Cummis & Gross P.C.Eric Klavetter, JD, MS, MAPrivacy and Compliance OfficerMayo ClinicF. Lisa Murtha, JD, CHC,CHRCPartner, Sonnenschein Nath &Rosenthal, LLPRobert H. Ossoff, DMD,MD, CHC, Assistant ViceChancellor for Compliance andCorporate IntegrityVanderbilt Medical CenterDeborah Randall, JDPartnerArent Fox LLPEmily RaymanGeneral Counsel and ChiefCompliance OfficerCommunity Memorial HealthSystemRita A. Scichilone, MSHA,RHIA, CCS, CCS-PDirector of Practice LeadershipAmerican Health InformationManagement AssociationJames G. Sheehan, JDNew York StateMedicaid Inspector GeneralLisa Silveria, RN BSNHome Care ComplianceCatholic Healthcare WestJeffrey Sinaiko,PresidentSinaiko Healthcare Consulting, Inc.Debbie Troklus,CHC-F, CCEP, CHRCAssistant Vice President for HealthAffairs/Compliance, University ofLouisville School of MedicineCheryl Wagonhurst, JD, CCEPPartnerLaw Office of Cheryl WagonhurstLinda Wolverton, CHC,CPHQ, CPMSM, CPCS,CHCQM, LHRM, RHITVice President ComplianceTeam Health, Inc.Health Care Compliance Association • 888-580-8373 • www.hcca-info.org35March 2011

ProductsCorporate Compliance & Ethics WeekOfficial poster for CorporateCompliance & Ethics Week:20" x 28" glossy color poster$6.25 (min. order 10)Highlighter, 5.3", blue ink, withcarabiner top$1.75 (min. order 10)Four colorful glossy posters, 20" x 28", each showcasing a different ethics message(4-pack includes one of each poster). Perforated strip along bottom allows easyremoval of Corporate Compliance & Ethics Week logo once week is over.$30.00 per 4-packMini metal flashlight, 2.4", with carabiner$3.50 (min. order 10)Order atwww.hcca-info.org/complianceweekORDER BEFORE FRIDAY,APRIL 15 to ensure delivery byCompliance Week!Questions, call our order fulfillment centerat 877/646-9226Retractable computer screen cleaner andkeyboard duster, 2.5" closed$3.00 (min. order 10)5-color post-it flag carrier, 3.25" x 2.2"$1.50 (min. order 10)Translucent travel tumbler, 15 oz,with screw-on lid (BPA-free)$4.50 (min. order 5)Jelly smacker stress ball, 2.25" diameterTravel clock/timer with memo-clip top,Retractable ballpoint pen, black ink$4.99 (min. order 5)3.25" x 2.2"$1.35 (min. order 20)Health Care Compliance$3.95 (min. orderAssociation10)• 888-580-8373 • www.hcca-info.orgMarch 201136

2011 Basic compliance academiesscottsdale, aZ | June 6–9new York, nY | August 8–11HCCA CompLiAnCe ACADemieSchicago, il | September 19–22las Vegas, nV | October 24–27orlando, Fl | November 14–17san diego, ca | December 5–82011 Basic ReseaRch academiesaugust 15–18, 2011 | Las Vegas, NV2011 Basic pRiVacY academiesmarch 28–31, 2011 | Orlando, FLoctober 10–13, 2011 | San Francisco, CAcertification exam offered following each academyregistration for each academy is limited to 75 attendees“i just wanted to say thank you for helping to coordinate and present such aneducational and useful compliance academy. if i knew how much i was going learnand how many ideas i would leave with to improve our compliance program i wouldhave attended much sooner. The academy helped to energize and inspire me to takeour compliance program and myself as a compliance professional to the next level.”Michael Scudillo, Chief Compliance Officer, Universal Institute, Inc.www.hcca-info.org • 888-580-8373Health Care Compliance Association • 888-580-8373 • www.hcca-info.org37March 2011

March 201138OIG/GSA sanctionscreening: Creatinga robust complianceEditor’s note: Cynthia L. Palka is OperationsDirector with Evolution Consulting OIG ComplianceNOW. Ms. Palka may be contacted bye-mail at Tia@oigcompliancenow.com and bytelephone at 607/754-3636.Medicaid and Medicare fraud arerampant in our society. Eachweek, numerous health careinstitutions are found guilty of employingexcluded individuals or using excludedvendor organizations, and are heavily finedand ordered to pay millions of dollars inrestitution to the federal government. Recentguidance 1 released by the Health and HumanServices Office of Inspector General (OIG)makes it clear that “not knowing” is not anexcuse, and that the default action of thegovernment will be to presume in favor ofexclusion. Health care institutions need tobe proactive in the set-up and managementof robust employee and vendor complianceprograms so that they can adequately protectpatients, prevent fraud, and preserve theirorganizational integrity.BackgroundMany health care institutions are financiallydependent on reimbursement of monies fromfederal and state health care programs, suchas Medicaid and Medicare, to fund their businessoperations. This includes organizationssuch as hospitals, physicians, home healthprogramBy Cynthia L. Palka, MS, PCCagencies, clinical laboratories, third-partybilling companies, durable medical equipmentcompanies, hospices, nursing facilities,ambulance suppliers, Medicare Advantageinstitutions, pharmaceutical/biologic/devicemanufacturers, and other providers ofhealth care products/services that qualify forreimbursement.The U.S. Department of Health & HumanServices (HHS) is responsible for managingand monitoring reimbursement practices forits various programs, including Medicaid andMedicare. OIG is charged with protectingthe integrity of HHS programs, includingthe health and welfare of the beneficiaries ofthose programs. 2 For many years, under aCongressional mandate, OIG has manageda program to exclude certain individuals andentities from participating in federally-fundedhealth care programs, as per section 1128 ofTitle XI of the Social Security Act. 3 Excludedentities are not permitted to bill governmentprograms for services rendered, and entitieswho employ excluded individuals are notpermitted to bill for services rendered bythose individuals.Why worry about exclusion?With the rampant and widely publicizedepisodes of Medicaid and Medicare fraudin recent years, health care institutions areunder increasing pressure to perform morefrequent sanction screenings by comparingHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgemployees and vendors against federal andstate exclusion lists, in order to ensure thatthe institutions are not billing for the work ofexcluded parties.Organizations that are audited and discoveredto be billing for services rendered byan excluded vendor or individual will befined ($10,000 per occurrence) and will beexcluded from participating in federallyfundedhealth care programs for a period offive years. The effects of exclusion are serious,as outlined on the OIG website 4 and include:n No payment will be made by any federalhealth care program for any items orservices furnished, ordered, or prescribedby an excluded individual or entity.Federal health care programs includeMedicare, Medicaid, and all other plansand programs that provide health benefitsfunded directly or indirectly by the UnitedStates (other than the Federal EmployeesHealth Benefits Plan). For exclusionsimplemented prior to August 4, 1997,the exclusion covers the following federalhealth care programs: Medicare (TitleXVIII), Medicaid (Title XIX), Maternaland Child Health Services Block Grant(Title V), Block Grants to States for SocialServices (Title XX) and State Children’sHealth Insurance Programs (SCHIP, TitleXXI).n No program payment will be madefor anything that an excluded personfurnishes, orders, or prescribes. This paymentprohibition applies to the excludedperson, anyone who employs or contractswith the excluded person, any hospital orother provider where the excluded personprovides services, and anyone else. Theexclusion applies regardless of who submitsthe claims and applies to all administrativeand management services furnished by theexcluded person.

What causes exclusion?As outlined in the Code of Federal Regulations,OIG may exclude an individual fromparticipation in federal and state health careprograms for a variety of offenses. Mandatoryand permissive exclusions include:Mandatory exclusions (no less than 5years)n Conviction of health care program-relatedcrimesn Conviction relating to patient abusen Felony conviction relating to health carefraudn Felony conviction relating to controlledsubstancePermissive exclusions (period variesaccording to nature of offense)n Conviction relating to fraudn Conviction relating to obstruction of aninvestigation or auditn Misdemeanor conviction relating to controlledsubstancen Health care license revocation orsuspensionn Exclusion/suspension under a federal orstate health care programn Claims for excessive charges or unnecessaryservices, and failure to furnish medicallynecessary servicesn Fraud, kickbacks, and other prohibitedactivitiesn Entities controlled by a sanctionedindividualn Failure to disclose required informationn Failure to supply information on subcontractorsand suppliersn Failure to supply payment informationn Failure to grant immediate accessn Failure to take corrective actionn Default on health education loan or scholarshipobligationsn Individuals controlling a sanctioned entityHealth care institutions are expected to performsanction screenings on at least an annual basisfor their employees, both current and new hires.Any vendor organizations that provide servicesto the health care institutions must also bescreened, not only for exclusion of those entities,but for exclusion of any individual employeesworking for the vendors. As stated in multipleplaces in the regulations, OIG has the ability tosanction an individual on the basis of whetherthe person “knows or should know” of theactions constituting the basis for the exclusion.To support health care organizations in theircompliance efforts, various federal and stateorganizations provide online, searchabledatabases and updated database downloads,including:n HHS OIG List of Excluded Individualsand Entities (LEIE)n the United States General ServicesAdministration (GSA) List of PartiesExcluded from Federal Procurement &Non-procurement Programs (EPLS)n the Office of Foreign Assets Control(OFAC) Specially Designated Nationals(SDN) Listn Individual state exclusion databases. Ninestates have individual Office of MedicaidInspector General (OMIG) offices.How the sanction screening program worksOIG has published numerous guidances forhealth care institutions, instructing them onhow to establish robust compliance programs.Each guidance references sanction screeningfor excluded individuals. For example, theOIG Supplemental Compliance ProgramGuidance for Hospitals makes reference toscreening as a necessary part of the hospital’senforcement of disciplinary standards:Are employees, contractors and medicaland clinical staff members checkedgovernment sanctions lists, includingthe OIG’s List of Excluded Individuals/Entities (LEIE) and the General ServicesAdministration’s Excluded Parties ListingSystem? 6The same guidance also references theOIG website, where hospitals can look formore information: “See http://oig.hhs.gov/fraud/exclusions.html. The OIG also makesavailable Monthly Supplements for StandardLEIE, which can be compared to existinghospital personnel lists.”The OIG sanction screening complianceprogram should be set up and integrated withthe health care institution’s overall complianceprogram. Organizations that receive paymentsfrom Medicaid in excess of $5 million dollarsper year should already have a complianceprogram in place under the Deficit ReductionAct of 2005. 7 The compliance programshould include elements such as written policies,management oversight, communication,training for employees, and enforcement/reporting procedures.The technical aspects of the sanction screeningprocess will involve a coordinated effortto compile lists of employees and vendorentities/employees, obtain access to federaland state databases, and conduct screeningand validation of any sanctions found. Selfdisclosureof all violations to federal and stateauthorities must occur within a reasonableperiod, but not more than 60 days. Seriousviolations of administrative, civil or criminallaws, or those that adversely affect the qualityof care to beneficiaries, should be reportedimmediately.Until recently, many health care institutionshave been managing annual sanction screeningon their own, to the best of their abilities.routinely (e.g., at least annually) againstHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgContinued on page 4039March 2011

OIG/GSA sanction screening—Creating a robust compliance program ...continued from page 39March 201140Some states now have their own OMIGoffices and recommend monthly screenings, 8and that, coupled with increased rigor bythe federal government to impose permissiveexclusions on management personnel of sanctionedentities, has led health care facilities toseek the help of third-party organizations toassist with the screening process. In determiningwhich approach would work the best, theinstitution should consider factors such assize/location, extent of federally-reimbursedservices, number of vendors, and internalresources (e.g., IT, HR) to dedicate to theprogram.One option involves the health care institutionpartnering with a vendor that providesa web portal through which the screeningcan be performed. Fees are typically based onthe number of times the portal is accessed.The health care institution is responsible forcompiling all employee/vendor data and actuallydoing the screening, as well as managingany sanctions that are found. It is critical toperform validation of any sanctioned namesprior to taking employment actions againsta vendor or an employee. In this option,the health care institution would have allresponsibility for this process, as well as forany other aspects of the screening complianceprogram (e.g., policies, training, reporting,etc).Another option is to partner with a vendorthat acts like a third-party administrator(TPA) to manage multiple aspects of theprogram. The health care facility provides theTPA with lists of employees/vendors, andthe TPA conducts the screenings, validatesany sanctions, and provides reports back tothe institution. The TPA typically employsprofessional investigators who have accessto more specialized databases and can workeffectively with federal and state agencies tovalidate the sanctions. The TPA also managesthe burden of setup and monthly screeningof huge data sets against multiple databasesources. The TPA can also assist with setupof the internal sanction screening complianceprogram, including the development of policies,vendor management, training, regulationupdates, and procedures to facilitateself-disclosure to OIG.What risks/challenges should be consideredFrom a screening standpoint, the challengewith the central OIG and GSA databases isthat they do not require participation andupdates from all 50 states. Currently, elevenstates do not send any updates to the OIG/GSA lists. Any updates from these stateswould have to be obtained from those statesdirectly. Considering that excluded individualsoften move from one state to another toobtain new employment, it would be risky todepend solely on screening with the centralOIG/GSA lists.It would be prudent to screen other databasesto ensure adequate protection. These includethe National Practitioners database, the Officeof Foreign Assets Control (OFAC) TerroristWatch List, Wanted Fugitives , Social SecurityVerification, and Homeland Security Verification.However, some of these databases areonly accessible to licensed investigators, andnot every health care institution has someonelike this on its staff.Implementation of a sanction screening complianceprogram also impacts an organizationfrom a resource standpoint. The health careinstitution would require the setup of an ITsystem and methodology to manage screeningof multiple, separate database sources(OIG, GSA, OFAC, the eleven states, plusothers), plus the human resources to compileand perform monthly database screens ofcurrent employees and new hires, as wellas any vendor employees. Most health careHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgorganizations have dozens or even hundredsof vendors. And, this is just for the screeningprocess itself, and does not include thecoordination of activities surrounding the fullcompliance program, such as written policies,communication, training, validation ofscreening results, management of employmentactions against sanctioned individuals,coordination with vendors, updates to regulations,auditing, and self-reporting of results toOIG (which must happen within 60 days ofdiscovering any sanctions).ConclusionAll health care institutions have as theirnumber one value to protect the health andwelfare of their patients. New regulations nowrequire a more proactive effort to ensure thata safe and qualified workforce is renderingservices in accordance with that value. Nowis the time for all health care organizationsto create robust OIG sanction screeningcompliance programs to keep patients safeand preserve the integrity of our health caresystem. n1. Office of Inspector General. Guidance for Implementing PermissiveExclusion Authority under Section 1128(b)(15) of the Social SecurityAct. Available at http://www.oig.hhs.gov/fraud/fraudalerts_other.asp2. Office of Inspector General. About the Office of Inspector General(OIG). Available at http://www.oig.hhs.gov/organization.asp3. Social Security Act, Title XI, Sec. 1128. Available at http://www.ssa.gov/OP_Home/ssact/title11/1128.htm4. Office of Inspector General. Exclusions Program. Available at http://www.oig.hhs.gov/fraud/exclusions.asp5. Code of Federal Regulations, 42CFR1001, Program Integrity – Medicareand State Health Care Programs. Available at http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=%2Findex.tpl6. Federal Register/ Vol. 70, No. 19/January 31, 2005. Available at http://frwebgate.access.gpo.gov/cgi-bin/getpage.cgi7. Safian, Shelly C: Essentials of Health Care Compliance. Delmar. NewYork, 2009, p. 148. New York State Office of the Medicaid Inspector General. Explanationand Disclaimer for Restricted, Terminated or Excluded Individualsor Entities. Available at (http://www.omig.ny.gov/data/content/view/71/52/

Letter from the CEO ...continued from page 18most successful years ever. It is not one act ordecision or person that makes an organizationsuccessful. It is the many small acts of manypeople. Jenny O’Brien not only participatedin the in the small leadership group thattook us through this most difficult recession,but she carried the process through thisyear as our current President 2010-11. Ourgrowth and stewardship of the organization’sfinancials is unprecedented during her tenure.Every president has come along at “the righttime,” meaning their primary skill set wasneeded at the moment they were president.Brent Saunders was an entrepreneur and waspresident during a period of great growthand opportunity. Debbie Troklus started ourcertification program, and under her care, ithas flourished. Sheryl Vacca was a veteran ofboard management and was President whenwe decided to discontinue our use of anassociation management company and startour own office. I can not name them all, butthey all contributed greatly, and we are allvery appreciative.We have much work to do. We are appreciative,but never satisfied. We are not hereto serve the elite; we are here to serve themembers and the profession, and to ensurethe implementation of effective complianceprograms. We are now helping with thisprocess in many industries. As a result, ourprofession will not be left in the hands ofothers. It will be left in the hands of thosewho know what they are doing—our volunteerleaders, our members, and our staff. nHCCA Board Election ResultsThe results of the recent elections are in! The HCCA membership voted tohave following individuals serve on the HCCA Board of Directors:Deann M. Baker, CHC, CCEP, CHRCChief Corporate Compliance OfficerAlaska Native Tribal Health ConsortiumRobert Hussar, JD, CHCSenior ManagerForensics and Dispute ServicesDeloitte Financial Advisory Services LLPGabriel L. Imperato, Esq., CHCManaging PartnerBroad and CasselRobert H. Ossoff, DMD, MD, CHCAssistant Vice Chancellor for Complianceand Corporate IntegrityVanderbilt Medical Center (VMC)Re-elected to the HCCA Board:Sheryl Vacca, CHC-F, CCEP, CHRC, CHPCSenior Vice President/Chief Compliance and Audit OfficerUniversity of CaliforniaCongratulations!Health Care Compliance Association • 888-580-8373 • www.hcca-info.org41March 2011

March 201142Improving hospitalrisk assessmentEditor’s note: Mitch Saruwatari is Vice Presidentof Quality and Compliance at LiveProcess inVerona, New Jersey. Saruwatari is a recognizednational health care emergency managementexpert who co-chaired the development of theNational Incident Management System (NIMS)Compliant Hospital Incident Command System(HICS). He may be contacted by telephone at973/571-2500 or by e-mail at msaruwatari@liveprocess.com.James Wadzinski is the Vice President, Operationsand Account Services, for AHA Solutions, Inc.,an American Hospital Association company.With American Hospital Association for morethan 20 years, he is responsible for the strategyof AHA endorsed products and services to helphealth care providers achieve the highest levelof operational performance. His oversight ofthe AHA endorsement ensures all solutionsdemonstrate an outstanding commitment tohealth care and a dedication to helping hospitalsin their pursuit of operational excellence. He canbe contacted at 312/895-2519 or by e-mail atjwadzinski@aha.org.Risk managers and compliance officersin hospitals are well-aware oftheir emergency manager’s ability toplan, respond, and recover from emergenciesand disasters. Most are also aware of theirannual risk assessment of hazards that havethe potential to disrupt hospital operationsand patient care services. However, they maynot be aware that they are required by TheJoint Commission to share their high priorityhazards with community response agenciesand collaboratively develop integratedresponse plans that minimize and mitigateorganizational impacts.By Mitch Saruwatari and James WadzinskiThis collaboration can be very valuable,considering the frequency of disasters thatoccur in the U.S. Each year, the Departmentof Homeland Security’s Federal EmergencyManagement Agency (FEMA) posts on theirwebsite all presidentially declared disasters.In the past ten years, the national numberhas ranged from 45 to 75. Although thisseems like a lot, there are far greater numbersof community emergencies that also requiremobilization of significant communityresources to support local response andrecovery activities. In many cases, these eventsimpact local health care and the ability ofhospitals to provide patient care services.The hospital emergency manager is a richsource of knowledge and experience forassessing these risks and adjusting theresponses, based on community involvement.In addition, emergency managers are familiarwith local, state, and federal assistanceprograms to access resources during responseand recovery activities. They also know thehigh-priority risks and response capabilities oftheir neighboring facilities. They can anticipateboth the direct and indirect impacts ahospital may face.Current state of riskIn this decade alone, over 600 federal disasterdeclarations have occurred for a host of incidents,ranging from earthquakes, wildfires,and flooding to severe storms, mudslides,landslides, hurricanes, and tornadoes. Inroughly a 12-month span in 2004-2005,four major hurricanes, including Katrina andRita, left hundreds dead and wreaked nearly$130 billion in damage in Louisiana, Florida,Mississippi, and Alabama.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgHospitals are not immune to this damage.For example, Maryland hospitals, pummeledby snowstorms in January and February of2010, faced tens of millions of dollars in costsassociated with paid staff overtime, snowremoval, and other related expenses. 1 Also,the renovation costs associated to reopenthe New Orleans hospital (formerly PendletonMemorial Methodist Hospital) wereestimated at a staggering $170 million. 2Another challenge is the greater priority that isbeing placed on hospitals in disaster planning.The Joint Commission has significantly increasedthe emergency management standards over thepast 10 years, and the various federal grant programstargeting community preparedness haveadded many additional hospital requirements.Even so, there remains the risk associated withnot just meeting these requirements, but beingorganizationally competent during responseactions. For example, after Hurricane Katrina,a lawsuit was filed by the family of an elderlypatient who died when the facility’s backuppower failed. The terms of the suit were keptconfidential for fear they would have potentiallyexpanded the liability of health care organizationsfor emergency planning and performance. 3Unfortunately, this sense of protection mayquickly dissolve if another hospital-based patienttragedy occurs during a disaster.Identified gaps in health care planningShortly after the attacks of September 11, 2001two significant presidential directives were givento improve communication and coordinationamong all response organizations. These led tothe implementation of the National IncidentManagement System (NIMS) for preparednessand response competency and the NationalResponse Framework (NRF) to enhance multiagencyand multi-jurisdictional coordinationand collaboration. A clear benefit was that itstandardized response activities which collaterallyprovide a better measurement of readiness.

In addition, health care organizations wereincluded and subsequently are now a formidablecomponent in community planning efforts.However, subsequent events, such as HurricaneKatrina and the recent H1N1 influenzapandemic, continue to highlight unforeseenplanning gaps and offer greater insight for howhealth care can better prepare. Each year, TheTrust for America’s Health and the RobertWood Johnson Foundation evaluate how wellU.S. hospitals are able to respond to disastersand they consider events such as these in theirassessment. In their 2009 publication, 4 theyidentified gaps in hospital surge capability,communication tools and content, surveillanceof patients and victims during a disaster, predefinedcrisis care standards, and limited healthcare resources. Despite the overall improvementsin community and hospital planning,reports like this still emphasize there is stillmuch to do for mitigating health care risks.Considerations for risk reductionChanges in federal guidance and increasedcompliance requirements have caused greaterpressure on hospital emergency managers todo their jobs. They attend many more externalmeetings, are involved in several exercises, andmust now manage grant-funded contracts,including supporting inventory managementof supply caches. In doing all of these activities,hospitals can help reduce organizational risksfor disruptions in services. Unfortunately, thismight be a burden too great for a part-timehospital emergency manager. To maximizethese risk management benefits, hospitalsshould consider providing additional internalfunding and resources to support a full-timeposition within their organization.Hospital risk managers and compliance officerswill also benefit. By reducing the risk ofemergencies and disasters through communityplanning and involvement, organizational riskmanagers can focus attention on other challenges.Quality professionals can have peace ofmind, knowing that emergency managementwill have a better outcome during a JointCommission survey or licensing audit. Also,a full-time emergency management professionalcan assist with addressing patient safetyissues, partner with security and safety, helpwith hazardous materials response and wastemanagement, and may even be able to assist indeveloping memorandums of understandingor similar agreements with other hospitals inthe case of partial or full evacuation, as well asmanaging resource shortages.The hospital emergency manager is really arenaissance professional who has access to manyinternal and external organizations as well asresources, and can be a wealth of knowledge forany hospital. Their unique but broad skill set canhelp reveal unconsidered risks and also provideinsight and actions for mitigating them. n1. Scott Graham: Maryland hospitals look for ways to recoup millions lostfrom snow. Baltimore Business Journal; February 19, 2010. Availableat http://www.bizjournals.com/baltimore/stories/2010/02/22/story2.html?b=1266814800%255E29142012. Gregg Blesch: Weighing the cost of disaster: Trial could raise stakes foremergency planning. Modern Healthcare January 25, 2010. Availableat http://www.modernhealthcare.com/article/20100125/MAGA-ZINE/1001299853. Gregg Blesch, Jessica Zigmond: Katrina Closure: $475 for Charity Hospital,Pendleton settles. Modern Healthcare; February 1, 2010. Availableat http://www.modernhealthcare.com/article/20100201/MAGAZINE/100129960/0&Template=printpicart4. Ready or Not? Protecting the Public Health From Diseases, Disastersand Bioterrorism. Trust for America’s Health. Robert Wood JohnsonFoundation. December 2009. Available at http://healthyamericans.org/reports/bioterror09/pdf/TFAHReadyorNot200906.pdfNeed a quick and cost-effectiveway to earn CEU credits?Want the latest news on breakingissues and best practices?All of this from the convenienceof your own office?Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgTryWebConf_quarterpage_CTad.indd 1Try one of HCCA’supcoming WebConferences, andearn 1.2 CEU credits.It doesn’t get any easier.learn more aboutupcoming webconferences andregister atwww.hcca-info.org/webconferencesPeopleOn the MoveFormer FDA official Steven Niedelmanjoins King & Spalding in Washington DCInternational law firm King & Spaldingrecently announced that Steven M.Niedelman, a former high-ranking officialat the U.S. Food and Drug Administration,has joined King & Spalding’s WashingtonDC office as Lead Quality Systems andCompliance Consultant for the firm’sleading FDA and Life Sciences Practice. Hemay be contacted at King and Spaulding’sWashington Office by telephone at202/737-0500.Bissey named Chief Ethics andCompliance Officer at UMDNJBret S. Bissey, FACHE, MBA, CHC wasrecently named Senior Vice President,Chief Ethics and Compliance Officer,Office of Ethics, Compliance andCorporate Integrity for the University ofMedicine and Dentistry of New Jersey(UMDNJ). Bret may be contacted bytelephone at 973/972-8093.437/8/2010 9:15:55 AMMarch 2011

SAVETHE DATEComing to Your Area in 2011HCCA RegionalConferencesLearn from local experts in your fieldEffective local networking opportunitiesInexpensive local education andnetworking on key compliance topicsUpper North Central | May 6 | Columbus, OHUpper North East | May 20 | New York, NYPacific Northwest | June 10 | Seattle, WAWest Coast | June 17 | Newport Beach, CANew England | September 9 | Boston, MASeptember 25–27, 2011Renaissance Harborplace HotelBaltimore, MDThe Fraud and Compliance Forum is jointly sponsored bythe Health Care Compliance Association (HCCA) and theAmerican Health Lawyers Association (AHLA). It will includean explicit designation of a session as “compliance focused”or “legal focused.” The Planning Committee has includedenough sessions in each designation that an individual couldattend all “compliance” sessions or all “legal” sessions forthe entire program. Yet an attendee also has the optionof selecting a diversity of sessions and networking with anexpanded group of individuals. The Fraud and ComplianceForum has the benefit of combining the quality of HCCAand AHLA sessions with the expanded networking powerof a combined program.Learn more and registerat www.hcca-info.orgUpper Midwest | September 16 | Minneapolis, MNMidwest | September 23 | Kansas City, MONorth Central | October 3 | Indianapolis, INEast Central | October 14 | Pittsburgh, PAHawaii | October 21 | Honolulu, HIMountain | October 28 | Denver, COMid Central | November 4 | Louisville, KYDesert Southwest | November 18 | Scottsdale, AZSouth Central | December 2 | Nashville, TNLearn more andregister now atwww.hcca-info.orgMarch 201144Health Care Compliance Association • 888-580-8373 • www.hcca-info.org2011FraudComp_SaveDate_halfpagead_vert_2c.indd 112/30/2010 11:57:39 AM

Genetic InformationNondiscriminationAct of 2008By K RoyalEditor’s note: K Royal is the Privacy and Why do we have or need GINA?Security Officer and Assistant Vice President, In light of the advancements being made inRegulatory Affairs for Concentra Inc. She can human genome marking and personalizedbe reached at 972/725-6675 or via e-mail at medicine, the National Human GenomeK_Royal@concentra.com.Research Institute and other advocacygroups felt that the potential for misuse ofThe Genetic Informationinformation could stall biomedical research. 1Nondiscrimination Act (GINA) is a Further, if patients feel that their genetic predispositionscould be used against them, theyset of federal laws that prohibits discriminationbased upon genetic information, may not take advantage of genetic diagnosticpassed May 21, 2008. Specifically, GINA tests. 2 The findings by Congress in GINAprohibits insurers and employers from discriminatingagainst individuals on the basis n The medical significance of genetics inacknowledge:of genetics.identification, prevention, and treatment,as well as the potential for misuse;GINA consists primarily of two portions: n That early genetic research spawned legalTitle I addresses insurance coverage andaction such as the sterilization laws, butTitle II is about employer discrimination. that the recent “explosion in the science of(Note: A third portion, Title III: Miscellaneous genetics” compels Congressional action;Provisions, concerns the child labor protections n That many genetics conditions are raciallythat provide for penalties if the violations or ethnically prevalent and may once againimpact child employees.) Although Title I of give rise to a particular stigma, such as thatGINA was effective starting May 22, 2009 seen in sickle cell anemia;according to the plan dates of the particular n Current workplace discrimination, such asinsurance plan, the interim rules to implementit were published Oct. 1, 2009 and Lawrence Berkeley Laboratory 3 ; andthe pre-employment genetic screening atbecame effective after 60 days (December 1, n That national standardization is necessary2009). These rules were published through in light of the disparity and inadequacy inthe Department of Labor, Department of current state laws.the Treasury, and the Department of Healthand Human Services. Title II was effective The first federal bill prohibiting geneticNovember 21, 2009, but the Equal EmploymentOpportunities Commission (EEOC) lowed by several others, but it took thirteendiscrimination was introduced in 1995, fol-only recently published on November 9, years to get a bill passed. GINA amends2010 the final rules that became effective several federal acts: The Employee RetirementJanuary 10, 2011.Income Security Act of 1974 (ERISA), thePublic Health Service Act, Internal RevenueHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgCode, Social Security Act, and the Fair LaborStandards Act.Title I: Genetic nondiscrimination in healthinsuranceTitle I of GINA amends ERISA, the PublicHealth Service Act, and the Internal RevenueCode to prohibit group health plans, individualinsurers, and Medicare supplementalpolicies from requiring higher premiums orcontribution amounts on the basis of geneticinformation. GINA also prohibits requiringindividuals or their family members to takegenetic tests. However, this does not impacthealth care professionals from requiringgenetics tests for treatment purposes, andgroup health plans can use the results ofgenetic tests in payment determinations.Additionally, there are allowances for researchpurposes. Title I also prohibits requesting,requiring, or purchasing genetic informationon an individual before enrollment. Individualhealth plans also cannot restrict eligibilityrules that are based on genetic information.Title I defines these key terms: familymember, genetic information, genetic tests,genetic services, and underwriting purposes.Of particular note are that a “family member”includes up to a fourth-degree relative, andthat “genetic information” includes “manifestationof a disease or disorder” in a familymember – essentially family medical history.When the rules were published, one of thetopics addressed in Title I was the guidanceunder the “incidental collection” exception.If an insurance company happens to collectgenetic information incidentally along withother information, then an exception applies.However, if it is reasonably anticipated that arequest would collect the information, then itis not considered incidental. The unexpectedportion was that this incidental exceptionContinued on page 4645March 2011

Genetic Information Nondiscrimination Act of 2008 ...continued from page 45March 201146limitation has a huge impact on wellnessprograms and health risk assessments. (Moreon this later.)Lastly, all states were required to adapt theirlaws to conform to GINA.Title II: Prohibiting employmentdiscrimination on the basis of geneticinformationTitle II prohibits employers (includingemployment agencies and labor organizations)with 15 or more employees frommaking any employment-related decisionsabout current or future employees on thebasis of genetic information. This prohibitioncovers hiring, firing, or any decisions towardscompensation, terms, conditions, or privilegesthat might limit, segregate, or classify anindividual within employment.The definitions in Title II are similar to Title I,for family member, genetic information,genetic services, and genetic tests (Title IIdoes not include the exception for healthcare professionals testing a manifested diseaseor disorder). Title II does define “geneticmonitoring” as the periodic examinationto determine any damage from exposurethrough employment to toxic substances (i.e.,essentially OSHA surveillance). The actualdefinition in full is:periodic examination of employees toevaluate acquired modifications to theirgenetic material, such as chromosomaldamage or evidence of increased occurrenceof mutations, that may havedeveloped in the course of employmentdue to exposure to toxic substances in theworkplace, in order to identify, evaluate,and respond to the effects of or controladverse environmental exposures in theworkplace.In addition, employers who have medicalinformation that pertains to a manifesteddisease of a disorder that is not “geneticinformation” (even if the disease or disorderhas a genetic base) is not considered to violateGINA.Like Title I, employers cannot request,require, or purchase an employee’s geneticinformation, with some exceptions:n Inadvertent acquisition (i.e., the “watercooler” exception, defined below);n Offering health services, such as a wellnessprogram, as long as there is prior, knowing,and written authorization; only theindividual and health care professionalreceive individually identifiable results;and the employer receives only aggregateresults;n For Family and Medical Leave Act(FMLA) purposes;n In commercially available books anddocuments (not medical databases or courtrecords);n Monitoring of biological effects of toxicsubstances in the workplace, as long as itis required by law and in compliance withany federal and state laws (eg., OSHA),and there is written notice to the employeeand prior, knowing, written authorizationby the employee and the employer; andn Where the employer conducts DNAanalysis for law enforcement purposes as aforensic laboratory.Consider the water cooler exception (inadvertentacquisition). Does this mean that ifa co-worker is dealing with a major familyillness, you can’t ask about it? If an employeevolunteers such information casually, thenthe employer is not held accountable andcertainly, a concerned co-worker can makeempathetic comments in response. Additionally,the discovery of genetic informationthrough social media is consideredinadvertent (Facebook, etc.). The key is tonot seek out this employee and probe forinformation. And, employers can’t use any ofthis information in a capacity regarding thatperson’s file or employment. The new regulationsby the EEOC specifically provide thatif an employer uses the following languagewhen requesting medical information, thenthe employer will not be held accountableif the health care provider includes geneticinformation:The Genetic Information NondiscriminationAct of 2008 (GINA) prohibitsemployers and other entities covered byGINA Title II from requesting or requiringgenetic information of an individualor family member of the individual,except as specifically allowed by this law.To comply with this law, we are askingthat you not provide any genetic informationwhen responding to this request formedical information. `Genetic information’as defined by GINA, includesan individual’s family medical history,the results of an individual’s or familymember’s genetic tests, the fact that anindividual or an individual’s family membersought or received genetic services,and genetic information of a fetus carriedby an individual or an individual’s familymember or an embryo lawfully held byan individual or family member receivingassistive reproductive services. 4Further, the prohibition on acquisition ofgenetic information, including family medicalhistory, applies to medical examinationsrelated to employment. The regulations directemployers that they “must tell health careproviders not to collect genetic information,including family medical history, as part of amedical examination intended to determinethe ability to perform a job.” If the healthcare providers disregard that instruction, thenHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org

employers are directed to take additional not include any genetic information (includingregulations, the payment of virtually anysteps based on the circumstances, includingfamily medical history), or employers type of incentive will be classified as beingno longer using health care providers who may offer a two-part HRA where one part for underwriting purposes, including anycontinue to request or require genetic informationis mandatory and the other part that has the discount or rebate in premiums/contributionsduring medical examinations after the restricted questions is voluntary. Disease and any discount, rebate, or other change inemployer has instructed them not to do so. management programs that are based upon a deductible, co-payment, or co-insurance.If an employer does have genetic information answers to genetic information questions Additionally, it may be that an incentive creditedfrom whatever purpose, then the employer are restricted. If the genetic informationto a health flexible spending arrangementis required to keep that medical information questions are removed, then GINA is not or health reimbursement arrangement mightseparate and secure – as is the case with any triggered. Additionally, an individual may also be considered an incentive. Under Title II,medical information that employers may apply for a disease management program employers can offer incentives to completehave on hand, such as with the Americans and provide genetic information in order to HRAs that include genetic information, aswith Disabilities Act (ADA). This informationqualify under medical appropriateness. long as the employees clearly know that themay only be disclosed:genetic information questions are voluntaryn upon written request by and to the General rule: Genetic information (which and the incentive will be paid whether or notemployee,includes family medical history) cannot be those questions are answered.n to an occupational or other health collected either for “underwriting purposes” orresearcher,“prior to or in connection with enrollment.” HRA compliancen with a court order expressly to the specifiedThere is an exception for genetic information There are a number of strategies that healthinformation and with notification of obtained incidental to the collection of other plans can use to comply with the rules. All ofemployee,information, provided the collection is not these assume that the HRA is not providedn in response to GINA compliance investigationfor underwriting purposes. However, if it is in connection with enrollment.if the medical information is reasonable to anticipate that genetic informa-n Remove the incentives. Although this isrelevant,tion will be received, the incidental collection easy to accomplish, not paying an incentiven in connection with FMLA, orexception does not apply, unless the collectionmay significantly reduce the level ofn to a public health agency of a contagious explicitly provides that genetic information HRA participation.disease that presents an imminent or lifethreateningshould not be disclosed. A reasonable anticipa-n Remove the genetic information ques-harm.tion would include asking the questionstions. Again, this is easy to accomplish,without providing a clear disclaimer that it is but removing genetic information questionsTitle II does not impact a covered entity from optional and should not be disclosed.may reduce the HRA’s effectiveness.any use or disclosure of health informationn HRA bifurcation. Title I rules officiallythat is authorized under HIPAA.Even if genetic information is not collected endorse a two-HRA approach, wherebyfor underwriting purposes, it also must not be one HRA includes all non-genetic informationWellness programs/disease management collected prior to or in connection with enrollment.questions and a second HRAWellness programs and disease management“Enrollment” means before the effective includes all genetic information questions.programs (e.g., weight loss, smoking cessation,date of plan coverage. Whether geneticAny incentive is then only paid for com-lower cholesterol levels, blood pressure information is collected prior to “enrollment” pleting the non-genetic information HRA,control) under GINA can get complicated is determined at the time that it is collected. but the genetic information HRA has nowhen trying to reconcile Title I of insurersincentive. This could also be accomplishedto Title II of employers, especially if an HRAs may impermissibly collect genetic using a single HRA, if the HRA is properlyemployer is self-insured.information. Under Title I, wellness programsstructured and appropriate disclaimersthat provide incentives for completing HRAs and instructions are included.Employers can offer an incentive for completingthat request genetic information violate n Non-plan incentives. GINA only applieshealth risk assessments (HRAs), as long GINA, if the incentive is determined towith respect to the operation of an ERISAas it is clearly stated that the employee should be for underwriting purposes. Under theseContinued on page 48Health Care Compliance Association • 888-580-8373 • www.hcca-info.org47March 2011

Genetic Information Nondiscrimination Act of 2008 ...continued from page 47March 201148group health plan. It is possible that incentivesoutside the traditional health planarena would not trigger GINA.Impact on disease management programsSimilar to the impact on HRAs, diseasemanagement programs are also affectedif they utilize HRA results to determineeligibility. Title II allows employers to offerfinancial incentives for participation indisease management programs or healthcoaching towards particular goals (e.g., weightloss, smoking cessation, lower cholesterollevels, blood pressure control). The diseasemanagement programs available to those whoprovide genetic information should be equallyavailable to those employees whose lifestylechoices put them at risk, whether or notgenetic information is provided.Under Title I, the rules include two similar,yet distinct, examples on this issue. First, if anHRA includes genetic information questions,and the results of those questions are used todetermine whether an individual is eligible fora disease management program, the requestof genetic information included in the HRAviolates the underwriting prohibition. Thisis because the genetic information is usedto determine if the individual is eligible foradditional benefits under the plan (i.e., thedisease management program).As noted previously, plans may limit benefitsbased on medical appropriateness and thedetermination of medical appropriatenessdoes not qualify as an underwriting purpose.If the determination of medical appropriatenessdepends on genetic information, theplan can condition the benefit on geneticinformation, provided the plan only requeststhe minimum information necessary to makethe determination. However, this exceptiondoes not apply if the individual is not seekinga benefit under the plan.This exception for medical appropriatenessimpacts the second example in Title IIrules. The second example provides that aplan may condition benefits under a diseasemanagement program when an individualshows that he/she is eligible for the diseasemanagement program, even if such showinginvolves genetic information. However, thegenetic information can only be used to makea determination that the disease managementprogram is medically appropriate for theindividual.Although these two examples appear similar,the difference appears to be that in the firstexample, the plan is automatically determiningwho is eligible (which violates theunderwriting prohibition); but in the secondexample, the individual must formally applyfor participation in the disease managementprogram, and if the individual is refusedparticipation, he/she can submit geneticinformation to prove eligibility. However,such a distinction cuts a fine line.Keep in mind, these two examples apply toinsurers under Title I. Employers can offera disease management program as long asthe program is available both to those whoare genetically susceptible and those whoselifestyles make them susceptible.Employer action itemsThere are general steps that most employerscan take, although specific questions shouldbe referred to counsel. Verify your insurancecarrier is compliant.n Do not request, require, or acquire/purchasegenetic information about your employees,applicants, or their family members.n If you do request medical information,please indicate that genetic informationshould not be included each time thatmedical information is requested (and usethe safe harbor language above).Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgn If you do need genetic information, pleasekeep the files completely separate anddesignate who should have access tothat file.n If you inadvertently acquire geneticinformation when requesting medicalinformation from a provider, even afteryou request that none be sent, keep itseparated and secured as referenced above(and make no decisions based on geneticinformation).n Post the new EEOC poster as required.n Train your employees about GINA,especially management.More information is available athttp://www.federalregister.gov/articles/2010/11/09/2010-28011/regulations-under-the-genetic-informationnondiscrimination-act-of-2008#p-259.nThese views are solely those of the author, not myemployer’s or my family’s, and should never beused as legal advice. Before acting or not actingon any information provided in this article,readers should perform their own research orseek appropriate legal counsel.1. National Human Genetic Research Institute: Genetic Discrimination:NHGRI Interest in Genetic NonDiscrimination Legislation: Concernsand Activities. Available at http://www.genome.gov/10002077#al-3(last updated September 21, 2009).2. David Resnick: GINA — A Big Step Toward Personalized Medicine.Mass Tech High, The Journal of New England Technology. August 22,2008.3. Norman-Bloodsaw v. Lawrence Berkeley Laboratory (135 F.3d 1260,1269 (9th Cir. 1998)4. 29 C.F.R. 1635.8(b)(1)(i)(B)

New HCCA MembersAlabaman Charlene Cantrell, The Outsource Groupn Elizabeth Conklin, Roman Medical Groupn Kelli Fleming, Burr & Forman LLPn Terrye Liles, RCHP-Florence LLCn Heather Mitchell, Medical Westn Shunda Threat, Children’s Health Systemsn Amy M. Yearwood, Cullman Regional Med CtrAlaskan Thomas Clifton, Alaska Billing ServicesArizonan Robert Cartia, Verde Valley Guidance Clinicn RoseAnn Garcia, Cobre Valley Regional MedCentern Bradley M. Head, Comm Coun Cntrsn Diane Lindquistn Chris L. Meyers, Cobius Healthcare Solutionsn Georgeta E. Mihailovici, Take Care HealthArkansasn Paula Archer, Univ of Arkansas for MedicalSciencesCalifornian Mary Carter Andrues, Arent Fox LLPn Ketan Bhavan, Genentechn Shanley Curran, Cedar Sinai Medical Centern Randy DeBoer, Kaiser Permanente NorthernCalifornian Jennifer Del Villar, GEMCare Health Plan Incn Eileen Eitel, Kaiser Permanenten Nancy Graves, Kaiser Hospitaln Mari Hallex, PulmoCare Respiratory Services, Incn Veronica R. Harris, Kaiser Permanenten Lynda Hughes, Shasta County Mental Healthn Stacy Kusumolkul, Childrens Hospital Los Angelesn Kira B. Kwan, North East Medical Servicesn Marsha Lambert, AccentCaren Ellen Lingar, Univ of California San Franciscon Audrey Mauduit, Saint Louise Regional Hospitaln Jennifer McAleer, Unity Care Group, Inc.n Liatrice S. McFadden, Kaiser Permanenten Rachel McMullin, Kaiser South San Franciscon Brittany L. Miner, Sutter Healthn Carol Pae, Childrens Hospital of Los Angelesn Deborah Pirillo, Valley MRI Centern Mark Rapanut, Kaiser Permanente San JoseMedical Centern Veronica Richardson, L.A. Care Health Plann Michele C. Robinson, Kaiser Permanenten Catherine Sabherwal, Kaiser Permanenten Luiza Tiratsuyan, Kaiser Permanenten Minh Tran, County of Napan Karen M. Underwood, Kaiser Permanenten Joeal Venkatesan, Community Medical CentersColoradon David Friedensonn LaRue Leffingwell, Northeast BehavioralHealth Partnershipn Amalia Maloney, Sorin Group USA, Inc.n Tammie E. Pryor, Memorial Health Systemn Denna Williamson, Team Select Home CareConnecticutn Jennifer L. Bourne, Transgenomicn Tammy Cahill, Freedom Disabilityn Anthony Mio, Stamford Hospitaln Jaime M. Saneca, Saint Raphael Healthcare Systn Jennifer Sutera, Yale New Haven Health Systemn Katharine D. Whiteside, Saint RaphaelHealthcare SystemFloridan Rory E. Brecker, Miami Children’s Hospitaln Jeff Durham, BayCare Health Systemn Annette Gerulski, MedFin Billingn Anthea Greaves, Broward General Medical Ctrn Kathleen M. Hansen, Consultantn Anita Henderson-Sumpter, AmericanAssociation of Clinical Endocrinologistsn Christina L. Jackson, Office of ResearchAdmin/Florida Hospitaln M. Alexandra Johnson, Coleman ConsultingGroup, Inc.n Lidya Lobeto, Miami Jewish Health Systemn Esther Sapayon Dawn Shanahan, Florida Gulf To BayAnesthesian Holly Torina, Connextions, Inc.n Susan Wagner, Cardinal Health Pharmacy SolutionsGeorgian Sharon Allred, LW Consultingn Margaret Callender, Kaiser Permanenten Joan Hudson, Wellington Healthcaren Tricia Lopez-Dobie, Kaiser Permanenten Nicole H. Martin, Kaiser Permanenten Bellinger P. Moody, Medac, Incn Tracy Pope, Gates Mooren Charlene Roberts, Children’s Healthcare of Atlantan April M. White, White’s PediatricsIdahon Cynthie Vialpando, St Luke’s Health SystemIllinoisn Cheryl Dillon, Upstairs Solutionsn Anthony J. DiMaio, Univ of Chicago Medical Ctrn Andrea L. Halley, Hopedale Medical Complexn Julie Katichn Teri Morris, HSHS Medical Groupn Jennifer L. Trajkovski, Deloitten Christy K. Williams, Logan Primary CareHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgIndianan Peggy Rupp, Dekalb Memorial Hospitaln Jeanne Sexton, St Vincent Healthn Justin Taylor, AIT LabsIowan Jacqueline Dawley, Winneshiek Medical Centern Craig M. Freeman, Boone County HospitalKansasn Linda K. DeLozier, Cushing Memorial Hospitaln Sue Johnson, Clinical Reference Laboratory Incn Sheree Marzka, ValueOptionsn Jennifer Melton, Clinical Reference Laboratory, Inc.Kentuckyn Dana Burba, Burba & Company PSCn Rene Goodwin, Humana Incn Mark W. Ianke, Humana Incn Laura W. Kinder, Firstsource Solutions USAn Jamie L. Patrick, Univ of Louisvillen Carol Perkins, Humana Incn Pam Rudell, Humana Incn James S. Theiss, Humana IncLouisianan Margie Bourgeois, Morehouse General Hospitaln Barbara Collura, Ochsner Health SystemMainen Thomas Sahrmann, New England Life Care, Inc.Marylandn Lisa Badie, Kennedy Krieger Instituten Shane Campbell, Maxim Healthcare ServicesMassachusettsn Elizabeth Chevrevski, Caritas Christi Health Caren Carolyn Czopor, Caritas Christi Health Care Systn Anthony DiBonan Mary Beth McKinnon, Boston Scientific Corpn Jodie Medeiros, Caritas Christi Health Caren Audrey SamaraMichigann Neal Cooper, Clark Hill PLCn Debbie L. Dutcher, Spectrum Healthn Lori Gibson, Spectrum Health Continuing Caren Tony Mira, Anesthesia Business Consultantsn Linda T. Prister, Dearborn Sugery Centern Maureen A. Sielinski, St Mary’s of MichiganMinnesotan Sean Bailey, Prime Therapeuticsn Trish Fleischhacker, Medtronicn Barbara D. Graham, Olmsted Medical Centern Melissa M. Hunt, Prime Therapeuticsn Juli Jordan, Health East Care Systemn Stephanie J. Kravetz49March 2011

New Members ...continued from page 49March 201150Minnesota (continued)n Niki Jo Kurtis, Prime Therapeuticsn Kyle Verley, Prime Therapeuticsn Lisa Vonderharr, Prime TherapeuticsMissourin Daniel L. Berry, Southeast Missouri Hospn Brian W. Deutschmann, Centene Corporationn Marilyn Fowlern Faye E. Griffinn Laura K. Hartsock, St Johns Health Systemn Teresa L. Knox, St Johns Health Systemn Jaimi Lafollette, St Johns Hospitaln Barb Puleo, Advanced Pain Centersn Dana J. Quinn, St Louis Connect Caren Neelam Rana, Northwest Health Services, Inc.n Danielle Solomon, St Luke’s HospitalMontanan Linda Jewell Masin, Eastern Radiological AssociatesNew Jerseyn David Bocian, The Cooper Health Systemn Tracey Hyman, Atlanticare Health SystemNew Mexicon Debbie Packard, Jemez Health & Human Srvsn Susan Welker, UNM Medical Group, Incn Margaret A White, ABQ Health PartnersNew Yorkn Regina Alvarado, Bayer HealthCare Diabetes Caren Peter Avellino, Accounting ManagementSolutions, Inc.n Christina Coiro, NYC Health & Hospitals Corpn Lisa Corrigan, DePauln Stephanie Epstein, Apex Laboratory, Inc.n Laurie Fuentes, EHITn Yumiko Fukuda, APICHAn Colleen Gough, Summit Educ Resources, Inc.n Michelle Mignano, County of Onondagan Patricia Nervina, United Health Servicesn Cynthia L Palka, Evolution Consulting OIGCompliance NOWn Bonnie Pecka, Health Care ComplianceEnterprise, LLCn Brad A. Potter, Catholic Charities of Oneida &Madison Countiesn Monica Sharlow, Med Best Medical Mgmt Incn Cynthia Smith, Julia Dyckman Anders MemorialNorth Carolinan Martha Everette, Boice-Willis Clinicn Dalizza Marques, Central Carolina Hospitaln Cindy K. Munson Marsh, Marsh Law Firmn Natalie C. Sharpe, Comm Home Care & Hospicen Furman Walker, Lash Groupn Rebecca Wood, Charlotte Radiology, PANorth Dakotan Jeanne Narum, Noridian Administrative ServicesOhion David B. Amerine, Buckeye CommunityHealth Plann Tiffany Beaumont, Deloitte & Touche LLPn Earlene Christensen, Fayette County MemorialHospitaln Amanda Lenhard, Community Hospitalistsn Joshua Malone, The Christ Hospitaln Kelly Martinelli, Radisphere NationalRadiology Groupn Nancy J. Norbo, Lake Hospital Systemn Andre Perrotta, Advocate Radiology Billingn Marisa M. Scimone, Community Hospitalistsn Scott Seidelmann, Radisphere NationalRadiology Groupn Teri Yates, Radisphere National Radiology GroupOklahoman Charity Robinson, Feetplus LLCn Lisa A. Warren, CompONE Servicesn Andy Wirth, Oklahoma Heart HospitalOregonn Dick Sabath, Agate HealthcarePennsylvanian James Caponi, UHS of Delaware, Inc.n Sherry DeFilippis, Jack Gold SurgicalAppliancesn Kevin C. Flynn, Risk Compliance PerformanceSolutions, LLCn Rhonda Greenblattn Susan M. Heldn D Scott Jones, AHPISn Michelle Matricardin Michael J. Shaw, Fairmount Long Term Care/PNHPuerto Ricon Angel R. Tirado-Morales, Triple-S, IncSouth Dakotan Debra Aman, Sunrise Senior LivingTennesseen Nathan Begani, Simplex Healthcaren Blayne Burns, Health Choice, LLCn Stacey M. Crudup, High Point Health Systemn Jennifer I. Hammonds, Pro Claim AMSn Amanda E. Hood, Simplex Healthcaren Raymond Jacobs, Verisys Corporationn Paige B. Jones, MTPSn Sherry L. Lawson, Cumberland Medical Centern Andrea Lucadon Karen B. McBrien, Vanderbilt Univ Med Ctrn Derek Price, BCBS of TennesseeHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgn Kathy M. Smith, Mountain Youth Academyn Carole D Young, Vanderbilt Univ Med CtrTexasn Kathryn Austin, TMHPOn Susanne Burton, Burton Law Firmn Tarrin L. Degrate, Parkland Health & HospitalSystemn Margaret Drakeley, KelseyCare Advantagen Joy Eckhardt, Children’s Medical Centern Shelia L. Elliott, Parkland Health & HospitalSystemn Marta Genthon, Cole Healthcare Servicesn Cindy Godfreyn Victoria Gonzales, CGI Technologiesn Cathy A. Haliburton, Parkland Hospitaln Ester Jayme, AMN Healthcaren Christopher D. Lewis, Christopher D LewisPLLCn Patricia T. McClelland, South Texas Healthn Ken Murphy, Orthofix Incn Martha Owens, The Methodist Hospitaln Annette Rangel, Parkland Hospitaln Mary Sheppard, Bethany Home Healthn Suzanne Smith, Dallas Nephrology Associatesn Vernell M. Sparks, Parkland Health & HospitalSystemn Ashleigh Wiswell, Moore County HospitalDistrictUtahn Jeremy Ketchum, Molina HealthCare Utahn Lorinda A. Linthicum, Verisys Corporationn Jonathon Thompson, IntermountainHealthcareVirginian Kenneth Coronel, Verisys Corporationn Kitty E. Lee, Valley Healthn James Stratoudakis, Fairfax-Falls Church CSBn Meg Tucker, Bon Secours VirginiaHealthSourcen Aaron D. Yarborough, Virginia Premier HealthPlan IncWashingtonn Sharon Anderson, Providence Health &Servicesn Lisa Norton, Valley General Hospitaln Vicki Osburn, Providence Health & Servicesn Shauna Van Dongen, Providence Health &ServicesWisconsinn Dawn Krautkramer, Advanced PainManagementn Sarah Molenkamp, Bupa Latin America n

Lifting the Burden of Hospital AuditsWith the success of the Medicare RAC program, the number of hospital audits by government and private insurershas soared. Streamline Health’s AuditACE is helping Children’s National meet this challenge and successfullycomply with more than 800 audits per month.A Step Ahead of Audit Compliance(left to right) Linda Metro, RHIA, HIM Director, Children’s National; Julie Roby, Director,Business Operations, Children’s National; Sandra Walter, Corporate Compliance Officer,Children’s National; Mary Daymont, MSN, RN, CCM, CPUR, Executive Director, ClinicalResource Management, Children’s National.Streamline Health’s AuditACE is a suite of flexible audit management workflows that ensures compliance and minimizes audit recovery risks to Medicare, Medicaid,and other payer reimbursements across the enterprise.Key Benefits of Audit Compliance for the Enterprise• Enterprise-wide cash flow risk mitigation; On time, accurate and complete responses; Improved appeal ratios and reduced costs• Flexible workflow-engine driven to meet your unique process and future needs for audit expansion• Proactive recovery prevention reports and analyticsVisit Streamline Health ‘s Booth #512/514 at the Health Care Compliance Institute 2011 Annual Conference for a product demonstration of AuditACE.For more information about the rapid, four-month implementation and the speed to value results Children’s National obtained,visit www.streamlinehealth.net/AuditACEwhitepaper.htmlHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgContact Streamline Health today at 866-639-SLH1 or email: marketing@streamlinehealth.net©2011 Streamline Health Solutions, Inc. All rights reserved. www.streamlinehealth.net51March 2011

REGISTER IN MARCH AND RECEIVE THE BOOKMONITORING & AUDITINGPRACTICES FOR EFFECTIVECOMPLIANCEHCCA’S 15 th AnnualCOMPLIANCE INSTITUTEApril 10–13, 2011 * Orlando, FLThe Walt Disney World Swan and Dolphin ResortGENERAL SESSION HIGHLIGHTSAUDREY T. ANDREWSChief Compliance OfficerTenet Healthcare CorporationKIMBERLY BRANDTChief Healthcare Investigative Counsel for SenateFinance Committee Republican Staff, US SenateJOHN C. FALCETANOChief Audit & Compliance OfficerUniversity Health Systems of Eastern CarolinaODELL GUYTONSenior Corporate Attorney, Director of ComplianceMicrosoft CorporationDANIEL R. LEVINSONInspector General, Offi ce of Inspector General, U.S.Department of Health and Human ServicesDAVID B. ORBUCHChief Compliance OfficerOvationsJAMES STEWARTEditor-at-Large, SmartMoney; Columnist, The Wall StreetJournal; Best-Selling Author and Pulitzer Prize WinnerDEBBIE TROKLUSAssistant Vice President ComplianceUniversity of Louisville HSCTAKE THESE CERTIFICATION EXAMSAT THE COMPLIANCE INSTITUTE(CHC) Certified in Health Care Compliance –OR–(CHPC) Certified in Health Care Privacy ComplianceWednesday, April 13, 2011 | 2:00 – 4:00 PMSessions marked in the brochure with CHPC or CHCmay be helpful.Continuing edication credits are available; visit:www.hcca-info.org/ceu for more information.REGISTER AT WWW.COMPLIANCE-INSTITUTE.ORG