the Co-chairs of HCCA's Upper North East - Health Care ...

7 Steps to InvestigateAlleged EmployeeMisconduct– Now including: Writing ComprehensiveInvestigative Reports!2011Seminar SeriesJoin us for our highly interactive,step-by-step seminar to learn practicalskills for how to investigate and documentallegations of compliance violations, fraud,harassment, discrimination, theft andother employee misconduct.For details, visit:www.globalcompliance.com/seminarCourse OverviewYou are assigned to conduct an internal investigation. The facts areunclear and you are not sure who is telling the truth — yet you mustreach a conclusion. In this hands-on seminar, you will learn practical skillsfor investigating alleged misconduct and ways to balance the rights ofthe complainant and the accused while protecting the interests of yourorganization. Plus, you will learn how to minimize administrative burdenwhile writing effective investigative reports.In this two-day workshop, you will learn:• How to strategically investigate “he said/she said” allegations wherethere are no eyewitnesses• How to interview witnesses using a specific method that enablesyou to gather all relevant information• How the laws have changed regarding investigations(e.g.— is it lawful to use social media in your investigation?)• Techniques and questioning strategies you can use to determinewhether a witness is lying• The rules for searching an employee’s workspace, computer orpersonal belongings• The appropriate standard of proof for imposing discipline• What to include and not include in the report• How to properly document credibility determinations and compile exhibits• Privilege and confidentiality designations and who should see the report• What documents to retain in the investigative fileContinuing Education CreditApplications have been filed with the Society of Corporate Complianceand Ethics (SCCE) for the in-person sessions*, the 7 Steps Webinar hasbeen approved for 6.9 units and the Report Writing Webinar has beenapproved for 3.3 continuing education units toward Certified Complianceand Ethics Professional (CCEP) credit. Multiple state bar associationshave approved our Investigation and Report Writing Seminar forContinuing Legal Education (CLE) credit.2011 Dates and LocationsMay 4–5 ............................. New YorkMay 11–12 .................. Washington, DCJune 1–2 .............................. ChicagoJune 9–10 .............................. AtlantaJune 15–16 ...................... Hartford, CTSeptember 21–22 .................. HoustonOctober 5–6 ......................... ChicagoOctober 12–13 ......................... DallasOctober 19–20 ..................... New YorkNovember 2–3 ................. Los AngelesWebinarsFor the webinars, the Investigations andReporting Writing classes will be offeredseparately.May 18–19:May 25:October 26–27:November 1:December 7–8:December 14:7 Steps to InvestigateAlleged EmployeeMisconductWriting ComprehensiveInvestigative Reports7 Steps to InvestigateAlleged EmployeeMisconductWriting ComprehensiveInvestigative Reports7 Steps to InvestigateAlleged EmployeeMisconductWriting ComprehensiveInvestigative ReportsMay 2011*Our website will be updated when approval is receivedView a detailed course outline,watch a video clip of the seminar, or register atwww.globalcompliance.com/seminar2Phone: 800-443-9037 • E-mail: Health seminars@globalcompliance.comCare Compliance Association • 888-580-8373 • www.hcca-info.org

Publisher:Health Care Compliance Association, 888-580-8373Executive Editor:Roy Snell, CEO, roy.snell@hcca-info.orgContributing Editor:Gabriel Imperato, Esq., CHCEditor:Margaret R. Dragon, 781-593-4924, margaret.dragon@hcca-info.orgCopy Editor:Patricia Mees, CHC, CCEP, 888-580-8373, patricia.mees@hcca-info.orgLayout and Production Manager:Gary DeVaan, 888-580-8373, gary.devaan@hcca-info.orgHCCA Officers:Frank Sheeder, JD, CCEPHCCA PresidentAttorney at LawJones DayShawn Y. DeGroot, CHC-F, CHRC, CCEPHCCA Vice PresidentVice President Of Corporate ResponsibilityRegional HealthJohn Falcetano,CHC-F, CIA, CCEP-F, CHRC, CHPCHCCA Second Vice PresidentChief Audit/Compliance OfficerUniversity Health Systems of Eastern CarolinaGabriel L. ImperatoHCCA TreasurerManaging PartnerBroad and CasselSara Kay Wheeler, JDHCCA SecretaryPartner–AttorneyKing & SpaldingSheryl Vacca, CHC-F, CHRC, CCEP, CHPCNon-Officer Board MemberSenior Vice President/Chief Complianceand Audit ServicesUniversity of CaliforniaJenny O’Brien, JD, CHC, CHPCHCCA Immediate Past PresidentUnitedHealthcare Medicare & RetirementChief Medicare Compliance OfficerCEO/Executive Director:Roy Snell, CHC, CCEP-FHealth Care Compliance AssociationCounsel:Keith Halleland, Esq.Halleland Habicht PABoard of Directors:Urton Anderson, PhD, CCEPChair, Department of Accounting andClark W. Thompson Jr. Professor inAccounting EducationMcCombs School of BusinessUniversity of TexasDeann M. Baker, CHC, CCEP, CHRCChief Corporate Compliance OfficerCorporate Compliance & Integrity ServicesAlaska Native Tribal Health ConsortiumCatherine Boerner, JD, CHCPresidentBoerner Consulting, LLCJulene Brown, RN, MSN, CHC, CPCEssentia Health West RegionRegional Compliance DirectorOrganizational Integrity and ComplianceBrian Flood, JD, CHC, CIG, AHFI, CFSNational Managing DirectorKPMG LLPMargaret Hambleton, MBA, CPHRM, CHCSenior Vice PresidentMinistry Integrity, Chief Compliance OfficerSt. Joseph Health SystemRobert A. HussarSenior Manager, Forensic and Dispute ServicesDeloitte Financial Advisory ServicesRobert H. OssoffAssistant Vice-Chancellor for Compliance &Corporate IntegrityVanderbilt University Medical CenterDaniel Roach. JDVice President, Compliance and AuditCatholic Healthcare WestMatthew F. Tormey, JD, CHCVice PresidentCompliance, Internal Audit, and SecurityHealth Management AssociatesDebbie Troklus,CHC-F, CCEP-F, CHRC, CHPCAssistant Vice Presidentfor Health Affairs/ComplianceUniversity of LouisvilleCompliance Today (CT) (ISSN 1523-8466) is published by the Health CareCompliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN55435. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send addresschanges to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435.Copyright 2011 Health Care Compliance Association. All rights reserved. Printed inthe USA. Except where specifically encouraged, no part of this publication may bereproduced, in any form or by any means without prior written consent of the HCCA.For Advertising rates, call Margaret Dragon at 781-593-4924. Send press releases toM. Dragon, 41 Valley Road, Nahant, MA 01908. Opinions expressed are not those ofthis publication or the HCCA. Mention of products and services does not constituteendorsement. Neither the HCCA nor CT is engaged in rendering legal or otherprofessional services. If such assistance is needed, readers should consult professionalcounsel or other professional advisors for specific legal or ethical questions.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgINSIDE4 Integration of policies and procedures: Documentation ofanother kind By Janet MarcusWritten standards promote consistency and are the foundation oftraining, auditing, and other compliance functions.6 CEU: CMS shifts from “pay and chase” to proactive fraudprevention By Anna M. Grizzle and Krista L. CooperProviders should proceed with caution when enrolling orre-enrolling in federal health care programs.13 Meet the Co-chairs of HCCA’s Upper North East RegionalConference, Caron Cullen and Eric SandhusenAn interview by Roy Snell16 Letter from the CEO By Roy SnellObservations on Governance, Risk, and Compliance19 Social Networking By John FalcetanoAccreditation of psychiatric hospitals19 People on the Move20 ICD-10 readiness and implementation: The clock isticking! By Gloryanne BryantGap analysis and assessments of key work streams will be criticalin the initial phase of this huge initiative.21 Newly Certified CHCs, CHRCs, and CHPCs22 CEU: Auditing services for Medicare patients enrolled inclinical trials By Deborah JohnsonDrug and device trials must follow strict policies forreimbursement of costs associated with the trial.28 Feature Focus: What your board needs to know aboutcompliance and ethics By Frank J. NavranIf your board members are comfortable with rationalizations, it’stime for board ethics training.32 CEU: Compliance issues in hospice and the risks ofmarketing in 2011 By Deborah A. RandallGreater enforcement efforts can be expected if hospice marketingleads to kickbacks or other fraudulent behavior.36 Mentoring: Opportunities and challenges By Danna TeicheiraKnowing what is needed and setting good boundaries will helpboth the mentor and the mentee grow professionally.39 Requests for information: Don’t let PHI includeprosecution and incarceration! By Larry LevineUsing three simple forms can streamline the task and help preventimproper disclosures.42 Cold calls, hot lines: DMEPOS telemarketing andbeneficiary contact By Nathaniel Lacktman and Heidi SorensenGuidance from CMS and OIG differs on what constitutesunsolicited contact of Medicare beneficiaries.46 Face-to-face encounter required for home health andhospice By Whitney Magee Phelps, Francis J. Serbaroli,Nancy Taylor, and Alex T. ParadisoFailure to comply with the new regulations may have seriousconsequences for providers.48 Exhale By Shawn DeGrootConcentrating on music leads to relaxation and productivity.51 Evaluating a safe harbor strategy for patient privacyBy Mac McMillanNine steps to ensure that you are protecting PHI from data breaches.56 Compliance with Stark Phase III: Algorithm and outlineBy Denise A. AtwoodA quick reference guide to the physician self-referral rules.58 New HCCA Members3May 2011

May 20114Integration of policiesand procedures:Documentation ofanother kindBy Janet Marcus, CPCEditor’s note: Janet Marcus is Director of Quality P&Ps can serve as a foundation forRevenue Cycle Services at Sinaiko Healthcare workflow processes, and they also remind staffConsulting, one of the nation’s leading independent of the do’s and don’ts of their everyday tasks.health care management consulting firms, in Los Staff often appreciate the guidelines presentedAngeles. She works with health care organizationsnationwide on a diverse range of compli-uniformity and consistency in workflowin a P&P. The details in a P&P can promoteance issues. Janet may be contacted by e-mail at processes and staff accountability. P&Ps canjanet.marcus@sinaiko.com.also play a role in training staff and in supportingquality reviews of their work product.All health care entities are strongly In addition, most internal and external auditsencouraged to implement policies include a review of existing policies andand procedures (P&P). Sometimes procedures. For example, a P&P that identifieswho in an organization is authorized tothe maintenance of P&Ps can be viewed as justanother task on the long To Do list. However, assign service and diagnosis codes—and morewhen P&Ps are updated and relevant to the importantly, who is not authorized—could beentity’s processes, they can have a valuable reviewed as part of a charge capture, coding,impact on patient care, management, staff, and and/or revenue cycle review process.the overall stability of the health care entity.Active use of P&Ps not only indicates a desire Examples of common areas addressed in P&Psto adhere to industry standards and guidelines, A wide range of areas can be addressed inbut also supports sound business practices. P&Ps. A large medical center or medical groupmay have more than one hundred policies, butImportance of policies and procedures a small physician office may have only twentyfive.When evaluating their inventory of P&Ps,As far back as February 1998, the FederalRegister published The Office of Inspector the health care entity will want to have generalGeneral’s (OIG) Compliance Program Guidancefor Hospitals. 1 And in October 2000, P&Ps, because both are necessary to supportcompliance policies as well as business-specificthe Federal Register published Compliance an effective compliance program. Table 1Program for Individual and Small Group outlines a sample list of policies a health carePhysician Practices. 2 Both publications containreferences to components of an effectiveentity should have.compliance program, and one of those componentsis the implementation of compliance for all your P&Ps. Although Table 1 is aIt is a good idea to maintain a table of contentspractice standards through the development sampling of some of the standard or typicalof written standards and procedures.policies employed by health care entities, weHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgfind that entities create policies that are uniqueto their practice, which we encourage. Forexample, certain policies utilized by an ambulatorysurgical center may not be applicable toa billing company, and vice versa. The policiesshould be tailored to fit your organization andto work for your staff so that the policies aremeaningful and practical.P&P contentP&Ps generally include content such as thepurpose of the policy. For example, commonphrases you may see are: “to ensure the accuracyof” and/or “to promote consistent, timelyprocessing of.” Another specific example for anInsurance Identification and Verification policypurpose statement may read as follows:In conjunction with the pre-registration,emergency admit, and direct admissionprocesses, the Insurance VerificationRepresentative shall validate patient insurancecoverage and limitations on services.By initiating this process, the InsuranceVerification Representative also identifiesthe estimated amount due from patientsso that payment can be collected fromthe patient. This will be accomplished inconjunction with established financialsponsorship policies.P&Ps may also include a statement of policy,such as who the policy is applicable to inthe organization and who is responsible toimplement and enforce it, as well as why thepolicy is important to the health care entity.Other critical data that should be included ina P&P are:n procedures to follow and/or guidelinesthat may include step-by-step actions tobe taken;n the title of the policy, policy number, dateapproved, name and signature of personwho approved the P&P; andn effective date of the policy, along with the

history of revision dates and next date thepolicy should be reviewed.It is important that P&Ps are kept current andthat they reflect existing workflow processes.It is good practice to have the employees attestTable 1: Sample List of PoliciesGeneral Compliance PoliciesComplianceCode of ConductCorporate Compliance OfficeCompliance Committee(s) Roles &ResponsibilitiesCompliance as an Element of EmployeePerformanceConflict of InterestReporting Compliance Concerns &HotlineEmployee Compliance Education andTrainingInvestigations & Corrective ActionsEmployee NoncomplianceScreening for Excluded PartiesCompliance Auditing & MonitoringCompliance Investigations Appeals ProcessNon-Retaliation Whistleblower ProtectionRecord RetentionResponse to Government InvestigationsPrivacyPrivacy ManualVerification of IdentityBusiness Associate AgreementsDisclosure of Protected HealthInformation (PHI)SecuritySecurity of Electronic Health RecordsSecurity ViolationsRemote Access to SystemsAccess Monitoring and Follow-upElectronic CommunicationsWorkstation SecurityPasswordsto the fact that they have read, understood,and will follow the guidelines outlined inthe P&Ps. Health care organizations canapproach the development and maintenanceof P&Ps in a variety of ways. A committeeor team approach is common, which oftenBusiness-specific PoliciesMedical ManagementManagement of Controlled SubstancesPrescription RequestsMedical Device RecallFinancial ManagementMonth-end CloseInternal Controls for Charges & PaymentsTime of Service Payment CollectionPatient Administrative ServicesInsurance Coverage WaiverAssignment of BenefitsNew Patient ArrivalBusiness Office (Coding, Billing &Collections)Write-offsRefundsCharge CorrectionMedical RecordsPhysician Signature LogEmployee Medical RecordsDocument StorageClinical CareConsent for TreatmentReview of Test ResultsProvider-Patient Relationship Terminationincludes leaders from the area of operationsbeing addressed, a compliance representative,clinical and legal representation as necessary,and sometimes outside support is added tocollaborate, facilitate, and share their industryexpertise in this area.Annual compliance training anddepartment-specific P&POn-going employee education on federal andstate health care laws and regulations is essentialto optimal operational performance andcompliant processes. All employees shouldreceive mandatory general compliance andprivacy training annually, with updates whenthere are changes to P&P or regulations. Inaddition, it is essential to update trainingmaterials at least annually so the trainingdoes not become routine and ineffective, andto ensure the content is relevant and up todate with the applicable rules, contract terms,laws, and regulations. Training may be givenin any medium including, but not limited to:n in-person, live sessionsn teleconference and webinarsn electronic independent studyn hard copy independent studyn previously taped audio/video conferencesAdult learning studies indicate employeeretention is higher when the information ispresented interactively and using case studieswith discussion. This is the preferred method;however, the size of your organization willoften drive the education strategy.Health care providers and entities whodevelop, implement, train, and maintainmeaningful P&Ps are demonstrating that theyare serious about following industry standardsand guidelines and conducting business in acompliant manner. n1 Available at http://oig.hhs.gov/authorities/docs/cpghosp.pdf2 Available at http://oig.hhs.gov/authorities/docs/physician.pdfHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org5May 2011

CMS shifts from“pay and chase”to proactive fraudpreventionBy Anna M. Grizzle, Esq. and Krista L. Cooper, Esq.Editor’s note: Anna M. Grizzle is a Partner in The final rule provides a greater ability toBass, Berry & Sims’ Healthcare and Litigationpractice areas, specializing in health care enhances the requirements for providersimpose payment suspensions as well ascompliance, investigations, and litigation enrolling and re-enrolling in the Medicarematters. Anna may be contacted in Nashville program, state Medicaid programs, andby telephone at 615/742-7732 or by e-mail at CHIP. Through these changes, CMS nowagrizzle@bassberry.com.has greater flexibility to prevent entities intenton defrauding Medicare, Medicaid, andKrista L. Cooper is an Associate in Bass, Berry CHIP from accessing the programs, as well& Sims’ Healthcare Regulatory practice area, as creating a faster, less-burdensome methodspecializing in health care transactional and to quickly stop payments to individualsoperational matters. Krista may be contacted by and entities thought to be engaged intelephone in Nashville at 615/742-7734 or by fraud, waste, and abuse. As with manye-mail at kcooper@bassberry.com.other reforms, a significant result of themore stringent process is the imposition ofThe Centers for Medicare and potentially significant administrative burdensMedicaid Services (CMS) published and additional costs on legitimate health carea final rule 1 (hereinafter referred to service providers. To minimize the financialas the final rule) in the Federal Register, effectiveMarch 23, 2011. It implements certain announced changes, providers shouldand business risks associated with the recentlyprovisions of the Patient Protection and educate themselves and their staff on the newAffordable Care Act (ACA), which requires requirements, and plan strategically for anyCMS and state Medicaid agencies to combat upcoming enrollment events.fraud and more closely monitor enrollmentin the Medicare, Medicaid, and Children’s Payment suspensionHealth Insurance Program (CHIP) programs. The final rule broadly expands the ability ofThe final rule represents a monumental shift CMS, Medicare Administrative Contractorsfrom “pay and chase” to proactive fraud (MACs), and state Medicaid agencies toprevention. This shift could have significant suspend payments to Medicare, Medicaid,negative financial implications for providers and CHIP providers and suppliers (hereafterwho unwittingly find themselves under investigationor who have failed to adequately case of suspected fraud. This expansion is acollectively referred to as “providers”) in theprepare for CMS’ expanded focus on enrollmentrequirements.shift towards a less stringent burden for thegovernment.Specifically, the final rule allows the U.S.Department of Health and Human Services(HHS), in consultation with the HHS Officeof Inspector General (OIG), to suspendMedicare payments “pending an investigationof a credible allegation of fraud” unlessthe Secretary determines that there is goodcause not to suspend payments. 2 Further, thefinal rule prohibits the payment of FederalFinancial Participation (i.e., certain Medicaidsupport payments) for items or servicesfurnished while an investigation of a credibleallegation of fraud is pending, unless thestate Medicaid agency determines that thereis good cause not to suspend payments. Thesuspension of payment is not limited to thefunds at issue based on a particular allegation,but rather extends to all payments owed bythe agency to a provider.Medicare programPrevious regulations allowed CMS to suspendpayments to providers for up to 18 monthsbased on having “reliable information” thatthere has been an overpayment, fraud, or willfulmisrepresentation, or reliable informationthat payments may not be correct. 3 The finalrule, however, relaxes the standard by requiringonly a “credible allegation of fraud.”The final rule states that allegations areconsidered to be credible when they have“indicia of reliability,” but that term is notdefined. Rather, the reliability of an allegationis, according to CMS, a process that willoccur on a case-by-case basis in consultationwith the OIG. CMS specifies, however,that a credible allegation of fraud can comefrom almost any source, so long as it has anindicia of reliability. These sources includefraud hotline complaints, claims data mining,patterns identified through provider audits,civil false claims cases and law enforcementinvestigations.May 20116Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

CMS shifts from “pay and chase” to proactive fraud prevention ...continued from page 7May 20118provider community in circumstances ofpayment suspension, CMS admits that thestandards for payment suspension have beenreduced. This reduced standard potentiallysubjects more providers to significant financialrisk during a payment suspension, even ifthey prevail on the claims at issue.The uncertainty of the application ofthe payment suspension rules also raisesconcerns. Exactly how CMS and state Medicaidagencies will exercise their discretionto impose payment suspension remains tobe seen. The final rule did not provide clearguidance on when payment suspensionshould be used, nor did it provide definitionsof the terms used to describe whenpayment suspension should be imposed.Because CMS left itself the flexibility todecide whether a payment suspension isappropriate on a case-by-case basis, theprovider community must adopt a watchfulwaiting position until a sufficient volumeof suspensions permits further meaningfulassessment, or until CMS releases additionalguidance.In light of the significant potential negativeimpact of a payment suspension, providersshould redouble their efforts to ensure thatthey have effective compliance programs inplace. Providers should immediately respondto any reports of potential non-complianceby investigating and taking corrective action,as necessary. If the provider believes that anoverpayment situation has arisen, it shouldpromptly repay the funds at issue.Additionally, if faced with allegations offraud, waste, abuse, or direct threats of possiblepayment suspension, providers shouldimmediately consult legal counsel whilemaintaining a cooperative tone with regulators.In consultation with counsel, providersshould quickly submit a rebuttal letter as wellas any requested records or information assoon as practicable.Screening standardsIn addition to the payment suspensionregulations, the final rule continues toprovide means for CMS to transition from“pay and chase” to proactive fraud preventionby implementing new screening standards.The changes were meant to enhance, ratherthan replace, screening procedures that arecarried out by non-CMS entities, such as thescreening and site visits for Clinical LaboratoryImprovement Amendments laboratories.The screening standards implementation datefor newly-enrolling providers and currentlyenrolledproviders that are submitting arevalidation was March 25, 2011; the implementationdate for other currently-enrolledproviders will be March 23, 2012.Table 1: Risk Categories by Provider TypeHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgMedicare programPrior to the final rule, CMS employed severalmeasures to screen providers who were applyingto participate in the Medicare, Medicaid,and CHIP programs. Such screening measuresinclude confirming that the provider holdsand maintains all necessary state licenses,and performing site visits through privatecontractors for certain DMEPOS suppliersand independent diagnostic testing facilities.Medicare contractors also check nationaldatabases, including Social Security Administration,National Provider Identifier, OIG,and other databases to confirm the accuracyof information provided regarding certaineligible professionals, owners, authorizedofficials, and other individuals involved withMedicare providers.Under the final rule, the prior screeningmeasures will continue with enhancedmeasures added for certain types of providers.Limited Moderate High• Physician or non-physicianpractitioners (nursepractitioners, CRNAs,occupational therapists,speech/language pathologists,audiologists), medical groupsor clinics• Ambulatory surgery centers• Competitive AcquisitionProgram / Part B vendors• End stage renal diseasefacilities• Federally qualified healthcenters• Histocompatibility laboratories• Hospitals• Health programs operated byan Indian Health Program oran urban Indian organizationthat receives funding from theIndian Health Service• Mammography screeningcenters• Mass immunization rosterbillers• Organ procurementorganizations• Pharmacies newly enrolling orrevalidating via CMS-855B• Radiation therapy centers• Religious non-medicalhealth care institutions• Rural health clinics• Skilled nursing facilities• Ambulance service suppliers• Community mental healthcenters• Comprehensive outpatientrehabilitation facilities• Hospice organizations• Independent diagnostic testingfacilities• Independent clinicallaboratories• Physical therapists enrolling asindividuals or group practices• Portable x-ray suppliers• Revalidating home healthagencies• Revalidating DMEPOSsuppliers• Newly enrolling home healthagencies• Newly enrolling DMEPOSsuppliers

All providers will be assigned to a riskcategory based on provider type, and thescreening level will be based on the assignedrisk category. CMS debated the use of factors,such as geography and ownership type, in therisk assessment determination. Specifically,CMS proposed the automatic assigning of allproviders owned by publicly-traded companiesinto the limited-risk category. However,in the final rule, CMS indicates that therisk assessment will be based solely on theprovider type. The screening standards applyto new enrollments, applications for newpractice locations and applications received inresponse to a MAC request for a revalidation(see table 1 on page 8).they are generally highly dependent on federalhealth care programs to pay their salaries andother operating expenses, and are generallysubject to less government or professionaloversight than the limited risk providers.n High risk categoryProviders in the high-risk categories, whichinclude newly enrolling home health agenciesand newly enrolling DMEPOS suppliers, willbe subject to the screening requirements forthe moderate-risk category as well as subjectto criminal background checks and fingerprinting.The fingerprinting requirementwill also be extended to investors who directlyor indirectly hold more than a 5% ownershipinterest in any high-risk provider.are permitted under the new rule to relyon the results of the screening conductedby a Medicare contractor. Similarly, stateMedicaid and CHIP agencies may rely onthe screening conducted by the Medicaidand CHIP agencies in other states. 11 ForMedicaid-only or CHIP-only providers, CMSinstructs the agencies to follow the samescreening procedures as required under theMedicare program. However, state Medicaidand CHIP programs can effectively shiftproviders to higher risk categories based onthe particular state agency’s view of the fraudrisk presented by the provider. 12Enrollment feesBeginning March 25, 2011, in order to covern Limited risk categoryProviders in the limited-risk category, includingbut not limited to physicians, physiciangroups, hospitals, and ambulatory surgerycenters, will be subject to similar screeningprocedures as are required under prior regulations,including state license verification andother database checking, as well as verificationof any provider-specific requirementsestablished by Medicare. 8 In assigning theseproviders to the limited-risk category, CMSindicated that it believes these providers to presentless risk of fraud, waste, and abuse becausethese providers are generally licensed by the stateand CMS has no evidence that they pose anelevated risk to the Medicare program.In addition to categorization based on providertype, providers can also find themselves ina high-risk category based on their personalhistory. Such escalation in risk categorywill occur when a provider (or any of theprovider’s owners who hold a 5% or greaterstake) has had its Medicare billing privilegesrevoked or payments suspended in the lastten years; has been excluded by the OIG;or has been subject to a final adverse action,such as a license suspension or accreditationsuspension in the last ten years. Moreover,for entity providers, such an elevation inrisk category would subject its 5% ownersto fingerprint background checks. Elevationto the high-risk category will also occur forthe costs of enrollment screening and relatedprogram integrity activities, CMS will begincollecting a $505 application fee from institutionalapplicants. The fee will be required fornew enrollments, revalidation applications,and applications for new practice locations.In subsequent years, the fee will be adjustedby the percentage change to the consumerprice index. On a case-by-case basis, CMSmay grant hardship waivers exempting aprovider from the fee. 13Enrollment moratoriaIn addition to the enrollment screeningmeasures, the final rule provided CMS withanother tool to assist efforts to move from“pay and chase” to proactive fraud prevention.n Moderate risk categoryProviders in the moderate risk category(including, but not limited to, independentdiagnostic testing facilities), currently-enrolledhome health agencies, and hospice organizationsare subject to the screening performedon the limited-risk category with the addedscreening of unscheduled site visits. 9 CMSindicated that in assigning these providertypes to the moderate risk category, it based itsany provider whose provider type has beenunder a moratorium. Those providers willbe elevated to the high-risk category for theduration of the moratorium and a period ofsix months following the moratorium.Medicaid and CHIP programsThe new screening standards for state Medicaidand CHIP programs are substantially similarto the Medicare program. For dually-enrolledEffective May 25, 2011, when CMS identifiesa “trend that appears to be associated witha high risk of fraud, waste or abuse” (e.g., ahighly disproportionate number of providersin a category relative to the number of beneficiaries,or a significant increase in enrollmentapplications within a provider category orgeographic area), CMS now has the authorityto impose a temporary moratorium on theenrollment of new Medicare providers inassessment that they present more risk because providers, state Medicaid and CHIP programsContinued on page 11Health Care Compliance Association • 888-580-8373 • www.hcca-info.org9May 2011

ARE YOUPREPAREDFOR THERAC AUDITOR?Take control with a strong defenseThe RAC Auditors will soon be calling on your hospital. The RAC appealsprocess is very complex and missed deadlines can result in the automaticrecoupment of your legitimate revenues. To minimize your risk of financiallosses, you need to be prepared with practical, reliable processes andcontrols to ensure that critical appeals deadlines are met, with complete,substantiated information.May 201110www.compliance360.comCompliance 360 is the leader in compliance and risk management solutionsfor healthcare. More than 300 hospitals nationwide rely on us every day toensure compliance with legal and industry regulations. Using our uniquesoftware solutions, they are always “audit ready” with both proactivedefenses and the audit management tools needed to ensure successfulaudit response and appeals. We are proud to help these healthcareorganizations prevent and contain compliance sanctions and we standready to help you as well.To learn more about the Compliance 360 Claims Auditor for managingRAC audits, visit www.compliance360.com/RAC or call us at 678-992-0262NEEDS A LOHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org

featurearticleMeet the Co-chairs ofHCCA’s Upper North East Regional Conference,Caron Cullen and Eric SandhusenEditor’s note: This interview with HCCA’s 2010top Regional Conference co-chairs was conductedby Roy Snell in February 2011. Co-chair CaronCullen is the Vice President of Compliance &Regulatory Affairs at Affinity Health Plan,Bronx, New York. She may be contacted bye-mail at ccullen@affinityplan.org.Co-chair Eric Sandhusen is the Vice Presidentof Compliance & Audit at Bayonne MedicalCenter in Bayonne, New Jersey. He may becontacted by e-mail at esandhusen@bmcnj.org.Regional conferences are held in 18 cities:Anchorage: Chair Deann M. Baker, CHC, CCEPAtlanta: Co-chairs Wade Miller &Sara Kay WheelerBoston: Co-chairs Lawrence Vernaglia, JD, MPH;& Steve FriedmanColumbus, OH: Chair Lynn L. Hutt, CHCDallas: Chair David LancasterDenver: Co-chairs Jane Wingquist, MBS, MSHA;& Jeff FitzgeraldHonolulu: Co-chairs Debbie Troklus,CHC-F,CCEP-F, CHRC, CHPC; &Sheryl Vacca, CHC-F, CCEP, CHRC, CHPCIndianapolis: Chair Cynthia Pridemore, CPM,CHCLouisville: Chair Brett ShortMinneapolis: Chair Steve Bunde, CHCNashville: Chair Rebecca LovelaceNew York City:Co-chairs CaronCullen, CHC; &J. Eric Sandhusen,CPC, CHC, MPHNewport Beach, CA:Chair Dwight Claustre,CHC, CHROrlando: Co-chairsCherylGolden &Gabriel Imperato, CHCOverland Park, KS:Chair Cori TurnerPittsburgh: ChairLinda Lattner, CHC, ARM, MBA, BSNScottsdale, AZ: Chair Barbara H. Knutson,CHC, MS, RHIASeattle: Chair Ed RauziRS: Congratulations on being named thetop HCCA Regional Conference for 2010.Please tell our readers a little bit about yourselvesand how you became the co-chairsof the HCCA Upper North East RegionalConference.CC: Thank you. We are very proud of ouraccomplishment. I started going to the HCCAconferences in Boston and Baltimore becauseat the time, HCCA did not have any in NewYork City, due to low attendance in the past.I joined the Planning Committee for the NewHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgEngland Regional Conference, which gave mea great knowledge about planning a conference,and it was in Boston that I met Eric.ES: It’s a true honor to be the top RegionalConference. I was really impressed with theNew England Regional Conference, andbelieved that HCCA could do a creditableconference in New York. I had just started atColumbia University, and thought they mightprovide some support, too. Having organizedcompliance conferences in California, Ioffered to give it another try, and HCCAconnected Caron and me.RS: What do you believe accounts foryour achieving the top HCCA RegionalConference for 2010?Continued on page 1413May 2011

Meet the Co-Chairs of HCCA’s Upper North East Regional Conference, Caron Cullen and Eric Sandhusen ...continued from page 13May 201114ES: Some of our success is the region itself,which has a lot of big medical centers, consultingfirms, and a broad array of insurers,device and pharmaceutical companies, andgovernment agencies. Our challenge, ofcourse, is to bring them all together in areasof common interest.CC: I agree with Eric and I also believe thatour success is because of our great PlanningCommittee. Eric and I cannot do it alone.We are fortunate to have active members whotake the planning very seriously. Everyonewants to deliver an exceptional conferencewith a wealth of useful and practicalinformation for our compliance professionalparticipants.RS: Please tell us the names of the peopleon your Planning Committee.CC: The 2010 Planning Committeemembers include: Harry Feder from IPRO[Independent Peer Review Organization],Maria L. Rivera from NYU Langone MedicalCenter, Liza Mermegas from Atlantis HealthPlan, Christine Cox from Christine Cox& Associates, Jaime S. Pego from KPMG,and Beckie Smith from HCCA. Everyonecontributes to the overall success of theconference.RS: Do you send out a call for speakers toHCCA regional members? If not, how do youdetermine the conference topics and speakers?CC: We have not sent out a call for speakers,but we do have a system in place to decidewhat to cover.ES: The Planning Committee startsmeeting about eight months in advance toidentify what we think the hot topics will beat conference time. Then the group makessuggestions for people who can speak to theissues. We’ve been lucky to have a few regularpresenters, too, like New York State MedicaidInspector General Jim Sheehan and otherswho consistently attract an audience.CC: In addition, we pick a variety of topicsto generate interest for all types of complianceprofessionals, whether you are associated witha hospital, physician’s office, managed careorganization, or another type of provider.We also look at the external environment toinclude what is going on with the regulators,both federal and state initiatives.RS: Do you invite regional governmentand enforcement community speakers, andwhat impact do those speakers have on yourconference’s success?CC: Absolutely! It is extremely importantto include government regulators, enforcementauthorities, and community speakers.We draw our speakers from New York, NewJersey, and the surrounding areas because ourparticipant base is from that area.ES: We’ll sometimes have speakers from thedifferent states address a single topic, to getcomparative perspective and make sure it’srelevant to more people. Having governmentagencies there gives us a chance to show thatcompliance professionals in all contexts havea common purpose – efficient and compliantprovision of health care services and benefits.RS: Does the location of the conferenceimpact attendance, and if so, how do youdetermine where the conference is being held?ES: The first Upper North East RegionalConference was at Columbia University, thenmid-town Manhattan, then Newark, NewJersey. We moved around the first couple ofyears, hoping to attract audiences from NewJersey, Connecticut, and beyond.CC: We have finally settled on New YorkCity in 2010 and plan to have it at the samelocation in 2011. It seems most participantslike to be in Manhattan. It is easy to get tofrom all areas, and it certainly provides a lotof options for mass transportation.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgRS: What networking activities do you offerbefore or after the conference? Do you haveany methods of networking particular tothe conference attendees that may draw newattendees to the conference?ES: A few people stuck around for a drinkafter last year’s conference! But really, nothingmore than this so far. Several people havesuggested we have social meet-ups during theyear, with speakers to share their expertise andprovide CHC continuing education credits.RS: Do you also facilitate communicationsamong regional members? If yes, how do youdo this?ES: After last year’s conference, we setup the “New York Metropolitan AreaCompliance Professionals” group onLinkedIn, although it hasn’t hit a criticalmass just yet. We plan to promote it some atthis year’s conference and see if we can makeit an active local resource. Of course, theHCCA Social Network is a great way to stayconnected to the entire community.RS: Would you outline the benefits ofattending your Regional Conference?CC: Besides getting great, timely, and usefulinformation, it is a wonderful opportunity tonetwork with your colleagues and other complianceprofessionals in the tri-state area.ES: And, with the increase of state-specificregulations and enforcement, regionalcompliance conferences are a must.RS: What do you believe accounts for yoursuccess?CC: As we said earlier, we have a greatPlanning Committee and a great New YorkCity location!ES: We’ve also had great support fromthe HCCA national organization, especiallyConference Planner Beckie Smith, who works atpulling everything together—logistics, promotion,coordination. Beckie makes it happen.

RS: What advice would you give to other HCCA RegionalConference planners?CC: Start early and provide a variety of speakers with different expertisewho would appeal to a broad audience.ES: It is also important to see what other regional conferences areoffering, listen to what the attendees want, and avoid duplicatinginformation available at national or other local conferences.RS: How do you mix it up to involve legal professionals,compliance, consultants, etc.?ES: A diverse Planning Committee makes all the difference. Caronworks for a health plan and I’m on the provider side, so that’s a basiccomplement. But with more people involved, you’ll get top qualityrecommendations. We always make sure that for big topics like HealthCare Reform we do a panel so we can have different viewpoints. It’swhere they come together that we get the best synergy.RS: How does the HCCA Regional Conference differ from what youmight learn at the national Compliance Institute?CC: The Regional Conference is a one-day event and focuses on bothlocal and national health care compliance topics, items that we believewill interest our local participants. The Compliance Institute providesa vast array of subjects with hours and days of opportunities to educate,learn, and take home practical information. I actually suggest thatcompliance professionals attend both the Regional Conference in theirarea and the Compliance Institute. They are both great for your professionalcareer.Thank you and Congratulations again on your achievement! nNeed a quick and cost-effectiveway to earn CEU credits?Want the latest news on breakingissues and best practices?All of this from the convenienceof your own office?Try one of HCCA’supcoming WebConferences, andearn 1.2 CEU credits.It doesn’t get any easier.learn more aboutupcoming webconferences andregister atwww.hcca-info.org/webconferencesTryWebConf_quarterpage_CTad.indd 1Health Care Compliance Association • 888-580-8373 • www.hcca-info.org7/8/2010 9:15:55 AM15May 2011

May 201116If you have any questions that you would likeRoy to answer in future columns, please e-mailthem to: roy.snell@hcca-info.org.Observations on Governance, Risk, and ComplianceI’ll admit it, I still don’t get it. Despite reading articles, visiting GRCwebsites, scanning the definition of GRC on Wikipedia, and afterattending GRC presentations, I still have the same thought after beingintroduced to GRC: “Come again?” I have asked a few questions totry to help clear the fog, like: “What is the main purpose of GRC?”Every month that goes by I lose ground. It makes less and less sense,and it concerns me more and more.SilosThe number one reason I heard, about why GRC is necessary, is thatit breaks down silos. My immediate reaction was not positive, becausewhen anyone uses buzz words to promote their new philosophy, I startout suspicious. I am confused, because the whole reason why we havebeen implementing compliance programs is to eliminate silos, so whydo we need GRC? Audit, legal, education, monitoring, ethics, risk,etc. were all siloed in the past. Compliance professionals use all thesetools in a coordinated fashion to prevent, find, and fix regulatory andethics issues.Compliance programs by definition eliminate silos. The tools complianceprofessionals use have all existed for more than 50 years, and thetools failed. They failed to the point that the press, public, and politicianshave had it with corporate America. They failed because thosefunctions were siloed and everyone who used the tools told us threewords in response to the question, “Why didn’t you fix the problem?”Those words were, “Not my job.” Compliance professionals don’t usethose words when someone says we can’t fix a problem.The greatest example of this came during the Congressional hearingsfor Enron, Tyco, HealthSouth, BP, etc. The CEO, CFO, generalcounsel, head of Audit, and others were paraded in front of a committeeand they were asked two questions. The first was, “Did youknow?” The second was, “What did youdo about it?” They all answered “Yes,” and“Not my job.” Compliance programs werenot only developed to coordinate all of theseven elements (audit, risk, legal, education,etc.) but to also change the phrase,“Not my job” into “It’s my job.” We haveeliminated silos, so why do we need GRC?Here is the irony of all ironies. GRC is a silo. It is a silo of Governance,Risk, and Compliance. These ironies tend to happen when yourmain purpose is to sell something, rather than to improve something.I will get into the harm this may cause in a minute. But, I find it veryinteresting that the people who saw fit to grab these three particularbuzz words (GRC) used the buzz phrase of all buzz phrases (“eliminatesilos”) to defend their collection of buzz words. Compliance programsare already in place and they eliminate silos. Doesn’t GRC take usbackward and not forward?Alphabet soupI also wondered, “Why these three words?” I asked one GRC expertwhy these particular three words were combined, and he said thatit also coordinates the activities of Audit, the general counsel, andthe corporate secretary. So I asked, “Why, if that is the case, don’tyou call it GRCAGCCS?” I guess it doesn’t roll off the tongue. Itisn’t cool. I also felt that it was important not to silo monitoring,education, hotlines, and the other tools of compliance, so why not callit GRCAGCCSMEH? Here is another question: Just because we haveto work together, why do we need alphabet soup and a new mythology?When there is a major disaster or crisis, a company’s Governance,Risk, and Communications have to work together. Why don’t theyhave a GR&C? According to the GRC theorists, any time variousdepartments have to work together, we will need an acronym and amethodology. If the theorists were really being honest, they probablywould have said that G, R, and C were the three hottest buzz words,breaking silos is the hottest buzz phrase, and we need to producesomething that CEOs will buy. I am a CEO and I don’t buy anythingif you can’t explain, in a simple manner, why it exists or is needed.And buzz words make me suspicious.Why is GRC a problem?You might ask why anyone would ever care that they made this thingup? “Just let it be.” Compliance programs and compliance professionalsare in a race in corporate America—a race against the enforcementcommunity. We need to find our problems before they do. We haveHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgROY sNELL

to prevent problems before they happen. We don’t have a lot of for the organization, and the willingness of other organizations to trustresources. Our task is complicated. Following all of the thousands of and partner with our organization. Compliance and Governance bothregulations, some of which are a little confusing at times, is a daunting work to make the organization succeed. They just need to focus ontask. We need to be focused. Does GRC help us focus on the regulatoryand ethical crisis in America? I don’t think so.compliance. They need to support compliance. They need to ensuretheir own work, not combine their work. Governance plays a role inenough is being done. But all the rest of what they do, for all intentsLet’s assume that whoever implements GRC pays equal attention and purposes, has little to do with compliance.(33.3%) to all three parts: G, R and C.When Risk is a risk to ComplianceLet’s also assume that governance spends 10% of their time on compliance.That means 90% of the 33.3% of the time spent on “G” has quences. First of all, the Risk department spends a great deal of timeCombining Risk with Compliance has unfortunate unintended conse-nothing to do with compliance.on risks that have nothing to do with risks the company causes others.That time is not helpful to Compliance. It is helpful to the companyLet’s assume that the risk managers in this country spend half of their and is very important, but has nothing to do with Compliance. GRCtime on risks to their organizations, such as the risk of investments, implies that it’s all part of one big effort. GRC implies that everythingstarting new products, opening new offices, etc. That means 50% of Risk does helps Compliance. Risk spends a great deal of time on risksthe time spent on risk is of no help to compliance programs. Complianceonly focuses on risks their organization causes to others.rollout, product development, investments, etc. It is a distraction thethat are sexy and of great importance to the CEO, such as productcompliance professional cannot afford to have. We have limited timeAnd let’s assume that 100% of the time spent on “C” is spent on and resources.managing an effective compliance program.The biggest concern that any compliance professional should haveInstead of 100% of a compliance professional’s time being spent on with the traditional risk methodology is “risk appetite.” Prior tocompliance program management, they have about 52% of their time writing this article, the GRC definition in Wikipedia had a diagram.spent on compliance. All that time the Governance “team” spends Right across from the word Compliance was “risk appetite.” Thoseon financial statements, profitability, management, and the Risk words run shivers down the spine of any experienced compliance professional.Risk appetite has no place in the compliance lexicon. There“team” spends on risks like investments is lost time to the complianceprofessional. Even if you think GRC is not a silo, it has combined should be no “risk appetite” for breaking the law or unethical behavior.three things that approximately 50% of the time have no relevance to In fact, many believe that risk appetite is in part to blame for thecompliance. GRC is a risk to your compliance program.politicians’, public’s and press’ outrage over the situation we are in.Risk appetite is completely appropriate in determining investments.We were distracted in the past and we failed, so we implemented However, the GRC guys’ suggestion to combine Risk and Compliancecompliance programs. And now these people want to distract us again. is potentially harmful to Compliance. Compliance professionals doWhy? Because it’s cool to hang out and talk about governance issues. risk assessments, but they focus only on risks the company causesIt’s easier to work on risks like the risk of investments. Conflicting others. Just because risk managers and compliance professionals usepriorities and conflicting interests are what got us into this ethical and the risk assessment as a tool, doesn’t mean they should be combined.regulatory mess, and GRC adds to the problem.If you GRC guys are trying to sell GRC as a tool to prevent, find, andfix regulatory problems, I suggest you log on to Wikipedia and deleteGovernancethe words “risk appetite.” I am pretty sure the enforcement communityis not going to be impressed with your compliance methodologyGovernance should be focused on financials, profitability, innovation,etc. It’s an important role, but it’s not the compliance professionals’ as long as you are espousing risk appetite as a strategy to use in yourresponsibility. Mixing these concerns (GRC) is why we are where compliance efforts.we are. Compliance focuses only on preventing, finding, and fixingregulatory and ethical issues. Compliance is interested in the longtermculture, employee morale, motivation, the willingness to workContinued on page 18Health Care Compliance Association • 888-580-8373 • www.hcca-info.org17May 2011

Letter from the CEO ...continued from page 17Who is promoting GRC other than “the GRC guys?”The enforcement community and the politicians are promoting complianceand ethics programs as a solution. OIG imposes Corporate IntegrityAgreements (CIAs) on companies that break the law. A CIA is a mandatedcompliance program that forces the company to hire or appoint a complianceofficer and implement a compliance program with all seven elements(e.g., auditing, monitoring, education, investigation, discipline, hotlines,etc.) Nowhere in any of the CIAs do they mention GRC.The United States Sentencing Commission created the Federal SentencingGuidelines that instruct judges to order that you shall receive double ortreble damages unless you have a compliance program. They don’t saya word about GRC programs. Specific industries, like health care andfederal contractors, have been strongly encouraged, and in some casesmandated, to implement a compliance program. No industry has beenasked to implement a GRC program. Who is GRC coming from, andwhy are they implying this is helpful?GRC was invented for the benefit of a few people and not by complianceand ethics professionals. GRC was invented for the benefit of a few peopledespite the suggestions of the Department of Justice, OIG, and USSC.When I ask, “Why GRC?” I am told that GRC’s main function is to breakdown silos. GRC does not break down silos; it builds a silo. I don’t get it.Not only do I not get it, I am concerned about the dilution of the complianceefforts. I am concerned about the non-compliance related distractionsof governance and risk. Compliance programs are a new solutionand our profession is in its infancy. We have a bunch of people, most ofwhom have never been a compliance professional or managed a complianceprogram, telling us how to define our profession. It’s not right. nAuthors Needed for New“Mentorship” Feature inCompliance TodayMerriam-Webster Dictionary defines Mentor: a trusted counselor or guide.Have you been mentored in the compliance profession, and wouldyou be willing to share your experience with your peers? If youanswer “Yes!”, please contact us!E-mail Compliance Today Editor Margaret Dragon atmargaret.dragon@hcca-info.org or call her direct at 781/593-4924.May 201118Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Social NetworkingJohn FALCETANOEditor’s note: John Falcetano, CHC-F,CCEP-F, CHRC, CHPC, CIA is ChiefAudit/Compliance Officer for UniversityHealth Systems of Eastern Carolina andTreasurer of the HCCA Board of Directors.John may be contacted by e-mail atjfalcetano@uhseast.com.This month I thought I would focus on the Behavioral Health Care ComplianceDiscussion Group on the HCCA Social Network. Current discussion isabout the recent approval by the Centers for Medicare and Medicaid Services(CMS) granting The Joint Commission authority for psychiatric hospitals.The four-year CMS designation means that psychiatric hospitals accreditedby The Joint Commission will be “deemed” as meeting the Medicare andMedicaid health and safety requirements. CMS granted the authority toThe Joint Commission in a February 25, 2011 Federal Register notice. CMSfinds that The Joint Commission’s standards for psychiatric hospitals meet orexceed those established by the Medicare and Medicaid programs.Remember, accreditation is voluntary and not a Medicare requirement.That raises the question, “If a psychiatric hospital is accredited by TheJoint Commission for health and safety standards, do they still need a stateMedicaid agency review?” For the answer, go to the Behavioral HealthCare Compliance Discussion Group on the Social Network. Remember,there is something for everyone on the Social Network site.Web 2.0 is about thenew, faster, everyoneconnected Internet.HCCA is embracing this approach and offers youa number of ways to build out your network,connect with compliance professionals, andleverage this new technology. Take advantage ofthese online resources; keep abreast of the latestin compliance news; and stay ahead of the curve.Dozens of discussion groups andmore than 6,800 participantshttp://community.hcca-info.orgProfiles of over 4,500 complianceand ethics professionalshttp://www.hcca-info.org/LinkedInA benefit of participating in social networking is you never know what youwill find and how much it will help you in your everyday job. Join ournetwork and more specifically, join a community. You will be glad you did.To participate in the discussion, review the comments, or just talk withyour peers, you can access the HCCA Social Network site by going to thefollowing link: www.hcca-info.org/sn nFollow HCCA_News to keep up with thelatest compliance news and eventshttp://twitter.com/HCCA_NewsPeople On the MoveMartin T. Biegelman joins Navigant’s GlobalCompliance & Investigations GroupMartin Biegelman recently joined Navigant as a Director in theGlobal Investigations & Compliance Group, further enhancingNavigant’s breadth and depth as a leading provider of anti-corruptionconsulting services.Connect with compliance and ethicsprofessionals on Facebookhttp://www.hcca-info.org/FacebookEach resource is 100% dedicated tocompliance and ethics management.So sign up for whichever one worksbest for you, or for all four if you’realready living the Web 2.0 life.Health Care Compliance Association • 888-580-8373 • www.hcca-info.org19May 2011

ICD-10 readiness andimplementation: Theclock is ticking!By Gloryanne Bryant, RHIA, CCS, CCDSEditor’s note: Gloryanne Bryant is Managing External:Director HIM – Revenue Cycle, NCAL n Communicate with insurers about yourKaiser Permanente in Oakland, California. testing and validation plans.Gloryanne may be contacted by e-mail at n Identify various production scenarios thatGloryanne.h.bryant@kp.org.should be used during the testing period.n Consider getting results from a reimbursementperspective, and validate that theOK, let’s be honest now. Has yourorganization or practice not done payment is similar to what you got under“anything” to prepare for ICD-10 ICD-9-CM.Implementation yet? So stop waiting—there n Confirm go-live date with health plans.is a lot to do! ICD-10 compliance is lessthan three years away.Hospital and health care systems shouldreview all technology vendors, including theWith an ICD-10 implementation date of level of risk associated with each system orOctober 1, 2013, we have to first be cognizantof the 5010 transaction date of January tasks and dependencies to move from thevendor, and perform a gap analysis describing1, 2012. This is the precursor to ICD-10. current ICD-9-CM world (and associatedWithout the 5010 in place and working, we X12 4010 transaction sets) to ICD-10 andcan’t use ICD-10. So, get your Information its associated X12 5010 transaction sets.Technology (IT) team and Patient Financial (Medicare will not accept claims submittedServices (PFS) leadership together and start on the 4010 set after Dec. 31, 2011.)creating a plan. Your IT assessment shouldhave been completed last year. In your IT Some questions to ask include:assessment, you should have included a 1. What parts of the workforce must beprocess with steps to test and validate thesystem(s) both internally and externally.Table 1: Four-Phase Time Linetrained in health plans, health care providerorganizations, and others?2. How will the training be delivered?3. What methods can be used for traininghundreds of individuals?Your ICD-10 Implementation SteeringCommittee should have representation fromthe several departments, but not limited tothose listed here:n Billing or Patient Financial Servicesn Contractingn Compliancen Financen Health Information Management/Codingn Information Systems and Technologyn Revenue Cycle Managementn Quality and Cliniciansn Communicationsn OperationsThe ICD-10 Implementation Steering Committeemembers will vary according to theorganization’s implementation needs. Industryexperts recommend that the planning andimpact analysis should have been completedby no later than the last quarter of 2010.More and more organizations and vendorsare developing tools and information tohelp increase an understanding of ICD-10Some key aspects that should have been2009 - 201020102010 - 20132013 - 2016focused on in the IT assessment include:Internal:PlanningPreparationImplementationPost-Implementationn Populate files used for testing purposes.n Validate that the changes are properlyrecorded in the specific section of theHIPAA transaction standard.Analyze EnvironmentAssess RiskBegin EducationOrganize ApproachPlan Strategy and TacticsEstablish PrecursorsAssign ResponsibilitiesDetail SpecificationsReverse ContractsProgram ReportsModify Test SystemsMitigate RiskAnalyze ImpactModify OperationsOptimize IDC-10 Usen Monitor whether appropriate securitymethods are used including log-in andtracking of individuals.Strategic PlanProject PlanFunctionalOperationsOptimalOperationsMay 201120Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

CCBThe ComplianceProfessional’sCertificationimplementation and also help to increase over allawareness. Gap analysis and assessments of keywork streams will be critical in the initial phaseof implementation. A recent white paper onICD-10 provided Table 1 to help demonstratethe aspects and time line for implementation. 1The American Health Information ManagementAssociation (AHIMA) has created avery detailed website to assist providers. 2 Thisincludes training programs, newsletter, andtools. In addition, the Centers for Medicare andMedicaid Services (CMS) also has developeda robust website for providers with lots ofresources, including “fact sheets.” 3Now granted, there is a large amount of workto do, but there are also benefits for yourefforts. These include, but are not limited to:n improved disease management which canimprove care;n more accurate payments for new proceduresand a better understanding or newprocedures;n fewer rejected claims and fewer improperclaims;n better understanding of health conditionsand health care outcomes;n granularity of disease monitoring and reportingworldwide;n improved ability to conduct research,epidemiological studies, and clinical trials;n improved financial, and administrativeperformance; andn greater ability to prevent and detect healthcare fraud and abuse.Time is wasting away and this is a huge initiative.It will take a lot of time and resources to implementand implement well. Are you going to beICD-10 compliant? Don’t wait to find out! n1 John Kasey, Andrew Naugle, Patricia Zenner: Milliman White Paper:ICD-10 Industry Perceptions and Readiness, January 2010. Available athttp://publications.milliman.com/publications/health-published/pdfs/icd-10-industry-perceptions.pdf.2 Available at http://www.ahima.org/ICD103 Available at http://www.cms.gov/ICD10The CCB offerscertifications inHealthcare Compliance(CHC), HealthcareResearch Compliance(CHRC), and theCertified in HealthcareCompliance Fellowship(CHC-F).Certification benefits:n Enhances the credibilityof the compliancepractitionern Establishes professionalstandards and status forcompliance professionalsin Healthcare andHealthcare Researchn Heightens the credibilityof compliancepractitioners and thecompliance programsstaffed by these certifiedprofessionalsn Ensures that eachcertified practitionerhas the knowledge basenecessary to perform thecompliance functionn Facilitatescommunicationwith other industryprofessionals, such asphysicians, governmentofficials and attorneysn Demonstrates the hardwork and dedicationnecessary to succeed inthe compliance fieldFor more informationabout certification, pleasecall 888/580-8373, emailccb@hcca-info.org, orvisit our website at www.hcca-info.org.The Compliance Certification Board (CCB) compliancecertification examinations are available in all 50 states.Join your peers and demonstrate your complianceknowledge by becoming certified today.Congratulations!! The following individuals have recentlysuccessfully completed the CHC certification exam, earningtheir certification:Nina J. AhluwaliaLuther T. AllisonMark AndesJane D. BrueJeffery A. ButlerPrudence CarterRosalyn CerdaDiana J. ChristieAlejandra Q. ClydeTina M. CorderoMariah E. CourtrightTracy CurnuttRandy K. De BoerJennifer E. Del VillarVickie C. Downing-BoydCarleen A. DunneJimmy D. EatonShelia L. ElliottMerlina F. EstrellaTimothy M. FeldeAnn Marie FordAnnette GerulskiRobin M. GlascoNancy E. GravesLjudmilaHadzikadunicMelodye HarveyBarbara M. HavertyTimothy C. HoganAmy J. HornbacherKelli R. HuntsingerPatricia S. HuseDeborah A. JonesScott JonkmanJennifer L. KiffKira B. KwanDonna L. LewisKimberly M. LiskaVirgie Lluvido-GowinCarla G. MacapinlacGrace M. McLinnRachel A. McMullinJill A. MedleyAndrea C. MerrittAnthony E. MioJennifer A. MocanuDonna E. MorrisEric R. MusialCarol A. ParkerTheresa L. RameyMarcella F. RanickVeronica Y.RichardsonMichelle L. RieglerMichele C. RobinsonDawn D. RockWendi S. RogalinerCory SheedyMaria P. Shinn BouckCathy A. SloaneJackie L. SmithJori L. SnyderHisham SoriJonathon TylerThompsonKaren UnderwoodLisa A. WarrenAnne B. WerringRyan A. WettergrenJeffery A. WigginsJerry WilliamsonDeanna WinterAndrew WirthDavid C. YoungCongratulations!! The following individuals have recentlysuccessfully completed the CHRC certification exam, earningtheir certification:Kari B. AdankSteven R. BorwegeTodd M. BothunJoan McIntyre CaronStephanie LynnDeetschLaverne C. EstanolBenjamin FigueroaAlisa M. FirehockKathleen HiguchiGaylen W. HowellStephanie Jo KravetzMargaret J. LoweryHaley G. McEwanVicki L. MoodySusan S. NightAmy Stone MuraiCynthie M. VialpandoHope M. VioletteSteve ZuckerCongratulations!! The following individuals have recentlysuccessfully completed the CHPC certification exam, earningtheir certification:Jane D. Brue Eric V. Eliason Leslie J. SoltauHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org21May 2011

Auditing services forMedicare patientsenrolled in clinicaltrialsBy Deborah Johnson, MMHC, MEd, CHC, RHIT, CCS-PIn Phase II and Phase III trials, theexperimental study drug or treatment is givento a larger group of people to further evaluateeffectiveness and safety, and/or to collectinformation that will allow safe use.Phase IV trials pertain to post-marketing studiesand provide additional information, such asthe drug’s risks, benefits, and optimal use.May 201122Editor’s note: Deborah Johnson is a CodingCompliance Consultant with the Office of Complianceand Corporate Integrity for VanderbiltUniversity Medical Center in Nashville. Shemay be contacted by e-mail at d.johnson@vanderbilt.edu.Drug clinical trialsClinical trials for drugs essentially fall intotwo general categories: those that have not yetbeen approved, and those that have alreadybeen approved by the FDA for administrationto patients. The already approved substanceshave been determined to be safe by thePhase II – IV may be covered by Medicare ifthe Phase meets coverage criteria for routinecosts (see below).Device clinical trialsFor purposes of regulation, the FDA hasclassified devices into three general categories,For many of our medical centers, FDA and they are now being evaluated in based on the degree of control needed toclinical trials research is a focus of different doses, schedules, and combinations assure the safety and effectiveness of thethe medical mainstream, and where to determine how to optimally use them in devices, and on their intended use. Thislarge amounts of resources are dedicated. Weknow that a clinical trial is a research approachto developing new drug treatments, devices, orsurgical techniques in a clinical setting. Clinicaltrials are an integral component for improvingthe treatment of medical conditions becausethey lead to higher standards of care. In theU.S., all new treatments must proceed throughan orderly clinical trials evaluation process toensure that they have an acceptable level ofsafety and demonstrate benefit for patients whohave a specific condition, before they becomecommercially available to other patients.patient care.Before new drugs or drugs being used ina trial for new indications are introducedto the market, they must go through theInvestigational New Drug (IND) programwhich includes four phases (Phases I – IV)of screening. Basically the IND program isa means by which permission is granted toship an experimental drug across state linesbefore a drug marketing application has beenapproved. The FDA reviews the IND applicationfor safety and effectiveness to assure thatresearch subjects will not be subjected toclassification system is also used to determinereimbursement for clinical trials costs incertain instances.Class I devices must meet certain generalcontrols that relate to issues such as labelingand manufacturing specifications. Class IIdevices must meet any performance standardsor special controls developed by the FDA forthat type of device, in addition to meeting thegeneral control requirements for Class I products.Class III devices are life-supporting/lifesustainingimplantable devices, or devices thatpresent potentially unreasonable risk of illnessAlthough clinical trials have been aroundfor decades, auditing clinical trials servicescan be a challenge. For your complianceprogram to be effective when auditing clinicaltrial documentation and billing practices, theauditors will need to be familiar with the Foodand Drug Administration (FDA) clinical trialdrug screening phases and medical device classificationsystem, and the CMS policies thatsupport Medicare reimbursement of selectedunreasonable risks.In Phase I trials, researchers test anexperimental drug or treatment in a smallgroup of people for the first time to evaluateits safety, determine a safe dosage range, andidentify side effects. Phase I trials usually arepurely investigational, generally do not havetherapeutic intent, and therefore, are notcovered by Medicare.or injury. They cannot be classified into ClassI or Class II due to insufficient informationregarding the adequacy of general controls,performance, standards, or special controls inproviding reasonable assurance of their safetyor effectiveness.In cases where the device manufacturers needto obtain clinical data before submittingan application for product clearance, theclinical trials costs. 1FDA may issue an Investigational DeviceHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org

Exemption (IDE). The FDA will review the providers for certain device costs associated National Coverage Determination (NCD)device and assign an IDE number allowing with some Category B, IDE-approved device For routine costs on clinical trials, the NCDthe product to be shipped lawfully for purposesclinical trials. The Medicare Modernization is used in addition to the Medicare investiga-of conducting the clinical trial. These Act of 2003, section 731(b), expanded the tional device coverage. The NCD, dated Julytrials are generally managed under the direction ability of Medicare to cover costs by authorizing2007, authorizes Medicare to pay for “routineof the hospital’s Institutional Review Boardcoverage for routine costs incurred on or costs” for patients in qualified clinical trial(IRB). Each IDE is assigned a corresponding after January 1, 2005 that were related to IDE for items and services furnished on or afterspecial identifier number by the FDA.Category A devices used in the diagnosis, July 9, 2007. 3 Routine care (sometimesmonitoring, or treatment of an immediately referred to as standard of care) is care thatAdditionally, the FDA assigns all approved life-threatening disease or condition. Note the patient would have received even if theyIDEs to one of two categories to assist the however that the Category A device itself is were not participating in a clinical trial. AMedicare program in determining coverage never billable to Medicare, and coverage of qualified clinical trial is when the servicefor such devices. Category A devices are the trial must be approved by the Medicare provided must be a covered benefit, mustthose devices that are considered experimental,Administrative Contractor (MAC) Medical have therapeutic intent, and unless the trialdo not have a functional equivalent, and Director before Medicare is billed.is designed to study a diagnostic interven-are considered high-risk devices. In othertion, the participants must have a diagnosedwords, questions of safety and effectiveness Medicare may cover services provided using disease. Payment for routine costs is basedremain unresolved.Category B devices if they are considered on the payment methodology specific to thereasonable and necessary. If coverage is based provider and the type of service provided.Category B devices are considered non-experimentalon approval by the MAC, the device may In situations where the payment is bundledand are similar to other devices on be covered, because the contractor has the (DRG payments), Medicare will adjustthe market for which the safety and effectivenessoption of approving coverage of the device in amounts paid for non-covered investigationalof the device have been resolved. 2 addition to routine care. It is recommended items and services for which payment shouldyou contact your local MAC to get approval not have been included as part of the bundledReimbursement policiesfor billing of services related to Category B payment.Medicare has strict policies for the reimbursementdevices before patients are enrolled.of costs related to clinical trials. ForSo, in case there is confusion, let’s review:investigator-initiated trials, you may want to If the MAC determines that a Category B the Medicare investigational device coveragecheck with your facility IRB to determine if device trial is covered, payment will be made regulation provides coverage for the investigationalthe investigator is doing the required work of for the device and related costs. The amountdevice itself. In contrast, Medicare’sa sponsor, per the FDA.is based on, but not to exceed, the amount NCD on clinical trials does not providethat would have been paid for a currently coverage of the Category A investigationalThere are three basic policies that apply to used device serving the same medical purpose device, but provides coverage only for routineMedicare reimbursement to providers of care that has been approved or cleared for marketingcare costs. So, depending on which policy isfor certain costs associated with clinical trials:by the FDA. This should not affect a being applied for, coverage could determinethe Medicare investigational device coverage diagnosis-related group (DRG) payment. reimbursement.regulation; the Medicare National CoverageDetermination (NCD) on clinical trials, and If the MAC determines the Category B trial Coverage with Evidence Developmentreimbursement available through coverage is not eligible for reimbursement, payment (CED) policywith evidence development (CED).for medical and hospital services that are There are two types of coverage with evidencerelated to the use of the device are also not development: (1) Coverage with AppropriatenessMedicare investigational device coverage covered. However, Medicare payment mayDetermination (CAD), and (2) Coverageregulationbe made for services to treat a condition or with Study Participation (CSP). CED is onlyIn 1995, the Medicare program announced complication that arises because of the use of relevant after a formal NCD request has beenthat it would provide coverage and reimburse a non-covered Category B device.Continued on page 24Health Care Compliance Association • 888-580-8373 • www.hcca-info.org23May 2011

Auditing services for Medicare patients enrolled in clinical trials ...continued from page 23Clinical Trial Audit Preparation ChecklistAction IDE Drug CommentReview policies ü üRequest copy of FDAapproval letterLocate IDE numberRequest copy of MACapproval letter for CategoryA or B deviceKnow which phase theservice was renderedRequest copy of patientsigned consent formRequest copy of studyprotocolVerify/review:IDE payment processVerify/review drug paymentprocessüüüüüüüüüüüMedicare Coverage Regulation, MedicareNCD, Medicare CED, and any local coveragepoliciesThe IDE number will also be required on theprofessional and facility claim form(s).The written approval letter should outlinethe coverage and confirm Category A or Bassignment.Review the NCD to determine if the phasemeets NCD criteria for ‘intent and or toxicity’for clinical trials (Phase I typically does notmeet).The consent form will detail for the patientwhat (if any) financial responsibility thepatient and/or the patient’s third-party insurerwill incur.The protocol should include the study budget,which will detail the types of services that thepatient will receive, and should identify servicesthat are paid for by the study, as well as servicesthat are standard of care.(a) Services paid for by the sponsor have notbeen billed to another party; (b) all servicesbilled to Medicare are for standard of care; (c)Category B devices being billed have had priorreview for coverage by Medicare or insurance.(a) Investigational drugs have not been billed;(b) services paid for by the sponsor have notbeen billed; (c) all services billed to Medicareare for standard of care.initiated and coverage approval is usuallycontingent upon the collection of additionaldata. The policy allows for consideration andcoverage approval of FDA-approved medicaltechnologies and services when improvementsin health outcomes have not been inconclusive,even when evidence exists to suggest thatcoverage may provide an important patientbenefit.Medicare coverage policyNow that we’ve reviewed the lingo of clinicaltrials, let’s move on to the requirements forMedicare coverage of routine costs. Trialsmust meet two sets of criteria. For the firstset, any clinical trial receiving Medicare coverageof routine costs must meet the followingthree requirements:1. The subject or purpose of the trial must bethe evaluation of an item or service thatfalls within a Medicare benefit category(e.g., physicians’ service, durable medicalequipment, diagnostic test) and is notstatutorily excluded from coverage (e.g.,cosmetic surgery, hearing aids).2. The trial must not be designed exclusivelyto test toxicity or disease pathophysiology;it must have therapeutic intent.3. Trials of therapeutic interventions mustenroll patients with diagnosed disease,rather than healthy volunteers. Trialsof diagnostic interventions may enrollhealthy patients in order to have a propercontrol group.May 201124Modifiers Q0 or Q1 ü üDiagnostic code V70.7 ü üRequired on outpatient provider claims whereservices/items are provided as part of a Medicarequalified clinical trial, an investigatorinitiated trial, an IDE trial, and when requiredby an NCD for services/items provided in aclinical study.If the care rendered was standard of care,and should be billed to the patient’s personalaccount/insurance, then V70.7 would be listedas an additional diagnosis code; the disease/malignancy code should be listed first.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgAdditionally a clinical trial should have sevendesirable characteristics:1. The principal purpose of the trial is to testwhether the intervention potentially improvesthe participants’ health outcomes.2. The trial is well-supported by availablescientific and medical information, or it isintended to clarify or establish the healthoutcomes of interventions already incommon clinical use.

3. The trial does not unjustifiably duplicateexisting studies.4. The trial design is appropriate to answerthe research question being asked in thetrial.5. The trial is sponsored by a credible organizationor individual capable of executingthe proposed trial successfully.6. The trial is in compliance with federalregulations relating to the protection ofhuman subjects.7. All aspects of the trial are conductedaccording to the appropriate standards ofscientific integrity.Covered vs. non-covered costsMedicare covered costs include any medicalservice normally covered by Medicare (i.e.,usual care costs) when it is provided as part ofclinical research, including tests, procedures,and doctor visits. Usual care costs, even for aservice or item used in the experimental treatment,are covered. For example, Medicarewill pay for the intravenous administrationof a new chemotherapy drug being testedin a trial, including any therapy to preventside effects from the new drug. Also, a testor hospitalization that Medicare wouldordinarily cover for a cancer patient wouldstill be covered, even though the servicesrequired resulted from a side effect from theexperimental drug or treatment.Medicare non-covered costs typically includeinvestigational items or services being testedin a trial (i.e., research costs). Items or servicesused solely for the data collection needs of thetrial (research costs), such as lab test, x-rays,or CT scans that are required more frequentlythan usual for the purpose of research, aretypically not covered. Items provided freeby the sponsor of the trial, such as drugsor specialized procedures, are typically notcovered.Now you are readyArmed with the CMS guidelines, you are nowready to conduct an audit of the documentationand billing associated with clinical trials.Creating a tool, such as a checklist (see page24), will contribute to a standard processof data collection and verification that canbe applied by all. In summary, review thepolicies, collect the FDA approval data, knowwhat services are considered routine, andensure appropriate modifiers and diagnosticcodes are being used. n1 Available at http://www.cms.gov/ClinicalTrialPolicies2 For more information, see https://www.cms.gov/MLNMattersArticles/downloads/MM3548.pdf3 For more information, see http://www.cms.gov/manuals/downloads/ncdHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org25May 2011

May 201126Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org27May 2011

focusfeatureWhat your board needs to knowabout compliance and ethicsBy Frank J. NavranEditor’s Note: Frank J. Navran is the Founder and Principal Consultantof Navran Associates. Frank has worked with clients in more than twentycountries, reducing their risk of ethics and/or compliance failures andcontributing to their success in developing and sustaining strong ethicalcultures. Frank has authored five books and more than two hundredarticles and book chapters. He may be reached at frank@navran.com, orfor more information, www.navran.com.The hospital’s Vice President–Ethics and Compliance had beenwaiting outside the conference room for about ten minutes.The board had been in closed session for almost two hoursand she was next on the agenda. The door opened and she was invitedin to get ready for her presentation while the board took a shortbreak. As she went into the conference room, she heard three of theboard members in heated discussion.You can’t believe what you just heard. The company has strict conflictof interest guidelines that are supposed to apply to everyone and theboard is choosing to violate these policies. What are you to do? Laterthat day you take your concern to the Chief Operations Officer. Afterlistening to your story he says,“This is none of your business. What you heard was not intendedfor your ears. It was board members discussing board business.We have to trust that they know what they are doing. As far as I’mconcerned, no harm, no foul. As far as you’re concerned, it neverhappened. Do I make myself clear?”The behavior of the board members and the COO in this examplerelies on two preconditions: the ability of people to rationalize, and aweak ethics culture.May 201128“We can’t let him get away with this. We have a strict policy Rationalizationagainst this kind of conflict of interest.”Rationalizations are one of the most powerful mechanisms used by“good” people to justify doing “bad” things. Over the years, I have“We have no choice. He’s the only doctor on staff that has his level come to define a rationalization as, “A lie we tell ourselves to give usof certification and experience. If we run him off just because he permission to do what we know is wrong.”owns a bunch of shares in the company that supplies our cardiomachines, we lose him. And that would be a disservice to the community.Consider the lies in this case:Those machines are as good as any others on the market. 1. This is none of your business.It’s not like he’s having an adverse effect on patients.”a. Actually, as the hospital’s Ethics Officer, it was precisely her“business.”“But, how can we apply our Conflict of Interest policy to everyone i. Here is a clear instance of the hospital’s purchasing agentelse and not apply it to him?”being pressured by a member of the board of directors to dobusiness with a vendor with whom the board member has“We just do. We make an exception. This is a special case. To losea significant financial interest—a clear violation of hospitalhim would be a disaster, both in terms of community service andpolicy.our bottom line. No harm, no foul. And, if it comes back to haunt ii. The conversation suggests an implicit (if not explicit) threatus, we can always blame the manufacturer.”from that doctor that changing vendors would result in himleaving the hospital, thus harming the hospital’s ability toHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org

serve both the community and its shareholders. Such threatsalso violate hospital policy.iii. The conversation also implies that the board has just knowinglychosen to ignore this conflict of interest, rather thanrisk the anticipated consequences, thereby violating theexplicit prohibitions in the board bylaws that address thisspecific type of conflict.iv. And perhaps most significantly, this conversation is symptomaticof a board that does not believe that the organization’sethics standards apply to them and their decisions.This suggests that the decision in question might not be anisolated case, but rather indicative of a board that routinelychooses to operate outside the company’s proscribed ethicsstandards.2. What you heard was not intended for your ears.a. The implication is that if you hear something that was notintended for your ears, you have no responsibility to act. That isnot true.i. As an ethics officer, you have both a fiduciary obligation toserve the best interests of the organization and a duty to doso in a manner consistent with all applicable policies andprocedures—and that includes the hospital’s Code of Ethics.ii. As an employee, irrespective of position or title, you shouldhave a copy of the Employee Code of Ethics. If that is wellwritten, it should state that you have “…an affirmative obligationto report any observed or suspected ethics violation.Failure to do so is an ethics violation in its own right.”board applying a double standard.ii. “If it comes back to haunt us, we can always blame the manu-Continued on page 30Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgfacturer” suggests it is serious enough that a plan to deflectresponsibility is warranted.5. As far as you’re concerned, it never happened.a. Unfortunately, it did happen.b. Once that is the case, you have no ethical alternative but to act.These rationalizations were necessary for the decision to “do nothing”to be justified. In this instance, rationalizing both legitimized andforgave an ethical breech. By extension, it also created a precedentfor tolerating future misconduct, thus helping create and/or sustain aboard culture based on lowered ethical standards.Ethical cultureCulture, in this context, can be understood as the commonly heldbeliefs about “how things really work around here”—what we oftencall the unwritten rules. These are rules we need to know about, butwon’t find written down anywhere. Please note, “culture” is differentfrom compliance, because it is based on unpublished standards (i.e.,rules that cannot be researched, printed, distributed, and read).Ethical culture is that aspect of culture that defines what is “right”and what is “wrong” in an organization. It sets boundaries and defineslimits. It is the response to my favorite “diagnostic” question:“If I were a new employee here and you wanted to help me succeed,what one or two things would you tell me that I need toknow, but won’t find written down anywhere?”3. We have to trust that they know what they are doing.I have been asking this question for more than 15 years, in dozens ofa. There is no such obligation to trust.organizational assessments and culture reviews. Among the thousandsi. Trust must be earned.of interviewees, no one, irrespective of seniority, function or level, hasii. It cannot simply be conferred by virtue of title or position. ever said, “We don’t have any unwritten rules.” Quite the contrary.b. In this instance, trust is not deserved.Every respondent has had several examples, and all agree that in a clashbetween the written rules and these unwritten rules, the unwritten4. “No harm, no foul.”rules always prevail.a. There is harmi. In this case the organization was harmed when potentially In this case the board “expects” that conflicts of interest will beimportant data was suppressed. Without that data, the board avoided and, if observed, will be reported. Abiding by that expectationcannot make informed decisions.creates a “climate of trust” in the organization, a belief that decisionsii. The reputation of the board and the company was put at risk. will be made on their merit, in accordance with company policiesb. There is a fouland procedures, and consistent with the organization’s stated values,i. Implicit in the overheard conversation is a problem with the principles, and standards.29May 2011

What your board needs to know about compliance and ethics ...continued from page 29May 201130To violate that standard breaches a trust. This breach, as detailed Then I said,above, may be a unique circumstance or symptomatic of a pattern. “Take one minute and, in no more than 50 words, define whatEither way, these board members have chosen to act unethically. An that means: What is an ethical person? What does an ethicalorganizational culture that encourages and/or tolerates this kind of person do?”breach is a “weak” ethical culture. A strong ethical culture neitherencourages nor tolerates ethical misconduct.One minute later, I randomly selected five people in the room andasked that they read what they had written. I recorded their replies onWhat has this to do with ethics training for my board?a flipchart. As expected, the five replies were each different from theHow is this hypothetical case related to the argument that ethics trainingothers.for boards is necessary? According to The Board Book, 1 one of the n Ethical people don’t lie, cheat, or steal.duties of a board is “…ensuring legal and ethical conduct.” I would n They do the right thing, even when no one is looking.characterize that duty as including the need for creating and sustaining n They treat others according to set of principles such as respect, fairness,a strong ethical culture.and integrity.n They follow policies and procedures.Given that duty, is it reasonable to expect a board to sustain the ethical n They tell the truth, even when it is difficult.standards of a strong ethical culture even if/when those standards havenot been formally communicated to the board? Some have argued that Without commenting on the responses, I addressed the group, saying:the answer is “yes” because ethical standards, the definitions of what is “My assumption is that we are all ethical. Unethical people typicallyright and wrong in the boardroom, are nothing more than “commondo not seek nor rise to the positions represented in this room.sense.” But, can we be confident that is the case? If not, then ethics But, as you can see from the posted responses, we are all “ethical”training for boards becomes necessary.differently. We embrace common values and principles, but interpretand apply them uniquely. A Code of Ethics is not a tool toI have been making the argument for ethics training for boards for teach bad people how to be good. Rather, it fulfills the obligationseveral years, based on a belief that board ethics is not commonof the organization to clearly define for its members that, in thissense. That position “crystallized” for me early on, after working with group, this is what it means to be ethical.”the boards of directors and trustees of a state medical association, acombined group of about 45 working professionals and academics. Substitute “ethics training” for “Codes of Ethics” and this same activityI was invited to facilitate a one-day session on how best to go abouteffectively overcomes the reluctance of many boards to engage inrevising their Code of Professional Ethics for their members. I was also ethics training.advised that I was the third consultant so engaged. The other two hadbeen fired, mid-session.Your board may not need “compliance” training to teach them therules, but they would benefit from a process that helps them reachForewarned, I used a “pre-session” questionnaire regarding the current consensus regarding the principles used to guide their discourse, decisions,Code and discovered that there were two separate “camps” within theoversight, and governance activities. They would benefit fromboard. Most supported the decision to revise the Code. About a third a process that explicitly defines their ethical culture, describing “howof the board thought that revising the Code was “hooey,” and that things work on our board” so that a true common sense – a commonethics is simply common sense.understanding about the ethical underpinnings of the board – can bedeveloped and sustained.I started my presentation with a simple exercise 2 :“Raise your hand if you consider yourself to be an ethical person.” Boards that take the time to deliberate and reach consensus on thevalues upon which their operational culture rests have an advantage.Naturally, every hand went up. (Having done this countless times since, Once the values are agreed upon, the board can then go on to explore:I can report that in every instance, nearly every hand always goes up.The exceptions are those reluctant to participate, and those “testing” me, n how those values will manifest regarding how decisions get made;wanting to see what I might say/do if they do not raise their hand). n operational guidelines, such as what constitutes a “conflict ofHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org

interest” and how such conflicts ought be resolved; and,n how the board will balance the requirements of law, regulation,shared values, individual values, societal expectations, and organizationaleffectiveness in their collective decision-making.That is the ethics training for boards that I am proposing. Provide yourboard the opportunity to develop and then articulate a consensus–based set of principles, an “ethic” for their unique set of obligations.Two additional questions for your consideration:1. At a practical level, how do I, as an ethics/compliance professional,make the case to my board that ethics training is prudent; and,2. If my argument is successful, just what kind of ethics training domy board members need?The argument in support of ethics training could begin with the “ethicalperson” exercise, described above. It can help in making the casethat ethics is not simply a matter of applying one’s “common sense.” Itcan surface the advantages to your board of agreeing on the governingvalues and ethical standards that will define their dialog and decisionmaking.Finally, it can facilitate them agreeing on (and defining inconcrete, behavioral language) the values/principles that ought todefine their individual and collective actions as a board.The training could then explore how, individually and collectively,they might integrate that common sense into those actions andhow that common ethic will affect their choices. Simple cases couldillustrate how a values-based board addresses disagreements, potentialconflicts of interest, and pressures for the board and those they governto perform to expectations, such as those imposed by the media,shareholders, and financial markets.The training can conclude with an action planning session where thefacilitator takes them through the process of applying their agreeduponprinciples to real-life decisions.The outcome of this kind of training is a board that shares a commonvocabulary for discussing the ethics of their decisions and actions.They will also have a framework for assessing the ethics of thosedecisions (i.e., the degree to which a decision conforms to their statedvalues and principles). Finally, they will have a context for assessingthe ethics of the organization they are responsible for overseeing andagreed-to standards for describing what constitutes a strong ethicalculture against which to measure those actions. But….There is always a “but…”What your board needs to know about compliance and ethics, firstand foremost, is that they are not one and the same. Irrespective ofwhether the board chooses to engage in compliance training, ethicstraining is absolutely necessary—and not just so they can “checkthe box.” Every board is at risk if they are not clearly focused on theethical aspects of their working culture and if they are not absolutelycertain that they are meeting all of their ethical obligations. Relyingon the assumption that, “We are ethical people so we don’t need ethicstraining” is both foolish and dangerous.Among my favorite colleagues are some who have gone on record assuggesting that board ethics training is not needed. I contend thattheir remarks may apply to “compliance-oriented” training, but donot apply to training aimed at strengthening the ethical culture of theboard itself. In the above, I argue that ethics training (aimed at helpingboards facilitate and sustain a strong, values-based culture) makes asignificant contribution to the board, its members, and the organizationas a whole. I also suggest a process for making that activity bothpalatable to and effective for your board.My own experience, as the Chair of a small NGO and advisor tonumerous boards (including large, small, local, global, corporate,charitable and professional entities), strongly supports the contentionthat creating a strong ethical culture in a board ought not be trusted tochance. It requires a deliberate and conscientious effort of leadership tocommunicate and establish the values-basis for actions and decisionsin the boardroom. Inall but the rarest ofcases, that outcome isContact Us!more likely when theprocess is deliberate www.hcca-info.orginfo@hcca-info.organd facilitated.We call that “boardethics training.” n1. Susan Schultz: The Board Book:Making Your Corporate Board aStrategic Force in Your Company’sSuccess. AMACOM, 2000, page62. I include the details of the activityfor any readers who wouldlike to use this design in theirown organization or practice.Acknowledging its origin wouldbe appreciated.Fax: 952/988-0146HCCA6500 Barrie Road, Suite 250Minneapolis, MN 55435Phone: 888/580-8373To learn how to place an advertismentin Compliance Today, contactMargaret Dragon:e-mail: margaret.dragon@hcca-info.orgphone: 781/593-4924Health Care Compliance Association • 888-580-8373 • www.hcca-info.org31May 2011

May 201132Compliance issues inhospice and the risksof marketing in 2011By Deborah A. Randall, Esq.Editor’s note: Deborah A. Randall is a Health (OIG), hospice care is being analyzed by stateLaw Attorney and Telehealth Consultant, with Medicaid programs, the Medicare paymentthe Law Office of Deborah Randall, located in contractors (MACs), and special audits byChevy Chase, Maryland. She may be contacted Zone Program Integrity Contractors (ZPICs).by e-mail at drandall.solutions@comcast.net In some respects, these reviews may be theor by telephone at 202/257-7073. For more outcome of successful marketing of hospiceinformation, visit www.deborahrandall as a service, particularly in geographic areasconsulting.com.where competition is intense. However, asin the pharmaceutical industry, 4 marketingThe hospice industry is under itself can become an enforcement focus whenincreasing review by Congress, it promotes or facilitates kickbacks or otherthe Department of Health and fraudulent behavior. A recent case, U.S. ex relHuman Services (HHS), and the MedPac Landis v. Hospice Care of Kansas, 5 discussedCommission, due to the significant growth below, alleges an overly aggressive internalin the amount of Medicare dollars spent marketing program drove illegal hospiceand the perception of higher profit margins behavior.associated with long-length stays in hospicecare. MedPac pressed for a revised methodologyfor Medicare hospice reimbursement in hot spotsHospice compliance programs addressits 2010 Reports to Congress. In the Patient When hospices establish effective complianceProtection and Affordable Care Act of 2010 programs, they focus on at least several areasas amended, 1 Congress has called for HHS to of potential vulnerability.study the hospice payment levels of care,noting particularly “routine” homecare, and Terminal statusto address recommendations by 2013. Medicare pays for hospice care when a patientis within six months of death, if the illnessIn addition, enforcement investigations of proceeds in its normal course. There is noalleged abusive practices continue in several limitation in renewed certification periods, asareas of the country. In the past, investigators long as the forward-looking prognosis profilehave focused on the length of stay for hospice meets the statutory requirement. An effectivepatients, 2 the reliability of the terminal hospice compliance program must focus onillness designation at the time of hospice criteria for which patients are admitted toadmission to care, 3 and the incentives which care and the solidity of the case for terminalmay exist to expand hospice referrals among status, both initially and on-going intoinstitutional providers and physicians in the successive certification periods. Local coveragehealth system. In addition to criminal and determinations (LCDs), now uniform amongfalse claims investigations by the Department the MACs, have been accepted as firmof Justice and Office of the Inspector General guidance by the hospice industry. However,Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgLCDs are not always followed, nor arehospice physicians and medical directors insome providers as fluent as they need to be inthe documentation of terminal status throughLCD affirmation. Self-auditing is essential.Referral relationshipsBecause the competition in the hospice fieldhas increased, marketing to referral sources isextremely important. Referral relationships,especially between hospices and institutionalproviders (e.g., hospitals, nursing facilities,assisted living residences), are contributingto growth in hospice admissions. MedPacand OIG have identified the strength andappropriateness of the marketing by hospicecompanies as areas for review and possibleconcern.Admission and assessmentsThe assessments of patient status, terminality,and the medical necessity for hospice care aredriven by the federal regulatory frameworkof coverage and the Medicare conditions ofparticipation (CoP). However, admissions tohospice and the election of the hospice benefitare increasingly initiated by non-clinicalmarketing staff of hospices, who attempt toaccess patients through cultivating contactswith institutional discharge planning offices.Location of patient residenceWhere hospice patients call “home” haschanged dramatically in the last five years,with substantial increases in the numbers ofnursing home and assisted-living residentselecting hospice. There are complexitiesin having patient care subject to multipleregulatory systems of hospice and a nursingfacility. There are compliance concerns thatoverlapping services be avoided and thatfacilities not be provided inducements torefer long-term care patients to hospice care.Hospice patients do not currently pay co-paysfor services and the hospice pays for all drugs

elated to the terminal illness, so there is little necessity issue and a kickback concern, hospice physicians to ensure administrativeconsumer sensitivity. Medicaid hospice is if documentation suggests a higher level time is not misbilled as reimbursable, and toan optional benefit under state plans. When of care was not warranted. Contracts for provide auditing of any high intensity physiciana patient elects hospice, Medicaid pays the in-patient hospice care should be separatecoding when time with the patient mayhospice for the room and board care, which from contracts for hospices to render routine be very limited, both in the in-patient facilitythe hospice then passes to the nursing home hospice care to residents in a facility, so that and in any private home visits.to cover these services for residents. OIG there is no implication that the nursing facilityhas indicated this is not a per se kickbackwill allow the hospice on-site in return for The numbers of hospice physicians mustarrangement, as long as no additional services the lucrative in-patient services contract. remain reasonable and be justified by dutiesare provided free to the facility by the hospice n Marketing practices/materials of hospices and case load. The CMS Conditions ofand additional contracted services are not are reviewed by compliance officers before Participation for Hospices altered the priorsubject to inflated prices by the facility. 6 The the marketing staff of the hospice approachespractice of multiple “medical directors”Centers for Medicare and Medicaid Servicesnursing facilities, assisted living, and now states that there should be only(CMS) does not require nursing facilities to or group homes. MedPac sees a “correlation”one actual medical director who providesagree that all hospices can serve patients in aof long length of stay and “marketing “overall medical leadership” in the hospice,residence, simply because the resident or the deficiencies.” 7supervises other physicians, and performshospice may wish it. So, marketing to nursingnecessary certification reviews. CMS statedfacilities is fierce and pressures to offer “extras” Marketing to physiciansthat numerous physicians in the medicalcan take marketing to an illegal result. With the new face-to-face regulatory director role “would likely result in inconsistentrequirement that a hospice physician or nursecare and decreased accountability.” 9Compliance officer’s work listpractitioner must see a patient who is entering When a hospice chooses as medical directorAccording to the compliance officer’s work his or her third hospice certification period and a physician who is also medical director oflist for audit and training checklists related to determine continued eligibility, many hospices a nursing facility (which refers to hospice orthe OIG 2011 Work Plan, compliance officershave had to consider hiring physicians—as where hospice patients reside), due care mustshould ensure:contractors and per diem—to perform these be taken in discussing the issues of conflict ofn Services by hospices and by nursing facilitiesvisits. Generally, the visits are non-billable to interest and avoiding kickback implications.are distinct and appropriate.the Medicare program by the hospice, but they The corporate compliance officer should ben Aide services are not provided by hospices could be a new source of income to communityinvolved with discussions in the hospice priorin excess of the hospice resident’s need, orphysicians. The relationships also serve as to such contract opportunities being exploredat odd hours or overnight so that the nursing“marketing” opportunities for the hospice to with outside physicians.facility benefits in the support of other engage with physicians, and should be enteredpatients.into with care. It is also possible that some General hospice marketing tacticsn The CoPs of both facilities are adhered to, hospices may encourage physicians to perform In general, the hospice compliance officerand the contract between them meets the services in the face-to-face meeting to justify a should intervene when any of the followingregulations.billable visit for which the physician will thentake place, and if appropriate in the firstn Coordination of care and care plans demonstratealso be paid. Compliance officers should be place, still monitor the frequency, content,quality of care.alert to, and interview appropriate staff about, cost, and agenda for:n Service and payment arrangements betweensuch inept “marketing” of this encounter, n Office breakfasts and lunches at referralhospice and nursing facility are clear which could generate False Claims Act liability. sites to discuss the field of end of life,of kickback and inducement concerns.palliative and hospice care. These are commonn In-patient hospice care at a skilled nursingOIG has already been studying the patternsin community care where educationfacility (SNF) level in the nursing of billing by hospice physicians and theis important, but there must be restraintfacility (which will then receive a higher underlying justification for physician services and the kickback implications must bereimbursement) is not overly utilized. Inpatientto hospice patients. 8 Corporate compliance rigorously reviewed.hospice claims raise both a medical officers should review the contracting forContinued on page 35Health Care Compliance Association • 888-580-8373 • www.hcca-info.org33May 2011

We’re Changing the Way Healthcare Does Business.Find out how we can help you.MediTract’s Contract Management Solutionhelps healthcare organizations improve thevisibility of contractual obligations, enhancecompliance and streamline operations, allowingyou to focus on your primary objective- providing the highest levels of patient care.Comprehensive management of physician arrangementsOversight of vendor contracts and business critical documentsMonitor compliance with Stark II and HIPAA requirementsStreamline management and reduce operating costsSignificant Return on InvestmentChanging the Way Healthcare Does Business TM

Compliance issues in hospice and the risks of marketing in 2011 ...continued from page 33n What hospice performs as “communityeducation” and what is “coordination ofcare” in reference to physicians, nursingfacilities, and other referral sources.n Adherence to the specific educationalrequirements between hospice and nursingfacilities.n Avoiding providing CEU accredited coursesin which the hospice bears all the costs,including filing fees for non-employees ofthe hospice.n Offering continuous care to patients and“marketing” it to families and personalphysicians. This is a very limited benefit;it is not meant to be provided withoutevidence of medical necessity, and it easilycould be an illegal inducement (and is, insome markets).n Favoring in-patient transfers from hospitalto hospice in-patient unit, rather than todischarge patients to the home. Complianceofficers should stress that in-patient care isfor out-of-control pain under the Medicarebenefit. Hospitals are pressuring hospicesto enter into these “arrangements” to lowerthe hospitals’ death statistics and also toget relief from DRG reimbursementswhich may run out when the hospitalcares for patients at the end of life. Thisis a clear fraud and abuse concern and agrowing issue in hospice marketing.n Any free goods and services to patients.The hospice should not provide unusualhome support services, excessive nutritionsupplements or incontinence supplies toassisted living facilities, and babysitter orother services offered as an inducement topatients to select one hospice over another.Any pre-hospice “bridge” programs mustbe reviewed for kickback concerns.n Liaison arrangements when a hospiceworker is posted at a health facility tosmooth the acceptance of patients tohospice, but the hospice worker may becomedrawn into pre-admission dischargeplanning activities which only the facilityshould be performing (and bearing the cost).New cases on marketing in hospiceThe hospice field may see more investigationscome to the kind of prosecution unfoldingin Landis v. Hospice Care of Kansas. 5 In thatmatter, an internal marketing effort descendinginto illegal activity when the followingalleged activities, noted by the federal court,turned out to be substantiated:n Setting aggressive census targets for staffn Incentives and monetary bonuses formeeting the aggressive census targetsn Threatening staff with terminations/reductionsin hours if census fell below targetsn Instructing staff to inaccurately documentconditions of patients to appear appropriaten Procedures that delay/make dischargedifficultn Challenging or ignoring staff and physicianrecommendations to discharge patientsn Disregarding or ignoring complianceconcerns raised by an outside consultantConclusionBecause of the increased volume of hospiceservices, the complexities of relationships withother providers and the heated marketingcompetition for new admissions, complianceofficers with hospice service oversight needfocused priorities in 2011. n1 The Patient Protection and Affordable Care Act (PPACA, P.L. 111-148,March 23, 2010) as amended by the Health Care and EducationReconciliation Act of 2010, P.L. 111-152, March 30, 2010).2 For example, SouthernCare Hospice settled a fraud case focused onterminality and on long length of care for $24.7 million in 2009.The Corporate Integrity Agreement (CIA) may be found on the OIGwebsite at http://www.oig.hhs.gov/fraud/cia/agreements/southerncare_inc_01132009.pdf.3 For example, Odyssey Hospice settled a fraud case for $13 million in2006. The CIA may be found at http://www.oig.hhs.gov/fraud/cia/agreements/odyssey_healthcare_inc_07072006.pdf.4 Nova Nordisk issued a press release stating it was under investigation formarketing of drugs for off-label or non-FDA approved purposes. Thecompany is among many investigated, and large settlements were signedwith several companies in 2010.5 U.S. ex rel Landis v. Hospice Care of Kansas, U.S. D. Ct. Kansas, Case No.06-2455-CM, defendants’ motion to dismiss was denied on 12/7/2010.6 See OIG Compliance Program Guidance for Hospice, 64 FR 54031; October5, 1999. See also, http://oig.hhs.gov/fraud/docs/alertsandbulletins/hospice.pdf and OIG Updated Compliance Program Guidance for NursingHomes, http://edocket.access.gpo.gov/2008/pdf/E8-22796.pdf.7 Information taken from slides prepared by Kim Neuman, MedPacstaffer, for the January 14, 2011 MedPac Meeting, Washington DC.8 The OIG Work Plan for 2010 contained such a review topic. Seewww.oig.hhs.gov9 Preamble to the Final Revised Conditions of Participation for Hospices,73 Federal Register 32088 at 32138 (June 5, 2008) discussing 42 CFR418.102 Medical Directors. The Federal Register Preamble and revisedregulationare are available at http://edocket.access.gpo.gov/2008/pdf/08-1305.pdfHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org501 Ideas for YourCompliance andEthics ProgramJump-start your programwith SCCE’s best-sellingidea guide! Author JoeMurphy has spent hiscareer collecting greatideas for building an effectivecompliance and ethicsprogram. These practicaltips can have an immediate,lasting impact on yourorganization’s program.Visit the HCCA store at www.hcca-info.org, or call 888-580-8373.35May 2011

MentoringMay 201136Mentoring:Opportunities andchallengesBy Danna Teicheira, CHC, CCEPEditor’s note: Danna Teicheira is the PrivacyOfficer for St. Luke’s Health System in Boise,Idaho. She may be contacted by e-mail atteicheid@slrmc.org.Let’s face it—no matter what area ofcompliance you are working in, thecomplexity of the laws and regulationscan sometimes be daunting. Sometimes,the regulatory part of your job may seemclear, but bridging the gap between law andoperations can seem overwhelming. Or youmay be stuck on a problem and need a freshperspective to get you out of the rut you’rein. A mentor can help you find your waythrough the maze if you and the mentor sharea mutual understanding of what mentoringmeans. The definition of mentoring from theUniversity of South Carolina (USC) Collegeof Mass Communications & InformationStudies (CMCIS) Alumni Mentor Program 1will provide the platform for this discussion:Mentoring is a developmental partnershipthrough which one person shares knowledge,skills, information and perspective tofoster the personal and professional growthof someone else. We all have a need forinsight that is outside of our normal lifeand educational experience. The powerof mentoring is that it creates a one-of-akindopportunity for collaboration, goalachievement and problem-solving. 2Mentoring as developmental partnershipThere are rules of engagement when it comesto mentoring. Both parties (the mentor andthe mentee) must agree that the end goal ofthe “partnership” is for the mentee to gainknowledge that will allow him/her to developconfidence in decision making. When seekinga mentor’s assistance, be prepared to sharewhat knowledge you have about the issue. Ifyou really are “clueless,” then be transparent.However, if you can demonstrate what stepsyou took to answer the question, address theissue, and reach a resolution to the problem,then the mentor can gauge how much timeand effort may be involved in assisting you.As the definition says, mentoring is a developmentalpartnership; it evolves over time.Because I have had experience interactingwith mentors, there are preparatory activitiesI do (and recommend) before seeking amentor’s advice:n Clarify the question/problem/issuen Gather information and/or research to theextent possible, and have the informationavailable during the mentoring sessionn Develop a preliminary answer/alternatives/or resolutionWhat is and what is not mentoringAs Ann Marie Dinkel states in her article,“Mentoring: What it is and is not” 3 “Mentoringis not, in the strictest sense, training,coaching, or teaching. These tend to be shortterm and focused on specific items and goals.”If you are looking for a definitive answerto a specific question, that is not asking formentoring. On the flip side, if you are askeda definitive question, “Do you have a policyon….” or “Do you know where I can find…”then you not mentoring; you are simplyanswering a question.What can you learn from a mentor?You can learn how to problem-solve; you canHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orggain perspective; you can gain confidence inyour own abilities. In short, mentoring offerssubstantial benefits to the mentee. Here aresome examples of how mentoring helped meto grow personally and professionally:n Problem-solving: When I expressed frustrationabout dealing with a complianceissue, my mentor asked me to make a listof my “top 10” things I wanted addressed.It took time to develop that list. When Iwas done, we discussed each item, and Iwas asked to clarify what I meant. At theend of that phase of the problem-solvingsession, I had made quite a few changes,realizing that I what I listed were not reallythe issues I wanted addressed. Next, I wasasked to prioritize the list. That, too, tooksome time and discussion. I was askedto defend my prioritization. Then mymentor asked what items were “non-negotiable.”I chose six of the ten, and thosesix were addressed. Now I have largelyinternalized the process of clarifying andprioritizing issues. However, when I needadvice, I know what to pull together tobegin the discussion.n Perspective: When I was first learningto do investigations, I had a tendencywhen requesting more information to saysomething like: “From your comments itseems…” My mentor pointed out thatI was filtering the comments and ran therisk of skewing responses. Lesson frommy mentor: When investigating, askopen-ended questions and don’t makestatements that could “lead” an individualto an answer.n Confidence: Once I grasped the conceptof mentoring and how it could assist me,I enjoyed the information gathering andresearch I did (and still do) to prepare forthe mentoring session. As I learned tofocus on the issue and to articulate myconclusions, I gained confidence when myconclusions were validated. I also gained

confidence in knowing when to ask forassistance; I know when I’ve reached thelimit of my knowledge and resources.Internal mentor vs. external mentorMentors may or may not be individuals withinyour organization. Internal mentors have theadvantage of knowing the organizational goals.If you and your mentor have a shared understandingof the organization’s mission, vision,and values, the mentoring relationship has afirm development platform. “Mentoring canbe formal or informal. Many organizations,facing growth or the aging of a workforce, havedeveloped formal mentoring processes, matchingmentors and mentees based on organizationalneeds or common interests. Mentoringis also part of succession planning.” 3In contrast to the internal mentor, the externalmentor may provide a “new” perspective onissues. An external mentor must be sure todefine the boundaries of the relationship.The expectations of what information canbe shared should be clearly established. Thementor should take the lead on keeping thediscussion on a general level. The mentorshould be prepared to sever the relationship ifit crosses agreed upon boundaries.Where do you find external mentors? Well,HCCA is a primary source, as well as otherprofessional organization you have joined.Regional conferences, national conferences,and networking activities provide avenues forfinding mentors.Deann BakerI have to give a special nod to one externalmentor I had. Deann Baker was theCorporate Compliance and Privacy Officerof an organization I worked closely within one of my compliance positions. Theboundaries of our mentoring relationshipwere clearly defined: there would be nodiscussion of specific issues, but rather agradual expansion of my basic knowledgeof Privacy and general compliance. Deannshared resources she had gathered overthe years, and I credit her with “weaning”me off of a first review of secondarymaterials. Instead, she taught me to goto the primary regulatory source first. Inworking with Deann, I gained confidencein my ability to research issues and identifyissues. My problem-solving skills expandedwith Deann’s thoughtful and meaningfulguidance.Mentoring is a brainto pick, an ear tolisten, and a push inthe right direction.”John C. CrosbyA call for academia to participateThe importance of mentoring has filtereddown to the academic community. In February2011, Stephen Paulone included a call toaction in his article, “How We Make the NextGeneration of Compliance Leaders:” 4Academia has traditionally played a parentalrole in corporate compliance. Educatorstrain students on rules and regulations,and how to adhere to them. Butwith today’s rapidly changing regulatorylandscape, training alone is not enoughto prepare students to hit the groundrunning when they enter the corporatecompliance industry.Rather, academia needs to stir in a mentoringprogram—something that works closelywith the compliance industry to preparestudents for the world as it exists, and givesthem the basis for developing their moraland ethical compass to apply to whatevercompliance challenges they’ll face.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgPaulone notes that while colleges and universitiesare focused on rules and regulations,most institutions aren’t geared toward integrationwith a mentoring program. He offersthree suggestions for integrating academicswith mentoring:n Consequences: a focus on problemsolvingand applying logic and ethics whenconsidering the rules and regulationsn Practicality: a focus on “how regulationsplay out in actual business settings”n Responsibility: a focus on students understandingand accepting accountability, aswell as understanding that they can be anagent for changeTo incorporate mentoring into the curriculum,Paulone suggests reaching out to complianceprofessionals and incorporating guest lecturers,peer reviews, and business advisory boardsinto the academic programs. The goal of thispartnership would be to develop “independentthinkers who can apply their knowledgeand skills to the ever-changing regulatorylandscape.” 4What can you gain from being a mentor?Mentoring is not an activity that appeals toeveryone. However, if you have the time,mentoring can bring you personal and professionalsatisfaction. On the professional side,mentoring challenges the mentor to draw uponresources and knowledge to provide guidance;mentoring can be regarded as a “self-refresher”course. While the mentee gains confidence,the mentor can also get a confidence “boost”from a successful mentoring session.Mentoring relationships can also develop intofriendships. I have had the good fortune todevelop lasting friendships with two of myformer mentors; Deann, of course, is oneof those friends. I’m happy to say she hasbeen elected to the HCCA Board, so herContinued on page 3837May 2011

Coming to Your Area in 2011HCCA RegionalConferencesLearn from local experts in your fieldEffective local networking opportunitiesInexpensive local education and networking on keycompliance topicsUpper North Central | May 6 | Columbus, OHUpper North East | May 20 | New York, NYMentoring: Opportunities and Challenges...continued from page 37knowledge and skills will now benefit theorganization. To all of those mentors I’ve hadduring my ten years of working in compliance(and I think they know who they are), Ican only say, “Thank you for your guidanceand the opportunity to grow personally andprofessionally.” n1 University of South Carolina CMCIS Alumni Society Mentor Progam.Information available at http://cmcismentorprogram.wordpress.com/mentoring-program-manual/2 Amanda Stone: Definition of mentoring. USC CMCIS Alumni SocietyMentor Program. Available at http://cmcismentorprogram.wordpress.com/mentoring-program-manual/definition-of-mentoring/3 Ann Marie Dinkel: “Mentoring: what it is and is not.” Available athttp://www.alnmag.com/article/mentoring-what-it-and-not?page=0,0 Seealso: http://www.alnmag.com/article/training-counseling-coaching-andmentoring4 Stephen Paulone: How we make the next generation of complianceleaders. Corporate Compliance Insights, February 14, 2011. Available athttp://www.corporatecomplianceinsights.com/2011/how-we-make-thenext-generation-of-compliance-leaders/Pacific Northwest | June 10 | Seattle, WAWest Coast | June 17 | Newport Beach, CANew England | September 9 | Boston, MAUpper Midwest | September 16 | Minneapolis, MNMidwest | September 23 | Kansas City, MONorth Central | October 3 | Indianapolis, INEast Central | October 14 | Pittsburgh, PAHawaii | October 21 | Honolulu, HIMountain | October 28 | Denver, COMid Central | November 4 | Louisville, KYDesert Southwest | November 18 | Scottsdale, AZSouth Central | December 2 | Nashville, TNLearn more andregister now atwww.hcca-info.orgBe Sure to GetYour CHC CEUsArticles related to the quiz in this issue ofCompliance Today:n CMS shifts from “pay and chase” toproactive fraud prevention—ByAnna M. Grizzle and Krista L. Cooper,page 6n Auditing services for Medicarepatients enrolled in clinical trials—By Deborah Johnson, page 22n Compliance issues in hospice andthe risks of marketing in 2011—ByDeborah A. Randall, page 32To obtain one CEU per quiz, go to www.hcca-info.org/quiz and select a quiz. Fill inyour contact information and take the quizonline. Or, print and fax the completedform to CCB at 952/988-0146, or mail itto CCB at HCCA, 6500 Barrie Road, Suite250, Minneapolis, MN 55435. Questions?Please call at 888/580-8373.Each CEU quiz is valid for 12 months,starting with the month of issue. Only thefirst attempt to pass each quiz is accepted.May 201138Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Requests forinformation: Don’tlet PHI includeprosecution andincarceration!Editor’s note: Larry Levine is Vice President,Corporate Compliance with Mercy HealthSystem in Baltimore, Maryland. For additionalinformation regarding requests for information,or for sample forms, contact Larry either bye-mail at llevine@mdmercy.com or by telephoneat 410/332-4877.How many requests for patientinformation does a hospital receiveevery day? How about a solopractitioner? Whether one works for a largefacility or a small office, protected healthinformation (PHI) must be disclosed uponrequest, and the Health Insurance Portabilityand Accountability Act of 1996 (HIPAA)controls how it is disclosed.For those entities using an outside contractorto perform the task of processing PHIrequests, it is important that complianceprofessionals monitor the performance ofthe contractor and understand the rules fordisclosing PHI. If PHI requests are handledin-house, it may be the responsibility of thecompliance or privacy officer to implementthe process and ensure that PHI is disclosedin accordance with entity policies, HIPAA,and state or local regulations.If a HIPAA-covered entity has not reviewedthe process for responding to requests forBy Larry Levine, CHC, CPC, CPC-Hdisclosure of PHI, the review can be donewith a minimum amount of difficulty. Thebenefit of a review is knowing that PHIrequests will be processed appropriately andin a timely manner.The best place to start is by gathering theappropriate team to work on the project. Thenumber of members on the team will dependon the size and scope of the entity. Examplesof members may include but are not limitedto the following:n Compliance officersn Privacy officersn Directors of Health InformationManagement (Medical Records)n Coding managersn Billing managersn Physician practice managersn Legal counselOnce the team has been assembled, the discussionshould start by deciding if the goal isto have an outside contractor process requestsfor PHI, or to process the requests in-house.For those entities that decide to have acontractor process PHI requests, interviewseveral contractors and be sure to interviewreferences as well. Make sure the contractorunderstands the needs of the entity, andhas the knowledge and expertise to processPHI requests quickly, efficiently, and legally.Continued on page 41Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgLegal counsel should review the contractor’sagreement, and make sure that the appropriateBusiness Associate language is part of thecontract or an addendum to the contract. Thecontractor’s performance must be audited ona regular basis, perhaps monthly for the firstthree months, then quarterly for the balanceof the year and thereafter.If an in-house team will be processingrequests for PHI, there are three importantdocuments that any team must have: aRequest for Information form, a form toreview requests for information, and adocument to respond to non-compliantrequests for information. These forms caneasily be made using Microsoft Word and/or Microsoft Excel. In addition to HIPAArequirements, be sure to review state and locallaws before creating the forms. Remember,state and local laws supersede HIPAA if thelaws provide patients with greater privacyrights, greater access to information, orgreater privacy protections.Request for Information formThe Request for Information form shouldinclude the following information:1. Name of the specific provider or medicalfacility from which the patient is requestinginformation.2. The patient’s demographic information:n Name (last name, first name, middleinitial)n Street addressn City, state, ZIP coden Home phone numbern Work phone numbern Mobile phone numbern Medical record numbern Social Security numbern Date of birth39May 2011

CTfpAD:Layout 1 2/3/11 3:59 PM Page 1Let's you and I talk about effectiveHealthcare Corporate & HIPAA compliance trainingfor your staff, contractors, and physiciansHealthcare facilities that are serious abouttraining and educating their staff chooseeHealthcareIT and PricewaterhouseCoopers.We don’t need to tell you, healthcare compliance is a veryserious business. In fact, one of the greatest risks to consider in2011 is the increase in targeted healthcare fraud enforcementefforts by the government’s Health Care Fraud Preventionand Enforcement Action Team (HEAT).ExpertisePricewaterhouseCoopers’ Health Industries Practice andeHealthcareIT is comprised of highly qualified healthcareprofessionals specializing in regulatory compliance. Includedwithin this group of professionals are physicians, registerednurses, certified coding specialists, registered recordsadministrators, certified public accountants and attorneys.You know as wellas we do that onesize does not fit all:• Over 100 engaging,department specificHIPAA Compliance,Clinical ResearchCompliance, andCorporate Compliancecourses.• Customization that allowyou to embed yourpolicies, procedures,welcome messages, sitespecific pictures and“contact information”.• Department specific topicsensures that your staffwill receive complianceeducation geared specificallyto their needs andresponsibilities.Your compliance educationshould not be a matinee atthe movies. ContacteHealthcareIT for furtherinformation or consultation.Engaging & Practical LearningReliable, engaging, IT friendly and up to date content is keyto a successful compliance education program, which is whateHealthcareIT brings to the table.eHealthcareITe L e a r n i n g & I T S o l u t i o n semail: info@ehealthcareit.comor call 1-800-806-0874.www.ehealthcareit.com

Requests for information: Don’t let PHI include prosecution and incarceration! ...continued from page 393. The authorization statement. Example:protected by federal law, but may be n NotificationsI, the undersigned, hereby authorize the protected under (name of state) law. o Patients may revoke the request in writing(above/below) named provider or medical n The patient is free to revoke this authorizationo PHI disclosed prior to the revocation isfacility to disclose in writing to the individual,at any time by submitting a written not covered by the revocationentity, facility, or company named request to the entity/provider disclosing o Treatment, payment, enrollment, and/(above/below) my PHI contained in my the PHI. Any uses or disclosure of my PHI or eligibility is not conditioned uponmedical record. I further authorize the prior to receipt of the revocation cannot be the request for information(above/below) named provider or medical reversed and will not beo PHI disclosed as a result of the requestfacility to disclose my PHI electronically covered by the revocation.may be re-disclosed and may no longerand/or discuss my PHI verbally with the 4. The patient or the patient’s legally appointed be protected by privacy lawsindividual, entity, facility, or company representative’s signature. If a legally n The request for information does notnamed (above/below). I hereby authorize appointed representative signs the form, appear to be alteredthe disclosed PHI to include:documentation establishing the authorityn The authorization has not been combined ton The list of records requested (e.g.,of the legally appointed representative make a compound authorizationclaims, progress notes, radiologyshould be included with the request (e.g.,records, any and all records).Power of Attorney for Health Care, Other items on the checklist will apply only ton The beginning and ending dates covered Letters of Administration).certain populations, and will have requirementsby the request.that vary from jurisdiction to jurisdiction:n The purpose of the request (e.g., The review of a Request for Information form n Minor patientscontinued medical care, insurance Not all requests for information will be n Emancipated minorsapplication).HIPAA-compliant and/or compliant with n Requests signed by persons other than then Additional information (Be sure to state and/or local regulations. When requests patient (e.g., lawyers, insurance companies)check state and local laws to ensure for information are processed in-house, it is n Workers’ compensationall notifications and restrictions are important to make it as easy as possible for n Subpoenasincluded in this section.)staff to evaluate whether a request is compliant.o The PHI requested may include diagnosisThe easiest way for staff to evaluate a The review form should be signed and datedand treatment information, HIV request for information is to develop a checklistto authenticate who processed the request. Instatus, mental health information,that includes all of the required elements. addition, there should be a place on the formalcohol and substance abuse information,The staff can then compare the request for the reviewer to document whether theand genetic testing results. received against the checklist. There will be Request for Information form submitted waso Whether the patient signs this many items on the checklist that will apply approved or rejected. For approved Requestauthorization or not, the patient will to all requests, including:for Information forms, the review formstill receive all the treatment he/she is n Legibilityshould include the date that the PHI was sententitled to from the provider/facility. n Patient demographics sufficient to identify as requested. For rejected forms, a Responseo This authorization will expirethe patientto a Request for Information form should be(length of time) after the date of n Specificity of PHI requestedsent to the requestor.the patient’s signature below unless n Specificity of individual, entity, or facilitya shorter time period is stated here requested to release the PHIResponse to a Request for Information form___________________. (Must be a n Specificity of individual, entity, or facility Once a review of a Request for Informationtime period or date, not an event or receiving the PHIform has been created, it is easy to createcondition).n The purpose for disclosing the PHI a Response to a Request for Informationo Information used or accessed under n The request is signed and dated within a form. The response form should include thethis authorization may be re-disclosed certain time period, as required by law patient’s name and the name and address ofby the recipient and no longerthe requestor(s). Then, it’s almost as easy asContinued on page 45Health Care Compliance Association • 888-580-8373 • www.hcca-info.org41May 2011

May 201142Cold calls, hotlines: DMEPOStelemarketing andbeneficiary contactBy Nathaniel Lacktman, Esq., CCEP; and Heidi Sorensen, Esq.Editor’s note: Nathaniel (Nate) Lacktman isSenior Counsel in the Tampa office of Foley &Lardner LLP and a member of the Health CareIndustry Team. He advises DMEPOS suppliersand manufacturers on a range of business andregulatory issues. Nate may be contacted bye-mail at nlacktman@foley.com.Heidi Sorensen is Of Counsel in the WashingtonDC office of Foley & Lardner. She is the formerChief of the Administrative & Civil RemediesBranch in the Office of Counsel to the InspectorGeneral at the Department of Health & HumanServices. She advises DMEPOS suppliers andmanufacturers on a range of business and regulatoryissues. Heidi may be contacted by e-mailat hsorensen@foley.com.This article is the first in a series on DMEPOSmarketing compliance by Foley & Lardnerpublished in Compliance Today. Next month,the authors will develop this topic by providing apractical summary of the various telemarketingrules, strategic advice for DMEPOS telemarketing,and guidelines for applying the rules toreal-world situations. Subsequent articles willdiscuss DMEPOS marketing arrangements underthe Anti-kickback Statute, HIPAA, practicalsolutions for obtaining beneficiary consent tomarketing, and strategies for allowable crosspromotionand co-promotion of DMEPOS items.Suppliers of durable medical equipment,prosthetics, and orthotic supplies(DMEPOS), whether home carecompanies, mail-order suppliers, or manufacturers,provide an important service to amedically-frail group of people. The Medicarepopulation, in particular, constitutes animportant customer base and a significantsource of revenue for DMEPOS suppliers.Understandably, suppliers continue to seeknew ways to reach out to Medicare beneficiariesand grow their customer base. However,agencies such as the Centers for Medicareand Medicaid Services (CMS) and the Officeof Inspector General (OIG) have announcednew restrictions on how DMEPOS supplierscan conduct telemarketing activities andsolicit beneficiaries.The Telemarketing StatuteThe Telemarketing Statute 1 prohibits suppliersfrom making unsolicited telephone calls toMedicare beneficiaries regarding the furnishingof covered DMEPOS items unless one ofthree exceptions apply. The statute does notapply if:n the beneficiary has given the supplier writtenpermission to contact him/her by telephone;n the supplier has already furnished acovered item to the beneficiary andthe supplier is contacting the beneficiaryregarding the furnishing of thatitem; orn the supplier has furnished at least onecovered item to the beneficiary during thepreceding 15 months, in which case thesupplier may discuss or promote othercovered items with the beneficiary.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgA point of caution: a supplier cannot avoidapplication of the statute by contractingwith a third-party vendor or telemarketingcompany. The statute also applies to vendorsor agents working on the supplier’s behalf. Ifthe vendor violates the telemarketing statute,both the vendor and the supplier can be heldresponsible.The penalties for violating the statute canbe severe. If a supplier knowingly submits aclaim for an item in violation of the statute,CMS must deny payment. Violations of thestatute, particularly a pattern of violations,can expose suppliers to potential civil, criminal,and administrative penalties, includingexclusion from participation in federal healthcare programs.OIG Guidance and Updated Special Fraud AlertOIG has long cautioned suppliers againstimproper telemarketing practices and noted,in its DMEPOS Compliance ProgramGuidance, 2 that suppliers are prohibitedfrom making unsolicited telephone contactto Medicare beneficiaries. OIG also issueda 2003 Special Fraud Alert 3 reiterating theprohibition on unsolicited telemarketing.Both publications reference the TelemarketingStatute but do not expand on the scope of thestatutory language.In 2010, OIG issued an Updated SpecialFraud Alert on DMEPOS telemarketing,drawing attention to the telemarketing activitiesof independent marketing firms that makeunsolicited telephone calls on behalf of suppliersto Medicare beneficiaries to market the suppliers’products. 4 In the updated alert, OIGexplained that the practice violates the TelemarketingStatute because “suppliers cannotdo indirectly that which they are prohibitedfrom doing directly.” OIG has indicated thatthe need for the Special Fraud Alert grewdirectly out of ongoing enforcement activities

it was undertaking in conjunction with theDepartment of Justice (DOJ).Asked Questions (FAQs) regarding telemarketing.The CMS FAQs differed from theOIG alert, and many believed CMS tookthe part of the supplier whether to collectand obtain such documentation for theirrecords.”The updated alert took the position that,when a physician sends a supplier the writtenor verbal order for a beneficiary, and the suppliercalls the beneficiary regarding that order,such telephone contact is a violation of theTelemarketing Statute. OIG reasoned that “aphysician’s preliminary written or verbal orderis not a substitute for the requisite writtenconsent of a Medicare beneficiary.”a more reasonable interpretation consistentwith how the DMEPOS industry operates.The fact that CMS responded with differingguidance so quickly after the OIG’s release ofthe Updated Special Fraud Alert suggests thatOIG and CMS did not coordinate prior tothe OIG release. The CMS FAQs includedthe following guidance:n If a supplier returns a beneficiary’sphone call, the supplier’s contact is notn If a supplier makes solicited contact with abeneficiary for a particular covered item,the supplier cannot speak with thebeneficiary about other covered itemsduring that same contact. This generallyapplies to new customers because, after thesupplier has provided a covered item tothe beneficiary, the supplier may then subsequentlycontact the beneficiary to offerother covered items in accordance with theA number of industry representatives criticizedthe OIG’s position, because it is commonpractice for physicians to send orders directlyto the supplier. Requiring physicians to obtaina beneficiary’s written consent for each newpatient could be a challenging task, particularlybecause the already busy physicians haveno incentive to add this step to theirpaperwork process. It would be similarlychallenging to require the supplier to obtainthe written consent. For example, it wouldbe impractical, costly, and inefficient for asupplier, after receiving the physician order, tothen mail a written authorization card to thenew patient and wait for a signed responsebefore contacting the patient by telephone toarrange for delivery of the ordered item.unsolicited.n If a physician contacts a supplier on behalfof a beneficiary and with the beneficiary’sknowledge, and a supplier then calls thebeneficiary to confirm or gather informationneeded to provide that particularcovered item (including delivery and billinginformation), then that contact is notunsolicited. The beneficiary need only beaware that a supplier will be calling him/herregarding the covered item, recognizingthat the appropriate supplier might notbe identified at the time of the physician’sconsultation. This guidance providedflexibility, because the physician need notinform the patient that a specific supplierwill call the patient. It also did not requirea physician to obtain the beneficiary’sexceptions in the Telemarketing Statute.The CMS FAQs elucidated a reasonableposition consistent with existing businesspractices and the Telemarketing Statute,and provided useful and practical guidanceto DMEPOS suppliers. OIG indicatedboth informally, and through a cover letterdistributing the FAQs to suppliers that itwould defer to these interpretations by CMS.However, the CMS FAQs differed from theOIG’s published position and, moreover,CMS continued to change its position inthe regulations and a second set of FAQs, asdiscussed in detail below.New regulations and Preamble commentaryIn August, 2010, CMS released finalFrom a legal perspective, it is unclear whetherthe OIG’s expanded interpretation isadequately rooted in the language of the TelemarketingStatute and, at the time the updatedalert was issued, no regulations were in place.From an operational perspective, the OIG’sinterpretation would likely result in significantdelays before patients could receive theirprescribed items, thereby limiting beneficiaryaccess to essential Medicare-covered items.written consent.n If a supplier calls a beneficiary based solelyon the physician order, but the beneficiarydid not know a supplier would call him/her,that call would be unsolicited contact. Thephysician must let the beneficiary knowthe physician will send the order to aDMEPOS supplier and a supplier will callthe beneficiary.n A supplier is not required to collect andmaintain documentation from the physicianregulations updating the DMEPOS supplierenrollment standards. 6 The regulationsintroduced new telemarketing rules, imposedstricter program standards for suppliers, andimplemented many of the standards in CMS’2008 proposed regulations. 7 The regulationstook effect on September 27, 2010 and allsuppliers must meet these standards.The Preamble to the regulations containstwelve comments regarding telemarketingCMS response to Updated Special Fraud AlertA month after the OIG released its updatedreflecting that the physician informed thebeneficiary that a supplier will call. CMSand beneficiary contact. CMS’s comments inthe Preamble are consistent with its FAQs;alert, CMS responded by issuing Frequently stated “It would be a business decision onContinued on page 44Health Care Compliance Association • 888-580-8373 • www.hcca-info.org43May 2011

Cold calls, hot lines: DMEPOS telemarketing and beneficiary contact ...continued from page 43May 201144namely, while a Medicare beneficiary mustknow that a supplier will be contacting him/her, nowhere did CMS state that the referringphysician must obtain the beneficiary’s writtenpermission. For example, CMS stated:[A] supplier may contact a beneficiaryif a physician contacts a DMEPOS supplieron behalf of a beneficiary with thebeneficiary’s knowledge, and then a suppliercontacts the beneficiary to confirmor gather information needed to providethat particular covered item (includingdelivery and billing information). In thatinstance, the contact would not be considereda direct solicitation and therefore,would not implicate [the TelemarketingStatute].However, CMS also stated it considers theTelemarketing Statute to apply not only tosolicitation by telephone, but also by “e-mail,instant messaging, or in-person contact.”That position represented a significant expansionon the statutory language. Althoughe-mail and instant messaging may arguablybe sufficiently similar to telephone calls tobe a reasonable extension of the statute,CMS offered no basis to support its positionthat the prohibition on telephone contactwould also ban in-person contact. OIG haspreviously expressed concerns with in-persondirect marketing, but that OIG positioncannot serve as the basis for expanding thestatute.In addition, the regulation required that areferring physician obtain written permissionbefore the supplier may contact the beneficiary.It required that “[t]he individual has givenwritten permission to the supplier or theordering physician or non-physician practitionerto contact them concerning the furnishing ofa Medicare-covered item that is to be rentedor purchased.” (emphasis added)Yet, the Telemarketing Statute has always heldthat if a beneficiary gives written permissionto a supplier, the supplier may contact thatbeneficiary. It seemed to many that thelanguage “or the ordering physician or nonphysicianpractitioner” was misplaced and didnot belong in the regulation because it meanta physician must obtain written permission(not simply inform the beneficiary) before thesupplier could contact the beneficiary.CMS could have expressed a more consistentposition by deleting the language “orthe ordering physician or non-physicianpractitioner.” Suppliers could then refer to thePreamble to understand that the beneficiarymust know that a supplier will contact him/her. This approach would have remedied theinconsistency between the regulations andthe FAQs and Preamble, and provided clearinstruction to suppliers who receive ordersfrom referring physicians. This approachwould also have been also consistent with currentindustry practices and standards. Instead,the regulation triggered the same concerns asthe OIG’s Updated Special Fraud Alert, andsuppliers were concerned that a requirementfor written permission would be burdensome,costly, and cause potential delays for Medicarebeneficiaries.CMS 2011 FAQsCMS received a number of critical responsesto the regulations and, in January 2011,issued updated FAQs addressing the industryqueries. 8 For suppliers, these 2011 FAQswere even more problematic than theregulations. CMS seemed to take someinexplicable and highly unfavorable positionsregarding telemarketing and beneficiarycontacts, including:n The 2011 FAQs expanded telephonecontact to include mailings made throughthe US Post Office. The 2011 FAQsprohibit “targeted mailings to specificbeneficiaries,” although “general massadvertising” is allowed. CMS offered noexplanation of what those terms mean orhow the Telemarketing Statute could applyto direct mail.n A supplier may not contact a beneficiarybased solely on a physician order unlessthe physician obtains the beneficiary’swritten permission. This position is consistentwith the language of the regulation,but differs from the guidance in CMS’previous FAQs.n If a supplier makes solicited contact witha beneficiary for a particular covered item,the supplier cannot speak with the beneficiaryabout other covered items duringthat same contact. This position is largelyconsistent with CMS’ previous FAQs.n For companies with multiple subsidiaries,if one subsidiary is permitted to contacta beneficiary (e.g., by written permissionor by previously providing covered items),a related company under the same parentcorporation may not make contact withoutseparately meeting one of the exceptionsin the Telemarketing Statute. Even if allthe subsidiaries are enrolled DMEPOSsuppliers, CMS seems to view each as aseparate entity and require each to meet anexception to the Telemarketing Statute inorder to contact beneficiaries.Rather than providing clarity, the 2011 FAQsserved to increase confusion about CMS’restrictions on telemarketing and beneficiarysolicitation.Revised regulationsOn April 4, 2011, CMS released a proposedrule revising supplier standards, particularlysupplier standard 11. 9 CMS acknowledgedthat its expanded interpretation had beencriticized as overly broad and prohibitedmarketing activities in a manner that wouldbe unfeasible for DMEPOS suppliers toHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org

implement. CMS indicated that it willfurther investigate how to address its concernsof abusive DMEPOS marketing practices. Inthe interim, CMS will instruct its contractorsto apply the restrictions on telephonesolicitation that were in effect prior to theAugust 2010 regulations (rather than all typesof beneficiary solicitation and contact).The current proposed rule deletes the referenceto direct solicitation and instead focuseson telemarketing, tracking the exceptionsunder the Telemarketing Statute. It alsodeletes the language that requires a referringphysician to obtain the beneficiary’s writtenpermission. CMS did not include any commentsregarding its 2010 or 2011 FAQs, norhow suppliers should interpret the proposedregulations in light of those FAQs , nor whichFAQs still remain in effect.ConclusionThe changing landscape and conflictingguidance has led to much confusion amongDMEPOS suppliers regarding telemarketingand beneficiary solicitation. Penalties forfailing to comply with the telemarketing rulesare severe. Because these rule changes havea significant impact on suppliers’ businessoperations and marketing efforts, it is imperativefor suppliers that serve Medicare beneficiariesto be aware of the restrictions. Despitethe confusion, the various guidance can beboiled down into a manageable set of practicalrules suppliers can use in their marketingactivities, particularly as new communicationtechnologies and marketing approacheschange these activities. Next month’s articlewill set forth those practical rules, apply themto a series of real-world DMEPOS marketingsituations, and highlight key opportunitiesand approaches suppliers can take whilestill complying with the telemarketing andbeneficiary solicitation rules. n1. Section 1843(a)(17)(A) of the Social Security Act; 42 U.S.C. §1395m(a)(17)(A).2. 64 FR 36368, 36380 (July 6, 1999).3. 68 FR 10254 (Mar. 4, 2003).4. 75 FR 2105 (Jan. 14, 2010).5. Available at www.cms.gov/MedicareProviderSupEnroll/Downloads/DME%20Supplier%20Telemarketing%20FAQ.pdf.6. 75 Fed. Reg. 52629 (Aug. 27, 2010).7. 73 Fed. Reg. 4503 (January 25, 2008) (proposed rules); 42 C.F.R. §424.57(c) (supplier standards).8. Available at www.palmettogba.com/Palmetto/Providers.Nsf/files/FAQS6036FINAL.pdf/$File/FAQS6036FINAL.pdf.9. 76 Fed. Reg. 18472 (April 4, 2011)Requests for information: Don’t let PHI include prosecutionand incarceration! ...continued from page 41copying the review form onto the responseform. Once the copy-and-paste is completed,add citations of applicable federal or state lawwhere appropriate. This last recommendationis particularly important when rejectingrequests from attorneys and insurancecompanies. It is very helpful for attorneyand insurance company requests, particularlythose from out-of-state, if the requestor isprovided with specific information aboutwhy the request was rejected.ConclusionRequests for information can be a timeconsumingheadache for any health careorganization. However, with the help of theright team members, and the design andimplementation of effective forms, the taskcan be streamlined, and the risk of improperdisclosure of PHI can be significantlyreduced. nThe Health Care ComplianceProfessional’s ManualWith Annual Subscription Service• Hard-copy subscribers receive quarterly updates• Internet subscribers receive updates as soon as they are issuedPublished by CCH and HCCA Members: $369/year Non-members: $409/yearThe Health Care Compliance Professional’s Manual gives you all the tools you need to plan and execute a customizedcompliance program that meets federal standards. Available via print or the Internet, the Manual walksyou through the entire process, start to finish, showing you how to draft compliance policies, build a strongcompliance infrastructure in your organization, document your efforts, apply self-assessment techniques,create an effective education program, pinpoint areas of risk, conduct internal probes and much more.To order, visit the HCCA website at www.hcca-info.org, or call 888-580-8373.Health Care Compliance Association • 888-580-8373 • www.hcca-info.org45May 2011

Face-to-faceencounter requiredfor home health andhospiceBy Whitney Magee Phelps, Esq.; Francis J. Serbaroli, Esq.;Nancy Taylor, Esq.; and Alex T. Paradiso, Esq.Timing for face-to-face encounterThe final regulation allows the face-to-faceencounter to occur up to 90 days prior to thestart of the home health service. Alternatively,if no encounter is made before the start ofservices, then a face-to-face encounter mustoccur within 30 days after the start of homehealth services. In either case, the face-to-faceencounter must relate to the patient’s need forhome health services.May 201146Editor’s note: Whitney Magee Phelps is OfCounsel, Francis J. Serbaroli is a Shareholder,Nancy E. Taylor is a Shareholder, and Alex T.Paradiso is an Associate, all with the GreenbergTraurig, LLP law firm.Whitney Magee Phelps may be contacted bytelephone in Albany, NY at 518/689-1427 orby e-mail at phelpsw@gtlaw.com. Francis J.Serbaroli may be contacted in New York Cityby telephone at 212/801-2212 or by e-mail atserbarolif@gtlaw.com. Nancy E. Taylor maybe contacted in New York City by telephone at212/331-3133 or e-mail at taylorna@gtlaw.com.Alex T. Paradiso may be contacted in Albany,New York by telephone at 518/689-1486 or bye-mail at paradisoa@gtlaw.com.The Patient Protection and AffordableCare Act (PPACA) creates newconditions of participation in theMedicare program. Specifically, PPACArequires that before ordering home healthand hospice services or durable medicalequipment (DME), a physician or otherauthorized practitioner must document andcertify that a face-to-face encounter with thepatient took place.On November 17, 2010, the Centers forMedicare and Medicaid Services (CMS)released final regulations that address theface-to-face encounter requirements forhome health and hospice services, includingthe time frame within which the encountermust occur and the documentation standardsrequired. 1 Accordingly, compliance officersfor home health agencies (HHA) and hospiceproviders must ensure compliance with theregulations, as summarized in this article.Home health servicesPhysicians have always been required tocertify a patient’s eligibility for home healthbenefits. In an effort to achieve greateraccountability for the home health benefit anda patient’s plan of care, PPACA now requiresthat the physician responsible for performingthe initial certification or an otherwiseauthorized non-physician practitioner (NPP)conduct a face-to-face encounter with thepatient. This encounter is a condition of paymentapplicable to the initial certification—notsubsequent re-certifications. The face-to-faceencounter, which can be accomplished viatelehealth (as defined in 42 USC §1395m(m)),must also be documented and certified bythe physician.Who can perform the encounter?Either the certifying physician or an NPP canperform the encounter. An NPP is definedto include a: (1) nurse practitioner or clinicalnurse specialist working in collaboration withthe physician in accordance with state law;(2) certified nurse midwife, as authorized bystate law; or (3) physician assistant, under thesupervision of the physician.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgDocumentationIn addition to certification of eligibility forhome health services and the face-to-faceencounter, the physician must documentthat the face-to-face encounter occurred.Such documentation must indicate thatthe encounter related to the primary reasonfor home health services and provide theclinical findings to support the conclusionthat the patient is homebound and in needof intermittent skilled nursing or therapyservices. The certifying physician must documentthe face-to-face encounter, regardless ofwhether the physician or an NPP performedthe encounter. If the encounter is performedby an NPP, then the NPP must also providethe clinical findings of the encounter andcommunicate those to the certifying physician.CMS proposes that documentation of theencounter be a separate and distinct sectionor an addendum to the certification andinclude the title, date, and signature of thecertifying physician.These requirements are a condition ofpayment; therefore, HHAs are ultimatelyresponsible for ensuring that documentationof the encounter exists. It is anticipatedthat Medicare Program Integrity SafeguardContractors will monitor compliance withall of these provisions. As such, HHAcompliance officers should ensure that eachmedical record contains: (1) a physicianplan of care, (2) a physician-signed order,

(3) a physician-signed certification, and (4)a physician encounter that is documented ineach medical chart when home health servicesare ordered. In the absence of such documentation,payment made may be denied orrecouped. Furthermore, compliance officersshould ensure that a physician or an NPPwho has a financial relationship with an HHAdoes not conduct the face-to-face encounter,unless an exception exists.hospice patients who enter the third or laterbenefit period in 2011. The benefit periodincludes total stays across all hospices that areanticipated to reach the third benefit period.However, the rules apply only to Medicarehospice patients, so non-Medicare stays arenot considered part of the benefit period forpurposes of calculating the timing of the faceto-faceencounter. An additional face-to-faceencounter is required at least 30 days prior toeach subsequent recertification.encounter. The certification and recertificationmust be signed and dated by thephysician and include the benefit perioddates to which the certification applies.n If the physician is the clinician whoperformed the encounter, then the samephysician must compose the narrative andsign the recertification.n Electronic signatures are permissible forthe certification, recertification, narrative,and attestation of the face-to-faceHospice servicesTo ensure adequate accountability for hospicebenefits, Section 3132 of PPACA requiresthat, beginning on January 1, 2011, a hospicephysician or nurse practitioner (NP) conductsa face-to-face encounter with every hospicepatient prior to the 180-day recertification todetermine continued eligibility, and for eachsubsequent recertification, and attests thata visit occurred. As is the case with homehealth services, a physician must certify andrecertify a patient’s eligibility for hospice services(i.e., terminal illness with a prognosis of sixmonths or less). In addition, the hospicephysician or NP must now perform a face-tofaceencounter and provide documentationthat such encounter occurred. A “hospicephysician” is defined as a physician employedby or contracted with a hospice, includingvolunteer physicians. A certifying NP is anurse practitioner employed by a hospice (i.e.,receives a W-2 form from a hospice or is ahospice volunteer).Hospices are responsible for verifyingwhich benefit period a patient is in at thetime of admission to determine when theface-to-face encounter must be conducted,and they should document their verificationefforts. Hospice providers should check theCommon Work File (CWF) 2 for the ninehost sites or the Health Insurance Portabilityand Accountability Act (HIPAA) EligibilityTransaction System (HETS), the 270/271transaction, 3 to determine accurate beneficiaryinformation. In addition, providers shouldtalk with the patient and family to determineif the patient previously was a hospice patient.DocumentationIn addition to the certification and narrativerequirements for hospice services, the physicianor NP who performs the face-to-face encountermust attest to that encounter. If the nursepractitioner provides the encounter, then theattestation must state that the clinical findingswere reported to the certifying physicianencounter.n It is the responsibility of the hospiceprovider to ensure that the face-to-faceencounter occurred, and not the long-termcare or skilled nursing facility where thehospice patient resides.n The face-to-face encounter should notbe billed separately because it is includedin the hospice per diem rate, unless thephysician or NP provides reasonable andnecessary non-administrative patient careduring the visit (e.g., medication or symptommanagement).Providers must ensure compliance with theserequirements. Failure to comply with anyof these new face-to-face encounter requirementscan have serious consequences forproviders of home health or hospice services.Services that are billed to Medicare but notproperly documented as required by laws andregulations are not only recoverable by Medicare,but can also be considered violationsof the federal False Claims Act. Moreover,Timing of face-to-face encounterCMS has defined the “180-day certification”to be the recertification that occurs at thestart of the third benefit period or after thesecond 90-day benefit period. The face-tofaceencounter must occur within 30 daysprior to the 180-day certification. In otherwords, the encounter must take place nomore than 30 days prior to the third benefitfor purposes of recertification. The documentationshould comply with thefollowing requirements:n The attestation of the face-to-face encountermust be a separate and distinct section,or an addendum to, the recertificationform and narrative. The attestation mustbe clearly titled, dated and signed by thephysician or NP who conducted theif a provider becomes aware that it has notproperly documented services and fails tonotify the government and return any payments,this can be considered an overpaymentunder PPACA and trigger False Claims Actliability. CMS has indicated that it expectshome health agencies, physicians, and hospiceproviders to implement internal processes tocomply with these rules in the first quarter ofperiod recertification. The new rule applies to encounter and include the date of theContinued on page 49Health Care Compliance Association • 888-580-8373 • www.hcca-info.org47May 2011

ExhaleBy Shawn DeGroot , CHC-F, CCEP, CHRCMay 201148ShawnDeGrootis HCCASecond VicePresidentand servesas VicePresident ofCorporate Responsibility at Regional Health inRapid City, South Dakota.Shawn DeGrootWhat keeps you up at night? Send me an e-mailat sdegroot1@regionalhealth.com and shareyour approach to handling the press, maintainingbalance in your life as a compliance officer or amember of the compliance team, or preparing toself-disclose an issue. As a unique group of profoundprofessionals, we can weather this perfectstorm, provide support, and Exhale together.After working in the compliance fieldfor two years, attending the BasicCompliance Academy, and thenattending the HCCA Advanced Academy sixyears ago, Linda Wolverton, Vice Presidentfor Compliance at TeamHealth in Knoxville,Tennessee determined that she would sitfor the compliance certification (CHC).Linda’s diverse background in quality, riskmanagement, case management, medical staffmanagement, and credentialing provided anexcellent foundation for her new career inCompliance. However, Linda soon becameentrenched in her new role, working 6:30 a.m.to 7:30 p.m., without seeing the light at theend of the day. I am sure many complianceofficers can relate.First, here’s a little information aboutTeamHealth, which was founded in 1979. Itis one of the largest suppliers of outsourcedhealth care professional staffing and administrativeservices to hospitals and other healthcare providers in the U.S. Through its sixprincipal service lines located in 13 regionalsites, TeamHealth’s more than 5,600 affiliatedhealth care professionals provide emergencymedicine, hospital medicine, anesthesia,pediatric staffing, and management services tomore than 530 civilian and military hospitals,clinics, and physician groups in 44 states. Thedaunting task of oversight for a complianceprogram with a staff of three people in sucha robust company would be overwhelming;however, Linda attributes the success ofthe compliance program to the tone set byTeamHealth’s leaders and the board of directors’support.What keeps Linda up at night?“Not knowing what is happening out thereand the workload.” Linda is on multiplelist-serves and the electronic informationcan inundate any professional—basically,information overload. Over the past sixyears, noted improvements have been madeto streamline the compliance program andcreate a more effective program with limitedstaff. An area that consumes the majority ofLinda’s time pertains to auditing, monitoring,investigations, and training.Linda extracts information from the FederalRegister, settlements, and hotline calls tocontinuously modify the electronic employeetraining programs. Separate modules on theelectronic learning management programare specific to coders, billers, clinicians, andmid-levels. New Associate training statisticsare produced every month and distributed tomanagement for follow-up, because lack ofparticipation in compliance training impactsan individual employee’s performance, raise,and/or bonus opportunity.Other area’s that contribute to the workloadare risk assessments and 300-350 event callsto the hotline and office with complianceissues. Although TeamHealth also outsourcesa hotline service, Linda believes that theHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgelevated number of calls to her office phoneis evidence that the level of trust in the organizationis high. Internal Audit is externallyoutsourced and RACs (Recovery AuditContractors) are managed by the Billing andLegal departments, but managing the complianceprogram oversight with the abundanceof regulations can still be overwhelming.After assessing the compliance program,Linda assessed her personal life and determinedthat if she is unhealthy, she is no goodto her company or her spouse. Furthermore,she considered that conducting an investigationin an exhausted state of mind could bedetrimental to the outcome.What was Linda’s answer to complianceworkload and information overload?1. Linda tried running and walking, but shecould still think of all of the issues waitingfor her at work! While the approach reducedher cholesterol, the ability to thinkabout work did not reduce her stress level.2. Since childhood, Linda had a desire totake piano lessons; however, she thoughther age was a deterrent. With a neighbor’sencouragement, Linda decided totake piano lessons once a week. Lindadiscovered that concentrating on a noteor a tone and focusing on reading musicdoes not allow her to think about work.When Linda plays music, she simply“gets lost” and finds herself ready to takeon the world the next day. This springshe graduates with eight levels of pianoeducation!3. After her interest in music increased,Linda changed her work hours to 7:00 a.m.(vs. 6:00 a.m.), ending her day at 5:30-6:00 p.m. (vs. 7:00 p.m.). This modificationallows her time every evening toexpress her feelings through music. Lindais happier the next day and definitelymore productive!

4. Subsequent to her new passion for music,Linda is now taking opera lessons. Withthat venue, she is learning Italian, concentratingon pronunciation, and hitting thatperfect note.SAVETHE DATEIn response to a question on the future, Lindaresponded, “I am going to continue my musiclessons because, while playing music, thereis no room in my head for problems—onlymusic.” nFace-to-face encounter required for homehealth and hospice...continued from page 472011. CMS will expect providers to be in fullcompliance with the requirements beginningin the second quarter of 2011.All home health care agencies and hospicesservicing Medicare patients should takeimmediate steps to ensure that face-to-faceencounters take place and are properlydocumented within the time period specifiedfor certification or recertification. n1 See Home Health CY 2011 PPS Final Rule, 75 Fed. Reg. 70372, 70427(Nov. 17, 2010).2 Applicable CWF query systems include the Eligibility Home HealthInquire (ELGH) and the Health Insurance Query for Home HealthAgencies (HIQH). Both of these query systems provide real time datato aid in determining which benefit period a hospice patient is in.3 Providers can go to http://www.cms.gov/HETSHelp/ for informationon the HETS 270/271 transaction, or they can call 1–866–534–7315.HCCA has stepped up ourenvironmental responsibilityby printing ComplianceToday on recycled paper. Theinterior pages are now printedon paper manufactured with100% post-consumer waste. The cover stock ismade up of 10% post-consumer waste and islocally produced in Minnesota near our printingfacility. In addition, the energy used toproduce the paper is 100% renewable energy.This is not to mention that the ink used in ourmagazine is 100% soy based water soluble inks.Certifications for the paper include The ForestStewardship Council (FSC), Sustainable ForestryInitiative (SFI), and Green-e.org.September 25–27, 2011Renaissance Harborplace Hotel | Baltimore, MDThe Fraud and Compliance Forum is jointly sponsored by the HealthCare Compliance Association (HCCA) and the American HealthLawyers Association (AHLA). It will include an explicit designation ofa session as “compliance focused” or “legal focused.” The PlanningCommittee has included enough sessions in each designation thatan individual could attend all “compliance” sessions or all “legal” sessionsfor the entire program. Yet an attendee also has the optionof selecting a diversity of sessions and networkingwith an expanded group of individuals. TheSPONSORSFraud and Compliance Forum has the benefit ofcombining the quality of HCCA and AHLA sessionswith the expanded networking power ofa combined program.Learn more and register atwww.hcca-info.orgHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org2011FraudComp_SaveDate_2columnad_vert_2c.indd 1493/30/2011 2:47:20 PMMay 2011

HCCA BASIC COMPLIANCE ACADEMIES2011 Basic Compliance AcademiesScottsdale, AZ | June 6–9New York, NY | August 8–11Chicago, IL | September 19–22HCCA Conference AdLas Vegas, NV | October 24–27Orlando, FL | November 14–17San Diego, CA | December 5–82011 Basic Research AcademiesLas Vegas, NV | August 15–182011 Basic Privacy AcademiesSan Francisco, CA | October 10–13San Diego, CA | December 5–8JUSTADDEDCERTIFICATION EXAM OFFERED FOLLOWING EACH ACADEMYREGISTRATION FOR EACH ACADEMY IS LIMITED TO 75 ATTENDEES“I just wanted to say thank you for helping to coordinate and present such aneducational and useful compliance academy. If I knew how much I was goinglearn and how many ideas I would leave with to improve our complianceprogram I would have attended much sooner. The academy helped toenergize and inspire me to take our compliance program and myself as acompliance professional to the next level.”Michael Scudillo, Chief Compliance Offi cer, Universal Institute, Inc.www.hcca-info.org • 888-580-8373

Evaluating asafe harbor strategyfor patient privacyBy Mac McMillanEditor’s note: Mac McMillan is Chief Executive appropriately implement safeguards are permitted.The Breach Notification Rule neitherOfficer of CynergisTek, Inc. in Austin, Texas,and Chair, HIMSS Privacy & Security modifies responsibilities under the HIPAACommittee. He may be contacted by e-mail at Security Rules, nor imposes new requirementsmac.mcmillan@cynergistek.com.to encrypt “all” PHI. For compliance officers,this means looking beyond encryption, andIn 2011, organizations have begun attestationsfor Meaningful Use of electronic include encryption as just one element of anany effective safe harbor strategy shouldhealth records, which will include a integrated approach.statement that they have assessed risks andremediated gaps in their security. As part Truly effective or “in depth” security involvesof this process, they must address incident a compensating, overlapping, and complementaryset of controls, often described as “securityresponse, encryption, access controls, auditing,and more as part of making sure they are in depth.” No one control is foolproof, andready to demonstrate compliance and meaningfuluse. Despite these efforts, eliminating Encryption is not possible everywhere onthis is particularly true with encryption.risk completely will continue to be impossible. every system in an organization’s environment,so any strategy based on encryptionIncidents will occur, and when they do, organizationswill need to demonstrate that they alone will have gaps. Encryption relies ontook reasonable actions to minimize risk. other controls and network integrity to makeit effective, and systems compromised byHIPAA requires that organizations take poor patching can obviate encryption. It alsoreasonable precautions to secure protected does not address appropriateness of action,health information (PHI) from unauthorized so it can only partially meet the requirementaccess, use, or disclosure. It requires administrative,physical, and technical controls amount of information to perform the task.to disclose only the “minimum necessary”where appropriate, with flexibility in selecting For example, an encrypted thumb drivecontrols and designing programs. The Breach ensures physical protection, but not whetherNotification Rule provides requirements the data should be there in the first place.for notification, defines what constitutesunsecured PHI, and identifies specific The Breach Notification Rule does provide arequirements for achieving a safe harbor from safe harbor when a breach occurs. If it is determinedthat patient information was encryptedbreach notification, including rendering PHIinaccessible, unreadable, or indiscernible. appropriately using an approved methodology,the organization avoids notification. Organizationswill want to incorporate encryption withIt is important to remember that encryptionis just one method of achieving this goal, other best practice controls to ensure patientand that any measures that reasonably and privacy is protected adequately.Continued on page 52Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgTaking your strategy apartStep 1: Think “information first”Ask yourself if your organization hasadequately assessed its risks. Have youconducted a thorough data discovery projectto identify exactly where all PHI resides andwhere it is going? Before you apply encryptionor any control measure, first ask whether it isnecessary and appropriate for PHI to residein a particular location or be transmitted via acertain mechanism. The most effective way todo this is to employ a data discovery tool thatsearches structured and unstructured data andreviews network traffic content to more effectivelyinform control selection. Complianceofficers should ask how their organization hasdeveloped their risk baseline and what thatPHI map looks like, to know what to assessnext. When you think “safe harbor,” thinkabout authorization, accessibility, acquisition,and use – not just encryption. If data can berendered inaccessible, then encryption may notbe needed. If we can restrict locations wherePHI resides, then other areas may require lessstringent controls. Compliance officers shouldask what we have done to reduce the riskprofile and therefore, the need for encryption.Step 2: How strong is your house?One of the best ways to restrict accessibilityis to “architect” it into how you build andmanage the network. Traditionally, mostnetworks were “flat,” meaning you could gofrom any point to any other point, and everyasset on the network was at risk if any elementwas compromised. Today, we reduce that riskthrough architectural design and controls thatcreate secure areas within the network throughsegmentation and access restrictions, whichcan mitigate the need for encrypting data atrest. Compliance officers should assess howsegmentation has been used to protect criticalassets, separate networks of differing accesslevels, and isolate vulnerable systems.51May 2011

Evaluating a safe harbor strategy for patient privacy ...continued from page 51May 201152Step 3: Cleaning up the clutterOnce we know what we have (i.e., PHI) andhave limited access architecturally, we needto look at the universe of systems and deviceswhere data resides and how each is secured.These can include applications, databases,storage, backup tapes, shares, USB/CD,websites, desktops, laptops, personal devices,printers/copiers, e-mail, file transfers, andsocial media. Options for securing each ofthese are many, and all should be consideredwith a focus on eliminating, restricting, orcontrolling access.In many instances, this will come down toconfiguration, but the process can includevirtualization of systems, using group policiesto control actions or lock systems, anddisabling/enabling services or functionality.Compliance officers need to ensure thateach asset/device with PHI in the enterprisehas been identified and considered. Ideally,measures that eliminate the risk of exposureare best, and where exposure cannot beeliminated, encryption should be considered.Let’s look at a couple of examples.Desktop computersUnfortunately, these assets are susceptible totheft and will be re-purposed or eliminatedeventually. If we permit PHI on a desktop,we need to encrypt the asset. However, thisdoes not address the whole of the problem.It protects for breach notification, but it doesnot, for instance, ensure that data (i.e., PHI)placed on the desktop is protected againstdestruction if the system fails. Why? Becausedata saved locally on a desktop is not backedup. The question to ask is: “Does PHI, orany data, need to reside there?” If not, thenconsider virtualization, using group policyto lock down the desktop, or deploying adata loss prevention (DLP) agent to restrictsensitive data from being saved locally. All ofthese eliminate the risk to PHI, but the lastallows greater flexibility in how the desktopis configured and used. None require theaddition of encryption or its overhead, butthey effectively eliminate notification, therebyeliminating the need to exercise safe harbor.Printers/CopiersThese assets are almost always shared, andmany have a processor that can store thousandsof documents. Together, this creates an assetwith potentially a lot of PHI that no onein particular is watching. To make mattersworse, many older systems do not haveautomatic erase or encrypt functions, creatinga physical security/accountability challenge.The only safe approach from a safe harborperspective is to upgrade to newer systemswith automatic overwrite, erase, and/orencryption capability when practical to do so.In the near term, for older systems placement,accountability, audit, and reuse/disposalprocesses need to be strictly followed.Step 4: Shoring up controlsThere is only so much an organization can dowith architecture and organic controls. Forremaining gaps, other technologies will needto be considered. Encryption is one of these,but again, we want to consider all options, andespecially ones that create inaccessibility to thethreat. These include other technologies thatsupport, enable, or enforce features and eliminateor control access, configuration settings,actions, or behaviors. Examples of technologiesin this category include:n Configuration management tools formonitoring and enforcing settings.n Host and network-based IPS for monitoringaccess to critical systems, such asintegration engines and to provide earlydetection of threats and anomalous behavior,and forensics.n Data loss prevention tools for data discovery/mapping,enforcing policies aroundPHI and assisting endpoint security.n Vulnerability scanners for ongoing threatawareness and maintaining integrity.Compliance officers need to appreciate thatdue to complexity of information technologyenvironments today, manual processes andorganic controls alone are not sufficient toensure compliance. They should assess whattechnologies the organization has for protectinginformation and enabling safe harbor, if needed.Step 5: Sometimes you need a fenceSometimes, due to the nature of the system,operational environment, or threats, technologyjust isn’t enough. Physical security controls(e.g., alarms, access controls, cameras,radio-frequency identification [RFID], etc.)can complement other security measures andcompensate for lack of controls on devicessuch as printers/copiers, modalities, etc. Insome cases, such as with legacy printers/copiers,physical security may be the only reasonablemeans of security. Compliance officers shouldbe reviewing facility security plans specificallyfor the level of integration between physicaland technical security measures aroundinformation technology.Step 6: EncryptionBy now you should have discerned that I recommendminimizing the use of encryption. I’dmuch prefer to eliminate the risk than to haveto encrypt. First and foremost, this is becauseencryption relies on other measures and userbehavior to be successful. Also, the operationalimpacts, user workflow issues, maintenance,and administrative requirementsand costs can be significant. Also, rememberthat encryption that meets HITECH isstandards-based, and as standards are updatedand methodologies/algorithms change,organizations will have to refresh theirsolutions. Encryption does play an importantrole in the overall solution when used aspart of an integrated security architecture.Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Consider encryption in circumstances whererisk to PHI cannot be reasonably eliminated,encrypt mobile devices with PHI regardlessof other measures deployed, and encrypt datain motion. Last, but not least, encryption isrequired to meet the safe harbor if a breachoccurs, so it should be considered whereverrisk to patient information remains.Step 7: Neighborhood watchEveryone knows intuitively that security isheightened when everyone pays attentionto what’s going on around them. Even withthe best security, bad things can happen, andinformation system risk is amplified by thenumber of people who have or seek to gainaccess. For that reason, we need ongoing riskmanagement supported by real-time networkand user monitoring. Because it may not befeasible to encrypt everything to achieve a safeharbor, we need to ensure that other controlsand processes are being enforced and areeffective. Fortunately, many of the technologiesused to enable and enforce protections alsooffer monitoring capability. Take advantage ofaudit capabilities in DLP, network monitors,configuration managers, e-mail encryptionappliances, vulnerability scanners, etc. Utilizelog managers to monitor controls and useractivities, and conduct independent processand controls audits to supplement audit technicalcontrols. Developing this informationsystem activity review capability is not only aHIPAA requirement, but it is critical to identifyingareas where breach could occur and,therefore, for predicting where your controlsneed to focus on achieving safe harbor.Step 8: Never forget peopleThey say the only secure computer is one thatis disconnected, turned off, and at the bottomof the Marianna Trench. People are always avery important part of any security program(including safe harbor) and are usually thelast line of defense. Because encryptionrelies on other measures to create a secureenvironment, what people do (whether theyare helping to manage the system or are endusers) will remain important. For all securitymeasures requiring user interaction – not justencryption – there should be clear policiesand procedures in use, and people should betrained on what to do if an incident occurs.User training should be customized, start atorientation, and be reinforced frequently.Activities should be openly monitored and, inthe case of an event, needed sanctions shouldbe clearly articulated and enforced. Mostimportantly, users need to understand the safeharbor requirements and the importance ofimmediately reporting any incident involvingPHI. The better they understand the safeharbor plan, the better they will support it.Step 9: TransferenceThere will always be some residual risk, andorganizations may elect to share or transfersome risk. Outsourcing may provide aviable alternative that enhances securityand serves to share risk. Whether it’s takingadvantage of software as a service (SaaS) oran application service provider (ASP) service,or moving to the “cloud,” organizations cantake advantage of vendors’ security controlsto augment their own. However, BusinessAssociate Agreement security considerationsare very important in any such decision.Business associates have proven that theyare not immune to incidents, so vet vendorscarefully, provide a security checklist,interview or even make a site visit if possible,and articulate security requirements in detail.Having security requirements addressed upfront as part of the contracting process willhelp ensure success. Absolutely review allplans for encryption of data in transfer and atthe vendors location.The last consideration of a best practiceprogram that can have a bearing on safeharbor is cyber insurance to address not onlythe residual risk, but protect against the costsof a breach. Many organizations see this asa reasonable precaution, and following thesesteps to incorporate a safe harbor strategyin your security program will position youfavorably to satisfy most cyber insuranceunderwriting requirements.ConclusionHIPAA and HITECH are about managinginformation responsibly, and organizationscan employ “any” security measure thatreasonably safeguards patient information.To be most effective, a security strategyshould include encryption as one elementof an integrated approach that “uses” allreasonable and appropriate safeguards tomanage risk and meet a safe harbor, if needed.Sixty percent of breaches in health care lastyear involved data that was unencrypted, andmany organizations had no idea what was onthose devices. More importantly, though,there were no policies or controls to assess theappropriateness of the data being placed thereor to enforce restrictions.Safe harbor is an opportunity to reconsiderour data security strategy as a whole. Itemphasizes breach, encryption, and notification,but the smart approach is to focus onreal protection of data with the understandingthat security controls and technologies, ifdeployed properly, can provide overlappingand complementary effects that can addressmultiple HIPAA/HITECH requirements andreduce the need for a safe harbor.The following are some suggested questionsthat the Compliance department can ask toassess their organization’s readiness around asafe harbor strategy. Although not all-inclusive,answers to these questions will allow you toascertain not only what the organization isContinued on page 55Health Care Compliance Association • 888-580-8373 • www.hcca-info.org53May 2011

egister beforeSeptember 8 tosave $250 off yourregistrationincludespre-conferencefor freeHCCA AdPhysician Practice/ClinicCompliance ConferenceOCtOber 16–18, 2011PhiladelPhia, PaWhy yOu ShOuld AttendPhysicians, compliance officers, coders, and managers will learn to managean effective compliance program. designed with networking in mind, theconference provides many opportunities for choosing breakout sessionscovering topics of interest for all. Participants will learn about complianceprogram development and management as it relates to physician practices;current government initiatives in the field of health care compliance specific tophysicians and their group practices; correct documentation, billing and codingpractices for physicians; and best practices utilized in physician practices.www.hcca-physician-conference.org

Evaluating a safe harbor strategy for patient privacy ...continued from page 53doing, but also how they are approaching thesafe harbor requirements.n Is there a data life-cycle model?n Have we discovered/mapped where PHI iswithin the enterprise?n Have we determined where PHI “needs”to be accessible and how?n How do we utilize the IT architecture toisolate critical assets, networks, and data?n Do we use application firewalls and/oraccess control lists to create truesegmentation?n Do we deploy network access controls toavoid unauthorized connections?n Do we conduct ongoing vulnerabilityanalysis and remediate issues?n How does IT verify and ensure thatpolicies/settings are enforced?n How does IT ensure that actions involvingPHI are appropriate?n How does IT handle ongoing integrityreview?n Where do we have systems wherevulnerabilities cannot be addressedadequately?n What compensating measures does ITpropose to mitigate this risk?n How do we monitor outbound transmissionsfor inappropriate content?n Have all systems/data sources and theirlocations that require physical controlsbeen identified?n Have alarm and monitoring requirementsbeen determined?n Does the HIPAA Facility SecurityPlan reflect accommodation of theserequirements?n Have departments/management/staffbeen made aware of heightened need foraccountability/observance?n Has IT identified all systems with embeddedencryption that do not meet theNational Institute of Standards andTechnology (NIST) standards?n Has IT determined which systems requireencryption?n Has IT ensured appropriate encryption onwireless and web-based systems?n Have users been made aware of theirresponsibilities and risks with encryption?n Has a long-term plan been developed forcompliance and maintenance of encryptioncontrols?n Does IT/Security monitor all systemswith PHI?n Is there an audit strategy to periodicallyreview effectiveness of controls?n Are incidents and anomalous behaviorinvestigated in a timely manner?n Is evidence of tampering or willful disablingof controls reported?n Are processes and procedures associated withcontrols easy to understand and follow?n Have users been trained properly on boththe technology and the processes theymust employ? nNOW AVAILABLE:The HCCA HIPAA Training HandbookOrder NowHCCA MEMBER DISCOUNTS# of handbooks cost per bookThe Health Insurance Portability and Accountability Act (HIPAA) has hadlasting impact on U.S. health care providers since its passage in 1996. NowHIPAA, along with HITECH, affect health care professionals on a dailybasis. This newly revised handbook is intended for anyone who needs a basicunderstanding of the privacy and security regulations governed by HIPAA andHITECH. Suitable for staff training courses, it covers:• Who must comply with HIPAA and HITECH• When and by whom is the use or disclosure of protected healthinformation (PHI) permitted?• What rights does an individual have regarding his or her PHI?• What are the basic safeguards required to protect the security of e-PHI?• What happens when a breach occurs?• And much moreThis handbook can prepare all health care professionals to help protect theprivacy and security of their patients’ health information.: visit www.hcca-info.org/books, or call 888-580-8373THE HCCA HIPAA TRAINING HANDBOOKQty________ HCCA Members ($25 or see chart at left)Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgCost$ __________Make check payable to HCCA and mail to:HCCA, 6500 Barrie Road, Suite 250Minneapolis, MN 5543555May 2011

Compliance withStark Phase III:Algorithm andoutlineBy Denise A. Atwood, RN, BSS, JDStark law. It is not intended as an exhaustiveresource addressing the Stark law.On page 57, table 1 is an outline that isintended as quick reference guide to assisthealth care providers in locating appropriateUnited States Code (U.S.C.) and Code ofFederal Regulation (C.F.R.) citations relatedto the Stark law.Editor’s note: Denise A. Atwood, RN, BSS, JD,is Admin. Director Medical Services ProviderContract, Maricopa Integrated Health System,Phoenix, AZ. She may be contacted by telephoneat 602/344-1345 or by e-mail at denise.atwood@mihs.orgThe final rule promulgated fromthe third phase of a final rulemakingprocess (a.k.a. Stark Phase III)amended the regulations regarding the physicianself-referral prohibition found in section1877 of the Social Security Act. The finalrule was effective on December 4, 2007.Under the Medicare program, Stark Phase IIIaddresses physicians’ referrals to health careentities with which they or their immediatefamily members have financial relationships.The first page of the Stark algorithm (figure 1below) is intended as a quick reference guideto assist health care providers in complyingwith the Stark law, specifically 42 U.S.C.§1395nn, by identifying exceptions to theBecause of the harsh penalties and sanctionsassociated with Stark law non-compliance,it is always recommended to seek legalassistance or an advisory opinion relatedto health care provider or facility questionsdealing with financial relationships, compensation,ownership, or investment interests ifthe arrangement is not specifically listed as anexception to the Stark law. nFigure 1: Stark Algorithm:Limitation on certainphysicians.START HERE: Does physician or immediatefamily member have a direct or indirectfinancial relationship or compensationarrangement with entity referring patient to?If NO,referral notsubject toSTARKIf YES, does anexception apply?GENERAL EXCEPTION(to ownership &compensation):(1) Physicians’ services(2) In-office ancillary services(3) Prepaid plans withcontract(4) Other permissibleexceptions(5) Electronic prescribing(1395w-104(e)(6))GENERAL EXCEPTION(to ownership or investment inpublicly traded securities &mutual funds):(1) May be purchased onterms available to the publicAND are listed on a regionalexchange with daily publishedquotes AND traded underNational Association ofSecurities Dealers ANDstockholder equity >$75,000,000 on average inprevious 3 fiscal years(2) Shares in regulatedinvestment company asdefined in IRC section 851 ifcompany total assets >$75,000,000 on average inprevious 3 FYEXCEPTION(to ownership or investmentprohibition):(1) Hospitals in Puerto Rico(2) Rural providers(1395ww(d)(2)(D))(3) Hospital ownership(not subdivision or specialtyhospital) by referring physicianauthorized to perform servicesEXCEPTIONS(to compensation arrangements)(1) Rental of office space or equipment -agreement must be in writing, signed bythe parties with a term of at least 1 year(2) Bona fide employment relationshipswith remuneration at fair market value (FMV)(3) Personal service arrangements mustbe in writing, signed by the parties with aterm of at least 1 year (includes physicianincentive plans)(4) Remuneration unrelated to designatedhealth services (DHS)(5) Physician recruitment(6) Isolated financial transactions(7) Group practice arrangements with ahospital (before 12/19/89)(8) Payments by a physician for items andservices at FMVIf NOEXCEPTIONAPPLIES,referral isprohibitedEXCEPTIONNOT METreferral isprohibitedEXCEPTIONNOT METreferral isprohibitedEXCEPTIONNOT METreferral isprohibitedEXCEPTIONNOT METreferral isprohibitedMay 201156Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Table 1: Stark Outlines: 42 U.S.C. § 1395nn, Sanctions & Definitions, and 42 C.F.R. §§ 411.535 – 411.36142 U.S.C. §1395nn.(g) Sanctions(1) Denial of payment(2) Requiring refunds for certain claims(3) Civil money penalty and exclusionfor improper claims(4) Civil money penalty and exclusionfor circumvention schemes(5) Failure to report information(6) Advisory Opinions(A) In general(B) Application of certain rules(C) Regulations(D) Applicability42 U.S.C. §1395nn.(h) Definitions andspecial rules(1) Compensation arrangement;remuneration(A) Compensation arrangement defined(B) Remuneration defined(C) Remuneration described(2) Employee(3) Fair market value(4) Group practice(A) Definition of group practice(B) Special Rules (profits, bonuses,practice plans)(5) Referral; referring physician(A) Physicians’ services(B) Other items(C) Clarification respecting certainservices integral to a consultationby certain specialists(6) Designated health services (DHS)(A) Clinical laboratory services(B) Physical therapy services(C) Occupational therapy services(D) Radiology services (includes MRI,CAT scan and ultrasound)(E) Radiation therapy services andsupplies(F) Dural medical equipment andsupplies(G) Parenteral and enteral nutrients,equipment and supplies(H) Prosthetics (devices and supplies)and orthotics(I) Home health services(J)(K)Outpatient prescription drugsInpatient and outpatient hospitalservices(7) Specialty hospital(A) In general(B) Exception42 C.F.R. §411.353 Prohibition on certainreferrals by physicians and limitations onbilling(a) Prohibition on referrals(b) Limitations on billing(c) Denial of payment for servicesfurnished under a prohibited referral(d) Refunds(e) Exception for certain entities(f) Exception for certain arrangements(g)involving temporary noncomplianceSpecial rule for certain arrangementsinvolving temporary noncompliancewith signature requirements42 C.F.R. §411.354 Financial relationship,compensation, and ownership or investmentinterest(a) Financial relationships(b) Ownership or investment interest(c) Compensation arrangement(d) Special rules on compensation42 C.F.R. §411.355 General exceptionsto the referral prohibition related to bothownership/investment and compensationThis prohibition on referrals set forth in§411.353 does not apply to the followingtypes of services:(a) Physician services(b) In-office ancillary services(c) Services furnished by an organization (orits contractors or subcontractors)(d) [Reserved](e) Academic medical centers(f) Implants furnished by an ASC(g) EPO and other dialysis-related drugs(h) Preventive screening tests, immunizations,and vaccines(i) Eyeglasses and contact lenses followingcataract surgery(j) Intra-family rural referrals42 C.F.R. §411.356 Exceptions to thereferral prohibition related to ownership/investment interestsFor the purpose of §411.353, the followingownership or investment interests do notconstitute a financial relationship:(a) Publicly-traded securities(b) Mutual funds(c) Specific providers42 C.F.R. §411.37 Exceptions to the referralprohibition related to compensationarrangementsFor the purpose of §411.353, the followingownership or investment interests do notconstitute a financial relationship:(a) Rental of office space(b) Rental of equipment(c) Bona fide employment relationships(d) Personal service arrangements(e) Physician recruitment(f) Isolated transactions(g) Certain arrangements with hospitals(h) Group practice arrangements witha hospital(i) Payments by a physician(j) Charitable donations by a physician(k) Nonmonetary compensation(l) Fair market value compensation(m) Medical staff incidental benefits(n) Risk-sharing arrangements(o) Compliance training(p) Indirect compensation arrangements(q) Referral services(r) Obstetrical malpractice insurancesubsidies(s) Professional courtesy(t) Retention payments in underservedareas(u) Community-wide health information systems(v) Electronic prescribing items andservices(w) Electronic health records items andservices42 C.F.R. §411.361 Reporting requirements42 C.F.R. §411.370 Advisory opinionsrelating to Physician Referrals42 C.F.R. §411.372 Procedure for submittinga request [for an advisory opinion]Health Care Compliance Association • 888-580-8373 • www.hcca-info.org57May 2011

May 201158New HCCA MembersThis listing – from South Carolina to Puerto n Linda Steen, Dept of Veterans AffairsRico is continued from the last month’s New n Robin K. Stults, Parkland HospitalMember listingn Daniel T. Valdez, Maxim Healthcaren Max Weber, Univ of Texas MD AndersonCancer CenterSouth Carolinan Christy S. Fleming, Greenville Hospital Systemn Bernadette Henry, Sisters of Charity ProvidenceHospitalsn Edward Jones, Cornichon HealthcareInnovations, LLCn Cindy J. Moore, PHT Services LtdSouth Dakotan Nancy Klunder, Regional HealthTennesseen Harolyn Acklin, Center for Spinal Surgeryn Teri Campbell, RegionalCare Hospital Partnersn JoAnna Crooks, Life Care Centers of American Toby L. Dalton, Life Care Centers of American Keith Goss, Life Care Centers of American Jerod Holloway, FTI Consultingn Jerome Jacques, Memphis Jewish Homen Debbie Johnson, Life Care Centers of American MaryAnna Kaplan, Memphis Jewish Homen Terry Leonard, Life Care Centers of American Scott Long, St. Jude Children’s Research Hospitaln Yvonne Mazareddo, Erlanger Health Systemn Dee McCarthy, Life Care Centers of American Kay McCollough, Memphis Jewish Homen Joyce Morgan, THMn Tina Qualls, LifePoint Hospitals, Incn Mike Reams, Life Care Centers of American Micki Roy, St. Jude Children’s Research Hospitaln Annie Smith, Memphis Jewish Homen Cynthia Stigall, Tennessee Health ManagementTexasn Shannon Albers, AFV Home Health & Hospicen Robert Barber, Children’s Medical Centern Arlene Baril, Sinaiko Healthcare Consulting, Inc.n Jackie Brownn Renee E. Duncan, R&M HealthcareConsultants of South Texasn Myron Ells, JPS Health Networkn Kimberly Fields, Nova Medical Centersn Stephanie Hill, Law Office Stephanie L. Hilln Louise Janis Johnson, Stebbins Five Companiesn Beth Linnehan, Driscoll Children’s Hospitaln Carla D. Miller, Harris County Hospital Districtn Karen Moore, Children’s Medical Centern Michael Paten Ann Platt, Medco Medical Supplyn Melanie Roden, Baylor College of Medicinen Wendi Rogaliner, Rogaliner Law Firmn Janet Schumacher, Medical Clinic of HoustonVirginian Tina M. Allen, CHKD Health Systemn Sharon C. Chase, Bon Secoursn Adrienne Gingras, MedeAnalyticsn Julie Longn Patti Paule-Carres, M.E.D.I.C., Inc.n William Perrine, LFG TrustWashingtonn Robin Dale, Lane Powell PCn John Fugate, Microsoft Corporationn Terri Leathers, Life Care Centers of AmericaWisconsinn Julie Haglund, Ministry Health Caren Karen M. Jensen, Gundersen Lutheran HealthPlann Kathleen H. Leick, Marshfield Clinic ResearchFoundationn Rachael L. Noffke, Affinity Health Systemn Melissa M. Ostrowski, Marshfield ClinicResearch Foundationn Megge M. Stein, GroupHealth Cooperative- SCWn Barbara Thiermann, Turville Bay MRI &Radiation Oncology CenterPuerto Ricon Enid Dohnert, Auxilio Mutuo HospitalAlabaman Sharon D. Hamlin, Pickens County Med CntrAlaskan Michelle Lisper, Alaska Dept Health & SocialServicesArizonan Patty Dal Soglio, Phoenix Health Plann Michele Nielsen, CIGNA Healthcare of ArizonaArkansasn George Chapman, Walmart Stores, Incn Dadrion A. Gaston, Wal-Mart Stores Incn Timothy R. Koch, Walmart Stores, Incn Debbie Mack, Wal-Mart Stores Incn Terry L. Sauls, Neurosurgery Spine CenterCalifornian Genna S. Comara, Kaiser Permanenten Christopher Cox, Advanced Medical Reviewsn Lee Harrisonn Kelli Huntsinger, Northern Inyo HospitalHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgn Annie Y. Kuo, Citizens Choice Healthplan HMOn Timothy Matthew Montanon Danielle Pallo, DaVitan Lisa Paulo, Salinas Valley Memorial HealthcareSystemn Joy Ramos, Asian Americans for CommunityInvolvementn Julie A. Ramsey, Central Valley Indian Health, Inc.n Lillian A. Rosales, Kaiser Permanenten Brian G. Rouse, Adventist Healthn Randy Stewart, Health Net, IncColoradon Deanna Allen, Poudre Valley Hospitaln Maureen Dickson, Physician Health Partnersn Lori L. Hopper, Centura Healthn Oda Roozeboom, Memorial Health SystemConnecticutn Sherry Harper, St Francis Hospital & Med CntrFloridan Larry W. Field, Medical Analytics Group Incn Janet Green, WellCare Health Plansn Marie Hunniecutt, H Lee Moffitt Cancer Cntrn Melvin B. Price, Riverview Foot & AnkleSpecialistn Blair Todt, WellCare Health Plans, Inc.n Anahita Yousefiani, Wellcare Health PlansGeorgian Kimberly Frye, Premier Kids Care, Inc.n Stephanie Fuller, King & Spaldingn Angela Randazzo, Georgia Health Sciences UnivIllinoisn Linda Buck, Proctor Health Care, Incn Sandra Campbell Burbridge, Northwestern Univn Jerry E. Lear, CHAN Healthcare Auditorsn Catherine Ostapina, Univ of Chicago Med Cntrn Katherine WolebenKansasn Karen Wenzelburger, Girard Medical CenterKentuckyn Emily Reinach Lannan, RecoverCareLouisianan Missy Cotita, P & S Surgical HospitalMarylandn Jerry Bowen, Stella Maris Incn Monique K. Burnett, Life Bridge Healthn Sonja Goss, Life Bridge Healthn Walter E. Johnson, Kaiser Permanenten Donald E. Ray, Maryland General Hospital n

Check yourcompliancelife signsUndetected risk can hurt an otherwisehealthy organization. Ask EthicsPointhow to better collect, manage and learnfrom your risk-related data.Visit us at www.ethicspoint.com.Health Care Compliance Association • 888-580-8373 • www.hcca-info.org59May 2011

ReseaRchComplianceHCCA AdRegister todayand enjoy theflexibility of twoconferences forthe price of one!Complimentary access toSCCE’s Higher EducationCompliance Conferenceis included with yourResearch ComplianceConference registration.The parallel schedulegives you the freedom toattend sessions at eitherconference—two for theprice of one.ConferenceJune 12–15, 2011 | austin, TXCome to Austin, Texas, June 12–15 to learn best practices and the latest thinking on:• Implementation of the Sunshine Act provisions to the Health Care Reform Package• Handling the updates to the Medicare as Secondary Payer Rules and the effect onresearch‐related injury• Responding to changes to CMS Clinical aResearch Policy (replacing the MedicareNCD for Clinical Trials)• And much, much moreYou’ll hear directly from representatives from NIH, OHRP, ORI, the FDA, the OIG, andthe DOJ, and from other industry experts who can provide practical perspectives forhow to handle your research compliance risks.LeaRn moRe and RegisTeR aTwww.hcca-research-conference.orgMay 201160Health Care Compliance Association • 888-580-8373 • www.hcca-info.org