INSIDE INSIDE - Health Care Compliance Association

Volume SixNumber TenOctober 2004Published MonthlyMeetKarenCollierREGISTER TODAY!FOR THE PHYSICIAN PRACTICE COMPLIANCE CONFERENCEOCT 7- 8, 2004, SIR FRANCIS DRAKE HOTEL SAN FRANCISCOFor more information go to the HCCA Website, www.hcca-info.orgor see page 48 of this issue.INSIDELeadership letter23346911121418222526News FlashOn the calendarMock surveys infecthospital complianceNonprofit hospitallitigationSeven componentframeworkWeblinksCompliance insideand outMeet Karen CollierEvidencing effectivecostCEO’s letterFYINonprofit governance

AL JOSEPHSHCCA PresidentDearColleaguesI recently attended the freshman convocation where my daughterwill be attending college. It included the most succinct code ofconduct I have come across.Honor Code:An _ _ _ _ _ does not lie, cheat or steal or tolerate those that do.We often make things harder than they need to be.Know the code.HCCA’SHCCA exists to champion ethicalpractice and compliance standardsMISSIONin the health care community andto provide the necessary resources for compliance professionalsand others who share these principles.HCCA • 5780 LINCOLN DRIVE, SUITE 120 • MINNEAPOLIS, MN 55436October 20042Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

NEWSFLASHCMS to strengthen efforts to reduce Medicare andMedicaid Fraud and AbuseOn August 27, Centers for Medicare & Medicaid Services(CMS) Administrator Mark B. McClellan, M.D., Ph.D.announced a new CMS initiative and a proposed regulationto protect the nation's largest federal health programs fromfraud and abuse and further reduce improper paymentsthrough the use of enhanced electronic tools now available.The CMS Press Release about this new initiative follows:"America's taxpayers - and all of our beneficiaries - put theirtrust in us to protect both Medicare and Medicaid fromunscrupulous persons looking to steal from the taxpayer,"said Health and Human Services Secretary Tommy G.Thompson. "By using all of the means we have available,along with more targeted education efforts to health careproviders, we can do even more to protect these programsagainst both fraud and abuse."CMS is building on its current program integrity efforts byimplementing new steps to analyze program data to detectimproper payments and potential areas of fraud and abusein the Medicare and Medicaid programs more quickly andaccurately. CMS is using these analyses to more effectivelyeducate providers and beneficiaries about ways to preventand minimize waste, fraud, and abuse. CMS' program integrityefforts are being expanded beyond fee-for-serviceMedicare to encompass oversight of the discount drug cardprogram, Part D prescription drug benefit and the newMedicare Advantage plans. CMS is also planning to focusmore efforts on its oversight of Medicaid program integrity.HCCAONTHEONCALENDAR2004 CONFERENCES:(See page 5 for upcoming audioconferences)LOS ANGELES, CA■ HIPAA Security WorkshopOctober 21 - 22■ Resident Compliance TrainingOctober 20SAN FRANCISCO, CA■ Physicians PracticeCompliance ConferenceOctober 7 - 8ORLANDO, FL■ Southeast Area MeetingOctober 22■ Compliance AcademyNovember 8-11CHICAGO, IL■ North Central Area MeetingOctober 1■ HIPAA Security WorkshopOctober 18-19■ Resident Compliance TrainingNovember 5BALTIMORE, MD■ AHLA/HCCA Fraud andCompliance ForumSeptember 26-28LAS VEGAS, NV■ Advanced AcademyOctober 25 - 29■ Desert Southwest AreaMeetingNovember 5■ Research ComplianceNovember 7-9NEW YORK, NY■ Central Northeast AreaMeetingNovember 15PHILADELPHIA, PA■ Mid Atlantic Area MeetingOctober 15■ Resident Compliance TrainingDecember 32005LOS ANGELES, CA■ Compliance AcademyFebruary 7-10, 2005NEW ORLEANS, LA■ 2005 Compliance InstituteApril 17-20LAS VEGAS, NV■ HIPAA Security WorkshopJanuary 27-28DALLAS, TX■ HIPAA Security WorkshopJanuary 24 - 25 ■RESOURCES"The vast majority of health care providers want to do theright thing," said CMS Administrator Mark B. McClellan,M.D., Ph.D. "One of the most important ways to preventfraud and abuse is for us to be clear about what theMedicare and Medicaid rules are, and that means educationand collaboration with responsible providers."In addition to announcing its enhanced steps to analyze programdata, CMS issued a proposed regulation calling onstates to report improper payments in Medicaid and StateChildren's Health Insurance Programs to HHS. Under theContinued on page 24HCCA • 888-580-8373 • www.hcca-info.orgFor more information aboutevents or resources, checkout the HCCA Website,http://www.hcca-info.org orcall 888/580-8373.■ Monitoring & AuditingPractices for EffectiveCompliance■ Compliance, Conscience,and Conduct , a videobasedtraining program■ Compliance 101■ Individual & Small GroupPhysician PracticeCompliance: What everyphysician should know■ Privacy MattersA video-based HIPAATraining Program■ HCCA’s New Guide toResident ComplianceTraining ■October 20043

By Stephanie L. Bayer, J.D.Editor's note: Stephanie L. Bayer, JD,is Director of Accreditation andCompliance at Magruder Hospital inPort Clinton, OH. She may bereached by telephone at 419/734-1313 extension 3431.The Joint Commission onAccreditation of HealthcareOrganizations (JCAHO) instituteda new tracer methodology this year toensure health care organizations complywith their national standards. Now, whenJCAHO arrives at an organization to trienniallyverify health care institutions arepracticing safe medicine, surveyors randomlyfollow a patient through theorganization, "tracing" the same steps thepatient took anywhere from admitting todischarge. JCAHO argues that in tracingthe process a patient follows, surveyorscan get a better pulse of the reality ofpatient care. The smokescreen someorganizations previously created to veilany problems in prior years is dissipated.The underbelly is revealed. We all learnwhat is really going on.As Director of Accreditation and Compliance,my job is to ensure our hospitalis preparing for JCAHO, as well as strivingfor excellence in overall complianceinitiatives. To achieve my objectives, amock survey or mock tracer process hasbeen developed. This process dictatesthat once a week, we randomly andunannounced present ourselves in someclinical area and spend an hour "tracing"a patient, much as JCAHO will do.We spend this hour reviewing apatient's chart, asking caregivers questions,and surveying the overall processof communication and care. We areconducting mini-audits directly involvingthe frontline staff.Several exciting developments are comingout of this process. First, staff isbecoming familiar with the new JCAHOprocess, not only eager to perform wellfor us, but to show off for their coworkers.This familiarity can only be of benefitwhen JCAHO arrives. Second, we cantroubleshoot. If we find a problem duringour mock surveys, it truly becomesan opportunity for improvement, andeducation can occur right away with theinvolved parties. Third, we are developinga culture of ownership for complianceissues. The staff understands theyare responsible for excellent performanceon our JCAHO survey and they areresponsible for safe patient care. Four,this process helps make compliance professionalsmore approachable and familiarto the staff. I would like to think Iam no longer seen as someone sitting inan office looking for faults, but rathersomeone they can interact with for clarificationand direction.Fifth, minimal input for maximum outputis achieved. It only takes an hour aweek out of my schedule, yet the randomnessof the process coupled withthe natural desire people have to performwell, is creating a culture in whichpeople are prepping each other andeagerly getting involved.A journal is being kept recording theweekly tracers. This documentationSTEPHANIE L. BAYERallows an opportunity to review commonthemes to help develop organizationalwide education and ensure everyarea is being included. This documentationalso can be forwarded on to thecompliance committee and activity thenreported to the Board of Directors,involving even our highest level indirectlyin the process.The mock survey process is so successfulit may be expanded to incorporateother areas of compliance includingEMTALA surveys and HIPAA surveysamong others.Finally, we have developed a mini-audittechnique giving ownership and participationto the important people whodeserve it; the important people whotreat and care for our community on aday-to-day basis.Maybe JCAHO is on to something withtheir new tracer methodology…ormaybe we are with our preparation.Either way, compliance responsibilityand consciousness is no longer containedsolely in the administrative hallwaybut now infecting the entire organization;an epidemic this hospital ispleased to be contending with. ■October 20044Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Join us for the followingHCCA AudioConferencesGet the latest “how to” information–tools you canimplement–without even leaving your office! Register on theHCCA Website–www.hcca-info.org. You will receive an emaila few days before the conference with any conference handouts,and dial-in information and instructions.➤➤➤➤ Charge Masters - Two-Part SeriesSpeakers: Michael Kovar and Dan GuatschiSeptember 21 and 22➤ Quality Initiatives - Part ISpeakers: Georgette Gustin, Al Josephs and Rory JaffeOctober 5➤ Qui Tam Cases - Two-Part SeriesSpeakers: Marc Raspanti and Dan AndersonOctober 7 and 8➤➤➤➤➤➤ Quality Initiatives - Part IISpeakers: Georgette Gustin, Dr. Mike Myers and Ruthann RussoOctober 12➤ Quality Initiatives - Part IIISpeakers: Cheryl WagonhurstOctober 28➤ Measuring Effectiveness - Two-Part SeriesSpeaker: Kim Brandt and Lisa EgglestonNovember 3 and 8➤ 2005 OIG Work Plan—Your Action PlanSpeakers: Steve Ortquist, Howard Young and Sheryl VaccaNovember 18➤ Initiatives at Program IntegritySpeaker: Kim BrandtDecember 1 and 6HCCA Audio Conferences are a fastand easy way to aquire HCCB CEUs!Health Care Compliance Association • 888-580-8373 • www.hcca-info.org 5

By John P. KraveEditor's note: John P. Krave, Esq. is a exempt status and nonprofit governance;both lay and religious organiza-partner in the Los Angeles office ofDavis Wright Tremaine LLP. He can tions have been targets of suit. Plaintiffs'be reached by telephone at 213/633- lawyers are class-action specialists adept6873 or by email atat bringing and maintaining such suits,Johnkrave@DWT.com.often attracting governmental involvementon the side of claimants. AlthoughClass action lawsuits have cut a the merits of plaintiffs' complaintsheavy swath across American appear legally questionable and factuallyincorrect in many respects, theybusiness, often harvesting billionsof dollars in damages from major allege provocative facts that mayindustries and only slightly less in fees enflame a public frustrated by thefor the claimants' attorneys. Massive litigationagainst companies that produced dotal evidence of health care dysfunc-proverbial $10 aspirin and other anec-everything from tobacco to fast food to tion. The net result of the litigation may,guns has produced many different outcomesand achieved mixed success, but coerced changes in business practices.in some cases, be costly judgments andhas always caused major headaches anddisruption for named defendants, Because the lawsuits are apparentlyregardless of culpability. Nonprofit hospitalsystems are the latest sector of corspondinglaw firms, their allegationsfiled on a coordinated basis by correporateAmerica targeted by plaintiffs' and theories of recovery are similarlawyers, and nonprofit providers may throughout the country. The class actionhave a prolonged fight on their hands. suit filed in a San Francisco federalcourt against Sutter Health (Sutter), aSince early summer, class-action litigationhas commenced against 28 (and 20 hospitals in Northern and Centralnonprofit health care system that ownscounting) nonprofit hospital systems California, illustrates allegations commonto these suits. The named plaintiffthroughout the country based onallegedly discriminatory pricing, inadequatecharity care policies, inappropri-uninsured individuals who receivedand other unnamed class members areate collection practices, and other services from a Sutter facility and evidentlywere charged full rates. A keyimproper business activities. The onlylink among defendants is their tax-allegation in the complaint againstSutter states the factual gist of plaintiffs'complaint in a few short lines:While it promises to provide affordablecare to the uninsured poor,Sutter has engaged, and continues toengage, in a pattern and practice ofcharging unfair, unreasonable andinflated prices for medical care to itsuninsured patients who are generallythe least able to pay these inflatedand unreasonable charges. Sutter, asa self-proclaimed charity, also pursuesaggressive collection techniquesthat often result in lawsuits, judgments,garnishments and bankruptciesagainst uninsured persons.Plaintiff translates these alleged factsinto several novel alternative legal theories,all of which are at least questionablefrom a technical legal perspective,regardless of the defendant's or its affiliates'actual conduct:1. Breach of Contract. Sutter hasallegedly reaped a valuable benefitresulting from its federal tax exemptionunder Section 501I (3) of theUnited States Internal Revenue Code,and has thereby entered into contractswith the United States and/orthe uninsured, pursuant to which itagreed to operate exclusively forcharitable purposes, provide "affordable"medical care to the plaintiff andother uninsured persons, and avoid"aggressive, abusive, and humiliating"collection tactics. Plaintiff and otheruninsured persons are either party to,or were the intended beneficiaries of,this agreement and are entitled toenforce its terms. Sutter allegedlybreached the contract by chargingplaintiff and other uninsured personstheir full, undiscounted rates, whilecharging discounted rates to insuredpatients, failing to use its net assetsOctober 20046Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

to provide affordable care to theplaintiff and class members, and useof abusive and degrading collectionspractices.2. Breach of Covenant of Good Faithand Fair Dealing. In California andmany other states, the parties toevery contract promise by theiractions to act fairly and in good faithin the course of their business dealings.By reason of alleged conductthat amounted to a breach of contractas previously described, Sutterhas violated that covenant.3. Breach of Charitable Trust. By acceptingits federal tax exemption, Sutterallegedly agreed to hold its assets intrust for the benefit of the public.The terms of this trust (called a"charitable trust"), require it to provideaffordable medical care to uninsuredpersons. Sutter allegedlybreached the trust by engaging in thebilling and collections practices previouslydiscussed.4. Violation of State Unfair CompetitionLaws. Like most states, California haslaws that prohibit all forms of unfairand fraudulent business practices,which it describes in broad and generalterms. Sutter allegedly violatedthese laws by charging full rates tothe uninsured, and by deceiving thepublic as to its true corporate character.In some states, the outcome ofthis legal theory is unpredictable dueto the vagueness of unfair competitionlaws and the absence of "onpoint" appellate decisions.5. Unjust Enrichment. Sutter allegedlyunjustly enriched itself by failing toprovide affordable medical carewhile reaping the benefits of its federaltax exemption.Plaintiff and the other class members"pray" for a broad variety of relief,including restitution of unjust benefits,mandatory changes in businesspractices, and attorneys' fees.The settlement reached by NorthMississippi Health Services, Inc. (NMHS)and its affiliates in a threatened (but notfiled) charity care class action may typifythe forms of relief sought by classaction plaintiffs. A press release byplaintiffs' counsel claims that the settlement"could relieve poor patients fromstress of more than $150 million indebt." Subject to federal court approval,the providers agreed to provide discountedcare on a sliding scale to uninsuredpersons with incomes less than400% of the federal poverty limits. Theproviders will issue refunds to uninsuredpatients who have paid in excessof such amount within the past threeyears, and have agreed to comply withfair debt collection practices, and refrainfrom placing liens on real estate orreporting patients to credit reportingagencies for their inability to pay bills.In order to ensure disinterested corporategovernance, NMHS and its affiliatesalso agreed to enact portions of theSarbanes-Oxley corporate reforms thatimpose strict conflict of interest policies.Many nonprofit systems would benefitby reform of their charity care, governance,and collections practices, but fewwish to accomplish these goals at thethreat of protracted litigation, where theonly certainties are extraordinary attorneys'fees and some measure of publicembarrassment. We believe, however,that plaintiffs' lawyers will select targetsbased upon perceived weakness in theseareas of operation, and will be reluctantto expend resources in pursuit ofproviders who demonstrate good faithcompliance with well-conceived policiesdesigned to achieve the very objectivespurportedly advanced by the litigation.The reforms may not even prove costlyon a marginal basis upon considerationof historically low recoveries from privatepatients and the avoidance of attorneys'fees and other resources drained inthe swamp of litigation.More specifically, a proactive strategyshould incorporate elements rangingfrom assessment to monitoring to remediation.For each of their facilities, nonprofithospitals and systems shouldundertake a thorough examination of (i)the amount of financial assistance in theprovision of charity care to the uninsured;(ii) discriminatory pricing that disfavorsthe uninsured when comparedwith other income classes; and (iii) abusivebilling and collection practices. Inorder to ensure that the results of theassessment remain confidential, therequest to individual facilities to compilethe information should be issued throughlegal counsel who should also retain anyoutside experts deemed necessary.Nonprofit providers should considerreviewing existing corporate and hospitalpolicies for comparison with the policiesapproved in February 2004 by the stateand local organizations, and other pertinentindustry standards. They should thenconsider reviewing facility complianceboth with both their own corporate standardsand the industry benchmarks.Knowledge of practices of other localfreestanding and networked nonprofitfacilities may also be relevant to determiningappropriate standards. Legal counselContinued on page 8Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgOctober 20047

Nonprofit hospital systems ...continued from page 7who work with a variety of hospitals maybe a good source of this information.Nonprofit providers should monitorfacility compliance through the use ofsurveys designed to elicit: (i) financialinformation concerning charity care aspublicly reported and as otherwisemeasured by their system, (ii) compliancewith existing policies as establishedby the system and state and regionalhospital associations, (iii) discountsaccorded to private pay patients whohave personal resources, (iv) relationshipswith collection agencies, (v) recentlitigation against individual patients ortheir families, and (vi) admissions documentsthat describe each patient's financialobligations. The hospitals should beespecially vigilant concerning litigationtactics directed against individualpatients (whether by the hospital or onits behalf by collection agencies) whichcould appear abusive or overly aggressiveto plaintiffs' attorneys or the newsmedia. Confidential telephone interviewswith hospital personnel may be a valuabletool for carrying out the assessmentssuggested here.Nonprofit hospitals and systems shouldalso monitor disputes with state andlocal taxing authorities that focus on theprovision of charity care or taxation ofunrelated income. As suggested by theMississippi action discussed above, itwill also be necessary to learn of freehealth care goods and services providedto Board members and other influentialpersons capable of compensating thehospitals for care. "Sweetheart" businessdealings with physicians and boardmembers may also prove an issue. Theselective adoption of Sarbanes-Oxleyprinciples may constitute an inexpensive,yet prudent, means of avoidingthese controversies.Finally, nonprofit hospitals should preparepress releases which describe insome detail their historical mission anddedication to charitable activities. Thematerial should be suitable for immediaterelease so that no delay will occurin the event a lawsuit is filed or otheradverse publicity occurs. The publicrelations effort should highlight notablysuccessful, publicly visible charitableprograms, and demonstrate the advantagesof a financially stable hospital ornetwork in providing high volumes ofquality care to all. Providers should prepareto highlight all of their charitableactivities whether related to patient careor not. Research, education, communityservice, and religious activities are noless important than the treatment ofuninsured patients. Such informationwhen gathered can then be provided asneeded to friends and allies in local,state, and federal government.In the case of nonprofit hospital systems,individual hospitals should consideramending local policies that fail tosatisfy network or industry standards asdiscussed previously. While considerableuniformity among various systemfacilities is desirable, the standardsshould also reflect local issues (e.g., languageor special outreach programs)and different levels of resources availableto various hospitals. Additionally,informal "plans of correction" may benecessary to remedy local hospitals'noncompliance with applicable policies.However, care should be taken thatsuch activities be kept confidential so asnot to suggest the recognition of anexisting problem. To that end, you maywish to utilize legal counsel as a conduitto gain the protection of theattorney-client privilege. ■To order Compliance Today (CT) complete this couponFull Name:Title:Organization:Address:City/State/Zip:Telephone:Fax:E-mail:HCCA individual membership costs $295.00; corporate membership(includes 4 indiv. memberships, and more) costs $2,500.00.CT subscription is complimentary with membership.HCCA non-member subscription rate is $357.00/year.❑ Payment enclosed❑ Pay by charge: ❑ AmEx ❑ MasterCard ❑ VisaCard #:Exp. Date:Signature:❑ Please bill my organization: PO#Please make checks payable to HCCA. Please return subscriptioncoupon to 5780 Lincoln Drive, Suite 120, Minneapilis, MN 55436.October 20048Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

COMPLIANCEFOCUS HCCA/AHIAGROUPOne of the key HCCA/AHIA team initiativesis the Seven Component"SevenComponent Framework. This framework was initiallyFramework" for developed by the AHIA auditing andcompliance auditing & monitoring in monitoring workgroup (A&M workgroup)health care organizationsand has been further refined by theBy: Debi J. WeatherfordHCCA/AHIA team. We believe that bothcompliance and auditing professionalsEditor's note: Over the next several will benefit from using this framework asmonths Compliance Today will a guide in considering the importantpublish articles written by the components of a comprehensive auditingHCCA/AHIA Focus Group. The next and monitoring process. The followingthree priorities for the focus group contains excerpts from this compliancewill be to publish articles and guidancematerials in November andauditing and monitoring framework.December 2004 on (1) planning Compliance auditing and monitoringand performing a compliance risk Achieving effective and compliantassessment; (2) identifying key compliancemonitoring activities with out well defined and ongoing compli-health care functions cannot occur with-references to applicable laws and ance auditing and monitoring processes.regulations; and (3) providing complianceauditing methodologies, serve as the bridge to integrate hospitalAuditing and monitoring processestools and techniques. Debi J.clinical and non-clinical departmentsWeatherford is Director, Internal and allow for addressing critical businessrisks and compliance issues. TheAudit & Corporate Compliance atChildren's Healthcare of Atlanta. following overview identifies the needShe may be reached by email at for auditing and monitoring and outlinesthe seven key components thatdebi.weatherford@choa.orgwill serve as an industry standardA focus group of Health Care Compliance framework for compliance auditing andAssociation (HCCA) and Association of monitoring processes.Healthcare Internal Auditors (AHIA)members met in spring 2004 to explore The AHIA workgroup initially began byopportunities to better define and explain questioning what was needed in the healthauditing and monitoring, and to clarify care arena to improve not only the internalthe roles of compliance and internal audit auditor's role but also non-functioningfunctions as they address issues within health care processes as a whole. It wastheir health care organizations.determined that there was a commondilemma within many health care systemsThe HCCA/AHIA team concluded that where the clinical and financial areas didthere is a need to co-develop auditing not communicate or work together, therebycreating difficult compliance challengesand monitoring materials to assist ourconstituents in more effectively addressingcompliance auditing and monitoring An illustration of such challenges is pro-and inherent risks to the organization.requirements and challenges.vided as follows: Compliance with mostHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgof the high risk Medicare and Medicaidregulations (such as those billing issuesthat create false claims) begins at thepatient point of entry to a health caresystem (outpatient or inpatient services)and continues throughout the revenuecycle until the issuance of a claim forservice(s) rendered. Generally, clinicaloperations govern a patient's medicalservices at the point they enter a healthcare facility. It is during this time thatdocumentation occurs in the medicalrecord, physicians order tests and prescriptions,therapists render therapy services,radiology takes x-rays, phlebotomiststake blood, pharmacy issuesdrugs, etc. While each individual area isgenerating daily charges, there is no correspondingcoordinated review of thefinal claim for complete and appropriatecharges. The patient financial servicesdepartment is typically in a separatebuilding and processes claims based onwhat the clinical personnel submit tothem, either manually or electronicallyvia the patient management and billingsystem. While everyone in these areashas a specific function and duty withinhealth care clinical and financial operations,there are usually a very limitednumber of employees who actuallyunderstand both components and areable to work towards integrating the clinicaland financial functions to produceresults that are compliant with the myriadof applicable laws and regulations.By definition, the roles of the internalauditor and the compliance officerinclude the ability and responsibility toview and function in a health careorganization at a macro as well as amicro (departmental) level (also knownas top down, bottom-up approach).Continued on page 10October 20049

Seven Component Framework ...continued from page 9Without understanding how the entirerevenue cycle fits together, neither internalaudit nor compliance can do theirjob effectively. In recognizing this, wedetermined that auditing and monitoringoperations for compliance were twoessential functions, as well as essentialsteps, in the OIG Model ComplianceGuidance. The OIG and the health careindustry have not yet provided effectivespecific guidance on auditing and monitoringtechniques in sufficient detail formost HCCA and AHIA members to rapidlyramp up and begin implementingthese important aspects of their overallcompliance programs.Our workgroup defined below the differencebetween auditing and monitoringin the context of regulatory complianceas opposed to other financial andoperational aspects of health care thatmay also be subjected to auditing andmonitoring activities:■ Monitoring is a process involvingongoing "checking" and "measuring"to ensure quality control. The processof monitoring is generally less structuredthan auditing and is typicallyperformed by departmental staff.Monitoring involves daily, weekly, orother periodic spot checks to verifythat essential functions are being adequatelyperformed and that processesare working effectively. The processof monitoring can indicate the needfor a more detailed audit.■ Auditing is a more systematic andstructured approach to analyzing acontrol process. It is a formal review(performed by an individual(s) independentof the department) that usuallyincludes planning, identifyingrisk areas, assessing internal controls,sampling of data, testing of processes,validating information, and formallycommunicating recommendationsand corrective action measuresto both management and the BoardIn this regard, while internal audit andcompliance often work hand-in-hand,compliance is typically responsible forproviding oversight and direction forcompliance monitoring processes andinternal audit is typically responsible forproviding oversight and direction ofcompliance audit activities.The Seven Component Framework forauditing & monitoring processesAuditing and monitoring are essentialbut often missing links in health careoperations and the internal audit andcompliance arenas. The lack of adefined framework to address and correctcompliance related issues that arehandled either by compliance auditorsor internal auditors is a critical void thatwe believe should be addressed byorganizations adopting the SevenComponent Framework developed byour workgroup.The Seven Component Frameworkfor compliance auditing and monitoringwill add value by providing organizationswith a methodical approach tomore effectively address difficult complianceissues. The seven componentsare inter-related but do not alwaysneed to be addressed sequentially.Each component should be reviewed inthe most appropriate sequence for thespecific issue or immediacy of the evaluationprocess. We believe that thinkingabout compliance auditing and monitoringin terms of this framework willserve as a useful and effective tool toensure compliance as well as assist inbetter integration of various aspects ofclinical and financial oversight andmanagement functions within healthcare systems.It is important to note that we do notassume that one person will or shouldbe responsible for all the components.Instead, the intended goal is that thesesteps can be used to create a commonmethodology or road map among ateam of leaders for addressing issuesand validating compliance.The Seven Component Frameworkfor compliance auditing and monitoringis comprised of the following:■ Perform a risk assessment and determinethe level of risk■ Understand laws and regulations governingthose areas to be monitoredand possibly audited■ Obtain and/or establish policies forspecific issues and areas, defineaccountability in the policy, and developprocedures to support the policies■ Educate on the policies and proceduresand communicate awareness ofkey requirements.■ Monitor compliance with Laws,JCAHO, and organization's policiesand procedures■ Audit the highest risk areas■ Re-educate staff on the law, policiesand procedures, issues identified inthe audit, and corrective actionsplanned or takenImplementing the Seven ComponentFramework for auditing & monitoringEffective coordination, joint annualplanning, and specific project planningby compliance and internal audit functionsare essential for successfully integratingauditing and monitoringOctober 200410Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

processes within an organization.The HCCA /AHIA auditing andmonitoring focus group believes thatcustomization of the framework foreach organization will depend on eachhealth care entity's organizational structure,assigned resources to complianceand internal audit functions, governancemodel, and related strategies. Asfuture articles are developed to expandon each component of the SevenComponent Framework, further guidancewill be provided on recommendedroles and responsibilities for the complianceand internal audit functions.About the focus group:The HCCA/AHIA auditing and monitoringfocus group will be developing aseries of additional articles regarding theseven components to expand on theroles of compliance and internal auditfunctions, provide detailed "how tosteps", and discuss the essential coordinationlinks between compliance, internalaudit, legal, and management thatare necessary for each component.HCCA / AHIA focus groupMembers are:■ Randall K. BrownBaylor Health Care SystemRandalBr@BaylorHealth.edu■ Britt H. CrewseDuke University Health Systemcrews012@mc.duke.edu■ Al W. JosephsHillcrest Health Systemal.josephs@hillcrest.net■ Glen C. MuellerScripps HealthMueller.glen@scrippshealth.org■ Debi J. WeatherfordChildren's Healthcare of Atlantadebi.weatherford@choa.org ■WeblinksStaff; Hospital Bed System DimensionalGuidance to Reduce Entrapment;CMSAvailability■ CMS Discussion http://a257.g.akamaitech.net/7/257/Paper on USP Draft Model Guidelines 2422/06jun20041800/edocket.accesshttp://www.cms.hhs.gov/medicarereform/USPWhitePaper.pdf.gpo.gov/2004/04-19656.htm■ August 27 - CMS - Proposed Rule■ Changes to the Hospital Outpatient Medicare: Civil money penalties, assessments,and exclusions and relatedProspective Payment System forCalendar Year 2005appeals procedures, Correction,http://www.cms.hhs.gov/providers/ho http://a257.g.akamaitech.net/7/257/pps/2005p/1427p.asp?2422/06jun20041800/edocket.access.gpo.gov/2004/04-19257.htm■ CMS proposed regulation calling onstates to report improper payments in ■ Medicaid and Medicare: NationalMedicaid and State Children's Health accreditation organizations; approval-Insurance Programs to HHS.Utilization Review Accreditationhttp://a257.g.akamaitech.net/7/257/2422 Commission,/06jun20041800/edocket.access.gpo.gov/2004/04-19603.htm )■ CMS: Medicare Program; HospiceFor more:Wage Index for Fiscal Year 2005http://www.cms.hhs.gov/media/press/ http://a257.g.akamaitech.net/7/257/release.asp?Counter=11782422/06jun20041800/edocket.accessFact Sheet:.gpo.gov/2004/04-19697.htmhttp://www.cms.hhs.gov/media/press/release.asp?Counter=1179■ August 11 - Final RuleMedicare Program; Changes to the■ CMS Will Pay for Liver Transplants at Hospital Inpatient Prospective PaymentMethodist Dallas Medical CenterSystems and Fiscal Year 2005 RatesFor more:http://a257.g.akamaitech.net/7/257/http://www.cms.hhs.gov/media/press/ 2422/06jun20041800/edocket.accessrelease.asp?Counter=1173.gpo.gov/2004/04-17943.htm■ CMS: 2.9% Increase Predicted in ■ August 16 - Proposed RuleMedicare Rural Hospice RatesMedicare Program; Proposed ChangesFor more:to the Hospital Outpatienthttp://www.cms.hhs.gov/media/press/ Prospective Payment System andrelease.asp?Counter=1176Calendar Year 2005 Payment Rates;http://a257.g.akamaitech.net/7/257/Federal Register2422/06jun20041800/edocket.access■ August 30.gpo.gov/2004/04-18427.htm ■FDA - Draft Guidance for Industry andFood and Drug AdministrationHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgOctober 200411

By Jo Anne E. BurkhardtEditors note: Jo Anne E. Burkhardt, and develop policies and procedures tois President of PMC Solutions, Inc., ensure that the practice started with ain Vernon Hills, IL. JoAnne may be good foundation. He insisted on beingreached by phone at 847/549-8081 involved every step of the way. Dr.Example was motivated both by theIf you were one of the fortunate fear of the monetary penalties and hispeople to attend the HCCA desire to do things right. He realizedCompliance Institute in Chicago that he had little knowledge of theyou probably heard several of the billing regulations and other issues. Hespeakers discuss the potential compliancerisks that we face as Compliance pliance problems were not addressed.understood fully the risks if these com-officers today.Dr. Example executes a narcotic agreementwith every patient that clearly out-In the physician environment there areusually very few dollars actually allocatedto compliance. Generally the Practice discussed with each patient at the timelines the patient's role. The agreement isManager is asked to wear yet another of the first encounter. Dr. Example will"hat" and assume the role of the not renew prescriptions without seeingCompliance Officer. It is genuinely a the patient to evaluate whether thechallenge to try to manage a physician medication is working and if there aremuch less adequately address the risks any problems. Each patient is requiredof compliance.to establish one pharmacy to obtainprescriptions and Dr. Example and hisCertainly each specialty also presents its staff establish a rapport with the pharmacyto inform them of their narcoticown set of risk areas. In the area ofpain management, the physician is agreement and the patient's role.especially challenged by the narcoticprescriptive issues. Much has changed Dr. Example has an electronic medicalover the years and the pain managementspecialist has truly had to adjust. ters and procedures are documented.record where all prescriptions, encoun-When a pharmacy calls, his staff is ableDr. Example is an interventional pain to immediately review the records tomanagement specialist who established determine what was done. Dr. Examplea compliance program in the early has tried to do things correctly. Whatnineties recognizing that there were Dr. Example did not realize is that compliancerisks do not only occur fromnumerous risk areas. He was, at thetime, an independent solo practitioner within the practice. Patients also presentwho decided to add physicians to his genuine compliance challenges.practice and wanted a base line audit toidentify the risk areas and develop a John Doe came to Dr. Example's practicein late 2003. He was a young gen-plan to address the risks. He enlistedthe assistance of consultants to develop tleman who had been injured in anthe plan, perform the baseline audit, automobile accident and had chronicneck and back pain. His internist recommendedthat he see a pain managementspecialist for pain control. A completeH&P was done, and tests wereordered to determine the extent of theinjuries as these tests were not availablefrom the internist. Based on the tests,interventional procedures were ruledout and pain medications were recommended.John Doe returned to the clinicas required for medication management.He was the "ideal patient" as healways followed Dr. Example's instructionsand the medications seemed to beworking. In early 2004, Dr. Example'sPractice Manager received a call fromJohn Doe's pharmacy verifying his diagnosis.The Practice Manager was curiouswhy the pharmacy was questioning thediagnosis since they had been filling theprescription for months. The pharmacistindicated she was new and that shesimply wanted to understand why thepatient needed all these medications. Inresearching this further the PracticeManager found that the pharmacy hadfilled multiple prescriptions for severaldrugs. These were all scripts supposedlywritten by the practice. The PracticeManager asked the pharmacy to faxover the original scripts so she couldverify them. In the meantime, she calledother pharmacies in the area and askedthem is they had filled any scripts forthe practice for John Doe. She learnedthat ten pharmacies had scripts from thepractice for John.After reviewing the scripts and verifyingall of them the Practice Manager discoveredthat the majority of them were forgeries.Very concerned at this point shespoke to Dr. Example to determine howto proceed. Dr. Example was angeredand directed her to call the police andOctober 200412Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

eport the crime. She called the localpolice and filed a report.The next day the local police called andtold her that they had no jurisdictionover the crime and she would have tocontact the police in the suburbs wherethe pharmacies were located. They indicatedthat there was no crime committeduntil the script was presented to thepharmacy. The Practice Manager arguedthat the crime was forgery and that Dr.Example did have a claim but she wastold that there was no forgery until thescript was presented. She contacted thelocal police in the suburbs where thepharmacies were located. She was toldthat the doctor could not file a complaintonly the pharmacy.She then called each pharmacy and was toldthat they were part of a large corporationand the attorneys for the corporation wouldhave to decide if a complaint could be filed.She was infuriated that no one seemed concernedabout this issue. She called several ofthe pharmacies and asked for the attorney'sname and then called each attorney.She happened to read the article inCompliance Today about identitytheft and realized that Dr. Example'sidentity had been stolen. This patientused Dr. Example's DEA # and reproducedhis script and forged his signature.Inspired by this article, sheresearched the identity law and calledthe police back. She told them that Dr.Example had every right to file a claimbecause of identity theft. This patientused his DEA # which is his identityand forged his signature on scripts. Sheknew that the penalties were severeand that the claimant is the individualwho suffered from the theft. A Detectivewas then assigned to review the matter.Evidence was turned over to supportthe claim and the suspect was apprehended.It was determined that JohnDoe sold the drugs at a significant profit.John Doe is being prosecuted undermany counts.What did we learn from this as complianceprofessionals? We learned:1) Our roles in compliance are alwayschanging and we have to understandthat we must constantly stay informedabout all aspects of compliance.2) Risk areas are not always from withinand we must be sure that our complianceaudits includes external forcesas well as internal.3) Many times we are faced with stumblingblocks in our pursuit of what isright and we have to be creative infinding solutions.4) We must always understand the lawsand regulations fully as they apply toa particular problem.5) Once we identify a problem we mustlook for ways to ensure that it islikely not to recur.6) We are not alone and we must seekassistance from the invaluableresources available to us.Dr. Example was pleased with the outcome,however he realized that hispractice was vulnerable. He decided tomake the following changes to addresshis concerns:1) He now prints his narcotic agreementon the bottom of every script so thatthe pharmacy knows the patient'sresponsibilities regarding medicationmanagement.2) He is now requesting from the pharmacyon a random basis, a list of allprescriptions for randomly selectedpatients. The narcotic agreementgives him the right to do so.3) He developed a brochure to send tothe pharmacy that describes his protocolfor medication managementand encourages the pharmacy to callhim if they have any concerns abouthis patients. The brochure outlinesthe types of narcotics that are notprescribed and the usual frequencyand dosages of the medications thatmay be used by the practice.4) He changed the message on hisanswering machine for the pharmacyline to state once again the policy forscripts and asking the pharmacy'shelp in identifying if patients areabusing the system.Dr. Example thanked his PracticeManager for her tenacity and creativity.He knew that if she had not been sopersistent the matter would never havebeen resolved. The Practice Managerwas grateful for the support given byHCCA and all the resources that wereavailable to her through their websiteand reference materials.Just as the compliance risks are insideand out so are the solutions. Seek outwhatever assistance you need fromwhatever reputable resources necessaryand encourage your physicians to supportyour need to do so. ■ResidentComplianceTrainingWorkshopsLos Angeles, CA Oct 20, 2004Chicago, IL, Nov 5, 2004Philadelphia, PA, Dec 3, 2004Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgOctober 200413

BC: What in your background doyou feel prepared you for life as a complianceprofessional?KC: Having the legal education, andfrankly, having enjoyed law school asmuch as I did, really helps when I haveto slog through mountains of regulations,rules, NPRMs, and that type ofstuff. I probably shouldn't admit this, butI actually like reading that kind of matefeaturearticleMeet Karen L. CollierOctober 200414Editor's note: HCCA Board memberBritt Crewse conducted this interviewwith Karen L. Collier, CorporateCompliance and Privacy Officer forEmergency Physicians BillingServices. She may be reached by telephoneat 800/962-3303 or by emailat collierk@epbs.comBC: Karen, tell me about your backgroundprior to compliance?KC: Looking back, it seems like mycareer has followed a natural progressionto where I am today, which I findinteresting, because the position ofcompliance officer wasn't even somethingI had heard of when I first startedin this field. I've been working exclusivelyin health care law and policy forover twelve years now. After a stint inan oil and gas law firm, I was an AssistantAttorney General for the State ofOklahoma in the early nineties. I leftthere to take a legal analyst position ona two-year study grant with the OklahomaGovernor's office. It was a StateInitiative on health care financingreform, funded by the Robert WoodJohnson Foundation. There were sevenof us on the grant, working with thevarious state agencies, medical schools,hospital and medical societies, consumeradvocates, and policymakers todevelop proposals for a new health carefinancing structure that would allow themost efficient and effective use of theCorporate Compliance and Privacy Officerfor Emergency Physicians Billing Servicesstate's health care dollars. It was anenormous task. We also staffed theGovernor's Commission on Health Care,which was an appointed body primarilylooking to solve the state's Medicaidfunding crisis.That was one of the most fascinatingexperiences of my professional lifeso far. I learned a huge amount abouthealth policy and the financial side ofhealth care in those two years, as wellas the nitty-gritty of the political process,and the maze of regulatory hurdles payors,providers, and patients face. Thiswas the era of the White House TaskForce on Health Care, so we had lots ofnational debate going on at the sametime. It was a pretty wild time to be afledgling health care policy wonk.When the grant was completed, Ifollowed our principal investigator tohelp him start up a new state healthcare authority, which took over the runningof the Medicaid program from thetraditional welfare agency. We wrote anew state plan to shift the program to amore managed care approach, and Iwas the Director of Health Plan Designfor the SoonerCare program when itfirst came into being. I worked on RFPsand contracts for the managed careplans serving the Medicaid population,Health Care Compliance Association • 888-580-8373 • www.hcca-info.organd served as a liaison with the feds atHCFA during that time. After putting infive years at the agency, the programwas pretty much developed, and Imoved to my current position back inthe private sector.

ial most of the time. The state governmentexperience, both at the AG's officeand the Oklahoma Health CareAuthority, helped to give me a regulator'sview of certain things, which hascome in handy at times. Also, the policybackground is great for me, because Ideveloped the ability to look at thingsfrom all sides, to see the big picture onissues, which I think makes me betterable to analyze and explain changes toregulations and system structure issues.My undergraduate degree is in finance,so having that business backgroundhelps out, too, especially in the nonclinicalsetting I'm in.BC: Tell me a little about your position,what your title is and what doyour responsibilities include?KC: I've served as the CorporateCompliance Officer for MedicalConsultants, Inc. for almost five yearsnow. That's the official corporate namefor the company, although our biggestline of business is EmergencyPhysicians Billing Services. We alsohave a dictation service, and do practicemanagement and consulting, aswell as some billing for other types ofproviders, but most people know usunder the EPBS name.I was hired to operate the complianceprogram right after the companyhad signed a five-year CorporateIntegrity Agreement (CIA) to settle alawsuit that had dragged on for severalyears. That was in 1999, and we are atthe end of the CIA period this year. Sofar, my primary responsibility for thecompany is to make sure we are incomplete compliance with the terms ofthat Agreement with the government.There are reporting and auditingresponsibilities with the CIA, as well astraining and education, etc.—really allthe things that a good compliance programhas. The EPBS compliance programstructure under the CIA looks verymuch like the model structure youwould put in place under the OIG'sGuidances. So even though the CIA willbe over in a very short while, myresponsibilities, and our program, won'tchange all that much.In addition to answering questions,investigating issues, and doing a lot ofresearch, and writing on rules and regulations,I run the compliance training,which we provide in live, classroomsetting format for all new hires on amonthly basis, as well as the annualrefresher training for all employees. Ichair the Corporate ResponsibilityCommittee, handle communication withthe OIG, write articles on compliancetopics for our monthly Client Bulletins,and try to serve as a resource to anyonein the company or with a clientgroup who has an issue or question.Our internal quality assurance processis performed at the operational departmentlevel, but I and my committeereview audit results and try to monitorthe QA process from a centralized positionin the company. We have almost450 employees here in Oklahoma City,so there's quite a lot to keep an eye on.BC: What are the unique compliancechallenges of working with a billingservices company?KC: In some ways it's nice to be in aniche environment, where we primarilyspecialize in just one area of healthcare, concentrating on the coding andbilling piece. On the other hand, we dobusiness in over thirty states, with literallyhundreds of payors, so it is complicatedfrom a business-wide standpoint.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgBRITT CREWSEIt's also challenging to work with somany different physician groups, rangingfrom a handful of doctors to severalhundred per group.As the compliance officer for anational company, I have to be able tospeak intelligently on a variety of differenttopics with my clients and colleagues,and it's really the state-to-statedifferences, as well as the practice differences,that make it complex. Primarily,we work for independent emergencyphysician groups around thecountry, but we also do coding andbilling for hospitals on behalf of theirEDs, groups which staff urgent careclinics, and some other outpatient andhospital-based specialties.BC: What do you find yourself followingmore—the ComplianceGuidance for Physician Group Practicesor the Compliance Guidance for Third-Party Medical Billing Companies?KC: That's a good question, becauseI've used both as resources over theyears, but I'd have to say that I've usedthe billing company guidance more asfar as our own company's compliancestructure. I often work with our clientsin helping the physician groups set up,Continued on page 16October 200415

Karen L. Collierimplement, and refine their complianceprograms, and so I use the physicianpractices guidance more in those settings.I pull from both in doing mycompliance training, both for ouremployees and the compliance presentationsI do for our clients. After seeingthe new and improved format and contentof the proposed supplementalGuidance for hospitals, I look forwardto seeing something along those linesfor billing companies and physicianpractices, too.BC: As a compliance officer withEmergency Physicians Billing Services,are there separate compliance officersor contacts for the hospital, clinics, etc?Do you work on a compliance liaisonapproach?KC: Most, if not all, of our clientgroups have named a compliance officerof their own. A few of the really biggroups have full-time staff serving ascompliance officers, but most of ourclients use a high-ranking physicianmember of the group in that function.The facilities that our clients staff alsohave their own compliance officers, andI frequently interact with the hospitals'compliance people on contract issues,etc. Some of the groups have their ownreporting hotlines, etc., but others, especiallythe smaller ones, may rely on thehospitals' programs more heavily. I reallytry to reach out to the physician complianceofficers and give all the assistanceI can for their compliance efforts.While our company's focus is almostexclusively on coding, billing, and paymentissues, our clients have Stark,Anti-Kickback, EMTALA, clinical, andother issues incorporated in their programs.I have to be up to speed on allthose areas in order to work with themeffectively.EPBS publishes a monthly ClientBulletin that includes articles on compliance,medical record documentationissues, hot topics, and other informationin each issue. We send these monthlyBulletins out to each individual physicianelectronically, and not just to thegroup leaders, and have received a lotof good feedback from the docs. Itgives them a regular avenue to learnand stay caught up on important complianceissues. We also have professional-levelpersonnel in our organizationthat work with each client group andgive training and feedback on documentationissues, contracting, financialand practice management, and the like.BC: What does the compliance organizationalstructure look like? Howmany staff do you have and what positionsdo they hold?KC: I have a small office, with onestaff member, but many of the departmentleaders, client representatives, anddepartmental QA staff really performcompliance functions regularly. My righthandperson is the Coding ComplianceOfficer for the company. She's an amazingstorehouse of knowledge about codingand reimbursement issues, and areal expert on Medicare, having workedfor the Oklahoma Medicare carrier formany years before coming to EPBS. Sheworks with the Coding department andour fifty-plus coders, and with theclients and our Client Services departmenton all sorts of issues. She alsokeeps track of all ongoing audits, internal,external, payor audits, etc., for thewhole book of business.BC: What are the top challengeswhen dealing with physicians in regardsto compliance, and how do you dealwith them?KC: I consider myself very fortunateto work with so many smart, dedicatedprofessionals. Having said that, doctorsare notoriously independent and mostaren't really enamored of compliancetopics, to say the least. So, one of thebiggest challenges for me is to communicatewhy this stuff is important tothem. I will say, with EPBS' experienceduring the lawsuit in the mid-nineties,most of our clients realize that evenwhen you try to do the right thing, itcan still go wrong, and that it takeseffort to achieve compliance goals. Thatfact, as well as the extremely strong corporatesupport my office has from thecompany, helps me draw a bright linewith clients in communicating complianceexpectations. Frankly, we don'tparticularly want clients who aren'ttuned in to basic compliance issues. Ifwe need to help them get there, wewill, or if they don't want to be there,maybe they should go elsewhere. I'mhappy to say that we haven't had a caseof a client refusing to adapt behaviors orimprove in areas that might cause concern.But I'm confident that if we did,my CEO would be more sympathetic tomy position on the compliance issuesthan just to the financial aspects of therelationship.BC: What impact has HIPAA Privacyimplementation had on your office?KC: In my previous job at theOklahoma Health Care Authority, I haddone a lot of research and study onHIPAA Administrative Simplification, sowhen I joined EPBS, it seemed like anatural fit that I should work on ourHIPAA projects, too. So, several yearsago, I approached the CEO and asked ifOctober 200416Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

he would make me the HIPAA pointperson, which evolved into the PrivacyOfficer for the company. I've headed upthe implementation of our HIPAA effortsfor privacy, and worked with the I.S.department on the TransactionsStandards and Security regulations.For the most part, the HIPAA privacyrules didn't cause us to make anymajor changes to our procedures. Wehave always been very strict with confidentiality,and had most of our privacysafeguards and processes in place longbefore HIPAA required us to. We haveimplemented tracking systems for disclosureerrors or violations, and I havetrained all our employees on thespecifics of the HIPAA regs. Werevamped our Confidentiality andSecurity Agreements that all employeesand contractors sign, to incorporateHIPAA privacy and security safeguards.Other than that, we didn't have to do awhole lot—our offices are secure andnot open to the public, and our computersand files have always beenlocked up and key card or passwordprotected.BC: How do you deal with theeveryday stress of being the complianceofficer for a billing company with somany different physician groups?KC: For me, a sense of humor is themost important thing in life, and it surehelps at work, too. I have very openrelationships with my colleagues. I canblow off steam with a lot of them whenI need to without worrying about howthey're going to take it. Frequently,when things get really wound up,someone will plan and carry out anelaborate prank that breaks the tension.One time when I got back from a conference,my entire office was crawlingwith little green army men, marchingalong all the bookshelves, staging battleson the work table, and holding mydesk toys hostage. Human Resourcescame and took pictures, and the wholecompany enjoyed the joke. It took memonths to find and gather up all thoselittle guys.We have a good working environmentat EPBS, and one of the bestthings about the corporate culture isthat if somebody is going through a badtime, people will really step in withsupport. When I leave work after astressful day, I try to decompress on theway home, but if I can't, I throw myselfinto cooking or working on an art projector one of my hobbies to release andredirect the stress. Learning new thingsand having a variety of outside interestsseems to keep me in balance no matterwhat is going on at work.BC: What do you see as the next bigagenda item for compliance?KC: Keeping things fresh and relevantwill continue to be important, andfinding the most effective way toachieve our compliance goals withbudget and resource constraints is goingto be a real challenge. I think as we getmore into Medicare Part D and HIPAASecurity, those will be the focus in theshort term. As far as longer term, myhealth policy background makes mehope that the level of regulation andcomplexity in financing health care canbe reduced. I hope compliance professionalscan play a role in a broaderdebate about our health care deliverysystem in general, including the way wehandle uninsured patients, insurancecontracting, and discounting, and thelike. To be frank, I think as long as thegovernment and the payors make thingscomplicated for the providers, we willhave good job security.BC: What is it about your role ascompliance officer that you most enjoy?KC: I enjoy doing the new hire trainingand having the opportunity to interactwith people all over the companyon a regular basis. Also, I admitted earlierthat I'm a bookworm at heart, and Ireally do enjoy reading and studyinglaws and regulations in order to explainthem, write about them, or implementpolicies based on what I've analyzed. Ilike working with our clients and otherpeers in the industry, and really enjoypublic speaking and doing presentationsto groups about compliance topics.Pretty much, I like everything except filingand organizing all the reams ofpaper with which I deal.BC: What words of advice do youhave for individuals seeking positions ascompliance officers?KC: Pick a good place to work. Thatwill make or break it, as far as I'm concerned.If you believe in what you'redoing, enjoy reading and learning, andcan handle confrontation and stand upfor yourself, you can make a good complianceofficer just about anywhere. Sothe real key is to find a supportive environment,where top management buysinto the compliance concept, and willwork with you, not against you. Life'stoo short to have to constantly fight forevery little thing, or to justify your existenceto your boss and colleagues. Thisis a great profession, with lots of roomfor growth and change. Just make sureyou're spending your time and energieswisely, and with people who appreciatewhat you're bringing to the table. ■Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgOctober 200417

By Lance S. Loria, CPA, CHE, FAAMAEditor's note: Lance S. Loria, CPA, ance risks emanating from classificationCHE, FAAMA, is President of Loria of costs, even when such costs have littleor no impact on the settlement. OneAssociates, LLC, located in Houston.He has 32 years of health care standard used by regulators is the challengeof whether or not the submittedindustry experience. Lance is amember of HCCA, an advanced information was "false or misleading" tomember of HFMA, and recipient of a government agent or auditor. In onethe Founders Medal of Honor case, a hospital CFO instructed anAward. Lance can be contacted for employee to classify certain allowablequestions regarding this article at marketing costs in the administrative andlanceloria@aol.com.general (A&G) cost center rather than inthe marketing department cost center.Today, a significant majority of He reasoned that since those costs hadhospital, nursing home, home been consistently audited and allowedhealth, and other provider in prior audits, that this reporting treatmentwould minimize unnecessary auditservices are reimbursed under prospectivepayment systems. So, why is a "cost scrutiny and simplify the audit. Unfortunately,a jury disagreed and he wasreport" still referred to as a cost report?And why does anyone care if costs are convicted of filing a false statement inreported in compliance with reimbursementguidelines if the payment method-no reimbursement impact.the cost report…even though there wasology is no longer affected by actualcosts? One reason is that CMS continues Cost reports contain an extraordinaryto utilize hospital and other provider amount of detail financial and statisticalreported costs in the determination of data, much of which is not subject toprospective rates. As a result, the mandateremains that such costs be correct-departmental statistical data is accumu-external audit or review. Typicallyly stated in filed cost reports. Another lated by employees from applicablereason is that costs still affect some provider departments (e.g., dietary andaspects of reimbursement such as outlierpayments, transitional PPS rates, and and residents rotation or assignmentcafeteria meals served statistics, internskidney acquisition among others. counts, home health visits, patient days,etc.). Sometimes financial data is developedby accounting department staffIncreasing cost report scrutinyIn recent years, regulatory scrutiny over after year-end in support of cost reclassificationsand adjustments. All too cost reports has increased with compli-fre-LANCE S. LORIAquently, these types of statistical andfinancial data are accepted at face valueor with only minimal comparison toprevious years' data and then reportedin the submitted cost report. It is commonto find in cost report workpaperse-mail communications to documentdata requests and responses that resultin cost report entries. If you have everprepared or reviewed a cost report, thistype of practice is likely to be familiar.If you are one of the chosen few designatedto sign a cost report, the practicesdescribed above could (and should)keep you awake at night.Culpability scoreThe culpability score is an integral partof the Federal Sentencing Guidelineswhich are used to assess the seriousnessof compliance violations and arriveat an appropriate penalty. Culpability isevaluated in terms of:1. The steps taken prior to the offenseto prevent and detect criminalconduct2. The level of involvement andtolerance of the conduct by certainpersonnel3. The actions taken by organizationsfollowing the offenseOctober 200418Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

The culpability score is a range of zeroor less to 10 or more (effectively a 10-point scale). An organization with acompliance violation automaticallybegins with a score of five points. Tothat minimum score may be addedpoints for such matters as:■ Involvement of high-level personnelin the offense or tolerance of theoffense by substantial authority personnel(add 3-5 points depending onorganization size)■ Past history of the same offense within10 years following a civil oradministrative settlement or within 5years following a criminal adjudication(add 1-2 points)■ Violation of a judicial order or conditionsof probations (add 1-2 points)■ Obstruction of justice (add 3 points).The culpability score may be reducedby the following:■ The existence of a program to preventand detect violations of the law(deduct 3 points); and■ Self-reporting, cooperation in theinvestigation, or affirmative acceptanceof responsibility for the conduct(deduct the greatest of 3, 2, or 1points, respectively).In order to minimize the sentencingrisk, an organization can take advantageof the latter item, but most likely needsto have an effective compliance programto detect violations prior to initiationof a qui tam suit, special audit orregulatory investigation to have thegreatest benefit.Federal Sentencing GuidelinesamendedOn April 8, 2004, the U.S. SentencingCommission amended the FederalSentencing Guidelines to provide,among other things, a greater emphasison compliance program effectiveness.Chapter Eight, Part B was amendedwith the addition of a new subpart 2titled, "Effective Compliance and EthicsProgram." This new subpart states inpart:"Such compliance and ethics programshall be reasonably designed,implemented, and enforced so thatthe program is generally effective inpreventing and detecting criminalconduct."To ensure that the compliance programis "generally effective" the followingsteps, among others, are specified:"(5) The organization shall take reasonablesteps-(A) to ensure that the organization'scompliance and ethicsprogram is followed, includingmonitoring and auditing todetect criminal conduct;(B) to evaluate periodically theeffectiveness of the organization'scompliance and ethicsprogram;"While the actual auditing and monitoringsteps are up to the discretion of theprovider to design and implement, it isclear that a regulatory agency will applyjudgment in assessing the effectivenessof the program. A provider will have tojustify to the agency's satisfaction that themonitoring and auditing was effective.Compliance effectiveness studyAn empirical research study of effectivecompliance was published in 2001 andexamined the statistical relationshipbetween a seven-element complianceprogram* and the effectiveness (asdefined by the study) of each element,and discovered that not all of the sevenelements contribute equally to effectivecompliance. Those elements with thegreatest impact on compliance effectivenesswere determined to be:■ Element 3, Training and Education■ Element 4, Lines of Communication■ Element 5, Auditing and Monitoringand■ Element 7, Response and PreventionEvidencing compliance effectivenessManagement is responsible for theimplementation and effectiveness ofmandatory corporate compliance programs.It is critical to build internalcapabilities in light of the increasingregulatory oversight of cost reports andthe recently amended sentencing guidelines.Key components include:■ Confidence that internal controls areoperating to minimize risk■ Competency to assess control, complianceand monitoring procedures■ Confirmation that systems can copewith rapid changes and increasedpublic scrutiny■ Credibility in demonstrating they aredoing all that is reasonably possibleto ensure control systems are up tothe taskAlthough many providers have takensteps to document policies and proceduresrelative to cost reporting matters,significantly fewer have gone as far asthey could to evidence the effectivenessof internal controls.As mentioned earlier, much of the costreport data is accumulated outside ofthe general ledger from operations statisticsand specific financial informationContinued on page 20Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgOctober 200419

Evidencing effective cost ..continued from page 19requests. Such information is not generallysubjected to the broader internalcontrols of the organization.So what can be done? In this author'sopinion, the implementation of a CostReport Compliance Review which focuseson the overall reimbursement managementsystem should be considered.An effective Cost Report ComplianceReview may include a Base LineEvaluation of internal controls over thesources of statistical and financial dataused in the cost report coupled with anAnnual Review to assess the consistentapplication of adequate internal controlprocedures over the accumulation andreporting of information in submittedcost reports. This Annual Review assessmentmay or may not include the"audit" of the underlying financial andstatistical data.Base line evaluationIllustrative Workplan tasks for a base lineevaluation may include the following:1. Evaluate compliance policiesa. Review/update written compliancepoliciesb. Compare existing policies toindustry best practicesc. Assess adequacy of compliancepolicies2. Evaluate procedures and practicesa. Review reconciliation worksheetsfor financial/statistical datab. Evaluate the integrity of datac. Assess supporting documentationd. Review consistency of datae. Assess evidence of internal independentreview3. Evaluate internal review scope andprocessa. Determine the extent and timingof independent internal reviewb. Review internal workpaper documentationand scope of reviewc. Evaluate skill and experience ofindependent reviewerd. Assess procedures relative to clearingreview points, unusual datafluctuations, and other issuesnoted in the reviewe. Assess evidence of internal review(e.g., reviewer initial/sign-off)4. Evaluate procedures for identifying andreporting related party transactions5. Evaluate procedures relative to physicianremuneration and contractualmatters6. Evaluate procedures relative toprovider-based-provider issues7. Evaluate procedures relative to highpriorityfocus issues (e.g., DSH, Baddebts, GME, Kidney acquisition,Adjustments/reclassifications, andnon-allowable costs)8. Evaluate processes and proceduresfor considering industry-wide sensitivecost report issues (e.g., OIGworkplans, DOJ investigations, OIGadvisory opinions,Annual reviewIllustrative Workplan tasks for an AnnualReview may include the following:1. Review existing control environmentpolicies, procedures and practicesbetween the Base Year or Prior Yearto the Current report yeara. Review/update written compliancepoliciesb. Compare existing policies toindustry best practicesc. Assess adequacy of compliancepolicies, procedures and practices2. Review specific key focus areas inrecent OIG Workplans3. Identify regulatory changes and costreport revisions requiring new typesof data4. Evaluate procedures applicable forassuring the integrity of data for sensitivecost report issues (see item 7 inmiddle column)5. Assess the integrity and adequacy ofreview and reconciliation proceduresapplied to statistical and financialdata6. Evaluate procedures for identifying andreporting related party transactions7. Evaluate the cost report reviewprocess8. Evaluate policies, procedures andpractices relative to the proper treatmentand disclosure of the following:a. Non-allowable costsb. Related party transactionsc. Use of estimatesd. Physician remuneration and contractualarrangementse. Issues reported to preserve appealrightsf. Recurring transactions adjusted inprevious auditsg. Other significant and/or sensitivetransactions and issues9. Evaluate process for ensuring compliancewith regulatory developments,OIG advisory opinions, DOJ investigativeinitiatives, and other sensitivecost report matters.For both the base line and annualreview, the findings and recommendationsshould be documented on a basissimilar to other internal monitoring andauditing performed for compliance purposes.To ensure that the review isobjective and comprehensive, it may beuseful to engage external assistancewith the Base Line Evaluation and initialAnnual Review. Based upon whether ornot the review will include an "audit" ofOctober 200420Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

submitted data, an external consultantshould be engaged under the direction ofcounsel to ensure that any findings remainprivileged until fully researched. While theabove described Workplan tasks may not be allinclusive,they are representative of the types ofsteps that can be taken to further evidence management'saffirmative attempts to ensure complianceand evidence the effectiveness of the compliancemonitoring program. The evidencing ofthese procedures is a key factor in the benefitswhich may be realized by the organization in theevent of a compliance violation.The consequences of non-compliance with costreporting rules may run from AdministrativeSanctions, Civil Money Penalties or ProgramExclusion. Since the penalties may be severe, itcould be well worth the additional effort toensure that cost report compliance procedures arenot only effective, but evidenced through anappropriate Cost Report Compliance Review. ■* The seven elements of an effective corporate compliance planare mandatory requirements set forth in the 1991 U.S.Sentiencing Commission Guidelines for Organizations and thegovernment expects all seven elements to be present in acorporate compliance plan.ResearchComplianceConferenceNovember 7 – 9, 2004Aladdin HotelLas Vegas, NVRegister atwww.hcca-info.orgCHCThe Healthcare ComplianceCertification Board (HCCB) compliancecertification examination isavailable in all 50 States. Join yourpeers and become Certified inHealthcare Compliance (CHC).CHC certification benefits:■ Enhances the credibility of the compliancepractitioner■ Enhances the credibility of the complianceprograms staffed by these certifiedprofessionals■ Assures that each certified compliancepractitioner has the broad knowledgebase necessary to perform the compliancefunction■ Establishes professional standards andstatus for compliance professionals■ Facilitates compliance work for compliancepractitioners in dealing withother professionals in the industry,such as physicians and attorneys■ Demonstrates the hard work and dedicationnecessary to perform the compliancetaskCERTIFIED INHEALTHCARECOMPLIANCEThe ComplianceProfessional’s CertificationCongratulations on achievingCHC status! The HealthcareCompliance CertificationBoard announces that thefollowing individuals haverecentlysuccessfully completed theCertified in HealthcareCompliance (CHC) examination,earning CHCdesignation:Lynette M. BergerElizabeth D. ClarkKaren L. CollierAndrea G. CooperBritt H. CrewseDawn M. GoodmanEvelyn F. McClainStephen A. MorrealeJeffrey A. NagelWendy J. ReynoldsNigel M. ThomasCHC Certification, developed and managed by HCCB, became availableJune 26, 2000, since that time hundreds of your colleagues have becomeCertified in Healthcare Compliance. Linda Wolverton, CHC, Director,Compliance, Triad Hospitals, Inc. says that she sought CHC Certificationbecause “...many knowledgeable people work in compliance, and I wantedmy peers to recognize me as ‘one of their own’.” With certification sheis “recognized as having taken the profession seriously, having met thenational professional standard.”For more information on how you can become CHC Certified,please call 888/580-8373,email hccb@hcca-info.org, or visit the HCCA Website:http://www.hcca-info.org/Template.cfm?section=HCCB_CertificationHealth Care Compliance Association • www.hcca-info.orgOctober 200421

The Society ofCorporate Complianceand EthicsRoy SnellAs a part of HCCA'sstrategic planning processthe Board identifiedseven key priorities. Oneof the key priorities isbroadening our scope. As a result, Dan Roach, Chair of thiskey priority, has been working with others to set up a "specialinterest group" ofHCCA called the Societyof Corporate Complianceand Ethics (SCCE).SCCE's mission is tohelp compliance professionalsin other industriessuch as transportation,communication,utilities, finance, etc.As with HCCA, this isdone primarily througheducation and networking.Education and networkingis accomplishedthrough conferences,audio conferences, e-magazines, products,newsletter, workshops,etc. Prior to identifyingbroadening our scope asa key priority, HCCAheld a CorporateResponsibility meetingin 2002 and 2003. Themeeting was also held in2004. This meeting was geared toward industries other thanhealth care. A great deal of experience was gained byHCCA. Odell Guyton, our 1st VicePresident and Compliance Officerfor Microsoft, hosted this meeting.Many Board members have been toat least one of the CorporateResponsibility meetings. Thesemeetings have provided the Boardwith a foundation for their strategicplanning process.“Other industries are experiencingOther industries are experiencing what the health careindustry experienced six years ago, when health care complianceprofessionals had only a rough idea of what wasnecessary to implement a compliance program. Since then,many compliance professionals have struggled with decidingwhere to focus their attention. Many industries are focusingon ethics and others arefocusing on compliancebut struggle, as healthcare has, with how toutilize their resources.what the health care industry experiencedsix years ago, when health careIt has been fascinatingto watch health carecompliance professionalssit next to complianceprofessionals fromother industries. SeveralBoard membershave said that theCorporate Responsibilitymeetings are thebest meetings they haveattended in years. Itmay be because theyare listening to speakersfrom other disciplinestalking about newissues. Boundaries arepushed and new ideasare generated. Manybelieve that it not onlyfulfills the spirit of thestrategic plan to start the special interest group—SCCE—butthat helping others appears to be helping ourselves. ■compliance professionals had only arough idea of what was necessary toimplement a compliance program.Since then, many compliance professionalshave struggled with decidingwhere to focus their attention. Manyindustries are focusing on ethics andothers are focusing on compliancebut struggle, as health care has, withhow to utilize their resources.”October 200422Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Share Compliance DocumentsWith Other HCCA Members...And win one of 12 Dell pocket PC’sCourtesy of:Announcingour 9th winner:LAVONAASHINGEach time you add a compliance documentto the HCCA Websiteyou will have an additionalchance to win a Dellpocket PC* **, courtesyof Sheeder & Welch.Add 30 documentsand you will have 30chances to win eachmonth for a period of12 months–November 2003to October 2004.One Pocket PC willbe given away eachmonth for 12 months. Anynon-copyrighted compliancedocument will count, such aspolicies, procedures, forms, memos, presentations,educational tools, governmentdocuments, articles, white papers, ormiscellaneous documents. Just visiteCommunities on the HCCA Website:www.hcca-info.org*No repeat winners.**HCCA staff members are not eligible.Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgOctober 200423

Medicare and Medicaid Fraud and Abuse ...continued from page 3proposed rule, which is open for publiccomment until September 27, CMSwill require states to estimate theseimproper payments by reviewing amonthly sample of Medicaid andSCHIP claims. This information will beused to determine the accuracy of thepayments based on whether the individualwas eligible for the program,medical review, and data processing.Once CMS receives this informationfrom all 50 states and the District ofColumbia the national error rate will becalculated. (The proposed rule can befound at:http://a257.g.akamaitech.net/7/257/2422/06jun20041800/edocket.access.gpo.gov/2004/04-19603.htm )With the implementation of theMedicare Modernization Act (MMA),CMS has additional responsibilitiesrequiring increased oversight, includingthe Medicare-approved drug discountcard program, Medicare managed careplans, and ultimately the prescriptiondrug benefit.CMS has contracted with a ProgramSafeguard Contractor (PSC), Integri-Guard, to monitor the activities associatedwith drug cards. A critical task ofthis PSC is a weekly assessment of thesponsor's drug pricing information toidentify any "bait and switch" activities.Additionally IntegriGuard will be workingwith CMS to identify and preventpotential fraudulent activities involvingthe discount drug card program, suchas counterfeit cards and identity theftschemes. The PSC will also conduct asurvey of weaknesses in Medicaid drugprograms and how states deal withthose to help CMS prepare for potentialissues and the possible resolutionof those issues that may arise in thenew Medicare Prescription drug benefit."Now, as we get ready to begin anew prescription drug benefit inMedicare, it is the perfect time for usto focus our attentions on strengtheningthe program safeguards," said Dr.McClellan. "We will be able to use theinformation we get to design evenmore appropriate safeguards we canuse in the future as we develop theprescription drug benefit."Program specific vulnerabilities are notthe only area where CMS will be focusingits integrity efforts. Several areas ofthe country have been identified asfraud "hot spots" where unscrupulousindividuals systematically defraud theprograms. To help combat the fraud inone of these areas, Southern California,CMS will open a satellite office in theLos Angeles area to focus Agencyefforts on the large number of reportedfraud activities that have been occurringin that area. Current CMS oversightefforts have identified many illegalstorefront operations set up to defraudthe Medicare and Medicaid programsby billing for services never provided,including an aggressive effort to curbfraudulent billing activities at a numberof home health agencies in theSouthern California area. CMS' effortsin this area have resulted in the successfulsuspension of payments tomany fraudulent entities, stopping paymentsof more than $260 million insavings to the Medicare trust fundbetween January 2003 and June 2004."These illegal operations and otheractivities conducted by unscrupulousindividuals force both federal and stategovernments to pay out millions of taxpayerdollars in improper Medicare andMedicaid payments," Dr. McClellansaid. "We have been successful in lookingclosely at our data to find patternsof fraud, abuse, and improper paymentsand will continue to do just that,while we use even more of ourresources to help reduce simple errorsthrough the use of education efforts."To augment the Agency's new dataoriented approach to program integrity,it is expanding the Medicare-Medicaid (Medi-Medi) match programwhere claims data from both programsare analyzed together to detect patternsthat may not be evident whenbillings for either program are viewedin isolation. As a result of combiningthe data, CMS can identify previouslyundetected patterns, such as "timebandits," providers who bill for a totalof more than 24 hours in a day inboth programs. CMS' goal is to ultimatelyreview this data in "real time."Given its success in the first sevenstates (California, Florida, Illinois, NewJersey, North Carolina, Pennsylvaniaand Texas), CMS is expanding theMedi-Medi project to the states of Ohioand Washington. Federal expendituresin these states exceed $28 billion.CMS recently announced a pilot projectto assess the effectiveness of hospitalcompliance programs by tyingthe elements of a compliance programto data outcomes. While otheragencies in the Department of Healthand Human Services uses complianceprograms, such as the Office of theInspector General's CorporateIntegrity Agreements, there havenever been any definitive studies ofOctober 200424Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

whether those compliance programshave a direct impact on thequality of health care billings. TheCMS pilot will endeavor to showwhether particular actions by a healthcare provider, such as aggressiveauditing and monitoring, have adirect impact on their billings (resulting,for example, in lower claimdenial rates). At the end of the pilot,CMS will issue best practices guidancedetailing the findings of thepilot and educating the provider communityon effective compliance practicesidentified through the pilot. CMSintends to expand this effort to otherprovider types if it proves successful.CMS has seen success through itsComprehensive Error Rate Testing(CERT) program, resulting in anadjusted error rate of 5.8 percent in2003, down from 14 percent in 1996.The CERT program combines dataanalysis with extensive educationefforts to health care providers andthe private companies that payMedicare claims. To build upon theCERT program, CMS is implementingan initiative to determine the paymenterror rate for the Medicaid programand the State Children's HealthInsurance Program."This new technology based approachto program integrity will help ensurethat CMS continues to be a goodsteward of the Medicare and Medicaidprograms," said Dr. McClellan.CMS Program Integrity Initiative FactSheet link:http://www.cms.hhs.gov/media/press/release.asp?Counter=1179 ■FORYOUR INFODowney Regional Medical Center settlementannouncedFirst On August 18, U.S. Attorney for theconviction for Central District of California DebraHIPAA violation W. Yang announced that DowneyThe U.S. Attorney's Office for the Regional Medical Center (DRMC), aWestern District of Washington200-bed hospital located in Downey,announced on August 19 that Richard California, has paid the UnitedW. Gibson, age 42 of SeaTac, Washingtonpleaded guilty to wrongful disclo-resolve allegations that the hospitalStates more than $2.2 million tosure of individually identifiable health submitted false claims to Medicare,information for economic gain. This is the taxpayer-funded health carethe first criminal conviction in the insurance program for many of theUnited States under the health informationprivacy provisions of the Health settlement amount—which totalednation's elderly and disabled. TheInsurance Portability and Accountability $2,220,060—is two times the lossAct (HIPAA) which became effective in suffered by the Medicare program.April, 2003. Those provisions made itillegal to wrongfully disclose personally According to the government pressidentifiable health information. As set release, "Between 1992 and 2001,forth in the Plea Agreement, Gibson hospitals were generally reimbursedadmitted that he obtained a cancer by Medicare for their reasonable,patient's name, date of birth, and social necessary and actual expensessecurity number while Gibson was incurred in providing certain hospitalservices to Medicare patients.employed at the Seattle Cancer CareAlliance, and that he disclosed that DRMC allegedly claimed andinformation to get four credit cards in received reimbursement fromthe patient's name. Gibson also admittedthat he used several of those cards taxpayers who fund the program—ofMedicare—and ultimately from theto rack up more than $9,000 in debt in expenses which were non-allowablethe patient's name. Gibson admitted he and non-reimbursable pursuant toused the cards to purchase various applicable Medicare statutes anditems, including video games, home regulations, including certain:improvement supplies, apparel, jewelry, ■ interest expenses associated withporcelain figurines, groceries, and gasolinefor his personal use. Gibson was Bonds issued by the CaliforniaSeries 1993 Hospital Revenuefired shortly after the identity theft was Health Facilities Financingdiscovered. For more:Authorityhttp://www.usdoj.gov/usao/waw/pres ■ lobbying, legal and marketings_room/2004/aug/gibson.htmexpensesPlea Agreement:■ consulting and management feeshttp://www.usdoj.govFor more:/usao/waw/press_room/2004/aug/pdf http://www.usdoj.gov/usao/_files/cr04_0374rsm_plea.pdf cac/pr2004/106.html ■Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgOctober 200425

October 200426By Michael W. Peregrine and Monte DubeEditor's note: This is Part I of a twopartseries on nonprofit corporategovernance best practices. Part IIwill continue a review of best practicesfrom the Audit Committee (7)through Reviewing Transactionswith Disqualified People (13) as outlinedin a white paper published byMcDermott Will & Emery LLP.Monte Dube is a partner in the lawfirm of McDermott Will & Emery LLPbased in the Firm's Chicago office.As head of the Firm's HealthDepartment, he represents hospitals/healthsystems nationwide andhas served as counsel in the sale,merger, affiliation and acquisitionof hundreds of hospitals and academicmedical centers, hospitalrestructurings, public hospital privatizations,joint ventures, certificateof need and reimbursement litigation,and hospital and medical staffoperational legal issues of all types.He may be reached at 312.984.7549or by email at mdube@mwe.com.Michael W. Peregrine is a partner inthe law firm of McDermott Will &Emery LLP, resident in the Firm'sChicago office. As a member of theHealth Department, he concentrateshis practice in the representation ofnonprofit health care facilities andsystems and other charitable organizations,with particular focus on thecorporate, fiduciary duty, tax andcharitable trust issues facing suchorganizations. He may be reachedby telephone at 312/984-6933 or byemail at mperegrine@mwe.com.With the second anniversary of theSarbanes-Oxley Act now behind us, theimplications of that seminal legislationon nonprofit health care are nowbecoming clear. While the majority ofthe Act's provisions focus on publiclyheld corporations, the "corporateresponsibility environment" spawned bythe Act has most definitely impacted thenonprofit world through a combinationof new legislation, increased judicialscrutiny and heightened expectations ofgovernance accountability generally.Particularly noteworthy among thesedevelopments has been the emergenceof corporate governance "best practices",from a variety of sources; e.g.,the self regulatory agencies, businessgroups and professional associations.These best practices are intended toserve as aspirational goals for corporategovernance in an environment wheremuch greater emphasis is being placedon more attentive board leadership andoversight. There has been a generalrecognition that these "best practices"have a general relevance to nonprofitcorporations, to the extent that theyaddress issues of equal importance tothe stakeholders of public companies,and the constituencies of nonprofitorganizations.The value of "best practices" in the nonprofitworld has recently achieved greaterattention with the June 22 hearings of theSenate Finance Committee on nonprofitcorporate governance, and the expectationthat the Committee may soon introducefederal legislation designed to providefederal oversight and authority withHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgMICHAEL W. PEREGRINErespect to nonprofit corporate governance.The potential for "federalization"of nonprofit corporate law, together withthe materially enhanced scrutiny of nonprofitoperations by state charity officials,provides much greater incentive for nonprofitsin every industry to consider governance"best practices" and adapt theirgovernance behavior as may be appropriate.This is particularly the case inhealth care, which has experienced inrecent years material regulatory and judicialattention to governance oversightconcerns.It is in that context that McDermott Will& Emery has developed the followingset of guidelines as "food for thought”concerning governance "best practices"to assist nonprofit corporations inresponding to the current corporateresponsibility environment. To set theproper perspective, a few importantcaveats are in order. First, these are“Best Practices” guidelines, and do notin most instances, reflect current legalrequirements. Instead, the guidelinesreflect our perspective on evolvingtrends in nonprofit governance and law.There exists no overwhelming legalmandate for their adoption, and a decisionnot to do so is not indicative of a

MONTE DUBEbreach of fiduciary duty.Second, "one size does not fit all."Whether a nonprofit corporation shouldadopt some or all of these "BestPractices" is a decision uniquely withinthe prerogative of each organization'sBoard of Directors based upon a varietyof facts and circumstances unique tothat corporation. It may also be importantto evaluate the impact of state-specificnonprofit corporate and federalexempt organization tax laws and regulationson the implementation of certainguidelines.Third, relevant public policy shouldnot be undermined in situations wherea board elects to combine or consolidatecomponents of individual "BestPractices" guidelines to meet the particularcharacteristics of its institution. Thepolicy goal of enhanced corporate governanceshould not be compromised bywell-conceived variances from theseguidelines: for example, requiring onlya majority (as opposed to complete)control of key committees in "independent"directors; combining certain discretefunctions under one committee forefficiency; and where there is no corporategeneral counsel, identifying an outsidelaw firm to perform certain of thesuggested reporting roles.In the final analysis, the goal of "BestPractices" is the preservation and effectivestewardship of the charitable assetsof the nonprofit corporation.Best Practice No. 11.0 CONSISTENCY WITH CHARITABLEMISSION AND VISION1.1 The Board is ultimately responsiblefor reviewing the Corporation's effectivenessin satisfying its charitablemission. This typically will include:a) Evaluating and modifying (wherenecessary, and subject to receiptof any required regulatory andjudicial approvals) the charitablemission of the Corporationb) A periodic assessment of theCorporation's performance andeffectiveness in achieving missionrelatedgoalsc) Requesting from management, ona periodic basis, reports identifyingspecific means to address perceiveddeficiencies in missioneffectiveness.1.2 The Board periodically should documentits review of the Corporation'scharitable activities in the Corporateminutes.1.3 The Board should be responsible forunderstanding its charitable mission,including the periodic review of theCorporation's Form 1023, Applicationfor Recognition of Exemption,annual Form 990s, and any subsequentcorrespondence with theInternal Revenue Service relating toits tax exempt status. (See Section5.4). The Board should monitor theCorporation's compliance with themanner in which the Corporation'sactivities were described to theInternal Revenue Service and consultwith legal counsel if there hasbeen or will be any material changein operations subsequent to the filingof its Form 1023 with theInternal Revenue Service.1.4 The Board should stay informedregarding material developments inthe laws governing charitable organizationsthrough periodic educationalsessions.Best Practice No. 22.0 RELATIONSHIP OF BOARD ANDSENIOR MANAGEMENT TEAM2.1 Establish an appropriate balancebetween the CEO and BoardChairman roles, either through separationof offices or establishment of"Lead Independent Director" position.2.2 Clearly articulate the role of thenon-executive Chairman (or of theLead Independent Director).Best Practice No. 33.0 FULFILLMENT OF THE BOARD'SOVERSIGHT OBLIGATIONS3.1 The Board should commit to theactive, informed and independentoversight of the Corporation's businessaffairs and of senior management.3.2 At least a majority of the membersof the Board (or of the "Parent"Corporation, if one exists) should be"independent," both in fact andappearance.3.3 The independent directors shouldmeet periodically in executive session(that is, outside the presence ofany senior executive officer).a) The Board should adopt writtenguidelines to assist it in determiningdirector independence, whichHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgOctober 200427

guidelines should be based uponthe absence of any material director indirect relationship with theCorporation, consistent with allfacts and circumstances.b) All members of the Board shouldbe identified as either "independent"or "non-independent" accordingto the Board guidelines. "Nonindependent"directors make valuablecontributions to the Board,and their continued service isstrongly encouraged.3.4 Individual directors should discloseto the Board all information andanalyses of which they becomeaware that may be relevant to theexercise of the Board's oversightobligations. The Board shouldrequire similar disclosure by membersof senior management.3.5 Directors should have reasonableaccess to all officers, senior executiveemployees and professionaladvisors of the Corporation. Anysuch access should be arrangedthrough the CEO or the CEO'sdesignee.3.6 The Board (directly or through theExecutive Compensation or othercomparable Committee) should beresponsible for evaluation of theperformance of the CEO, and forCEO selection and managementsuccession.Best Practice No. 44.0 DUTY OF LOYALTY COMPLIANCE4.1 A written conflict of interest policyshould be adopted that complieswith existing state law requirementsand Internal Revenue Service nonbindingguidance and that recognizesthe potential for conflict arisingfrom material financial and nonfinancialrelationships.4.2 If the Board encounters more than afew conflict of interest issues eachyear, a standing committee comprisedentirely of independent directorsshould be designated to evaluatepotential or actual conflicts ofinterest which are disclosed to theBoard, and any other material transactionbetween the Corporation anda senior executive officer or otherinterested party.4.3 Policies addressing confidentialityand appropriation of corporateopportunities should be adopted tohelp preserve proprietary information,assets and business interests ofthe Corporation.Best Practice No. 55.0 FINANCIAL ACCOUNTABILITY ANDTRANSPARENCY5.1 The Board (working with its Audit orsimilar Committee) should be responsiblefor ensuring the transparencyand the integrity of corporate financialstatements, whether audited orunaudited. In furtherance thereof, theBoard and Audit Committee shouldbe responsible for:a) The adoption of policies addressingaudit partner rotation, properaccounting treatment of materialcorrecting adjustments, off-balancesheet arrangements, and relatedparty transactionsb) The adoption of policies addressingaudit-related activities of corporateemployees formerlyemployed by the Corporation'sauditorc) The adoption of policies prohibitingexecutive interference with theaudit processd) In conjunction with the ExecutiveCompensation or other Committee,and legal counsel, approving allloans, credit extensions and incentivecompensation arrangementsextended to directors and officersof the Corporatione) The adoption of a "Code of Ethics"or "Code of Conduct" for the seniorfinancial officers of theCorporationf) In consultation with legal counsel,ensuring the sufficiency, clarityand timeliness of all financial disclosuresof the Corporation5.2 The Board should ensure the consistencyof corporate expenditureswith statements made in corporatecharitable solicitations, and compliancewith all donor restrictions.5.3 In satisfaction of these standards theBoard should ensure that:a) An appropriate limitation (consistentwith industry standards) isplaced on the amount of administrative/overheadexpenses spent inconnection with charitablemission-related activitiesb) An appropriate limitation (consistentwith industry standards) is placedon the amount of contributionsspent on fund raising activitiesc) The accumulation of funds that arenot used for current program activitiesis no more than the Board,in consultation with managementand advisors, determines to beprudent given the Corporation'sfinancial condition, short- andlong-term needs, and industrytrendsd) Financial information concerningthe Corporation, prepared inaccordance with generally acceptedaccounting principles, shouldbe available to the public onOctober 200428Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

equest. Such information shouldaccurately reflect the Corporation'sexpenses related to fund-raisingactivities, among other expenses.5.4 The Board should ensure that theForm 990 filed annually by theCorporation with the InternalRevenue Service contains as muchinformation as reasonably possibleconcerning mission, goals, programsand other key developments of theCorporation relating to its charitable,exempt status, and is available forinspection by the public in accordancewith applicable federal andstate legal requirements.Best Practice No. 66.0 THE GOVERNANCE/NOMINATINGCOMMITTEE6.1 A standing Governance/NominatingCommittee, comprised entirely ofindependent directors, should beappointed for the purpose of recommendingto the Board:a) Board size, director terms andterm limitsb) Standards for director qualificationsc) Candidates for directorsd) Mumber, structures and membershipof committeese) Committee assignments and rotationof membersf) Director orientation and continuingeducationg) CEO succession policies and candidatesh) Changes to corporate organizationaldocumentsi) Other governance policies andproceduresBibliography1. The Report of the American Bar Association TaskForce on Corporate Responsibility. (James H. Cheek,Esq. Chair); ©2003 American Bar Association (hereinafter,"Cheek Report"). The Cheek Report is availableat http://www.abanet.org/buslaw/corporateresponsibility/final_report.pdf.Note: It is the editors' perspective that the "Cheek Report"is a significant and meritorious development in termsof corporate responsibility and governance oversight.Several of the individual best practices reflected aboveare based upon the specific recommendations set forthin Sections IV and VI of the Cheek Report.2. The Sarbanes-Oxley Act, 15 U.S.C. 7201 et. seq.3. Better Business Bureau Wise Giving Alliance Standardsfor Charity (March 3, 2003), available athttp://www.give.org/.4. United States Sentencing Commission, "SentencingGuidelines for United States Courts," available athttp://ussc.gov./2004guid/2004cong.pdf/.5. "Restoring Trust"; Report to The Hon. Jed. S. Rakoff,The United District Court for the Southern District ofNew York, on Corporate Governance for the Future ofMCI, Inc. (Breeden, Richard C., Corporate Monitor).6. OIG, HHS Compliance Program Guidance for Hospital(1998), available at http://www.org.hhs.gov.//authorities/docs/cpghosp.pdf/.7. Office of Attorney General Tom Reilly, (Proposed) AnAct to Promote the Financial Integrity of PublicCharities (Draft).8. Corporate Responsibility and Corporate Compliance: AResource for Health Care Boards of Directors (April,2003, The Office of the Inspector General of the U.S.Department of Health and Human Services, and TheAmerican Health Lawyers Association), available athttp://oig.hhs.gov/fraud/docs/complianceguidance/040203corpresprsceguide.pdf.9. The Conference Board, Commission on Public Trustand Private Enterprise (Part 2; January 9, 2003).10. The Business Roundtable, Principles ofCorporate Governance (May, 2002).11. General Electric Company, GovernancePrinciples (http://www.ge.com).12. SEC Release No. 34-48745 (November 4, 2003),approving NASDAQ Corporate Governance Proposalsand NYSE Corporate Governance Rules, available athttp://www.sec.gov/rules/sro/34-48745/.13. Report of the NACD Blue Ribbon Commissionon Executive Compensation and the Role of theCompensation Committee ©2003, The NationalAssociation of Corporate Directors.14. Executive Compensation; Principles andCommentary, November, 2003 ©Business Roundtable.15. The Boeing Company, Corporate GovernancePrinciples, available at http://www.boeing.com/.16. General Motors Company, GovernancePrinciples, available at http://www.gm.com/.17. Corporate Governance Principles ofHealthSouth Corporation, available athttp://www.healthsouth.com/.18. ISS Domestic Corporate Governance Policy,(2004 Updates), Institutional Shareholder Services.19. Steven T. Miller, "Easier Compliance is Goal ofNew Intermediate Sanction Regulations," 2001 TaxNotes Today 14-148 (Jan. 22, 2001).20. Gitterman and Friedlander, ""Automatic" ExcessBenefit Transactions Under Section 4958," ExemptOrganizations Continuing Professional EducationTechnical Instruction Program for Fiscal Year 2004.Health Care Compliance Association • 888-580-8373 • www.hcca-info.org21. Brauer and Kaiser, "Tax-Exempt Health CareOrganizations," Exempt Organizations ContinuingProfessional Education Technical Instruction Programfor Fiscal Year 1997.22. Report of the Governance Advisory Panel tothe Executive Committee and the Board of Governorsof the Nature Conservancy, March 19, 2004, availableat http://www.nature.org/.23. Independent Sector Model Code of Ethics forNonprofits and Foundations, February 10, 2004, availableat http://www.independentsector.org/.© Copyright 2004 McDermott Will & Emery.These materials may be considered advertising under therules regulating the legal profession.McDermott Will & Emery conducts its practice throughseparate legal entities in each of the countries where ithas offices. ■Call for authors!Please email your article or topicideas to Compliance Todayeditor, Margaret Dragon, atmargaret.dragon@hcca-info.org.Be sure to include your telephonenumber. Or you may callMargaret at 781/593-4924 todiscuss your article ideas.Issues to consider: EMTALA,Sarbanes-Oxley Act, the Board’srole in compliance, Backgroundchecks: Who and when;Compliance program monitoring;Risk assessment, and more!● September 15(November Compliance Today)● October 15(December Compliance Today)● November 15(January Compliance Today)● December 10(February Compliance Today)● January 14, 2005(March Compliance Today)October 200429

October 200430The Health Care Compliance Associationwelcomes the following new membersand organizations (States Guam -Missiouri). All member contact informationis available on the HCCA website inthe Members Only section -http://www.hcca-info.org - Pleaseupdate any contact information using theHCCA Website or email April Kraft(april.kraft@hcca-info.org) withchanges or correction toy our membershipinformation.Guam■ Angelina Franquez, Information,Training & Dev Group, IncHawaii■ Norman S. Matthews, BBA, CPA,CIA, HMSA Blue Cross Shield of Hawaii■ Nina Viloria, Hawaii Health SystemsCorporationIowa■ Lora Dinsdale, Covenant Health Sys■ Coleen Kelleher, Iowa RadiologyProf Medical Mgmt■ Tony Manderschied, Iowa HealthSystem■ Mary Spitz, Mitchell Co RegionalHealth Center■ Gail Stork, RN, MBA, St Luke'sHospital■ Michael Thilges, Clarke Co.Hospital■ Jerry L. Worden, St Luke's HospitalIdaho■ Amy Bailey-Muckler, CPC, CHC,Hooper CornellIllinois■ Donnica Austin, Sinai Health System■ Kirstin Baum, NorthwesternMemorial Hosp■ Ms. Judy Benninger, RN, MA,Christie Clinic■ Bonnie G. Boerger, NorthwesternMemorial Physician's Group■ Laura Bohler, Downers GroveFamily Practice PC■ Cynthia E. Boyd, MD, MBA, Rush-Presbyterian-St Lukes Med Center■ Jennifer R. Breuer, JD, Gardner,Carton & Douglas■ Gerry Cervone, The Univ ofChicago Hospitals■ April Cueller, Pediatric FacultyFoundation■ Lucy Davis, CIGNA■ Steven Disseler, The GoodSamaritan Home of Quincy■ Michael Dunlap, Protiviti■ Kathy Enbom, Perry MemorialHospital■ Anna V. Evans, JD, Southern IllinoisUniversity■ Gail Fritz, RN, MS, Lake ForestHospital■ Dianna Graham, RN, OSF HealthSystem■ Joseph J. Hrncirik, BCBSIL■ Jennifer Humbert, BA, HeartlandHlth Outreach■ Renita Jackson, Carle ClinicAssociation■ Sheena Jones, Rapid Claim Svcs■ Rajesh Kapoor, PhD, TakedaPharmaceuticals■ Matthew Kates, Deloitte■ Susan Kolk, Covenant RetirementCommunities■ Mary Kong, Evanston NorthwesternHealthcare■ Lisa Lawrence, RN, MidwesternRegional Med Ctr■ Wendy Anne Little, HCSC■ Craig Mack, Gottlieb MemorialHospital■ Tonya Mahomes, Harmony HlthPlan of Il, Inc■ Andrew Melka, Rush Univ Med Ctr■ April Mestousis, KLO ProfessionalBilling, Inc.■ Bret A. Moberg, JD, LLM, RosalindFranklin Univ of Medicine & Science■ Penny Mueller, RN, BA, SpringfieldClinic■ Phil Picchietti, Cancer TreatmentCenters of America■ Debbie Piercy, CHC, Carle ClinicAssociation■ Susan Piland, Massac MemorialHospHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org■ Jeanne Potter, CCS-P, CPC, CCP,Rush Univ Medical Center■ Richard Prebil■ Robyn Ringa, Lake Forest Hospital■ Leatrice E. Schmidt, RN, JD■ Nancy Scott, American HospitalAssociation■ Stephanie M. Serritella, MPH,RHIA, CPC, KPMG, LLP■ Tara R. Shewchuk, ResurrectionHealth Care■ Sharon Sofinski, CCH, Inc■ Michael L. Sumrall, Rush UnivMedical Center■ Masami Tanaka, Protiviti■ Cecilia Taylor, MBA, MidwesternRegional Medical Center■ Holly A. Traversa, Rush UnivMedical Center■ Kimberly Zajczenko, Rush UnivMed Ctr■ Johanna R. Zandstra, BSW, FHA,CCP, Rest Haven Christian Svcs■ Kristina Zane, Crawford MemorialHospIndiana■ Michael Joseph Armstrong,King's Daughters Hosp & Hlth Serv■ Linda Barrett, BS, MT (ASCP),Community Hospital of Bremen■ Lesly Davis, Behavior Corp, Inc.■ LaMont Freeze, Memorial HealthSystem■ Beverly Gault, St Vincent Health■ Cheryl E. Harrison, LutheranHospital of IN■ Kristi Higgins, Goshen HealthSystem, Inc■ Gary Kreigh, Clarian HealthPartners■ Susan B. May, American HealthNetwork, Inc■ Michael K. McKnight, JD, Zimmer, Inc■ Tracy Mitchell, CPA, Bradley &AssociatesKansas■ Joannah M. Applequist, HaysCanterbury Center■ Susan Blackburn, Stanton Co. Hospital■ Annis Werth, Hays Medical Center, Inc.

Kentucky■ Rose Brock, RN, BSN, Lex-FayetteCo Hlth Dept■ Teresa Denny, Anthem■ Nicole Gaines, Bluegress FamilyHealth■ Betty Giarth, Humana, Inc■ Therese Hughes, RN, MPA, FamilyHealth Centers Inc■ Jessica Kearney, Bluegrass FamilyHealth■ Debra Minton, Lifeline HealthGroup, Inc■ Lisa Ray, BSMT, Mary Chiles Hospital■ Henry Lloyd Smith, AppalachianRegional Healthcare■ Gary Thompson, Humana Inc.Louisana■ Susan Jackson, Synergy HealthcareGroup■ Maggie Jarreau, RN, Pointe CoupeeGeneral Hosp■ Fran Nigrello, MPH, PromiseHealthcare■ Betty Rowe, Caldwell MemorialHospitalMaine■ Jean Audsley, CCS, CPC, MaineGeneral Health■ Lynette Berger, CPC, MaineGeneral Health■ Sally Howard, Maine CoastMemorial Hospital■ Asher Kramer, MBA, Martin's PointHealth CareMaryland■ Leslie C. Bender, JD, ROIWebEd■ Kathy Chavis, JD, MPP, Office ofthe Inspector General■ Frances Christmon, MBA, McBeeAssociates Inc■ Diana Fogle, CSC■ Randy Komenski, CPA, CPA, CIA,Bon Secours Baltimore Health System■ Karen McGovern, RN, Sheppard Pratt■ Lynn Pascoe, BS, CPC, Mid-AtlanticNeurology Associates PA■ Yvonne A. Payne, St JosephMedical Ctr■ Caroline Rader, Anne ArundelHealth System■ Ms. Shirley R. Smith, CoventryHealth Care, Inc■ Susan Steinberg, JD, MentalHygiene Administration■ Charles R. Stewart, Southern MDHospital Center■ Sanford V. Teplitzky, Esq., Ober,Kaler, Grimes, & Shriver■ Susan C.L. Theuns, CHC, PA-C,CPC, Medstar Physician Partners■ Joann Wagner, MBA, KennedyKrieger Institute■ Nancy Woods, MHS, Way Station IncMassachusetts■ John Burke, Harvard Pilgrim HealthCare■ Richard L. Dropski, RN, MSN,MPH, Neighborhood Health Plan■ Nina G. Edwards, Esq, Donoghue,Barrett & Singal PC■ Nancy E. Forbes, Ropes & Gray■ Paul Hayes, Hayes ManagementConsulting, Inc.■ William Hrubes, B.S., BS, FreseniusMedical Care■ Karen E. Murphy, RN, JD, BostonMedical Ctr■ Michael T. Myers, Jr., MD, MBA,MDXcel Consulting■ Susan T. Nicholson, Ropes & Gray■ Cathleen O'Keefe, RN, BSN, JD,Presenius Medical Care■ Denise Pedulla, MPH, RN, CHC,Pedulla & Assoc, PC■ Sarah A. Peix, BA, MBA, HealthNew England■ Alice Polley, MBA, Sturdy MemorialHospital■ Lawrence W. Vernaglia, MPH, JD,Hinckley, Allen & Snyder LLP■ Richard P. Ward, Ropes & Gray■ Delia Y. Wolf, MD, MSCI, PartnersHlthcare System IncMichigan■ Steve Bender, St Joseph MercyOakland■ Felicia Douglas, BA, The Wellness Plan■ Sharon Lynn Heath, Blue CareHealth Care Compliance Association • 888-580-8373 • www.hcca-info.orgNetwork of MI■ Judy Kell■ Joan Kirkwood, Spectrum HealthKent Community Campus■ Roy A. Luttmann, Cox, Hodgman& Giarmarco, P.C.■ Gay Marrs, Spectrum Hlth-Reed CityCampus■ Joseph F. Page, Cox, Hodgman &Giarmarco, P.C.■ Meredith Phillips, MSHA, HenryFord Health System■ Bridget Tucker Gonder, RN, JD,Spectrum Health■ Mary-J Waterstraat, Michigan StateUniversity HealthteamMinnesota■ Roseanne Byrne, St Mary's DuluthClinic■ Jeanne Chapdelaine, PartnersHlthcare Consulting Inc■ Linda Ann Jax, Colwell■ John Jensen, University ofMinnesota AHC■ Tonia Lauer, Albert Lea MedicalCenter■ Janet Murphy, MBA, VHA■ Diane Nesset, Ovations■ Sheva J. Sanders, Medtronic, Inc■ Sharon Wilson, Augustana Care Corp■ Kathryn Wrazidlo, RHIA, OlmstedMedical CenterMissouri■ Christine Comer Alfaro, JD,Sonnenschein Nath & Rosenthal, LLP■ Patricia Cook, St Anthony's MedicalCenter■ Brian Elsbernd, JD, MallinckrodtGroup■ Jan Jackson, BA, JD, MOConsolidated Health Care Plans■ Michelle Stark Kaufman, JD,Sonnenschein Nath & Rosenthal, LLP■ Mike L. Lynch, MPA, Univ ofMissouri Healthcare■ Robert Miromouti, Centene Corp■ Steven L. Robino, Coventry HealthCare■ Carey Smith, Univ of MissouriHealthcareOctober 200431

Publisher:Health Care Compliance Association, 888/580-8373Executive Editor:Roy Snell, CEO, HCCA, roy.snell@hcca-info.orgContributing Editor:Al Josephs, President, HCCA, 254/202-8620Layout:Gary DeVaan, HCCA, 888/580-8373, gary.devaan@hcca-info.orgStory Editor:Margaret R. Dragon, HCCA, 781/593-4924, margaret.dragon@hcca-info.orgAdvertising:Stephanie Lentsch, HCCA, 888/580-8373, stephanie.lentsch@hcca-info.orgHCCA Officers and Board of Directors:Al W. Josephs, CHCHCCA PresidentDirector of Corporate ComplianceHillcrest Health SystemOdell GuytonHCCA 1st Vice PresidentSenior Corporate Attorney,Director of Compliance,US Legal-Finance & OperationsMicrosoft CorporationDaniel Roach, Esq.HCCA 2nd Vice PresidentVP & Corporate Compliance OfficerCatholic Healthcare WestAllison Maney, CPA, CHCHCCA TreasurerDirector of Claims Research andResolutionPacificareSteven Ortquist, CHCHCCA SecretaryVP of Ethics & Compliance,Chief Compliance OfficerBanner Health SystemAlan Yuspeh, JD, MBAHCCA Imme. Past PresidentSenior Vice PresidentEthics, Compliance & CorporateResponsibilityHCA, Inc.Julene Brown, RN, BSN, CHC, CPCBilling Compliance ManagerMeritCare Health SystemCEO/Executive Director:Roy Snell, CHCHealth Care Compliance AssociationBritt Crewse, MBA, MHS, CHCAssociate VP and Chief ComplianceOfficerDuke University Health SystemShawn Y. DeGroot, CHCVice President of CorporateComplianceRapid City Regional HospitalSuzie Draper, BSN, RNCorporate Compliance Officer andPrivacyOfficerIntermountain Health CareRory Jaffe, MD, MBAChief Compliance OfficerU.C. Davis Health SystemF. Lisa Murtha, Esq., CHCPrincipalParente RandolphJohn Steiner, Jr., JDChief Compliance OfficerThe Cleveland Clinic Health SystemDebbie Troklus, CHCAssistant Vice President for HealthAffairs/ComplianceUniversity of Louisville, School ofMedicineSheryl Vacca, CHCDirector, National Health CareRegulatory Practice, Deloitte &ToucheGreg Warner, CHCDirector for ComplianceMayo FoundationCounsel:Keith Halleland, Esq.Halleland Lewis Nilan Sipkins &JohnsonCompliance Today (CT) (ISSN 1523-8466) is published by the Health Care ComplianceAssociation (HCCA), 5780 Lincoln Drive, Suite 120, Minneapolis, MN 55436. Subscriptionrate is $357 a year for non-members. Periodicals postage-paid at Minneapolis, MN 55436.Postmaster: Send address changes to Compliance Today, 5780 Lincoln Drive, Suite 120,Minneapolis, MN 55436. Copyright 2004 the Health Care Compliance Association. All rightsreserved. Printed in the USA. Except where specifically encouraged, no part of this publicationmay be reproduced, in any form or by any means without prior written consent of theHCCA. For subscription information and advertising rates, call HCCA at 888/580-8373. Sendpress releases to M. Dragon, PO Box 197, Nahant, MA 01908. Opinions expressed are notthose of this publication or the HCCA. Mention of products and services does not constituteendorsement. Neither the HCCA nor CT is engaged in rendering legal or other professionalservices. If such assistance is needed, readers should consult professional counsel orother professional advisors for specific legal or ethical questions. October 200432 Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health Care Compliance AssociationpresentsPHYSICIAN PRACTICECOMPLIANCE CONFERENCEOctober 7- 8, 2004SIR FRANCIS DRAKE HOTELSAN FRANCISCO, CA2004 PROGRAM WILL FEATURE:TENET’S NEW COMPLIANCE AND QUALITY INITIATIVESNATIONAL EXPERTS DISCUSS PHYSICIAN’S LEGAL ANDREGULATORY COMPLIANCE ISSUESCOMPLIANCE PROGRAM DESIGNAUDIT AND MONITORINGHOT TRENDS IN ENFORCEMENTTOPICS APPLICABLE FOR BOTH SMALLAND LARGE PHYSICIAN GROUP PRACTICESHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org33

Pickup page 32 from August 2004 issueKing & Spalding 1/2 pageHealth System Concepts 1/2 pagePlease send me these files.34 Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org35

Join your Compliance Colleaguesfor theHCCA’s Compliance AcademyFebruary 7-10, 2005, Park Hyatt Los AngelesLos Angeles, CAOr ForHCCA’s Advanced AcademyOctober 25-29, Aladdin Resort & Casino, Las Vegas, NVAbout Compliance AcademyThe HCCA Compliance Academy is a four-day program focusing on subject areas at theheart of healthcare compliance practice. Courses are designed with the expectation thatparticipants have a basic knowledge of compliance concepts and have some professionalexperience (6-18 months) in a compliance function.About the Advanced AcademyThe HCCA Advanced Academy of Compliance if a four-day program focusing onadvanced issues and topics within healthcare compliance. Courses are designed for thosewho have an advanced knowledge of compliance concepts and have had a minimum of 18months in a compliance function.Academy vs. Advanced Academy:The Academy will cover the basic seven elements of healthcare compliance. The AdvancedAcademy provides individuals with the application of the basic elements through extensivecase studies. While not required for certification, both programs fulfill the required amountof HCCB continuing education credits to sit for the CHC (Certified in HealthcareCompliance) Examination.Corporate ResponsibilityAuditing & MonitoringComplianceHIPAAEthicsSAVE THE DATE!REGISTRATION IS LIMITED TO 75 ATTENDEES36 Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

HIPAA SecurityWorkshopsA Path to Compliance with the HIPAA Security RuleOctober 18 - 19October 21 - 22January 24 - 25January 27 - 28Chicago, ILLos Angeles, CADallas, TXLas Vegas, NVThese workshops offer a practicalexplanation of the legal and technicalissues related to security compliance,and promote collaboration betweencompliance officers and informationtechnology professionals.Register now and receiveA Path to Compliance with The HIPAASecurity Rule Guide FREE!(A $295 value)37

38 Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org39

PlaceMediRegsad here: full page(August 2004 page 41Sept pg 37)File name: MediRegs.pdfPlease send me this file41

Finally – Audited Compliance Standardsfor Records Destruction Companies.Records destruction contractors that are certified by the National Associationfor Information Destruction (NAID) have gone beyond claims and promises bysubmitting to a close examination of every aspect of their security. NAID asksthe right questions and verifies the relevant facts to ensure the records destructioncontractor you hire is doing the job you’re paying them to do. By ensuringtheir compliance, NAID Certification ensures your compliance.42www.naidonline.org/certified

MC Strategies – ConsultingFacilitating performanceand compliance.WebInservice ® – TrainingImproving efficiencythrough knowledge.HCPCS/CPT, APC, ICD-9. No wonderyou have to be compliant to the letter.At MC Strategies, we can help you get there. Our consultants provide comprehensiveassessments, such as Chargemaster reviews that help you identify billingissuesand ensure HCPCS/CPT accuracy. And APC validations that include CPT and ICD-9 accuracy verification. But helping you get compliant is only part of what we do.Our WebInservice ® online training features the industry‘s most comprehensive setof compliance curricula. Our EduCode ® Compliance curriculum is a practical yetextremely informative program that covers general compliance as well as the highlytechnicaland high-risk areas of billing and coding compliance. And because allWebInservice training is delivered online, you can rest assured that you‘re tappinginto the most efficient and cost-effective training method available today.Achieving compliance today is a complex task. And it takes more than knowingthe basics, but rather, knowing it all from A to Z. To learn more, log ontowww.mcstrategies.com or call us at 800-999-6274.46

Research Compliance ConferenceNovember 7 – 9, 2004 | Aladdin Hotel, Las Vegas, NVGiven the increased enforcement focus of the OIG, NIH/OHRP,and the DOJ, (not to mention private litigants) clinical researchsponsors, sites and investigators must strengthen internalcontrols and compliance to avoid costly investigations, settlementsand litigation.Topics include:● Latest enforcement initiatives from the DOJ, OIG, and NIH/OHRP● A Pharmaceutical Company CEO’s perspective on compliance● Overview of the Common Rule and FDA rules related to clinical research● Research privacy issues for sponsors, sites and investigators● Anti-Kickback issues in clinical research● Strategies for effective informed consent● Clinical Trial Billing and Process Improvement● Conflicts of Interest● And more...REGISTER ONLINEWWW.HCCA-INFO.ORGRESEARCH COMPLIANCE FOR SPONSORS AND SITESTHE FINAL COMPLIANCE FRONTIERAIS’s Report on Medicare ComplianceAIS’s Report on Research ComplianceClinical Trials ComplianceFor more information contact the HCCA office at: www.hcca-info.org5780 Lincoln Drive, Suite 120 Minneapolis, MN 55436 (888) 580-8373 Fax 952-988-0146