Permissible vs. Proper - Health Care Compliance Association

Transcription

Compliance
TODAY
January 2014
a publication of the health care compliance association
www.hcca-info.org
Permissible vs. Proper:
The fine line between rules and values
an interview with Michael Josephson
President and Founder, Josephson Institute of Ethics
and 2014 Compliance Institute Keynote Speaker
See page 16
28
Physician practice management
arrangements: State fee-splitting
prohibitions and the corporate
practice of medicine
Janice A. Anderson and
Cullin B. Hughes
35
Some
thoughts
on
tone at
the top
Bret S. Bissey
42
Compliance and
quality of care, Part 2:
The physicians’ perspective
Michelle Moses Chaitt, Mark L.
Mattioli, Richard E. Moses,
and D. Scott Jones
47
New developments
in data analytics:
From data
mining to
data prospecting
Karen Nelson
Improving Governance Practices
Audit &
Compliance
Committee Conference
February 24–25, 2014 | Scottsdale, AZ
What you’ll learn
– The impact of health care reform on
regulatory risk and compliance obligations
– Fulfilling your fiduciary obligations
as board members
– Improving your board performance
Buy one
registration
for $695
and get one
for $395
This conference is designed for board members
and members of a board Audit and/or Compliance
Committee of not-for-profit health care organizations.
Compliance officers and other senior leaders in the
organization are welcome to accompany board members.
REGISTER NOW: SPACE IS LIMITED TO 70 ATTENDEES
www.hcca-info.org/audit
Attendees receive a complimentary, 1-year,
digital subscription to Corporate Board Member
(an $89.95 value) with access to the iPad app.
LETTER FROM THE CEO
by Roy Snell, CHC, CCEP‑F
Compliance programs are
being implemented beyond the
for-profit business environment
I
Snell
have long believed that compliance programs are a tool that can help solve many
problems. There are many organizations
in this country, beyond general for-profit
businesses, that could benefit from hiring
a compliance officer and implementing the
elements of a compliance program.
You don’t have to look far to find an
organization that did not look for
problems, or did not respond properly
when it found a problem. Their problems are being brought to light and
the damage they caused by not dealing with their problems is staggering.
As a father of four daughters who participated in sporting activities, including team
travel, it was important to me that we could
trust the organizations we were involved with.
Kim Otte, Mayo Clinic Integrity and
Compliance Officer, recently shared with me a
link to the U.S. Figure Skating Association website
(http://bit.ly/usfsa-safesport ). The organization uses a compliance program to prevent, find, and fix issues.
This organization provides opportunities
for young women to safely participate in sports.
They do so by implementing a compliance program and appointing a compliance officer. They
use all of the elements of a compliance program
to prevent, find, and fix the following issues
that are common in youth sports:
··
··
··
··
··
··
Sexual abuse and misconduct
Physical abuse and misconduct
Emotional abuse and misconduct
Bullying, threats, and harassment
Hazing
Willfully tolerating misconduct
You don’t have to look
far to find an organization
that did not look for problems,
or did not respond properly
when it found a problem.
Each U.S. Figure Skating club is asked
to appoint a SafeSport Compliance Chair,
essentially a compliance officer. They manage
the background checking process, monitor,
educate, enforce policies, respond to reports,
and disclose problems— essentially a
compliance program. There are many other
organizations in this country that could
benefit from, and I believe soon will follow
this model. The fact that our non-profit
organizations in this country have problems
does not surprise me. What surprises me are
the countless crimes that they covered up.
What surprises me is that society sits by while
the cover-ups occur over and over again and
we take no action. We should insist that these
groups implement compliance programs and
follow the rule of law.
888-580-8373 www.hcca-info.org Compliance Today January 2014
Please don’t hesitate to call me about anything any time.
612 709-6012 Cell • 952 933-8009 Direct
roy.snell @ corporatecompliance.org
3
Contents
January 2014
FEATURES
16 Meet Michael Josephson
COLUMNS
3 Letter from the CEO
ROY SNELL
an interview by Adam Turteltaub
28 Physician practice management
by Janice A. Anderson and Cullin B. Hughes
Unlicensed persons may be construed to be practicing medicine
if various state laws governing the management of physician
practices are not followed.
35 Some thoughts on tone at the top
25 Exhale
SHAWN DEGROOT
39 The Compliance–Quality
Connection
DAVID HOFFMAN
53 Reflections in Research
KELLY WILLENBERG
by Bret S. Bissey
Questions to ask when you are evaluating the effectiveness of
a compliance officer and the culture of the organization.
42 [CEU] Compliance and quality of care,
Part 2: The physicians’ perspective
by Michelle Moses Chaitt, Mark L. Mattioli,
Richard E. Moses, and D. Scott Jones
Strategies for educating physicians about fraud, abuse,
and malpractice issues that stem from care delivery and
documentation of patient visits.
Compliance Today January 2014
47 [CEU] New developments in data
analytics: From data mining
to data prospecting
by Karen Nelson
Expect more enforcement actions as CMS uses data mining and
data prospecting to identify and end improper payments.
DEPARTMENTS
6 News
12 People on the move
82 HCCA congratulates
newly certified designees
84 HCCA welcomes new members
86 2013 Compliance Today index
89 Takeaways
90 Events calendar
Compliance Today is printed with 100% soy-based, water-soluable inks on recycled paper, which includes includes 10% post-consumer waste. The remaining fiber
comes from responsibly managed forests. The energy used to produce the paper is Green-e certified renewable energy. Certifications for the paper include
The Forest Stewardship Council (FSC), Sustainable Forestry Initiative (SFI), and Programme For the Endorsement of Forest Certification (PEFC).
4 www.hcca-info.org 888-580-8373
®
“
Every company has
three types of employees:
the saints… the sinners…
and everyone else…
See page 23
”
ARTICLES
Compliance
TODAY
EDITORIAL BOARD
Gabriel Imperato, Esq., CHC, CT Contributing Editor,
Managing Partner, Broad and Cassel
Ofer Amit, MSEM, CHRC, Manager, Research Operations,
Miami Children’s Hospital
Janice A. Anderson, JD, BSN, Shareholder, Polsinelli PC
Christine Bachrach CHC, Chief Compliance Officer,
University of Maryland
Dorothy DeAngelis, Managing Director, FTI Consulting
Gary W. Herschman, Chair, Health and Hospital Law
Practice Group, Sills Cummis & Gross P.C.
David Hoffman, JD, President, David Hoffman & Associates
F. Lisa Murtha, JD, CHC, CHRC, SNR Denton US LLP
Building and maturing sustainable
compliance programs
Robert H. Ossoff, DMD, MD, CHC, Special Assistant to the ViceChancellor for Health Affairs, Vanderbilt University Medical Center
by Kurt Long
The new regulations remove the “harm standard” and offer care providers
the opportunity to realistically assess, investigate, correct, and report breach
vulnerabilities.
Deborah Randall, JD, Law Office of Deborah Randall
61 Essential health benefits under the ACA
by Natalie Franklin
Private health plans and Medicaid Alternative Benefit Plans offered on the new
insurance marketplaces must offer coverage in ten statutory categories.
63 Risk management 2-5-3:
Two pages, five minutes, and three steps
to an effective program
by Mike Walker
A simple tool for boards to use when evaluating and managing risks supports
due diligence and is easily implemented with existing resources.
67 [CEU] Medicare gets egg on its face
by Edward L. Vishnevetsky
A landmark case in Texas may change the way the rules in Medicare manuals
can be interpreted.
70 Mandatory compliance and long-term care:
Part 2
by Tom Ealey and Marcy Corbat
Thirteen standards of effectiveness for building a compliance program until
the official regulations are issued.
79 Overpayments and other common reasons
for denial of Medicare enrollment: An update
by Lester J. Perling
On October 17, 2013, CMS clarified some of the issues about how an unpaid
overpayment would affect an applicant’s Medicare enrollment application.
Jacki Monson, JD, CHC, Chief Privacy Officer, Sutter Health
Emily Rayman, General Counsel and Chief Compliance Officer,
Community Memorial Health System
Rita A. Scichilone, MSHA, RHIA, CCS, CCS-P, Director of Practice
Leadership, American Health Information Management Association
James G. Sheehan, JD, Chief Integrity Officer, New York City Human Resources Administration
Lisa Silveria, RN, BSN, Home Care Compliance,
Catholic Healthcare West
Jeff Sinaiko, President, Altegra Health Reimbursement and
Advisory Services
Debbie Troklus, CHC-F, CCEP-F, CHRC, CHPC,
Managing Director, Aegis Compliance and Ethics Center
Cheryl Wagonhurst, JD, CCEP, Partner,
Law Office of Cheryl Wagonhurst
Linda Wolverton, CHC, CPHQ, CPMSM, CPCS, CHCQM, LHRM,
RHIT, Vice President Compliance, Team Health, Inc.
EXECUTIVE EDITOR: Roy Snell, CHC, CCEP‑F, CEO, HCCA,
roy.snell @ hcca-info.org
MANAGING EDITOR: Brook Matthiesen, 888-580-8373,
brook.matthiesen @ hcca-info.org
NEWS AND STORY EDITOR/ADVERTISING: Margaret R. Dragon,
781-593-4924, margaret.dragon @ hcca-info.org
COPY EDITOR: Patricia Mees, CHC, CCEP, 888-580-8373,
patricia.mees @ hcca-info.org
DESIGN & LAYOUT: John Goodman, 888-580-8373,
john.goodman @ hcca-info.org
Compliance Today (CT) (ISSN 1523-8466) is published by the Health
Care Compliance Association (HCCA), 6500 Barrie Road, Suite 250,
Minneapolis, MN 55435. Subscription rate is $295 a year for nonmembers.
Periodicals postage-paid at Minneapolis, MN 55435. Postmaster:
Send address changes to Compliance Today, 6500 Barrie Road, Suite 250,
Minneapolis, MN 55435. Copyright © 2014 Health Care Compliance
Association. All rights reserved. Printed in the USA. Except where
specifically encouraged, no part of this publication may be reproduced,
in any form or by any means without prior written consent of the HCCA.
For Advertising rates, call Margaret Dragon at 781-593-4924. Send press
releases to M. Dragon, 41 Valley Rd, Nahant, MA 01908. Opinions
expressed are not those of this publication or the HCCA. Mention of
products and services does not constitute endorsement. Neither the
HCCA nor CT is engaged in rendering legal or other professional services.
If such assistance is needed, readers should consult professional counsel
or other professional advisors for specific legal or ethical questions.
VOLUME 16, ISSUE 1
55 HIPAA Omnibus Rule regulatory milestone:
Richard P. Kusserow, President & CEO, Strategic Management
5
NEWS
Market and demographic factors in forming ACOs
In a press release, Dartmouth Institute
recently announced the release of its report,
“Market and Demographic Factors in
Forming ACOs.”
According to the press release,
“Accountable care organizations are rapidly
being formed with the implementation of
the Affordable Care Act, and they are being
established in areas where it may be easier to
meet quality and cost targets, researchers at
The Dartmouth Institute for Health Policy &
Clinical Practice said in a study published in
the journal Health Services Research.
“An accountable care organization
is a group of providers collectively held
responsible for the overall cost and quality
of care for a defined patient. ACOs and other
value-based payment reforms are intended to
address long-standing problems confronting
U.S. health care: uneven quality, unsustainable
costs, and care that is fragmented.
“Dartmouth researchers looked at the
scope of ACO implementation because little
is known about what is driving the locations
where they are being established. They found
that more than half the U.S. population lives in
areas where ACOs have been formed, although
not all are being treated by physicians that are
part of an ACO.”
For more: http://bit.ly/1jcNyqc
Kroll Global Fraud Report:
Significant surge in corporate fraud
According to the 2013 Kroll Global Fraud
Report, the number of companies falling
victim to fraud has increased in the past
year. According to the Kroll press release
announcing the report, “Overall, 70 per cent of
companies were affected by fraud in the past
12 months, up from 61 per cent the previous
year, and there was an increase in every category of fraud covered by the study.
“The report reveals that the globalisation
of business is increasing exposure to fraud, as
businesses seek expansion into riskier overseas
markets and use greater levels of outsourcing.
The sharpest increase was in vendor, supplier
or procurement fraud, suffered by one in five
businesses (19 per cent), up from 12 per cent last
year. Indeed, of those companies that fell victim
to fraud in the past 12 months, one third (30 per
cent) experienced fraud perpetrated by vendors
or suppliers while 11 per cent suffered at the
hands of joint venture partners.
“In a year where several companies have
been rocked by high profile corruption scandals, the proportion of companies affected
by corruption and bribery increased from
11 per cent to 14 per cent. Corruption is by
far the most important element dissuading
companies from doing business in certain
markets, such as Africa, Latin America and
India. Almost half (46 per cent) of companies
have refrained from expanding into a foreign
market, citing corruption as the main reason.
In fact entry to new, riskier markets has
increased the vulnerability of almost one in
three companies (30 per cent) to fraud.”
For more: http://bit.ly/19drqoa
Read the latest news online · www.hcca-info.org/news
NEWS
Regulatory News
Recently, The Joint
Commission announced in
a press release that it has
“issued a Sentinel Event Alert
urging hospitals and ambulatory surgery centers to take
a new look at how to avoid
mistakenly leaving items such
as sponges, towels and instruments in a patient’s body
after surgery.
“Known in medical terminology as the unintended
retention of foreign objects
(URFOs) or retained surgical
items (RSIs), this is a serious
patient safety issue that can
cause death or harm patients
physically and emotionally. The Joint Commission
has received more than 770
Hospital errors are the third
leading cause of death in U.S.;
New hospital safety scores
show improvements
are too slow
According to a recent press
release from The Leapfrog
Group, “New research estimates up to 440,000 Americans
are dying annually from preventable hospital errors. This
puts medical errors as the
third leading cause of death
voluntary reports of URFOs
in the past seven years. These
cases resulted in 16 deaths,
and about 95 percent of these
incidents resulted in additional
care and/or an extended hospital stay. Beyond the human
toll, studies have shown that
objects left behind after surgery may cost as much as
$200,000 per case in medical
and liability payments.”
The following are just
a few of the recommended
actions outlined by the Joint
Commission:
·· Create a highly reliable
and standardized counting system to prevent
URFOs – making sure all
surgical items are identified and accounted for.
·· Develop and implement
effective evidence-based
organization-wide standardized policy and
procedures for the prevention of URFOs through
a collaborative process
promoting consistency
in practice to achieve
zero defects.
·· Appropriate documentation should include the
results of counts of surgical items, instruments,
or items intentionally left
inside a patient (such as
needle or device fragments deemed safer to
remain than remove), and
actions taken if count discrepancies occur. Tracking
discrepant counts is
important to understanding practical problems.
in the United States, underscoring the need for patients
to protect themselves and
their families from harm, and
for hospitals to make patient
safety a priority.
The press release noted,
“the Fall 2013 update to The
Leapfrog Group (Leapfrog)
Hospital Safety Score assigns
A, B, C, D and F grades to
more than 2,500 U.S. general
hospitals. It shows many
hospitals are making headway
in addressing errors, accidents,
injuries and infections that kill
or hurt patients, but overall
progress is slow. The Hospital
Safety Score is calculated
under the guidance of the
Leapfrog Blue Ribbon Expert
Panel, with a fully transparent methodology analyzed in
the peer-reviewed Journal of
Patient Safety.”
For more: http://bit.ly/IBiVfN
For more: http://bit.ly/1c7fYv7
Read the latest news online · www.hcca-info.org/news
Joint Commission Alert:
Preventing retained
surgical items
7
Managed Care
Compliance Conference
February 9–11, 2014 | Scottsdale, AZ
Westin Kierland Resort & Spa
Join us in Scottsdale
Hot topics will include:
for the primary networking and educational
event for those involved with managing
compliance health plans.
Integration Meets Regulation: Compliance Challenges
Plan to attend if you are a compliance
professional from a health plan (all levels from
officers to consultants), in-house or external
counsel for a health plan, an internal auditor
from a health plan, regulatory compliance
personnel, or a managed care lawyer.
Managed Care Drug Programs and Health Care Reform:
and Risks for Health Plans When Integrating Physical and
Behavioral Health Information
Focus on 340B Drug Program, the Medicaid Rebate
Program, and other drug programs
Lessons Learned from a CMS Part D
and Part C Appeals and Grievances
Audit: What to Expect and How to
Prepare
Navigating Compliance Program
Obligations in the Exchange World
And much more!
Learn more at www.hcca-info.org/managedcare
HCCA NEWS
HCCA conference news
18th Annual Compliance Institute
Audit Committee Compliance Conference
March 30–April 2 | San Diego, CA
February 24–25 | Scottsdale, AZ
www.compliance-institute.org
www.hcca-info.org/audit
Register and listen to these
General Session speakers:
Topics being covered:
·· OIG update
Daniel Levinson
Inspector General, HHS-OIG
·· Compliance Plus:
Creating an Effective Compliance
Program Using an Ethics Framework
Michael Josephson
President and Founder, Josephson Institute
·· Influencing Decision-Making
Jenny O’Brien
Chief Compliance Officer, UnitedHealthcare
Kimberly Otte
Chief Compliance Officer, Mayo Clinic
·· Corporate Governance & Liability:
Panel Discussion
Gabriel Imperato
Managing Partner Broad & Cassel
Gregory Demske
Assistant Inspector General, HHS-OIG
Dr. David Herman
CEO, Vidant Health
Ryan Meade
Partner, Meade Roach & Annulis, LLP
Daniel Roach
General Counsel, Optum 360º
·· Introduction to Healthcare Risk Areas
& Compliance
·· Introduction to Healthcare Accounting
·· Health South: Lessons for Board Members,
Audit Committees, & Managers
·· Case Study for Crisis Management
·· What it Takes to be a Good Board Member
·· Enterprise Risk Management
·· Role and Responsibility of the
Audit & Compliance Committee
·· Healthcare Reform, Clinical Integration,
and Compliance
·· Enforcement Actions
Basic Compliance Academies
www.hcca-info.org/academies
These are limited to 75 attendees and very often
sell out. If you are interested in attending an
Academy in 2014, register today. Below are the
dates and locations.
·· January 20–23 | New York
·· February 3–6 | Puerto Rico
·· February 17–20 | San Francisco
Managed Care Compliance Conference
·· March 17–20 | New Orleans
February 9–11 | Scottsdale, AZ
·· April 14–17 | Boston
Learn essential information for those involved
with the management of compliance at health
plans. Plan to attend if you are a compliance
professional from a health plan (all levels from
officers to consultants), in-house or external
counsel for a health plan, internal auditor from
a health plan, regulatory compliance personnel,
or managed care lawyer.
·· June 9–12 | Scottsdale
·· August 4–7 | New York
·· September 29–October 2 | Nashville
·· October 20–23 | Las Vegas
·· November 17–20 | Orlando
·· December 1–4 | San Diego
Find the latest conference information online · www.hcca-info.org/events
www.hcca-info.org/managedcare
9
HCCA NEWS
HCCA website news
Contact Tracey Page at 952-405-7936 or email her at tracey.page @ hcca-info.org with any questions about HCCA’s website.
Compliance Institute 2014 San Diego
Letters From the CEO
The Compliance Institute may still be months
away, but you can find all the update information you’d like online anytime.
Some things you might want to do
before the conference…
·· View the Sessions and Speakers
Read the session bullets and speaker bios
to see what session interest you the most
in 2014.
·· Choose your sessions
Don’t miss out on any of the advanced
discussions; pre-register to make sure
you get a seat. This is also where you
can sign up for the volunteer project,
the author’s reception/Academy reunion,
and session recordings.
1. Go to www.hcca-info.org/myevents.aspx
2. Click on View Registration for the
2014 Compliance Institute
3. Choose the functions you
want to attend
4. Click Submit
·· Sign up for Speed Networking
and Speed Mentoring
Help the profession by becoming a
mentor at the Compliance Institute.
Share what you’ve learned with other
compliance professionals. New to compliance? Mentor with the best. Sign up
online at www.compliance-institute.org/network .
·· Hotel
Book your hotel early, stay a few extra
days, and enjoy the California sun.
All the information for booking your
hotel is available on the website at
www.compliance-institute.org/hotel .
Read through the past issues of Roy Snell’s
Letter from the CEO online. Since 2001, Roy
has been musing on current compliance and
ethics issues in his monthly letter. Access all
these articles online at www.hcca-info.org/ceoletters .
Still reading a paper magazine?
Not only does your HCCA membership
include monthly delivery of the print
version of Compliance Today, it also includes
access to a variety of digital versions, which
can be read in any web broswer—or in
mobile apps, customized for reading
on Apple- or Adroid-based
tablets and smartphones.
Go to www.hcca-info.org/compliancetoday and
login to your account to start reading issues
on a web browser; or search your mobile
device’s App Store for “HCCA Magazine”
and download the free HCCA Compliance
Today Magazine app to start reading issues
on-the-go.
Find the latest HCCA website updates online · www.hcca-info.org
HCCA NEWS
news
Contact HCCA at 888-580-8373 or email us at [email protected] with any questions about HCCAnet.
®
Your complimentary social network
of healthcare compliance professionals
Explore these current HCCAnet discussions
HCCAnet is the most comprehensive
social network for compliance and ethics
professionals, now with more than 12,424
members. Subscribe to discussion groups
and get your compliance questions answered.
Stay informed on the latest healthcare
compliance news and information. Login to
your complimentary healthcare compliance
social network at www.hcca-info.org/HCCAnet .
®
Once logged in to HCCAnet, click My Subscriptions
and subscribe to more than 40 healthcare compliance-related groups, including these popular
ones for news and information:
·· Chief Compliance and Ethics Officer
Health Care
·· HIPAA
www.hcca-info.org/hipaagroup
·· CHC Certification Study Group
www.hcca-info.org/chcgroup
http://bit.ly/AccountingDisc
·· Advice on potential HIPAA violation
http://bit.ly/HIPAA-Advice
·· Breach or no breach
http://bit.ly/breachnobreach
·· EOBs and Privacy
http://bit.ly/EOBs-Privacy
Subscribe to popular discussion groups
www.hcca-info.org/ccogroup
Review these recent discussions to explore
how HCCAnet can help answer some of your
healthcare compliance questions.
·· Accounting of Disclosure
·· Fax Cover Sheets
http://bit.ly/FaxCovers
·· Not a Wish List Please… But a Genuine List
of What Folks Are Doing
http://bit.ly/GenuineList
·· On-site patient injury form
http://bit.ly/injury-form
·· Physicians as BAAs?
http://bit.ly/physicians-baas
·· Posting Notice of Privacy Practices
http://bit.ly/Posting-Notice
Earn CEUs without leaving your desk…
Attend an HCCA Web Conference!
TOPICS INCLUDE:
• Audits and the
2-midnight rule
• Claims Overpayment
…and many more!
• Auditing & Monitoring
• HIPAA Omnibus Rule
• SNF Compliance
• RAC
CHECK OUT HCCA’S FULL LIST OF UPCOMING WEB CONFERENCES AT
www.hcca-info.org /webconferences
Find the latest HCCAnet updates online · www.hcca-info.org/HCCAnet
888-580-8373 www.hcca-info.org 11
PEOPLE ON THE MOVE
· Carolyn Barton was
recently named Chief
Compliance and Ethics
Officer for Group Health
based in Seattle, WA.
· The WIRB-Copernicus
Group, the world’s largest provider of regulatory and ethical
review services for clinical
research, announced the
recent appointment of Lindsay
McNair, MD, MPH, MSB,
to the new position of Chief
Clinical Research Officer.
· Jacki Monson, JD, CHC,
is the Chief Privacy Officer
for Sutter Health in
Sacramento, CA.
· Eric Newman, JD, CCEP,
former Social Media Manager
for SCCE/HCCA, has been
named Privacy Officer for Sutter
Health in Sacramento, CA.
PEOPLE
on the
MOVE
· Chad Ross was recently
named Vice President of
Operations at Mary Rutan
Hospital in Bellefontaine,
OH. He will also join the
hospital’s leadership team
as Compliance and Privacy
Officer, replacing team
member Cheryl Brooks, who
is retiring after 26 years of
service with the hospital.
Received a promotion?
Have a new hire in
your department?
· Daniel R. Roach, JD is
the General Counsel for
Optum360º, a healthcare revenue cycle technology and
services company.
· Michael Shearn, Esq.,
CHC, CHPC has joined the
Oberheiden Law Group, PLLC
in Dallas, as Of Counsel.
Are you subscribed to
· If you’ve received a promotion,
award, or degree; accepted
a new position; or added a
new staff member to your
Compliance department, please
let us know. It’s a great way to
keep the Compliance community
up-to-date. Send your updates to
margaret.dragon @ hcca-info.org.
HCCA NEWS
This Week in Corporate Compliance?
If not, you should be. It’s informative… and FREE.
Once subscribed, TWCC will arrive every Friday in your email with
a wrap-up of the week’s healthcare compliance-related news.
To subscribe, visit:
www.hcca-info.org/twcc
Help Keep Your
Compliance Program
Fully Staffed
List Your Job Openings
Online with HCCA
It’s hard to have an effective compliance program
when you have openings on your team. Help fill
those openings quickly—list your compliance job
opportunities with the Health Care Compliance
Association.
Benefits include:
• Listing is posted for 90 days to maximize exposure
• Targeted audience
• Your ad is also included in our biweekly HCCA Jobs
Newsletter, which reaches more than 24,000 emails
Don’t leave your compliance positions open any longer
than necessary. Post your job listings with HCCA today.
Visit www.hcca-info.org/newjobs
Or call us at 888-580-8373
FEATURE
Michael Josephson
President and Founder,
Josephson Institute of Ethics,
Los Angeles
an interview by Adam Turteltaub
Meet Michael Josephson
2014 Compliance Institute Keynote Speaker
This interview with Michael Josephson ([email protected])
was conducted by Adam Turteltaub (adam.turteltaub@
corporatecompliance.org), Vice President of Membership
for HCCA.
between a rules-oriented compliance perspective and a values-based ethical perspective in
the way people are trained and in the kind of
culture each perspective produces.
AT: An ethicist isn’t the typical keynote
speaker for us at HCCA. Why should healthcare compliance professionals care more than
they already do about ethics?
MJ: I am sure most healthcare compliance
professionals care a great deal about ethics,
but as in other highly regulated industries I’ve
worked with, many are so concerned with the
compliance aspect of ethics that they don’t pay
adequate attention to the underlying moral
principles. I will try to illustrate the difference
AT: Do you see the ethical challenges in
the business of healthcare, (rather than in the
actual medicine) being any greater than in
other industries?
MJ: Yes, I think the challenges in healthcare are greater in many respects, because
the stakes are so high when legal or ethical
violations occur and there is such an intense
scrutiny. The patient care and product safety
aspects of healthcare are especially challenging, because people can die or suffer great
FEATURE
injury from mishaps or business strategies
that do not pay adequate attention to the vital
importance of trust.
AT: You’re not an ethicist by training,
but an attorney. What led you to create the
Institute?
MJ: I was a law professor for 20 years. I
initially approached the teaching of law as
I was taught: Stake a morally neutral stand,
zealously pursue the best interests of the
client, and when it comes to potential ethical
issues, do a cost-benefit analysis. I was always
attracted to the competitive advocacy aspect
of the law (my wife used to say I would even
try to win phone calls), so I gravitated to the
“warrior courses” involving trial practice and
negotiation.
I prided myself on being tough and
responding in kind to the tactics of the lawyers who opposed me (“If you want to play
hardball, I’ll play hardball”) and I felt justified
and comfortable using every legal technique
or strategy (I never
believed in lying,
fabricating, or
acting dishonorably within the
framework of zealous advocacy) that
would advance my
client’s interests
(i.e., help me win).
I was pretty good
at it, and I taught
my students this approach. I bulwarked their
advocacy orientation by quoting Aaron Burr:
“The law is what is boldly asserted and plausibly maintained.”
I taught that way for nearly 10 years, but
my life and my outlook on lawyering changed
dramatically when two events coalesced in
1976. First, I was assigned to teach a newly
required course in legal ethics. This was a
direct outgrowth of the Watergate scandal
that involved more than 20 lawyers. Second,
I became a father for the first time with the
birth of my son Justin (I now have 5 children
including four teenaged girls ages 14-19).
While trying to put my son to sleep in the
middle of the night (he had colic), I started to
think about my ethics course the next morning, and it struck me that my “what’s the
downside risk” approach I had been taking
was a horrible parenting strategy. I realized
I did not want my son to view ethics only as
a risk-management issue; I wanted him to
become a good person, and it changed my
frame of reference completely.
This perspective made me newly sensitive
to my opportunity and obligation to define
and instill ethical values and good character in
my son and to be a good role model attempting to reinforce those values with my students.
I started looking at ethics in a very different way. I no longer would assume that an act
is ethical simply because it is legal, and I came
to realize that a
person could be
both a good lawyer
and a good person
if he went beyond
asking “What is
permissible?” and
started asking
“What is proper?”
Consequently,
I induced the Dean
of Loyola Law
School in Los Angeles to allow me to create a
new four-unit course (that was the most they
would assign to any course) called Ethics,
Counseling and Negotiation, where I would
combine the teaching of legal ethics (based on
a narrow Code of Professional Responsibility)
with real ethics (based on universal notions
of morality and ethics such as honesty, fairness, respect, and responsibility) in the context
…I came to realize that a
person could be both a good
lawyer and a good person if
he went beyond asking “What
is permissible?” and started
asking “What is proper?”
17
FEATURE
of the very practical lawyering functions of
counseling and negotiation. I also brought
my new ethical sensibilities to my teaching of
trial practice and other courses. This began
my new lifelong journey to better understand
the nature of ethics and how to instill within
ambitious and highly intelligent law students
a deeper desire to live honorably.
This passion to find the formula for being
both a good lawyer and a good person became
the focus of my professional life and in 1985,
I had an opportunity to sell a successful, private, educational, legal education business that
produced study materials and prepared students to pass the bar exam. I accepted the offer
of nearly $10 million and I used a significant
portion of the proceeds to found the non-profit
Joseph & Edna Josephson Institute of Ethics
(named after my parents). Until June of 2012,
I worked as a full-time volunteer, receiving no
compensation for my work.
AT: It’s worth noting that this is a labor of
love. You’re a non-profit. Why did you choose
the non-profit route?
MJ: I had done pretty well in law school
and was selected to give the valedictory
address for all UCLA graduate departments
at our 1967 graduation ceremony. I had lots of
good opportunities after graduation, but I was
filled with ’60s idealism and I chose to work
for the U.S. Department of Justice Civil Rights
Division. Unfortunately, the Viet Nam War
intervened and virtually all of my graduating class expected to be drafted. I was always
much more interested in social significance
than material wealth, and believed Eldridge
Cleaver (a black militant of my time) who said,
“If you are not part of the solution, you are
part of the problem.”
I interned in the summer of 1966 with
Senator Earnest Gruening, one of only two
Senators who adamantly opposed to the War
and this strongly influenced my views. To
avoid the choice between the possibility of
becoming a conscientious objector, fleeing to
Canada, or going into the Army to participate
in a War I thought was immoral, I discovered that one of the few job categories that
came with a draft deferment was teaching. I
accepted an offer to become an instructor (the
lowest academic position) at the University of
Michigan Law School.
I came to love teaching and I chose to stay
within the groves of academe, rather than
enter law practice. When I had the opportunity to sell my publishing company (designed
to help law students), found the Josephson
Institute, and still have enough money to live
comfortably, I grabbed it. It never crossed my
mind to work in any form other than a nonprofit corporation and to work for free as long
as I was able to.
AT: You started back in the 1980s, well
before Enron. How have you seen the environment for ethics education change?
MJ: When I started the Institute, the concept of ethics education was very primitive.
Only a tiny handful of companies had ethics
programs or codes, and character education in schools was the concern of only a
few educators.
The game changer in thinking about ethics
in business came out of the healthcare case
of the Tylenol poisonings in 1982. The way
Johnson & Johnson dealt with deaths due to
tampering—they recalled the entire product
until they developed the tamper-proof packaging that later became an industry norm.
Johnson & Johnson demonstrated that a company could (and suggested that a company
should) be willing to do more than the law
requires in order to protect its customers.
Another major healthcare case came to
public attention in the early ’90s (although the
product, the Shiley heart valve had been withdrawn in 1986), revealing a very different and
FEATURE
more troubling corporate response to information that its product was killing people. In this
case, Shiley’s owners settled lawsuits when
evidence emerged that the company failed to
disclose to the FDA fatal incidents relating to
its product.
These cases thrust the healthcare industry in an unwanted leadership role in terms
of both the ethics
and compliance.
Serious public
concern about
ethics was spurred
in 1987 with three
major events highlighting the choice
between right and
wrong, rather than
just legal or illegal.
Gary Hart, a
Senator seeking
the Democratic
nomination for
President, was quite literally caught with his
pants down in a steamy adulterous relationship with a model named Donna Rice (forever
opening the character issue to journalistic
inquiry). During the same year, headlines
were made by massive financial manipulation
by junk bond king Michael Milken for Drexel
Burnham, and arbitrager Ivan Boesky.
Ethics has been on the agenda ever since,
and the Enron scandal was simply the most
visible of dozens of cases of accounting and
other frauds that highlighted the inadequacy
of existing laws. Enron also highlighted the
need to bulwark more laws and regulations
with a higher degree of sensitivity to ethics.
And new laws like the Foreign Corrupt
Practices Act, Sarbanes-Oxley, Dodd-Frank,
and the Federal Sentencing Guidelines have
substantially increased the complexity of
legal-oriented ethics and the need for companies to have codes, training, and other
protocols to avoid prosecution. They also have
seen the high cost of scandal when the company is perceived to be unethical, whether or
not provable illegal acts were committed.
Like business organizations in other fields,
healthcare organizations, have recognized the
need to address the possibility of reputation
damaging and resource draining scandals and
lawsuits resulting
from both illegal
and unethical conduct. The dominant
motivation, however, does not seem
to be a morally
based concern
for customers or
consumers, but a
need for a sensible
risk-management
strategy. And in
terms of risk, illegal
conduct is far more
certain to cause harm to the organization than
lawful behavior which may be unethical.
Thus, most organizations have tried
to create a rules-based compliance culture
rather than a values-based ethical culture that
encompasses but goes beyond compliance.
Compliance still is stuck in the question: Is it
legal? We think it is not only more honorable
and sustainable, but more effective, to ask, “Is
it right?” We stress the comment of former
Supreme Court Justice Potter Stewart who
said, “There’s a big difference between what
you have a right to do and what is right to do.”
AT: Your focus is on character. What led
you to make that choice?
MJ: Character is ethics in action. It not only
is a vital concept driving school reforms focusing on the teaching of core ethical values and
principled decision-making, it is also an issue
worthy of emphasis in the workplace. People
Character is ethics in action.
It not only is a vital concept
driving school reforms
focusing on the teaching
of core ethical values and
principled decision-making,
it is also an issue worthy of
emphasis in the workplace.
19
FEATURE
without character, who have no moral compass
or commitment to ethical principles, create an
unreasonably high risk for companies that will
pay the price of their moral deficiency. Hence,
we advocate: Hire for character, train for skills.
We also think character can be developed in a
workplace context and measured as part of a
performance review.
AT: Do organizations have a character?
MJ: Yes, I think we can perceive a company
in terms of character but it is probably more
accurate and helpful to think of the equivalent
of character as a culture. The organizational
culture of Johnson & Johnson was so heavily
customer focused that it did far more than
it was required to do in face of the Tylenol
poisoning crisis, while the culture of the
company manufacturing the Shiley
heart valve sought
to minimize the
financial impact of
discovered defects
by concealment.
Although we are
most likely to associate the character of an
organization with its
reputation, reputation
is what we think of
the organization, but character is what it really
is. Abraham Lincoln once drew an important
distinction saying, “Character is the tree, reputation is the shadow cast by the tree.”
MJ: If one wants to be effective, both content and context matter. The content for our
youth-based programs and our organizational
culture workplace programs are derived
from the same core ethical principles we call
the Six Pillars of Character (i.e., trustworthiness, respect, responsibility, caring, fairness,
and citizenship) and various delivery and
decision-making strategies seeking the best
possible result. Nevertheless, there is substantial difference in sophistication and the
need to teach practical application in our
workplace programs, but the context of our
audiences requires customization to the industry involved and to the level of authority of
our audience, from boards of directors to line
employees. Thus, the focus on producing or
supporting ethically competent and committed individuals with
good character is a
common element, but
strategies of delivery
and content vary
rather dramatically.
We find most people are
truly engaged and grateful
when we offer a sensible,
inspirational-based
framework to think about
their legal and ethical
responsibilities.
AT: What’s notable about your organization
is it’s not just focused on healthcare and other
business entities, but also on school children,
government officials, and police. Do you take a
common approach to all of these audiences? I
know the principles of character you promote
are the same, but is the program as a whole
largely the same in its focus?
AT: What do you
find the audiences
have in common?
MJ: The most
common element in
our workplace audiences, from corporate executives to police
officers, is the risk-management concern of the
organization that sent us to them. Employees
tend to be skeptical at best and are often outright hostile. These negative attitudes are
fueled by training approaches and online
requirements that are usually boring, often not
pertinent to the job function of the attendee,
and plainly inadequate in instilling a deeper
understanding of and personal commitment to
ethical conduct. Frankly, we benefit from low
expectations. We find most people are truly
engaged and grateful when we offer a sensible,
FEATURE
AT: And the next natural question is, how
do they differ? Obviously they face different
challenges, but are there different ways of
thinking that have to be addressed?
MJ: You have to remember that when we
begin to interact with employees of any private
or public organization—whether it is in a class
setting or during personal or group interviews,
or even through online surveys—we will detect
the effects of that organizational culture in the
way they approach issues of ethics. Culture not
only varies depending on the industry, but also
by region and function (e.g., highly regulated
industries like healthcare companies tend to
be far more compliance oriented and ethics
concerned than marketing organizations or
professional services, such as public relations
and law). For example, when we did a comprehensive survey as part of a culture-building
program for a huge federal agency with more
than 100,000 employees, we found both function
and region had a major impact. In other words,
there was no single organizational culture.
Generally, public service organizations
are much more receptive to thinking ethically,
not merely legally. A major part of our public
service trainings emphasize five principles of
public service ethics, including the principle
that a public employee must not only avoid
impropriety (a broader concept than illegality),
but the appearance of impropriety. This is a
very different mindset than the one normally
promoted by internal auditors or the general
counsel in private organizations.
AT: What do you think business could
learn from these other groups?
MJ: The better corporate programs are
adopting the values-based ethical mindset
more commonly found in public service. In
the end, however, the most important thing is
what the organization demands and allows.
What you allow, you encourage—and many
private organizations allow narrow legalistic
approaches that are bound to get the company
in trouble eventually.
AT: When people are in the business of
savings lives, they may feel that it is okay to
break the rules in pursuit of what they see
as a higher good. How do you address that
thinking?
MJ: I think this is a very dangerous and
self-defeating rationalization.
When people are in the business of saving
lives, expectations of trust defined by public
opinion, as well as laws and regulations, are
extremely high. The “ends justify the means”
is an extremely dangerous mindset. Think of
how we react when the government or police
try to justify their behavior on this rationale.
Any shortcuts made in the name of expediency are so destructive to the credibility and
reputation of the organization that they are
both unwise and unethical.
AT: Medicine often requires practitioners
to have a great deal of confidence in their own
judgment. With that comes a risk of arrogance.
I imagine you see the same thing in your work
with first responders. How do you overcome
this risk?
inspirational-based framework to think about
their legal and ethical responsibilities. What we
teach has such obvious implications, not only to
every aspect of their job-related duties and relationships, but to the way they function in their
private lives. Most people really do want to live
worthy and ethically noble lives.
But, I have to emphasize training is only
a small aspect of creating and sustaining an
ethical culture. We use the Federal Sentencing
Guidelines as an organizational framework to
help companies create and maintain not only
the kind of programs that will comply with
the rigorous federal standards, but that also
will increase productivity and morale.
21
DON’T GO
HALFWAY.
GO 360.
MANAGE CLAIM AUDITS WITH CoMpLIANCE 360.
Multiple audits, hundreds of
claims, dozens of team members, zero free time. Miss one date and you forfeit hard-earned revenue. With so much
complexity - and so much at stake - only Compliance 360 offers the confidence of a 24x7 Virtual Audit Coordinator
that manages every step of every audit in one central system. No gaps, no guesses, no gotchas.
Visit www.compliance360.com/ClaimsAuditor to learn how we’re helping thousands of providers protect their
revenues - and their peace of mind.
www.compliance360.com
GET THE 360° VIEW.
C o m p l i a n C e 3 6 0® G R C S o l u t i o n S
FEATURE
AT: You’ve written that stretch goals and
unrealistically high performance expectations
can lead people to step out of bounds, ethically
and legally. Many healthcare organizations are
public corporations under tremendous pressure
to make or increase profits. What are some of
the other pitfalls that you see in business in
general and healthcare in particular?
MJ: Every company has three types of
employees: the saints, who have been raised to
think and act ethically and can’t be tempted into
acting improperly (they would rather lose their
jobs); the sinners, who are willing to and often do
whatever it takes to get what they want, including
approval and promotion from superiors (these
folks don’t respond to training or appeals to a
higher purpose); and everyone else (the rest of us),
who are generally ethical and honorable, but are
vulnerable to external pressures and incentives, as
well as their own internal rationalizations.
The challenge for leadership in a corporation, especially ethics and compliance folks, is to
be vigilant to deter, apprehend, and discipline
the sinners and to assure that the culture (largely
determined by all personnel issues—recruiting,
hiring, training, performance reviews, promotions, compensation, and discipline) promotes
ethical behavior in matters large and small.
Very few companies I’ve seen are willing to devote the energy needed to create and
sustain a truly ethical culture because, in the
last analysis, it is bottom-line performance that
makes or breaks careers. Just as I had to learn
how a person could be both a good lawyer and
a good person, many executives have to learn
how a company can be both profitable and
honorable. It’s not as easy as one would hope.
Healthcare organizations have a huge
potential advantage over other organizations
in terms of creating and sustaining an ethical
culture, if they sincerely and pervasively stress
the inherent worthiness of the mission. Most
people want to do good and be thought of as
good, and doing one’s job right in the healthcare industry can produce both the feeling and
the reputation.
AT: You’re a proponent of character-based
ethics as opposed to a compliance-based
approach. What led you to conclude that one
is superior?
MJ: We would not raise our children
depending on them to do the right thing
because of the rules we make or enforce. We
teach them values and hope they will use
them, even when there is no realistic possibility of getting caught or punished. Similarly,
there are companies that believe that even
robust compliance programs (and there are
very few of those) will provide either the
deterrence or guidance to assure ethical conduct. It’s been said that character is revealed
by how you behave when no one is looking,
and since in many business contexts no one is
looking, we need character, not just rules.
AT: Thank you for sharing your insights
with us.
MJ: There is of course a fine line between
confidence and arrogance and it is important
that doctors, first responders, and police officers
have enough confidence to trust their judgment
when rapid decisions are required. In many
cases, however, there is time to reflect and even
seek the perspective of colleagues. The ideal
professional is humble enough to know his/her
judgments are fallible, wise enough to seek
counsel of others when it is feasible, but confident enough to take action when needed.
Frankly, the issue of arrogance, often associated with doctors and surgeons who make
life and death decisions on a regular basis, is
not so much focused on their medical judgments, but on their behavior toward others.
The concept is captured in the well-worn joke:
“What’s the difference between a doctor and
God?” “God doesn’t think he’s a doctor.”
23
MASTER OF SCIENCE IN
Regulatory Compliance
•Learn in a program offered in partnership with Northwestern University’s
Feinberg School of Medicine and from a curriculum informed with the
latest insights on healthcare, translational research and regulation.
•Develop the interdisciplinary core competencies needed for leadership
roles in the regulatory compliance field.
•Focus on your area of interest by choosing from tracks in healthcare
compliance, clinical research and quality systems.
•Earn your Northwestern University master’s degree by attending parttime evening courses in Evanston and Chicago.
Apply today — the summer application deadline is April 15.
www.scs.northwestern.edu/msrc • 312-503-6950
EXHALE
by Shawn DeGroot, CHC-F, CCEP, CHRC
Don’t say a word
Navigant Consulting in Denver. Shawn is also the Immediate Past President
of the HCCA Board of Directors.
I
n the Compliance field, we are blessed (or
cursed, depending on personal perspective)
with delivering messages to a variety of
audiences. We listen, educate, investigate, question, ponder, and respond. We routinely digest
regulatory information in preparation for the
next question during an investigation
or to provide training to an audience.
Our verbal messages can be succinct
and clear, yet misinterpreted if incongruence exists with our body language.
The human face has more than
52 muscles and can make up to 5,000
DeGroot
expressions. Darwin first wrote about
his theories of expression in 1898; yet,
many of us concentrate only on our intellectual intelligence without much consideration
of the messages we are delivering with our
facial expressions and body. Six universal
expressions of emotion have been identified
associated with the human face—surprise,
anger, disgust, fear, sadness, and joy. Those
common expressions are easily identifiable,
but the 5,994 remaining expressions also have
an impact. A raised eyebrow acknowledges
that we are listening or the speaker has our
attention (at least for those who have not subjected their face to botox). For individuals in
the second half of their life, another benefit of
lifting your eyebrows slightly when someone
is speaking is that they can see the whites of
your eyes, sending a signal of trust.
Over the years, many of you have heard me
speak at both HCCA and SCCE Compliance
Institutes about the importance of nonverbal
communication. I, too, was not of the mindset
to study and/or read about nonverbal communication until I was confronted by a vice
president, who was asked to talk to me about
the reorganization within the C-suite. He and
others assumed I was “stressed” about the
changes occurring and stated that everyone
seemed to be handling it all quite well, except
me. I was mortified and quite shocked at the
assumption. When I asked how that conclusion
was reached, he observed that at the meeting
when the changes were announced, I seemed
disengaged (eyes looking down). Secondly, I
crossed my arm, and my face appeared to show
anger or worry (mouth turned down, eyebrows
frowning and staring along with a few subtle
sighs). Finally, he stated that I was “fidgeting”
in my chair often (signs of being uncomfortable). He added that he was originally planning
to enter the field of psychology and studied
nonverbal communication. The CEO noticed as
well and asked him to reach out to me.
Our verbal messages
can be succinct and clear, yet
misinterpreted if incongruence
exists with our body language.
After I shared with him that the evening
prior to the C-suite announcement, my home
had been burglarized and that I was struggling
with feeling violated (not angry), we had a great
laugh on the assumptions based on my body
language. As a matter of fact, I did not want to
be at work that day after such a sleepless night,
but I felt trapped because I couldn’t relax in my
own home either.
Since that event, I realized my expressions
say 1,000 words, without speaking. I have read
Shawn DeGroot ([email protected]) is an Associate Director at
25
How can being
right today, put you
at risk tomorrow?
Know what’s right, right now with
ComplyTrack
Proactively assess, communicate, and — most importantly — mitigate risk across your entire enterprise in the
face of constant regulatory change with ComplyTrack. This powerful solution gives you the visibility, controls,
and workflow tools you need to manage your GRC program from the top-down and the bottom-up. Our up-todate regulatory content and unparalleled expertise are woven into the question sets and controls for complete
decision support. Confidently manage risk and drive compliance with our customized, scalable SaaS solutions
created and supported by experts in healthcare risk, audit, and compliance.
complytrack.com
EXHALE
numerous books on body language and
frequently visit the website of The Center for
Nonverbal Studies ( www.center-for-nonverbal-studies.org ).
Understanding that 93% of a message is based
on nonverbal communication with only 7%
based on actual words may impact how you
want to “carry” a message to the board, CEO,
or an external investigator. Many investigators in fraud, the police, and of course those in
the psychiatry field, are trained in nonverbal
communication, specifically when they are
attempting to find the truth in a matter.
Furthermore, within the 7% of the verbal
communication is another value—how people
feel based on your choice of words. People
may not be able to recite one sentence of what
you stated, but they will remember how your
message made them feel (e.g., sick to their
stomach, angry, relieved, or excited). Voice
intonation, facial expressions, hand position
(e.g., open, closed, down, fisted), how you sit
in a chair, and whether you rock back and forth
when speaking impact the message more than
you realize. Take time to better understand your
body language, facial expressions, and create
self-awareness about your communication
style. It is important to articulate regulatory
content succinctly, but a powerful a message
can be relayed or lost without saying a word.
Add value
for colleagues
— AND —
earn live CCB CEUs
Law360 has named
King & Spalding’s
healthcare practice as
a Health Care Practice
Group of the Year
for 2012.
We achieved this by
delivering value and
security to our clients
every day.
at www.hcca-info.org/HCCAnet
·· Post one discussion topic each day of the week.
·· Each daily topic should tie-in to one overarching theme.
·· Respond to posts.
·· Receive 10 live CCB CEUs for the entire week (2.0 per day).
Contact HCCA to learn more.
www.kslaw.com/health
888-580-8373 www.hcca-info.org 27
FEATURE
by Janice A. Anderson and Cullin B. Hughes
Physician practice
management arrangements:
State fee-splitting prohibitions
and the corporate practice
of medicine
»» Physician practice management arrangements often implicate state laws on corporate practice of medicine (CPOM) and
fee-splitting prohibitions.
»» The CPOM doctrine can dictate the form of physician entity to be used in a physician practice management arrangement.
»» Fee-splitting prohibitions may prevent certain management fee structures that are common to physician practice management
arrangements.
»» Laws vary from state to state, so these laws should be examined for each state in which services will be provided under a
physician practice management arrangement.
»» Violation of CPOM or fee-splitting prohibitions can lead to serious consequences for both the physician practice management
company and the physicians involved in an arrangement.
Janice A. Anderson ([email protected]) is a Shareholder in the
Chicago office of Polsinelli PC and Cullin B. Hughes ([email protected])
is an Associate in the Kansas City office of Polsinelli PC.
P
hysician practice management companies (PPMs) have been around
only for a quarter-century or so, but
they have experienced a tumultuous history
in that relatively short period of time. The
industry saw PPMs grow at a frenzied rate
through the early to mid-1990s, only to watch
a number of large PPMs file for bankruptcy
protection by the end of the decade. At the
same time many PPMs were experiencing
financial troubles, others went through very
public divorces with their associated physician
groups, many of which resulted in protracted,
contentious litigation.
Although PPMs never went away
entirely, their numbers significantly
declined. The PPM model is viable
today and, when structured properly,
can provide financial gain for the
PPM and significant benefits to the
physicians involved. As new PPMs
enter the marketplace, parties on
both sides of a PPM relationship (the
PPM itself and the physicians it manages) need to understand the legal
pitfalls that apply to PPMs which, if
not handled correctly, can jeopardize
the success of any PPM arrangement.
This article discusses two important legal requirements that must be
understood and applied correctly to
the structure of any PPM: state laws
Anderson
Hughes
FEATURE
governing the corporate practice of medicine
(CPOM) and state fee-splitting prohibitions.
What is a PPM?
In general terms, a PPM is an entity that manages one or more non-clinical aspects of a
physician practice’s business. PPMs manage
physician practices of all types and sizes,
including primary care, single-specialty,
multi-specialty, and hospital-based practices.
A PPM can provide a physician practice
with a full suite of management, administrative, financial, and
operational support
services, handling
virtually every aspect
of the practice’s
business other than
clinical operations, or
can offer a more limited set of services.
PPMs are typically
owned by non-physician investors, and
thus do not have any involvement in patient
care or clinical decision-making (and are often
prohibited from doing so legally, as discussed
in more detail below).
The business rationale behind the PPM
model is relatively straightforward – physicians are generally focused on providing
patient care, and often do not have the time,
energy, or resources to effectively and efficiently manage the “business” aspects of a
medical practice. In addition, a PPM, which is
funded by investors, offers a physician practice access to capital that would otherwise
be unavailable, which is vitally important in
an era that pits decreasing reimbursement
against increasing regulatory requirements.
PPMs with large networks of physician practices also can negotiate better payer contracts
and provide access to clinical protocols and
other benefits.
The typical “full-service” relationship
between a PPM and a physician practice
involves the PPM providing office space,
equipment, supplies, non-professional staff,
and most everything else that is necessary for
the practice to operate on a day-to-day basis.
A PPM-practice affiliation often begins with a
PPM “acquiring” an existing physician practice
by purchasing all of the practice’s assets and
assuming the practice’s office and equipment
leases, all of which the PPM then leases back
to the practice. In this scenario, the practice’s
physicians usually
receive a significant
payment as consideration for the sale of
the practice’s assets
at the time of the
affiliation with the
PPM. Alternatively,
some PPMs operate
under a model in
which they recruit
individual physicians
from existing practices or from residency and
arrange for office space, equipment, staff, etc.
to be provided to a new or de novo physician
practice entity that the PPM forms. In either
case, the relationship between the PPM and the
practice is governed by a long-term management agreement (often with a term of 10 years
or more), which sets forth all of the services
to be provided by the PPM and the rights and
obligations of both parties during the relationship. In addition, the PPM typically requires
the physicians to enter into employment agreements with the practice (or amendments to the
physicians’ existing employment agreements)
containing restrictive covenants that prevent
the physicians from leaving the practice and
directly competing with the practice. The
PPM also may “hand pick” the physician who
is the shareholder of the practice, creating a
“friendly” physician practice entity, restricting
PPMs with large networks
of physician practices also
can negotiate better payer
contracts and provide access
to clinical protocols and
other benefits.
29
FEATURE
the physician-owner’s ability to sell or transfer his or her shares to others and requiring
the physician to transfer his or her shares to
another physician (of the PPM’s choosing) if the
physician for any reason is no longer associated
with the PPM.
PPMs can be compensated in a number
of ways. The practice and the PPM can agree
upon a payment arrangement that includes a
fixed fee, a percentage of the practice’s revenue
or profits, a share of cost savings that the PPM
helps the practice realize, or some combination
of these different elements. However, the most
common end-result is that the PPM guarantees
the practice’s physicians a generous salary and
benefits, but then keeps all profits generated by
the operation of the practice. The model makes
perfect sense from a business perspective, as
discussed below, but PPMs must be wary of
state law requirements that could dictate the
terms under which the PPM-physician practice
arrangement must be structured.
The corporate practice of medicine doctrine
The PPM model involves an arrangement
between licensed physicians on one hand and a
business entity owned by non-licensed persons
on the other. It would be easy and straightforward if the PPM could simply employ
the physicians, allowing the PPM to pay the
physicians’ salaries and benefits and all other
expenses of the practice while keeping the profits
generated by the physicians’ services. What
may seem to be a very simple and straightforward arrangement can become exceedingly
complex, however, because of a legal doctrine
known as the prohibition against the CPOM,
and any PPM arrangement should be carefully
examined for compliance with the CPOM doctrine in each state in which a PPM-affiliated
physician practice renders services. Generally
speaking, the CPOM doctrine prohibits a lay
corporation (i.e., one that is owned by nonprofessionals) from practicing medicine, either
through the corporation itself or by employing
licensed physicians, under the theory that the
medical profession may be practiced only by
professionals that have been duly licensed by
the state’s medical board or other licensing
agency. A majority of states maintain some form
of the CPOM prohibition on the books today.
Depending on the state, the CPOM prohibition may be based upon a statute, case law,
or an attorney general opinion. Most states
have statutes allowing for physicians to form a
professional corporation, professional limited
liability company, or other form of entity to
provide professional medical services. This
affords the physician-owners the benefits of
a traditional corporation or limited liability company (e.g., liability protection) while
allowing them to avoid the state’s CPOM
prohibitions. However, most of these statutes
restrict the ownership of such physician services entities to only those individuals who
are licensed physicians. Thus, in states with
CPOM restrictions, it is generally illegal for
a PPM to directly employ physicians, and a
separate physician-owned entity must be used.
PPM arrangements can also implicate the
CPOM doctrine in other ways. First, if the form
of entity of the physician practice (e.g., corporation, limited liability company, professional
corporation) is not one that can lawfully employ
physicians, the practice can be deemed to have
violated the state’s CPOM prohibition. This issue
can arise when the PPM forms a series of de novo
physician practice entities in various states and
then recruits physicians to join the PPM’s practice. Often, the PPM relies upon the law of one
state that allows, for example, limited liability
companies to render professional services and
then erroneously assumes that other states
similarly allow LLCs to employ physicians.
Second, the PPM can exercise too much
control over the practice, which could lead
to the conclusion that the PPM is effectively
engaged in the practice of medicine in violation
FEATURE
of the CPOM doctrine. This was the conclusion
reached by the Texas Court of Appeals in finding that the CPOM doctrine had been violated
by a PPM that, through a management agreement, had the right to 66.67% of the practice’s
profits, frequently commingled the practice’s
and PPM’s funds, pledged the practice’s assets as
collateral for the PPM’s debt, and had the right
to hire staff for the practice to use in hospitals
where the practice contracted to
provide services.1
The court looked
beyond the form
of the arrangement
and found that the
practical effect was
that the physician
was an “employee”
of the PPM, a
business corporation, and that the
arrangement allowed the PPM to indirectly
practice medicine, something that it could not do
directly under the Texas Medical Practices Act.
When structuring a PPM arrangement, it
is important to review the CPOM prohibitions
and exceptions that exist in each state in which
the PPM plans to provide services, to verify
that the entity type chosen for the practice may
in fact provide professional medical services
or employ physicians to practice medicine. In
addition, in states with strong CPOM prohibitions, the PPM and affiliated practice should
be careful in structuring the arrangement so
that the PPM will not be viewed as indirectly
practicing medicine through its control over the
physician practice entity. Further, a number of
states’ statutes contain requirements that the
owners of a physician practice entity must be
professionals licensed to practice the profession in that particular state. For PPMs using a
“friendly” physician (i.e., one that is an officer,
director, or employee of the PPM) to be the sole
or majority owner in each physician practice
that is affiliated with the PPM, these laws may
require the “friendly” physician to be licensed
in each state where the PPM provides services.
Fee-splitting
Although sometimes misconstrued as part of
the CPOM doctrine, the prohibition against physician fee-splitting is a distinct concept and may
exist in a state even if
an arrangement does
not implicate a particular state’s CPOM
prohibition. Although
the fee-splitting prohibition is rooted
in a proscription of
physicians sharing
their professional
fees for the referral of
patients, some states
flatly prohibit any
dividing of professional fees between physicians and other persons or entities (whether or
not tied to referrals of patients).
Fee-splitting is commonly included in state
statutes relating to licensure of medical professionals. Often, fee-splitting is identified as one of
many things constituting “unethical” or “unprofessional” conduct in such statutes, which could
subject an offender to disciplinary action.
The prohibition on physician fee-splitting is
of great relevance to PPM arrangements, because
most PPMs seek to be compensated (at least in
part) based upon a percentage of the revenues or
profits of their affiliated physician practices. In
states that strictly prohibit any form of physician
fee-splitting, such as Illinois, such percentagebased compensation physician-management
arrangements are simply not allowed (although
percentage-based billing and collection fees are
permitted). In other states where fee-splitting
proscriptions are limited to the division of professional fees when tied to patient referrals, a
Often, fee-splitting
is identified as one of
many things constituting
“unethical” or “unprofessional”
…which could subject an
offender to disciplinary
action.
31
FEATURE
Potential consequences of violating
the CPOM or fee-splitting prohibitions
Violating a state’s CPOM or fee-splitting prohibitions can have serious consequences. In most
jurisdictions, the courts have the authority to
enjoin the unlawful practice of medicine by a
PPM in violation of the state’s CPOM prohibition. In addition, a physician could be subjected
to disciplinary action by the state medical
board or other licensing agency, including
loss of the physician’s license to practice medicine, for engaging in an improper fee-splitting
arrangement. Some states also have criminal
penalties associated with their fee-splitting
prohibitions, which could subject the parties
involved to fines or, in a particularly egregious
case, imprisonment.
Further, many PPMs may not realize that
if an arrangement runs afoul of a CPOM or
fee-splitting prohibition, the illegality of the
arrangement could be used as a defense to
enforcement of a contract between the PPM and
the physician practice or physicians under the
theory that the contract is void as a matter of law.
For example, the Florida case described above
arose out of an attempt to enforce a non-competition covenant in a physician’s employment
agreement. The physician argued that the
management agreement, which contained the
unlawful compensation term, served as consideration for the non-competition covenant that he
had agreed to, and therefore, the non-competition covenant should be found to be invalid.
Conclusion
The physician practice management model is a
viable alternative to the “independent” medical practice in which physicians are responsible
for all of the practice’s clinical and business
operations. Successful PPM arrangements can
provide sound financial returns for the PPM
while allowing the physicians involved to focus
on patient care and be paid a generous salary
without having to deal with the administrative burdens associated with managing the
day-to-day operations of the medical practice.
However, when structuring a PPM arrangement, the parties should be careful to comply
with the CPOM and fee-splitting prohibitions
in each state that the PPM-affiliated practices
will conduct business, because a failure to do so
could result in serious, adverse consequences
for the PPM and the physicians involved.
1.
Flynn Bros, Inc. v. First Medical Assocs., 715 S.W.2d 782 (Tex. App. 1986).
2.
Gold, Vann & White, P.A. v. Friedenstab, 831 So. 2d 692, 695 (Fla. Dist. Ct.
App. 2002).
percentage-based management fee may not, on its
face, violate the proscription. However, a deeper
look must be given to case law and administrative
interpretations of the relevant statutes to determine the exact scope of the prohibition.
For example, in Florida, the fee-splitting
statute prohibits “any split-fee arrangement…
for patients referred…” At first glance, this statute does not appear to prohibit a management
fee that is based upon a percentage of revenues
or profits, because the PPM’s management fee is
typically thought of as being for management
services provided by the PPM. However, the
Florida courts have interpreted this statute to
prohibit the payment of a percentage of incomebased management fee to a PPM when the
PPM provided marketing and managed care
contracting services to the physician practice,
because the percentage-based management fee,
in essence, rewarded the PPM for increasing
business or referrals to the practice.2
Structuring PPM arrangements in states
with strong fee-splitting restrictions can be
challenging, because the general business goal
of allowing the PPM to retain the profits from
the practice after paying all expenses can be
hard to achieve. In strict fee-splitting jurisdictions, creative approaches to assessing the
management fee must be developed to allow
the PPM to achieve its desired result through a
series of fixed fee payments.
33
2014
BASIC COMPLIANCE
ACADEMIES
from the Health Care Compliance Association
REGISTER EARLY to reserve your place.
Registration limited to 75 for each Academy.
HCCA’s Basic Compliance Academy
is an intensive three-and-a-half-day
program focusing on subject areas
at the heart of health care compliance
practice.
The Academy is designed for
participants with a basic knowledge
of compliance concepts and
some professional experience in a
compliance function.
Want to become Certified in Healthcare Compliance (CHC)® ?
Take the certification exam on the last day of the Academy.
Learn more and register at www.hcca-info.org/academies
January 20–23
New York, NY
LIMITED SEATS REMAIN
February 3–6
Puerto Rico
February 17–20
San Francisco, CA
March 17–20
New Orleans, LA
April 14–17
Boston, MA
June 9–12
Scottsdale, AZ
August 4–7
New York, NY
September 29–
October 2
Nashville, TN
October 20–23
Las Vegas, NV
November 17–20
Orlando, FL
December 1–4
San Diego, CA
FEATURE
by Bret S. Bissey, MBA, FACHE, CHC
Some thoughts on
tone at the top
»» The compliance officer should be free to have open and transparent dialogue with the board.
»» The compliance officer should be included and involved in key operational decisions.
»» Compliance should be a standing agenda item in board and/or audit committee meetings.
»» The compliance officer must be given the authority and control over investigations and risk assessments without intimidation.
»» The separation of Compliance and Legal is fundamental to an effective program.
Compliance Services with MediTract in Chattanooga, TN.
O
Bissey
ne of the questions frequently asked
when analyzing the effectiveness
of compliance program is “What is
the tone at the top of the organization?” This
question broadly speaks to how engaged an
organization’s top leadership are with the
compliance program. Is compliance
part of the real culture of an organization or is the program just in place
because it is a requirement?
I believe to answer the question
about whether you have the proper
compliance tone at the top requires some
detailed analysis prior to providing an
answer. I would also mention that I am
a strong proponent that governance and board
oversight of a compliance program is critical to
organizational success. Some (especially those
in non-compliance roles) would suggest that
because you have in place policies and procedures that say leadership is engaged, it must be
so. I maintain that to answer the question accurately requires a deeper dive into the topic.
Assessing tone at the top
To answer the question properly requires first
some observations being made into behavior(s)
of your board and senior management in
reaction to different situations that might be
occurring within an organization. Let’s look
at some topics and scenarios that might assist
your organization, board, and the compliance
officer to assess “tone at the top.”
Free and open dialogue with the board
·· As the compliance officer, do you know
the board representative who has oversight
responsibility for compliance?
·· What is the access you have to this individual?
·· If you have a matter of importance to discuss, can you simply pick up the phone
and call him/her or must the interaction be
“coordinated” via another department?
·· Can you have that discussion without
looking over your shoulder, wondering
if the president, CFO, general counsel, or
someone else might be upset with you for
making the call?
·· Have the board and president established and
agreed that if there is something going on
that might be a risk to the organization, your
obligation is to notify them immediately?
·· Do you have regularly scheduled meetings
with the assigned board member?
·· Is the president or your direct report supportive of you communicating directly with
the board member?
Bret S. Bissey ([email protected]) is Senior Vice President,
35
FEATURE
·· Does anyone try to “control” the message to
the board or president, or are you working
in a totally transparent environment?
·· Do you ever get a question presented to you
by a member of management that implies
“You don’t really need to tell the board,
do you?”
·· In meetings attended by both the board and
management, if asked difficult questions by
the board, are you able to respond honestly
and with total transparency without the
risk of negative consequences coming
your way?
The slant of these questions is to assess
whether the compliance officer can speak
freely and openly to the board and not worry
about any risk of any retaliation or negative
consequences. Being an effective compliance
officer means not only delivering the good
news, but also potentially bad news (in the
viewpoint of some), which could be in the
form of investigative
reports, audit findings
resulting in reimbursements, or worse actions.
Sometimes there are
individuals in an organization who don’t like
the bad news. The compliance officer needs
to be reassured by the
board and leadership
that the “tone at the
top” constantly supports the transparency
message as a core value of the organization.
possibly providing meeting minutes and
copies of any presentations?
Inclusion and involvement is key
·· Where does the compliance officer stand
organizationally compared to the senior
executives of the organization?
·· Does the compliance officer know what is
going on in the organization?
·· If there are important decisions being
made, is the compliance officer notified?
The easiest way to ensure involvement
is to mandate that the compliance officer is a
member of senior management and invited to
attend all meetings. The board must make this
a requirement, rather than a recommendation,
to the president.
Case in point
A compliance officer colleague of mine was
recently surprised to learn of some new electronic medical record
(EMR) systems being
implemented in his hospital. Because he wasn’t
made aware in the planning phase, he was not
able to proactively assess
billing, documentation
risks, etc. This most
likely occurred because
he wasn’t invited to the
top-level meetings where
EMR project was introduced, discussed, and
debated. Someone either made the decision
that the compliance officer did not need to be
involved, or they simply forgot to invite him.
Is the compliance tone at the top proper
at this hospital? Probably not—the president
and/or board must assure that the compliance
officer is an active participant in pertinent topics.
Is the compliance officer presenting on
topics as a standing agenda item to the board
The slant of
these questions is
to assess whether the
compliance officer can
speak freely and openly
to the board…
If you have a Compliance Committee:
·· Is a board member a participant?
·· Is he/she attending the meetings?
·· Is he/she knowledgeable on the matters
being discussed?
·· If he/she doesn’t attend, do you meet
and provide a summary of the meeting,
FEATURE
and/or audit committee meetings? The key
point here: Is the compliance officer presenting? Certainly there may be times where
the compliance officer may be bringing in
an expert consultant to support the
discussion, but the
compliance officer
needs to be in front
of the board and
leadership to lead the
discussion on key
topics. Compliance
discussions should
not be assigned to
others to lead, nor be
subverted by another executive. They should
be the compliance officer’s responsibility.
Finally, are the discussions frank, honest,
and speaking directly to the risk of different
matters, including sometimes unpopular
actions that may need to be taken to correct
a problem?
to overpayments that go something like this:
“You looked at the wrong accounts; you hired
the wrong consultant; etc.”
The board and leadership must ensure
that this type of
behavior/approach
does not happen.
Likewise, “opinion
shopping” the matter
for analysis until
they get the “right”
answer is also a very
dangerous approach
to take. Simply stated,
the CO should have
the authority and
control to run these engagements without
interference or intimidation from others in
the organization.
Likewise,
“opinion shopping”
the matter for analysis until
they get the “right” answer
is also a very dangerous
approach to take.
In closing
To be an effective compliance officer means
that you are able to influence decision-makers
in your organization. I believe a key component of having an effective compliance
program is to have the proper tone at the top.
As described above, we have outlined some
criteria to review to help assess whether the
proper tone exists within an organization.
From my experiences as a CO at three
different organizations functioning under
corporate integrity agreements, I have seen
different approaches to the “tone at the top”
mantra. The organization that gave me
the most comfort that I was managing an
Authority and control without intimidation
Let’s move to a real life scenario. Suppose the
compliance officer has identified a potential
billing overpayment matter. What is the first
step? Who does the CO notify first? Hopefully,
the board wants to know about these types
of situations and they give the CO complete
control over the analysis of the topic. The CO
should be given the authority to determine
whether to hire consultants, make reimbursements, enhance education, halt billing etc.,
without interference from other parties in
the organization.
I am not suggesting that other leaders in
the organization not be engaged and informed
on progress and outcomes, but way too often
in my career I have seen a negative reaction
directed back at the CO rather than efforts and
energies being expended to remedy the problem.
I have seen reactions, especially when related
The separation of compliance and legal
There is much debate about the relationship
between Compliance and Legal. That is not
the focus of this article, other than to say that
whoever is performing your compliance function must be able, as directed by the board,
to function independently of management in
certain situations.
37
FEATURE
effective compliance program was the one
that required total transparency with the
board. For that organization, the board was
engaged with the CO (myself), the president,
general counsel, and other senior managers
to assure there were no surprises. If problems
were identified, they were communicated to
the proper parties, corrective actions were
assigned to accountable individuals, and
follow-up actions were taken to assure that the
problem was corrected. This organizational
structure mandated monthly audit committee meetings, bi-weekly calls with the audit
committee chairman, mandatory review of all
audits (internal and external) with the audit
committee, inclusion of compliance matters
as standing agenda items on all management
team meetings, planned and approved compliance work plans which took into consideration
an active risk assessment, and the necessary
budget allocation to get the job done. This was
an organization whose culture was focused
on compliance. Tone at the top needs to be
more than a statement or direction—it needs
to be demonstrated on a daily basis within
your organization.
Preview
2014 COMPLIANCE INSTITUTE SESSION 403 2
014 Review of the OIG Work Plan
for Post‑Acute Providers
Monday, March 31 4:30–5:30 pm
Gavin Gadberry
Shareholder,
The Underwood
Law Firm, PC
Paula Sanders
Want to know what the OIG knows? Ever wonder what tools they use
Healthcare Chair,
Post & Schell, PC
for enforcement and how they choose which areas to focus? This session
will highlight the 2014 OIG Work Plan and discuss best practices to stay
ahead of the OIG with regard to compliance. We will review recent OIG
enforcement cases and lessons learned from Corporate Integrity and Quality of Care Agreements. Take home a
checklist to review your company’s Compliance Plan to see if it meets the 7 Pillars to avoid fraud and abuse.
Preview
2014 COMPLIANCE INSTITUTE SESSION W2 Building a Compliance Dashboard:
Tips for Creating High-Level Reports
for Tracking Progress, Improvement,
and Risks for Your Compliance Program
Wednesday, April 2 8:00–9:45 am
Jordan Muhlestein
Regional Compliance
Manager, Intermountain
Healthcare
Ryan Williamson
Senior Compliance
Consultant, Intermountain
Healthcare
Compliance programs manage and evaluate so many different issues,
it can be difficult to provide a simple explanation of how a program is functioning. This presentation will provide
specific guidance for building and implementing a Compliance scorecard that will allow you to both track your
work and provide a simple summary of your overall Compliance efforts.
To hear more, attend HCCA’s 18 th Annual Compliance Institute in San Diego, CA!
Visit www.compliance-institute.org for more information or to register.
THE COMPLIANCE–QUALITY CONNECTION
by David Hoffman, Esq.
Compliance as a means to
achieving “high reliability”
& Associates, PC, a national health care consulting firm in Philadelphia, dedicated
to assisting healthcare providers in complying with regulatory requirements and
ensuring patient safety through legal and clinical compliance.
I
n preparing for a lecture to my Regulating
Patient Safety class at the Earle Mack
School of Law at Drexel University, I came
across a very interesting article titled “HighReliability Health Care: Getting There from
Here.”1 High-reliability science is the study
of organizations in industries like
commercial aviation and nuclear
power that operate under hazardous
conditions while maintaining safety
levels that are far better than those
of healthcare. The authors evaluated
highly reliable organizations2 and
Hoffman
found that “an environment of ‘collective mindfulness’ in which all
workers look for, and report, small problems
or unsafe conditions before they pose a substantial risk to the organization and when
they are easy to fix” was effective in achieving
high-reliability.3 Doesn’t that sound like what
a culture of compliance is all about? The creation of a corporate culture of compliance that
mandates that every employee has the obligation to report possible non-compliant activity
has the exact same mission.
The authors further noted that:
“[H]ospitals are currently characterized by
low reliability. This fact implies strongly
that hospitals cannot solve these problems
[unsafe conditions] by simply and directly
adopting high-reliability principles and
practices all at once. Imagine what might
happen if all the workers in a hospital
suddenly acquired a keen sense of collective mindfulness and began to recognize
and report all the unsafe conditions and
errors they encountered from the moment
they arrived at the hospital. The organization would soon be deluged with such
reports that its capacity to fix the problems
uncovered by the reports would be overwhelmed, and many unsafe conditions
would necessarily remain unaddressed.”4
Imagine what might happen
if all the workers in a hospital
suddenly acquired a keen sense
of collective mindfulness and
began to recognize and report
all the unsafe conditions and
errors they encountered…
In adapting high-reliability science to hospitals, the authors maintain that three major
changes would have to occur in order to move
toward high reliability:
1. The leadership’s commitment to the
ultimate goal of zero patient harm;
2. The incorporation of all the principles and
practices of a safety culture throughout
the organization; and
3. The widespread adoption and deployment
of the most effective process improvement
tools and methods.5
David Hoffman ([email protected]) is President of David Hoffman
39
ACADEMIES
FILL FAST
ES
I
M
E
D
A
AC
T
FILL FAS
r
e
t
s
i
g
e
R
early
Register
early
Healthcare
Research
Privacy
Basic Compliance
Academies
Las Vegas, NV
Basic Compliance
Las Vegas, NV
March 10–13
Orlando, FL
November 3–6
With a wide range of research-related issues
becoming hot topics with enforcement agencies,
HCCA’s Research Basic Compliance Academy®
provides the opportunity to get information on many
areas that affect research compliance officers and
their staff on a day-to-day basis. A small audience
encourages hands-on educational techniques,
small group interaction, and networking.
Learn more & register at
Academies
March 10–13
San Diego, CA
June 16–19
Orlando, FL
November 3–6
HCCA’s Healthcare Privacy Basic Compliance Academy®
is comprehensive, covering a broad spectrum of laws and
regulations that affect healthcare organizations: HIPAA
privacy, general compliance, the Federal Privacy Act, and
other privacy‑related topics relative to healthcare. The faculty
has many years of experience in healthcare compliance and
is well‑versed in healthcare privacy. The Academy is also
helpful in preparing for healthcare privacy certification.
THE COMPLIANCE–QUALITY CONNECTION
Again, these principles are consistent with
“effective” compliance principles, including
leadership commitment, using compliance principles throughout the organization, and using
effective compliance policies and procedures.
But, I was puzzled by the authors’ conclusion that leadership (i.e., board, CEO/
management) and physicians, all critical components to an effective compliance program,
were deemed as in the “beginning stages of
organizational maturity” when the “Board’s
[and CEO/management] quality focus is
nearly exclusively on regulatory compliance.”6
Interestingly, there was no definition of regulatory compliance offered in the article.
I have maintained for years that regulatory compliance and quality are inextricably
linked. I have counseled every healthcare client
that compliance officers must have a seat at
the Quality table and vice versa. Regulatory
compliance is not just about billing activities; it
must be defined to include the delivery of quality healthcare to patients and residents in order
to support the submission of claims for services
rendered. Whether the stage of development
is deemed to be “beginning” or “approaching”
organizational maturity, the role of compliance
officers in assisting hospitals in achieving high
reliability is without question. If we view regulatory compliance through a clinical lens, it is
apparent that patient safety is paramount. As
such, the Compliance department must be an
integral part in any healthcare provider’s drive
to becoming a high-reliability organization.
1.Mark R Chassin and Jerod M. Loeb: “High-Reliability Health Care:
Getting There from Here.” The Milbank Quarterly 2013; vol. 91, no. 3,
pp. 459-490.
2.Id. at 459
3.Id. at 461
4.Id. at 467 citing Weick, K.E., and K.M. Sutcliffe, . 2007. Managing the
Unexpected. 2nd ed. San Francisco: Jossey-Bass
5 Id. at 468
6.Id. at 474 (Table 2).
Preview
2014 COMPLIANCE INSTITUTE Monday, March 31 1:30–2:30 pm
John Joseph
Principal,
Post & Schell, PC
Government enforcement of healthcare fraud is as vigorous as ever,
Dwight Claustre
and with the new health care reform laws, voluntary self-disclosures
Healthcare Compliance
are a growing piece of the enforcement arsenal. In fact given the new
Professional
repayment requirements, it is questionable as to whether self-disclosures
are even voluntary anymore. Knowing how the process works is critical
to navigating the gauntlet of government enforcement options to make sure your entity is fairly treated and that
healthcare fraud exposures are reduced as much as possible. This session will provide an insider’s view into this
process, as well as practice tips to make the experience as painless as possible.
SESSION 206 Voluntary Disclosure: When and Where
41
FEATURE
by Michelle Moses Chaitt, Esq; Mark L. Mattioli, Esq; Richard E. Moses, DO, JD; and D. Scott Jones, CHC
Compliance and quality of care,
Part 2: The physicians’
perspective
»» Learn strategies for educating physicians about compliance issues.
»» Key teaching principles have proven useful in educating physicians.
»» Identify the most common compliance and quality risks for physicians and include them in educational materials.
»» Make compliance a solid and real concept for physicians by pointing out the role of compliance in preventing
malpractice claims.
»» Malpractice insurance carriers are starting to offer privacy breach insurance as well.
Michelle Moses Chaitt ([email protected]) is an Associate in the Healthcare
Liability Practice Group and Mark L. Mattioli ([email protected]) is Chair of
the Health Law Practice Group, Chair of the Healthcare Governmental Compliance
Practice Group, and Co-chair of the Privacy and Data Security Practice Group at
Marshall Dennehey Warner Coleman & Goggin in Philadelphia. Richard E. Moses
([email protected]) is a practicing physician, board certified in Internal
Medicine, Gastroenterology, and Forensic Medicine; an Adjunct Clinical Associate
Professor of Medicine and Law at the Temple University Schools of Medicine and
Law, respectively; and serves as the Associate Medical Director for Medical Staff
Development and Integration at Jeanes Hospital, part of the Temple University
Healthcare System in Philadelphia. D. Scott Jones ([email protected]) is
Senior Vice President for Claims, Risk Management, and Corporate Compliance
for the Healthcare Providers Insurance Exchange (HPIX) in Philadelphia.
“Physicians drive compliance. A major concern for compliance officers continues to be
ensuring that physicians understand their
role in preventing fraud, abuse, and waste…”1
T
his quote, written by a physician/attorney
and a compliance officer, clearly illustrates
the need for compliance officers to educate physicians. It also addresses a key concept:
Physicians can drive compliance and quality at
the intersection of physician and patient, where
effective care is delivered and the fundamental
acts of compliance occur. The quote
further illustrates that an aware physician recognizes that compliance occurs
(or fails to occur) at the moment care is
delivered and documented in a manner
that allows an organization to bill for
services provided.
Educating physicians about compliance is an ongoing challenge for
compliance officers and organizations.
At the heart of that challenge lays the
task of making compliance a solid and
real concept. Patient care providers are
justifiably focused on delivering the
medical care that is needed to treat a
patient’s condition. As their primary,
if not only, focus they usually fail to
consider compliance and potential risk
management issues concurrently, or
prospectively for that matter.
One issue keenly understood
by physicians is that of medical
malpractice. Most physicians have
been or will be involved in malpractice lawsuits during their career.
Healthcare organizations obtain lists
Moses Chaitt
Mattioli
Moses
Jones
FEATURE
·· providing “case study” examples of compliance violations and the consequences of
those violations;
·· encouraging physicians to share their
experiences and concerns, especially
during group teaching sessions;
·· rating physicians against their peers (using
a system that protects individual identities,
but allows a doctor to determine if they are
an “outlier”); and
·· requesting, reviewing, and implementing
feedback from physicians.
Physician perspectives vary on compliance
issues, and many do not understand compliance as a discipline or how it relates to their
primary concern, providing care to patients.
To better understand how physicians think,
compliance officers and healthcare counsel
should consider the following:
·· Physicians are taught to assess, diagnose,
and implement correct treatment, and be
individually responsible for outcomes.
·· Physicians are competitive, detailed oriented,
and over-achievers and/or survivors.
·· Physicians have little tolerance for
ambiguity.
·· As scientists, physicians respect facts and
data supported by quoted research.
·· Physicians understand, but often dislike,
peer review.
·· Physicians dislike being embarrassed,
especially before their peers.
·· Physicians generally want to do the “right
thing.” As far as compliance is involved,
they frequently may not know the right or
correct approach.
To make compliance “real” to physicians
and other providers of care, educational programs should focus on the areas of concern
they deal with on a daily basis. Physicians in
particular are attuned to professional medical
liability and malpractice issues. Recognizing
of malpractice actions when considering providers for medical credentials. The National
Practitioners Data Bank (NPDB) maintains a
list of all providers involved in malpractice
indemnity payments, along with descriptions
of the incidents involved. This permanent
record follows a doctor throughout his/her
career. The OIG frequently cites medical
malpractice lawsuits as an indicator of overutilization or improper utilization. Compliance
officers must clarify the connection of medical
malpractice, quality, and compliance to physicians. Good compliance can equal fewer
malpractice lawsuits. The career implications
of this equation are crystal clear to physicians
and are a profound motivator.
The need to educate physicians is more
acute for many healthcare organizations in the
wake of the past several years of medical practice acquisition, ongoing practice management,
and physician employment arrangements.
Compliance officers face a need to provide
education to an increasing pool of doctors, all
of whom are providing care to patients while
trying to learn about compliance. Physicians
are highly independent, self-reliant, and have
a sense of personal responsibility. These
characteristics are inculcated throughout
their training and education. They also create
unique challenges for compliance officers.
Authors Moses and Jones documented
specific tenets of an effective educational
program for physicians. An essential step in
the process of developing and implementing
an educational program for physicians is to
comprehend how physicians think and communicate, and to recognize that physicians
receive little training with regard to fraud,
abuse, or medical malpractice issues.2
Key teaching principles that have proven
effective with physicians include:
·· maintaining a positive approach that
encourages and compliments, while avoiding confrontation and intimidation;
43
FEATURE
how failures in quality of care could be both
compliance and malpractice concerns is an
effective means of making the case for compliance and quality.
Physicians need to understand the following areas of risk exposure:
·· Electronic medical records (EMR) —
With the advent of EMR, and a rush to
implement electronic health record (EHR)
systems in all types of healthcare organizations, physicians are working with
systems that allow them to use drop-down
box lists and pre-populated templates.
OIG Work Plans and other investigative
documents detail concerns about cloned
medical records and systems that “optimize” coding.
·· HIPAA Privacy and Security — Many
healthcare providers are uncertain about
what information they can safely communicate and be consistent with the
Privacy and Security Rules promulgated
under the Health Insurance Portability
and Accountability Act of 1996 (HIPAA).
The Department of Health and Human
Services (DHHS) Office of Civil Rights
(OCR) maintains an effective summary
that can be useful as a teaching tool for
physicians.3
·· Informed consent — A Top 10 medical
malpractice allegation for all medical specialties is inadequate informed consent.
Discussion of this issue should include
analysis of the current process used by
healthcare organizations and physicians.
The analysis should consider who takes
consent, who signs documents, and how
appropriate the education and timing of
education is for patients.
·· History and physical (H&P) — Failure
to obtain a complete H&P is common and
frequently cited in medical malpractice
allegations. Failure to obtain a complete
H&P often drives improper allocation of
evaluation and management (E&M) codes
from the American Medical Association’s
Current Procedural Terminology, Version
4 system (CPT-4 ) used by physicians. As
it relates to EMR, physicians must be cautious when using cut-and-paste features,
to avoid transferring incorrect information
or appearing to expand the actual level of
service provided.
·· Abnormal test results — Many organizations encounter frequent failures in
how abnormal test results are identified,
transmitted to providers of care, and acted
upon. The process of notifying patients
is frequently haphazard and may be
incomplete.
·· Medication management — Patients have
more co-morbidity and are taking more
medications than in the past. Errors in
medication management occur throughout
healthcare organizations and, frequently,
are driven by failures to obtain complete
medication lists and failures to assess
medications for contraindications.
·· Patient handoff — The process of transferring patients from one provider of care
to another is a significant opportunity
for error. The handoff process must be
scripted and timed carefully, providing
specific information in a controlled
manner from one doctor to another.
Immediate followup must be provided by
the receiving physician and support staff.
®
®
When working with physicians, the
authors found that the most effective means
of communicating compliance concerns to
doctors involves a physician educator paired
with a compliance officer. A physician educator offers the teaching advantage of sharing
real time practice experiences as they relate to
compliance issues. When addressing a physician audience, this enhances credibility of
compliance issues for everyone involved in
FEATURE
the teaching process. As a team, the physician
educator and compliance officer can provide
real world examples with both perspectives,
and analyze how failures in quality of care
can become both compliance issues and potentially medical malpractice issues.
Moreover, not only is compliance the
right thing to do, but very soon, it will be
mandatory. Under the Patient Protection and
Affordable Care Act
(PPACA), compliance
programs that were
once voluntary will be
mandatory for providers who participate in
any federal healthcare
program.4 For example,
skilled nursing facilities were required to
have compliance plans
in place by March 23,
2013.5 Although the
regulations have yet to
be published, the Office
of the Inspector General
(OIG) has issued compliance guidelines for the different segments
of the healthcare industry. These guidelines
may very well be what the DHHS uses when
formulating its regulations. OIG offers compliance guidelines for:
·· Nursing facilities
·· Hospitals
·· Pharmaceutical manufacturers
·· Ambulance suppliers
·· Small group physician practices
·· Medical equipment and prosthetics
manufactures
·· Third-party medical billing companies
·· Clinical laboratories, and
·· Home health agencies.6
Medicare and Medicaid Fraud and Abuse7 designed
to educate physicians about the fraud and
abuse laws that apply to them, including the
False Claims Act.
Insuring healthcare compliance
Many providers may be unaware that some
forms of compliance are now insurable.
Medical malpractice carriers may offer certain
types of coverage for
breaches of protected
health information (PHI)
under the Privacy and
Security provisions of
HIPAA.8
As the range of
fines and penalties
is fixed and there is
published data on the
number and frequency
of data breaches, insurance carriers are able
to actuarially project
loss costs and thus, are
able to offer coverage as
“breach insurance.” In
some cases, a malpractice carrier simply added
coverage cost to existing insurance policies
using an “opt out” method. If the purchaser
did not opt to deny coverage, it was added to
the policy. One area of concern for healthcare
counsel should be the actual coverage provided.
It is limited to defense expense cost, but in
many policies, the actual amount provided
may be inadequate to defend or does not contemplate the full exposure if a data breach of
over 500 medical records occurred. The remedies
for a large scale data breach are onerous and
costly, including ongoing credit monitoring for
each patient involved in a loss of data.9
Insurance coverage also may be obtained
for Recovery Contractor (RC), formerly
Recovery Audit Contractor (RAC) audits. By
using off-site data monitoring, RC and other
OIG also offers a free web-based course
entitled A Roadmap for New Physicians: Avoiding
…[the OIG] has
issued compliance
guidelines for the
different segments of
the healthcare industry.
These guidelines may
very well be what the
DHHS uses when
formulating its
regulations.
45
FEATURE
types of audits assess utilization of services.
Contractors then contact providers and organizations seeking repayment of services deemed
to be over-utilized. Auditors retain a percentage of as much as 15% of any overpayments
recovered. Repayments are required within
60 days of notification.10
Most RC audit coverage is limited to a
fixed amount of defense and response cost.
Again, counsel should analyze if the amount
provided is adequate to provide an effective
defense. Coverage for fines and penalties
assessed for non-compliance is not available
through current insurance markets.
Health Care
Auditing & Monitoring Tools
The 1,000+ pages of materials in this toolkit
includes more than 100 sample policies,
procedures, guidelines, and forms to enhance
your compliance auditing and monitoring efforts.
The toolkit is updated twice a year with new tools:
The first two updates are free, and an
annual subscription can be purchased
to receive subsequent updates.
Find just one tool to help your program
improve, and you’ve achieved a
positive return on your investment.
For more information
visit www.hcca-info.org/books
or call 888-580-8373
Conclusion
Educating physicians on regulatory compliance
issues has always been, and will continue to
be, a great challenge for compliance programs
and compliance officers. The new paradigm of
employment by a healthcare system may serve
to exacerbate education challenges rather than
improve them. Many physicians employed by
health systems have the impression that issues
like billing, collections, and compliance are
being dealt with by someone else. They can now
concentrate on seeing patients and let billing and
compliance people worry about those issues.
Central to a successful education program
is the core concept that physicians drive compliance. Reaching out to doctors and teaching
them, based on educational concepts that work
for high-level professionals, is a key goal for
compliance programs today. If the compliance
officer keenly understands the audience, it is
more likely an educational program will be
effective and achieve meaningful results. The
concepts outlined in this article have been used
by the authors to teach groups of hundreds of
physicians and are well received by this unique,
driven, and time constrained audience.
Grounding compliance education in
concepts important to doctors—those of
improving quality of care, avoiding National
Practitioner Data Bank reports, and avoiding
medical malpractice lawsuits—are key means
to reach the audience in a way that is important to them and their careers.
1.Moses RE, Jones DS: “On the Front Lines: Educating Physicians on
Fraud and Abuse Compliance Issues.” CCH Health Care Compliance
Newsletter, June 19, 2012, pp. 4-6.
2.Id.
3.The OCR website is located at http://1.usa.gov/IAIddL.
4.Patient Protection and Affordable Care Act (ACA), §6401.
5.ACA, § 6201.
6.Office of Inspector General: Compliance Guidance. Available at
http://1.usa.gov/18VuF7d
7.OIG web-based course. Available at http://1.usa.gov/1htG6Yo
8.The Department of Health and Human Services Office of Civil
Rights maintains an effective summary of the Privacy Rule at
http://1.usa.gov/IAJiSV. The summary contains direct links to the
actual statute and relevant laws and regulations.
9.Jones DS, Moses RE: Insuring Health Care Compliance: “The Nexus
of Medical Malpractice Litigation and Government Regulation.”
Journal of Health Care Compliance, Volume 13, Issue 5, SeptemberOctober, 2011, pp.27-30, 62
10.CMS maintains a comprehensive informational site on RAC audits
at http://go.cms.gov/1eQ1WSu
FEATURE
by Karen Nelson
New developments in data
analytics: From data mining
to data prospecting
»» CMS has employed predictive data analytics on Medicare fee-for-service claims data.
»» Predictive analytics may result in earlier governmental intervention.
»» Medicaid Fraud Control Units are authorized to begin data mining.
»» The organization can take simple steps to protect itself by using internal data proactively.
»» Compliance efforts can be quantified in monetary terms.
of the DLA Piper law firm. She is a former Chief Counsel to the Texas Medicaid
Inspector General.
M
Nelson
ost compliance professionals are
aware that Medicare and Medicaid
agencies analyze claims data to
identify risks of fraud, waste, or abuse and
to establish the targets of audits or investigations. In addition to the government’s current
broad use of data analytics, a recent
regulatory development now allows
criminal enforcement authorities to
analyze Medicaid claims data for fraud
risks and requires them to report on
the monetary results of prosecutorial
efforts. Data analytics may allow the
government to turn off payments early
in the investigative process, instead of
trying to recoup inappropriate payments. Many
large healthcare organizations are becoming
subjects of government investigation, because
of data analytics alone.
Data prospecting vs. data mining
There are two types of data analysis: data
prospecting (figuring out where to dig) and
data mining (actual digging). For data mining,
the government typically uses a defined
set of claims data. It has already identified
the type of improper payment and it drills
for specific instances of those claims. Data
mining may involve simple queries, edits, and
anomaly screens.
Data prospecting is a more recent development that has become possible with the advent
of greater technological capabilities. It goes
beyond drilling for known fraud or abuse patterns. It allows regulators and enforcers to
scour the data landscape to identify previously
unknown aberrant patterns and establish new
possibilities for identifying improper payments.
Consolidated data sets
Data prospecting is different from data
mining in four significant manners. First, it
relies on multiple data sets containing massive volumes of data. In addition to claims and
health records, data prospectors consolidate
information from corporate records, driver’s
license and vehicle records, banking records
(if authorized by law), property records,
professional licensing board databases, beneficiary data, social media, news articles,
Karen Nelson ([email protected]) is Of Counsel in the Austin office
47
FEATURE
prescription databases, vital statistics records,
and compromised provider or recipient
number databases.
One common form of data prospecting is link
or graph pattern analysis. This type of analysis
looks for relationships and associations among
providers, beneficiaries, vendors, silent partners,
and hidden brokers.
For example, a physician who refers all of
his pain management
patients to the same
pharmacy may be
in collusion with the
patients or the pharmacy to commit fraud.
In another example,
organizational providers may be engaging
vendors who employ excluded individuals or
who have previously undisclosed familial relationships with executive management. As the
trend toward acquisitions, joint ventures, and
other consolidated business arrangements continues, it becomes increasingly important for
organizations to discover links and associations
that may not be immediately apparent.
tools, it applies them across a broader array of
data. Data prospecting requires a long-term
historical data set from which the government
can identify aberrant billing patterns. As new
algorithms are developed and their outcomes
assessed, the historical patterns are constantly
refined for more precision and reliability in
the results; the process improves as it
continues.
The objective of data
prospecting is the prevention
of overpayments and early
intervention in the claim
process, rather than the
traditional pay-and-chase
recoupment model.
Immediacy
The second distinguishing feature of data prospecting is immediacy. Data mining typically
relies on paid claims data, but data prospecting
uses more current or even real-time data. The
objective of data prospecting is the prevention of
overpayments and early intervention in the claim
process, rather than the traditional pay-and-chase
recoupment model. Risk factors and red flags may
support a decision to deny claims or subject them
to additional review prior to payment, before a
government payer incurs substantial losses.
Complexity
Data prospecting is more complex than data
mining. Although it may use some of the older
Predictive patterns
The fourth distinction
is that data prospecting is predictive.
As the government
develops a reliable set
of aberrant billing patterns and risk factors
for one provider, it improves its ability to predict
similar behavior by others and identify entities
for investigation that might not otherwise merit
or receive scrutiny. The use of multiple risk factors serves as a filter to reduce the number of
responses, so that the results are more likely to
warrant further inquiry. A provider’s association with known risk factors may activate an
investigation before there is any other outward
evidence of fraud or abuse by that provider. This
is a particularly big risk for organizations that
receive substantial government reimbursement.
For example, a data mining query may
flag a physician who treats a small numbers of
patients with an excessive number of services.
Predictive modeling would, by using additional data points, increase the risk score if the
physician was also in an urban location, but
the beneficiaries were dispersed over a wide
geographic area. The score might be raised
further if the urban area historically demonstrated a high incidence of fraud or abuse.
None of these factors, standing alone, would
appear to be suspicious. Taken together, however, they form a cluster of traits that could
FEATURE
Medicare fee-for-service data
Congress has required CMS to use predictive analytics technologies with Medicare
fee-for-service data. CMS is tasked with these
objectives:
·· Capture provider and beneficiary activities to identify networks, billing and
utilization patterns, and identify high risk
activity;
·· Integrate data alerts into the claims flow
process;
·· Analyze large data sets for factors linked
to fraud, waste, or abuse and identify them
prior to making payment;
·· Capture outcome information on adjudicated claims to refine the precision of data
alerts; and
·· Prevent the payment of potentially invalid
claims until they have been verified.1
CMS is required to report annually on
actual and projected savings and cost avoidance due to predictive analytics, as well as
its return on investment from employing
these techniques.2
Although CMS was initially required to
employ predictive analytics in the ten states
with the highest risk of fraud or abuse, it has
already implemented nationwide data prospecting for Medicare fee-for-service claims.
As part of the continual refinement process,
CMS determined that several of the algorithms
resulted in excessive false-positives and discontinued their use.
Medicaid Fraud Control Units
Data mining has historically remained within
the purview of CMS and single state Medicaid
agencies. On May 17, 2013, however, the
Department of Health and Human Services
(HHS) adopted the final rule, allowing state
Medicaid Fraud Control Units (MFCUs) to
engage in data mining.3 Before this rule was
adopted, HHS refused to fund any MFCU
activities involving the use of data mining to
screen claims or analyze patterns of practice
to identify fraud risks.4 Now, however, MFCUs
may participate in data prospecting and mining
under certain conditions, and HHS will fund
those activities at a 90% cost matching rate.
The results of data analytics may be used to
support a criminal prosecution or a credible
allegation of fraud and ensuing suspension
of Medicaid payments to the provider.5
A MFCU must meet certain conditions
before engaging in this practice, such as
amending its federally-required Memorandum
of Understanding with the single state Medicaid
agency to describe interagency coordination,
avoid duplication of effort, provide for Medicaid
agency support, and designate individuals
to serve as primary points of contact for data
mining. It must identify the staff who will
conduct data mining and provide specialized
training in data mining techniques to those
employees. The MFCU must also describe
the anticipated costs of implementing a data
mining program. The HHS Office of Inspector
General, in consultation with CMS, must
approve or deny the MFCU’s proposals within
90 days of receiving the application and any
requested supplemental materials. After 90 days
have expired, the request shall be considered
approved.6 The MFCU must reapply for approval
every three years.
indicate overutilization or even billing for
phantom patients.
In a health system, there may be gaps if
any adjunct service or acquired entity employs
a different claims, billing, or documentation
system. Predictive modeling could be used to
craft a set of factors that would identify misapplied claims or payments, absences of expected
follow-up services, or the provision of duplicate services. Even large, stable, and reputable
healthcare organizations with strong compliance programs may be flagged by this process.
49
FEATURE
If approval is granted, the MFCU must
report to CMS annually on the following
metrics:
·· All costs expended that year on data
mining activities;
·· The amount of staff time devoted to data
mining activities;
·· The number of cases generated from those
activities;
·· The outcome and status of those cases,
including the expected and actual monetary recoveries; and
·· Any other “relevant indicia of return on
investment from such activities.7
Preventive measures
The trend is clear. Enforcement authorities
are increasing their use of data mining and
data prospecting, they are interceding earlier
to suspend claims payments, and they are
incentivized to report publicly on the financial
returns from these activities. It is, therefore,
increasingly important that compliance
professionals learn to use internal data proactively. Any organization can take simple steps
toward this goal.
The compliance professional has several
advantages in this regard. First, the organization understands its own data better than an
external reviewer will. Because claims data
fields are not standardized, it may be difficult for an enforcement agency to compare
one organization’s data against another’s.
Investigators may not understand the organization’s internal practices, systems, or
data entry conventions, and they often must
invest resources in follow-up interviews and
data conversion.
Furthermore, the government’s data
analysis, without more effort, rarely results in
an actionable finding. Unless the data query
results in a clearly disallowable claim (e.g., for
a service rendered after the patient’s date of
death), an agency will almost always need to
confirm the findings by reviewing the chart
or other extrinsic documents. Again, this
requires the agency to invest further investigative resources before it can capitalize on its
data mining efforts.
The organization that monitors internal
data and addresses issues before they turn
into more pervasive problems has an opportunity to diminish the risks associated
with investigations and risk-based audits.
Governmental agencies may be less likely to
apply their resources toward data-identified
targets if the dollar amounts are insignificant,
and an organization’s ability to demonstrate
that it is vigilant about data monitoring can
help persuade the government not to seek
severe outcomes.
Simple initial efforts
Even modest steps can be worthwhile. If you
do not have well-developed data queries,
begin by walking around. Get acquainted
with the individuals in the Claims and Billing
departments. Ask what types of claim denials they receive most frequently. Ask for their
opinions about the types of claims they think
pose the highest risk for disallowance. Ask
them about their “problem providers,” utilization trends, and the kinds of claims that are
giving them the most trouble.
Similarly, talk to IT staff members or vendors. Learn what pre-payment claim edits are
in place, if any. Determine the existing capability for implementing edits and the costs of any
necessary upgrades. Identify reports that are
readily available that could be useful from a
compliance standpoint.
Looking at internal data
Once these foundations are in place, begin
expanding the use of data internally. Develop
monthly reports and internal pre-filing claim
edits based upon the organization’s particular risk factors. Review provider enrollment
FEATURE
applications and disclosure statements to ensure
that they comply with recent ACA requirements,
and amend those processes as necessary.
Legal counsel can assist in identifying and
prioritizing risks so the Compliance department can allocate its resources appropriately.
Counsel can also develop defensive elements
that should be included as data fields in
queries or reports. This will ensure that the
data reflects a balanced, complete picture.
Legal counsel can also assist with reviewing business associate agreements, conflict of
interest responses, and other documentation
and disclosures to ensure that they will reveal
related-party transactions or ineligible silent
partners. It is essential to determine whether
such inquiries should be conducted under
attorney-client privilege or the attorney work
product doctrine.
Internal data mining can be a process
of continual development and refinement.
The ultimate result should be a set of regular, automated queries designed to alert the
organization to problems before they rise to a
level warranting governmental scrutiny. The
approach does not have to be elaborate or timeconsuming. The necessary data and reports are
usually already available. Keep it simple.
Finally, develop a method for quantifying
the results of these compliance efforts. The
organization should benefit from cost savings,
cost avoidance and reduced potential for abuse
due to the sentinel effect. Reporting these
results in monetary terms provides another
opportunity to underscore the value of the
compliance team.
Be proactive
Although data prospecting is expected to
continue, it is a new tool. Governmental agencies
and health industry professionals will all learn
by trial and error. This is the time to begin
reviewing and understanding the hidden
messages within your own data.
1.42 U.S.C. § 1320a-7m(b)
2.42 U.S.C. § 1320a-7m(e)(1)(B); see also U.S. Government
Accountability Office, Report No. GAO-13-104 (October 2012)
3.42 C.F.R. § 1007.20. MFCUs have criminal investigative and
prosecutorial authority.
4.42 C.F.R. § 1007.19(e)
5.42 C.F.R. §§ 455.2, 455.23
6.U.S. Department of Health and Human Services Office of Inspector
General, State Fraud Policy Transmittal No. 2013-2.
7.42 C.F.R. § 1007.17(i)
Don’t forget to earn CEUs for this issue
Complete the Compliance Today CEU quiz for the
articles below from this issue:
You may also email, fax, or mail the completed quiz.
·· Compliance and quality of care, Part 2:
by Michelle Moses Chaitt, Mark L. Mattioli,
Richard E. Moses, and D. Scott Jones (page 42)
FAX: 952-988-0146
·· Medicare gets egg on its face
by Edward L. Vishnevetsky (page 67)
To complete a quiz: Visit www.hcca-info.org/quiz,
log in with your username and password, select
a quiz, and answer the questions. The online quiz is
self-scoring and you will see your results immediately.
MAIL: Compliance Certification Board
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
United States
To receive one (1) CEU for successfully
completing the quiz: You must answer at least
three questions correctly. Only the first attempt
at each quiz will be accepted. Each quiz is valid
for 12 months, beginning on the first day of the month
of issue. Quizzes received after the expiration date
indicated on the quiz will not be accepted.
Questions: Call CCB at 888-580-8373.
·· New developments in data analytics:
From data mining to data prospecting
by Karen Nelson (page 47)
EMAIL: ccb @ compliancecertification.org
51
Register now for
HCCA’s
Regional
Conferences
HCCA’s Regional Conferences provide high-quality,
convenient, inexpensive education and
networking opportunities. Don’t miss the
opportunity to attend one in your area!
Start planning now for 2014
Southeast
Delaware Valley
Mid Central
January 24
June 6
November 7
•
Atlanta, GA
Philadelphia, PA
•
Louisville, KY
•
South Atlantic
Pacific Northwest
Desert Southwest
February 7
June 13
November 14
•
Orlando, FL
•
Seattle, WA
•
Phoenix, AZ
Cascade Range
West Coast
South Central
February 14
June 20
November 21
•
Portland, OR
•
Newport Beach, CA
•
Nashville, TN
Southwest
New England
Upper West Coast
February 21
September 12
December 5
•
Dallas, TX
Alaska
February 27–28
•
Anchorage, AK
September 19
December 12
March 7
September 29
•
Minneapolis, MN
•
Kansas City, KS
DC Metro
North Central
March 14
October 6
•
Washington DC
•
East Central
May 1–2
October 10
San Juan, Puerto Rico
•
Hawaii
May 9
October 16–17
Columbus, OH
Upper Northeast
Mountain
May 16
October 24
•
New York, NY
Houston, TX
Pittsburgh, PA
Upper North Central
•
•
Indianapolis, IN
Puerto Rico
•
San Francisco, CA
•
Gulf Coast
Midwest
St Louis, MO
Boston, MA
Upper Midwest
Greater St Louis
•
•
•
•
Honolulu, HI
Denver, CO
www.hcca-info.org/regionals
REFLECTIONS IN RESEARCH
by Kelly Willenberg
Kelly Willenberg ([email protected]) is President and CEO of Kelly
Willenberg, LLC in Chesnee, SC..
W
elcome to the new Reflections in
Research column. My goal is to
provide you with a current, careful
consideration in research every other month.
In January of 2014, there are two “hot”
fundamental changes in research. The first is
the mandatory reporting of an 8-digit
clinical trial number on claims. This
number will be placed on claims
for items and services provided in
clinical trials that are qualified for
coverage as specified in the Medicare
National Coverage Determination
Willenberg
Manual, Section 310.1. (NCD 310.1)
This number will be required on
professional and facility/institutional claims
in a designated position when the claim has a
V70.7 and condition code 30. Work with your
billing staff on this new requirement in your
process of identifying clinical trial routine cost
and tracking trial patients. The number can
be found at www.clinicaltrials.gov and is assigned by
the National Library of Medicine when a new
study appears in the data base. The number is
always preceded by NCT.
Also, January 1, 2014, Section 2709 of
the Affordable Care Act (ACA) goes into
effect, mandating that commercial group
health plans (including new self-funded
arrangements) and state licensed health
insurance issuers cover the routine costs
associated with participation in a clinical
trial. This follows the NCD 310.1 and mirrors
the definitions pertaining to routine costs in
qualifying trials. Ensuring that you know
what the routine costs vs. the research-related
procedures are by doing a coverage analysis
will help you to know what is billable under
the guidelines. Review guidelines and
understand NCD 310.1 when implementing
this new mandate. But remember that when
a state’s clinical trials’ coverage law is more
generous or provides greater protections to
patients, health insurance plans must comply
first with it. Section 2709 is establishing the
minimum for clinical trial coverage except for
“grandfathered” plans.
A “grandfathered” plan is defined as a
group health plan (which includes single
employer plans and multi-employer plans,
whether insured or self-funded) or health
insurance coverage in which an individual
was enrolled on March 23, 2010 (the date
of enactment of the ACA). Plans with
grandfathered status are exempt from the
clinical trials coverage provision. Once a
plan either reduces benefits or increases costs
to enrollees, it loses grandfathered status
and must comply with all ACA provisions,
including the clinical trials coverage provision.
Check with your managed care department
to verify what this means for your institution
or practice.
Two new developments
in January
53
Now Available!
HIPAA… HITECH… GINA…
Omnibus Final Rule…
The regulations governing the privacy and security of
patient data just keep getting more complex. Now, more
than ever, compliance and ethics professionals need to be
sure all employees are up to date with their training.
The HCCA HIPAA Training Handbook, Third Edition,
is here to help. This newly updated guide offers nurses,
physicians, admins and everyone else who has access
to personal healthcare information the essential, basic
knowledge they need about privacy and security regulations
to do their jobs effectively.
Topics include:
• Who must comply with the regulations?
The HCCA
With
Omnibus
Rule
Coverage
HIPAA
Training Handbook
Third Edition
• What counts as PHI and e-PHI?
• Who is allowed access to e-PHI?
• When and by whom is the use or disclosure
of e-PHI permitted?
• What rights does an individual have regarding
his or her own PHI?
• What happens when an impermissible
disclosure of e-PHI happens?
• What safeguards must employees follow
to protect the security of e-PHI?
• Who is at risk for penalties for
noncompliance?
Members: $25 | Nonmembers: $30
Bulk discounts available for HCCA members.
Visit www.hcca-info.org/books to order.
by Kurt Long
HIPAA Omnibus Rule
regulatory milestone: Building
and maturing sustainable
compliance programs
»» The final Omnibus Rule removes the ambiguity and uncertainty surrounding healthcare privacy and security compliance requirements.
»» With the removal of legal ambiguity, care providers can now confidently establish and mature sustainable compliance programs.
»» User activity monitoring is likely to be a focal point for the Office for Civil Rights’ (OCR) ramped-up 2014 HIPAA audit schedule.
»» Resources are available to overcome technology, governance, and workforce challenges.
Kurt Long ([email protected]) is Chief Executive Officer of
FairWarning, Inc., in Clearwater, FL.
®
I
Long
n January of 2013, the HIPAA final
Omnibus Rule, was handed down
with a September 23, 2013 deadline for
enforcement. The final Omnibus Rule was
designed to strengthen security and privacy
protections of electronic protected health
information (ePHI) originally established under the Health Insurance
Portability and Accountability Act
of 1996 (HIPAA) and it will indeed
do that—strengthen the privacy
and security of ePHI. But it also
represents a paradigm shift for the
healthcare industry in which this
important regulatory milestone
removes the ambiguity and uncertainty surrounding healthcare privacy and security
compliance, enabling care providers to confidently establish and mature sustainable
compliance programs.
Borrowing the lessons learned from the
financial services’ migration through SarbanesOxley, we know that maturation of compliance
as a core business function requires several
things: specificity of the law, the industry’s
comprehensive understanding of the regulatory
requirements, a clear understanding of the cost
of non-action, and qualified and knowledgeable staff that can build and support affordable
and sustainable compliance programs. What
the final Omnibus Rule offers care providers
are new regulations that provide a level of legal
specificity around issues, including definition of
a breach, what is reportable, the care provider’s
responsibility to prove that the ePHI was not
compromised by the potential breach, and what
care providers must do to have a legally defendable position relative to a breach. This specificity
coupled with heightened enforcement by the
Office for Civil Rights (OCR) creates the impetus for care providers to move swiftly toward
achieving sustainable compliance as a critical
component of their business.
»» For compliance to be sustainable and affordable, care providers must view compliance as a core and critical function of their everyday
operations and work.
55
From uncertainty to certainty
Prior to the final Omnibus Rule, the roadmap
to sustainable compliance was less than clear.
HIPAA’s definition of a “breach” referred to
“the acquisition, access, use, or disclosure of
protected health information in a manner not
permitted [under subpart E] which compromises the security or privacy of the protected
health information.” The Health Information
Technology for Economic and Clinical Health
Act (HITECH) attempted to more clearly
define a breach as an impermissible use
or disclosure under the Privacy Rule that
compromises the security or privacy of the
protected health information such that the use
or disclosure poses a significant risk of financial, reputational, or other harm to the affected
individual.” However the definition of “harm”
was not clearly outlined and, prior to the final
Omnibus Rule, could be subjectively applied
by the care provider.
Today, the final Omnibus Rule offers care
providers a regulatory gift—the removal of the
“harm standard” and immunity against civil
monetary penalty (CMP) if the care provider
can demonstrate they are proactively discovering breaches and subsequently investigating,
remediating, correcting deficiencies, and meeting federal reporting requirements. Now, with
removal of the harm standard under the final
Omnibus Rule, all care providers are bound by
the same legal requirement to demonstrate that
the ePHI was not compromised as a result of a
breach. Additionally, the new regulations offer
care providers the opportunity to realistically
assess and therefore correct breach vulnerabilities by virtue of the mandate to report all
breaches. In essence, through the final Omnibus
Rule, the government is acknowledging that
breaches occur within every care environment
and is compelling care providers to:
·· first, accept that breaches occur in their
organization,
·· second, swiftly investigate and remediate
the breach, and
·· most importantly from a compliance
perspective, accept that they are legally
obligated to report discovered breaches to
Health and Human Services (HHS).
Proactive care providers committed to
sustainable compliance are doing just this—
discovering the breach, remediating and
sanctioning, and reporting the breach to the
Preview
2014 COMPLIANCE INSTITUTE SESSION 304 LoProCo: Understanding and Applying
the Four Factor Assessment Model
for Presumed Breaches
Frank Ruelas
Privacy, Security, and
Compliance Officer,
Gila River Health Care
Monday, March 31 3:00–4:00 pm
OK… it happened; your organization has identified an impermissible use or disclosure of Protected Health
Information (PHI). Furthermore, the presumption of a breach now exists and this has triggered the required breach
notifications. Wait! Before you go too far down Breach Blvd, take advantage of learning about LoProCo, what it is
and how it is used to assess an incident to determine if it is a breach.
appropriate parties. In a recent article,1 the
fall-out resulting from the misuse of access to
celebrity Kim Kardashian’s medical records
was chronicled and included the firing of five
employees and the dismissal of a volunteer.
What was of particular note was that the
breaches were discovered through an
audit of access to the
VIPs record.
Pam Dixon, founder
of the World Privacy
Forum, was interviewed
for the article and stated
that she was impressed
by how quickly the care
provider used technology to quickly turn
around its investigation
of the breach noting, “I anticipate as audit systems get better, this problem will be resolved.
I think that’s actually the cure, and having a
robust system of checks and balances where
people are actually looking at the audit results.”2
It appears that Dixon is not alone in this
opinion. Access audits or user activity monitoring is not only a requirement under HIPAA,
but OCR has signaled that it will be a focal
point for its ramped-up schedule for HIPAA
audits in 2014. With the removal of the harm
standard, care providers must now prove that
the information was not “compromised.” The
ability to “prove” will be predicated on the
care provider’s ability to conduct user activity monitoring and, without the ability to
audit access, it is virtually impossible to detect
breaches involving misuse of access.
As care providers begin considering sustainable compliance, they must careful consider that
failure to discover and report breaches, or implement user activity monitoring, will likely result
in certain and costly consequences that reach
far beyond a failed audit, an HHS resolution
agreement, or a $1.5 million fine. Breaches that
appear in the media create significant damage
to a care provider’s reputation. According to a
report released in 2011, 64.1% of patients noted
that if they learned of a breach through the
media, they would no longer seek care from
that provider. Patient attrition is likely to be one
of several factors that
would carry a negative
financial punch.3
A breach made
public through the
media as opposed to
self-reported would
likely trigger an OCR
investigation. Costs
associated are likely
to include but are not
limited to: legal fees,
forensic investigation
fees, and C-suite time. In the case of an audit,
these fees would rocket exponentially, and a
failed audit could result in a resolution agreement that may include required third-party
monitoring, unannounced random audits, and
costly processes and technologies required to
close vulnerabilities.
The certainty that the final Omnibus Rule
conveys is that it will require a shift in the
organizational mindset, one that mandates an
acceptance that breaches occur within the care
providers, and breaches must be reported. Once
this mindset is achieved, care providers must
evaluate their current processes, procedures,
and technologies to ascertain whether their current resources are capable of supporting breach
discovery and reporting requirements and support the goal of sustainable compliance.
Office for Civil Rights and its focus
As the privacy rights enforcement arm of
HHS, OCR has long been perceived as the Big
Bad Wolf within industry. However, what the
final Omnibus Rule intimates is that OCR’s
mission is not to be punitive as it relates to
A breach made
public through the
media as opposed to
self-reported would
likely trigger an
OCR investigation.
57
privacy breaches that are proactively discovered, reported, and remediated. This regulatory
milestone signals the government’s recognition that breaches occur and dictates how care
providers must handle these breaches. OCR is
committed to educating care providers as to
their regulatory obligations; however, they are
equally committed to enforcing compliance
with regulations designed to protect patient
privacy without discrimination. What OCR is
expecting of care providers is that they “will do
the right thing.” But, for the care providers who
are willfully neglectful, OCR will come down
with a heavy hand.
As care providers build or enhance their sustainable compliance programs, they will need
to do so with a sense of urgency. Increased OCR
enforcement is a certainty and as noted before,
the consequences of non-action are steep and
costly. As of 2012, OCR had conducted 115 audits
which revealed user activity monitoring was the
number one deficiency. The majority of care providers failed to demonstrate the use of systemic
and automated user activity monitoring. These
care providers were unable to document and
capture which employee accessed what patient
record and for what reason. This lack of audit
data is a direct violation of the audit requirements under the HITECH Act.
Now, OCR is gearing up for an expanded
audit program which will commence in
October 2013 for fiscal year 2014. According to
OCR Director Leon Rodriguez, OCR the 2014
audits will be more “streamlined in process,
and include an expanded pool of organizations.” Though the scope of the permanent
audit program has not been publicized, the
agency has likely completed an assessment
of its audit pilot and has identified the most
common vulnerabilities or areas of non-compliance relative to the 169 requirements under
HIPAA. In a direct quote from Rodriguez,
he states “we want to hit more entities and
be more focused on parts of the privacy and
security rules for which breaches are at high
risk. We want to be focused on things that
really matter in terms of compromising patient
confidentiality.”4 Care providers should expect
2014 audits to be laser focused on user activity
monitoring.
Based on the findings of the 115 HIPAA
audits, it is probable that many unaudited
care providers have deficiencies that mirror
those discovered in the audits. Among audited
organizations, user activity monitoring was
the most common security deficiency. These
care providers were unable to document
and capture which employee accessed what
patient record and for what reason. This lack
of audit data is a direct violation of the audit
requirements under HITECH. With the final
Omnibus Rule’s removal of the harm standard, in order to be prepared for a HIPAA
audit, care providers will be forced to accept
that user activity monitoring is mission critical
to their compliance program. Without the ability to audit access, it is virtually impossible to
detect breaches involving misuse of access.
Components of a sustainable
compliance program
Care providers must leverage best practices and
technologies to resolve deficiencies including
user activity monitoring, encryption, identity
management, risk assessment, reporting, and
governance-related issues. But in many cases,
this is easier said than done. Care providers
will be challenged to ensure they:
·· can gather, collect, analyze, and correlate
the data from their electronic health record
(EHR),
·· have the proper technology solutions,
·· have required processes in place to support
government requirements, and
·· ensure they have the right type of privacy
and security talent—professionals with an
investigative mind who understand clinical
workflows and have a privacy background.
Shortfalls in any of these areas should lead
to consideration of partnering with an expert
technology and services firm.
Up until the passage of the final Omnibus
Rule, for many organizations, compliance was
a distraction to their core business—providing quality care to patients. In some cases, care
providers have adequate staff and well-trained
privacy and security professionals who are
adept at building and supporting sustainable
compliance programs. Many understand compliance must be core to their business; however,
they are finding that privacy and compliance
skills require special expertise that is difficult
to find. These organizations are increasingly
partnering with a privacy partner that can help
build sustainable and affordable HIPAA compliance programs and prepare the organization
for an OCR HIPAA audit. Specifically these privacy partners can help care providers overcome
the challenges associated with:
·· developing, rolling-out, and operating
a privacy program;
·· conducting internal or external audits;
·· hosting the privacy monitoring solution
hosting;
·· reducing risk associated with attrition of
privacy and security staff; and
·· eliminating interruptions or risk to sustainability of the compliance program
associated with HR challenges.
Conclusion
The final Omnibus Rule represents a critical
shift for organizations that are committed to
building sustainable and affordable compliance programs. With the removal of legal
ambiguities, proactive care providers are have
a clear roadmap of legal requirements that
enable the development of programs with
certainty as it relates to compliance requirements. For compliance to be sustainable and
affordable, these care providers must view
compliance as a core and critical function of
their everyday operations.
1.Joseph Conn: “Medical record breaches following Kardashian birth
reveal ongoing issue.” Modern Health Care, July 15, 2013. Available at
http://bit.ly/1bdzdSN
2.Id.
3.New London Consulting/FairWarning: How Privacy Considerations
Drive Patient Decisions and Impact Patient Care Outcomes.
September 13, 2011. Available at http://bit.ly/18bCXHm
4.Joseph Goedert, “What HHS/OCR Will Look for in HIPAA
Compliance Audits.” Health Data Management, March 21, 2013.
Available at http://bit.ly/1dLKzVM
Authors Earn CEUs:
CCB awards 2 CEUs to authors of articles
published in Compliance Today
Compliance Today needs you!
Every month Compliance Today offers health care
Articles are generally between
compliance professionals information on a wide variety
1,000–2,500 words (not a limit).
of enforcement, regulatory, legal, and compliance
Submit your article as a Word
program development and management issues.
doc with limited formatting.
Compliance
TODAY
January 2014
A PUBLICATION OF THE HEALTH CARE COMPLIANCE ASSOCIATION
WWW.HCCA-INFO.ORG
compliance concerns involving hospitals, outpatient
services, behavioral health, rehab, physician practices,
The article title and author’s
contact information must be
included in the article.
28
Cullin B. Hughes
35
Some
thoughts
on
tone at
the top
Bret S. Bissey
42
Compliance and
and D. Scott Jones
47
New developments
in data analytics:
From data
mining to
data prospecting
Karen Nelson
long-term care/homecare/hospice, ambulatory surgery
Email margaret.dragon @ hcca-info.org
centers, and more.
with your topic ideas, format questions, and more.
We are particularly interested in articles covering
See page 16
59
Now Available!
Research Compliance
Professional’s Handbook Second Edition
Get HCCA’s practical guide
to building and maintaining a
clinical research compliance
& ethics program
Clinical research is highly regulated, so the role
of compliance professionals is vital to meeting
the demands of a wide range of governing entities.
This new edition of the handbook offers comprehensive,
up-to-date guidance to get you on the right track.
Written by experts with hands-on experience in clinical research compliance,
this book is intended for anyone with compliance duties or a need to understand
such key areas as:

human subject protections

effort reporting

biosecurity and biosafety

clinical trial billing

research using animals

records management

scientific misconduct

data and safety monitoring

conflicts of interest

role of oversight entities

privacy and security

auditing & monitoring

grant and trial accounting

integrating research compliance
into corporate compliance
Visit www.hcca-info.org/books to order.
by Natalie Franklin
Essential health benefits
under the ACA
»» Ten statutory essential health benefit (EHB) categories were established under the ACA.
»» Private, employer-based, and Medicaid health plans must provide minimum EHBs.
»» Four coverage groups (Bronze, Silver, Gold, and Platinum) are available.
»» Open enrollment in the state health insurance marketplaces started October 1, 2014.
»» Fee or “tax” for failure to obtain coverage starts in 2014.
Compliance Manager for Symbius Medical, a nationwide durable medical
equipment company in Phoenix, AZ.
T
he Patient Protection and Affordable
Care Act1 (enacted on March 23, 2010)
was amended by the Health Care and
Education Reconciliation Act of 20102 (enacted
on March 30, 2010). Nevertheless, three years
after its promulgation, the Affordable Care
Act (ACA) remains widely misunderstood. Few truly understand its
basic foundations, and details on its
implementation are still emerging,
still being crafted. Thankfully, there is
some help out there to help navigate
the new world of healthcare.
Franklin
Beginning in 2014, non-grand
fathered individual and small group
health plans, as well as Medicaid benchmark
and benchmark-equivalent plan must provide
the essential health benefits (EHBs) designated
under the ACA. EHBs are designed to be
equal to the scope of benefits provided under
a typical employer-sponsored health plan and
are the minimum services a health plan must
cover. The final rules published in the Federal
Register on February 25, 20133 and July 15, 20134
outline the EHB that private health plans
and Medicaid Alternative Benefit Plans,
respectively, must provide, consistent with
Section 1302 of the ACA. EHBs will include
items and services in ten statutory benefit
categories, including:
·· Ambulatory patient services
·· Emergency services
·· Hospitalization
·· Maternity and newborn care
·· Mental health and substance use
disorder services, including behavioral
health treatment
·· Prescription drugs
·· Rehabilitative/habilitative services
and devices
·· Laboratory services
·· Preventive and wellness services
and chronic disease management
·· Pediatric services, including oral
and vision care
Uniformity and transparency of coverage
provisions are expected to fuel competition
between health plans, and many insurers will
likely offer more than the minimum. So, how
will one know which plan to choose?
Individuals are able to shop for insurance
coverage on state health insurance exchanges,
called “marketplaces.” These marketplaces are
intended to allow an apples-to-apples comparison of insurance plan offerings. In addition to
Natalie Franklin ([email protected]) is the Corporate
61
catastrophic plans, insurance packages will be
categorized under four groups: Bronze, Silver,
Gold, and Platinum. These plans are defined
by law to denote increasing levels of coverage
from 60%–90% of actuarial value, also called
“metal levels.” Further, the ACA requires
a standardized Summary of Benefits and
Coverage (SBC). All of these rules are intended
to allow consumers to simplify benefit package comparison and make an informed choice
concerning their coverage. Open enrollment
began on October 1, 2013, with coverage beginning on January 1, 2014. Still, for many people,
trying to navigate coverage and get the best
bang for the buck is a daunting process.
Nevertheless, it behooves one to choose
coverage before 2014, because most individuals
who remain uninsured after that date (either
through an employer-based or individual plan,
Medicare, Medicaid, or through the health
insurance exchange) will wind up paying a fee
or “tax,” as well as remaining responsible for
the full cost of their health care. This fee begins
at 1% of annual income or $95 per person,
whichever is higher, and increases to 2.5% or
$695 per person in 2016. Households between
100%–400% of the federal poverty level comprised
of persons who are in the U.S. legally, enrolled
in a qualified health plan, and not eligible for
Medicare, Medicaid, or an employer-sponsored
health plan may be eligible for premium tax
credits. The Internal Revenue Service recently
launched a website, Affordable Care Act Tax
Provisions,5 to provide guidance to individuals,
employers, tax preparers, and others about the
financial impacts of the ACA.
Contact us
email
helpteam @ hcca-info.org
phone888-580-8373
fax952-988-0146
mailHCCA
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Managed care plans should carefully craft
their policies in compliance with the mandates
of the ACA. Smart plans will also strive to
be a patient advocate, mindful that patients
have more choices, and will enjoy more
transparency than ever before. It is critical to
provide sound information to allow consumers to make an informed choice, and be able
to explain different coverage options and
provide appropriate referrals. Insurers must
be prepared to explain what services are covered under each category in plain language.
For instance, what specific treatment or care
will be available as a habilitative service, considering there is really no consensus among
insurers to define this category other than the
Medicaid definition? What behavioral health
services will each plan offer, considering the
ACA requires coverage consistent with the
Mental Health Parity and Addiction Equity
Act?6 And ultimately, why should a consumer
purchase their health insurance from your
company? How do your plans stand out
among all the rest?
The U.S. Centers for Medicare and Medicaid
Services launched a website7 to help answer
questions about health insurance market places,
the ACA, and coverage choices. Don’t wait until
the last minute to know your options.
1.Pub. L. 111-148
2.Pub. L. 111-152
3.78 Federal Register, No. 37, February 15, 2013. Available at
http://1.usa.gov/1dLKQZ1
4.78 Federal Register, No. 135, July 15, 2013. Available at
http://1.usa.gov/1bbeHWi
5.IRS Affordable Care Act Tax Provisions. Available at
http://1.usa.gov/1bdzXY7
6.42 U.S.C. 18031(j). Available at http://1.usa.gov/IAL0n8
7.The Centers for Medicare and Medicaid Services: Healthcare.gov
website. Available at: www.healthcare.gov
To learn how to place an
advertisment in Compliance Today,
contact Margaret Dragon:
email
phone
Compliance
TODAY
January 2014
A PUBLICATION OF THE HEALTH CARE COMPLIANCE ASSOCIATION
WWW.HCCA-INFO.ORG
See page 16
margaret.dragon @ hcca-info.org
781-593-4924
28
Cullin B. Hughes
35
Some
thoughts
on
tone at
the top
Bret S. Bissey
42
Compliance and
and D. Scott Jones
47
New developments
in data analytics:
From data
mining to
data prospecting
Karen Nelson
by Mike Walker, PhD, MA, MS, CFE, CHC
Risk management 2-5-3:
Two pages, five minutes,
and three steps to an
effective program
»» Healthcare operations are under increased scrutiny from the federal government.
»» Boards and senior administrators are being criminally prosecuted.
»» Current enterprise risk management (ERM) processes appear complicated, burdensome, and/or arcane.
»» The Inventory, Evaluate, Act model (IEA) offers a simplified and efficient approach.
»» Governing boards are responsible for risk oversight and need to act.
Officer with the University of Connecticut, in Storrs, CT.
W
Walker
hy risk management and why now?
Boards and chief executive officers
(CEOs) are experiencing increased
scrutiny, higher accountability, litigation, and in
numerous cases, criminal prosecution. Pressure
is coming from multiple fronts, including
regulatory mandates, increased government enforcement, and stakeholder
demands. We are seeing government
scandals of entire agencies and widespread misconduct of public officials.
No industry is immune to the highspeed ability of social media and
Internet connectivity to broadcast the
latest bad news. The best strategy to
avoid these scenarios is prevention—and the
best prevention is risk management.
Enterprise risk management (ERM)
From an outsider’s perspective, ERM appears
complicated, burdensome, and bureaucratic.
Board chairs and CEOs need an easily
understood process that assists, rather than
complicates decision-making. Decisions
on strategy, major initiatives, budgets and
personnel must be made on time with due
diligence—decisions today, not tomorrow.
Agility, speed, and timeliness are keys in business decision-making. Consequently, chairs
and CEOs must have a tool or process that
identifies risks and opportunities, determines
priorities, and ensures a high probability of
success. This must be accomplished within the
framework of ethics, institutional culture, and
limited resources. Highly structured or diffused, most organizations are practicing some
form of risk management already.
ERM “lite” or IEA
As mentioned, current writing on the topic
suggests a variety of methods including cubes,
graphs, charts, metrics, and methodologies
that are cumbersome, slow, and arcane. There
is a better way. The solution is a simple threestep process called the Inventory, Evaluate, Act
Mike Walker ([email protected]) is Chief Audit, Compliance and Ethics
63
model (IEA). It is low cost, easily understood,
and effective. IEA reflects due diligence and
is easily implemented with existing resources.
No bells, no whistles, no smoke and mirrors—
a simple, well-designed tool that works.
The IEA concept is not a new paradigm,
not a revolution in thinking, nor a mathematical algorithm. IEA takes the best of everything
that exists in ERM literature and reduces the
process, eliminates the non-essential, and
focuses on engagement, quality, speed, and
action. Most organizations already have the
essentials to implement IEA. Operational
owners, compliance staff, and internal auditors
provide the core that makes IEA possible.
Operational owners worth their salt know
what their top risks are and generally know
the priority and resources necessary to mitigate, eliminate, etc. Embedded compliance staff
monitors policies, processes, and procedures for
regulatory compliance. Additionally, internal
auditors routinely conduct some fashion of risk
assessment to drive their annual audit plan.
Also, many organizations, particularly in
healthcare delivery, have a chief compliance officer (CCO) who coordinates compliance activities
across the spectrum of the regulatory landscape.
CCOs typically develop a monitoring plan
in collaboration with
Internal Audit’s chief
audit executive (CAE) to
ensure coverage of high
risk areas. IEA leverages
these existing resources
to accelerate the identification of risks, development
of strategies, and implementation of action plans.
Evaluate: “E”
The recognized “best practice” to evaluate
risks is on a probability and impact scale.
The collective experience and skill sets of the
risk management team should determine the
level of risk facing the organization. This is
a judgmental process that considers the full
range of risks, strategic
issues, and operational
concerns. Further,
evaluation of existing
controls may cause “risk
migration,” that is, risks
may move higher to
lower and vice versa,
depending on the presences and effectiveness
of existing policies,
procedures, resources,
etc. Other issues to consider are government
enforcement, litigation, personnel turnover,
and past reports, such as internal audits.
IEA leverages these
existing resources
to accelerate the
identification of risks,
development of strategies,
and implementation
of action plans
Inventory: “I”
A designated office,
such as Internal Audit
and the CAE, can take the lead in this effort.
Additional support can be garnered with the
help of the CCO and possibly other embedded
compliance staff. These are the professionals
in the organization who routinely address risk
in developing their annual audit and monitoring plans. They can provide the leverage,
expertise, and institutional memory that
catalogs known and emerging risks.
In concert with operational owners, an
inventory of risk is developed. Engagement
of a cross section of the organization is
highly desirable. Information gathering is
typically through direct interviews, surveys,
literature review, industry specific litigation,
etc. Interviews should be conducted with key
board members, the CEO, and members of
his/her senior staff. Other interviews should be
considered for external auditors and key stakeholders. Developing a comprehensive inventory
is an essential process that leads to evaluation,
analysis, and priority setting.
Previous consulting engagements and external while management is responsible for impleaudits are also useful tools in the evaluation
menting risk management strategies.
process. When it comes to evaluating risk, you
Summary
have to ask the central question: “What keeps
IEA is a simple, straightforward process that
you up at night?”
reduces risk management to three distinct
The process will reduce the comprehensive
and equally important steps: inventory, evaluinventory to a more manageable list of high,
ation, and action.
medium, and low
This is not a fullrisk areas. Once
Figure 1:
scale ERM effort.
a control assessThe IEA model
However, boards
ment is applied,
should review the
the “true” risk level
Act
ERM literature and
will emerge, and
decide the level of
then priorities can
implementation
be established and
appropriate for their
resources applied.
Evaluate
organization. A
Low risk areas
short presentation
should be reviewed
to the full board or
periodically to
Inventory
the audit/compliance
ensure they have
committee can take
not migrated to the
as little as five minmedium or high
“I-E-A” Model
utes. Make the decision, then implement.
category. Of immediate concern are the high
The IEA model or “ERM lite” can act as a
impact/high probability risks that threaten
stepping stone or catalyst toward a fully functhe core mission and stated objectives of the
tioning ERM program. IEA is easy to digest,
organization. At this point, the comprehensive
leverages existing resources, and contains the
inventory is complete, priorities are set, and
critical elements that demonstrate due dilinow it is time to act.
gence. It’s preventative medicine necessary
for organizational health. In addressing risks,
Act: “A”
doing nothing is not an option. We cannot
The final step in this process is to implement
stick our collective heads in the sand and hope
action plans that seek to mitigate, transfer,
the risk will go away. Hope is not a course of
retain, or eliminate the risk. Strategies are
action, and denial is not a river in Egypt.
applied and periodic checking is conducted
to determine the effectiveness. Checking the
References
1.Association of Governing Boards and United Educators. The State
progress can take the form of internal audits,
of Enterprise Risk Management at Colleges and Universities Today, 2009
[Online]. Available at: http://bit.ly/I7nEXa
external audits, consultant evaluation, self2.
Enterprise Risk Management-Integrated Framework, Executive Summary,
Committee of Sponsoring Organizations of the Treadway Commission,
assessments, peer group assessments, etc.
September 2004.[Online]. Available at: http://bit.ly/IBxaBp
3.Institute of Internal Auditors, January, 2013. IIA Position Paper: The
Inherent in action planning is the reporting
Three Lines of Defense in Effective Risk Management and Control. [Online].
Available at: http://bit.ly/1g07L2Q
of progress to senior leadership and gov4.KPMG, April, 2011. Risk Management: A Driver of Enterprise Value in the
Emerging Environment.[Online]. Available at: http://bit.ly/186tBPA
ernance. These two levels typically control
5.Peter Tufano, Managing Risk in Higher Education, 2011. Forum Features,
pp. 54-58, Forum for the Future of Higher Education. [Online].
the resources and set the tone, priority, and
Available at: http://bit.ly/1eItPv6
6.PWC, December, 2008. A Practical Guide to Risk Assessment-How a
direction of the organization. Boards have
principle-based risk assessment enables organizations tp take the right
risk. [Online]. Available at: http://pwc.to/1cOnRHJ
responsibility for risk management oversight,
65
Products
2014 Corporate Compliance & Ethics Week
Laws control
the lesser man.
Right conduct controls
the greater one.
Character. . . is a habit,
the daily choice of
right over wrong.
— Charles McMoran Wilson
Ethics is knowing
the difference between
what you have a right to do
and what is right to do.
Success
doesn’t count
unless you earn it
fair and square.
— Potter Stewart
— Michelle Obama
— Proverb (author unknown)
2014-ccew-official-poster.indd 1
9/9/13 2:15 PM
2014-ccew-quotes-posters.indd 1
9/5/13 9:55 AM
9/5/13 9:55 AM
Official Poster
Poster 4-Pack (with removable logo strip)
$6.25 (min. order 5)
$30.00 per 4-pack
Official poster for Corporate
Compliance & Ethics Week:
20" × 28" glossy color poster
9/5/13 9:55 AM
9/5/13 9:55 AM
Four colorful glossy posters, 20" × 28", each showcasing a different ethics message
(4-pack includes one of each poster). Perforated strip along bottom allows easy
removal of Corporate Compliance & Ethics Week logo after the week is over.
6-Piece Screwdriver Set
Case has dual magnetic bit holders
with three Phillips-head and
three flat-head bits; 4 ¼" × 1 ¼" × 5⁄8"
Silicone Awareness Bracelet
7 15⁄16" circumference by ½" high.
$0.50 ea. (min. order 50)
Genuine Bic retractable, soft
rubber-grip pen, black ink.
Jelly-Smacker Stress Ball
Mini Flashlight/Lantern
Note Pad & Sticky Flag Set
3" × 3" white note pad and five
stacks of mixed color sticky flags.
Wide-Body Pen
Semi-solid gel material makes
“smacking” sound when
squeezed; 2 ½" diameter.
Aluminum flashlight with
bright LED bulb; frame extends
to create mini-lantern; 3" × 5⁄8"
FRONT
Metallic Tumbler
Silicone Phone Holder
Stainless steel outer with BPA-free
plastic liner; 15 oz. capacity; screw-on,
leak-resistant slider lid; 8 ½" × 2 7⁄8"
Collapsible stand with sticky
surface holds smart phone
upright; 2 ½" × 4 ¾"
www.hcca-info.org/CandEWeek
BACK
Pre-printed Table Tents
Pre-cut 4" × 6" two-sided
cardstock tent; promotes
simple ways that employees
can make a difference.
Order Deadline April 4, 2014
by Edward L. Vishnevetsky
Medicare gets egg on its face
»» Many providers/suppliers do not appeal Medicare overpayments to federal court.
Edward L. Vishnevetsky ([email protected]) is an Attorney in the
Summary of Elgin lawsuit
Business Litigation section of the Dallas office of Munsch Hardt Kopf & Harr.
In Elgin Nursing Rehabilitation Center v. U.S.
Department of Health and Human Services,1 a landmark case decided in May 2013, the Fifth Circuit
Court of Appeals (Fifth Circuit) addressed the
amount of deference that should be afforded to
the Centers for Medicare & Medicaid Services’
(CMS) interpretation of the State Operations
Manual (SOM), a Medicare Internet-only manual.
The case arose from the Texas Department
of Aging and Disability’s (TDAD) survey of
Elgin Nursing Rehabilitation Center (Elgin
NRC), a long-term care facility in Texas that
participates in Medicare and Medicaid.
During TDAD’s visit, surveyors noticed two
breakfast plates with egg yolk “smeared
around the plate.” TDAD determined that
soft cooked eggs could lead to serious illness
and, therefore, cited Elgin NRC for violating a
federal regulation requiring facilities to serve
food under “sanitary conditions.”
CMS accepted TDAD’s findings and
imposed the following civil monetary penalties
(CMP) against Elgin NRC: (a) a fine of $5,000;
(b) denial of payment for new admissions;
(c) withdrawal of Elgin NRC’s approval to conduct nurse training; (d) and termination of Elgin
NRC’s provider agreement. After a resurvey,
CMS chose to enforce only the CMP fine.
His practice emphasis is on healthcare and commercial litigation.
O
ver the past several years, the
Medicare administrative appeal
process has significantly changed.
Specifically, Medicare contractors are
increasingly applying their own interpretations of vague and ambiguous provisions
in Medicare manuals and policies
when reviewing audits, thus upholding overpayments and making
it difficult for providers to argue
against allegations of lack of medical
necessity. Subsequently, administrative law judges (ALJs) and the
Vishnevetsky
Medicare Appeals Council defer to
the contractors’ interpretations. Most
providers do not appeal the overpayments
to federal court, because of the prohibitive cost of suing the federal government as
well as the prolonged recoupment period,
which may exceed two years before a final
administrative decision is reached. However,
one provider recently pursued an appeal to
federal district court (and beyond), and set
precedent that may change the landscape of
audits going forward.
»» Administrative Law Judges (ALJs) and the Medicare Appeals Council are deferring to RAC, MAC, and ZPIC interpretations and
upholding payment denials.
»» A landmark case in Texas may change the way rules and guidelines in Medicare manuals can be interpreted by federal agencies
and federal contractors.
»» When challenged, the Fifth Circuit Court vacated a sanction against a nursing home, denying deference to CMS and an ALJ’s
interpretations of a Medicare manual rule.
»» The Supreme Court has not ruled on the level of deference a court should give to an agency that interprets manuals and guidelines.
67
An ALJ upheld CMS’s findings and concluded that the CMP was reasonable. The
Medicare Appeals Council affirmed the ALJ’s
decision and Elgin NRC appealed (ultimately)
to the Fifth Circuit.
The Fifth Circuit was charged with determining whether CMS reached the appropriate
decision in its analysis. According to the Fifth
Circuit, CMS applied the following three-step
program:
1. CMS applied a regulation (42 C.F.R. §
483.35(i)(2)) requiring facilities to serve
food under “sanitary conditions.”
2. Because the term “sanitary conditions” is
not defined in the regulation, CMS relied
on a Medicare manual to clarify the term;
specifically, the SOM. Appendix PP to
the SOM requires unpasteurized eggs to
be cooked at “145 degrees Fahrenheit for
15 seconds; until the white is completely
set and the yolk is congealed.”
3. CMS interpreted the semi-colon in
Appendix PP to mean that an egg must
be cooked at 145 degrees Fahrenheit and
the white must be completely set and the
yolk firm, whereas Elgin NRC interpreted
the semi-colon to mean that an egg must
be cooked at 145 degrees Fahrenheit or
the white must be completely set and
the yolk firm.
Whenever a federal agency (i.e., CMS)
interprets a statute or regulation that affects
a provider, and that provider appeals the
agency’s interpretation, a court is left to decide
what level of deference to give the agency’s
interpretation. The Supreme Court has held
that courts should defer to agency interpretations of statutes unless the interpretations are
unreasonable (termed “Chevron deference”2).
However, the Supreme Court has not ruled on
the amount of deference a court should give to
an agency that interprets rules and guidelines.
As such, in this case, the Fifth Circuit was left
to determine what level of deference to give to
CMS’s interpretation of the SOM. CMS argued
that the Court should give “great deference”
to its interpretation of the SOM, but the Fifth
Circuit rejected CMS’s argument.
In its analysis, the Fifth Circuit stated that
“affording deference to agency interpretations of
even more ambiguous regulations would allow
the agency to function not only as judge, jury,
and executioner but to do so while crafting new
rules.” The Fifth Circuit reasoned that adopting
a policy in which agencies, such as CMS, are
allowed to issue ambiguous requirements, and
then create and enforce ambiguous interpretations of those requirements, would foreclose
agency interpretations from judicial review
by “punishing ‘wrongdoers’ without first
giving fair notice of the wrong to be avoided.”
Furthermore, the Fifth Circuit stated that its
refusal to defer to CMS’s interpretation of the
SOM is based on the notion that deferring to an
agency’s interpretations of its own rules would
encourage “the agency to enact vague rules
which give it the power, in future adjudications,
to do what it pleases.” In turn, that would frustrate the notice requirement and would unfairly
surprise the sanctioned party, because the
sanctioned party would not have fair warning
of the conduct a regulation prohibits. For these
reasons, the Fifth Circuit decided not to defer to
CMS’s interpretation of the SOM.
Pursuant to the Fifth Circuit’s refusal to
grant deference to CMS’s interpretation of the
SOM, the Court found that the SOM’s directive was inherently ambiguous, and that CMS
failed to offer substantial evidence that Elgin
NRC had violated the SOM. Therefore, the Fifth
Circuit granted the petition for review and set
aside the finding of a deficiency and the CMP.
Elgin’s Impact on Medicare Part A and B
providers, ALJs, and contractors
The decision in Elgin affects the level of deference a court must give to a federal agency or
Deference to CMS’s
interpretation of its manuals
In Elgin, the Court held that an agency
cannot interpret the ambiguous language
of its own manuals. This outcome is critical,
not only for long-term care facilities, but for
all Medicare providers whose claims are
denied for violations of ambiguous Medicare
manual provisions. For example, the Medicare
Program Integrity Manual (PIM), which outlines standards to be used by CMS contractors
during pre-payment and post-payment audits,
and consequently leads to significant fines and
penalties assessed against Medicare providers, has provisions in it that are vague and
ambiguous. CMS consistently offers its own
interpretation of certain PIM provisions at
ALJ hearings. ALJs commonly defer to CMS’s
interpretation of the provisions, which, in
effect, leads to denied claims, recoupments,
and the imposition of CMPs against the provider. If courts apply the Elgin court’s logic,
ALJs should not, as a matter of course, defer
to CMS’s own interpretation of the ambiguous
provisions of the manuals like the PIM. This
may lead to significantly fewer claim denials,
recoupments, and CMPs imposed against
Medicare providers.
Deference to an ALJ’s
interpretation of CMS manuals
The holding in Elgin should also be applied
to an ALJ’s interpretation of the Medicare
manuals. Although agency manuals are not
necessarily binding, ALJs commonly rely on
these manuals when adjudicating cases. As it
relates to Medicare, an ALJ is an employee of
the United States Department of Health and
Human Services (HHS), an administrative
agency of the federal government. Therefore,
if CMS is prohibited from interpreting agency
guidelines and manuals, other administrative agencies of the government, such as HHS
(and its employees, ALJs), should also be prohibited from interpreting agency guidelines
and manuals.
Deference to Medicare contractors’
interpretation of CMS manuals
Although Medicare manuals were created to
clarify certain Medicare regulations, many
provisions remain vague. As agents of CMS
and HHS, contractors, such as the Medicare
Administrative Contractors (MACs), Recovery
Audit Contractors (RACs), Zone Program
Integrity Contractors (ZPICs), and Quality
Improvement Contractors (QICs) should be
held to the same standard as any agency (or
agent of an agency) regarding the interpretation of an ambiguous Medicare manual
provision. Using the Fifth Circuit Court’s
logic in Elgin, contractors should not be able
to approve or deny claims based on their
interpretation of an ambiguous provision in
a Medicare manual.
Conclusion
Elgin has multiple theoretical and practice
applications, including, but not limited to the
following: If an agency (e,g., CMS, HHS) or
one of its contractors (e.g., ZPIC, RAC, MAC,
QIC, ALJ, etc.) denies a claim, recoups money,
revokes a license, or imposes a CMP against
a Medicare provider (or upholds any of the
preceding actions), based on an interpretation of a vague or ambiguous provision of a
manual (e.g., PIM), and the provider can offer
an alternate interpretation of the provision to
demonstrate compliance with the law, then the
agency’s (or agency contractor’s) interpretation
should be rejected at all levels of administrative appeal.
1.
Elgin Nursing Rehabilitation Center v. U.S. Department of Health and
Human Services. No. 12-60086, 2013 WL 2149873 (5th Cir. 2013).
2.
Chevron v. Natural Resources Defense Council, 467 U.S. 837 (1984).
its contractors when interpreting ambiguous
provisions in a Medicare or Medicaid manual.
69
by Tom Ealey and Marcy Corbat, MHSA
Mandatory compliance
and long-term care: Part 2
»» Long-term care (LTC) facilities need to be intentional and thorough about compliance, just as they have been about performance
and documentation rules.
»» A perfect compliance program is not expected or required, but a good-faith effort to provide quality services and business integrity
is essential.
»» Compliance programs should focus on preventing risks, discovery of existing risks, and mitigation.
»» Improvements in revenue cycle management can offset the cost of maintaining an effective compliance program.
»» An LTC facility must act as a fiduciary for Medicaid residents’ allowed personal funds, in accordance with state law.
Tom Ealey ([email protected]), a Professor of Business at Alma College in Alma, MI
has three decades of involvement in long-term care finance, operations, and
regulatory compliance. Marcy Corbat ([email protected]) is an Administrative
Fellow with the Trinity Health St. Mary Mercy organization in Livonia, MI.
T
he Patient Protection and Affordable
Care Act (PPACA)1 changed the landscape of compliance programs for
skilled nursing facilities (SNFs) and nursing
facilities (NFs), transitioning from an era of
recommended compliance programs into the
era of mandatory compliance programs. SNFs
and NFs must have an effective compliance
and ethics plan in place as of March 23, 2013.
When this article went to press, the regulations defining effective programs had not
been issued, so facilities must use prior official
guidance and known best practices to craft
effective plans.
Compliance finds its origins in, of all
places, the criminal Federal Sentencing
Guidelines (FSG). A notion developed that
a having a good-faith compliance program
would mitigate sentencing recommendations,
and lack of a compliance program signaled
possible bad faith and, therefore, harsher
penalties.
Long-term care has
advantages and disadvantages
Nursing facilities have been doing
compliance work for decades as a
means of surviving micro-regulation,
and the disparate activities were not
necessarily a “program” per se. Longterm care (LTC) facilities were singled
out with specific language in PPACA.2
Compliance programs have normally
focused on billing and transactional
integrity, but LTC is hit with quality
measures as well. LTC facilities need to
be intentional and thorough about compliance, just as they have been about
performance and documentation rules.
Ealey
Corbat
Where to turn for guidance?
The 2000 and 2008 OIG guidance statements
published by the Office of the Inspector General
(OIG) outline the components of a compliance
program and the probable risk areas.3
The 2008 OIG compliance guidance publication lists five operational areas in LTC facilities
that are likely to create compliance risks:
·· Quality of care
·· Submission integrity
·· Anti-kickback violations
·· HIPAA compliance
·· Other risks
residents. Professional provider association
memberships (state and national) are helpful in keeping current, as is the Health Care
Compliance Association.
All of these categories are important, but
quality of care is the most important in LTC.
The required program allows a great deal
of latitude in design and operations (pending
the regulations), and a compliance program
can and should be customized in to fit the size,
resources, and risks of the organization. There
are many sources of policy templates but
“cookbook” compliance programs should be used with
great caution.4
The seven standard OIG
recommendations for compliance plan elements are listed
here, with a cross reference
to the equivalent PPACA
sections:
·· Development of compliance policies and
procedures, including
standards of conduct
[(4)(A)]
·· Designation of a compliance officer and
compliance committee [(4)(A)]
·· Developing open lines of communications
[(4)(D)]
·· Appropriate training and teaching [(4)(D)]
·· Internal monitoring and auditing [(4)(D)]
·· Response to detected deficiencies [(4)(G)],
and
·· Enforcement of disciplinary standards
[(4)(F)]
Compliance is a risk management tool
Risk management focuses on protecting the
organization from unwelcome claims on
assets, including civil litigation and civil and
criminal penalties.
Facilities receive plenty of feedback from
many sources: survey reports, billing rejections, audits, residents’
complaints, and resident
councils, family complaints
and concerns, staff complaints and concerns, and
the general information
stream from provider associations and government
agencies. The facility should
use the feedback to pinpoint
risk areas and to manage
the risks.
Key techniques of risk
management are:
·· first, prevent negative occurrences;
·· second, mitigate the damage from such
occurrences; and
·· third, transfer risk to other parties when
possible (e.g., insurers).
All of these
categories are
important,
but quality
of care is the
most important
in LTC.
Litigation catastrophe
Imagine in 2014 your Medicare and Medicaid
billings for 1999-2003 are declared false claims
by a jury in a civil trial, with the facility
subject to repayment plus triple damages for
violating the False Claims Act. An Illinois
facility is facing just such a scenario.6 Quoting
Regulatory updates are critical. For
example, an updated MDS 3.0 RAI Manual
was published in May 2013, and facilities
should download that manual.5 Minimum
data set (MDS) is a standardized assessment tool for evaluating the physical and
psychological health status of nursing home
Most of your efforts should be focused
on preventing risk events, with the compliance program also focused on discovery and
mitigation.
71
from the civil complaint filed in federal district court:
This is a Qui Tam action brought by
plaintiffs…to recover treble damages and
penalties arising from defendants’ knowing submission of thousands of false
claims to the Medicare and Medicaid
programs for services they purport to provide to residents of Momence Meadows
Nursing Center.
Notice the key terms “knowingly” and
“services they purport to provide.” Providing services is not enough; providing quality services is
required. (Trying to defend what happened ten
or more years earlier is likely to be a nightmare
of fading memories, missing witnesses, and lost
paperwork. What were you doing in 1999?)
Quoting further:
The services provided to the elderly and
disabled residents at Momence Meadows
were so inadequate they were, and are,
tantamount to providing no services at
all or substantially diminished services.
Defendants regularly failed to provide
for basic human needs of their residents,
placing them at substantial and unreasonable risk of harm and resulting in multiple
resident’ deaths, bodily harm and unnecessary pain, suffering, disease and illness.
The complaint specifically alleged that, at
the insistence of management, medical records
were forged and destroyed, false records created,
signatures forged, and staffing sheets falsified.
Management attempted to conceal all of those
documentation changes, which were done in
order to disguise neglect, suffering, and death.
One of the more interesting legal documents
is the subpoena from the Inspector General to
the facility (April 27, 2005). The wide-ranging
subpoena requested thousands of pages of
documents for a six-year period covering all kinds
of business and clinical matters. How well kept
are your record archives? How about backup?
The verdict of $28 million in judgments
against the nursing home was nothing short of
stunning. (We offer no opinion on the merits
of the case or the accuracy of the verdict.) If
there was ever any doubt, an effective compliance program is a must.
What is effective?
The existence of a compliance plan is not
enough, the plan must be effective. What is
effective? There is no set definition, but the
government “knows it when they see it.”
Perfection is not expected or required, but a
good faith effort to provide quality services
and business integrity is expected.
Each facility should have some variation
of a continuous quality improvement (CQI) or
total quality management (TQM) program in
place. If not, why not?
After scanning hundreds of pages of compliance law and expert guidance, we suggest
these standards for “effectiveness:”
·· The compliance program is not a “paper
plan”; the program springs from and reinforces a culture of ethics and quality. The
compliance program is where the culture is
validated and documented.
·· Billing is honest and accurate; billing errors
and omissions are detected and corrected.
·· Billing codes and accompanying information are accurate, neither upcoded nor
downcoded.
·· Billing is followed through, and such
matters as credit balances, refunds, and
repayments to the government are completed promptly and correctly.
·· Government reporting, including cost
reporting, is timely and accurate (in the
case of long-term care, MDS 3.0 and
Resource Utilization Groups [RUGs]
classification as well)
·· Records needed to document clinical
care and financial transactions are accurate, thorough, in proper form, easy to
retrieve, and backed up.
·· HIPAA and all medical records regulations are strictly adhered to.
·· Failures of clinical care and customer service are detected and corrected – every
mistake is a training opportunity.
·· Failures to properly document clinical care
and customer service are detected and corrected. Training ensures no recurrence.
·· Training is regular and thorough, and is
taken seriously from the top to the bottom
of the organization.
·· All transaction are conducted in a legal
and ethical manner, with special attention to the Stark Laws, the Anti-Kickback
Statute, the False Claims Act, etc. The
state laws that mirror
the federal laws are
also followed.
·· Compliance is
cost-beneficial and
improves revenue cycle
management.
·· Senior management and
ownership take seriously
the reports from compliance personnel and
whistleblowers.
clinical follow up) is not being done, the organization is at risk and probably under-performing.
And yes, LTC facility staffs are chronically
overworked and perpetually busy, but “mandatory” is a very clear standard.
The compliance program should formalize
and document work already occurring in the
facility, and should also be used to improve
revenue cycle management. The program can
be cost effective by improving revenue flow.
Building the compliance program
Several areas must be addressed when evaluating the effectiveness of a compliance program.
The costs of compliance
Governance
Compliance is not really about audits and surveys and checklists. Compliance is about ethics
and culture. Implementation must be preceded
by clear signals from
senior management. Those
signals must emphasize
ethics, quality, and compliance with regulations.
A culture of ethics and
quality starts at the top.
Multi-facility groups
have disadvantages and
advantages; the longer
span of control is a disadvantage, the greater
resources of a home
office are an advantage.
Standardization is an
advantage, as long as differences in facilities
can be factored into the work. Small facilities
have the advantage of limited span of control,
but the disadvantage of limited resources and
difficulty with separation of duties.
Compliance programs have costs, but need not
be costly. How does this work?
Much of the work for a compliance program
is already being done or should be. If the work
(e.g., billing review, medical records review,
Sequence
There is no exact sequence for developing (or
updating) a compliance program, but we recommend the following:
Is this list scary?
Everything on the list is
already included in the duties of management.
We have just formalized and documented
the work.
And yes,
LTC facility staffs
are chronically
overworked and
perpetually busy,
but “mandatory”
is a very clear
standard.
73
·· Attain governance buy-in and consensus
from the top of the organization
·· Survey existing compliance program/
self-audit procedures and survey quality
controls
·· Analyze current and potential risk factors
·· Update reference materials and library
materials
·· Prepare a to-do checklist
·· Work systematically from general policies
and procedures through detailed activities
·· Do a consistency check on all policies and
procedures, manuals, training materials,
etc.
·· Begin training and retraining
·· Operate the plan, monitor the results, take
corrective actions, and update the plan
Facing risk
Discovering risk in LTC is easy—walk in the
door and risk factors take your breath away.
There are performance failure risks, regulatory
risk (not always tied to any real failures), and
the administrative risk of operating and billing
in a complex financial environment. Two kinds
of risks should be cataloged and assessed:
(1) the risks all LTC facilities face, and (2) risks
specific to performance issues in each facility.
Facilities have no lack of feedback. Every
negative indicator gives us information on
risk (e.g., incident reports, family complaints,
resident councils, survey reports, billing correspondence, new regulatory efforts) all serve to
scream, “Danger, danger!” Understanding risk
factors allows management to target solutions.
Risks will change over time, both from within
and without, and staying current is important.
We are big believers in checklists—checklists for clinical performance issues and for
business office risks. Checklists facilitate a critical function of LTC management—follow up.
A management note: Employees feel under
siege most of the time, and waving checklists
under their noses does not help. Facilities need
a special kind of management and leadership
that is supportive and visible. A compliance
program should support your employees, not
target them.
Do not forget your state auditors and
regulators. States usually have a more direct
enforcement role in quality of care, and states
are increasingly vigilant as Medicaid costs
weigh on state budgets. States are not always
consistent with the federal government, and
often are not consistent within their own
enforcement operations. Vigilance is required.
Legal counsel
Every LTC provider should have a regular
relationship with legal counsel fully qualified in healthcare regulatory and transaction
law. Counsel should be utilized in compliance
matters when:
·· the program is created and for major
updates and upgrades;
·· the government changes programs, adds
programs, or issues new regulations;
·· specific problems are detected
(e.g., problems requiring self disclosure);
·· whistleblowers exist inside or outside
the organization; and
·· regulators make specific claims
or accusations of bad conduct
(e.g., a problematic survey).
Using existing resources
Most facilities are already doing this work perhaps without calling the work “compliance.”
Most work focused on quality and accuracy
can be integrated into a compliance program.
Review of the revenue cycle should be a
regular management function anyway, and
documenting the work more thoroughly will
integrate it into a compliance program. Most
revenue cycle review focuses on each account
as an individual balance to be billed and collected. Compliance work looks for patterns of
errors and omissions, and areas for further
Policy and procedure
Written policy and procedure (P&P) statements have been a staple of LTC management
for decades, and if anything, administrative
and nursing functions are buried in P&P. All
clinical and financial P&P are effectively incorporated into the compliance program, although
additional policy statements specific to compliance will be required, such as qualifications of
compliance officers, the duties of the compliance officer, whistleblower language, etc.
Policy is a general statement of objective;
procedures are the nuts-and-bolts of implementation. In drafting the statement, be careful with
reading levels, excess jargon and acronyms, and
excessive detail. A Goldilocks standard should
apply to length and detail, not too much, not too
little, but just right. Easier said than done. (The
authors have provided free sample policies at
www.issuu.com. Search “healthcarethinktank”
and open the long-term care stack.)
Policy and procedure are guidance, not
ironclad law. Crises and common sense may
require improvising and even bending the
rules. A fine touch is required to balance
enforcement with reality.
Consistency
All written materials in the facility (e.g., P&P,
training, orientation, forms, etc.) should be
consistent. Some will need to be updated. An
annual update and consistency check is not a
bad idea, considering the changes in healthcare and personnel regulations. Reading and
editing P&P statements is not exciting work,
but it is necessary work.
A schedule can be set within the facility for an annual review, with a piece of the
documentation scheduled for review each
month (e.g., January = employee handbook,
February = medical records policies, etc.).
P&P must also be reviewed whenever there
are major regulatory changes, major operational
changes, and any licensing/certification changes.
Providers should stay close to professional
associations and review current educational
and newsletter materials constantly.
During the adjustment settling-in period,
newly hired administrators and directors
of nursing should scan P&P documents
and other critical documents (i.e., employee
handbook) to achieve a level of familiarity.
A complete review of the structure and history of the compliance plan should be in the
calendar during the first month.
Training
Every involved employee from the CEO on
down must have training in appropriate
compliance topics. The training should be
somewhat customized by employment level
and job description, and when in doubt, too
much training is better than not enough.
HIPAA training and retraining should be
coordinated with general compliance training.
Training need not be long or overly technical. Prepared, organized, and concise training
is a sign of competent management and, more
importantly, a show of respect to employees.
More than retaining all of the compliance
details, employees need to be comfortable looking at situations through a “compliance lens,”
know where to find information, know when to
ask questions and whom to ask, and understand
that asking questions is encouraged conduct.
New employees should receive training
and written materials early on, and continuing
employees should receive training at least once
a year and whenever there are major changes or
additions. Assuming there are at least quarterly
training sessions (and if not, why not?) on various topics. Compliance information and HIPAA
reminders can be worked into the programs.
review. In clinical areas, a facility should be
relentlessly reviewing charts, 24-hour reports,
medicine administration records (MARs), therapy records, etc., for quality control purposes.
75
JOIN HCCA
ON SOCIAL MEDIA
hcca-info.org/hccanet
twitter.com/theHCCA
hcca-info.org/linkedin (GROUP)
hcca-info.org/li (COMPANY)
facebook.com/hcca
hcca-info.org/google
youtube.com/
compliancevideos
WWW.HCCA-INFO.ORG
All training materials and attendance rosters
should be retained for at least seven years.
4.
5.
6.
7.
This is a strict compliance matter, no errors
allowed.
And don’t forget HIPAA
Privacy and security require program development, training, and compliance monitoring.
Whenever possible, incorporate these functions
into an on-going compliance program. The
federal government is becoming much more
aggressive with enforcement and penalties,
and HIPAA compliance must be thoroughly
documented as a separate function, but HIPAA
monitoring can certainly be incorporated into
the general compliance program.
The government does seem to understand
that a nursing home is really a “home” and
a community, and not all standard HIPAA
techniques apply. Depending on governmental
common sense carries its own risk, of course.
1.The Patient Protection and Affordable Care Act (Public Law 111-148)
as supplemented by the Health Care and Education Reconciliation
Act of 2010 (Public Law 111-152)
2.PPACA: Subtitle B, Nursing Home Transparency and Improvement,
Part I, Section 6102
3.Y2008 OIG guidance statement available at http://1.usa.gov/1bbm0x2.
Y2000 OIG guidance statement available at http://1.usa.gov/1gz4fKc
4.See http://go.cms.gov/IGy6oG; http://go.cms.gov/IBGsNS; and
http://go.cms.gov/1bdIVEB
5.Updated MDS 3.0 Resident Assessment Instrument (RAI) Manual
available at http://go.cms.gov/IBH9GY
6.See United State of America and the State of Illinois ex rel v Absher and
Mitchell (whistleblowers) v. Momence Meadows Nursing Center, Inc. et al.
Available at http://bit.ly/19dBm0S
7.Peter Eisler: Thefts from nursing home trust funds target the elderly.
USA Today, October 21, 2013. Available at http://usat.ly/18yA7yT
Resident personal funds
LTC facilities have an issue most other providers do not—resident personal funds. The
facility must act as a fiduciary for Medicaid
residents’ allowed personal funds, in accordance with state law in each state. This is a
strict enforcement area with little flexibility.
The amounts in these accounts are relatively
small, but the fiduciary duty is extremely
strict, with very strong rules against even
accidental co-mingling or accidental use to
purchase items required to be supplied by
the facility. Small fiduciary errors in LTC
get more attention than huge errors in the
financial markets. Not only must you answer
to the resident, but also, on occasion, to family
members, ombudsmen, Medicaid auditors,
Medicare auditors, probate courts, and state and
federal surveyors. In October 2013, USA Today
published two scathing articles on failures of
long-term care facilities to protect and account
for resident personal funds.7
Each facility administrator and business
manager must be fully aware of the general
federal requirements and the very specific
state regulations for these funds. Procedures
must be thorough and must be followed in
excruciating detail.
Some important operational rules are:
1. Keep funds separated from all other
facility accounts.
2. Keep the funds in interest bearing
accounts, even if the funds fall below
the mandated minimum, and prepare a
spreadsheet to allocate interest.
3. Be certain purchases do not cover items
to be purchased by the facility. When in
doubt, reimburse the resident account.
Residents do have the right to personal
preference, so if the facility provides soap
and shampoo, the resident does have the
right to purchase a different product with
personal funds.
Accounting must be hyper-meticulous,
even for minor purchases.
Keep the records for at least seven years,
including receipts for $2.00 purchases.
Limit access to the funds and review the
records at least monthly.
Keep appropriate family members, powersof-attorney, and guardians informed.
77
Update Your HIPAA Training with:
HIPAA
Rules &
Compliance
A DVD produced by DuPont Sustainable Solutions
The Health Insurance Portability and Accountability Act (HIPAA) has undergone several modifications
since its enactment in 1996, from the Genetic Information Nondiscrimination Act (2010) to the HITECH Act.
Recently, the Department of Health and Human Services issued the HIPAA Omnibus Rule to revise,
enhance, and strengthen HIPAA yet again.
With these layers of changes,
how can employees know what has stayed
constant, expanded, or altered altogether?
And how does this new rule impact your
compliance strategies?
HIPAA Rules & Compliance, a 15-minute DVD, reviews basic,
unchanged requirements, qualified standards,
and the latest critical changes.
Its learning objectives:
• Identify the requirements
of the HIPAA Privacy rule
• Identify the requirements
of the HIPAA Security rule
• Recognize the HIPAA Breach
Notification requirements
Includes
electronic
leader’s
guide
• Understand how HIPAA is enforced
and the penalties for non-compliance
265 for HCCA members | $295 for non-members
$
www.hcca-info.org/duphipaadvd
by Lester J. Perling, Esq., CHC
Overpayments and other
common reasons for denial of
Medicare enrollment: An update
»» An individual or entity on a Medicare-approved payment plan will not be denied Medicare enrollment for an overpayment of
$1,500 or more.
»» A partial owner with an overpayment will not preclude Medicare enrollment for the provider.
»» A sole proprietor physician may not re-enroll in Medicare under a different name to avoid overpayment liability.
»» The rule on enrollment denials based on overpayments applies only to physicians, practitioners, and owners.
Lester J. Perling ([email protected]) is a Partner with the
Fort Lauderdale office of Broad and Cassel.
O
Perling
n October 17, 2013, the Centers for
Medicare & Medicaid Services (CMS)
revised the MLM Matters article
Enrollment Denials When Overpayment Exists.1
The revision clarifies/modifies some of the
issues discussed in the article Overpayments
and Other Common Reasons for Denial
of Medicare Enrollment that was published in the November 2013 issue
of Compliance Today. That article
addressed the denial of a provider’s
Medicare
application if
one of the current owners
with a partial ownership interest has an
outstanding overpayment. However, the
MLM Matters article clarifies that if a physician with an unpaid overpayment is a partial
owner of a provider that submits a Medicare
provider application for new enrollment or
change of ownership, then a denial of the
application is not warranted. Additionally,
the MLM Matters article also clarifies that
a Medicare provider application will not
be denied if the individual or entity is on a
Medicare-approved payment plan. See below
for more examples.
Pursuant to 42 F.C.R. 424.530(a)(6), CMS
may deny a Medicare enrollment application
if the current owner of the applying provider
or supplier—or the applying physician or
non-physician practitioner—has an existing
or delinquent overpayment that has not been
repaid in full at the time the application was
filed.2 An overpayment
is a Medicare payment
that a provider or supplier has received in
excess of the amounts
due and payable under
the statute and regulations, and is considered
a debt owed to the United States government.
The Medicare administrative contractor will
review a Medicare provider/supplier enrollment
application to determine if the applicant has an
…[an] application will not
be denied if the individual
or entity is on a Medicareapproved payment plan.
»» Compliance officials must stay informed to keep up with the ever-changing regulatory environment.
79
From the Society of
Corporate Compliance and Ethics:
Establish a career where you can
MAKE A DIFFERENCE
“This book is an immensely
valuable contribution to the field.
It will not only help guide a new
generation of compliance and
ethics officers through the many
professional challenges that
await them, but will also provide
considerable useful insight and
know-how to their experienced
counterparts.”
— Jeffrey M. Kaplan
Partner, Kaplan & Walker LLP,
a compliance law firm; former program
director of the Conference Board’s
Business Ethics Conference
An authoritative, step-by-step guide to entering
one of the fastest growing fields in the business world
To order, visit www.hcca-info.org/books or call 888-580-8373.
These clarifications reduce the potentially
negative impact of the existing rule. The fact
that this article had to be updated so quickly
after its publication reflects the rapidly
changing regulatory environment in which
compliance professionals must exist and stay
informed. A ceaseless effort!
1.Department of Health and Human Services, Centers for
Medicare & Medicaid Services: MLN Matters®: “Enrollment
Denials When Overpayment Exists.” Oct. 17, 2013. Available at
http://go.cms.gov/18hYZVQ
2.42 C.F.R. § 424.530(a)(6).
SCCE/HCCA 2013–2014 BOARD OF DIRECTORS
EXECUTIVE COMMITTEE
John Falcetano, CHC-F, CCEP-F, CCEP-I, CHRC, CHPC, CIA, CICA
SCCE/HCCA President | Chief Audit/Compliance Officer, Vidant Health,
Greenville, NC
Gabriel L. Imperato, JD, CHC
SCCE/HCCA Vice President | Managing Partner, Broad and Cassel,
Fort Lauderdale, FL
Sara Kay Wheeler, JD, CHC
SCCE/HCCA Second Vice President | Partner, Attorney at Law, King & Spalding,
Atlanta, GA
Urton Anderson, PhD, CCEP
SCCE/HCCA Treasurer | Director, Von Allmen School of Accountancy,
Gatton College of Business and Economics, University of Kentucky
Robert H. Ossoff, DMD, MD, CHC
SCCE/HCCA Secretary | Special Assistant to the Vice-Chancellor for
Health Affairs, Vanderbilt University Medical Center, Nashville, TN
Shin Jae Kim
SCCE/HCCA Non-Officer Member of the Executive Committee | Partner,
TozziniFreire Advogados, São Paulo, Brazil
Shawn Y. DeGroot, CHC-F, CCEP, CHRC
SCCE/HCCA Immediate Past President | Associate Director, Navigant Consulting,
Denver, CO
EX-OFFICIO EXECUTIVE COMMITTEE
Roy Snell, CHC, CCEP-F
Chief Executive Officer, SCCE/HCCA, Minneapolis, MN
Keith Halleland, Esq., CCEP, CHC
SCCE/HCCA Legal Counsel | Halleland Habicht, PA, Minneapolis, MN
BOARD MEMBERS
Deann M. Baker, CHC, CCEP, CHRC
Sutter Care at Home Compliance Officer, Sutter Health, Fairfield, CA
Margaret Hambleton, MBA, CPHRM, CHC, CHPC
Senior Vice President, Ministry Integrity, Chief Compliance Officer,
St. Joseph Health System, Orange, CA
Debra Hinson, MBA, RRT, CHC, CCEP, CHRC
President & CEO, Compliance Consultants, Inc., Mineral Bluff, GA
Robert A. Hussar, JD, CHC
Counsel, Manatt, Phelps and Phillips, Albany, NY
Jenny O’Brien, JD, CHC, CHPC
Chief Medicare Compliance Officer, UnitedHealthcare Medicare & Retirement,
Minnetonka, MN
Daniel Roach, JD
General Counsel, Optum360º, San Francisco, CA
Frank Sheeder, JD, CCEP
Partner, Attorney at Law, DLA Piper, Dallas, TX
Lori Strauss, RN, MSA, CPC, CPC-H, CHC, CHP, CHPC
Chief Corporate Compliance & Privacy Officer, University of Virginia Health
System, Charlottesville, VA
Debbie Troklus, CHC-F, CCEP-F, CHRC, CHPC, CCEP-I
Managing Director, Aegis Compliance and Ethics Center, Chicago, IL
Sheryl Vacca, CHC-F, CHRC, CCEP, CHPC, CCEP-I
Senior Vice President and Chief Compliance and Audit Officer, University of
California, Oakland, CA
Art Weiss, JD, CCEP-F, CCEP-I
Chief Compliance & Ethics Officer, TAMKO Building Products, Inc.
existing or delinquent overpayment. The application will be denied if an owner, physician, or
non-physician practitioner has an overpayment
of $1,500 or more. However, if an individual or
entity is on a Medicare-approved repayment
plan, or if the overpayment is either being
offset or appealed, the application will not be
denied based on the above provision.
The following are examples from CMS
of how an unpaid overpayment would affect
an applicant:
·· A doctor whose practice is set up as a sole
proprietorship and who incurs an overpayment and subsequently terminates his
Medicare enrollment, cannot later attempt
to enroll as a sole proprietorship under a
new practice name, because the overpayment attached to him as a sole proprietor.
·· If the same doctor in the example above
later attempts to enroll as an LLC with a
different practice name, of which he is only
a 30% owner, then a denial of the application is not warranted, because the provision
applies to “all” owners collectively, and the
overpayment is attached only to the doctor.
·· Similarly, if a hospital with an unpaid
overpayment terminates its enrollment
agreement and later opens under a new
name and submits a new application,
then a denial of the application is not warranted, because the provision only applies
to physicians, practitioners, and owners.
81
Congratulations,
newly certified designees!
Achieving certification required a diligent effort by these individuals. Certified individuals promote organizational
integrity through the development and operation of effective healthcare compliance programs.
Certified in Healthcare Compliance (CHC)
®
Marcela Alaniz
Stephanie Baker
·· Lori L. Beckmann
·· Julie H. Boerger
·· Janet Bolstad
·· Malayan D. Boyd
·· Amanda J. Braxton
·· David A. Brown
·· Natalie Bulger
·· Brett Burrell
·· Jeremy Shane Campbell
·· Edward G. Case
·· Stacey Cassaday
·· Sonya Castro
·· Bonita Cooper
·· Neal Cooper
·· Jarred D. Corum
·· William D. Cundiff
·· James M. Cussins
·· Rick Dodds
·· Brandy Dowdy
·· Nancy E. Eberhard
·· Derek C. Eiri
·· Sanga B. Emmanuel
·· Jayne Fleck Pool
Oliviya N. Floyd
Brandy Fournet
·· Vickie C. Futrell
·· William P. Gedman
·· Rani Gill
·· Gagan Grewal
·· Matthew J. Hammond
·· Kathleen M. Harkness
·· Ryan C. Harper
·· Kathy M. Harris
·· Veronica R. Harris
·· Lisa S. Harrison
·· Becky Hartless
·· Amy R. Hendrix
·· Jeannie J. Hoover
·· Terry Hu
·· Michelle Jenson
·· Julianne Johnson
·· Colleen M. Kelly
·· Purvi S. Khare
·· Htwe K. Khin
·· Leslie A. King
·· Mary L. Kuffner
·· Kristina Lee
·· Robert J. Liskey
Barbara Malone
Danette Manzi
·· Marianna Martinez
·· Bobbi J. McColley
·· Stephanie K. McDonald
·· Brenda McMillin
·· Kendall B. Miller
·· Robert C. Miller
·· Debra Mussen
·· Dinah Myers
·· Amber Nicholson
·· Michele Nielsen
·· Richard J. O’Block
·· Tonya Okon
·· Tracy Patterson
·· Cheri Pfannes
·· Dustin Plumadore
·· Sandra G. Pudinas
·· Rory Rahn
·· Tanisha Raiford
·· Michael Rose
·· Brenda Ross
·· Shawna Russell-Young
·· Theresa R. Schaefer
·· Sherri A. Schenk
Trisha Schock
Sara M. Schroeckenthaler
·· Michael A. Smith
·· Andrew W. Smith
·· Linda Steward
·· Laurel A. Stoimenoff
·· Jennifer L. Strickland
·· Patrick Sulzberger
·· Michael V. Ta
·· Kori L. Taylor
·· Alicia O. Temoche
·· Diana Thomas
·· Andrei Trifonov
·· April Vogel
·· Rebecca Wahler
·· Amanda Ward
·· Lori Weigel
·· Erinne A. Wells
·· Beverly A. Welshans
·· Richard W. Westling
·· Anthony T. Williams
·· Phyllis Wilmoth
··
··
··
··
··
··
··
··
Certified in Healthcare Research Compliance (CHRC)
®
··
··
Zuraya Aziz
Aurea M. Flores
··
··
Sherri A. Matthews
Sharon S. Parsley
··
Kyle R. Weller
Certified in Healthcare Privacy Compliance (CHPC)
®
··
··
Steven R. Baruch
Karin M. Butikofer
··
··
Tony M. Krawat
Nisha Nair
··
··
Rebecca Wahler
Wendy P. Wright
CCB offers these certifications: Certified in Healthcare Compliance (CHC),
Certified in Healthcare Compliance Fellow (CHC-F), Certified in Healthcare
Research Compliance (CHRC), and Certified in Healthcare Privacy Compliance
(CHPC). To learn more, please contact us at ccb @ compliancecertification.org,
visit www.compliancecertification.org, or call 888-580-8373.
®
®
82
Want to become
Certified in Healthcare
Compliance (CHC) ?
®
BE RECOGNIZED for your experience and knowledge!
The Certified in Healthcare Compliance (CHC)
designation demonstrates expertise in the
healthcare compliance field. Earn yours today:
®
• Meet eligibility requirements in both
work experience and continuing education
• Pass the CHC exam
• Maintain your designation by earning
Questions? Contact
ccb @ compliancecertification.org
approved continuing education units
For more details on earning and maintaining this
designation, please find the CHC Candidate Handbook
or other information at www.compliancecertification.org
under the “CHC” tab.
HCCA welcomes NEW MEMBERS
ALABAMA
GEORGIA
Jaima Binzer
·· Dave Dombrosky, Stratus Orthopedic Supply, Inc
·· Denise Moore, HealthSouth Corporation
··
··
ALASKA
··
··
Altagracia Hodgkins, Anchorage Community Mental Health Services
Ken Howell, Anchorage Community Mental Health Services
ARIZONA
Megan King, CVS Caremark
Elizabeth Montemayor, Banner Research
·· Nora Navarro-Hernandez, CODAC Behavioral Health Services, Inc
·· Ryan Roberts, Phoenix Children’s Hospital
·· Jennifer Schulte, Northern Arizona Health Care
··
··
CALIFORNIA
Neslihan Akbas, Sutter Health System Office
Gabrielle Ault-Riche, Health Plan of San Mateo
·· Lindsey Barr, Clinica Msr. Oscar A. Romero
·· Odalis Bigler, San Francisco Health Plan
·· Brendamarie Curtis, Kaiser Permanente
·· Nicolle Ealey, Pacific Medical Management
·· Kimberly Gillespie, University of California, San Diego
·· Amy Guardino, Good Samaritan Hospital
·· Steve Hack, Pacific Medical Management Services, Inc
·· Sara Love, Memorial Care Health System
·· Maninder Madan, Kidney Center, Inc
·· Barbara McClung, Dell for DCHS
·· Janet Meredith
·· Virginia Razo, Tahoe Forest Hospital District
·· Sandra Toledo, Western Medical Center Business Office
·· Regina Wong, Carrington College California
·· Seth Zajac, Sovereign Health Group
··
··
COLORADO
··
··
Greg Ahern, Catholic Health Initiatives
Thomas Loff, East Morgan County Hospital
FLORIDA
Renee Baine, Jackson Health System
·· Lloyd Chesney, MDLIVE
·· Joy Easterwood, HealthPlan Holdings, Inc
·· Julie Gallagher, Akerman Senterfitt
·· Jenny Groves, Physicians Independent Management Services, Inc
·· Alan Heck, JKM Healthcare Consultants, LLC
·· Khalelah Jones, Halifax Health
·· Brittany Juliachs, Health Care 2000, Inc
·· Susan Kennedy, Lee Memorial Health System
·· Donna Loyko, Cornerstone Hospice
·· Niurka Manzano, University of Miami
·· Luis Martinez, Jackson Health System
·· Nancy McGovern, Lee Memorial Health System
·· Julianne Mesa, Suncare Respiratory Services
·· Sherry Moore
·· Kevin Newman, Flagler Hospital
·· Joel Perales, McKesson Medical – Surgical
·· Victoria Prescott, McBroom Consulting, LLC
·· Monica Rodriguez, Allied Orthopedics
·· Julie Sager, Rose Radiology
·· Cara Sansonia, The Sansonia Law Firm, PL
·· Amber Thomas, Jackson Health System
··
Tashaleema Avery, DaVita
Kristi Ford, Delta Dental Insurance Company
·· LaWanda Gray, Columbus Regional Healthcare System, Inc
·· Susan Hurley, South Georgia Medical Center
·· Wanda Kemp, Centene Corporation
··
HAWAII
Carl Kim, Better Care Inc
Christine Kim, Better Care Inc
·· Lauren Kwak, University Clinical, Education & Research Associates
··
··
ILLINOIS
Jodie Carey, SIU School of Medicine
Yolanda Davis, Hospice of Kankakee Valley
·· Lee Forth, Banner Health
·· Kristin Kurczewski, Centegra Health System
·· Marilu Luna, University of Illinois at Chicago
·· Timeka Russell, Rockford Memorial Hospital
··
··
INDIANA
Meghan Faherty, Byron Health Center
Kristine Georges, The Heart Hospital at Deaconess Gateway
·· Norma Gilbert, Indiana University Health Arnett
··
··
KANSAS
··
Alex Moseley, Via Christi Health
KENTUCKY
··
Katrina Howard, Pathology & Cytology Laboratories, Inc
LOUISIANA
··
··
Christine Goletz, Ochsner Health System
Mary Lapworth
MARYLAND
··
··
Jane Andrews, Aetna
Stacey Wolff, Myers & Stauffer, LLC
MASSACHUSETTS
David Abelman, DentaQuest, LLC
Heidi Batista, Therapy Resources Management
·· Craig Bennett, Children’s Hospital Boston
·· Nancy Eddy, Fresenius Medical Center
·· Kirsten Mayer, Ropes & Gray LLP
·· Tammy Richardson, The MENTOR Network
··
··
MICHIGAN
··
··
Christina Flint, Diplomat Specialty Pharmacy
Diana Napoleon, eHealth
MINNESOTA
Elise Brown, Geraghty, O’Loughlin & Kenney, PA
Jennifer Forcier, Sibley Medical Center
·· Barry Marston, Quadris Medical
·· Twila Neset, Migrant Health Service Inc
·· Tiffany Schmidt, St Cloud Hospital
··
··
MISSISSIPPI
··
Heather Muzzi, Mid South Rehab Services
HCCA | The Association for Health Care Compliance Professionals
MISSOURI
PENNSYLVANIA
Garrett Jackson, Thompson Coburn LLP
·· Elizabeth Parker, Management Performance Associates, Inc
·· Margaret Scavotto, Management Performance Associates, Inc
·· Janie Smith, Reliant Care Rehabilitative Services
··
MONTANA
··
Stacey Bradley, Kalispell Regional Healthcare
Patrick Carone, DNA Advanced Pain Manangement
Jamie Kauwell, Geisinger Health System
·· Daryl Marks, Asbury Heights
·· Brennan Martin, St. Luke’s University Health Network
·· Michael Onusko, Southwest Regional Medical Center
·· Andrea Riccelli, St. Lukes University Hospital
··
SOUTH DAKOTA
NEBRASKA
··
Amy Bones, Children’s Hospital & Medical Center
·· Delinda Lampe, Catholic Health Initiatives
·· Kris Maples, Hillcrest Health Services
··
··
NEW JERSEY
··
··
Lynne Koller, Raritan Bay Medical Center
Clifford Simmons, Baratz & Associates, PA
NEW MEXICO
··
Purvi Mody, University of New Mexico Hospitals
NEW YORK
Lesli Giglio, St. Francis Hospital
·· Sharon Gobbi, Prime Choice Healthcare
·· Yasmine Gourdain, Bronx Lebanon Hospital Center
·· Rose Harper
·· Maura McGrath, Amida Care
·· Christal Montague, Services for the Underserved
·· Ellen Redling, NYS Office for People With Developmental Disabilities
·· Joseph Samet
·· Linda Spas, Rochester Rehabilitation
·· Josephine Tramontana, Sunrise Adult Day Health Care Center
··
NORTH CAROLINA
Wanda Wahl, Regional Health
TENNESSEE
Jennifer Baldock, Symbion, Inc
Amy Campbell, University of Memphis
·· Stephanie Ellis, Ellis Medical Consulting, Inc
·· Carol Hanschke, OrthoLink Physicians Corp/USPI
·· Donna Hinton, Community Health Systems
·· Zena McConnell, USPI
·· Kathryn McManus, Take Care Health Systems
··
TEXAS
Yvonne Ervin, First Continental Life and Accident Insurance Company
Randy Langenderfer, Baylor College of Medicine
·· Annette McGee, APM Compliance LLC
·· Anne Mercer, Universal American Corp
·· James Peacock
·· Ed Schreibman, Expert Global Solutions
·· Belinda Simpson, Victory Healthcare
·· Cindy Smith, Texas Tech University Health Sciences Center
·· John Steen, MB2Dental Solutions
·· Earnesta Taylor, Leonce-Taylor & Associates, PLLC
·· Joseph Wardlow, Memorial Hermann Health System
·· Wollard, Victory Healthcare
··
··
··
VERMONT
··
··
David Baxter, Sumrell Sugg
Canelia Blackwell, OptiCare Managed Vision
·· Lyn Lyman, Health Systems Management
·· Selenna Moss, Partners Behavioral Health Management
·· Cheryl Scharoun, Rytes Company
·· Shelley Scott, Paragon Revenue Group
OHIO
··
Michelle Cordeiro, Rutland Regional Medical Center
Marny Krause, Southwestern Vermont Health Care
VIRGINIA
··
··
Toni Burton, VCU Health Systems
Aaron Goldstein, Xicon Solutions, LLC
··
WASHINGTON
··
··
James Bosse, Graceworks Lutheran Services
Shakeba DuBose, The DuBose Law Firm, LLC
·· Linda Fowler, Digestive Specialist Inc
·· Kellie Hall, Akron General Medical Center
·· Alexis Johnson
·· Chad Ross, Mary Rutan Hospital
·· Alana Rothman, WellPoint
·· Michelle Smith, SummaCare, Inc
Lori Giesen, Molina Healthcare of Washington
Erin Jones, Riverview Retirement Community
·· Tania Mazumdar, UW Medicine Compliance
·· Holly Remington, Prestige Care, Inc
·· Adam Romney, Davis Wright Tremaine
·· Theresia Russell, Pacific Rim Outpatient Surgery
·· Amy Wolff, Southlake Clinic
··
OKLAHOMA
WISCONSIN
Angela Fernow, LMH Development, LLC
·· Dawn Lantero, Integris Health
·· Diane Medders, GlobalHealth, Inc
··
··
OREGON
Chelsea Bill
Steven Rinkle, Pacific Retirement Services, Inc
·· Sue Xiong, Salem Hospital
Beverly Frase, Mayo Clinic Health System
Catherine Maurice, Children’s Hospital of Wisconsin
·· Jennifer Rutkowski, Grant Regional Health Center
·· Paul Triezenberg, ThedaCare
··
··
··
WASHINGTON DC
··
Kimberly Bradford, Heartland Fidelity
PUERTO RICO
··
Nilda Albizu, St. Lukes Episcopal Church Home Care Program
··
85
2013 Index
Accreditation
·· Self-inspection: Empower your personnel, assess inspection readiness,
and satisfy requirements. May, p. 69; E.J. Waterhouse, C. Copie
ADA/Discrimination
·· Surviving the ongoing focus on medical necessity and short stays.
June, p. 56; K. Sauders, C. Golden, N.T. Perilstein, J. Haller
·· ICD-10: Payer and provider implementation strategies. June, p. 67;
S. Haseley, J. Strauss
·· Are you wasting time with appeals? August, p. 49; M. Howe
·· Compliance officers’ newest challenge: HIV discrimination.
August, p. 55; G. Nowakowski, T. Mantese
·· Recent settlements should compel provider review of ADA auxiliary aid
compliance. December, p. 71; R.V. Bachman
·· Medicaid vs. Medicare claims audit appeals: A road less clear.
October, p. 27; C.M. Dorfschmid, L. Shuman
Auditing and Monitoring
·· Structuring the Chief Ethics and Compliance Officer position: Frequently
asked questions. January, p. 39; D. Boehme
·· Five guidelines for a compliant shared savings arrangement.
January, p. 59; A. Higgins
·· Compliance challenges: Lessons from Oregon’s Coordinated Care
Organizations. February, p. 39; A. Beidler
·· Compliance as an opportunity for growth. March, p. 27; R.E. Powers
·· HIPAA audits: Are you ready? January, p. 69; R. Bowen
·· Taking the mystery out of RAT-STATS: Simplified approach.
April, p. 47; M. Wagonhurst
·· OIG’s updated Provider Self-Disclosure Protocol: Sampling and
overpayment extrapolation. August, p. 27; C.M. Dorfschmid
·· Audit Committee’s role in compliance. November, p. 23; K. Nueske
·· Compliance officer and the audit committee: Building an effective
relationship. December, p. 23; S. Forman
Behavioral Health
·· Changes in community mental health center scrutiny. January, p. 77;
S. Nance
Book Review
·· Changing minds, including your own (Switch: How to Change Things
When Change is Hard by Chip Heath and Dan Heath). March, p. 49;
A. Turteltaub
Bullying
·· Handling conflicts or bullying. July, p. 21; S. DeGroot
·· Beyond the schoolyard: Workplace bullying. September, p. 47; J. Dade
CMS/OIG
·· OIG 2013 Work Plan sheds light on new compliance projects: Part 1.
January, p. 25; N. Lacktman
·· OIG 2013 Work Plan sheds light on new compliance projects: Part 2.
February, p. 25; N. Lacktman
·· Physician-owned distributors drawing scrutiny: 2013 OIG Work Plan
includes PODs. March, p. 57; M.T. Morrell
·· How does your RAC stack up? May, p. 31; J.T. Lundy
·· Clinical co-management arrangements: The OIG speaks. May, p. 63;
C. Oppenheim, S. Krul
·· RAC update. June, p. 80; J. Lundy
·· OIG’s updated Provider Self-Disclosure Protocol: Sampling and
overpayment extrapolation. August, p. 27; C.M. Dorfschmid
·· OIG issues updated guidance on exclusion: What it means for providers.
October, p. 41; L.J. Perling
·· Overpayments and other common reasons for denial of Medicare
enrollment. November, p. 35; L.J. Perling
Compliance
TODAY
Compliance
·· What every compliance officer should know about payment changes for
2013. April, p. 22; J.A. Anderson, J.T. Van Leer
·· STARK 101: Essential questions for every Stark analysis. May, p. 55;
D.Z. Bartlett, B.M. Smyer
·· Conflict of interest management after the Physician Payment Sunshine
Act. June, p. 73; L. Goldman
·· After an allegation: Conducting an effective, efficient internal
investigation. July, p. 38; R. Cepielik, M. Little, G. Garrison
·· Should readmissions be on a compliance officer’s radar? August, p. 4;
M. Reizen
·· Compliance officers’ newest challenge: HIV discrimination.
August, p. 55; G. Nowakowski, T. Mantese
·· How to avoid the CIA: The high price of non-compliance.
September, p. 23; G. Goodman
·· After the investigation: What do you do when you are done?
September, p. 31; M.C. Bloch
·· Compliance officers: Is your organization ready for The Sunshine Act?
September, p. 42; T. Mantese, C. Laney, A. Varbanov
·· Be part of the solution: Stop medical identity fraud. October, p. 47;
M. Janiga
·· Finding your Snowden: Identifying insider threats by employees and
contractors. October, p. 53; A. Greene
·· Immigration compliance: A stealth risk management concern for
healthcare employers. November, p. 45; R. Groban, Jr., C. Silie
·· The Stark road ahead: A roadmap for providers. December, p. 65;
D.Z. Bartlett, B.M. Smyer
Compliance 101
·· Developing an effective compliance training program. January, p. 81;
R. Crosby
·· Making a difference with Value Based Purchasing. March, p. 61;
P. Kennedy
·· What Corporate Integrity Agreements reveal. November, p. 67;
L.G. Angus, K. Sigler
·· Recent settlements should compel provider review of ADA auxiliary aid
compliance. December, p. 71; R.V. Bachman
Coding, Billing, and Claims
Compliance Program
·· Coding and documentation crimes: Are you a suspect? January, p. 63;
G. Dixon
·· Systemic issues in claims submission: CMS, Medicare contractors,
and providers. February, p. 65; S. Nance
·· The risk of improper billing. April, p. 33; D. Piatt, K. Willenberg
·· Ingredients for establishing compliance best practices. March, p. 37;
A. Finkelstein
·· Compliance programs for cost-conscious physician groups.
March, p. 43; B. Chung
·· Project management methodologies for an effective compliance
program. June, p. 53; B. Santo
·· Putting “effective” into your compliance program implementation is
more than a word. August, p. 44; K.R. Taylor, S. Blackwood
·· Fostering a culture of compliance: Taking your program to the next
level. September, p. 51; J. Hogarth
·· Anatomy of an overpayment: What providers need to know now.
April, p. 53; J.M. Kreisel
·· Billing compliance under the Incident To provision: What’s the risk?
June, p. 39; K.C. Loya, C. Friederich
2013 Index
·· Why monitoring use of antipsychotics is a compliance function.
September, p. 39
·· Hospital readmissions and discharge planning: Part 1. October, p. 51
·· Discharge planning, Part 2: The patient/resident ping-pong effect.
November, p. 43
·· What did we do to deserve this? December, p. 47
Corporate Compliance & Ethics Week
·· Celebrating Corporate Compliance & Ethics Week. December, p. 16;
N. Gordon
·· Compliance is sweet! December, p. 63; C.E. Murray
Electronic Health Record
·· The data breach dilemma: Steps providers can take to secure PHI and
EHR. May, p. 49; L.F. Bruno
·· An enterprise-wide approach to PHI disclosure management.
July, p. 53; D. Hardwick
Exhale by Shawn DeGroot
·· A retail perspective. January, p. 23
·· The Rat Pack. February, p. 23
·· Southern hospitality. March, p. 19
·· ACOs: Process vs. regulation. April, p. 21
·· Mindfulness. May, p. 23
·· Don’t judge a book by its cover. June, p. 25
·· Handling conflicts or bullying. July, p. 21
·· Journal of a compliance officer. August, p. 25
·· Preparing for a blitz. September, p. 21
·· Common sense with HIPAA and disasters. October, p. 25
·· Sphere of influence. November, p. 21
·· Digital asset risk assessments. December, p. 21
Feature Interview
·· Meet Art Weiss. January, p.18; J. Falcetano
·· Meet Lew Morris. February, p. 18; G. Imperato
·· Meet Donna Abbondandolo. March, p. 16; D. Hinson
·· Frank Sheeder’s commitment to compliance certification. April, p. 16;
R. Snell
·· Meet Scott Killingsworth. May, p. 16; E. Newman
·· Meet Tessa Lucey. June, p. 16; M. Hambleton
·· Meet Stephen Kiess. July, p. 16; J. Falcetano
·· Meet Mark Leep. August, p. 20; D. Hinson
·· Meet Ted Doolittle. September, p. 16; S. DeGroot
·· Meet Loretta Lynch. October, p. 16; A. Turteltaub
·· Meet HCCA’s summer interns. November, p. 16; B. Matthiesen
·· Celebrating Corporate Compliance & Ethics Week. December, p. 16;
N. Gordon
Government/Enforcement/Regulation
·· New developments in the Department of Justice’s national ICD
investigation. February, p. 43; B.M. Smyer
·· What constitutes “reckless disregard” under the FCA. March, p. 21;
M. Matthews, A.J. Richlin
·· Avoiding the mourning after: Minimizing FCPA risk of pass through or
successor liability. March, p. 31; P. Pelletier, N. Fischman
·· First settlement for a smaller HIPAA breach. April, p. 59; S.H. Salimone
·· The Lilly FCPA enforcement action: Key lessons learned. May, p. 43;
T. Fox
·· Don’t fear the Sunshine (but wear your sunscreen). July, p. 22;
M.B. Langowski, K.E. Ratcliff, R.J. McKnight
·· Responding to technical violations of the Stark Law. July, p. 57;
R.A. Wade, M.T. Morrell
·· The ACA and lessons from the Quality Corporate Integrity Agreements.
July, p. 63; A.D. Stegemann
·· Dealing with an even more aggressive year of enforcement.
August, p. 37; B.G. Flood
·· Sixth Circuit Court of Appeals limits the reach of the False Claims Act.
August, p. 41; G. Imperato, S. Mankodi
·· The not-so-usual suspects: Four laws that may impact your compliance
focus. September, p. 26; L.J. Acevedo, B.B. Heger
·· Government targets healthcare for disability violations.
September, p. 35; K.R. Glickstein
·· Compliance officers: Is your organization ready for The Sunshine Act?
September, p. 42; T. Mantese, C.J. Laney, A. Varbanov
·· Sunshine Act reporting: Minimizing consulting and royalty payment
risks. October, p. 35; S. Kravetz
·· DOJ seeks reversal of decision that could significantly impair False
Claims Act enforcement. November, p. 39; A.S. Lurie, J.L. Avergun
·· Health Insurance Exchanges: What they are and what they change.
November, p. 51; S. Swank
·· Could your healthcare organization be a federal contractor?
November, p. 59; T. Blair
·· Physician-owned entity fraud alert: Hospital compliance officers take
note. December, p. 36; T. Bulleit, E. Andonova, N.D. Morris
HCCA
·· Letter from the President: Year in review. January, p. 3; S. DeGroot
HIPAA/HITECH
·· HIPAA audits: Are you ready? January, p. 69; R. Bowen
·· Regulatory pressures and patient privacy concerns: Adopting more
encompassing strategies. February, p. 57; K. Long
·· HIPAA enforcement: A practical checklist for breach incidents.
March, p. 51; J.D. Hogarth
·· To be—or not to be—a business associate. April, p. 39; M.A. Knutson
·· Complying with the new HIPAA Omnibus Rule: Part 1. May, p. 36;
A.H. Greene, R.L. Williams, L. Barash, J. Hodges-Howell
·· Complying with the new HIPAA Omnibus Rule: Part 2. June, p. 31;
A.H. Greene, R.L. Williams
·· Seven tips to improve relationships with business associates.
July, p. 70; M. Bruemmer
·· HIPAA Omnibus Rule compliance for physician practices.
September, p. 59; J.R. Jones
·· Risk analysis: Fundamental to HIPAA security compliance.
September, p. 68; D. Pollack
·· The HIPAA final rule: Transforming the business associates’ landscape.
October, p. 75; D. Ross
·· The Omnibus Rule: Identify, investigate, and implement.
November, p. 61; M. Valentin
·· What every compliance officer should know about release of
information. December, p. 51; S. Blackwood, S.P. Limmroth
Home Health/Hospice
·· Face-to-face requirements: What pitfalls lie ahead for home health
agencies. October, p. 58; K. McDonald, L. Lonergan, K. Shah
Hospital
·· Patient privacy in an open-access environment. April, p. 66; T.D. Nuss,
L. Bryant, M. Edwards
·· Wearing multiple hats: The rural provider dilemma. May, p. 61;
T.L. Davis
The Compliance–Quality Connection by David Hoffman
Compliance
TODAY
87
2013 Index
·· PATH rules for physician oversight and billing. July, p. 27; B. Moran,
B. Sherman
·· Should readmissions be on a compliance officer’s radar? August, p. 4;
M. Reizen
·· Active management: The new frontier for hospital compliance.
August, p. 51; G. Peace
·· How to avoid the CIA: The high price of non-compliance.
September, p. 23; G. Goodman
·· Hospital readmissions and discharge planning: Part 1. October, p. 51;
D. Hoffman
·· Discharge planning, Part 2: The patient/resident ping-pong effect.
November, p. 43; D. Hoffman
·· Tax-exempt hospitals: Putting your hospital’s IRS exemption at risk.
December, p. 28; G. Griffith, J. King, C. Livingston
·· Physician-owned entity fraud alert: Hospital compliance officers take
note. December, p. 36; T. Bulleit, E. Andonova, N.D. Morris
In Memorium
·· Chris Bangerter, (April 30, 1966-May 3, 2013). August, p. 9; D. Lewis
Letter from the CEO by Roy Snell
·· Code of conduct. January, p. 5
·· Commotion in the New York enforcement community. February, p. 3
·· Using social media to improve your position in our profession.
March, p. 3
·· Business ethics vs. Save the World ethics. April, p. 3
·· Our future looks bright. May, p. 3
·· Compliance professionals struggle for independence. June, p. 3
·· How did Corporate Compliance and Ethics Week come about? July, p. 3
·· Do we have a problem with tone at the top, or a problem
communicating that we have tone at the top? August, p. 3
·· Diluters and distractors take heed: Your “noise” will not deter our focus.
September, p. 3
·· Just when you think you have seen all the stupid you can handle…
October, p. 3
·· You just might not be a compliance expert if… November, p. 3
·· Certification of Compliance Professionals, December, p. 3
Long-term Care/Skilled Nursing
·· For skilled nursing and nursing facilities, compliance counts.
April, p. 75; W. Chan, V. Pastora
·· SNF Advance Beneficiary Notice: Avoiding financial liability and
Medicare sanctions. June, p. 77; W. Wright
·· Mandatory compliance and long-term care: Part 1. July, p. 45; T. Ealey,
M. Gilstad
·· Effective compliance program in a skilled nursing facility. August, p. 61;
C. Shaw-Burns
Medicare and Medicaid
·· New Medicare provider enrollment regulations: What compliance
officers need to know. February, p. 35; I. Cabrera, A. Monte
·· Using Local Coverage Determinations to your advantage. April, p. 62;
T. Mantese, C.J. Laney, C. Bores
·· Medicare Coverage Analysis: Protecting your institution. May, p. 25;
A. Burleigh
·· Protecting your organization from exclusion sanctions.
September, p. 64; A.J. Markenson, K. Skeat
·· Overpayments and other common reasons for denial of Medicare
enrollment. November, p. 35; L.J. Perling
Outpatient Therapy/Rehabilitation
·· Rehab risks in a RAC world. October, p. 71; N. Beckley
Compliance
TODAY
Quality and Patient Safety
·· Radiation dose safety: Best practices. January, p. 65; B. Taggard, N. Mullens
·· Compliance, quality, and the role for unbiased peer review.
February, p. 69; M. Friedman, R. Lehman, H. Gahbauer
·· Quality fraud: Two pathways to trouble. June, p. 27; A.G. Gosfield
·· The ACA and lessons from the Quality Corporate Integrity Agreements.
July, p. 63; A. Stegemann
·· Compliance and quality of care, Part 1: Laws and case studies.
December, p. 40; M.M. Chaitt, M.L. Mattioli, R.E. Moses, D.S. Jones
Research
·· New Public Health Service/NIH regulation: Investigator responsibilities.
February, p. 53; T.J. Sullivan, L. Bickford
·· Schooled in fraud: Compliance lessons from the “Lying Dutchman”.
October, p. 63; S. Killingsworth
Risk
·· Avoiding the mourning after: Minimizing FCPA risk of pass through or
successor liability. March, p. 31; P. Pelletier, N. Fischman
·· Billing compliance under the Incident To provision: What’s the risk?
June, p. 39; K.C. Loya, C. Friederich
·· Finding your Snowden: Identifying insider threats by employees and
contractors. October, p. 53; A.H. Greene
healthcare employers. November, p. 45; R.S. Groban, Jr., C.F. Silie
·· Digital asset risk assessments. December, p. 21
Security
·· Navigating security concerns with clinician tablet usage. June, p. 45; R. Frigy
·· Texting and mobile devices: Partners in health care. July, p. 31;
J. Sheldon-Dean, V. Phalke
·· Be part of the solution: Stop medical identity fraud. October, p. 47; M. Janiga
Social Media
·· Privacy Officer’s Roundtable. January, p. 57; J. Falcetano
·· Social media and HIPAA compliance: Balancing benefits and risks.
February, p. 47; J. Sheldon-Dean, V. Phalke
·· Who “owns” social media—you or your employees? November, p. 29;
K.R. Glickstein, L.N. McDowell
·· Social media risk management: A healthcare provider’s guide to
appropriate use. December., p 49; E. Hess
Staffing/Screening
·· Avoid liability: Consistent screening of both permanent and temporary
staff. January, p. 45; V.T. Do
·· The changing role of the executive assistant: A hidden opportunity?
January, p. 73; V. Loyola, J. Sinaiko
·· OIG issues updated guidance on exclusion: What it means for providers.
October, p. 41; L.J. Perling
healthcare employers. November, p. 45; R.S. Groban, Jr., C.F. Silie
Training
·· Best practices: Training programs to combat fraud, waste, and abuse.
January, p. 51; E. Leinfuss
·· Compliance 101: Developing an effective compliance training program.
January, p. 81; R. Crosby
·· Best practices in delivering effective compliance training.
December, p. 57; A. Beidler
January 2014
Compliance
TODAY
Tear out this page and keep for reference, or share with a colleague. Visit www.hcca-info.org for more information.
Janice A. Anderson and Cullin B. Hughes
(page 28)
»» Physician practice management arrangements
often implicate state laws on corporate
practice of medicine (CPOM) and fee-splitting
prohibitions.
»» The CPOM doctrine can dictate the form of
physician entity to be used in a physician
practice management arrangement.
»» Fee-splitting prohibitions may prevent
certain management fee structures that are
common to physician practice management
arrangements.
»» Laws vary from state to state, so these laws
should be examined for each state in which
services will be provided under a physician
practice management arrangement.
»» Violation of CPOM or fee-splitting prohibitions
can lead to serious consequences for both the
physician practice management company and
the physicians involved in an arrangement.
Some thoughts on tone at the top
Bret S. Bissey (page 35)
»» The compliance officer should be free to have
open and transparent dialogue with the board.
»» The compliance officer should be included and
involved in key operational decisions.
»» Compliance should be a standing agenda item
in board and/or audit committee meetings.
»» The compliance officer must be given the
authority and control over investigations and
risk assessments without intimidation.
»» The separation of Compliance and Legal is
fundamental to an effective program.
Compliance and quality of care,
Part 2: The physicians’ perspective
Michelle Moses Chaitt, Mark L. Mattioli,
Richard E. Moses, and D. Scott Jones
(page 42)
»» Learn strategies for educating physicians
about compliance issues.
»» Key teaching principles have proven useful in
educating physicians.
»» Identify the most common compliance and
quality risks for physicians and include them
in educational materials.
»» Make compliance a solid and real concept
for physicians by pointing out the role of
compliance in preventing malpractice claims.
»» Malpractice insurance carriers are starting to
offer privacy breach insurance as well.
New developments in data analytics:
From data mining to data prospecting
Karen Nelson (page 47)
»» CMS has employed predictive data analytics on
Medicare fee-for-service claims data.
»» Predictive analytics may result in earlier
governmental intervention.
»» Medicaid Fraud Control Units are authorized to
begin data mining.
»» The organization can take simple steps to
protect itself by using internal data proactively.
»» Compliance efforts can be quantified in
monetary terms.
HIPAA Omnibus Rule regulatory
milestone: Building and maturing
sustainable compliance programs
Kurt Long (page 55)
»» The final Omnibus Rule removes the ambiguity
and uncertainty surrounding healthcare privacy
and security compliance requirements.
»» With the removal of legal ambiguity, care
providers can now confidently establish and
mature sustainable compliance programs.
»» User activity monitoring is likely to be a focal
point for the Office for Civil Rights’ (OCR)
ramped-up 2014 HIPAA audit schedule.
»» Resources are available to overcome
technology, governance, and workforce
challenges.
»» For compliance to be sustainable and
affordable, care providers must view
compliance as a core and critical function of
their everyday operations and work.
Essential health benefits under the ACA
Natalie Franklin (page 61)
»» Ten statutory essential health benefit (EHB)
categories were established under the ACA.
»» Private, employer-based, and Medicaid health
plans must provide minimum EHBs.
»» Four coverage groups (Bronze, Silver, Gold,
and Platinum) are available.
»» Open enrollment in the state health insurance
marketplaces started October 1, 2014.
»» Fee or “tax” for failure to obtain coverage
starts in 2014.
Risk management 2-5-3: Two pages,
five minutes, and three steps to an
effective program
Mike Walker (page 63)
»» Healthcare operations are under increased
scrutiny from the federal government.
»» Boards and senior administrators are being
criminally prosecuted.
»» Current enterprise risk management (ERM)
processes appear complicated, burdensome,
and/or arcane.
»» The Inventory, Evaluate, Act model (IEA) offers
a simplified and efficient approach.
»» Governing boards are responsible for risk
oversight and need to act.
Medicare gets egg on its face
Edward L. Vishnevetsky (page 67)
»» Many providers/suppliers do not appeal
Medicare overpayments to federal court.
»» Administrative Law Judges (ALJs) and the
Medicare Appeals Council are deferring to RAC,
MAC, and ZPIC interpretations and
upholding payment denials.
»» A landmark case in Texas may change the way
rules and guidelines in Medicare manuals can
be interpreted by federal agencies
and federal contractors.
»» When challenged, the Fifth Circuit Court
vacated a sanction against a nursing home,
denying deference to CMS and an ALJ’s
interpretations of a Medicare manual rule.
»» The Supreme Court has not ruled on the level
of deference a court should give to an agency
that interprets manuals and guidelines.
Mandatory compliance
and long-term care: Part 2
Tom Ealey and Marcy Corbat (page 70)
»» Long-term care (LTC) facilities need to be
intentional and thorough about compliance,
just as they have been about performance and
documentation rules.
»» A perfect compliance program is not expected
or required, but a good-faith effort to provide
quality services and business integrity is
essential.
»» Compliance programs should focus on
preventing risks, discovery of existing risks,
and mitigation.
»» Improvements in revenue cycle management
can offset the cost of maintaining an effective
compliance program.
»» An LTC facility must act as a fiduciary for
Medicaid residents’ allowed personal funds,
in accordance with state law.
Overpayments and other common
reasons for denial of Medicare
enrollment: An update
Lester J. Perling (page 79)
»» An individual or entity on a Medicare-approved
payment plan will not be denied Medicare
enrollment for an overpayment of
$1,500 or more.
»» A partial owner with an overpayment will not
preclude Medicare enrollment for the provider.
»» A sole proprietor physician may not re-enroll
in Medicare under a different name to avoid
overpayment liability.
»» The rule on enrollment denials based on
overpayments applies only to physicians,
practitioners, and owners.
»» Compliance officials must stay informed to
keep up with the ever-changing regulatory
environment.
s
Takeaways
89
HCCA’s 2014 Upcoming Events
Learn more about HCCA’s educational opportunities at www.hcca-info.org/events
January 2014
Sunday
Monday
Tuesday
Wednesday Thursday
1
Friday
2
February 9–11 • Scottsdale, AZ
Saturday
3
4
Audit & Compliance Committee
Conference
February 24–25 • Scottsdale, AZ
18th Annual Compliance Institute
HCCA OFFICE CLOSED
New Year’s Day
5
6
7
8
9
10
11
March 30–April 2 • San Diego, CA
AHLA/HCCA Fraud & Compliance Forum
October 6–8 • Baltimore, MD
Clinical Practice Compliance Conference
12
13
14
15
WEB
CONFERENCE:
PEPPER: The Psychiatric
Interpretation
16
17
18
Mawlid an-Nabi begins
19
20
21
WEB
CONFERENCE:
2014 OIG Work Plan, Part 1:
Hospitals
Basic Compliance Academy
New York, NY
22
WEB
CONFERENCE:
Physicians
23
WEB
CONFERENCE:
Home Health
CHC Exam
Southeast
Regional
Conference
Atlanta, GA
24
25
HCCA OFFICE CLOSED
Martin Luther King Jr Day
26
27
28
29
30
31
October 12–14 • Philadelphia, PA
January 20–23 • New York, NY — LIMITED SEATS
February 3–6 • Puerto Rico — LIMITED SEATS
February 17–20 • San Francisco, CA — LIMITED SEATS
March 17–20 • New Orleans, LA
April 14–17 • Boston, MA
June 9–12 • Scottsdale, AZ
August 4–7 • New York, NY
September 29–October 2 • Nashville, TN
October 20–23 • Las Vegas, NV
November 17–20 • Orlando, FL
December 1–4 • San Diego, CA
Research Basic Compliance Academies
March 10–13 • Las Vegas, NV
February 2014
Sunday
Monday
Tuesday
Health Care Privacy
Wednesday Thursday
Friday
Saturday
1
March 10–13 • Las Vegas, NV
June 16–19 • San Diego, CA
Regional Conferences
2
3
4
5
WEB
CONFERENCE:
Proactively Detect Privacy
Breaches by Insiders
San Juan, Puerto Rico
6
CHC Exam
7
8
14
15
South Atlantic
Regional
Conference
Orlando, FL
Groundhog Day
9
10
11
12
WEB
WEB
CONFERENCE:
CONFERENCE:
Privacy and Security
Under the Microscope:
Challenges in Integrated Care Audits During the
Implementation Period
of the Two-Midnight Rule
13
Cascade Range
Regional
Conference
Portland, OR
Scottsdale, AZ
Valentine’s Day
16
17
18
WEB
CONFERENCE:
When Employees Become
Patients: Navigating Dual
Roles and Responsibilities
19
San Francisco,CA
20
WEB
CONFERENCE:
Expanded Rights to Request
Restrictions: Are You Ready?
CHC Exam
21
Southwest
Regional
Conference
Dallas, TX
Presidents’ Day
23
24
25
WEB
CONFERENCE:
Credential With Confidence
Audit & Compliance
Committee Conference
Scottsdale, AZ
26
27
28
WEB
CONFERENCE:
The Evolving Role of the
Compliance Officer in the
Age of Accountable Care
Alaska Regional Conference
Anchorage, AK
Maha Shivaratri
Dates and locations are subject to change.
22
Southeast • January 24 • Atlanta, GA
South Atlantic • February 7 • Orlando, FL
Cascade Range • February 14 • Portland, OR
Southwest • February 21 • Dallas, TX
Alaska • February 27–28 • Anchorage, AK
Greater St Louis • March 7 • St Louis, MO — NEW
DC Metro • March 14 • Washington DC — NEW
Puerto Rico • May 1–2 • San Juan, Puerto Rico
Upper North Central • May 9 • Columbus, OH
Upper Northeast • May 16 • New York, NY
Delaware Valley • June 6 • Philadelphia, PA — NEW
Pacific Northwest • June 13 • Seattle, WA
West Coast • June 20 • Newport Beach, CA
New England • September 12 • Boston, MA
Upper Midwest • September 19 • Minneapolis, MN
Midwest • September 29 • Kansas City, KS
North Central • October 6 • Indianapolis, IN
East Central • October 10 • Pittsburgh, PA
Hawaii • October 16–17 • Honolulu, HI
Mountain • October 24 • Denver, CO
Mid Central • November 7 • Louisville, KY
Desert Southwest • November 14 • Phoenix, AZ
South Central • November 21 • Nashville, TN
Upper West Coast • December 5 • San Francisco, CA
Gulf Coast • December 12 • Houston, TX
Health Care Compliance Association’s 18 th Annual
COMPLIANCE
INSTITUTE
®
March 30–April 2, 2014
Manchester Grand Hyatt | San Diego, CA
Try following a
learning track
; General Compliance/Hot Topics ; Physician Compliance
Here’s the track for everything
from the basics of Compliance
101 to hot topics like healthcare
reform. Learn what you need to
know from compliance officers,
regulators, outside counsel, in-house
counsel, auditors, providers, and
industry experts.
; Long-Term Care
Keep on top of changing regulations
for skilled nursing facilities,
including best practices for
developing an effective compliance
program, and learnthe latest
information on auditing and
monitoring compliance programs
now regulated by the Patient
Protection and Affordable Care Act.
; Privacy & Security
Understand the privacy and
information security compliance
issues that continue to emerge,
and learn how to integrate privacy
and security issues into your overall
compliance program.
Cover information related to small
and large physician practices,
research billing for physicians,
academic medical centers, and
hospitals and health systems.
; Compliance Lawyer
Learn the legal basis for the
compliance issues you manage.
Compliance lawyer track sessions
will be presented by experienced
and knowledgeable lawyers from
inside and outside the government.
They understand the law and can
make it more understandable to you.
; Auditing & Monitoring
How do you know your compliance
program is working? Auditing and
monitoring is key to measuring
effectiveness and improvement.
Learn the practices that you need
to read the vital signs of your
compliance program.
Register for the Compliance Institute at
www.compliance-institute.org
Register early!
Save $575 when you
register by January 7, 2014
; How to Succeed as a
Compliance Professional
The more effective your leadership,
the more effective your compliance
program. Sessions in this track
will help you develop your skills
and increase your value to the
compliance program and the
organization for which you work.
; Quality of Care
Quality of care is one of the newest
compliance challenges. Hear from
compliance officers, doctors, nurses,
and other healthcare providers
as they provide you with the
information, tools, and processes
needed to help you do quality work
on quality of care.
; Advanced Discussion Groups
If you’re an experienced compliance
and ethics professional, or if you’re
looking for a more interactive
program, this track is
for you. Each session
is designed to involve
everyone in the room.
There are no formal
presentations, just
discussion facilitated by
industry experts.