volume eleven number three march 2009 published monthly · 42 standing at the crossroads by michael...

Volume ElevenNumber Three

March 2009 Published Monthly

Feature Focus:

Executive compensation in

troubled timespage 32

Meet

Bill Parke Vice PresidentCorporate Compliance Rutherford Hospitalpage 14

Unauthorized access to protected health

information: Educating the workforce

page 10HCCA is going green HCCA conference attendees will NOT automatically receive conference binders. If you would like to purchase conference binders, please choose that option on your conference registration form. Attendees will receive electronic access to course materials prior to the conference as well as a CD onsite with all the conference materials.

Earn CEU Creditwww.hcca-info.org/quiz, see page 13

Organizational climates change asorganizations grow and evolve. So, how canyou ensure attitudes and behaviors remainconsistent with core values? Look to GlobalCompliance, the single provider offering acomprehensive framework to protect yourorganization from financial, legal, andreputational harm.

• Ethics and compliance riskassessment

• Code of conduct• Communication campaigns• Online, computer-based, andinstructor-led training

• Hotlines/Helplines• Case management• Investigations• Data analytics• Mystery shopping• Ethics and compliance evaluations• Employee exit interviews

Contact the ethics and compliance leaderthat is already serving over one-half ofAmerica’s Fortune 100 and one-third ofAmerica’s Fortune 1000 along with colleges,universities, and government entities. And,we’re proud to claim greater than 450health care organizations as clients.

With 27 years of experience and the mostcomprehensive product and service offeringin the industry, Global Compliance canhelp you develop and maintain an ethicalclimate that’s appealing to employees,patients, and stakeholders.

What’s Your Ethical Climate?

13950 Ballantyne Corporate Place • Charlotte, NC, USA 28277866-434-7009 • [email protected]

www.globalcompliance.com

© 2008 Global Compliance. All Rights Reserved.

Making the world a better workplaceTM

2008.3 GC_Umbrella_Ad:8.5 x 11 1/11/08 4:41 PM Page 1

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgMarch 2009

3

INSIDEINSIDE4 New developments in payment and public reporting

of quality of care By Janice Anderson, Cheryl Wagonhurst, and Anil ShankarPenalties and incentives are steps toward pay for performance in Medicare reimbursements.

10 CEU: Unauthorized access to protected health information: Educating the workforce By Mark C. RogersBest practices to implement now to prevent fines, civil lawsuits, and adverse publicity later.

14 Meet Bill Parke, Vice President, Corporate Compliance, Rutherford Hospital An interview by Greg Warner

18 Letter from the CEO By Roy Snell Ethics works if everybody is ethical

21 RAC demonstrations and inpatient rehabilitation—Vision of things to come? By Jane Snecinski Documenting “medical necessity” is key to avoiding RAC denial of payment for inpatient rehab facilities.

25 Ask Leadership By John FalcetanoRed Flag identity theft rules

27 Newly Certified CHCs

28 Physician office compliance—Are you monitoring your auditing and monitoring program? By Melissa MoralesOpportunities to identify needed changes and corrective actions may be hiding just out of sight.

32 CEU: Feature focus: Executive compensation in troubled times—Part 1 By Gerald M. GriffithEconomic pressures, increased transparency, fiduciary duties, and stakeholder interests make compensation decisions more than a numbers game.

38 Compliance 101: I just received a subpoena - Now what? By Andrea Ebreck and Karen CincioneState and federal privacy laws affect the appropriate response to requests for protected health information.

40 Go Local

42 Standing at the crossroads By Michael SpakeCombining rules-based compliance with ethical and moral decisions to form an integrated operations model for excellence.

46 Cyber Doctors By Sonya Burtner Electronic communications facilitate telemedicine, but also raise legal and compliance issues.

51 Mandatory Stark reporting: Is a denouement nigh, or just another chapter in the saga? By Edwin Rauzi and Lisa HaywardCMS wants 400 hospitals to respond to its request for information.

53 CEU: Charge Description Master compliance assessments By Joel W. Lipin Tips for assessing the accuracy of your CDM.

55 Increased government oversight of managed care plans— Are you ready? By Steven E. Skwara Governmental requirements for detecting, investigating, and reporting fraud and abuse by “downstream” entities.

61 New HCCA Members

HCCA Officers:

Rory Jaffe, MD, MBA, CHCHCCA PresidentExecutive Director, California Hospital Patient Safety Organization (CHPSO)

Julene Brown, RN, MSN, BSN, CHC, CPC HCCA 1st Vice PresidentCompliance OfficerMeritCare Health System

Jennifer O’Brien, JD, CHCHCCA 2nd Vice PresidentShareholderHalleland Lewis Nilan & Johnson PAUrton Anderson, PhD, CCEPHCCA TreasurerChair, Department of Accounting andClark W. Thompson Jr. Professor in Accounting EducationMcCombs School of Business University of Texas

Gabriel Imperato, Esq, CHCHCCA SecretaryManaging PartnerBroad and Cassel

Shawn Y. DeGroot, CHC-F, CCEPNon-Officer Board Member of Executive CommitteeVice President Of Corporate ResponsibilityRegional Health

Steven Ortquist, JD, CHC-F, CCEP, CHRCHCCA Immediate Past PresidentPartnerMeade & Roach

CEO/Executive Director: Roy Snell, CHC, CCEPHealth Care Compliance Association

Counsel: Keith Halleland, Esq.Halleland Lewis Nilan & Johnson PA

Board of Directors:

Marti Arvin, JD, CHC-F, CPC, CCEP, CHRCPrivacy OfficerUniversity of Louisville

Angelique P. Dorsey, JD, CHRCResearch Compliance Director MedStar Health

Dave HellerChief Ethics & Compliance OfficerQwest Communications

Joseph Murphy, JD, CCEPCo-Founder Integrity InteractiveCo-Editor ethikos

Karen A. Murray, MBA, FACHE, CHC, CHACorporate Compliance OfficerYale New Haven Hospital

F. Lisa Murtha, JD, CHCManaging DirectorHuron Consulting Group

Daniel Roach, Esq.Vice President Compliance and AuditCatholic Healthcare West

Frank Sheeder, JD, CCEPPartnerJones Day

Debbie Troklus, CHC-F, CCEP, CHRCAssistant Vice President for Health Affairs/Compliance University of Louisville

Sheryl Vacca, CHC-F, CCEP, CHRCSenior Vice President/Chief Complianceand Audit Officer University of California

Greg Warner, CHCDirector for ComplianceMayo Clinic

Publisher: Health Care Compliance Association, 888-580-8373Executive Editor: Roy Snell, CEO, [email protected] Editor: Gabriel Imperato, JD, CHC, 888-580-8373Managing Editor/Articles and Advertisements: Margaret R. Dragon, 781-593-4924, [email protected] Editor:Patricia Mees, CHC, CCEP, 888-580-8373, [email protected]:Gary DeVaan, 888-580-8373, [email protected]

Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care Com-pliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Sub-scription rate is $295 a year for nonmembers. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address changes to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright 2009 Health Care Compliance Association. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means without prior written consent of the HCCA. For subscription information and advertising rates, call Margaret Dragon at 781-593-4924. Send press releases to M. Dragon, PO Box 197, Nahant, MA 01908. Opinions expressed are not those of this publication or the HCCA. Mention of products and services does not constitute endorsement. Neither the HCCA nor CT is engaged in render-ing legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.


4

Editor’s note: Janice A. Anderson is a partner in Foley and Lardner, LLP in Chicago. She is a member of the Health Care Industry Team with 25 years’ experience focusing on health regula-tory and compliance issues and over 30 years’ experience working in the health care industry. She may be contacted by e-mail at [email protected] or by phone at 312/832-4500.

Cheryl L. Wagonhurst is a partner with the Los Angeles office of Foley & Lardner LLP and a member of the firm’s Health Care Industry Team and White Collar Defense & Corporate Compli-ance Practice. Ms. Wagonhurst is a former mem-ber of the board of directors of the Health Care Compliance Association and currently serves on the advisory board of the Society of Corporate Compliance and Ethics. She may be reached by telephone at 213/972-4681 and by e-mail at [email protected].

Anil Shankar is an associate with Foley & Lardner LLP in Los Angeles, California, and is a member of the firm’s Health Care Industry Team. He may be reached by phone at 213/972-4584 or by e-mail at [email protected].

The long-term plan of Congress and the Center for Medicare and Medicaid Services (CMS) to tie

health care reimbursement to the quality of health care services has been well-docu-mented. CMS recently issued final rules that extend quality initiatives beyond inpatient hospitals to health care professionals and hos-pital outpatient departments. Authorized by the Medicare Improvements for Patients and

Providers Act of 2008 (MIPPA), CMS has now created incentive programs that affect the reimbursement of certain healthcare professionals and outpatient departments of hospitals.

As a result of changes authorized by MIPPA and implemented through the 2009 Physician Fee Schedule Final Rule (PFS Final Rule), physicians and other eligible professionals may earn a 2% bonus for the reporting of quality data specified by the Secretary of the Department of Health and Human Services (Secretary-HHS), and a separate 2% bonus for successfully transitioning to an electronic prescription system. The 2009 Outpatient Prospective Payment System Final Rule (OPPS Final Rule) implements a similar quality data reporting incentive that applies to hospital outpatient departments. The OPPS Final Rule authorizes a 2% payment reduction for outpatient departments that fail to meet certain outpatient reporting require-ments during FY 2009. Finally, three recently published National Coverage Determinations from CMS will make certain “never events” non-covered services.

The onset of “pay for reporting” incentives can affect the pocketbook of professionals and entities which treat Medicare patients, but the incentives are also significant as a signal of CMS’ continued commitment to tying payment to the quality of services provided. The long-term move toward a “pay for qual-ity” system (called a “value based purchasing plan” by CMS) has been implemented

New developments in payment and public

reporting of quality of care

By Janice Anderson, Cheryl Wagonhurst, and Anil Shankar

Affinity Group MeetingsHold your own

meeting in conjunction with HCCA’s 2009

Compliance Institute!Planning on attending the Compliance Institute? Need to hold a meeting of your own? Affinity group meetings are now available in conjunction with the Compliance Institute.

Not only do you get the benefit of holding your meeting along-side the most comprehensive compliance conference for compliance professionals, but you also receive complimentary meeting room space at the conference site, your choice of a complimentary continental breakfast or an am or pm break, and registration at the HCCA Member rate for your attendees.

Affinity Group Meetings may be held on one of the following days:

Saturday, April 25, 2009 Wednesday, April 29, 2009 (afternoon)Thursday, April 30, 2009

To apply, please visit www.compliance-institute.org (conference tab) and fill out the Affinity Group Meeting form. Please return the completed form to the HCCA office.

Questions? Contact Jodi Erickson Hernandez at 952.405.7926 or email her at jodi.ericksonhernandez @hcca-info.org


5

incrementally, and CMS has made clear that the programs discussed below are intended as steps toward that goal. Many of the pay for reporting initiatives began as voluntary programs, designed to familiarize providers with the process of reporting and allow CMS to receive data on quality issues around the country. Under the new incentive programs, reporting remains voluntary, but there are now significant financial implications for reporting quality data. CMS makes clear that future programs may make reporting manda-tory, and that payment may be tied to how well a provider performs on reported quality measures, rather than just on reporting.

Physician Quality Reporting Initiative

The Physician Quality Reporting Initia-tive (PQRI) began with the passage of the Tax Relief and Health Care Act of 2006 (TRHCA), which directed the Secretary-HHS to implement a system for certain healthcare professionals to report data on selected quality measures.1 Reporting began in July 2007. (Previously, physician’s could choose to participate in a Physician Voluntary Reporting Program.) Reports were not mandatory, but submission of the data in accordance with prescribed standards gener-ated a bonus payment of 1.5% of the amount paid to the eligible professional for covered professional services during the reporting period. In July, 2008, MIPPA extended PQRI indefinitely and raised the bonus for years 2009 and 2010 to 2%.2 The eligible professionals who can submit PQRI and receive the reporting bonus include certain midlevel practitioners, physicians, occupa-tional therapists, qualified speech-language pathologists, and (starting in 2009) qualified audiologists.3

The importance of PQRI for physicians and other eligible professionals should not be underestimated. CMS has made clear

that “pay for reporting” programs are a step toward a “pay for performance” or “pay for quality” reimbursement model (called a “value-based purchasing plan” by CMS). MIPPA directs the Secretary-HHS to submit to Congress a plan for the transition to pay for performance (P4P) with regard to physicians and other practitioners by May 1, 2010.4 On November 26, 2008, CMS presented an issues paper which outlines the initial framework for such a plan, and conducted a day-long listening session to discuss the anticipated transition.5

The incremental movement toward P4P mirrors the approach taken with regard to hospitals. The Deficit Reduction Act of 2005 (DRA) established a 2% penalty for hospitals (referred to as subsection (d) hospitals)6 that fail to report quality data, and directed the Secretary-HHS to develop a plan for implementing P4P for these hospitals for 2009.7 That plan was submitted to Congress in November of 2007, but legislation has not yet been enacted in response. Subsection (d) hospitals are hospitals in the 50 States, Washington DC, and Puerto Rico, except for psychiatric hospitals, rehabilitation hospitals, hospitals whose inpatients are predominantly under 18 years old, and hospitals whose average inpatient length of stay exceeds 25 days. A current bill drafted by Senator Baucus (D-Montana) and Senator Grassley (R-Iowa) would implement P4P for subsection (d) hospitals starting in 2012, and phase in over a five year period until 2016.8 Similar legislation, or an expansion of the current bill, which extends P4P to physicians and other healthcare professionals should be anticipated.

The ability to measure the quality of health care services accurately and efficiently is at the heart of CMS’ vision of a value-based purchasing plan. When PQRI was first implemented in 2007, the data tracked 74

quality measures. The PFS Final Rule expands PQRI to include 153 quality measures for 2009, up from 119 measures in 2008, but less than the 175 measures originally proposed by CMS. MIPPA requires the Secretary-HHS to ensure that the affected professionals have an opportunity to provide input during the development or selection of quality measures, and CMS has invited comments on the mea-sures both for PQRI and for the anticipated transition to P4P.

The 2009 quality measures include the 2008 PQRI measures plus certain measures endorsed by the National Quality Forum (NQF) and/or the AQA (formerly the Ambu-latory Care Quality Alliance). The 2009 PQRI program also divides certain measures into seven measure groups, which are subsets of PQRI measures that have a particular clini-cal condition or focus in common. Details regarding the specific measures and measure groups included in PQRI for 2009 can be found at www.cms.hhs.gov/pqri. Technical specifications for reporting the measures and measure groups in the 2009 final listing can be found in the “Measures/Codes” tab of the PQRI section of CMS’ website.

In addition to the quality measures which can be reported, the PFS Final Rule contains the criteria for submission which must be met to qualify for the incentive payment. In the past, reporting has encountered numerous hiccups. CMS data reveal that in 2007, just over half of those who participated successfully met the program and reporting requirements and received the reporting bonus.9 In addition, many participants had difficulty accessing the confidential feedback reports CMS provided. These reports contained information as to whether the participant had met the criteria for satisfactory reporting, the amount of the incentive earned, and

Continued on page 7

March 2009

6

Compliance 360 assists Healthcare Organizations comply with:

www.compliance360.com

678.992.0262

AUTOMATE YOUR COMPLIANCE AND RISK MANAGEMENT PROGRAM

Policy ManagementContract ManagementRemediation Projects

Enterprise Risk ManagementIncident Management & Reporting

Audit ManagementRegulation Management

Surveys

Where Compliance Comes Full Circle

Mitigate Risk • Reduce Liability•

Increase Productivity•

DriveAccountability•EnhanceComplianceVisibility•

Decrea

seCo

st•

Enfo

rceCo

nsist

ency•

Streamline Processes •

CMS

US Sentencing Commission Guidelines OIG’s Annual Work Plan

Stark Law

Medicare Part D

HIPAA

Integrity Agreements

Contact us today to view a free demo.


7

Continued on page 9

New developments in payment and public reporting of quality of care ...continued from page 5

their measure performance rates. CMS has worked to streamline the process and educate eligible professionals about how to meet the requirements and is seeking ways to make accessing the feedback reports easier, but these difficulties emphasize the importance of becoming familiar with the system prior to the anticipated transition to a P4P reimburse-ment scheme.

Eligible professionals have several options available for reporting the data and qualify-ing for the 2% bonus. The options differ based on whether the professional chooses a claims-based or registry-based approach and whether the reporting pertains to individual measures or measure groups. The options available for claims-based submission of individual measures are the most restrictive. Registry-based reporting permits a physician to report through an authorized outside organization, such as certain trade associa-tions. Registry-based submission using several different options is permitted and, for 2008 PQRI, there are 32 registries qualified to submit quality measures on behalf of eligible professionals. The PFS Final Rule sets forth the process that registries must go through in order to be qualified to submit data for eligible professionals for the 2009 PQRI program. There are six options available to a professional reporting on measure groups.

CMS does not, at this time, accept quality data through electronic health record (EHR) submission; however, it intends to test EHR vendors and their products during 2009 to determine if EHR reporting can be used in the future. If EHR vendors meet CMS’ qualifications to participate in the PQRI test-ing process, their systems can submit quality measure data to CMS for PQRI on behalf of eligible professionals who use the systems.

In addition, MIPPA directs CMS to publicly

report the names of eligible professionals who satisfactorily report quality data for 2009.10 This marks a significant departure from the PQRI programs of 2007 and 2008, and is another of CMS’ strategies for improving the quality of health care services. The names of successful reporters will be posted in 2010 on a “Physician and Other Health Care Profes-sional Compare” website.11 Although the individual quality data will not be posted, the PFS Final Rule responded to comments about publishing the data and stated that CMS’ goal was to “eventually make performance information available.”12 The public posting of successful reporters should be regarded as the first step toward this process, and will lead to a website for physicians and other eligible professionals comparable to http://hospital-compare.hhs.gov.

E-Prescribing incentive program

MIPPA and the PFS Final Rule also enact a separate incentive payment program for health care professionals who transmit a majority of their prescriptions electronically (e-prescribe). As with PQRI, the e-prescrip-tion incentive program is the next step in a long-term plan to improve the quality of care in the United States. Congress, in response to findings that e-prescription could prevent a significant number of medical errors, enacted a law in 2003 to help develop the infrastructure for its wider use.13 The law made drug plans’ acceptance of e-prescriptions a requirement for participa-tion in the part D prescription drug benefit under Medicare, beginning in 2006, and CMS proclaimed the measure to be “one of the key action items in the government’s plan to expedite the adoption of electronic medical records and build a national electronic health information infrastructure in the United States.”14 MIPPA takes the next step toward greater use of e-prescribing by creating significant financial incentives

for physicians and other professionals who qualify as successful e-prescribers.

Under MIPPA, a successful e-prescriber is an eligible professional who, for a given report-ing period, reports all the quality measures specified by the Secretary-HHS that relate to e-prescribing in at least 50% of the instances in which the measure could be reported by the professional. However, the PFS Final Rule included only one quality measure to be reported in the e-prescribing program, which relates to the capacity for and use of e-prescribing measures. In 2008, this quality measure was included in the PQRI, but was removed by MIPPA and made part of the separate e-prescribing incentive program for 2009. Although there is only one measure for the 2009 reporting period, CMS has said that it intends to consider the use of additional prescribing events as the basis of the incentive payment in future years.15

The reporting of e-prescription occurs through Medicare billing codes. To report one of the available codes for e-prescriptions, profes-sionals must have a qualified e-prescribing system in place, and must have: (1) used it for all the prescriptions; (2) not generated any prescriptions during the encounter; or (3) been prevented from using the system by law, request of the patient, or the inability of the pharmacy system to receive e-prescriptions. CMS compares reported e-prescribing billing codes against the events reported to determine whether the professional qualifies as a success-ful e-prescriber.16 Professionals have discretion in choosing the system they wish to use for e-prescribing; however, the system chosen must have the functionality established by the Medicare Part D e-prescribing standards.17

The financial incentives authorized by MIPPA take two forms. Starting in 2009, successful


8


9

e-prescribers will receive an incentive payment. The bonus begins at 2% for years 2009 and 2010, but decreases in subsequent years and is eliminated entirely by 2014. The payment is separate from the incentive payments made under the PQRI, meaning eligible professionals could receive incentive payments of up to 4% in 2009. Second, beginning in 2012, a payment differential takes effect which penalizes prescribers by 1% if they do not qualify as successful e-prescribers. The amount of this differential increases in subsequent years to a maximum reduction of 2% by 2014. Thus, eligible pro-fessionals are offered incentives to transition to e-prescribing in the short-term, but these incentives steadily transition into penalties for failure to adopt and use an e-prescribing system in the future.

The definition of “eligible professionals” for the e-prescribing initiative is the same as for the PQRI, and includes physicians as well as physician assistants (PAs), nurse practitioners (NPs), clinical psychologists, registered dietitians, physical therapists, and qualified audiologists. However, eligibility is restricted to only those professionals who have prescrib-ing authority, which may vary from state to state for certain types of practitioners, based on the scope of their practice. Moreover, to qualify for the incentive, the reported code for e-prescribing must constitute at least 10% of the professional’s total Part B allowed charges. This limitation was enacted by Congress so that only those physicians or other eligible professionals who have the opportunity to prescribe a sufficient number of prescriptions can receive the incentive.

CMS will publish the names of successful electronic prescribers for the 2009 E-Prescrib-ing Incentive Program on the Physician and Other Health Care Professional Compare Website (http://www.medicare.gov/Physician/

Home.asp?bhcp=1). This means that both successful PQRI reporters and successful electronic prescribers now will be publicly reported by 2010.

Hospital outpatient quality data reporting

program

The OPPS Final Rule, released November 18, 2008, implements another incentive program designed to encourage reporting quality data.18 The rule expands upon existing hospital reporting requirements for outpa-tient services and implements the Hospital Outpatient Quality Data Reporting Program (HOP QDRP), which reduces hospital outpatient payment rates by up to 2% if the hospital fails to meet the outpatient reporting requirements.

HOP QRDP was authorized by the Tax Relief and Healthcare Act (TRCHA) in 2006, to begin operating in 2009.19 The 2008 OPPS Final Rule established seven quality measures relating to outpatient services, which were to be reported beginning in April, 2008.20 Five of these measures apply to emergency departments and relate to acute myocardial infarction treatment, and two relate to outpatient surgery and the preven-tion of surgical infection. This year’s OPPS Final Rule adds four new quality measures for FY 2009, focused on MRI of lumbar spine, mammography, abdominal CT, and thoracic CT. The adequate reporting of these measures will be used to determine if a hospital should be subject to the 2% reduction for FY 2010. The OPPS Final Rule also lists 18 different measures in nine measure sets from which additional quality measures could be selected for inclusion in HOP QDRP for FY 2011 and beyond.

The OPPS Final Rule explains the manner by which CMS will apply the 2% reduction in OPPS payment rates if a hospital fails to meet

reporting requirements under HOP QDRP. The national unadjusted payment rates for many services paid under OPPS equal the product of the OPPS conversion factor and the scaled relative weight for the ambulatory payment classification (APC) to which the service is assigned. The OPPS conversion factor is updated annually, and CMS proposes to apply the 2% reduction to the conversion factor for purposes of implementing the HOP QDRP payment adjustment. This means that the payment reduction for failing to report under HOP QDRP will only apply to those OPPS services which are adjusted annually based on the conversion factor. For CY 2009, the reduction would be determined by multiplying the full national unadjusted payment rate for the applicable CPT code by 0.981.

Like the “Reporting Hospital Quality Data Annual Payment Update” program, CMS intends that reporting under HOP QDRP will be made public and has stated that the data will be posted to the CMS website by 2010. Hospitals will have an opportunity to review the data prior to publication. CMS is exploring whether Hospital Compare or other sites might be used for reporting of hospital outpatient quality data.

Health care-associated conditions and

“never” events

Part of the value-based purchasing program already implemented by CMS has been a denial of payment for certain conditions con-sidered to be preventable. In October 2008, CMS implemented its Hospital-Acquired Condition payment penalty to further that initiative.21 Applicable to inpatient services only, the penalty denies any additional DRG payment for certain preventable complica-tions that were not present on admission. Examples of hospital-acquired conditions

Continued on page 52



10

Editor’s note: Mark C. Rogers is a member of the Health Care and Corporate Practice Groups at The Rogers Law Firm (www.therogerslawfirm.com) in Boston, Massachusetts. He is also a member of the firm’s Consulting Division (www.trcgsolutions.com). Mark is Co-Editor of The Boston Health Law Reporter and is an adjunct faculty member at New England School of Law, where he teaches Health Law. Mr. Rogers may be reached by e-mail at [email protected] or by telephone at 617/723-1100, ext. 229.

H ealth care entities have come a long way in terms of health informa-tion privacy since the enactment

of the HIPAA [Health Insurance Portability and Accountability Act] Privacy and Security Rules. The overwhelming majority of health care entities have worked to create a culture of commitment to protecting the health information of their patients. Nevertheless, despite this commitment to privacy, health care entities continue to face violations of the HIPAA Privacy and Security Rules by mem-bers of their workforce--including physicians, nurses, technicians, aides, administrative assistants, managers, and executives. One of the more common of these violations, and certainly one of the most well-publicized, is unauthorized access to protected health infor-mation (PHI). In layman’s terms: looking at other people’s medical records when there is no legitimate reason to be doing so.

Although there are well-publicized incidents of this occurring with the medical records of celebrities, a health care entity is much

more likely to encounter this problem in the context of a workforce member inappropri-ately accessing the medical record of either a co-worker or a family member or friend. Beyond the consequences to the workforce member who commits the violation, the health care entity also faces exposure to fines, civil lawsuits, and adverse publicity. This article looks at the issue of unauthorized access to PHI by workforce members and what health care entities can do to address this growing problem.

Increasing number of incidents

Over the last two years, there has been an increase in the number of workers within health care entities who inappropriately access, and in some cases disclose, the PHI of celebrities. Britney Spears, Maria Shriver, and George Clooney are just a few of the celebrities who have reportedly had their PHI inappropriately accessed in a health care entity setting.1 Recently, Richard Collier, an offensive tackle with the National Football League’s Jacksonville Jaguars, had his PHI inappropriately accessed while he was recover-ing from surgery at a Jacksonville, Florida hospital. According to reports of the media, twenty hospital employees accessed Col-lier’s online medical file using the hospital’s computer system.2

Perhaps the most well-best known incident of a celebrity’s PHI being inappropriately accessed is that of Hollywood actress, Farrah Fawcett. In February of 2008, Lawanda Jackson, a former administrative specialist for

the UCLA Health System, was indicted by a federal grand jury for illegally accessing the PHI of Fawcett and selling it to the National Enquirer for $4,600. Jackson faces up to ten years in prison if she is convicted. It is also possible the National Enquirer could be charged as a result of the ongoing investiga-tion by the U.S. Attorney’s Office.3 The indictment of Lawanda Jackson was the result of an investigation by the State of California into unauthorized access to PHI within the UCLA Health System. The investiga-tion showed that in addition to celebrities, workforce members had inappropriately accessed the PHI of over 1,000 other patients since 2003.4

The problem with unauthorized access to PHI is, of course, not unique to the UCLA Health System. Health care entities across the country face this problem on an ongoing basis. For the most part, unauthorized access to PHI within a health care entity is most likely to occur in the context of a workforce member inappropriately accessing the PHI of a fellow co-worker, friend, neighbor, or relative who was a patient at the facility.

Potential consequences

The unauthorized access of PHI by a work-force member of a health care entity presents a liability exposure to both the workforce member and the entity. The workforce mem-ber faces:n Disciplinary action by the covered entity,

from a verbal warning to termination of employment. If the individual is a member of the health care entity’s medical staff, he/she also faces disciplinary action under the entity’s Medical Staff Bylaws.

n A potential civil lawsuit from the indi-vidual whose PHI is the subject of the unauthorized access. Depending upon the circumstances of the underlying incident, this can include such claims as invasion

Unauthorized access to protected health

information: Educating the workforce

By Mark C. Rogers, Esq.


11

of privacy and infliction of emotional distress.

n Criminal fines and/or penalties under both state and federal laws. An individual who knowingly obtains or discloses PHI in violation of HIPAA faces a fine of $50,000 and up to one year in prison. The criminal penalties increase to $100,000 and up to five years in prison if the wrongful conduct includes false pretenses, and up to $250,000 and ten years in prison if the wrongful conduct includes the intent to sell, transport, or use individually identifi-able health information for commercial advantage, personal gain, or malicious harm.5 In addition, the workforce member likely will face state criminal charges as there have been a number of states that have recently strengthened their criminal laws pertaining to the privacy of personal information.

The health care entity also faces a significant potential liability exposure as a result of a workforce member’s unauthorized access to PHI. First, the entity faces an investigation by both the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS) which is the agency that enforces the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Ser-vices (CMS) which is the agency that enforces the HIPAA Security Rule. Such investigations could lead to a potential fine of $100 per failure to comply with each HIPAA Privacy or Security Rule requirement.6 Second, as with a workforce member, the entity also faces a lawsuit from the individual whose PHI is the subject of the unauthorized access. The law-suit would likely include claims of negligence, negligent supervision and negligent infliction of emotional distress. Third, the entity faces civil fines and penalties under state law. Finally, workforce members’ unauthorized access to PHI can result in adverse publicity

for the entity which has the potential to affect patient volume and in turn, revenues.

All of this leads to the question as to how it is that incidents of unauthorized access to PHI are discovered. Certainly, audits performed by the entity which are mandated by the HIPAA Security Rule are a source of these discover-ies.7 However, it is more likely that the audits are simply confirming what is already a rumor within the halls of the entity. Just as some may argue that it is human nature for a workforce member to “snoop” into another individual’s medical record, it is also human nature for that workforce member to discuss the contents of the medical record with others within the entity. This “water-cooler effect” necessitates that an entity undertake an investigation to determine whether there was indeed an incident of unauthorized access to PHI. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by the use or disclosure of PHI by its workforce in violation of the HIPAA Privacy Rule.8 If an entity has confirmed through an investigation that an incident of unauthorized access to PHI occurred, an often overlooked provision of the HIPAA Privacy Rule requires the entity to list the incident and the name of the workforce member who committed the violation on the patient’s accounting of disclosures maintained by the entity.9 Thus, by reviewing the accounting of disclosures, the patient will know who accessed their PHI and under what circumstances.

Addressing the problem

Even with the continued advancement of health information technology, it is unlikely that health care entities will ever be able to eradicate the problem of unauthorized access to PHI by members of their workforce. The temptation by certain individuals to view the PHI of others will, on occasion, overcome

the compliance efforts by health care entities. Nevertheless, the response by health care entities to this inevitable truth cannot be to ignore the problem. To do so creates a significant potential liability exposure in an environment of increasing compliance enforcement. The Office of Inspector General of HHS recently criticized CMS for its failure to oversee and enforce the HIPAA Security Rule.10 Such a public rebuke is likely to spur an increase in HIPAA enforcement by both CMS and OCR. Therefore, now is the time for health care entities to address the issue of unauthorized access to PHI by members of their workforce.

Preventive measures

The first step for a health care entity to effec-tively address the problem of unauthorized access to PHI is to undertake an assessment of its current HIPAA Privacy and Security poli-cies and procedures. At the time the HIPAA Privacy and Security Rules became effective, many health care entities rushed to promul-gate the required policies and procedures to meet the government-imposed deadlines. In doing so, they created the potential for gener-ating inaccurate or inappropriate policies and procedures. Furthermore, the assessment and evaluation of a health care entity’s HIPAA Privacy and Security policies and procedures presents an opportunity to incorporate the best practices that have developed over the last several years with respect to HIPAA compliance. This includes best practices for detecting and preventing unauthorized access to PHI by a health care entity’s workforce members.

This, in turn, leads to the second step a health care entity should undertake to effec-tively address the problem of unauthorized access to PHI by members of its workforce -- adoption of best practices. Obviously, a


Enhance Quality of Care and Reimbursement Processing with:

This one kit offers a handbook, strategy guide and training system to improve your organization’s

clinical documentation quality. A Compelling Case for Clinical Documentation introduces the CAMP Method for Clinical Documentation Training – scientifically proven to substantially improve clinical documentation quality. Nominated for the Best Theory to Practice Award by the Academy of Management, this kit offers the most comprehensive guide on clinical documentation training every published. The kit includes:

3 a two-volume strategy guide:1. Use Clinical Documentation to Achieve Strategic

Alignment With Your Medical Staff2. Use the CAMP Method to Improve Clinical

Documentation Quality3 the CAMP Method Overview training DVD3 the training system resource CD

What is CAMP Method Training?Developed by Ruthann Russo, PhD, JD, MPH, RHIT, a lawyer with more than 20 years of experience consulting for health care organizations, the CAMP Method is based on the established theories and practices of self-efficacy education. It relies on four components to increase participant self-efficacy: Coaching, Asking, Mastering, and Peer learning. The CAMP training system gives physicians the tools needed to consistently produce high quality clinical documentation and the conviction needed to do so.

A Compelling Case for Clinical Documentation offers a complete, scientifically tested training system you can put to work, starting today. You are provided with a DVD that overviews the CAMP training system, as well as a resource CD with the precise training sequence and all the needed testing forms. For more information, visit www.hcca-info.org/books/.

Qty Cost

________ HCCA Member Price ...$355 $ _________

________ Non-member Price........$395 $ _________

________ Join HCCA!...................$200 $ _________Non-members, add $200 to join HCCA, and pay

member prices for your order (regular dues $295/year)

Bulk discounts available for HCCA members only. See chart at left to figure cost. All purchases receive free FedEx Ground shipping within continental U.S.

Please make your check payable to HCCA.

For more information, call 888-580-8373.

Mail check to: 6500 Barrie Road, Suite 250 Minneapolis, MN 55435

Fax order to: 952-988-0146

Total: $

Please type or print:

HCCA Member ID

First Name M.I. Last Name

Title

Organization

Street Address

City State Zip

Telephone

Fax

E-mail

My organization is tax exempt

Check enclosed

Invoice me PO #

Charge my credit card:

Mastercard VISA American Express

Account number

Expiration date

Cardholder’s name

Cardholder’s signature

Federal Tax ID: 23-2882664

Prices subject to change without notice. HCCA is required to charge sales tax on purchases from Minnesota and Pennsylvania. Please calculate this in the cost of your order. The required sales tax in Pennsylvania is 7% and Minnesota is 6.5%.

A Compelling Case for Clinical Documentation


13

Unauthorized access to protected health information: ...continued from page 11

health care entity needs to approach the issue with a mindset that not all of the practices are best suited for their entity. A health care entity needs to go through the exercise of what best practices work for them. The following are just a handful of those best practices which health care entities have adopted in an attempt to detect and prevent unauthorized access to PHI by members of their workforce:n Auditing, auditing, auditing: Health care

entities should enhance their auditing of electronic health records to ensure that members of their workforce are accessing only those records to which access is ap-propriate. Also, health care entities should communicate this enhancement and audit-ing to their workforce members.

n VIPs/Workforce members: Health care entities should engage in targeted auditing of the electronic health records of workforce members and VIPs (celebrities, politicians, sports figures, trustees, donors, etc.) to assess for unauthorized access.

n Reminders: Health care entities should consistently remind its workforce members that they are prohibited under federal law (and in some instances state law) from un-authorized access to PHI. These reminders should come in varying forms, including e-mails and mailings to their departments, offices, and homes. Also, it is worthwhile to have the compliance and/or privacy of-ficer make these reminders in person (such as at departmental meetings).

n Honeypots: Health care entities should consider using “honeypots” —which is the practice of creating a fictitious electronic health record (oftentimes using the name of a celebrity or VIP) and then monitoring that electronic health record to see if it is inappropriately accessed by a workforce member. Honeypots can be used as a general compliance tool or in instances where there is a suspicion that a specific

workforce member or department is inap-propriately accessing electronic health records.

n Disciplinary actions: Perhaps the best method for a health care entity to demon-strate to its workforce how serious it takes the use of unauthorized access to PHI is to take strong disciplinary action in response to an incident. It is now common to suspend or terminate a workforce member who engages in this activity. A health care entity can get the attention of its workforce by publicizing these disciplinary actions (without identifying the specific workforce member involved).

The final and perhaps most important step for a health care entity to take to effectively address the issue of unauthorized access to PHI is education. Health care entities need to educate their workforce about this topic and the consequences they face as individuals as a result of engaging in this type of activity. This education should take place at the time the individual enters the entity’s workforce (as part of a more comprehensive HIPAA training program) and should be mandatory. Continuing education programs should also reinforce the importance of this issue and should be mandatory. Again, it is critical that workforce members be educated about the potential consequences they face as a result of unauthorized access to PHI.

Conclusion

Health care entities face a significant liability exposure as a result of unauthorized access to PHI by members of their workforce. The most effective way for a health care entity to address this serious problem is to undertake (and follow through with) a comprehensive assessment and education plan. Although it is unlikely that a health care entity will be able to completely eliminate incidents of unauthorized access to PHI through such a

course of action, it will nevertheless serve to minimize the entity’s liability exposure and demonstrate its commitment to protecting the health information of its patients. n

1 Orenstein, Charles, Ex-worker indicted in celebrity patient leaks, Los An-geles Times (April 30, 2008); Orenstein, Charles, UCLA worker snooped in Spears’ medical records, Los Angeles Times (March 15, 2008).

2 20 hospital workers fired for viewing Collier’s medical records, News-4JAX.com (November 17, 2008).

3 Orenstein, Charles, Ex-worker indicted in celebrity patient leaks, Los Angeles Times (April 30, 2008); United States of American v. Lawanda Jackson, February 2008 Grand Jury Indictment.

4 AP News, Not-guilty plea in celebrity medical snooping case, (Novem-ber 3, 2008).

5 42 U.S.C. § 1320d-6.6 42 U.S.C. § 1320d-5.7 45 C.F.R. § 164.312(b).8 45 C.F.R. § 164.530(f ).9 45 C.F.R. 164.528.10 Memorandum from Daniel R. Levinson, Inspector General of the

United States Department of Health and Human Services to Kerry Weems, Acting Administrator of the Centers for Medicare and Medicaid Services, regarding “Nationwide review of the Centers for Medicare and Medicaid Services Health Insurance Portability and Accountability Act of 1996 oversight” (A-04-07-05064) (October 27, 2008).

Be Sure to Get Your CHC CEUs

The CEU quiz will no longer be mailed with each issue of Compliance Today.To take the quiz and obtain credit, please go to www.hcca-info.org/quiz and select a quiz. Fill in your contact information and answer the questions. Print the completed form and FAX or MAIL it to Liz Hergert at HCCA.

Articles related to the quiz in this issue of Compliance Today:n Unauthorized access to protected

health information: Educating the workforce — By Mark C. Rogers, page 10

n Feature focus: Executive compensation in troubled times—Part 1 — By Gerald M. Griffith, page 32

n Charge Description Master compliance assessments — By Joel W. Lipin, page 53

Questions? Please call Liz Hergert at 888/580-8373.

Please note that credit will be given only for quizzes received before the expiration date indicated on the quiz.

R


14

Editor’s note: This interview with Bill Parke was conducted by Greg Warner, Director for Compliance, Mayo Clinic and a member of the HCCA Board of Directors. Greg may be reached by telephone at 507/284-9029. Bill Parke may be reached in North Carolina by telephone at 828/286-5360.

GW: I always find it interesting to learn how others found their way into Compliance. Would you share a little of your background and how you ended up in Compliance?BP: I came to the health care field later, rather than sooner. I graduated with a degree in Economics from SUNY Cortland and spent several years trying my hand at a variety of “opportunities” in other industries. At the encouragement of a former professor, I interviewed for a position in administration at a small nursing home in rural Ohio. It was there that I started what has proven to be a very fulfilling career in health care administra-tion. After doing some coursework at Ohio State University, I obtained my nursing home administrator license and worked for several years in the long-term care industry. Moving to western North Carolina, I eventually became the administrator of a hospital-based nursing home run by Rutherford Hospital, Inc. (RHI), a position I held for several years. As often happens in smaller hospital systems, you end up wearing more than one hat and that was my experience; I ended up being one of the corporate vice presidents with additional operational responsibilities. In

1998, our then-CEO called me into his office for a chat. He said that there was a new push in the industry to establish something called a compliance program. Our CFO had been putting the program together, but now he had been informed that having a CFO heading up a compliance program was not going to be viewed as “a good thing.” That’s when I was asked to take over the task of getting a compli-ance program up and running across the various divisions of the hospital. He assured me that this was a time-limited project—that once the program was in place, it would pretty much take care of itself. Ten years later, as the Vice President of Corporate Compliance, I’m still trying to figure out how to finish the job!

GW: Please describe the scope of your compliance responsibilities and your reporting process – both management and programmatically.BP: As Vice President of Corporate Compliance, I have a dual reporting relation-ship - as a member of senior management, I report directly to our CEO and I also have the authority to report directly to our Board of Trustees. Along with my compliance officer duties, I still have responsibilities over a couple of support services departments. In addition, I serve as our Privacy Officer and I oversee our contract management program. With the addition of a Compliance Assistant last spring, our Compliance department is now a two-person shop. It goes without saying that I rely heavily on the efforts of the

other members of our senior management team to make compliance work at RHI. Having such a strong leadership team to work with, a team that has truly taken the compliance discipline to heart, has been an amazing help to me. They carry a substantial part of the responsibility for the day-to-day maintenance of the compliance program, and without their support and assistance, my job would be impossible. Early on, our senior management team decided to emphasize the link between quality issues and compliance, so we’ve had quality elements as part of our annual Compliance Work Plan for several years. That linkage was carried over to our governing body as well. The board formed a separate committee called the Personnel, Compliance, and Quality Committee (PCQ) to oversee those three areas. This has proven to be one of the more

featurearticleMeet Bill Parke

Vice President, Corporate Compliance, Rutherford Hospital


15

prescient steps we’ve taken. When the empha-sis on issues of quality intensified nationally, we were already well positioned at the gover-nance level with a well-informed board com-mittee that was ready and able to manage their increasing oversight responsibilities. I’m fortunate to have the opportunity to have significant levels of personal interac-tion with our board. I am chairman of our Compliance Committee and there is board representation on that committee. I make regular compliance reports to the PCQ Committee every month, and I attend the monthly board meetings, having scheduled time on their agenda quarterly to discuss compliance issues. Being allowed to have this amount of face time with our board is a reflection of just how committed they are to having a compliance program that is well grounded and effective. Whenever there is something new to be implemented or there is an evolving issue that RHI is confronting, getting the board’s support early on goes a long way to keeping things moving forward.

GW: I understand Rutherford Hospital participated in the OIG Roundtable discus-sion regarding dashboards and quality indica-tors. Tell us a little about your journey to developing your dashboard and how you and your organization are using the information.BP: One of the unintended consequences of developing the PCQ reporting channel was the increasing amount of data that was being reported to that committee. When you consider all the regulatory requirements that have been added to the compliance umbrella in the last several years, add on all the issues related to quality and patient safety, and then mix in personnel matters and physician credentialing, the PCQ members ended up in the proverbial position of “drinking from a fire hose.” There is only so much informa-tion that can be taken in, and we found that the PCQ members were being overwhelmed

with data. Ultimately, some sort of filtering process had to be put into place and that’s where the dashboard came into play. We had already developed a basic dashboard format for tracking issues reported to our Quality Management Committee, so that model served as the starting point for what later became our corporate dashboard. Our CFO has been instrumental in championing this effort over the last 18 months, and it has proven to be a much more complex process than one would imagine. Identifying what information should be on the dashboard was just the tip of the iceberg. We then had to identify what objective comparative benchmarks would be used, what reporting thresholds would be established, what sources of data would be used, what the reporting period intervals would be, who would be responsible for compiling the data, how would the accuracy of the data be ensured, how would differing lag times in data availability be handled, etc. But in the end, the dashboard is serving its purpose; it is focusing the PCQ member’s attention on not only our current status on important issues, but it is also allowing them to monitor trending over time – some-thing that is critical when making decisions on the appropriate allocation of finite resources.

GW: Tell us about the resources you find helpful for moving your program forward. BP: During my years as a nursing home administrator, I looked to national and state professional associations as my primary resources for information and education. When I became a compliance officer in 1998, the first thing I did was try to find a compa-rable professional organization that I could look to for help. That’s when I first became aware of HCCA, and I’ve depended on them ever since for resources that would help me be successful in my new role. I still have a well worn copy of The Health Care Compliance Professional’s Manual sitting on my office shelf. It served me well when I was just getting

started and it served me well when I was pre-paring for my CHC credential. I‘ve attended at least one HCCA conference every year since 1998 and they have provided more than just food for thought. There is a real and obvious value in hearing what the leaders in our industry have to say about properly building and maintaining a compliance program. But to also hear directly from leaders of regulatory and enforcement agencies - to actually hear first hand their thoughts, concerns, and ideas – has provided just so much more value. The conferences also serve as my “early warning system” when new things are coming down the pipeline. RHI has a history of being an early adopter and that has proven to be true for our compliance program as well – thanks in large part to the contacts I’ve made through HCCA.

GW: How do you see Compliance evolving? That is, will we continue to inte-grate with Quality, Accreditation, Safety, etc. or should we be more stand–alone?BP: When I started in this field, Compliance was truly only about coding and billing, and there was enough regulatory risk there (and still is) to go around. But now we all know that it’s not just coding and billing that can land your organization in the hot seat. A groundskeeper improperly disposing of excess


Gr

EG

WA

rn

Er


16

Meet Bill Parke ...continued from page 15

pesticides can get you into an awful lot of difficulty, too. In an increasingly complex regulatory environment, the Compliance dis-cipline we have honed over the years with its metrics of clear standards – responsible lead-ership, adequate training, internal controls, reporting mechanisms, and corrective action – are applicable across the entire enterprise. Our philosophy is to make our compliance program a resource for helping stakeholders manage regulatory risk wherever it is found – from EMTALA to disaster preparedness, from HIPAA to wage and hour laws. That doesn’t mean we “own” those opera-tional processes, only that we assist those who do own them to manage them in a more consistent manner. For example, in the last couple years we found ourselves assisting in matters related to governance. Specifically, we helped our board incorporate certain elements of Sarbanes Oxley into their com-mittee processes and we also helped establish a rebuttable presumption process to protect against excess benefit transactions. This year we’ll be keeping up with the work being done to comply with the new IRS Form 990 reporting requirements and, relatedly, assist-ing in the refinement of the processes for the gathering and compiling of information that will be incorporated into our Community Benefit program. Our assistance is pretty much always the same, no matter what regu-lation is at issue. We go back to those basic compliance metrics and try to apply them through the same model. Personally, I think that Compliance will soon become so common an expectation that it will become essentially ubiquitous in all areas of operations. I can envision a time when we will no longer have discussions about what operational process is – and what operational process is not – included in “Compliance.” The real discussion will be (1) What’s the regulation? (2) How do we ensure an on-going compliant process that meets the regulation?

and (3) How do we prove it? Much like Perfor-mance Improvement, I think that Compliance will ultimately be a built-in expectation.

GW: What areas of your compliance responsibilities do you find particularly chal-lenging and/or rewarding?BP: I see several emerging issues on the horizon that are going to be challenging. I am just now starting to sort through how to identify my role in ensuring the integrity of the data that RHI collects and presents to others. In this day of reimbursements that are linked to performance outcomes, etc., just how far down in the weeds should a compliance officer go to validate the accuracy of data being reported and to ensure that no one has “tinkered” with it? I also think that we’ll need to revisit data privacy and security again soon. The elec-tronic world that we now live in is far differ-ent from that of even 5 years ago. Because potable devices and the Internet are now pervasive everywhere in our lives (and per-haps because we are now hiring a generation of workers who literally grew up with them), it is my perception that we have grown far too casual in the use of emerging technolo-gies. Staff are going to need renewed privacy and security training that has been updated to the paradigm of smart phones, picture phones, instant messaging, social networking, etc. I find it inexplicable that the same staff who would never share sensitive information in the course of their job duties are having a hard time seeing why it’s a problem putting that same sensitive information on MySpace. Likewise, our IT departments are going to need a lot of support in painting bright–lines as they move towards the goal of an interoper-able health record. I serve on a work group in western North Carolina that is helping with the development of a RHIO [Regional Health Information Organization]. The potential benefits are amazing, but ensuring that proper

internal controls are effectively deployed to keep up with the rapid evolution of connectivity and data-sharing regionally is a unique challenge. But by far, the place where I find myself spending the most time recently is in the area of contracts. Like the rest of the country, our area is experiencing a realignment of hospital and local medical community. Through employment and/or acquisition, RHI has been changing the nature of our relationships with several physicians/physician practices. That has meant a lot of work to ensure that every process step along the way was compli-ant. Whether that step involved business valuation, facility appraisal, pro forma devel-opment, compensation modeling, or crafting purchase or employment agreements, we had a great deal of due diligence to complete.

GW: In your role as a mentor, what advice would you give to a junior associate who is interested in Compliance?BP: As I said, I was fortunate to be allowed to hire a Compliance Assistant this year. Although she has health care experience, none of it is in the compliance field. As we talked about her interest in the position, I gave her some things to think about as she considered whether or not she wanted to jump into Compliance as a career. First, be patient and take it one piece at a time. There is no way that anyone can absorb all there is to know about health care compliance without spending a good amount of time in the field working and studying. No one has it all under their belt – that is why peer relationships are so important. Second (and this may reflect my own experiential bias), be willing to get out of the office, walk around, and be visible. Get to know health care operations whenever and wherever you can; spend time in peoples’ work environment to get a better under-standing of what they are really dealing with. Be curious and don’t be afraid to ask ques-


17

tions anytime, anywhere. Third, understand that when you have seen one compliance program you have seen just that – one compliance program. The model that I helped put together, though based on the OIG’s Model Guidance, is unique to RHI and may be abso-lutely wrong for another organization. Guidance is just that, guidance. It’s the level of commitment of the people working within that proven, general framework who will ultimately make a compliance program rise or fall. Fourth, understand that you have to work with and through other people in the organization to get things done. The overwhelming majority of them want to do their jobs correctly, so appreciate them and value their time and efforts accordingly. And lastly, when push comes to shove (and it will), be willing to stand for what is right, even when that stance is less than popular. A zeal for doing things right, coupled with a thick skin and a measure of compassion, will go a long way in making a successful compliance officer.

GW: In the slowing economy with health care entities needing to reduce expenses, what are the best arguments we can make to our management to preserve our Compliance budgets?BP: Trying to quantify the financial benefit of a compliance program has always been hard. How do you identify the cost of a violation that didn’t happen because there was a mechanism in place that ensured that the process in question was compliant? I don’t know. But I do know that it is extremely expensive when things do go wrong. Conducting even an internal investigation is costly - much more so when a third party has to be brought in to assist or advise. And the time spent on such an investigation has an associated opportunity cost as well, i.e. every hour spent investigating is an hour not spent on the training, monitoring, etc. necessary to prevent the next problem from happening. Maybe we should try to identify other ways that the compliance program can be leveraged to help an organization. If you look around today, the demand for accountability and transparency is coming from everywhere. I would think that an effective compliance program may have added value to the organization in meeting those demands. Perhaps using some of the metrics of the Compliance discipline as a spring board for driving performance improvement efforts is another way of demonstrating value. As I said earlier, Compliance is not going away, but it may become something much more built-in.

GW: Bill, thanks for taking time to share these comments. What other observations would you like to share with your HCCA member colleagues?BP: I feel privileged to have been allowed to work in this field for the last 10 years and I’ve enjoyed seeing it grow and mature into a valued field of expertise. I find it refreshing to see the new faces of a younger generation joining our ranks. They are young professionals seeking careers in a field that, not so long ago, didn’t even exist. That’s amazing. It’s an exciting time to be in health care, I hope they think so too. Compliance is a fascinating field with new adventures every day. It is the very best job there is. n


18

rO

Y s

nEL

L

I have been in a constant battle with the entire universe about Compli-ance vs. Ethics. I feel ethics is an outcome (there is at least one excep-tion) and compliance is a process that leads to ethical behavior. You can’t talk about ethical behavior and achieve an ethical environment; you must enforce it with the Seven Elements of Compliance. Please send all your hate mail to Dan Roach at [email protected]. He will agree with you, he is on our Board, and he will beat me up personally. If you want to get to me directly, e-mail me at [email protected]. I will forward them all to Dan.

Let’s talk about the exception I know of. There may be more, but I haven’t seen it. By looking at this exception, I think you will see how rare it is. You will see how unrealistic it is. It’s extremely difficult to duplicate. The exception is professional golfers. I am sure there are a few exceptions, but these guys are maniacally honest. They call penalties on themselves all the time. They can do it, because they all do it. Everyone expects it. It is an ethical culture, because somebody said it would be ethical and it worked. Everyone agreed and followed through.

Let me give you the most amazing example. J.P. (John) Hayes was playing in the PGA tour qualifier. Qualify and you play in most any tournament you want the next year. If you don’t qualify, you can still play in some tournaments but the financial difference is staggering. J.P. played in the qualifier and, for two strokes, used a ball that was not “approved.” He realized his mistake immediately and changed balls. On the hole where he used the unapproved ball, he played badly, one over par. A few days after the qualifier, he realized that there was a rule stating that if you used an unapproved ball, even for one shot, you were disqualified. He called the ball manufacture, who said the ball would probably be approved but it was as he thought, not yet approved.

No one saw him play it. No one would ever know he played it. If he called and turned himself in, it would make life very difficult for him and his family. He did not hesitate. He called and told the Pro-fessional Golfers Association that he must be disqualified. With a few exceptions, he will not be playing on tour next year.

As a side note, almost all tournaments have a couple exemptions they give out to anyone. They often give their few exemptions to someone who will be a big draw, some young up-and-comer for example. J.P. Hayes does not qualify as a draw, but those people better all give him one of their exemptions or they will be hearing from me. I am sure they are quaking in their boots.

Golfers are the real deal. J.P. Hayes exemplifies what we are all fighting for in compliance and ethics. The number of exemptions J.P. gets will be a great test of our society’s respect for integrity. Don’t hold your breath. As I write this, two Minnesota Viking football players have been suspended for the last four games of the season for using a banned substance. The Vikings have a shot at winning the division. The press has covered it more than the Hayes case. Lawyers are fight-ing to block the suspensions. A judge has issued a stay. The players union is spending hours defending these guys. Pardon my pessimism, but I just don’t think that the average person really gives a crap about Hayes. It was an interesting story for a while, but if you want to get everyone’s attention, start talking about winning a football game. That is why I think it is difficult to expect “ethics” to be enough or better or more effective than compliance. People don’t do what you expect; they do what you inspect. They don’t reward integrity; they reward winning, productivity, the bottom line, glamour, etc.

When people tell me ethics is enough or better than compliance, I get mad. Like everyone, I wish it were true. I wish it would work. But if you look at the facts, such as there are few examples of cases where it works, it is difficult to support the concept that ethics is enough. Have I seen it work anywhere? Do I see constant examples where the ethics video by the CEO and code of conduct are not enough? I just don’t think that flailing away at variations of “do the right thing” works in many environments. Can you tell me another example, other than golf? I am sure there are a few companies. I can’t imagine there are many. And, if you do find an ethical environment, there is probably no tolerance for poor behavior. In other words, there are

Ethics works if everybody is ethical


2300 lawyers in 30 locations. www.jonesday.com

Contribute a compliance-related document to the HCCA Compliance Library and you could win an iPod Nano. Each month, the individual who submits the most documents to the library

receives one of 12 iPod Nanos! This Giveaway begins July 1, 2008 and ends June 30, 2009.

Log on to the HCCA web site (www.hcca-info.org) and go to “Communities” for more details

about the Jones Day/HCCA iPod Giveaway!

Share your ideas — contribute compliance-related documents to the HCCA Compliance

Library by emailing them to Caroline Lee Bivona at [email protected].

About Jones Day . . .

Jones Day’s Health Care Practice is an interdisciplinary practice team of legal counsel

aligned to facilitate the exchange of information and targeted knowledge about the health

care industry and the ever-changing health care regulations, to better meet our clients’

needs. Learn more about Jones Day at www.jonesday.com.

The Jones Day/HCCA iPod® Nano Giveaway!July 1, 2008 through June 30, 2009

you can only win one iPod. hCCA/SCCe and Jones Day staff are not eligible for the giveaway.

Qty Cost HCCA Members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $149.00

Non-members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $169.00

Join HCCA! Non-members, add $200 and pay the member price for your order . . . . . . . . . . . . . . . . $200.00 (Regular dues $295/year)

Please type or print:

HCCA Member ID

First Name M.I. Last Name

Title

Organization

Street Address

City State Zip

Telephone

Fax

E-mail

Mail check to: 6500 Barrie Road, Suite 250 Minneapolis, MN 55435

Fax order to: 952-988-0146

Total: $ My organization is tax exempt

Check enclosed (payable to HCCA)

Invoice me PO #

Charge my: Mastercard VISA American Express

Credit Card Account Number

Credit Card Expiration Date

Cardholder’s name

Cardholder’s signature

Prices subject to change without notice. HCCA is required to charge sales tax on purchases from Minnesota and Pennsylvania. Please calculate this in the cost of your order. The required sales tax in Pennsylvania is 7% and Minnesota is 6.5%. All purchases receive free FedEx Ground shipping

within continental U.S. (Federal Tax ID: 23-2882664)

6500 Barrie Road, Suite 250 Minneapolis, MN 55435Phone 888-580-8373 | Fax 952-988-0146 www.hcca-info.org | [email protected]

Order Now

HCCA’s New Research Compliance Guide

Research Compliance Professional’s Handbook The Practical Guide to Building and Maintaining a Clinical Research Compliance & Ethics ProgramClinical research is highly regulated, so the role of compliance profession-als is vital to meeting the demands of a wide range of governing enti-ties. HCCA’s new reference manual, Research Compliance Professional’s Handbook, offers comprehensive, up-to-date guidance to get you on the right track. Written by experts with hands-on experience in clinical research compli-ance, this book is intended for anyone with compliance duties or a need to understand such key areas as:

l human subject protectionsl scientific misconductl conflicts of interestl grant and trial accounting l effort reporting l privacy and securityl clinical trial billing l records management l data monitoring committees l role of oversight entitiesl auditing & monitoringl integrating research compliance

into corporate compliance


21


Editor’s note: Jane Snecinski is Principal at No-blis, Center for Health Innovation, headquar-tered in Falls Church, VA. Ms. Snecinski may be reached by e-mail at [email protected] for additional information.

The past two years have proven to be very challenging for providers of reha-bilitation services—both inpatient and

outpatient. This article is one of two specifi-cally written to focus on the compliance issues that have been brought into focus by the Recovery Audit Contractors (RACs). These issues have increased the financial risk for providers of rehabilitation services. This article specifically looks at the issues for providers of inpatient rehabilitation services.

For providers of inpatient rehabilitation programs, the change with the greatest public awareness has been the increased focus on the “75% Rule,” which has been modified in regula-tion to have a 60% threshold; that is, 60% of the patients admitted to an inpatient rehabilitation program must have a diagnosis that is included in a list identified in regulation. In addition to having the diagnosis identified, the medical record must support that the beneficiary has received treatment for the identified diagnosis. If the threshold is not maintained on an annual basis, the organization stands the risk of losing their Medicare rehabilitation provider status.

However, although the enforcement of the

75% Rule has placed an increased focus on the diagnoses of the patients admitted to inpatient rehabilitation programs, the work of the demonstration Recovery Audit Contractors (RACs) has the potential to have a staggering significant and immedi-ate financial impact on any provider of inpatient rehabilitation programs/services. The focus of these audits, primarily, has been on “medical necessity,” as defined by federal regulation, guidelines, and the Conditions of Participation for inpatient rehabilitation. Moreover, even though medical necessity is a long-standing cornerstone of health care, the review of medical necessity is relatively new to the rehab market. This issue, it appears, is even more important than a diagnosis that is identified as compliant with the 75% Rule, because if the admission to inpatient rehabilitation is not deemed medically neces-sary, then the admission is denied—even if the patient has a “compliant” diagnosis.

As addressed in Section 306 of the Medi-care Prescription Drug Improvement and Modernization Act of 2003, the RAC demon-stration project began in 2005 in Florida, California, and New York. The RACs have several objectives, but they are incentivized to recoup reimbursement for the Medicare program through denials of reimbursement for services. Inpatient rehabilitation was a primary focus of the RAC efforts in the demonstration states, including California

and Florida. Although the plan was for CMS to expand the RAC program to all states within an established timeline, they have accelerated their implementation plan, due to the perceived success of the program. It is anticipated that the RAC program will be instituted in all states by 2009 (slightly delayed from the original plan).

The mission of the RAC demonstration project (announced January 11, 2005) was to “reduce Medicare improper payments through the efficient detection and collection of over-payments and underpayments and the imple-mentation of actions that will prevent future improper payments.” 1 Because the range of providers that receive Medicare payment is so broad, post acute providers, specifically provid-ers of inpatient and outpatient rehabilitation, were reviewed by the RACs within the scope of their contract. As with all Medicare provid-ers, improper payments in the post acute set-tings can be received for three primary reasons:n Services are provided and payment

received for services that have not been deemed as ‘medically necessary’ for the level of care in which they were provided;

n Codes/scores are submitted that result in payment that may not be completely cor-rect or accurate, (e.g., inaccurate diagnos-tic coding, inaccurate coding of functional status, coding of diagnoses without docu-mentation of treatment); and

n The medical record/documentation does not ‘tell the story’ and provide enough support for the claim for which payment has been received.

The understanding of these issues and integra-tion into the documentation of inpatient rehabilitation, as well as proactive auditing and associated corrective actions, will be critical to surviving under the permanent RAC program.

RAC demonstrations and inpatient

rehabilitation – Vision of things to

come?By Jane Snecinski, FACHE


22

The impact on inpatient rehabilitation

The RAC demonstration project resulted in the identification of approximately $1.03 billion in improper payments (actual figures vary slightly, based on source). Of that amount, $59.7 million or 6% of the total was identified from inpatient rehabilitation providers. (These figures represent the dollar amounts without adjustment for successful appeal processes.) The efforts focusing on inpatient rehabilitation providers did not take place in all three RAC demonstration states, but only in California. The most recent evaluation of the demonstration project reports: “The RAC demonstration had a limited financial impact on most providers,” however this was clearly not the case for the inpatient rehabilitation providers in California. Moreover, even an informal extrapolation to all of the 50 states will provide the reader with the potential impact of these denials on a larger scale.

The following table depicts the circumstances, or noted errors that resulted in the improper payments.

Table 1: Overpayments Collected by Error and Provider Type2

Error Type Percent of Total

Medically Unnecessary 5.63

Incorrectly Coded 0.00

No/Insufficient Docu-mentation 0.44

Other 0.00

Total 6.07

When considering the error type, it is clear that the comprehensiveness and accuracy of the documentation of the patient’s stay in an inpatient rehabilitation program is a key factor in the denial process; that is, the ability of the medical record to “tell the story” and demon-strate, without a doubt, that the patient required an admission to an inpatient rehabilitation pro-gram to care for their medical and rehabilitation

needs, and that the diagnoses identified were treated during the hospital stay.

Medical necessity – What does that mean?

There is no standardized definition or inter-pretation of ‘medical necessity,’ which leads to confusion as to the necessary content of medi-cal record documentation and what to review as part of a proactive audit. It is important to keep in mind that inpatient rehabilitation beds are licensed as acute care beds and certified by Medicare as inpatient rehabilitation beds. Therefore, it is important to document that the patients have a medical condition(s) that, in conjunction with their needs for an intensive, inpatient rehabilitation program, require admission to a licensed acute care bed that has been certified by Medicare as a ‘rehabilitation bed.’ If a patient does not exhibit the medical need or does not need, cannot tolerate therapy, or could make as much progress from another level of care, then it is the perception of the RAC that the patient could be admitted to another level of care and medical necessity for inpatient rehabilitation is not demonstrated.

When describing medical necessity for inpatient rehabilitation, all sources refer to the Medicare Beneficiary Manual,3 Chapter 1, Section 110: Inpatient Stays for Rehabilitation Care, and the Code of Federal Regulations.4 In the Medicare Beneficiary Manual, the following caveats are provided:n “The services must be reasonable and

necessary (in terms of efficacy, duration, frequency and amount) for the treatment of the patient’s condition; and

n It must be reasonable and necessary to furnish the care on an inpatient hospital basis, rather than in a less intensive facility such as a SNF, on an outpatient basis.”

In order for the admission to be medically necessary, patients admitted to an exempt inpatient rehabilitation program must require

and receive care as described in Medicare Beneficiary Manual, Chapter 1, Section 110. There are several components in the chapter that note: if a particular component in isolation was not provided, that, in and of itself, would not be justification of deny-ing payment. However, although the RAC identification of improper payment for “medical necessity” did not identify specific components of the referenced chapter as not having been demonstrated, it stands to reason that when documentation does not support several of the components, medical necessity may be questioned. The specific components identified in this document are:1. Preadmission screening2. Admission orders3. Inpatient assessment of individual’s status

and potential for rehabilitation

In addition to these issues, there are basic Hospital Screening Criteria as identified in the Code of Federal Regulations, Section 42:1. Close medical supervision by a physician

with specialized training or experience in rehabilitation;

2. Rehabilitation nursing;3. Relatively intense level of rehabilitation

services;4. Multi-disciplinary team approach to

delivery of program;5. Coordinated program of care;6. Realistic goals; and7. Significant practical improvement.

What is interesting to note is that although most inpatient rehabilitation providers are knowledgeable about these conditions, they have not internalized them into practice within their delivery of care. Therefore, the documentation of the patient’s care is unlikely to focus on the issues to demonstrate the medical necessity as described in the Manual chapter. It is this situation that places an inpa-tient rehabilitation provider at risk under the

RAC demonstrations and inpatient rehabilitation – Vision of things to come? ...continued from page 21


23

RAC program. The documentation of these conditions, then, is integral to a successful proactive audit of inpatient rehabilitation.

Proactive auditing in preparation for the RACs

A proactive RAC audit should be conducted by individuals who have clinical knowledge of multiple levels of post acute care as well as the regulations, Medicare Beneficiary Manual, and Hospital Screening Criteria for inpatient rehabilitation, so it can be determined if the medical record supports the admission of the patient to inpatient rehabilitation versus any other level of care. An in-depth working knowledge is valuable, not only in identifying issues, but in developing corrective actions to improve document and support the admission to inpatient rehabilitation, if possible. Because the definition of “medical necessity” is not crystal clear, it is suggested that the strictest interpretation of the criteria for inpatient rehabilitation be used during the audit.

A word of caution is given, however, that after the audit is complete, it may become evident that the documentation does not support admission to inpatient care, because the patient’s condition is actually more appro-priate for another level of care. Hopefully however, the audit will reveal that the patient is appropriate for an inpatient rehabilitation program, but some components are missing from the medical record. Then, corrective actions can be implemented to improve documentation to support the admission.

The following questions should be positively answered, without a doubt, as a result of an audit of inpatient rehabilitation records:1. Preadmission screening

Does the documentation of the preadmission screening reflect the decision-making process and justification for why the patient has to be admitted to an inpatient rehabilitation program versus any other level of care?

2. Admission orders Do the admission orders for inpatient rehabilitation reflect care and an intensity that cannot be provided in any other level of care? (For example, many orders reflect services to “evaluate and treat,” but evalu-ation and treatment can be provided in many levels of care, not only an inpatient rehabilitation setting.)

3. Inpatient assessment of individual’s status and potential for rehabilitation oes the result of the assessment of the patient, in the initial assessment period, support the lack of functional abilities that would require an admission to an inpatient rehabilitation level of care?

4. Close medical supervision by a physi-cian with specialized training or experi-ence in rehabilitation Is there a rehabilitation physician provid-ing close medical supervision, and does the medical record (e.g., physician progress notes, etc.) demonstrate the medical neces-sity of the physician’s involvement in the pa-tient’s care? (For example, a physician’s note consisting of “Vital signs stable. Continue rehab” does not contain the content neces-sary to support an inpatient rehabilitation stay, a physician’s visit, or a hospital stay.)

5. Rehabilitation nursing Is the nursing documentation unique for inpatient rehabilitation and reflect the need for rehabilitation nursing?

6. Relatively intense level of rehabilitation services Is there evidence that the patient received a minimum of three hours of physical and occupational therapy and/or speech language pathology for a minimum of five days for each seven days?

7. Multi-disciplinary team approach to delivery of program Is there team documentation clearly reflected as the primary focus of care, or is care represented by documentation of

unique disciplines,(e.g., physical therapy, nursing, etc.)?

8. Coordinated program of care Is there an interdisciplinary plan of care and is there discussion of the implementa-tion and accomplishment of the plan of care in a conference?

9. Realistic goals Can the patient achieve the identified goals and does the patient need intensive rehabil-itation services, rehabilitation nursing, and an interdisciplinary approach to do so?

10. Significant practical improvement Did the patient make significant improve-ment as a result of participation in the program or did the progress occur regardless of the program? (For example, if a patient did not receive an interdisciplinary approach, rehabilitation nursing, and an intensive level of therapy, then the patient could have made the same progress in another level of care.)

In summary, the regulations and criterion referenced in order to demonstrate medical neces-sity are not new, but the RACs significantly and quickly increased the scrutiny placed on inpatient rehabilitation providers to demonstrate meeting these criteria. The majority of denials for improper payments to inpatient rehabilitation providers in the RAC demonstration project were the result of a lack of documentation as medical necessity. A proactive audit is the best way to identify and resolve any potential issues beforehand that could be problematic during a RAC audit for inpatient rehabilitation. n

1 Available at www.cms.hhs.gov/RAC/05_MissionStatement.asp2 The Medicare RAC Program: An Evaluation of the 3-Year Demonstra-

tion, June, 2008. Available at http://www.cms.hhs.gov/RAC/Down-loads/RAC%20Evaluation%20Report.pdf.

3 Medicare Benefit Policy Manual, Chapter 1 – Inpatient Hospital Ser-vices Covered Under Part A, “Inpatient Stays for Rehabilitation Care” Available at http://www.cms.hhs.gov/manuals/downloads/bp102c01.pdf

4 Available at http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&rgn=div6&view=text&node=42:4.0.1.4.18.1&idno=42


24

CEO: ...continued from page 18

Quality of Care March 5 and 13, 2009, Two Parts

The Agency for Healthcare Research and Quality (AHRQ) Guide on Adoption of Health Care Innovations – What does mean? Where are we now?

Lisa Murtha, Managing Director Health and Education Consulting Practice Huron Consulting Group, and Compliance OfficerCheryl Wagonhurst, Partner, Foley and LardnerCory Flickinger, Huron Consulting Group.

Conflict of Interest March 12, 2009

Kendra Diamond, Director, Daylight Forensic & Advisory LLC, Angelia Dorsey, Research Ccompliance Officer, MedStar Health

To Register visit www.hcca-info.org

Past Audio/Web conferences are available on CD at

www.hcca-info.org/pastweb

probably auditing and monitoring, enforcement discipline, etc. supporting the ethical behavior. Golf is the only place where I see little enforcement and tremendous results. It doesn’t work in any other sport I know of. If a player called a foul on themselves in football, they would be gone in 60 seconds.

For instance, all four of my girls play(ed) volleyball. The coaches don’t teach the players to call fouls on themselves. I used to play volleyball in pick-up games without refs at the YMCA. We had to use the honor system, somewhat like golf. There were disagreements, but most of the players were pretty good about it. In volleyball, you can’t touch the net. The one rule that stood out the most was: If you touched the net, you would grab the net and shake it until the play stopped. My friends and I often called ourselves on the net when no one would ever have seen it. Some touches were so slight that the net hardly moved, but we knew and we would call it. I liked the integrity of those games at the YMCA. I want my daughters to play with integrity, but they don’t. They can’t.

If they called a foul on themselves, nobody would accept it. The coach would blow a gasket. The players would ostracize them. The fans would boo them. In most cases, the refs wouldn’t even acknowledge the call. The system is set up to “get away with it if you can.” The system that works in golf is the only effective ethics system I know.

I don’t think ethics alone will work. That is why the enforcement community requires compliance programs in some settlements and encourages them everywhere else. The US Sentencing Commission added ethics to the US Sentencing Guidelines recently, but judges still look for compliance programs to determine if a company is trying to find and fix problems. The judges don’t mandate ethics programs. Recently, a law was passed to mandate compliance programs for government contractors. The lobbyists got it reduced to a code of conduct, just before the regulation was published. The Department of Justice (DOJ) got mad and supported a “Contractors Fraud Loophole Act.” The Act said that government contractors had to implement the seven elements as described in the Sentencing Guidelines. The DOJ considered the last minute change from compliance to ethics to be a loophole. They want both, but they really are looking for compliance programs. I keep hearing the people who are horribly conflicted (they don’t want the pain and cost of compliance) or idealistic saying that ethics is enough. I keep hearing the people who are tired of chasing down cheaters (the enforcement community) say that if you want to be effective or if you want a break, put in a compliance program.

Ethics works if every one is ethical. Everyone else needs a compliance program. Ethics is important. Having a code of ethics and telling everyone to do the right thing is important. However, if you want to get people to be ethical, you must establish standards and procedures, audit and monitor, investigate, discipline, train and educate, and report to the Board. n

Health Care IT Security – A Corporate Compliance Matter March 24, 2009

Carolyn Regen, Interim Chief Compliance Officer and Privacy Officer of the Corporate Compliance and Privacy Administration of Gwinnett Hospital System, Inc. Michele Madison, Partner Morris, Manning & Martin LLPJ. Tom Jinks, Director, Moore ColsonBret Roy, Partner, Moore Colson


25

John asks the leadership

your questions

Editor’s note: John Falcetano is Chief Audit/Compliance Officer for University Health Systems of Eastern Carolina and a long-time member of HCCA. This column has been created to give members the opportunity to submit their questions by e-mail to [email protected] and have John contact members of HCCA leadership for their response.

QUESTION: What are Red Flag Identity Theft Rules and do they apply to health care

organizations?

ANSWER: provided by John C. Falcetano, MA, CHC, CIA, Chief Audit & Compliance Officer,

University Health Systems of Eastern Carolina Greenville, NC

The FDIC, along with the other federal financial institution regulatory agencies and the Federal Trade Commission, issued the Red Flags provision of the Fair and Accurate Credit Transactions Act in October 2007. The final rules and guidelines on identity theft red flags took effect on November 1, 2008, although enforcement has been suspended until May 2009. The rules require financial institutions to establish reasonable procedures for identifying and preventing identity theft.

The rules apply to health care providers because they use consumer reports to check for criminal backgrounds and credit histories as part of their employment process. In addition, many health care providers are considered creditors, because they do not require payment when services are rendered. Creditors in the health care field must also watch for signs of medical identity theft (i.e., someone obtaining medical services or benefits by using stolen health insur-ance information).

Although the rules allow organizations flexibility in establishing their own internal compliance programs, there are some mandatory requirements that must be included in order to comply with the rules. For example, the rules require:n Each financial institution or creditor to develop and implement a written identity theft

prevention program to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.

n Credit and debit card issuers to assess the validity of notifications of changes of address under certain circumstances.

n If there is a conflict between information provided on applications and credit reports, finan-cial institutions must review discrepancies.

Examples of identity theft red flags that financial institutions should consider as part of their identity theft prevention programs are also included in the rules. Information about the rules can be found at: http://www.fdic.gov/news/news/financial/2007/fil07100.html n

LEADERSHIPASKASK

JO

Hn

FA

LCET

An

O

The Health Care Compliance Associa-tion (HCCA) is seeking authors for Compliance Today. Every month Compliance Today offers health care compliance professionals information on a wide-variety of enforcement, regu-latory, legal, and compliance program development and management issues. To do this we need your help!

We are particularly interested in articles covering compliance concerns involving all segments of the health care industry, including Behavioral Health, Rehabili-tation, Physician practices, Long-Term Care, Homecare and hospice, Ambula-tory Surgery Centers, etc.

For Details: E-mail Margaret Dragon with your topic ideas, format questions, etc. at [email protected] or call her at 781/593-4924.

Articles generally run between 1,250 and 2,500 words; this is not a limit, just a guide. Compliance Today uses the Chicago Manual of Style. We require footnotes to be 10 or less. All references must appear at the end of the article. Please do not use the footnote feature in Word. The author’s contact information must be included in the article as well as the article title. Articles should be sub-mitted as a Word document with very limited formatting. Anyone interested in submitting an article for publication in Compliance Today should send an email to [email protected] which includes the article topic and deadline selected from the list below.

IMPORTANT: For those who are Certified In Healthcare Compliance (CHC), please note that CCB awards 2 CEUs to authors of articles published in Compliance Today.

Upcoming Compliance Today Deadlines:

n April 2n April 20n May 6

n May 18n June 1n June 15

Compliance Today Needs You!


26

13th Annual Compliance InstituteApril 26–29, 2009 | Caesars Palace | Las Vegas, NV

Register now at www.compliance-institute.org

512• Running Successful Hospital Exercises: Planning, Execution, and Assessment (Mitch Saruwatari, VP Quality and Compliance, LiveProcess; Michael Bowers, Director of Facilities & Engineering, Riverside County Regional Medical Center)

711• Where’s That Policy? Solving the Pitfalls of Paper-Based and Internally Built Policy & Procedure Systems (Robert Tietjen, CEO, PolicyTech)

W1• The Road Ahead and How to Navigate It: Panel Discussion on Challenges for Health Care Organizations in 2009 and How to Address Them (Frank Sheeder, Partner, Jones Day)

Health Care Compliance Association’s

Updated Sessions

AGENDA AVAILABLE ONLINE

VISIT WWW.COMPLIANCE-INSTITUTE.ORG

GROUP DISCOUNTS AVAILABLE

(see registration form)

Register in MARCH and receive a free copy of Building a Career in Compliance and Ethics*

*New registrations only


27

Declining economy has increased

compliance risks

On January 6, 2009, the Health Care Compliance Association reported the results of a survey it recently conducted with the Society of Corporate Compliance and Ethics. The survey reveals that the declining economy may be increasing the risk of legal and ethics violations in business. In addition, this increased risk is occurring at a time when budgets to manage those risks are expected to at best hold steady, if not decline.

The survey, based on an online questionnaire completed by more than 600 compliance and business ethics professionals, showed that 85% feel that the current economy greatly or somewhat increases the risk of compliance and ethics failures. To download the entire survey results: http://www.hcca-info.org/Content/NavigationMenu/ComplianceRe-sources/Surveys/Survey_Form.htm

For the press release: http://www.hcca-info.org/Content/NavigationMenu/AboutH-CCA/PressReleases/SurveyResults.pdf

Former HCCA President Odell Guyton

recognized

Society of Corporate Compliance and Ethics Co-Chair, Health Care Compliance Associa-tion Past President and Microsoft Corpora-tion Director of Compliance Odell Guyton has been named to Ethisphere Magazine’s 100 Most Influential People in Business Ethics 2008. Also named to the prestigious list are United States President Barack Obama, Hedge Fund Chairman T. Boone Pickens, and Triple Pulitzer Prize winner and New York Times columnist Thomas Friedman. For the complete list: http://ethisphere.com/100-most-influential-people-in-business-ethics-2008/ n

cERtIfIED InHEALtHcARE comPLIAncECHCCHC

The Compliance Certification Board (CCB) compliance certification examination is available in all 50 states. Join your peers and become Certified in Healthcare Compliance (CHC).

CHC certification benefits:n Enhances the credibility of the

compliance practitioner n Enhances the credibility of the

compliance programs staffed by these certified professionals

n Assures that each certified compliance practitioner has the broad knowledge base necessary to perform the compliance function

n Establishes professional standards and status for compliance professionals

n Facilitates compliance work for compliance practitioners in dealing with other professionals in the industry, such as physicians and attorneys

n Demonstrates the hard work and dedication necessary to perform the compliance task

Since June 26, 2000, when CHC certification became available, hundreds of your colleagues have become Certified in Healthcare Compliance. Linda Wolverton, CHC, says she sought CHC certification because “many knowledgeable people work in compliance and I wanted my peers to recognize me as one of their own.”

For more information about CHC certification, please call 888/580-8373, e-mail [email protected] or click on the CCB Certification button on the HCCA Web site at www.hcca-info.org

The Compliance Professional’s Certification

Congratulations on achieving CHC status! The Compliance Certification Board announces that the following individuals have recently successfully completed the Certified in Healthcare Compliance examination, earning CHC designation:

Lisa J Adamson

Katherine E Baxter

Michael David Beck

Robert H Bowker

Pamela Elaine Brotherton-Sedano

Camille Ann Cassell

Michelle Lynn Castle

Rocio Chavez

Terri L. Clark

Maureen Ann Clements

Patrick Collins

Charla R. Craig

Lucas D. Crater

Benjamin D. Cripps

Tammy L. Danek

Haley Beth Denzer

Connie S. Dunn

Michele Renee Durocher

Deana Anne Estes

Nayfe S. Faillace

Grace Pamandanan Fernandez

Diana D. Fourney

Stephen Glenn Gerwolds

Nancy Annette Godby

Kim Renae Gonseth

Carolyn Denise Graham

Regina F. Gurvich

Elizabeth Wade Hall

Janet Anne Herbold

Natalie A. Herron Welch

Karla M. Homelvig

Sharon K. Howard

Dianna Dawn Johnson

Donald R. Jones

Thomas Robert Kane

Jean Kelly

Holly A. Kessler

Ginny Kim

Jennifer D. Malone

Jennifer J. Mayberry

Tina M. Meli

Harlan L. Menkin

Keith L. Morgan

Lorelei C. Mulanax

Joyce K. Nakamura-Tanoue

Kimberly J. Oka

Jeff Brian Paul

Maria D. Pearson

Shannon Ladon Perkins

Karen Theresa Quintal

Christy Heather Richardson

Andrew Thomas Rosdahl

James S. Rundell

Marilyn K. Schmidt

Debbie Schneider

Patricia S. Slater

Roianne Summers

Donald Tannenbaum

Tiffany Brooke Thompson

Robert N. Ulrich

Peggy Jo Upson

Kayme L. Voelker

Cynthia Lou Vordenbaum

Blaire Ann Zummak

FYIFYI foR YoUR InfoRmAtIon


28

Editor’s note: Melissa Morales is a consultant working in the Healthcare Industries section of PricewaterhouseCoopers in San Francisco. She may be reached by e-mail at [email protected].

Physician compliance auditing and monitoring programs can be unique, depending on the practice and

type of provider operations. Such programs require specific experience and skill sets such as expertise in audit and coding, to determine what areas need to be monitored and how to develop work plans that encompass the organization’s high risk areas. Auditing and monitoring programs conduct various types of review throughout the year as part of an organization’s compliance plan to help pre-vent, detect, and correct noncompliance with regulations. The program is established on the fundamental aspects of the organization’s processes, such as charge capture, billing forms, claim scrubber functionality, physi-cian education, compliance, and billing office operations.

With the day-to-day perspective of an orga-nization’s operation, it’s not uncommon for staff to become consumed with the routine of scheduled reviews, which may cause them to loose sight of the direction they are heading and any imperative trends. It’s important to take a step back and evaluate any data collected and analyze those results. Careful

analysis of such data can help identify trends and/or abnormalities that are not often appar-ent on the surface of a review. Without such analysis, you could be missing key opportuni-ties for change and corrective action.

So what should be incorporated in an auditing and monitoring program to prevent process breakdown?

First, you must ascertain the organization’s compliance mission and objectives, such as safeguarding health information, assigning subject matter experts to the audit process, and identify key high-risk areas. Organiza-tions should also use the current year’s Office of the Inspector General (OIG) Work Plan1 as a base to identify various factors, events, emerging issues, and any priority shifts within Congress that may be an area of concern in the upcoming year.

Secondly, the organization should perform a risk assessment, and determine areas of high concern. This will allow for better determina-tion of what should be a high priority within the practice, allow for planning and imple-mentation of the work plan.

Thirdly, set up an internal audit plan that outlines audit coverage, scope, and objectives, such as formal vs. informal reviews, type of review (e.g., compliance, coding, or pay-ment), and areas of concern (e.g., high dollar

procedures, or teaching physician environ-ments). Internal audits should have a quality review process to verify accuracy, establish controls, identify best practices, and measure results against national benchmark data.

Part of the audit plan should establish a reporting and feedback mechanism to provide information regarding the audit and its find-ings. Monthly reports should be generated for management and those being audited to review audit results, provide education, establish corrective action plans, and review any trends identified. It is imperative that the information found through audit is commu-nicated to those who were audited, not just the chiefs or management of the department. In order to assist with accuracy rate improve-ment and address any noncompliance with regulations, everyone participating in the audit should be notified of their results. If there were deficiencies identified through the audit, the reporting mechanism can help determine what departments or areas need to be re-evaluated and need continuous monitoring. When auditing accuracy and proper documentation of evaluation and management (E&M) codes, the accuracy rate needs to be established by the organization. Any physician who falls below that range should be continuously monitored until their accuracy rate has improved.

Routine reports are instrumental in per-formance improvement initiatives as well as in making recommendations for process improvements or corrective actions.

Fourthly, evaluate the performance of the process by analyzing the results along various factors as well as monitoring the process frequently to make sure there are no loop holes within the process.

Lastly, examining and re-evaluating your

Physician office compliance – Are you monitoring

your auditing and monitoring program?

By Melissa Morales, CPC


29

sampling methodology is vital in determining any flaws in the system and to ascertain that the appropriate sample is being reviewed. The proper sampling methodology ties back to the type of review that you are performing. The frequency and type of review, whether pay-ment or coding related, should be determined before setting the sample size. There are several mechanisms and methodologies that can be used to determine sample sizes. A common method is to use software to assist with the sampling. RAT-STATS (statistical software available through the Office of the Inspector General website) assists in selecting random samples and evaluating results.2

In addition to reviewing the process of an effective auditing and monitoring program, organizations should review common and potential risk areas that Compliance departments face. Common issues that are often missed or not addressed properly are the overuse and misuse of modifiers, claims scrubbers, and thorough review of charges and payments. The misuse of modifiers 24 and 25 leads to overpayment for services that are either included in an E&M visit or part of the global surgical package. In this case, the sampling method needs to be carefully analyzed to make sure various factors are reviewed as well as the frequency of use. If only high level evaluation and management codes are sampled, a potential exists for miss-ing the use of modifier 25. Another sampling issue can lie with pulling procedure codes and not breaking them down to individual global period days to determine if there were distinct services provided where the modifier would have been appropriate.

Use of modifier 25 (to identify a significant and separately identifiable service was pro-vided on the same date as another service)3 requests additional reimbursement from payers when performing additional work. It’s

imperative to monitor so inappropriate pay-ment isn’t received. The frequency of the use of this modifier should be monitored closely. OIG published a report on “Modifier 25” in November 2005, and in this report, OIG indicated that if modifier 25 is appropriately appended in an encounter when an E&M service and a minor procedure were per-formed on the same day. It should not exceed more than 50% of the billable items.4 The requirements for the proper use of this modi-fier should be carefully reviewed to prevent incorrect application. Some areas to watch for are:n Is the modifier being used every single

time there was a procedure and E&M performed?

n Is the modifier being appended by alter-nate staff, such as billing staff, through claim scrubber edit work queues?

Modifier 24 poses another issue of receiving payment for services that are encompassed with in the global surgical package and separately billable. Part of the problem begins with not knowing the global period associated with certain procedures, and there is often confusion with how physicians are designated when they belong to the same group specialty and practice. Physicians are often unaware that they are considered one physician when they belong to the same specialty/department within the organization. Medicare defines the “same physician,” within the definition of modifier 24, as the same physician who performed the procedure or a member of the same group within the same specialty.5 Appli-cation of modifier 24 should not be done automatically during a post-operative period. The modifier should be appended by the physician or by coding staff who have access to the surgical dates and are able to review medical records to determine if the service provided during the post-operative period was unrelated to the surgery. Understanding the

appropriate use of modifier 24 allows provid-ers to append the modifier correctly and helps reduce compliance risks.

An auditing and monitoring process should also include a review of the use of claims scrubber edits to ensure that there are no hard stop edits that will randomly append modi-fiers 24 and 25. Overview of billing work queues to resolve modifier edits is essential in ensuring proper reimbursement. This can be a daunting task, because some of these reviews can require review of the medical record to make certain procedures were unrelated to the E&M service, or in the case of modifier 25, if the procedure was indeed separately identifi-able from the original service provided.

Ensuring processes are in place to monitor your audit program and the frequency of modifier use is critical. Monthly report-ing will allow the organization to monitor various departments and processes to ensure billing, coding, and operations are compli-ant. Reporting is one step to improve your program, in addition to having a compre-hensive communication mechanism to assist in improving overall processes. An effective auditing and monitoring program requires expertise from several individuals and areas within an organization. Compliance depart-ments that decide to partake in a thorough audit program will benefit from step-by-step planning that will help determine the funda-mentals that are needed to provide direction for an accurate and compliant review. Participation from everyone with in the organization is central to having a successful program and facilitating any recommenda-tions and changes. n

1. 2009 OIG Work Plan is available at: http://www.oig.hhs.gov/publica-tions/docs/workplan/2009/WorkPlanFY2009.pdf

2. RAT-STATS software is available at: http://www.oig.hhs.gov/organiza-tion/oas/ratstats.asp

3. Current Procedural Terminology 2009, AMA4. OIG report, No.OEI-07-03-00470, Nov.1, 2005 retrieved from http://

www.oig.hhs.gov/oei/reports/oei-07-03-00470.pdf5. Medicare Claims Processing Manual, Chapter 12: Physician and non-

physician practitioners


30


31

n


32

By Gerald M. Griffith, JD

Editor’s note: Gerald Griffith is a partner in the Chicago office of Jones Day where he practices as a member of the Health Care and Tax Practice Groups. He may be reached by telephone at 312/269-1507 or by email at [email protected].

For many nonprofit healthcare organizations, front page stories on executive compensation have become an annual event due to the information publicly available on Form 990. Recently,

the Internal Revenue Service (IRS) has increased the scrutiny of executive compensation among all nonprofits, including hospitals and academic medical centers, with three separate, detailed compliance checks sent to several hundred organizations in the past five years. In addition to educating the nonprofit sector, those compliance checks have sought to enforce the excess benefit sanctions that impose excise taxes of up to 225% on any insider compensation above reasonable amounts.

With healthcare and other sectors facing a difficult economic situation, including the highest rate of mass layoffs rates in more than ten years,1 compensation for health care executives is coming under increasing scrutiny. Executive compensation packages that may be viewed as rich in cash compensation by “Joe the Plumber” standards, or include hot button perquisites (e.g., first class travel), are drawing more intense media and government scrutiny. This article will explore how that added scrutiny has manifested itself, and what steps can be taken to minimize the negative publicity associated with executive compensa-tion, protect it against IRS sanctions, and demonstrate to policy makers, regulators, and charitable donors that nonprofit healthcare organizations can control executive compensation without additional regulation or investigations. Those proactive steps can be described as following best practices in the compensation approval process, obtain-ing appropriate comparability data, and adopting a compensation plan design that ties compensation to both financial and non-financial goals.

Effect of economic downturn on executive compensation

It is unusual now to hear news stories about prospective bailout pack-ages that do not also include calls for limits on executive compensa-tion. Just as the Sarbanes Oxley Act arguably started a transparency trend that has permeated healthcare governance thinking, so too may rules on executive compensation in Corporate America from the bailouts filter through to healthcare organizations facing their own financial challenges.

Economic pressuresMany health care organizations are feeling the pressure of the strug-gling economy, through reductions or delays in payment from govern-ment payment programs such as Medicaid, tougher negotiations with private payers, increased numbers of uninsured patients, mounting property tax exemption challenges, tighter credit, and plummeting investment returns. In what is not likely to be an anomaly, one highly regarded suburban hospital in a particularly hard-hit industrial state recently announced a voluntary turnaround plan to reduce a projected multi-million dollar loss in 2008, including a 10% pay cut for the CEO and other top executives and employed doctors, and a 4% pay cut for department managers as an alternative to lay offs. Sources esti-mated the pay cuts would save 225 jobs at the hospital.2 With rising unemployment rates, other health care organizations may feel the need to make similar reductions as part of an overall cost-cutting strategy.

With various sectors (e.g., financial, automotive) seeking federal bailouts, Congress has turned its attention once again to potential abuses in executive compensation. In a recent press release regarding the federal financial rescue program, the Senate Finance Committee strongly urged the Secretary of the Treasury to implement proposed limits on executive compensation for senior executives of institutions that receive federal bailout funds and ensure transparency in the bailout process.3 Those limits in Sections 162(m)(5) and 280G(e) of the Internal Revenue Code would limit deductibility to the first $500,000 of compensation and eliminate the exception allowing higher deductibility for performance-based compensation.4 In response

feature

Executive compensation in troubled times – Part 1

focus

n


33

to earlier concerns over corporate governance and transparency in the wake of the Enron scandal, Congress enacted other limits on executive compensation for public companies in the Sarbanes Oxley Act (SOX), including clawback provisions that would require repayment of certain compensation received by the CEO and CFO of any public company that issues a material restatement of its financials to comply with securities laws. Affected executives are required to repay (1) any bonus, incentive-based or equity compensation received within twelve months after release of the noncompliant financials; and (2) any profits realized from the sale of any securities of the employer during that same period.5

Congress also has a recent history of closely examining executive compensation in the nonprofit healthcare sector.6 Senator Grassley in particular has been very vocal about compensation levels in the nonprofit sector, noting that the “lack of transparency” in executive compensation and “the champagne lifestyles of certain non-profit executives” leave no room for doubt that the IRS needs to adopt clear guidelines on disclosure and acceptable compensation levels for nonprofits. In Senator Grassley’s view, “some individuals running charities view it as an opportunity to do well for themselves as opposed to doing good for those in need.”7 As pressure mounts on health care organizations to care for the uninsured and deal with declining reimbursement while stemming losses to keep programs afloat, execu-tive compensation levels and program design are likely to come under increased legislative scrutiny.

Moreover, a high ranking IRS official recently noted the current economic situation makes it even more important to ensure “proper stewardship of the tax subsidy” that nonprofits receive and to improve transparency in governance.8 In that regard, the IRS also remains highly interested in executive compensation at nonprofit organizations as reflected in the new Form 990 (described below). The same official noted that a pending report on the 2006 survey of nonprofit hospital executive compensation practices “will reveal high levels of executive compensation as well as extensive use by nonprofit hospitals of the rebuttable presumption of reasonableness.” He also implied that the IRS will look more closely at how well that process is being followed in upcoming audits, noting that the existing excess benefit rules of Sec-tion 4958 may not be adequate to challenge high compensation levels that may be defensible under the rebuttable presumption standard but may not satisfy the public and other interested parties. He also raised questions about the propriety of current law that allows a nonprofit to use compensation at for-profit companies as part of the comparable data in determining reasonable compensation at the nonprofit.9

Effects of increased transparencyMany local papers run annual stories listing top paid executives, including senior management of hospitals and other healthcare orga-nizations. For public companies, these figures are reported in securities filings and can be readily compared on public websites,10 or gleaned manually from reviewing SEC filings online.11 For nonprofits, this information is typically drawn from annual Forms 990 filed with the IRS, which are subject to public inspection after filing at the organiza-tion’s offices and, after a lag time, are available online.12

In recent years, the level of detail and number of executives included in the Form 990 compensation disclosures has expanded steadily. With the redesigned Form 990 for tax years beginning in 2008, that expansion will result in disclosure of base compensation, bonus and incentive compensation, other compensation reported on Forms W-2 or 1099-MISC (e.g., debt forgiveness, gross-up payments for taxes on cell phones), deferred compensation, and non-taxable benefits for all current and former (within the past five years) officers, directors, trustees, “key employees” and the top five highest paid other employ-ees.13 In addition, Parts I and III of Schedule J will require disclosure of a variety of hot button perquisites provided to executives, including first class or charter travel, spousal/companion travel, tax gross-up payments (e.g., to pay the executive’s tax liability on certain fringe benefits), discretionary spending accounts, housing, health club or social club dues and initiation fees, and various personal services (e.g., maid, chauffeur, chef ). Organizations are also required to disclose whether they follow the IRS-prescribed rebuttable presumption procedure (described below) for approving executive compensation,14 and whether they intend to rely on the initial contract exception for any compensation arrangements.15

The IRS is also becoming more attuned to process issues in audits and compliance checks. For example, the executive compensation por-tion of the Hospital Project Compliance Check Questionnaire (May 2006) asked: n Whether officer, director, trustee and key employee compensa-

tion was approved in advance by disinterested individuals (The Instructions to the new Form 990, Core Form, Part VII define “key employees” as the twenty highest paid employees paid more than $150,000 for the year by the organization and all related organiza-tions, and who have responsibilities, power or influence over the organization as a whole, manage a discrete segment or activity of the organization accounting for more than 10% of the organiza-tion’s activities, assets, income or expenses, or have sole or shared



34

Research Compliance AcademySan Francisco, CA | June 15–18

HCCA’s Advanced Compliance Academy offers four days of intensive, in-depth health care compliance education for the experienced compliance professional.

With a wide range of research-related issues becoming hot topics with enforcement agencies, this academy provides attendees with the opportunity to get information on many areas that affect research compliance officers and their staff on a day-to-day basis. A small audience encourages hands-on educational techniques, small group interaction, and networking.

AdvAnced compliance AcademiesSan Francisco, CA | June 22–25

March 9–12 | Dallas, TX

June 1–4 | Scottsdale, AZ

October 26–29 | Denver, CO

November 16–19 | Orlando, FL

basic compliance academies

register now for hcca’s 2009 Academies (revised dates)

register now at www.hcca-info.org

This four-day intensive program focuses on subject areas at the heart of health care compliance practice. Courses are designed for participants who have a basic knowledge of compliance concepts and some professional experience in a compliance function.


35

Executive compensation in troubled times – Part 1 ...continued from page 33


authority or control over determinations of 10% or more of the organization’s capital expenditures, operating budget or employee compensation);

n Who exactly approves the compensation, n What comparability data is relied on in the process, n Whether the compensation was within the range of that data, and n Whether the comparables included compensation levels at other

tax-exempt hospitals.16

The IRS has also instructed agents to focus on the effectiveness of internal financial controls when auditing exempt organizations to help shape the course and scope of the audit – consistent with the IRS view (and a theme of the new Form 990) that organizations following good governance practices are more likely to be in compliance with the tax laws.17 As part of the opening document requests in hospital audits, IRS agents are now asking for compensation committee minutes as well as internal audit reports.

Fiduciary dutiesSetting appropriate parameters for executive compensation is not only likely to be viewed by the public as the right thing to do in tough economic times, it is also good business and in the best interest of the organization. In that regard, directors and officers of nonprofit corporations owe fiduciary duties of care, loyalty, and obedience to the corporation. Those fiduciary duties require directors and officers to act in good faith and in a manner they believe to be in the best interests of the corporation as opposed to their own personal interests.18 In fulfilling those duties in the area of executive compensation, directors and officers may rely on:

“information, opinions, reports, or statements, including financial statements and other financial data, if prepared or presented by … legal counsel, public accountants or other persons as to matters the director reasonably believes are within the person’s professional or expert competence.”19

When the process breaks down, directors and officers are at risk for state attorneys general seeking to recoup excessive payments, including bonuses and other insider deals.20

Although fiduciary duties for nonprofits arise under state law, they also can lead to federal tax compliance concerns including imposition of excise taxes at rates up to 225% for excess benefits under Section 4958 if executive compensation exceeds fair market value. In the redesigned Form 990, the IRS will be asking a number of new and

expanded questions regarding board independence, conflicts of interest procedures, disclosure of financial statements, governance policies, and compensation review procedures. These questions are consistent with the IRS’s view that a well governed exempt organization is also a compliant one. Now the IRS intends to prove that theory.

In its FY2009 work plan released in late November, the IRS Exempt Organizations Division (EO) announced a new three-part initiative aimed at nonprofit governance issues. EO will continue its work in the nonprofit governance area by focusing on three areas:

First, EO will develop a checklist to be used by agents in examina-tions of exempt organizations to determine whether the organization’s governance practices impacted the tax compliance issues identified in the examination and to educate organizations about possible gover-nance considerations.

Second, EO will commence a training program to educate its employ-ees about nonprofit governance implications in the determinations, rulings and agreements, and education and outreach areas.

Third, EO will begin identifying Form 990 governance questions that could be used in conjunction with other Form 990 information in possible compliance initiatives, such as those involving executive compensation, transactions with interested persons, solicitations of noncash contributions, or diversion or misuse of exempt assets.21

Given the emphasis on compensation matters in recent IRS compli-ance initiatives, it is likely that these new governance initiatives also will include close scrutiny of executive compensation processes. Failure to provide proper oversight of the executive compensation process, including an appropriate conflict of interest policy and ensuring that compensation levels and plan design are reasonable, also may lead to state law allegations of a breach of fiduciary duty. Compensation deci-sions, however, are more than a pure numbers game, whether for state law or federal tax purposes. Simply limiting total compensation does not necessarily better serve the organization, if it is done at the expense of recruiting and retaining qualified executives or compromising job performance (by providing little or no incentive for improving the organization’s performance in financial and non-financial areas).

Emphasis on process

Real estate experts are fond of saying that the value of property is all about location, location, location. For executive compensation, at least


36

Executive compensation in troubled times – Part 1 ...continued from page 35

as far as the federal tax-exemption rules are concerned, it is all about process, process, process.

Rebuttable presumptionDespite recent criticism of the rebuttable presumption process as potentially protecting compensation levels that the public would not be satisfied with, the law remains clear. If an organization successfully establishes a rebuttable presumption of reasonableness, the burden shifts to the IRS to prove that compensation of disqualified persons (including many senior executives) is unreasonable. As noted above, by the admission of a senior IRS official, that is often a difficult task. In addition, establishing the presumption ordinarily protects organiza-tion managers against imposition of the 10% excise tax that applies to anyone approving an excess benefit transaction.22 Given the increased scrutiny of executive compensation decisions in nonprofit health care, it is more important than ever for hospitals to take steps to establish a rebuttable presumption of reasonableness for executive compensation packages.

To establish a rebuttable presumption, the compensation package must be reviewed and approved in advance by an independent board or committee as being consistent with fair market value based on appropriate market data for comparable compensation arrangements. The decision also must be documented on a timely basis (within 60 days or prior to the next meeting) in the board or committee records (e.g., minutes), and the minutes or other records of the board or committee must note the terms of the compensation package that was approved, the members who were present for the debate and voted on the arrangement, the comparability data relied on and how it was obtained, and any actions taken with regard to the arrangement by any member with a conflict of interest in relation to the transaction.23

The presumption is available for all fixed compensation (i.e., specific dollar amounts, fixed formulas that are not subject to discretion such as certain percentage formulas or payments conditioned on achieving specific goals, or approval of a maximum payment as reasonable).24 To avoid disagreements over whether a particular compensation method-ology is a “fixed formula,” organizations may wish to include a cap on total compensation at a reasonable level.

If the board or committee approves compensation that exceeds the range of comparable data reviewed, the rebuttable presumption can still be established if the reasons for exceeding the range are recorded in the minutes.25 Acceptable reasons for exceeding the range may include some combination of a prior history of below-market compen-sation, specific increased duties or time commitment, truly exceptional

performance that far exceeds expectations (which may be easier to demonstrate with reasonable performance goals clearly defined in advance), bona fide competing offers from unrelated entities, and demonstrated difficulty in recruiting or retaining executives.26 Failure to follow the rebuttable presumption procedure does not necessarily mean that compensation is excessive,27 but the IRS reports on the Executive Compensation Initiative and the Hospital Project suggest that following this procedure is a best practice.

Conflicts of interestIn recent years the IRS also has shown an increasing interest in good governance practices in general, issuing and revising both a model conflicts of interest policy (available in the Instructions to Form 1023) and good governance guidelines.28 The model conflict of interest policy is a starting point for many health care organizations in developing their own conflict of interest policy, which can be helpful in minimiz-ing the excess benefit, inurement, and tax risks of executive compensa-tion and other insider transactions. The IRS also included specific safe harbors in the regulations to determine when a board or committee will be sufficiently independent to be able to meet the requirements for establishing the rebuttable presumption of reasonableness.

Specifically, a member of the reviewing body will be deemed to be independent for that purpose if he or she: n Is not a disqualified person (insider) or family member of a

disqualified person who participates in or benefits economically from the transaction (For this purpose, “family members” include spouses, ancestors, brothers and sisters (whether whole or half blood), children (whether natural or adopted), grandchildren, great grandchildren, and spouses of brothers, sisters, children, grandchil-dren, and great grandchildren);

n Is not an employee of or supervised by a disqualified person who participates in or benefits economically from the transaction;

n Does not receive compensation or other payments subject to approval by a disqualified person who participates in or benefits economically from the transaction;

n Has no material financial interest affected by the transaction; and n Does not engage in vote swapping (i.e., trading his/her vote

for approval of another transaction that benefits the member economically).29

Board independence is also relevant for disclosure purposes on Form 990, and the degree of independence of the board may affect how the IRS, the media and the public perceive an organization and its com-pensation practices. The Instructions for the new Form 990 define


37

independence for board members in this context using a three-part test, and all three parts must be met: 1. No compensation to the member as an officer or employee of any

related entity; 2. Total of all other payments to the member for the tax year from

any related entity do not exceed $10,000 (reasonable directors’ fees for board service and reimbursement of expenses under a plan requiring documentation of amounts and business purpose do not count toward the $10,000); and

3. Neither the member nor his/her family were directly or indirectly involved in a transaction with any related entity that must be reported on Schedule L (or would be reportable on Schedule L if the related entity were a 501(c)(3) organization).30

IRS compliance checksThe IRS, however, is doing more than just talk about the compensa-tion process – it is also examining developing trends among non-profits and building a database for more effective, focused audits. For example, the report on the IRS Executive Compensation Initiative noted among other things that: n Over 30% of the organizations surveyed did not report compensa-

tion correctly on Form 990;n Form 990 reporting requirements for executive compensation

needed clarification (which the IRS has since addressed); n The IRS should revisit (i.e., expand) the circumstances under which

it assesses penalties for filing an incomplete Form 990;n Following the rebuttable presumption procedure to establish execu-

tive compensation levels is a common practice, though only 51% of organizations surveyed addressed all three requirements for the presumption and many organizations may have difficulty in under-standing, applying or meeting all of the requirements;

n Future compliance initiatives should focus on the correlation between meeting the rebuttable presumption requirements and rea-sonableness of compensation (including 5% of organizations where the affected person did not leave the meeting prior to a vote on his or her own compensation); and

n Loans to insiders present a high potential for abuse (followed by excessive compensation and personal use of exempt organization as-sets – likely a reference in part to employer-provided cell phones).31

A report on the executive compensation phase of the Hospital Project that started in May 2006 is expected to be released in early 2009. Another compensation review project involving approximately 400 colleges and universities, including some academic medical centers, is currently in progress, following an extension of the due date for initial

responses (to February 6, 2009). With the substantial increase in disclosure requirements for executive compensation in the new Form 990 (described above), it is also likely that the IRS will continue to use similar compliance checks to find potentially abusive or excessive compensation arrangements among nonprofits nationally, including in health care. Those compliance efforts at the IRS likely will be aided to some extent by whistleblowers, who are able to recover a bounty of up to 30% of the taxes and penalties collected by the IRS in cases over $2 million, or 15% in smaller cases.32 n

Part 2 of this article will appear in the April issue of Compliance Today and will address comparability data and compensation plan design.

1 See J. Carlson, “Healthcare Nears 10-year Record for Mass Layoffs,” ModernHealthcare.com (Nov. 21, 2008) (mass layoffs are more than 50 employees from a single employer).

2 See J. Greene, “Beaumont Hospitals to lay off employees, cut millions from 2009 budget,” Crain’s Detroit Busi-ness (Nov. 17, 2008).

3 The November 19, 2008 news release is available on the Committee’s website at http://finance.senate.gov/press/Bpress/2008press/prb111908e.pdf.

4 See Notice 2008-94, 2008-44 I.R.B. 10.5 15 U.S.C. § 7243.6 G. Griffith and J. King: “The dollars and sense of executive compensation,” Compliance Today p. 20 (HCCA,

April 2007).7 Press Release, “IRS report on non-profits’ executive compensation” (March 1, 2007), available online at http://

finance.senate.gov/press/Gpress/2007/prg030107.pdf.8 Remarks of Steven T. Miller, Commissioner TEGE (IRS), Western Conference on Tax-exempt Organizations

(Nov. 20, 2008), available online at http://www.irs.gov/pub/irs-tege/stm_loyolagovernance_112008.pdf.9 F. Stokeld, “IRS Interest in EO Executive Compensation Strong, Official Says,” Tax Notes Today, 2008 TNT

226-3 (Nov. 21, 2008).10 Two such websites are http://www.vault.com and http://swz.salary.com/.11 SEC filings are available on the EDGAR system at http://www.sec.gov/edgar.shtml.12 Forms 990 can be accessed free of charge for three years on www.guidestar.org, or for all available years with a

paid subscription.13 Form 990 (2008), Schedule J, Part II, available at www.irs.gov/charities/article/0,,id=185561,00.html. 14 Form 990 (2008), Part VI, Line 15a & b, Schedule J, Part I, Line 3 and Schedule L, Part II, Column (f ).15 Form 990 (2008), Schedule J, Part I, Line 8; see also 26 C.F.R. § 53.4958-4(a)(3).16 Copies of the questionnaire and IRS report are available online at http://www.irs.gov/charities/charitable/

article/0,,id=172267,00.html.17 See F. Stokeld, “IRS to Ask About Internal Controls During EO Exams,” Tax Notes Today, 2008 TNT 226-3

(Nov. 21, 2008).18 See Griffith & King, supra; Revised Model Nonprofit Corporation Act, § 8.30(a)(1) (1987) (the “Model Act”).19 Model Act, § 8.30(b).20 See, e.g., J. Glater & V. Bajaj, “Coumo Seeks Recovery of Bonuses at A.I.G.,” N.Y. Times (Oct. 16, 2008) (de-

mand for repayment of multimillion dollar bonuses citing “unwarranted and outrageous expenditures” including “a lavish golf outing and an overseas hunting trip that cost nearly $100,000”); State v. Anclote Manor Hospital, 566 So. 2d 296 (Fla. Dist. Ct. App. 1990), rev. den., 576 So. 2d 296 (Fla. 1991) (suit to require directors of a nonprofit to disgorge the profits from a self-dealing transaction); 2008 Fla. Stat. § 617.2003; E. Brody, “A Taxing Time for the Bishop Estate: What Is the I.R.S. Role in Charity Governance?”

21 University of Hawaii Law Review 537 (Winter 1999) (removal and repayment of excessive compensation allegedly paid to trustees of nonprofit school).

21 IRS Exempt Organizations Division Work Plan (FY2009), p. 20, available online at www.irs.gov/pub/irs-tege/finalannualrptworkplan11_25_08.pdf.

22 26 C.F.R. § 53.4958-1(c)(4)(iv).23 26 C.F.R. § 53.4958-6(c)(3)(i) & (ii).24 26 C.F.R. § 53.4958-4(a)(3)(ii) & -6(d).25 26 C.F.R. § 53.4958-6(c)(3)(ii).26 See, e.g., Choate Construction Co. v. Commissioner, 74 T.C.M. (CCH) 1092 (1992); Medina v. Commissioner,

46 T.C.M. (CCH) 76 (1983); 26 C.F.R. § 53.4958-6(c)(2)(i). In one exempt organization case where such arguments were made they were rejected for lack of substantiation. See Northern Illinois College of Optometry v. Commissioner, 2 T.C.M. (CCH) 664 (1943).

27 26 C.F.R. § 53.4958-6(e).28 The revised good governance guidelines are available on the IRS website at http://www.irs.gov/pub/irs-tege/

governance_practices.pdf. For a summary of the good governance guidelines and other considerations for good governance please see the Commentary at http://www.jonesday.com/pubs/pubs_detail.aspx?pubID=S4013.

29 26 C.F.R. § 53.4958-6(c)(1)(iii) and 26 C.F.R. § 53.4958-3(b)(1).30 Form 990, Instructions for Core Form, Part VI, Line 1.31 The full report is available online at http://www.irs.gov/pub/irs-tege/exec._comp._final.pdf.32 26 U.S.C. § 7623; 26 C.F.R. § 301.7623-1(c).


38

I just received a subpoena – Now

what?!By Andrea Ebreck and Karen Cincione

Editor’s note: Andrea Ebreck and Karen Cincione are health care attorneys at the law firm of Vorys, Sater, Seymour and Pease LLP in Columbus, Ohio. Ms. Ebreck may be reached at 614/464-4951 or by e-mail at [email protected]. Ms. Cincione may be reached at 614/464-6201 or by e-mail at [email protected].

A s a new health care compliance professional, it is just a matter of time before you are called upon to

respond to a request from an attorney for the production of medical records. In respond-ing to these requests, you must be very care-ful to do so in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal confi-dentiality laws.

Identifying the request

The first order of business after receiving a subpoena is to review it in order to determine what is being requested, when, by whom, and in what type of legal action. Each state has laws governing the form, content, and service of a subpoena, and some state laws require witness or mileage fees to be included with a subpoena.

To determine how to best respond to a sub-poena, you must first identify the basics of the request. These include:n What type of legal action is involved (fed-

eral or state court, juvenile, probate, etc.)?

n What is the name of the individual for whom information is being sought?

n What is the information that is being sought (entire record vs. certain specific information)?

n What does the subpoena direct the health care provider to do (produce records, testify, both)?

n Who is requesting the information (attor-ney for the person about whom informa-tion is sought or attorney for another party)?

n Whether the individual whose information is sought is currently, or has ever been, a patient for whom the health care provider has records.

n Whether the health care provider has the specific information sought by the subpoena.

n Whether the individual whose information is sought has authorized the disclosure.

n Whether the information sought is confi-dential or privileged under federal or state law (see discussion below).

n Whether the person seeking the informa-tion has provided evidence of “satisfactory assurances” that the person has notified or attempted to notify the individual whose information is sought (see discussion below).

n Whether a court has ordered the disclosure of the information sought (apart from issuance of the subpoena).

Many times, a call to the subpoenaing attorney can resolve questions about what information is sought (perhaps the entire record is not really needed), whose informa-tion is sought (surprisingly often, this is not clear from the face of a subpoena), whether authorization for disclosure is sought, whether appearance at a trial or deposition is really necessary, or whether a certified copy of records will suffice.

Applying the law

Once you have identified the request, you must then determine whether there are any federal or state laws that would prevent you from complying with the subpoena. In this regard, it is important to consider the application of HIPAA, the physician-patient privilege, and a number of other state and federal confidentiality laws.

HIPAA. Generally, HIPAA prohibits covered entities from disclosing protected health information (PHI) except as permitted or required by law. PHI is defined as informa-tion held or disclosed by the covered entity in any form (electronic, paper records, oral communications) that identifies an individual and relates to the individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual.1

HIPPA allows for the disclosure of PHI in response to a subpoena in the following two instances. First, the information may be disclosed if the individual who is the subject of the information properly authorizes the disclosure. Second, the information may be disclosed without the individual’s authoriza-tion if the covered entity receives “satisfactory assurance” from the party requesting the PHI that it has made reasonable efforts to give notice of the request to the individual who is the subject of the PHI or has made reasonable efforts to obtain a qualified protective order.2

Generally, “satisfactory assurance” that efforts have been made to provide notice to the individual requires a written statement and accompanying documentation that: 1. The party requesting such information

has made a good-faith attempt to provide written notice to the individual;

101 COMPLIANCECOMPLIANCE


39

2. The notice included sufficient informa-tion about the litigation or proceeding to permit the individual to raise an objection to the court or administrative tribunal;

3. The time for individual to raise objections to the court or administrative tribunal has elapsed; and

4. No objections were filed, or any objection filed by the individual have been resolved by the court or administrative tribunal.3

A “qualified protective order” means an order of a court or tribunal or stipulation of the parties to the proceeding that:1. Prohibits the parties from using or dis-

closing the protected health information for any purpose other than the litigation or proceeding for which the information was requested, and

2. Requires the return to the covered entity or destruction of the protected health information at the end of the proceeding.4

Other federal and state laws

Even if disclosure is permitted under HIPPA, there may be other reasons to hesitate before disclosing medical records without a patient’s written authorization. Practically speaking, the subpoena will likely be issued without any determinations regarding the application of privilege. Although no federal law governs the application of the physician-patient privilege, state law generally recognizes a patient’s right to keep information shared with their doctor and other health care practitioners from being disclosed in a legal proceeding. State laws establish privileges and often create exceptions to their applica-tion. Often, a health care practitioner served with a subpoena will not have enough information to know whether an exception to privilege exists or whether or not the patient may have waived the privilege. The patient may also indicate that he or she does not want the information sought to be disclosed.

In these situations, it is best for the health care practitioner to assert the privilege and let the court determine an exception to privilege exists or a waiver has occurred. Depending on a particular state’s laws, a health care provider that prematurely hands over patient records to opposing counsel in response to a subpoena could be sued for negligence for failing to protect the privilege, even if the disclosure is authorized under HIPAA or other state confidentiality laws.

Additionally, medical information may be protected under state and federal law when it relates to a specific medical condition or type of information. For example, federal law protects all information about any person who has applied for or been given diagnosis or treatment for alco-hol or drug abuse at a federally assisted program.5 This law further states that a subpoena or warrant signed by a judge or an order agreed upon by the parties is insufficient to support the disclosure of patient identifying information by any federally assisted program unless: (1) the subpoena and/or warrant is accompanied by an authorizing court order issued after specified procedures are followed; or (2) the individual has authorized the disclosure. When the patient does not consent to the disclosure, the law prohibits substance abuse treatment programs from releasing information in response to a subpoena unless a court has issued an order that complies with applicable law.6 Most states also have laws governing the confidentiality of HIV-related information, mental health treatment records, and medical records. When a state or federal confidentiality law is more restrictive than HIPPA, health care providers must follow the stricter state law. For example, if a program has disclosed patient records that include references to HIV treatment after the patient has signed a consent form that is proper under HIPAA, compliance personnel must also determine whether the state imposes any additional requirements for disclosing this type of information, such as a special consent

form. Conversely, in instances in which a state confidentiality law or any other state law is less protective of confidentiality than the federal law, however, federal HIPPA rules will control.

The role of the compliance professional

Many health care providers find that the most effective way to ensure a correct response to subpoenas is to designate a compliance professional to review and coordinate or assist in responding to subpoenas.

By becoming knowledgeable about the records, staff credentials, and the laws govern-ing information in the health care provider’s possession, compliance professionals can facilitate appropriate disclosures and protect the privacy of the provider’s patients. Com-pliance professionals often play a crucial role in ensuring that clinical staff who have been subpoenaed to testify are aware of any limita-tions or requirements with respect to their testimony. In many instances, compliance professionals are also called upon to commu-nicate with attorneys who seek privileged or otherwise confidential information and make them aware of governing health care laws.

Above all, the role of the compliance profes-sional is to ensure that a subpoena is never ignored! Even if a federal or state law pro-hibits the requested information from being disclosed, you must still take some action with respect to a subpoena. When in doubt, you should always seek advice from legal counsel to ensure that your response or objection to a subpoena is appropriate and lawful. n

1 45 C.F.R. §§ 164.501, 164.502(a)2 45 C.F.R. § 164.512(e)3 45 C.F.R. § 164.512(e)(iii)4 45 C.F.R. § 164.512(e)(1)(v)5 42 CFR §2.116 42 CFR §§ 2.63 through 2.67


40

2009 regional Conferences

Columbus, OH ....................... May 8

new York, nY ...................... May 15

seattle, WA ........................... June 5

Los Angeles, CA ................ June 26

Boston, MA ...............september 11

Minneapolis, Mn ......september 12

Kansas City, Ks .......september 26

Pittsburgh, PA .................October 9

Honolulu, HI ..................October 16

Denver, CO ....................October 23

nashville, Tn ...............november 6

Louisville, KY ............november 13

Phoenix, AZ ...............november 20

Join us at HCCA’s 2009 Regional ConferencesHCCA’s regional conferences take place throughout the year, all over the United States. You’re sure to find one that works for you!

Visit www.hcca-info.org for registration information

HCCA RegionAl ConfeRenCes


41

October 16 Honolulu, HI

UpComing RegionAl ConfeRenCes

October 23 Denver, CO October 9

Pittsburgh, PA

November 13 Louisville, KY

November 6 Nashville, TNNovember 20

Phoenix, AZ

May 8 Columbus, OH

May 15 New York, NY

June 26 Los Angeles, CA

June 5 Seattle, WA

September 11 Boston, MA

September 18 Minneapolis, MN

September 25 Kansas City, KS

HCCA is going green HCCA conference attendees will NOT automatically receive conference binders. If you would like to purchase conference binders, please choose that option on your conference registration form. Attendees will receive electronic access to course materials prior to the conference as well a CD onsite with all the conference materials.


42

Editor’s note: Michael Spake is Director, Compliance & Privacy with MCG Health, Inc. in Augusta, Georgia. He may be reached by e-mail at [email protected] or by telephone at 706/721-0900.

“A new beginning has to be made from the lowest foundations, unless one is content to go round in circles forever”.

—Francis Bacon1

Ethicists and hospital ethics com-mittees originated as support func-tions of hospital operations during

the second half of the 20th century.2 The idea of a hospital employing an ethicist to create, implement, and oversee a hospital ethics committee materialized as a result of technological developments in the medi-cal field, new ideas about patients’ rights, and scenarios that brought to the forefront conflicts between moral perspectives and medical judgments. As a result, the function of hospital ethics committees and the defini-tion of ethics in the hospital setting centered on clinical-based decision-making between a physician and a patient, case consultations, and closed-door discussions about human-subjects research.

Since 1990, almost every US hospital has similarly hired a compliance officer to create, implement, and oversee a legal compliance program. Compliance programs have been built around systems focused on preventing, detecting, and punishing violations of the law. Their existence and function was a direct response to the federal government’s scrutiny and challenge to hospitals to reduce fraud, waste, and abuse, as well as the cost of health care to federal, state, and private health insur-ers. The goals of a compliance program cen-

ter on demonstrating the seven elements of a compliance program as identified by the U.S Department of Health and Human Services Office of the Inspector General.3 These are viewed as fundamental to an effective com-pliance program. The seven elements are:1 Designing and distributing standards of

conduct including policies and procedures to address areas of potential fraud, such as claims development and submission process, and financial relationships with physicians and other health care profes-sionals;

2 Designating a chief compliance officer and other appropriate bodies charged with the responsibility of operating and monitoring the compliance program and who report directly to the CEO and the governing body;

3 Developing and implementing regular, effective education and training programs for all affected employees;

4 Maintaining a process, such as a hotline, to receive complaints, and adopt procedures to protect the anonymity of complainants and to protect whistleblow-ers from retaliation;

5 Developing a system to respond to allega-tions of improper/illegal activities and to enforce appropriate disciplinary action against employees who have violated internal compliance policies, applicable statues or regulations of federal health care program requirements;

6 Auditing evaluating, and monitoring compliance and assist in the reduction of identified problem areas; and

7 Investigating and taking remedial actions.

The Next Generation model

Today, many hospitals are questioning the status quo of both their hospital ethics com-

mittee and compliance program in an effort to determine their effectiveness. In addi-tion, hospitals are being challenged by the United States Sentencing Commission to establish organizational cultures that pro-mote compliance and ethics. Pursuant to the United States Sentencing Commission, an organization may mitigate criminal fines and penalties by establishing and implement-ing an effective compliance program.4 As a result both ethics and compliance programs are simultaneously striving to gain greater effectiveness by achieving a level of success coined “Next Generation” status.5 The Next Generation model is guided by the following principles: 1 Committees are proactive, not just

reactive; 2 Committees are organizationally

integrated, not isolated; 3 Committees are accountable for perfor-

mance, based on demonstrable outcomes, not just good intentions; and

4 Committees are oriented around organi-zational core values, not just regulatory/accreditation requirements.

Today, compliance programs are making improvements towards greater effectiveness by moving from prevention and detection programs of retrospective review to programs that promote organizational ethics and encourage employee commitment to organi-zational values. Hospital ethics committees are simultaneously moving from mechanisms that provide only clinical consultations to becoming the center of ethical responsibility for operational decision-making. However, neither will independently achieve Next Generation status. Instead, Next Generation status will only be achieved when ethics and compliance are molded into an integrated operational model that (1) aligns the organization’s separate ethics and compliance support functions to build capacity into the

Standing at the crossroads

By Michael Spake, MHA, JD


43

operational decision-making process and (2) shifts from programmatic and individual responsibility for compliance and ethics to organizational commitment that permeates the entire organizational culture.

Most compliance programs put in place by health care organizations have been designed and implemented to meet the legal require-ments established by federal and state govern-ment. They tend to set minimum standards aimed at meeting a clear and measurable goal: “Is it legal?” Such compliance programs are rules-based and often result in a policing function that “pushes” individuals and the organization away from awareness of an institutional ethic. Unfortunately, many com-pliance programs have not striven beyond this minimum-standard mentality of achieving and documenting legal compliance. Ethics and values, by contrast, are managed on an ad hoc basis or as a retrospective review to either justify a decision or analyze a failure. As a result, values analysis and ethical discernment remain excluded from management decision making. In most cases, decision making is limited to financial, legal, and market share analyses.

Many hospitals have inadvertently created this shortfall by creating an erroneous division between compliance and ethics. The narrow concentration of ethics and compli-ance has lead to the correlation of compliance with business transactions (i.e., Business Ethics) and ethics with clinical care (i.e., case consultation). Values analysis and ethical discernment should be carefully distinguished from compliance analysis.

Compliance requirements do not always reflect society’s moral standards and values, even when the law is directly concerned with ethical or moral problems. The mere fact that something is legal does not make it morally

acceptable. At the same time emphasizing ethics without stressing the necessity of rules and laws can leave employees in a vulnerable position. Taken as a whole, hospitals should acknowledge this distinction; but it should be acknowledged by recognizing compliance and ethics within the scope of an overall intuitional ethic composed of the following elements:n Clinical ethicsn Research ethicsn Social responsibilityn Professional responsibilityn Business ethics, and n Compliance

Currently, hospitals are operating each ethics component as a separate and divergent func-tion through ethics committees, institutional review boards, Mission departments, Human Resources, and Compliance offices. How-ever, when aligned in an integrated ethics model (Figure 1) they assert an institutional ethic that embraces compliance with legal requirements and the values of the entire organizational culture. Such a model not only takes into account the minimal consider-ations of the organization’s legal duties and the moral rights of others, but it aligns ethics components in a manner that emphasizes a systematic approach and takes into account

that a single compliance/ethics incident can be reflective of a larger organizational ethic.

This integrated operating model develops organizations beyond meeting the basic compliance and regulatory requirements and better positions them to react to changing expectations. The model moves past rules-based compliance, policing employee actions, and catching lawbreakers, and simultaneously expands the current, narrow ethics strategy of clinical consultations to a larger total organizational ethic. Such a model clarifies to employees what conduct is appropriate to the mission and values of the organization – and what it not. At the same time it acknowledges that emphasizing mission, ethics, and values without stressing the necessity of rules and laws can leave employees in a vulnerable position. As a result, the integrated opera-tions model would answer the question “Is it legal?” however, it would continue its evalua-tion to include identification of all stakehold-ers, identification of values and concerns, and consideration of alternatives.

Moreover, an integrated operational model would be capable of not only defending its choice, but also helping the organization understand why it decided against other


MISSION

Executive ManagementGovernance

INSTITUTIONAL ETHICClinical OperationsFinancial Operations

Risk ManagementHuman Resources

OPERATIONAL SUPPORT ELEMENTS of COMPLIANCE & ETHICS

Business Ethics& Compliance

Social Responsibility

ProfessionalResponsibility

ResearchEthics

ClinicalEthics

Figure 1: The integrated operations model

March 2009

44

SAVE THE DATESAHLA/HCCA Fraud & Compliance ForumOctober 4–6, 2009 | Baltimore, MD Register online now at www.hcca-info.org/fraud

Quality of Care Compliance ConferenceOctober 11–13, 2009 | Philadelphia, PARegister online now at www.hcca-info.org/quality

Physician Practice Compliance ConferenceOctober 11–13, 2009 | Philadelphia, PARegister online now at www.hcca-info.org/physicians

Research Compliance ConferenceOctober 18–20, 2009 | Minneapolis, MNRegister online now at www.hcca-info.org/research

Health Care Compliance Association6500 Barrie Road, Suite 250

Minneapolis, MN 55435888-580-8373 (p) | 952-988-0146 (f)

[email protected] | www.hcca-info.org


45

alternatives. Finally, by practicing such discernment, a health care organization can clearly identity its motivations by having a deeper understanding of its actions.

This integrated operating model cannot be achieved by a single department or ethic component. Instead it involves an integrated structure (as described above) that, through a broader ethics mechanism, builds capacity within the operating functions6 of a hospital. Creating capacity throughout such a broad ethics mechanism includes building tools as uncomplicated as a simple checklist for a single decision maker to ensure that he or she is considering all the relevant dimensions of a complex issue.

Also, and more importantly, it integrates eth-ical discernment into the organizational deci-sion making process. For example along with financial, legal, and market share analyses, an organization’s management team that is practicing an integrated ethics model would also consider the following when evaluating a project or course of action:n Is the action consistent with the organiza-

tion’s basic duties?n Does the action respect the rights and

other legitimate claims of the identified stakeholders?

n Does this action reflect a “best practice?”n Is the action consistent with the organiza-

tion’s mission, vision, and values?7

These questions elicit minimal considerations that address the organization’s duties and the moral rights of others. However, it also raises considerations beyond the minimum standard and emphasizes an ethic demonstra-tive of leadership organizations.

Leadership

Once a health care organization has achieved an integrated ethics model, the final barrier

to achieving Next Generation status is shifting the organizational culture from one of individual responsibility for compliance and ethics to one in which the organiza-tion is committed to achieving operational excellence in ethics. The compliance officer cannot serve the roles of both oversight and owner of corporate compliance. Similarly, ethicists should not be the sole decision-makers when evaluating an organizational situation. Instead, leadership should embrace the integrated model under the framework that everyone is responsible for pursuing the institutional ethic. Success in building such an integrated model requires leaders across all disciplines who have a clear conception of the organization’s values, talent management, mission, and community commitment.

Leaders must learn and build ethical aware-ness into the culture of the organization. This type of compliance and ethics strategy cannot be guided by one ethics officer, but requires a multi-dimension strategy built from each ethical component that facilitates values-based decision-making at every level of management on a day-to-day basis. Such a strategy is based upon having a culture of openness, organizational responsibility, and a commitment to ethics within each business goal. Successfully implementation of this strategy requires not only intellectual commitment of leadership and all employees, but also a sense of shared values and purpose throughout the organization. The end result is leadership committed to problem finding, not merely problem solving, and to accepting responsibility at all levels.

Finally, an organization’s compliance and/or ethics failure cannot be viewed as a program-matic failure or individual shortfall. Instead, it is an organizational opportunity to reflect upon the entire ethical situation as opposed to scrutinizing the situation. For example,

after screening employee applications and qualifications, interviewing candidates, background checks, and calling references, the department of an organization hires a new employee. After the first six months, which included training and later a remedial work-plan, the employee continues to have below average productivity. During this period, it is evident the new employee is becoming frustrated and angry at his situation. Finally, the new employee gives-up; but rather than resign from his position, he/she commits an act of workplace violence, nearly injuring his supervisor and co-worker. His actions result in a criminal charge of attempted murder.

Afterwards, a compliance investigation is conducted. The investigation concludes that all actions taken to “help” the new employee were in accordance with the organization’s formal published policies. The investigation further includes that no one was hurt and the wrong-doer will be punished not only by immediate termination, but also in his/her upcoming criminal trial. The investiga-tion is completed and documented in the Compliance log. Overall, the situation was a near-miss, but considered a success.

An organization that practices the integrated ethics model would examine the incident beyond the facts/legalities and consider whether or not this one instance is reflective of a larger organizational ethic. The organiza-tion would identity and explore its motiva-tions and the new employee’s, and thereby have a deeper understanding of the actions of all parties involved. More specifically, the organization will take accountability and ask if it failed the new employee.n Did the organization’s screening process

fail?n Did the organization fail to develop the

new employee appropriately?

Standing at the crossroads ...continued from page 43



46

Editor’s note: Sonya Burtner works as a compli-ance specialist for Shands Health-Care in Gainesville, Florida, a seven-hospital health care system. She may be reached at 352/733-0057 or by e-mail at [email protected].

When my parents lived in Chicago in the 1950s, it was not uncommon for my mother to call our family doctor, about me or one of my siblings, to discuss a medical issue. The doctor would direct the sick child to cough into the phone. A prescription was then called in.

Patient care at a distance is certainly not a new practice. There are many examples in our history illustrating this concept. In 1642, Theophraste Renaudot, a French physician and philanthropist, created a patient booklet with lists of symptoms and simple body diagrams. The patients would check off the symptoms they were experiencing from the list and used the diagrams to identify the body parts that were troubling them. This innovative booklet enabled a patient to receive a diagnosis and treatment by post without a personal visit to the physician. Other doctors also engaged in such practices, such as William Cullen (1710-1790) of Edinburgh, Scotland and John Morgan (1735-1789) of Philadelphia, who were both equally active with postal consultations.1

In more recent years, due to the vast improve-ment of modern technology, care at a distance has become more sophisticated and developed into what we now know as telemedicine. This article explores current applications of telemedi-cine, the benefits, and some of the associated compliance and legal risks that hospitals have to contend with when practicing telemedicine.

DefinitionsThe American Telemedicine Association

(ATA) defines telemedicine as “the use of medical information exchanged from one site to another via electronic communications to improve patients’ health status.” Medical information can now be communicated via the Internet, video conferencing equipment, and satellite technology. Telemedicine is as basic as a telephone call between two providers discussing the case of a patient, or as complex as using satellite technology for robotic surgery.

The terms telehealth and telemedicine are often used interchangeably. Telemedicine is most often defined as focusing on clinical services and the curative aspect, whereas telehealth has a broader meaning and can refer to clinical and non-clinical services, such as medical education, administration, and research, in addition to clinical services.

Other terms used in the industry are the “originating site” which is the site where the patient receiving the service is located, as opposed to the “distant site,” the site where the physician providing the service is located. Also, services where both parties are interact-ing at the same time with a communications link between them are called “real time” services or synchronous telemedicine. In contrast “store and forward technology” refers to the asynchronous transmission of medical information to be reviewed at a later time.

Current applications

The dramatic growth of technology and the Internet has provided great benefits to health care. Consumers all over the world have a wealth of health information at their fingertips and can receive diagnostics and purchase pharmaceuticals. A few of the many applications of telemedicine are described below.

Teleradiology/telepathology - One of the most common applications of telemedicine is teleradiology and telepathology. A smaller hospital, for example, with limited staffing resources may contract with a bigger hospital for the purposes of interpretation and/or consultation of tests for trauma patients after hours. Radiological patient images, such as x-rays, CAT scans, and MRIs, are transmitted from the originating site to the distant site.

This saves time and improves patient care by allowing hospitals to access radiology services 24/7. Teleradiology can be accomplished with an international distant site as well. In fact, outsourcing teleradiology services overseas (in countries such as India, Israel, and Australia) is becoming popular to cover the night hours along with radiologists in other US time zones, hence the term of “nighthawk” radiol-ogy services. Similarly, telepathology activities occur to provide urgent services at sites without a pathologist. Both teleradiology and telepathology are instrumental in providing consultative services with immediate access. This can be extremely beneficial to physicians in rural areas or for a physician seeking a second opinion in emergency situations.

Telephone and online patient consultations Patients consulting their physicians over the phone or by e-mail via the Internet is not a new practice, but until recently, there were no CPT codes to report these services. The CPT codes for telephone services have been updated for 2008 to 99441, 99442, and 99443 and are based on the amount of time spent discussing the medical issue. And in 2008, the CPT code 99444 became available to report online services. According to the AMA Current Proce-dural Terminology (CPT), the services can only be reported for an established patient and only once for the same episode of care in a seven-day-period. The service must include all other communications, such as related phone calls,

Cyber doctors By Sonya Burtner, MA, CHC, CPC, CPC-H


47


prescription, and lab orders. The e-mails must be kept in permanent electronic or hardcopy storage. Even though the guidelines are strict, the assignment of these CPT codes is very encouraging for telemedicine providers, because it is a start towards acknowledging these types of services for reimbursement purposes in a time where phone and Internet communica-tions have so many appeals to patients.

Note: The above CPT codes were the only existing “tele” codes before July 1, 2008, because all other telemedicine activities are reported using the same CPT codes as the service conducted without telemedicine. Effective July 1, 2008, the AMA intro-duced new CPT Category III Codes to report remote real-time interactive video-conferenced critical-care services. The codes are 0188T and 0189T. The creation of new CPT codes to accurately capture telemedicine activities will probably increase every year.

TelemarkerA special portable phone used in Israel can assist in the determination of a real heart attack. The process is simple. If a patient is experiencing chest pain, a simple self blood test (called Tele-marker) is performed. The test can detect the presence of two proteins, which are bio-chemi-cal precursors of a heart attack. The device sends the information to a center through a modem, and the doctor can analyze the results and determine if there is a real medical emergency.This device avoids unnecessary hospitalizations and reduces unnecessary costs.2

iPathA telemedicine network developed at the University of Basel, iPath allows publication and discussion of medical cases for second opinion consultations. iPath is a secure teleconsultation tool that enables virtual communities of care profes-sionals to exchange advice about the management of clinical cases in several expertise domains. The

network has been active since 2001 and is used in 15 French-speaking African countries, including Mali, Mauritania, Morocco, Tunisia, Senegal, Cameroon and the Ivory Coast.3

Telesurgery On September 7, 2001, a team of French surgeons located in New York performed a gall bladder removal with the Zeus Robotic System (at this time, no longer on the market) on a 68 year-old woman located in Strasbourg, France – 4,000 miles away. “Operation Lindbergh” took 45 minutes and was the first robotic transAtlantic telesurgery. The procedure was successful with no complications and the patient was discharged two days after the operation.4 Telesurgeries (also known as remote surgeries) have not yet occurred with patients in the U.S.; however, robotic systems are being used for surgeries when a physician is in the same room with the patient. The Food and Drug Administration (FDA) first cleared the da Vinci Robotic System in 2000 for general laparoscopic surgeries, such as a gall bladder removal and for treatment of severe heartburn. Since then, use of the system has increased and expanded into several other surgical areas.

The da Vinci Robotic System allows surgeons to operate from a distance with a minimally invasive approach that uses small incisions. The robotic system includes a post with multiple arms which is positioned over the patient. The surgeon is seated across the room from the patient and has his/her arms inserted in a con-sole. The surgeon manipulates the robot’s arms while looking at magnified 3D images of the surgical site. Remote surgery is still considered investigational within the U.S. and “should not be performed except under IRB [Investiga-tional Review Board] approval and by persons thoroughly familiar with the technology.”5 Nevertheless, the revolutionary event of Opera-tion Lindbergh supports the incredible potential of telesurgery, bringing new opportunities to the

delivery of patient care. Some day, telesurgery may enable surgeons to operate from remote locations to help fallen soldiers in a battlefield or even astronauts in space.

Benefits of telemedicine

The Internet is dramatically changing the way consumers access health information, receive diag-nostics, and purchase pharmaceuticals, and plays a key role in expanding the reach of telemedicine. Telemedicine appeals for a host of reasons:n Increased access to health care –

Telemedicine increases access to health care in a variety of situations: the Emergency department physician can seek a second opinion quickly, the isolated community can access a specialist when there is none in the area, the understaffed hospital can contract radiology services af-ter hours and support emergency services.

n Cost savings to patients – Telemedicine offers certain conveniences, such as allow-ing the patient to contact his/her family doctor without leaving home or to use the Telemarker test to save a trip to the emer-gency room. Internet communications are convenient and efficient for simple medical problems and save both time and money. The health care consumer nowadays is much more informed, educated, and accus-tomed to using electronic sources to gather and transfer information, and is more likely to ask for advice by e-mail or phone.

n Cost savings to providers – Providers also benefit from telemedicine. Travel time for providers can be significantly reduced as well. Many radiologists have opted to get the applicable equipment installed in their homes when participating in teleradiol-ogy services, thus saving on transportation expenses with the additional attraction of flexible working hours.6

n Improved patient outcomes – Telemedicine provides quicker delivery of


48

Cyber doctors ...continued from page 47

care, which leads to improved continuity of care. Doctors can get a more accurate diagnosis of their patients with the quick access to a second opinion by teleconsult-ing with a specialist.

n Cutting edge opportunities – State of the art equipment, such as remotely controlled surgical robots, are opening up many future opportunities for research, the military, and NASA.

Compliance and legal issues

The telemedicine industry faces many challenges. Hospitals and other providers need to conduct due diligence before engaging in any telemedicine activities. Below are some of the issues.

Interstate licensingThe essence of telemedicine is practicing medicine without borders. Technology enables the provider to render an opinion or interpret a test on a patient who lives down the road as easily as one living in a different state or across the world. However, when telemedicine is practiced across state lines, licensure becomes an issue. The patient’s physical location (i.e., the originating site) identifies the location where the health care is provided, so a provider must abide by the laws of that state. In many cases, this may mean that the provider has to get licensed in that state. This can be quite burdensome for a telemedicine provider who may have to fill out multiple licensure applications and pay multiple registration fees in order to practice. In addition, each state has its own licensure laws regulating telemedicine with varying degrees of restrictions or exemp-tions. In Arizona, licensure requirements do not apply if a doctor licensed in another state engages in an episodic consultation about a patient with a doctor licensed in Arizona. Montana, on the other hand, prohibits the practice of telemedicine without a telemedicine certificate issued by the State Board of Medical Examiners.7,8 Some states have not determined

how they want to address the out-of-state providers licensure issue.

It is not just a physician issue. Hospitals may be viewed as “aiding and abetting” the physician who is practicing telemedicine without a license in another state. A hospital must carefully review each state’s requirements with their Legal depart-ment before engaging in any kind of telemedicine involving physicians in other states.

Several medical specialties, such as the American College of Radiology (ACR), have developed guidelines for telemedicine activities to ensure the protection of the patient. On the topic of overseas contracting for teleradiology, the ACR recommends that the overseas radiologist “be licensed by the state(s) and credentialed by the U.S. hospital(s) that contracts for their services as stated in the American College of Radiology Tel-eradiology Technical Standards.” The interpret-ing physician should also be covered by medical malpractice insurance. Hospitals should conduct due diligence when entering into contractual arrangements with teleradiology companies.

Discussions are underway to try to resolve these licensure dilemmas. The 2001 Telemedi-cine Report to Congress outlined different alternatives to address these issues, includ-ing assessing the feasibility of developing common licensure application forms.

Credentialing issuesAnother dilemma for which solutions are not clearly defined by the regulations are creden-tialing issues. Must a telemedicine provider be credentialed in the state in which the patient is located? Various credentialing organiza-tions, such as the Joint Commission of Accreditation (JCAHO), have provided some standards for telemedicine which indicate that a licensed practitioner who is responsible for the care of a patient via a telemedicine link is subject to the credentialing and privileging

processes of the originating site. However, the originating site can use the credential-ing information from the distant site, if the distant site is a JCAHO–accredited organiza-tion (Standard MS.13.01.01). JCAHO does not address all areas of telemedicine services. Consultative services, for example, fall outside the scope of the JCAHO telemedicine stan-dards.9 And, what about the teleradiologist who is unaffiliated with a particular hospital and practices independently? Telemedicine is still an underdeveloped medical-legal frontier.

Security and privacy issuesPrivacy, security and confidentiality issues are not unique to telemedicine. Similar to any other electronic transactions, hospitals must ensure that adequate precautions are taken when transmitting protected health information (PHI) out of the hospital networks. Because telemedicine activities can be broadcast anywhere, the concerns are perhaps more prevalent. The America Medical Association (AMA) has developed guidelines for physician–patient e-mail communications. Advances in technology have brought great benefits as well as drawbacks in this area.

Informed consentPhysicians who practice telemedicine must also consider informed consent requirements, which vary from state to state. In some states, the informed consent requirements do not apply if the patient is not involved directly in the tele-medicine activity (such as consultative services). In addition, the physician’s home state may have different informed consent requirements than the state where the patient resides. The treating physician should explain to the patient, not only the risks associated with the telemedicine service, but issues such as which state the telemedicine provider is licensed/credentialed in, the process for follow up care, the equipment required, and the operating staff that may be required at the originating site and at the distant site.10


49


Telemedecine equipmentThe technology involved with a telephone or simple videoconference hookup for telemedicine services is easy to use and readily available. However, depending on the type or equipment or technology used in the telemedicine service, the provider may be required to abide by state and federal regulations related to the use of such equipment. The Federal Food and Drug Administration (FDA) has the responsibility for regulating the safety and effectiveness of medical devices, and therefore, may regulate software and hardware used to practice telemedicine. Also, tele-medicine providers must consider particular state regulations. Some states have instituted specific rules governing the use of the Internet, e-mail and similar technologies when treating patients.

Hospitals and telemedicine providers need to review FDA and state regulations in telemedicine arrangements in reference to equipment, related technologies, and the use of the Internet in the treatment of patients.

Reimbursement issues

The lack of reimbursement for the provision of this mode of treatment is an obstacle to the expansion of telemedicine. Congress has taken some action in the Balanced Budget Act (BBA) of 1997 where some Medicare reimbursement for telehealth services was authorized. Congress has further directed The Centers for Medicare & Medicaid Services (CMS) to establish a payment methodology for telemedicine services in rural shortage areas if certain conditions are met.11

MedicareThe Medicare Policy Benefit Manual has specific guidelines for coverage and payment for telehealth services. The list of services covered are: consultations, office visits, individual psychotherapy, pharmacologic management, psychiatric diagnostic interview examination, end-stage renal disease-related services, individual medical nutrition therapy, and most recently

added in 2008, neurobehavioral status exam. The CPT codes used to report telehealth services are no different than regular services performed without the use of a telecommunications system (with the few exceptions already mentioned for telephone and online consultations and remote-real time interactive video-conferenced critical care services). The originating site must be located either in a rural health professional shortage area (HPSA) or in a county outside of a metropolitan statistical area (MSA). Authorized originating sites are limited to a physician’s office, a hospital, a critical access hospital, a rural health clinic, or a federally qualified health center. On July 16, 2008 Congress passed H.R. 6331, which expanded Medicare coverage beginning January 1, 2009, to include skilled nursing facilities, in-hospital dialysis centers, and community mental health centers as telemedicine sites.

The guidelines further state: “For Medicare payment to occur, interac-

tive audio and video telecommunica-tions must be used, permitting real-time communication between the distant site physician or practitioner and the Medicare beneficiary. As a condition of payment, the patient must be present and participating in the telehealth visit.”

The payment amount is equal to the reimbursement of the service without the use of telemedicine. There is one exception to the interactive telecommunications requirement in the case of federal telemedicine demonstration programs, such as the ones conducted in Alaska or Hawaii. In those cases, Medicare payment is permitted for “store and forward technology”.12

Telephone calls and online consultationsMedicare does not pay for telephone calls or online consultations at this time. In fact, the Medicare Benefit Manual Medicare, Chapter 15 states that telephone call services are consid-ered an integral part of the physician services

and there is no separate payment. Though this article does not focus on non-federal payers, it is worth mentioning that Aetna and CIGNA HealthCare are already paying some physicians for online patient consultations.13

Home healthFederal regulations require face-to-face visits for home health, and telemedicine cannot be used as a substitute for those visits. However, a telemedicine encounter may be used as a supplement to the required face-to-face visits. The Medicare Benefit Policy Manual, Chapter 7 can be reviewed for further detail.

Teleradiology outsourcingWith respect to teleradiology that is outsourced to a different country, CMS prohibits pay-ments to providers outside the United States. Hospitals with such arrangements would have to pay the overseas radiologists directly. The ACR has voiced concern about the interpreta-tion of radiology images outside of the U.S., because of the risk that a US radiologist would be signing off on the “ghost-read” radiographs without a careful review.14

MedicaidCMS has not formally defined telemedicine services for the Medicaid program; however, in some states, Medicaid reimbursement is available for certain services.

2009 OIG WorkPlan

It is noteworthy that some form of telemedi-cine auditing is included in the 2009 Work Plan. OIG will be reviewing the appropriate-ness of Medicare claims for long-distance evaluation and management services:

“Pursuant to the CMS ‘Medicare Benefits Policy Manual,’ Pub. No. 100-02, ch. 15, § 30, a service may be considered a physician’s service if the physician either examines the


50

Cyber doctors ...continued from page 49

patient in person or is able to visualize some aspect of the patient’s condition without a third person’s judgment. Although services provided by means of a telephone call be-tween the physician and the beneficiary may be covered under Medicare, there are certain services that require a face-to-face visit. Previous OIG work identified instances of physicians billing for services that would nor-mally require a face-to-face examination for beneficiaries who lived a significant distance from the physician. We will also examine factors that contribute to the submission of long-distance physician claims.”

Per the Medicare Benefit Policy Manual, Chapter 15, Section 270.2,

“the use of a telecommunications system may substitute for a face-to-face, ‘hands on’ encoun-ter for consultations, office visits, individual psychotherapy, pharmacologic management, psychiatric diagnostic interview examination, end stage renal disease related services, and individual medical nutrition therapy.”

However, because the CPT codes used are,

in most cases, the same as non-telemedicine encounters, it is unclear how the OIG will pull the data for this review.

Conclusion

Telemedicine plays a critical role in providing access to health care, especially in underserved areas. Providers must ensure that the risks of providing telemedicine services do not outweigh the benefits, carefully enter into agreements with the assistance of their Legal department, and should develop telemedicine policies. n

1 Wikipedia, the Free Encyclopedia – http://en.wikipedia.org/wiki/In_absentia_health_care

2 Official Site of the French/Israeli Chamber of Commerce - Article by Michael Finkelstein – 9/27/2008 - Available at: http://www.israelvalley.com/news/2008/09/27/19708/israel-medical-abecedaire-telemedecine-peut-savoir-si-le-risque-de-crise-cardiaque-est-reel-grace-a-un-telephone-portable-special

3 Reseau RAFT Network - http://raft.hcuge.ch/4 Surgeons perform successful near real time telesurgery from New York

on patient in France. Available at: http://www.hoise.com/vmw/01/articles/vmw/LV-VM-10-01-20.html

5 Society of American Gastrointestinal Endoscopic Surgeons (SAGES) 2000 - Remote Surgery Guidelines

6 Radiology Today - “Remote Reading -PACS and Teleradiology Let Radiologists Work Almost Anywhere.” - Dan Harvey - 4/10/06

7 AMA - Physician Licensure: An Update of Trends – Janice Robertson- 2/27/2008

8 Lynn D. Feisher and James C. Dechene, Eds: Telemedicine and E-Health Law. Law Journal Seminars Press; Lslf edition (December 5, 2004) Chapter 1

9 JCAHO Perspectives - Existing requirements for telemedicine practitio-ners explained – Feb 2003. Available at: http://americantelemed.i4adev.com/files/public/abouttelemedicine/JCP_2_2_2003.pdf



12 Medicare Benefit Manual – Chapter 15 – Section 270 – Telehealth Services13 New, Revised CPT Codes Target Online, Telephone Services - Sheri Porter

– 2/29/08 – Available at: http://www.aafp.org/online/en/home/publica-tions/news/news-now/practice-management/20080229cptcodes.html

14 The American College of Radiology ( ACR) - Revised Statement on the Interpretation of Radiology Images Outside the United States – 5/23/06

n Is there a higher-level management issue within the department?

n Because the employee has a pregnant wife who is about to deliver, should the organization maintain their benefits? If so, for how long?

Overall organizational responsibility and commitment to the institutional ethic recognized by this model is dependent on the commitment of the organization’s governance and executive leadership. Almost every hos-pital operates each of the ethics components described in this model. The model proposed in this paper, though, is just a model. At the end of the day, what counts is how the organization places this model (or any model) into practice; and more importantly, how it is promoted and practiced by its executive leadership and board.

As organizations and the delivery of health care evolves, our system of caring is becoming more complex. As a result, we as providers of health care, both clinical and non-clinical, will face more multifaceted ethical and legal challenges. The strategy above is neither a “golden hammer,” nor a one-size-fits-all resolution to the challenge. Instead, it is an attempt to encourage rethinking of our overall ethics strategy and commitment to mission driven health care. n

1 Bacon, Francis, ed. Lisa Jardine. New Organon. Cambridge University Press. March 2000.

2 See “Success and Failures of Hospital Ethics Committes: A National Survey of Ethics Committee Chairs” Gleen McGee. Cambridge Quarterly of Healthcare Ethics, Volume 11, Issue 1, January 2002 p87. (Healthcare ethics committees formally began with the adoption of Committees for the Discussion of Morals in Medicine at U.S. Catholic hospitals in the 1960s.).

3 See 63 Fed Reg No. 35, 8987 (February 23, 1998). 4 U.S. Sentencing Commission Guidelines, November 1, 2006, Chapter

8.5 See Murphy PhD, Kevin. “A ‘Next Generation’ Ethics Committee.”

Health Progress. March-April 2006. 6 Clinical Operations, Finance, Risk Management, and Human Re-

sources7 Paine, Lynn Sharp. Ethics: A Basic Framework. Harvard Business

Review. October 12, 2006.

Standing at the crossroads

...continued from page 45

CCB Accredited

Certificate in Health Care Compliance

Gain the knowledge compliance officers need in a unique setting

• Interactive courses from industry leaders

• Part time program for working professionals

• Practical knowledge to prepare for the certification exam—and a meaningful new career

www.hamline.edu/law/health | 651-523-2625 | [email protected]

C R E D I B I L I T Y


51


Editor’s note: Ed Rauzi and Lisa Hayward are partners in the Seattle Office of Davis Wright Tre-maine, LLP. They work for clients in the health care delivery system full-time, all the time. Ed may be reached by telephone at 206/757-8127 and Lisa’s number is 206/757-8058.

A lthough it receives scant atten-tion, the Stark Law has always authorized the Secretary of Health

& Human Services to require hospitals to submit information concerning financial relationships such hospitals have with physi-cians. Regulations purporting to implement that authority have existed since 1991.1 To date, however, there is no evidence that the Centers for Medicare and Medicaid Services (CMS) has ever used its authority, even in an investigation. That may soon change.

In a filing with the Office of Management and Budget (OMB) on December 18, 2008, CMS sought approval of documents that will require selected hospitals to disclose in writing the financial relationships they had with physicians in calendar year 2006. OMB’s permission is required under the Paperwork Reduction Act, which prohibits a federal agency from subjecting any person to a penalty for failing to respond to a request for information unless the request includes an OMB authorization number.

If CMS gets its way, 400 hospitals will soon be receiving a form letter transmitting a

packet of information and eight Microsoft Excel spreadsheets. The letter will inform the hospitals that they have 60 days to compile a comprehensive list and provide documenta-tion of virtually all financial relationships with physicians and their immediate family members.2 The disclosing hospitals will need to identify and disclose each financial rela-tionship with each physician. As compliance officers know, a hospital is prohibited from submitting a claim to the Medicare program based on an order or referral from a physi-cian with whom the hospital has a financial arrangement that does not satisfy a Stark exception. The CEO, CFO or “comparable officer” will be required to certify that the information is “true and correct, to the best of my belief and knowledge.”

This is not CMS’s first attempt at obtaining approval to send out a demand for information. As Compliance Today noted in its September 2007 edition, CMS has been pursuing this initiative for some time.3 Perhaps in response to criticism by lobbyists and the hospital industry, the last iteration of the packet was withdrawn by CMS on April 10, 2008. CMS began retracing its steps with the publication of a notice solicit-ing additional comments in the April 30, 2008, edition of the Federal Register.

The details CMS changed in the new packet include:n Reducing the number of hospitals to be

surveyed from 500 to 400;

n Increasing the estimate of time that will be spent in responding from six to 100 hours;

n Disclosing that the responses will be evaluated initially by a Program Safeguards Contractor;

n Requiring the disclosure of the National Practitioner Identifier numbers of physicians (instead of Unique Physician Identification numbers);

n Acknowledging that “some” hospitals may solicit legal review of the information before it is submitted;

n Clarifying that transactions in each direc-tion (e.g., leases to physicians by hospitals as well as leases from physicians by hospi-tals) are included; and

n Warning that the government will not be “estopped” from asserting that an arrange-ment the hospital characterizes as compli-ant is non-compliant.

Many more things in the packet stayed the same. In addition to the certification requirement:n The deadline to respond remains 60 days

after receipt (although CMS will consider granting extensions);

n The sanction for late responses is poten-tially $10,000 per day;

n Unless the hospital has a calendar fiscal year, information (and contracts) for two fiscal years will be required;

n Unless groups of agreements are “substan-tially the same,” copies of each agreement must be submitted;

n The hospital must assert whether each agreement satisfies all of the elements defined in the applicable regulation;

n The hospital must identify not only recruiting, personal service and rental ar-rangements that they believe fit within an exception, but also relationships that are “implicated” by those exceptions; and

n That the information obtained may be “shared” with other government agencies.

Mandatory Stark reporting: Is a

denouement nigh, or just another chapter in

the saga?By Edwin Rauzi and Lisa Hayward


52

Mandatory Stark reporting:


One conundrum that hospitals are likely to face is whether each contract with each physician for each portion of the two year period must be provided to CMS. If the hospital’s contracts are “uniform,” then only a sample must be provided. An agreement is uniform if “all of the elements present in the arrangements are materially the same.” Given the language in the certification, the stakes involved, and the nature of contracts between physicians and hospitals, contracts that are “uniform” may prove to be the exception rather than the norm.

The names of approximately 290 hospitals that will receive the packet can be identified. Those hospitals are either physician-owned or competitors, who failed to respond to an earlier “voluntary” request for information. At the time this article goes to press, it is not possible to identify the remaining 110 hospitals. It seems likely, however, that at least one hospital in each state (and more likely, two) will be chosen.

Hospital compliance officers are well-advised to show the Certification Statement and Worksheet 7 to the CEO and CFO, along with the form’s cover letter.4 A candid discus-sion of whether the hospital could respond with the scope and quantity of information required and in the time allotted should ensue. The hospital may choose to play “Russian Roulette” and gamble that it is not one of the hospitals chosen, but woe to the compliance officer whose senior management is “surprised” at receiving CMS’s demand. n

1 56 Fed. Reg. 613742 The instructions state: “For any question pertaining to the financial rela-

tionship between a physician and the Hospital or entity or individual, “physician” shall include each immediate family member of the physi-cian, as defined in 42 CFR §411.351.”

3 CMS sought public comment in Federal Register notices that published on May 18, 2007 (72 FR 28056), and September 14, 2007 (72 FR 52568). CMS began the process anew in the FY 2009 IPPS proposed rule (73 FR 23700).

4 The full packet is available at http://www.cms.hhs.gov/PaperworkReduc-tionActof1995/PRAL/itemdetail.asp?filterType=none&filterByDID=-99&sortByDID=2&sortOrder=descending&itemID=CMS1218565&intNumPerPage=10

include: retained foreign object after surgery, air embolism, blood incompatibility, stage III & IV pressure ulcers, falls and traumas such as electric shock and burns, and manifesta-tions of poor glycemic control.

Two recent developments signal CMS’ intent to expand this policy to professionals and to entities other than inpatient hospitals. First, in the OPPS Final Rule, CMS discussed in detail its intent to expand its Hospital-Acquired Conditions program to outpatient hospital and other settings. Coining the term “healthcare-associated conditions,” CMS signaled its intent to extend the IPPS policy to hospital outpatient departments, ambulatory surgical centers (ASCs), skilled nursing facilities (SNFs), home health, physician practices, and other settings where preventable conditions can arise. Although no definitive policy changes were adopted in the OPPS Final Rule, CMS made clear that it views the ongoing problem of preventable healthcare-associated conditions in outpatient settings as a key strategy in its attempt to use Medicare payments to drive quality of care. This issue likely will be included in the joint IPPS/OPPS listening session that CMS intends to schedule this winter.

Second, CMS has taken its focus on “never” events in a different direction. Instead of including certain “never” events among the hospital-acquired conditions for which it currently denies payment if not present on admission, CMS has proposed three National Coverage Determinations (NCDs) eliminating payment for three serious medical errors: per-forming the wrong surgical or other invasive procedures on a patient; surgical or other inva-sive procedures performed on the wrong body part; and surgical or other invasive procedures performed on the wrong patient. The three NCDs were released on December 2, 2008, and CMS’ goal is to issue them in final form

by March, 2009. By using the NCD approach, the payment denial policy will extend beyond inpatient hospital care, affecting payment to physicians, hospital outpatient departments, and all other health care providers or suppliers which may be involved.

Conclusion

As the foregoing developments indicate, CMS continues to aggressively pursue strategies to tie payment to quality. It is expanding the scope of its pay-for-reporting initiatives to new settings and types of providers as a transition to pay for quality (value-based purchasing), and continues to expand the number of measures used to monitor quality. All healthcare entities and professionals are well advised to stay abreast of these new developments and to participate in them if they can, as payment tied to demonstrated quality of care is the Congressional goal in the not too distant future. n

1 Tax Relief and Health Care Act of 2006, Pub. Law 109-432 (Dec. 20, 2006), adding subsection (k) to SSA § 1848 and 42 U.S.C. § 1395w-4.

2 The Medicare Improvements for Patients and Providers Act of 2008, Pub. Law 110-275 § 131(b) (July 15, 2008), amending SSA § 1848(k), (m) and 42 U.S.C. § 1395w-4(k), (m).

3 SSA § 1848(k)(3)(B); 42 U.S.C. § 1395ww-4(k)(3)(B).4 Pub. Law 110-275 at § 131(d). 5 HHS, Development of a Plan to Transition to a Medicare Value-Based

Purchasing Program for Physician and Other Professional Services (Nov. 26, 2008), available at http://www.cms.hhs.gov/PhysicianFeeSched/downloads/PhysicianVBP-Plan-Issues-Paper.pdf.

6 Subsection (d) refers to SSA § 1886(d); 42 U.S.C. § 1395ww(d). Subsection (d) hospitals are hospitals in the 50 States, D.C., and Puerto Rico, except for psychiatric hospitals, rehabilitation hospitals, hospitals whose inpatients are predominantly under 18 years old, and hospitals whose average inpatient length of stay exceeds 25 days.

7 Deficit Reduction Act of 2005, Pub. Law 109-171 § 5001(a), (b) (Feb. 8, 2006).

8 The drafted legislation is currently titled the Medicare Hospital Quality Improvement Act of 2008 (not yet numbered).

9 CMS, Physician Quality Reporting Initiative: 2007 Reporting Experi-ence (Dec. 3, 2008) available at http://www.cms.hhs.gov/PQRI/Down-loads/PQRI2007ReportExperience.pdf.

10 Pub. Law. 110-275 § 131(b)(3), adding SSA § 1848(m)(5)(G); 42 U.S.C. § 1395w-4(m)(5)(G).

11 2009 Physician Fee Schedule Final Rule, 73 Fed. Reg. 69725, 69846-47 (Nov. 19, 2008).

12 Id. at 69845.13 Medicare Prescription Drug Improvement and Modernization Act of

2003, Pub. Law 108-173 (Dec. 8, 2003), adding SSA § 1860D-4(e), 42 U.S.C. § 1395w-104(e).

14 CMS, Overview of E-Prescribing program, http://www.cms.hhs.gov/eprescribing/.

15 2009 Physician Fee Schedule Final Rule, 73 Fed. Reg. 69725, 69848 (Nov. 19, 2008).

16 For specific codes, see CMS, Medicare’s Practical Guide to the E-prescribing Incentive Program (Nov. 2008), available at http://www.cms.hhs.gov/partnerships/downloads/11399.pdf.

17 Information about the qualified e-prescribing systems can be found at CMS, 2009 Electronic Prescribing Incentive Program – Adoption/Use of Medication Electronic Prescribing Measures, (Nov. 7, 2008) available at http://www.cms.hhs.gov/PQRI/Downloads/E-PrescribingMeasure-Specifications.pdf.

18 73 Fed. Reg. 68502, 68758 (Nov. 18, 2008)19 Pub. Law. 109-432 Part B § 109 (Dec. 20, 2006), adding SSA § 1833(t)

(17), 42 U.S.C. § 1395(l)(t)(17).20 72 Fed. Reg. 66580, 66860 (Nov. 27, 2007).21 Inpatient Prospective Payment System FY 2009, 73 Fed. Reg. 48434,

48471 (Aug. 19, 2008).



53


Editor’s note: Joel W. Lipin is Managing Director, Reimbursement Services with Sinaiko Healthcare Consulting, Inc. in Los Angeles. He may be reached by telephone at 310/551-5252.

Y ears ago (not to reveal my age) the Charge Description Master (CDM) was an unknown entity.

I remember numerous occasions in which I entered a CFO’s office and tried to convince the staff that they needed to pay attention to the data within their CDM. Many times I experienced reluctance during these visits. I now look back on those times and realize that CDM awareness has truly evolved to a point now where most healthcare-related magazines have an article about the CDM on some regular basis.

The CDM is a critical component within the middle section of the revenue cycle that brings together charging, coding, and billing functions as the computerized warehouse for charge descriptions, coding, and pricing for all charges incurred within a hospital setting. Because there are two distinct sources of coding, from the CDM (hard-coded) and Health Information Management (HIM) (soft-coded), it is important to understand where the coding is derived for each of the various departments. Some examples are the laboratory, which usually is hard-coded from the CDM; the Surgical Services areas are usually soft-coded by HIM, based upon the medical record documentation.

To ensure that your CDM maintains accurate information, it is mandatory to conduct CDM compliance assessments at least once a

year. With CPT/HCPCS codes being revised as each Centers for Medicare and Medicaid Services (CMS) memorandum is issued, it is even more important to review the accuracy of each line item within your CDM in accordance with federal, state, and third-party regulatory requirements. The basic assessment should include, at a minimum, an evaluation of appropriate CPT/HCPCS codes, UB-04 revenue codes, accurate and consistent descriptions, appropriate and consistent pricing of line items, as well as verification that services are accurately identified during the charge capture process.

The project scope should include all line items within the CDM, because several procedures and services will occur across many depart-ments. In most cases, these procedures and ser-vices are performed in a like manner and should be represented from a description, coding, and pricing perspective as the same. Not only is this a potential compliance risk if one department is charging a different price than another or charging the same for services that should be efficient by setting, but pricing transparency and defensible pricing issues are also at risk.

More than ever, hospitals need to be cog-nizant of how their charges are established, whether they reflect prices above the highest fee schedule price, are greater than calculated costs, and are mindful of CPT/HCPCS coding hierarchy relationships. One example of the coding relationship includes the three CPT codes within radiology for magnetic resonance imaging of the brain, (i.e., CPT codes 70551, without contrast; CPT code 70052, with contrast; and CPT code 70553,

without followed by contrast). In this case, the price for the procedure without contrast should be lower than the procedure with contrast, which in turn should be lower than the procedure that includes both a study without contrast followed by the procedure with contrast. Too often a CDM becomes incongruent as a result of yearly percentage price increases without a concern for these relational hierarchy issues.

The CDM assessment should also include detailed face-to-face meetings with each department and should include an analysis of existing processes surrounding charge capture, CDM maintenance, and updates. Discussions with the department directors should identify potential breakdowns within the middle section of the revenue cycle (where the CDM resides) and work towards developing recommendations to resolve any identified issues. The approach for the departmental meetings should include discus-sions toward:n Compliance, medical necessity, charge

capture, current correct coding initiatives, and national and local coding decisions;

n Procedures and services that are provided and not currently captured;

n Procedural methodology confirmation;n Controls, reconciliation, and/or policies

and procedures related to charge capture, CDM, and pricing;

n Charge tickets or electronic order entry screens to the CDM for appropriate line item additions, deactivations, or variances;

n Line-by-line review to determine accuracy of the charge description, CPT/HCPCS code(s), UB-04 revenue code(s) and the price;

n Procedures that may or may not be ap-propriate for bundling or unbundling;

n Inclusion of separate line-item billing for Medicare-reimbursable supplies and

Charge Description Master compliance

assessmentsBy Joel W. Lipin, MD, MPH


54

pharmaceuticals and other Ambulatory Payment Classification (APC) pass-through items, and identifying chargeable verses non-chargeable line items;

n Appropriate use of modifiers (especially related to the rehabili-tation services, physical, occupational, speech, audiology); and

n The use of unlisted CPT codes as potential “black holes” for lost charges, as well as other pertinent coding issues as needed.

As more hospitals create positions for CDM coordinators, we are seeing the need for a specific skill set; one which includes knowl-edge of the clinical terminology and an understanding of the vari-ous procedures performed in a given specialty area, coupled with a solid understanding of coding and billing functions. Therefore, the CDM coordinator has evolved into a liaison between the front, middle, and back ends of the revenue cycle. This person, supported by the appropriately sized departmental staff (depending on the size of the facility), needs to maintain a proactive approach to the compliance and maintenance of the CDM. Staying current regard-ing specific regulatory changes and relating them to the applicable department must be a critical component of this individual’s job description.

It is recommended that a CDM task force team be developed in order to continually communicate, monitor, maintain, and meet with each department at various intervals throughout the year. The task force should be comprised of the CDM coordinator, Compli-ance coordinator, director of HIM, director of Patient Financial Services (PFS), representative from Information Technology (IT), and the department director(s) relevant for a given meeting. Maintaining an accurate and compliant CDM is a complex task that requires the full time attention of a CDM coordinator and the CDM task force.

The efforts described above should be coupled with intermittent, more detailed compliance audits, including sample charge capture, coding and documentation assessments, audits of claims data rela-tive to charge entry, and effective staff education on accurate CDM usage to mitigate significant compliance risks for your facility. The heightened scrutiny by governmental agencies has made it more important than ever to tighten your controls over these areas. So, when and if CMS or another governmental fraud agency sends a letter, your facility will be in a position to react quickly and your response won’t be one which is defensive, but rather one of confidence, knowing that these issues have already been monitored and explored for potential exposure. n

Charge Description Master compliance assessments


Becky Cornett, PhD, CHCDirector, Fiscal IntegrityFinance AdministrationThe Ohio State University Medical Center

James G. Sheehan, JD New York State Medicaid Inspector General

Gabriel Imperato, JD, CHCCT Contributing EditorManaging PartnerBroad and Cassel

Jeffrey SinaikoPresidentSinaiko Healthcare Consulting, Inc.

Kirk Ruddell, CHC, MBACompliance OfficerIsland Hospital

Cheryl Wagonhurst, JD, CCEPPartner

Foley & Lardner LLP

Lisa Silveria, RN BSNHome Care ComplianceCatholic Healthcare West

Deborah Randall, JDPartnerArent Fox LLP

Bonnie-Lou BennigDirector of Corporate Compliance & Quality ImprovementVanguard Healthcare Services, LLC

Cynthia Boyd, MD, MBAAssociate Vice PresidentChief Compliance OfficerRush University Medical Center

Christine Bachrach, CHCSenior Vice President – Compliance OfficerHealthSouth

Compliance Today Editorial BoardThe following individuals make up the Compliance Today Editorial Advisory Board:

Eric Klavetter, JD, MS, MAPrivacy and Compliance OfficerMayo Clinic

David Hoffman, JDPresidentDavid Hoffman & Associates

F. Lisa Murtha, JD, CHC Managing DirectorHuron Consulting Group

Debbie Troklus, CHC, CCEPAssistant Vice President for Health Affairs/ComplianceUniversity of Louisville School of Medicine

José A. Tabuena, JD, CFE, CHCVP Integrity and Compliance/Corporate SecretaryMedicalEdge Healthcare Group, Inc.

Gary W. HerschmanChair, Health and Hospital Law Practice GroupSills Cummis & Gross P.C.


55

Editor’s note: Steven E. Skwara is a partner in the Washington, DC offices of Epstein Becker & Green, P.C. He may be reached by telephone at 202/861-4192 or by e-mail at [email protected].

Medicare Advantage, Medicare Part D, and Medicaid managed care plans should assess whether they are prepared for sure-to-be-increased governmental oversight of their monitoring, investigating, and reporting of providers and other “downstream” entities for fraud and abuse. To that end, the first part of this article discusses specific govern-mental compliance requirements for fraud and abuse programs, particularly as they pertain to third-party monitoring, auditing, and investigation. The second part of this article discusses the implications of those fraud and abuse compliance requirements for government-contracted health plans, the reasonableness of those requirements (or lack thereof ), and common indicia of an effective, and presumably compliant, fraud and abuse program.

Increased fraud and abuse compliance

requirements

Both federal and state government agencies expect contracted Medicare and Medicaid health plans to act as sentinels against provider and “downstream” fraud and abuse. Although prosecutors will continue to rely on “whistleblowers” for federal, and increasingly, state-level, fraud or False Claims Act cases, recent comments show that prosecutors are affirmatively expecting increased referrals for

health care fraud prosecution from program safeguard contractors.1 Safeguard contractors, in turn, rely on the reporting of fraud and abuse by the front-line health plans.

The seemingly inexorable result of this governmental sentinel effort, as evidenced by increasingly specific regulatory and contrac-tual requirements regarding fraud and abuse, is that government-contracted health plans will have to demonstrate the efficacy of an outward-looking fraud and abuse program as part of an overall compliance portfolio. As to Medicare, the Centers for Medicare and Medicaid Services (CMS) has set forth specific fraud and abuse requirements for Medicare D plans and has stated its intention to issue fraud and abuse requirements for Medicare Advantage plans early in 2009. In light of recommendations made by the General Accounting Office in a recent report, increased CMS auditing of the fraud and abuse programs of Medicare Part D plans appears imminent and has been identified as an area of focus in the HHS-OIG FY 2009 Work Plan. As to Medicaid, against a backdrop where the federal government has recently renewed emphasis on Medicaid fraud and abuse, state Medicaid agencies increas-ingly require Medicaid HMOs systematically to address fraud and abuse in their provider networks.

Medicare Part D requirements for plan sponsors Congress and CMS have required Medicare Part D plan sponsors to guard against fraud

and abuse by pharmacy benefits managers (PBM), pharmacies, prescribing physicians, pharmaceutical manufacturers, and others, as part of a comprehensive compliance program. Under the Medicare Modernization Act of 2003,2 the federal government mandated that Part D plan sponsors establish a program to control fraud and abuse.

CMS has issued guidance to “assist Spon-sors in implementing a comprehensive program to prevent and detect fraud and abuse in the prescription drug program” in Chapter 9 of CMS’ Prescription Drug Benefit Manual (Manual). Although many of the Manual’s recommendations purport to be aspirational (e.g., “this chapter provides recommendations,”3), in reality, many Part D plan sponsors view the “recommendations” as mandatory, because those sponsors may soon be subject to CMS reviews focused in part on the efficacy of the sponsor’s fraud and abuse program. Indeed, the HHS-OIG FY 2009 Work Plan specifically identifies this as an area of focus for fiscal 2009, stating that “[w]e will determine the extent to which plan sponsors conduct inquiries, initiate corrective actions and make referrals regarding potential fraud and abuse.”4 (CMS has also announced that it plans to update its Part D fraud and abuse guidance in early 2009, but that update was not available at the time of this publica-tion’s deadline.)

The CMS Manual requires Part D plan sponsors to implement plans to monitor and investigate their transactional partners – “first tier,” “downstream,” and “related” entities involved in the administration or delivery of the drug benefit.5 These entities include a plan sponsor’s PBM, pharmacies, prescribing physicians, drug wholesalers, and pharmaceu-tical manufacturers. The Manual does not, however, explain how a health plan sponsor


Increased government oversight of

managed care plans—Are you ready?

By Steven E. Skwara


56

might, for example, go about reviewing or investigating transactions between pharma-ceutical manufacturers and physicians for purposes of identifying “inappropriate trans-actions” or “illegal remuneration schemes.” Examples provided by CMS of the fraud or misconduct for each type of entity for which the plan sponsor must be vigilant include:1. PBMs – inappropriate formulary deci-

sions; prescription drug switching; unlaw-ful remuneration; inappropriate formulary decisions.6

2. Pharmacies – inappropriate billing practices; prescription drug shorting; prescription refill errors.7

3. Prescribers – illegal remuneration schemes; prescription drug switching; provision of false information.8

4. Wholesalers – counterfeit and adulter-ated drugs through black and gray market purchases.9

5. Pharmaceutical manufacturers – kickbacks, inducements, other illegal remuneration; formulary and formulary support activities; inappropriate relation-ships with physicians.10

Additionally, plan sponsors must “identify overpayments and underpayments at any level within the sponsor’s network.”11

Upon learning of possible fraud or abuse within its network of first tier, downstream, and related entities, a plan sponsor must conduct a “reasonable inquiry,” and, upon determining that potential fraud or miscon-duct related to the Part D program occurred, must promptly report the conduct to a Medicare Integrity Contractor (MEDIC). The scope of the potential “fraud or miscon-duct” is not limited to particular jurisdictions or even just criminal laws. CMS instructs plan sponsors to “refer potential violations of applicable federal and state criminal, civil and administrative laws, rules and regulations

to the MEDIC and/or law enforcement for further investigation.”12

In sum, for Part D plan sponsors, CMS has prescribed a system under which Part D plan sponsors must implement monitoring and auditing processes focused on the entire pharmaceutical delivery system, from manu-facture to dispensing. (The reasonableness and wisdom of this “soup to nuts” approach is discussed in Part II of this article.)

CMS oversight in this area has, however, been minimal to date. In August 2008, the Government Accountability Office (GAO) issued a report showing that a selected sample of Part D sponsors had not fully implemented all of CMS’ required fraud and abuse compli-ance plan elements, including the monitoring and auditing requirements, and recom-mended that “CMS conduct timely audits of Part D sponsor’s fraud and abuse programs.”13 The GAO noted that CMS had not audited Part D sponsors’ fraud and abuse programs in 2007 and did not plan to do so in 2008.14 In an October 2008 audit report, HHS-OIG found that although CMS conducted 19 audits of plan sponsors in 2007, only one of these audits included a review of the sponsors’ compliance plan.

Also, HHS-OIG reported that although CMS stated that its MEDIC would begin auditing sponsors’ compliance plans in summer 2008, as of early August 2008, the MEDICs had not yet done so. HHS-OIG recommended that CMS “conduct routine audits of PDP sponsors’ compliance plans to ensure that these compliance plans meet all federal requirements. Specifically, these audits should cover all compliance plan requirements contained in regulations as well as requirements included in Chapter 9 of the ‘Prescription Drug Benefit Manual.’”15

In its defense, CMS has cited the lack of funding from Congress as a reason for its limited fraud and abuse program oversight.16 CMS funding issues notwithstanding, as evidenced by the specific reference to reviews of plan sponsors’ fraud and abuse programs in the HHS-OIG 2009 Work Plan, plan sponsors should anticipate that CMS and its MEDICs will begin a more vigorous program of auditing the fraud and abuse programs of Part D sponsors.

Medicare Advantage PlansAs of the publication deadline for this article, CMS intended to issue fraud and abuse guidance for Medicare Advantage plan sponsors for implementation in early 2009.17 In the meantime, CMS advises Medicare Advantage plans to rely on the fraud and abuse guidance from the Part D Prescription Drug Benefit Manual.18 Because Medicare Advantage plans cover many medical services other than prescription drugs, the Manual’s specific guidance concerning fraud and abuse by PBM’s and pharmacies is less relevant than its general fraud and abuse guidance.

An application of the Manual’s general approach by Medicare Advantage plan sponsors would seem to require that those plans monitor and investigate providers in the plan’s network for potential fraud and abuse. The physicians, hospitals, laboratories, durable medical equipment (DME) provid-ers, etc. in the Medicare Advantage plan’s network presumably comprise the “first tier,” “downstream,” and “related” entities involved in the administration or delivery of Medicare Advantage plans’ members’ health care services and products. Specific areas for fraud and abuse monitoring and investiga-tion will likely include things like billing for services not rendered, upcoding, unbundling, and other traditional types of provider fraud. Also, as required in the Part D Manual,

Increased government oversight of managed care plans ...continued from page 55

March 2009

57

Medicare Advantage plan sponsors may be responsible (however implausibly) for monitoring illegal remuneration schemes involving providers and “downstream” entities (e.g., potentially unlawful payments from a supplier to a physi-cian). Medicare Advantage plan sponsors will also likely have specific reporting requirements for referrals to program safeguard contractors.

In short, Medicare Advantage plans will be given specific guidelines for monitoring, investigating, and reporting external fraud and abuse, but the Part D Manual does provide clues about CMS’ fraud and abuse compliance expectations that plan sponsors should consider acting upon now.

Medicaid HMOsAs is the case with the Medicare-related plans, Medicaid HMOs (health maintenance organizations) too, face increas-ing compliance demands with respect to provider fraud and abuse activity. This movement began taking shape as part of CMS’ (then called the Health Care Financing Organization or HCFA) “National Medicaid Fraud and Abuse Initiative.” In HCFA’s “Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care,” published in October 2000, HCFA asserted that

“[w]hether established as a compliance program or a state-approved fraud and abuse plan, managed care orga-nizations should undertake such efforts as . . . develop-ing procedures to monitor service patterns of providers, subcontractors, and beneficiaries.”19

More succinctly, “[t]he MCO should be monitoring provider fraud . . . .”20 And, according to HCFA, “[a]n MCO might identify provider fraud and abuse by reviewing for a lack of referrals, improper coding (upcoding and unbundling), billing for services never rendered or inflating the bills for services and/or goods provided.”21

Moreover, the federal government has recently placed increased emphasis on Medicaid fraud and abuse as exem-plified by the antifraud provisions of the Federal Deficit Reduction Act (DRA).22 Though it has begun implementing the Medicaid Integrity Program pursuant to the DRA’s direc-tive, CMS has not focused much on managed care, apparently


Never Face a Compliance or Ethics Challenge AloneNow you can meet and collaborate with ethics and compliance professionals year round and around the clock. The Compliance & Ethics Social Network puts you directly in touch with your peers.

Get your questions answered. Learn from what others are doing. Share your experi-ence, policies, and other documents. To get started:

Go to community.hcca-info.org.•Log in using your e-mail address and •HCCA password.Click “Social Network” (in the top black bar).•Click the name of a community (or •communities) that interest you.Select your communications •option and save.Start communicating and •collaborating!Maybe set up •your own community…

HCCA’S CompliAnCe & etHiCS profeSSionAl

Social Network

It’s fast, easy, and can help improve both your work and the profession as a whole. Sign on today.


58

content to leave that oversight function to the states for now.

Consistent with these federal exhortations, the state-level agencies that directly over-see Medicaid managed care plans typically require those plans to monitor and investi-gate their provider networks for fraud and abuse. For example, a state Medicaid agency may require, by contract, the following fraud and abuse-related obligations:n Develop a comprehensive internal fraud

and abuse program;n Upon a complaint of fraud or abuse

or upon identifying any questionable practices, conduct a preliminary review to determine whether in the contractor’s judgment, there is sufficient reason to believe that the provider or enrollee has engaged in fraud or abuse, and where suf-ficient reason exists, report the matter in writing;

n Make diligent efforts to recover im-proper payments or funds misspent due to fraudulent or abusive actions by the organization or its subcontractors;

n Require providers to implement corrective actions or terminate provider agreements, as appropriate;

n Submit reports on its fraud and abuse activities; and

n Certify in writing on an annual basis that to the best of its (or its designated signatory’s) knowledge, the contractor is in compliance with its contract and is not aware of any instances of fraud and abuse in the program covered by the contract, other than those previously reported in writing.

Medicaid managed care fraud and abuse requirements may vary by state, but they will tend to share common elements, and, if anything, they will become more demanding in light of the government’s recent emphasis

on curtailing Medicaid fraud and abuse.

Practical implications for government-

contracted plans

The practical challenge for many government-contracted health plans is implementing a competent fraud and abuse infrastructure, particularly for smaller plans that may not historically have investigated external fraud and abuse with vigor.

The not-so-insignificant question of reason-ableness remains open as well. As it stands, for example, CMS’ Part D fraud and abuse requirements for plan sponsors are impracti-cal, if not impossible, to meet in certain respects and hopefully, with experience, CMS will recognize this fact.

Finally, there are certain elements of an outward-looking fraud and abuse compliance program that, if implemented, should not only meet a government-contracted plan’s compliance obligations, but that also may make sense as a business proposition.

The balance of this article addresses each of these practical implications in turn.

Implementing an outward-focused programThe ease with which a government-contracted health plan can implement a reasonable, compliant fraud and abuse program will vary, obviously, by the size and type of plan.

For larger insurers that manage government-contract plans alongside other lines of health insurance, compliance with the burgeoning externally-focused fraud and abuse require-ments have been, and will be, relatively painless. Most such insurers have established special investigations units (SIU’s), anti-fraud functions in audit or legal areas, or investigative outsourcing relationships for

all of their lines of insurance, and it is not difficult to fold the government-contract business into the plan’s pre-existing antifraud activities. There will be additional, minimally-burdensome reporting obligations, but the antifraud infrastructure will be in place and the incremental cost of government-required fraud and abuse activities will be small.

Even though insurers or plans may already have an investigative structure in place, however, there is still a need to develop a government program-specific monitoring and audit plan. For instance, in its recent report on fraud and abuse programs at Part D plans, the GAO noted that only one of five plan sponsors that the GAO reviewed conducted data analysis of Part D claims separate and apart from its “regular” analyses.23 The impli-cation from this finding is that, at least in the GAO’s view, a plan sponsor’s fraud and abuse program should include a Part D-specific work plan.

Smaller or newer government-contracted plans may face a relatively greater challenge in demonstrating a compliant “downstream” fraud and abuse program, because they may not have a dedicated SIU or other antifraud infrastructure in place. To be sure, CMS expressly states that its Part D guidance does not require a health plan to develop an SIU. CMS does require a fraud and abuse program however.24 In addition to the obvious solution — creating and staffing an SIU — a niche health care fraud investiga-tions outsourcing industry is growing and may be a more financially-viable solution for small to mid-sized health plans. In any case, a program should be established in some demonstrable fashion.

Reasonableness of fraud and abuse programsReasonableness should be a core attribute of



59


any governmental guidelines for fraud and abuse programs, but, as shown, there may be a perception gap regarding reasonable-ness that will hopefully be bridged as both government agencies and plan sponsors become more experienced in this area. For example, taken literally, certain aspects of CMS’ Part D fraud and abuse guidance are virtually impossible to administer. CMS does not (and cannot as a practical matter) specify how and to what extent, for instance, plan sponsors should “monitor” and “investigate” downstream entities, such as drug wholesalers or PBMs. Typically, a plan sponsor will not have practical or legal access to the books, records, or data of such downstream entities nor will it have the expertise to review such records and data even if it were to have access. A plan sponsor will typically have little ability to determine whether a downstream entity is properly calculating true out-of-pocket costs for drugs or whether a pharmaceutical manufacturer’s relationship with a physician may violate federal law.

Likewise, CMS does not explain how a plan sponsor might, for example, go about review-ing or investigating transactions between pharmaceutical manufacturers and physicians for purposes of identifying “inappropri-ate transactions” or “illegal remuneration schemes.” Plan sponsors typically do not have access to information that would allow them to even begin to identify such transactions or schemes. Thus, it does not seem reasonable for CMS to expect significant “monitoring” or “investigating” of any entities other than the “first tier” entities with which the plan has direct day-to-day interaction (e.g., network pharmacies and physicians). CMS’ expecta-tions and guidance will likely moderate over time.

Indeed, HHS-OIG’s audit work tends to prove that plan sponsors are generally unable

to investigate once-or-more-removed entities with any vigor. In another October 2008 audit, HHS-OIG reviewed the fraud and abuse reporting data from 86 plan sponsors to determine what types of fraud and abuse the plans were identifying and what they were doing in response.25 Although the general results of this audit are not terribly interest-ing — some plans identify and report more fraud and abuse incidents than others — the results of the type-of-fraud survey show that most identified incidents result from “direct” interaction with the plan sponsor (e.g., improper billing being the most prevalent type of fraud and abuse identified). In contrast, and unsurprisingly, the plan spon-sors identified very few “downstream” types of fraud and abuse by entities not in direct contractual privity with the plan sponsors such as illegal renumeration, bribes, inap-propriate formulary decisions, manipulation of “true out-of-pocket costs,” or inappropriate manufacturer sales techniques.

The most reasonable approach for all fraud and abuse compliance would seem to be that exemplified in the Medicaid HMO contrac-tual language set forth above. It is reasonable to ask government-contracted plans to moni-tor, investigate, and resolve fraud and abuse issues with their direct networks of providers, members, or others (e.g., PBM’s) for which the plan has reasonable access to claims data, medical records, and similar information. It is also reasonable to expect that plans analyze and monitor their claims data for aberrations or patterns indicative of fraud and abuse. Indeed, at least based on anecdotal informa-tion, Part D plans seem to be structuring their fraud and abuse compliance plans assuming that they are responsible for reason-able outward-looking fraud and abuse efforts focused on entities with which the plan has a direct relationship.

Elements of a reasonable programCMS and Medicaid programs will continue to require specific, unique fraud and abuse program components, but a reasonable outward- or downstream-looking fraud and abuse investigation program generally will include the following, scalable elements:n Monitoring. A “fraud hotline” for mem-

bers and providers to report fraud or abuse by providers and other downstream enti-ties will be of obvious utility. Depending on the size of the plan, a dedicated Medicare or Medicaid fraud hotline might be warranted. The hit and miss nature of relying on ad hoc “tips” or “leads” from a fraud hotline will not be entirely sufficient for compliance purposes, however. A plan will want to demonstrate a regularized, data-driven monitoring process by which it looks for aberrational billing patterns based on recognized pattern-detection methods, for example, peer-group analysis (e.g., identifying those physicians who perform the most services per patient and conducting further investigation). A plan’s data analysis should also include a specific focus on claims or risk areas associated with government-contracted claims or members.

n Investigating. Depending on the size of the plan, a qualified, dedicated investiga-tive staff may be required. The days of assigning a provider relations employee to “follow up” on allegations of provider fraud are over. The investigative function should be performed by trained person-nel; the specialized skills necessary for the function are now widely recognized and accreditation is becoming the norm. Again, this is a function that could be out-sourced for smaller plans. For example, using criteria of years of experience, continuing education, and an examina-tion, the National Health Care Anti-Fraud


60

Association (NHCAA) has certified over 200 individuals in the private and govern-ment sectors as Accredited Healthcare Fraud Investigators since 2002. NHCAA is a coalition of private payers and law enforcement agencies created to address health insurance fraud, Annual surveys of NHCAA member plans show that the typical respondent’s recovery-to-cost ratio is usually in the 2:1 range.

n Reporting. Policies and procedures on how, when, and whom to report poten-tial fraud and abuse in compliance with governmental expectations are essential. Establishing and documenting guidelines for reporting potential fraud by a govern-ment-contracted health plan are important parts of a compliant fraud and abuse plan. Not only should objective guidelines be put in place, the reporting function should be insulated from the influences of other business units whose interests may not be entirely congruent with respect to a provider, for example, engaged in abusive billing behavior but who otherwise is held in favor by the plan for whatever reason.

n Risk prioritization. A government-contracted health plan should prioritize its monitoring and auditing activities based on risk assessments. This risk assessment and the resultant prioritization of auditing should be documented and should include specific reference to risk factors associated with the government plan at issue.

These are the general elements of an effective outward-looking fraud and abuse function for any government-contracted health plan. CMS and state Medicaid-related agencies will undoubtedly come up with more exacting specifications, but Medicare and Medicaid health plans can anticipate that the above will comprise the core of their fraud and abuse-related compliance obligations.

The independent business case There is also a business case to be made for provider-focused fraud and abuse programs by health plans. In the experience of private health insurance plans that have dedicated provider-focused antifraud programs, the average private payer recovers claims payments at an approximately 2:1 ratio to expenses.26 Imputed savings (e.g., claims deni-als, effect of terminating a network provider for fraud) and deterrent effects further enhance the benefit side of the ratio.

Another, albeit intangible, compliance-related benefit can result from a health plan’s estab-lishing a vigorous externally-focused antifraud function. SIUs in health plans with strong antifraud programs tend to develop good working relationships with state and federal law enforcement types. Often, providers who defraud government programs simultane-ously defraud private insurance plans and in a number of instances, law enforcement has included private insurance claims as part of a Medicare or Medicaid case. Those same law enforcement types in a given locality may be the ones asked to look at a health plan’s activi-ties, when allegations of impropriety arise. A health plan’s historically strong working relationship with law enforcement can be a useful thing when it is the plan’s conduct that is under scrutiny.

Conclusion

In light of the converging requirements for fraud and abuse programs for government-contracted plans (whether Medicare or Med-icaid) focused on providers and “downstream” entities, a plan’s actual performance in detecting and reporting fraud in its provider networks and beyond will soon be on the government’s compliance checklist. For instance, CMS will undoubtedly react to the GAO’s recent recommendation for increased auditing in this area and the HHS-OIG Work

Plan expressly provides for reviews of plan sponsors’ fraud and abuse-related compliance.

This is an evolving area of compliance and the related audit experience is minimal. Govern-ment contracted Medicare and Medicaid plans, particularly smaller to mid-sized plans that have not historically conducted robust antifraud operations, should consider whether their fraud and abuse programs are sufficient for purposes of monitoring, investigating, and reporting fraud and abuse by its providers and other downstream entities. Although the CMS and typical state Medicaid fraud and abuse requirements are a mix of the useful, the obvious, and the sometimes unreason-able, they are coherent enough such that government-contracted health plans should address these fraud and abuse issues in their overall compliance efforts in anticipation of increased audit and oversight activity in these areas and for sound business reasons. n

1. See “Prosecutors Look Beyond False Claims Act to Fight Health Care Fraud,” Health Care Daily Report, vol. 13, No. 66 (BNA April 7, 3008).

2. Pub. L. No. 108-173, 117 Stat. 2066 (2003).3. Manual § 204. HHS-OIG FY 2009 Work Plan, at 36 (October 1, 2008). The Work

Plan can be found at www.oig.hhs.gov/publications/docs/work-plan/2009/WorkPlanFY2009.pdf

5. Manual § 50.2.1.6. Manual § 70.1.2.7. Id. § 70.1.3.8. Id. § 70.1.4.9. Id. § 70.1.5.10. Id. § 70.1.6.11. Id. § 50.2.1.2.12. Id. § 50.2.1.2.13. GAO, “Medicare Part D: Some Plan Sponsors Have Not Completely

Implemented Fraud and Abuse Programs, and CMS Oversight Has Been Limited,” (GAO-08-760) (August 2008).

14. Id. at 6-7. 15. HHS-OIG, “Oversight of Prescription Drug Plan Sponsors Compliance

Plans,” Report OEI-03-08-00230, available at www.oig.hhs.gov/w-new.asp (10-31-08 reports) (accessed November 4, 2008).

16. Id., Appendix II (Letter from CMS to GAO) (“[T]here have not been sufficient additional resources to allow the MEDICs to engage in the types of audit oversight activities originally envisioned at the onset of the program.”).

17. Fed. Register Vol. 72, No. 233 at 68706.18. Id.19. Guidelines, at 39-40.20. Id. at 40.21. Id.22. See 42 U.S.C. § 1396d.23. GAO Medicare Part D: CMS Oversight Report (GAO-08-760), at 22.24. Manual § 20 (Overview). Id. 25. HHS-OIG, “Medicare Drug Plan Sponsors’ Identification of Potential

Fraud and Abuse,” Report OEI-03-07-0380, available at www.oig.hhs.gov/w-new.asp (10-31-08 reports) (accessed November 4, 2008).

26. NHCAA Annual Survey, available to members.



61


New HCCA MembersThe Health Care Compliance Association welcomes the following new members and organizations. Please update any contact information using the Member Center on the Web site, or e-mail Karrie Hakenson ([email protected]) with changes or corrections.

Hawaii

n James F. Kahler, MBA PT COSC, Hale Makua

n Patricia Lee, Kaiser Permanenten Ernest J.T. Loo, Goodsill Anderson Quinn

& Stifel LLP

Idaho

n Steven Bradley Pitts, Attorney, Law Office of Steven Pitts, P.A.

Ilinois

n Judith Blacklidge, Loyola Univ Health Sysn Vivian Downing, BroMenn Healthcaren Phyllis Gedzun, Midwest Physicians

Alliancen Ellen S. Green, RHIA CCS-P, Rush

University Med Ctrn Karen A. Hawthorne, Children’s

Memorial Hospitaln Agnes Hernandez, RHIT, Rush University

Med Ctrn Sarah D. Hocking, JD, Carle Foundation

Hospitoln Kelly Barar Keeler, MPPA, Alexian

Brothers Health Systemn Erin M. Kinahan, Lake Forest Hospitaln Susan Kramer, Heart Care Centers of ILn Brad Masterson, RHIA, Southern Illinois

Healthcaren Chris F. Palazzolo, CVS-Caremarkn Joyce Shannon, MetroSouth Medical Centern Jeffrey N. Teske, JD, Advocate Health

Caren Cozette Trela, Heart Care Centers of ILn Margaret Zonca, MS, MBA, JD,

Northwestern University

Indiana

n Ms. Mary Pat McCallister, CPC MCS-P PCS, University Radiological Assoc

n Lisa P. McDonough, CPC CCP, Humanan Kimberly Patton, DePuy Orthopaedics Incn Ms. Faith L. Pottschmidt, IN Univ

Iowa

n Kathy Bamman, Genesis Health Systemn Suzie A. Berregaard, JD, NHA, SPHR,

Hospice of Central IA

Kansas

n Shannan Flach, Wamego City Hospitaln Terri Gehring, Memorial Hospital, Inc.n Denise L. Klimek, MT ASCP, Mercy

Regional Health Centern Dan Roehler, Argus Health Systems

Kentucky

n Donna T. Astudillo, MBA CPC CCP MHP, Humana

n Jamie A. Burnett, RN, Univ Physician Associates

n Terri L. Clark, BA MHP, Humanan Carey Coleson, Humana Inc.n Shelly Denham, BSN, Univ Physicians

Associatesn Derek Dennison, CPA, MBA, Twin Lakes

Regional Med Ctrn Tracy Farley, Jewish Hospital & St. Mary’s

HealthCaren Rhonda Hoffman, Jewish Hospital & St.

Mary’s HealthCaren Sharon E. Jones, NHC, Norton

Healthcaren Anthony Leachman, Jewish Hospitaln Jeffrey T. Lewandowski, MBA MHP,

Humana Incn Ed Miller, Jewish Hospital & St. Mary’s

HealthCaren Elizabeth L. Muse, RN, BSN, CPC,

Norton Healthcaren Stephanie L. Redfern, U of L Hospitaln Ann Shircliff, CPC CCP PCS, Humana

n Furqan Siddiqui, MD, Univ of Louisville Hospital

n Trinia Simmons-Hill, University of Louisville

Louisana

n John J. Finn, Ph D, Self-Client CommCare Corporation

n Byron Johnson, Navigant Consulting, Incn Phyllis Krebs, Lafayette General Med Ctrn Larry Smith, United Medical Rehab Hosp

Maryland

n Shallie Bryant, MedStar Healthn Andrea B. Cherenzia, Care First BCBSn Mary Flanery, CPC, Medstarn Kristen Geissler, Navigant Consultingn Margaret E. Henry, Practice Dynamics Incn Frederick R. Herman, Univ of MD

Medical Centern Mark Loper, Coventry Hlth Care Incn Shari LoPresti, Harford Primary Caren Sharon McNamara, BSN, JD RN,

Erickson Retirement Communitiesn Michelle Russell, Catalyst Rx

Massachusetts

n Beth R. Belt, Deloitte & Touchen Kate Bolland, Health Dialogn Rosa Chiacchierarelli, CHC, Healthdrive

Medical & Dental Practicesn Helen G. DeRosa, Fresenius Medical Care

NAn Deborah Drexler, UMassn Sheila Murphy Fireman, Harvard Pilgrim

HealthCaren Judith Flynn, Partners Home Caren Eileen Gibbonsn Linda S. Hanna-Casey, Caritas Christi

Healthcare Systemn Luke Igweobi, Dana-Farber Cancer

Instituten David McLoon, Franciscan Hospital for

Children

March 2009

62

New Members ...continued from page 61

n Laurie A. Richard, BS CHC, Univ MA Med School

n Michael P. Taylor, RN MS, Shaughnessy Kaplan Rehab Hosp

Michigan

n Laurel Berends, CHC, Spectrum Health United Hospital

n Kathleen Carolin, Karmanos Cancer Center

n Colleen C. Cohan, Blue Care Network of MIn Joyce DeNooyer, Bronson Methodist Hospitaln Frances E. DeVos, Henry Ford Health Sysn Kim Dorotinsky, CPC, Spectrum Healthn Allie Galovich, Lakes Surgery Centern Nancy J. Hay, Henry Ford Health Systemn J Fabiana Johnson, BA, University of

Michigann Allison Reynolds, J.D., Residential Home

Health, LLC

Minnesota

n Gary A. Danisch, BCBS Northern Plains Alliance

n Bethan Davies, Medican Camilla Emmans

n Joey Filipiak, Summit Orthopedics LTDn Carrie A. Hogan, BCBS of MNn Susan Humiston, Leonard Street and

Deinardn Lisa M. Kampa, Gillette Children’s

Specialty Healthcaren Marcia Miller, Health Law Institute,

Hamline University School of Lawn Sue Ricker, VA Medical Centern Paul Rosol, CFSA, CISA, CFE, Jefferson

Wellsn Michael J. Rugani, JD, Fairview Health

Servicesn Sherrie Schiebe, Zimmer Spine, Incn Mary Ward, Mille Lacs Health System

Mississippi

n Mary Curtis, Curtis Management Servicesn Gregory Olivier, MHA, Hancock Medical

Center

Missouri

n Rose Dennis, RHIT, Saint Luke’s Northland Hosp

n Ms. Christie M. Holm, MS, Tri-County Mental Hlth Svc, Inc

n Ms. Linda A. Jesberg, RN, BSN, CPC, Barnes-Jewish Hospital

Montana

n Haley B. Denzer, Great Falls Clinic

North Carolina

n Fran Anderson, Rutherford Hospital,Inc.n Kimberly Ashburn, Novant Medical

Groupn Karen A. Cole, MBA CPC CCP, HMR Incn Kathryn Dever, Carolina’s Medical Centern Vivian Ette n Nancy Hall, Novant Medical Groupn Veronica Hodges, Novant Medical Groupn Adriane B. Jarvis, Novant Healthn Laura Leonard, Novant Medical Groupn Ronald May, MD, Craven Regional Med

Centern Tiffany McCluney, Novant Medical

Groupn Deborah Pondexter, Novant Medical

Groupn Lorraine Schumacher, Novant Medical

Group

Your HCCA StaffWilma EisenmanHR Director/Office Manager/ Compliance [email protected]

Patti HoskinMember [email protected]

Amy MaciasMember [email protected]

Darin DvorakDirector of Conferences and [email protected]

Elizabeth HergertCertification [email protected]

Beckie SmithConference [email protected]

Shawn LeonardWebmaster/Privacy [email protected]

Gary DeVaanIT Manager/Graphic [email protected]

Melanie GrossConference [email protected]

Allison [email protected]

Jennifer PowerConference [email protected]

Meghan [email protected]

Charlie ThiemChief Financial [email protected]

Sarah AnondsonGraphic [email protected]

Nancy G. GordonManaging [email protected]

Patricia MeesCommunications [email protected]

April KielMember [email protected]

Roy SnellChief Executive [email protected]

Margaret DragonDirector of [email protected]

Karrie [email protected]

Julie [email protected]

Marlene RobinsonAudio Conference [email protected]

Caroline Lee BivonaProject [email protected]

Adam TurteltaubVP Member [email protected]

6500 Barrie Road, Suite 250 Minneapolis, MN 55435

Phone 888-580-8373Fax 952-988-0146

[email protected]

The BESLER BridgeEach admission is medically appropriate. Clinical documentation accurately reflects the patient’s condition and each claim is billed accurately. How is this possible? It’s the unique BESLER Bridge. And it could be your solution as well for bridging case management, clinical documentation improvement and coding with physicians and clinical staff. No gaps. Just optimum results. Can we build one for you?

BESLERCONSULTING.COM • 877.4BESLER

Physicians & Clinical Staff

(Clinical Documentation)

Case Management

& Quality

Coding, Charge

Capture & Billing

BESLER BRIDGE SERVICES

Connecting Everyone To Support Medical

Necessity & Revenue Enhancement

© 2009 Besler Consulting

BESLER_BRIDGE_FINAL.indd 1 1/20/09 2:07:49 PM

2.5" jelly-smacker stress ball$4.75 ea. (min. order 5)

Magnifier bookmark$1.95 ea. (min. order 20)

Extra-large 3.5" x 3.5" magnetic star-shaped clip$2.75 ea. (min. order 20)

Stainless steel mug; insulated with screw-on, spill-resistant lid and 15 oz. capacity$5.50 ea. (min. order 5)

Mini 2.5" flashlight with retractable tether and snap-link ring$3.50 ea. (min. order 20)

Tri-stic widebody pen (black ink)$1.99 ea. (min. order 20)

3.5" x 5.25" jotter pad with pen and business-card sleeve$4.50 ea. (min. order 5)

Six colorful glossy posters, 20" x 28", each showcasing a different ethical message. New this year, the Corporate Compliance & Ethics Week logo is on a perforated strip that can be easily removed once the celebration week is over (1 each per 6-pack) $40 per 6-pack

2" x 3.5" solar calculator$3.50 ea. (min. order 20)

Order at www.hcca-info.org or www.corporatecompliance.orgOrder before April 17 to ensure delivery by Compliance Week!

Official poster for Corporate Compliance & Ethics Week20" x 28" glossy color poster $6.25 ea. (min. order 10)

Corporate Compliance & Ethics Week has moved—it will be celebrated the fi rst full week in May going forward.

Co-sponsored by HCCA and the Society of Corporate Compliance and Ethics (SCCE), the fi fth Corporate Compliance & Ethics Week will be celebrated May 3–9, 2009.

HCCA and SCCE have a number of items available for purchase to help spotlight compliance and ethics in your organization. Place your order by Friday, April 17, to ensure delivery before this event.

Order at www.hcca-info.org or www.corporatecompliance.org, or call the Compliance Week Order Fulfi llment Center at 877 646 9226.

Acting With IntegrityMay 3–9, 2009

Corporate Compliance & Ethics Week

volume eleven number three march 2009 published monthly · 42 standing at the crossroads by michael...

Documents