Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

1

XXXXXXX ...continued from page 1

Volume ThirteenNumber Nine

September 2011 Published Monthly

Meet

Audrey Andrews, Senior Vice President and Chief Compliance Officer of Tenet Healthcare Corporationpage 14

Feature Focus:

Reimbursement changes under health care reform: Are you prepared?page 30

Earn CEU Creditwww.hcca-info.org/quiz—see page 39

Security of mobile devices in

health carepage 20

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

2

TitleBy: Line

2011 SCCE Ad 8.5 x 11.indd 1 1/7/11 6:15:39 PM

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

3

XXXXXXX ...continued from page 3

INSIDEINSIDE4 CEU: Medical necessity review:

Compliance in a new era of accountabilityBy Robert R. Corrato, David Hoffman, and Michael TaylorNine suggestions for reducing potential liability with a compliant, medical necessity utilization review process.

9 Newly Certified CHC® and CHRC®

10 Antitrust review of Accountable Care Organizations: Five practical considerations for providersBy Toby G. Singer and David R. PearlA look at the proposed process for forming an ACO and tips for surviving the associated antitrust review.

14 Meet Audrey Andrews, Senior Vice President and Chief Compliance Officer of Tenet Healthcare Corporation An interview by Roy Snell

18 Letter from the CEO By Roy SnellYour job description can make your job easier

19 Social Networking By John FalcetanoTo Blog or not to Blog

20 CEU: Security of mobile devices in health careBy Chad Hirsch and Jacki PemrickSuggestions for proactively mitigating privacy and security risks when employees want to use mobile devices.

27 Exhale By Shawn DegrootUsing the right mode of communication is key

28 Is your hospital environmentally and physically secure? By William C. MoranA comprehensive risk assessment must include some unusual risks.

29 People on the Move

30 CEU: Feature Focus: Reimbursement changes under health care reform: Are you prepared? By Janice A. Anderson and Christopher WilsonHospitals, doctors, and other providers need to form new legal relationships now to maximize payments in the future.

43 Top compliance and legal risks for health care in 2011, Part 2 By Steve McGrawA discussion of expanded revenue recovery audits, the need to demonstrate the effectiveness of compliance programs, and lessons learned from recent enforcement actions.

50 Compliance 101: Record release compliance: The challenge acceleratesBy Jan McDavid Ease of access must be balanced with risk of breach when processing release of information requests.

53 DMEPOS supplier marketing arrangements and HIPAA compliance By Nathaniel Lacktman and Leeann HabteWith some exceptions, products and services may be marketed to Medicare patients only if they sign an authorization.

61 HCCA’s 2011 Corporate Members

64 New HCCA Members

Cover Photo: Members of the Tenet Healthcare Ethics and Compliance Department (from left to right). Front row: Sarah Campbell, Jawanna King, Audrey Andrews, Toni Hill, Lea Fourkiller. Second row: Debbie Wheeler, Vanessa Benavides, Kevin McCaslin. Third row: Al Josephs, Maggie Dunn, and Chris Flanagan.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

4

Editor’s note: Robert R. Corrato is President and Chief Executive Officer with Executive Health Resources in Newtown Square, Pennsylvania. He may be contacted by e-mail at rcorrato@ehrdocs.com.

David Hoffman is President of David Hoffman & Associates, PC, in Philadelphia, Pennsylvania. He may be contacted by e-mail at dhoffman@DHoffmanAssoc.com.

Michael Taylor is Vice President of Clinical Operations with Executive Health Resources in Newtown Square, Pennsylvania. He may be contacted by e-mail at mtaylor@ehrdocs.com.

The federal government estimates that, in recent years, tens of billions of

dollars have been improperly paid through Medicare programs.1 As a result, hospitals now face a new era of health care audit account-ability as the government seeks to reduce or eliminate inappropriate overpayments to providers and suppliers.

The Centers for Medicare and Medicaid Services (CMS) reports that the majority of Medicare overpayments made erroneously to hospitals are due to errant determi-nations of medical necessity.2 Over the past two years, procedures such as kyphoplasty (a treatment for back pain) and cardiac defibrilla-tor implantations have received particular scrutiny by the Depart-ment of Justice (DOJ), because of the potential for fraudulent claims submission arising from inappro-priate utilization of the inpatient hospital setting or lack of medical necessity for the procedure itself.

Recent allegations relating to over-utilization of Medicare inpatient services demonstrate that aware-ness of the importance of Medicare inpatient utilization patterns has reached the mainstream business community and financial sector. Add to this, Capitol Hill’s ongoing battle to reduce Medicare costs, and hospitals are finding that, more than ever, medical neces-sity compliance is a top priority within their organizations.

In today’s environment of increased health care scrutiny and accountability, it is more important than ever for hospitals to maintain a strong, concurrent compliance review program to ensure appropriate utilization of inpatient services.

Expanded power to fight overpayments, fraud, and abuseIn addition to subjecting providers and suppliers to increased scrutiny through programs, such as Recov-ery Audit Contractor (RAC) and Zone Program Integrity Contrac-tor (ZPIC) review, the government has simultaneously strengthened its ability to deal with suspected fraud through rulemaking.

On January 24, 2011, the Depart-ment of Health and Human Services (DHHS) announced new rules, authorized by the Affordable Care Act, that apply to Medicare, Medicaid, and the Children's Health Insurance Program (CHIP). Under the new rules, payments to providers can be suspended in the event of a credible allegation of fraud or abuse. When considered in light of a recent expansion of the False Claims Act to make clear that hospitals have a duty to refund overpayments within 60 days of identification, government inves-tigators now have more powerful tools in their fight against Medicare overpayments, fraud, and abuse.

Medical necessity review: Compliance

in a new era of accountability

By Robert R. Corrato, MD, MBA, David Hoffman, Esq., and Michael Taylor, MD

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

5

XXXXXXX ...continued from page 5

Continued on page 7

A look at the government’s expanded toolbox reveals that providers must consider, not just institutional risk, but personal risk as well. On October 20, 2010, the Office of Inspector General (OIG) of DHHS issued guidance for implementing its permissive exclusion authority under Section 1128(b)(15) of the Social Security Act. (Exclusion refers to the ability of the OIG to exclude individuals or entities from participating in the federal health care programs.) Section 1128(b)(15) specifically authorizes the OIG to exclude an owner, officer, or managing employee of a sanctioned entity (i.e., health care provider, sup-plier, or manufacturer) from participation in federal health care programs.

Furthermore, recent testimony before Congress makes clear that a key plank in the government’s strategy is to target not just institutions that engage in fraud and abuse, but the executives who manage those institutions.

RACs are only the tip of the icebergWhile the contingency fee-based RACs have been the subject of much media attention in recent years, CMS has greatly expanded the role of other auditors, as well. Medicare Administra-tive Contractors (MACs) have essentially combined the roles previously performed by Part A

Fiscal Intermediaries and Part B Carriers. MACs have the author-ity to institute and monitor Progressive Corrective Action (PCA) Plans, which may entail actions such as putting hospitals on pre-payment review.

Other important Medicare audit programs include Comprehensive Error Rate Testing (CERT), which works to measure payment error rates, and ZPICs, which are specialized contractors tasked with ferreting out fraud and abuse in the Medicare program.

The two aspects of medical necessityHospitals should be aware that CMS contractors and other investigators may examine two different aspects of medical neces-sity: (1) the medical necessity for the procedure or medical service itself, and (2) the medical necessity for the setting of care. Both of these aspects of medical necessity have been extensively examined in recent years by CMS contractors and have been the subject of gov-ernment enforcement activities. Medical necessity for a procedure or service itself is often determined by National Coverage Determina-tions, Local Coverage Determina-tions, evidence-based clinical care guidelines, and local and national standards of medical practice.

Because Medicare providers are tasked with providing care in the

most appropriate setting, medical necessity of the setting in which the patient is treated is also a target of auditor attention. Such auditors frequently review short-stay hospital admissions to determine if the patient could have been treated just as safely and effectively in the outpatient setting.

Medical necessity of the inpatient setting was a major target of RAC denials in the demonstration project, and remains a focus of RAC and MAC audit scrutiny today. To ensure optimal compli-ance, a hospital’s utilization review program should evaluate both of these aspects of medical necessity.

Achieving medical necessity complianceAs a first step toward creating a medical necessity compliance process, a hospital may consider reviewing its past performance as an organization with the goal of understanding and recognizing whether there is potential exposure or liability due to pre-existing poor utilization review practices.

The following nine suggestions are offered in order to create a com-pliant process for Medicare medical necessity admission review.

1. Build a strong UR plan and UR Committee

The process of medical necessity compliance starts with the

TitleBy: Line

HCCA ComplyTrack ad 5-11.indd 1 3/8/2011 2:06:24 PM

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

7

Medical necessity review: Compliance in a new era of accountability ...continued from page 5

Continued on page 8

utilization review (UR) standards of the Medicare Conditions of Participation (CoP). In accordance with Title 42 of the Code of Federal Regulations under 482.30 and its subparts, hospitals are required to maintain an active UR Committee as part of a comprehensive UR plan. At a minimum, the UR Committee is charged with reviewing hospital’s admissions, continued stays, and outlier cases.

It is the responsibility of the UR Committee to review the UR plan annually, to continually identify areas of improvement, and to include physicians and other hos-pital medical staff stakeholders in the process of ensuring Medicare admission review compliance.

2. First-level concurrent medical necessity review

It is important for hospital case and utilization managers to use credible, up-to-date inpatient admission screening criteria when conducting first-level reviews and making evaluations for patient status. Such widely accepted utilization screening criteria as InterQual, Milliman, or MCAP™ frequently fulfill this role at hospitals.

It is important to note, however, that CMS does not endorse any particular set of commercial screening criteria, and the satis-faction of any particular set of

commercial screening criteria is not a guarantee of Medicare coverage. Hospitals should moni-tor the accuracy of their first-level screening reviews by asking questions such as: n Are we applying the criteria

correctly? n Are we measuring and achieving

appropriate levels of inter-rater reliability in the application of criteria?

First-level criteria screening reviews are generally conducted by non-physicians, and the profes-sionals who perform these reviews should take care to operate within their appropriate professional scope of practice. The role of the case and utilization manager is to strictly apply the screening criteria, not to substitute for or overrule physician judgments of medical necessity.

It is important to note that first-level screening criteria are not meant to be a substitute for case-by-case expert physician review of medical necessity. In fact, many of these cri-teria have anywhere from a 20% to 25% error rate. In some instances, some patients who don’t satisfy commercial admission criteria at the first-level review may nevertheless require inpatient admission, based on physician assessment.

3. Second-level concurrent medical necessity physician review

When a case does not satisfy the hospital’s first-level utiliza-tion review screening criteria, that case should be referred for second-level physician review. As detailed by the Hospital Payment Monitoring Program (HPMP) Compliance Workbook, hospitals should ensure a two-level admis-sion medical certification process that includes strict application of inpatient screening criteria by case or utilization management profes-sionals, followed by expert physi-cian advisor review for those cases that do not meet the screening criteria.3 As directed by the Medi-care State Operations Manual, only a physician can make the final determination of the medical necessity of an admission.

4. Establish a strong Physician Advisor program.

As hospitals do not close their doors and turn off the lights during nights and weekends, a compliant utilization review program must operate 365 days a year, seven days a week. Physi-cian advisors operating in such a program must be knowledgeable regarding Medicare rules and regulations, and up to date on the latest medical evidence.

Physician advisors need to be skilled and experienced in making proven, consistent, and valid medical necessity recommenda-tions (i.e., recommendations that

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

8

TitleBy: Line

Medical necessity review: Compliance in a new era of accountability ...continued from page 7

are not subject to unexplained variation and that will stand up to scrutiny, as necessary, through the audit and appeals process).

5. Educate and monitor key staff members

Hospitals should ensure ongoing training, education, and inter-rater reliability testing of their utilization management and physician advisor teams. A sound, ongoing education program is a necessity to support and maintain hospital regulatory compliance, and to ensure contin-ued optimal performance of both first- and second-level utilization review processes.

6. Educate treating physiciansThe treating physician is a key part of the process and must be an active and central participant in the utilization review process. With this in mind, hospitals should consider providing ongoing treating physician education on:n the importance of complete

documentation,n the need to work closely with

UR/case management and physician advisors, and

n the role of the treating physician in ensuring both hospital and physician practice regulatory compliance.

7. Create an enduring and audit-able document

An evidence-based utilization review process that adheres to regulatory requirements and CMS

policy guidance may result in sig-nificant protection to the hospital pursuant to Section 1879 of the Social Security Act. In essence, Section 1879 of the Act provides that when a provider does not know, and cannot reasonably have known, that a service will not be covered by Medicare as medi-cally unnecessary, the provider is entitled to payment by Medicare for that service. This is known as the Limitation on Liability.

If a hospital fails to thoroughly document evidence of its compli-ant, concurrent, medical necessity utilization review process, then that hospital may lose the benefit of the protection conferred to it under the Social Security Act’s Limitation on Liability. For this reason, an enduring and auditable docu-ment should be created for each Medicare admission to provide permanent evidence of the hospi-tal’s compliant Medicare admission claim status certification process that will be available for review in the event of an audit by a RAC contractor or other investigator.

This document should include not only documentation of the first-level screening and secondary physician advisor reviews, but any subsequent conversation between the physician advisor and the treating physician that resulted in additional chart documentation.

8. Conduct regular PEPPER analysis

On a quarterly basis, hospitals should review their Program for Evaluating Payment Patterns Elec-tronic Report, more commonly known as PEPPER. This report takes a critical look at targeted diagnoses that are often associated with short stays to identify areas that may require improvement or attention. The data can help serve as a guide to help hospitals identify potential areas of vulnerability.

9. Engage key stakeholdersThe final step in the process ensures that UR/case management, physician advisors, HIM/Coding, finance, and compliance profession-als are all involved in the process of ensuring a compliant, daily, Medi-care medical necessity utilization review program. At the same time, the team that manages this process must be sufficiently streamlined to execute it on a daily basis.

Closing thoughtsIn today’s environment of increased health care accountability, it’s no longer a matter of “if,” but “when” a given hospital will be audited. Compliance requires a concurrent medical necessity review process that is legally defensible to avoid auditor denials and to retrospec-tively manage and appeal inappro-priate auditor denials.

The costs of non-compliance far outweigh the costs of compliance.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

9

The best practice approach to a comprehensive medical necessity compliance program is a proactive approach that infuses clinical and regulatory guidelines in the deci-sion-making process, ongoing com-munications among team members, and proper training to ensure all cases are properly screened, docu-mented, and validated. n

1. Kathleen M. King and Kay L. Daly: “Medicare and Medicaid Fraud, Waste, and Abuse: Effective Implementation of Recent Laws and Agency Actions Could Help Reduce Improper Payments.” Gov-ernment Accountability Office, March 2011. Available at http://www.gao.gov/new.items/d11409t.pdf

2. “The Medicare Recovery Audit Contrac-tor (RAC) Program: An Evaluation of the 3-Year Demonstration.” June 2008. Available at http://www.cms.gov/RAC/Downloads/RACEvaluationReport.pdf

3. HPMP Compliance Workbook. (Pre-pared by TMF Health Quality Institute, the Quality Improvement Organization Support Center for the Hospital Payment Monitoring Program, under contract with the Centers for Medicare & Medicaid Services, an agency of the U.S. Depart-ment of Health and Human Services. 8SOW-TX-HPMPQ-08-06), page 38. January 2006, (rev. March 2008). The workbook is available for download at http://www.metastar.com/Web/Portals/0/Documents/HPMP/HPMP-Compliance-Workbook.pdf

CCBCCB

The CCB offers certifications in Healthcare Compliance (CHC®), Healthcare Research Compliance (CHRC®), and the Certified in Healthcare Privacy Compliance (CHPC®).

Certification benefits:n Enhances the credibility of the compliance

practitioner n Establishes professional standards and status

for compliance professionals in Healthcare and Healthcare Research

n Heightens the credibility of compliance practitioners and the compliance programs staffed by these certified professionals

n Ensures that each certified practitioner has the knowledge base necessary to perform the compliance function

n Facilitates communication with other industry professionals, such as physicians, government officials and attorneys

n Demonstrates the hard work and dedication necessary to succeed in the compliance field

The Compliance Professional’s Certification

Congratulations!! The following individuals have recently successfully completed the CHC® certification exam, earning their certification:

Thomas P. AmburyBruce R. AndersonBrian D. AnnulisGwen M. AveryJoni K. Baker

John C. BarrettShawn D. BartonTodd M. Bejian

Jacqueline N. BloinkJanet C. Braun

Margaret R. BrockettCharita V. BryantJeffery A. Buehrle

Tammie L. CamptonClaire Cieri

Louis Di GiovanniPenny Etter

Janet K. FeldkampSteve J. Fischer

Patricia Galarrita

Brenda J. GatesLisa M. GerlachCarole S. GoodJeffrey B. Hayes

Rebekah R. HaysBradley M. Head

Jeff HollowayPamela K. Hulse

Teresa M. HuysmanMichele P. KaneJeramy D. KuhnAmy R. Langord

Scott LeckeySophie Lee

Audrey D. LewisCurt E. Meeks

Angela I. MuncySuzanne NeuberMichael A. Peer

Lynette R. Peterson

Vicki Y. PotteigerRachel R. PowellSandra J. PriebeTina M. Qualls

Mary Ann RandolphPatty Rhoden

Maria L. RiveraVioleta K. Rose

Elizabeth H. RussellBrian G. Santo

Susie F. SchumacherKatie E. Shepard

Todd A. TangemanKaren P. Thomason

Daniel T. ValdezMaribel Valentin

Aaron W. Van ArtsenSara K. Wheeler

William H. WojcikBenjamin N. Wright

The Compliance Certification Board (CCB) compliance certification examinations are available in all 50 states. Join your peers and demonstrate your compliance knowledge by becoming certified today.

Mary D. Craig Joann Kubica Sheila N. Thomas

Congratulations!! The following individuals have recently successfully completed the CHRC® certification exam, earning their certification:

Susan ColvinJeremy J. Corsmo

Patricia A. Eshleman

Gustavo A. FernandezBarbara Gibson

Dawn Lowe-GoodenChristopher Longspaugh

Tina G. NoonanEdith S. Paal

Elizabeth D. Taccetta

Congratulations!! The following individuals have recently successfully completed the CHPC® certification exam, earning their certification:

For more information about certification, please call 888/580-8373, email ccb@hcca-info.org, or visit our website at www.hcca-info.org.

Contact Us!

www.hcca-info.orginfo@hcca-info.org

Fax: 952/988-0146

6500 Barrie Road, Suite 250 Minneapolis, MN 55435

Phone: 888/580-8373

To learn how to place an advertis-ment in Compliance Today, contact Margaret Dragon: e-mail: margaret.dragon@hcca-info.org phone: 781/593-4924

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

10

Editor’s note: Toby G. Singer is a Partner in the Washington DC office of Jones Day. Her practice focuses on antitrust counseling and litigation for health care clients. Toby may be contacted by e-mail at tgsinger@jonesday.com.

David R. Pearl is an Associate in the Washington DC office of Jones Day. He focuses on antitrust and competi-tion law. David may be contact by e-mail at drpearl@jonesday.com.

By now, most providers have likely heard of—or perhaps have grown tired

of hearing about—Accountable Care Organizations (ACOs). Embraced by Congress as part of the Patient Protection and Affordable Care Act and the Health Care and Education Reconciliation Act of 2010, ACOs are intended to coordi-nate care and lower costs as part of the Medicare Shared Savings Program. Under that program, to incentivize cost reduction, com-binations of physicians, hospitals,

and other providers who form ACOs may share in any savings they create for Medicare.

The implementation of the Medi-care Shared Savings Program has seen coordination among various agencies to an almost unprec-edented degree,1 culminating in the March 31, 2011 issuance of proposed regulations from both the Centers for Medicare and Medicaid Services (CMS) and the antitrust agencies: the Federal Trade Commission (FTC) and the Antitrust Division of the Department of Justice (DOJ). The FTC and DOJ’s Proposed State-ment of Antitrust Enforcement Policy Regarding Accountable Care Organizations Participating in the Medicare Shared Savings Program (FTC/DOJ Proposed Policy)2 attempts to offer guidance concerning how the agencies will review ACOs for antitrust compliance. Although an ACO that chooses to contract only with the Medicare program would not raise antitrust concerns, because

Medicare sets prices, providers have made clear that they are unlikely to form ACOs unless they might also use them for their commercially-insured patients. Because many ACOs, by their very nature, will involve competi-tors acting in concert, importing them into the commercial setting implicates the antitrust laws.

In an effort to create a market power screen, the FTC/DOJ Proposed Policy breaks ACOs into three categories, based upon an ACO’s combined share of any services offered by more than one of its participants in their primary service area (PSA). PSA share, a concept imported from the Stark II laws, refers to an ACO participant’s share of Medicare fee-for-service payments in the lowest number of contiguous zip codes from which it draws at least 75% of its patients for a particular service.

The three proposed ACO categories are: ACOs with a PSA share greater than 50%, which are subject to mandatory antitrust review by the FTC or DOJ; those with a PSA share less than 30%, which are exempt from antitrust review absent extraordinary circumstances; and those with a PSA share between 30% and 50%, which can choose whether to submit to antitrust review (see table 1).

Commenters have criticized these regulations ad nauseum,

Antitrust review of Accountable Care

Organizations: Five practical considerations

for providers By Toby G. Singer and David R. Pearl

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

11

XXXXXXX ...continued from page 11

Continued on page 12

and, while they remain subject to change (the period for public comment closed on May 31, 2011), providers interested in forming ACOs should nonetheless be prepared to comply with the proposed regime. To that end, we offer a number of tips on how best to approach this process.

1. Read both sets of proposed regulations

As mentioned above, the FTC/DOJ Proposed Policy was released in tandem with a CMS proposed regulation, the CMS Medicare Shared Savings Program: Account-able Care Organizations Notice of Proposed Rule Making, (CMS NPRM).3 These two regulations do not function as independent documents and should thus not be read in isolation. For example, one of the most significant develop-ments in the proposed FTC/DOJ Proposed Policy is its willingness to confer automatic Rule of Reason4

treatment on any ACO that has met certain eligibility criteria for the Medicare Shared Savings Program, as laid out in detail in the CMS NPRM. The eligibility criteria an ACO must meet in order to partici-pate in the Shared Savings Program are: (1) a formal legal structure that allows an ACO to receive and dis-tribute payments for shared savings; (2) a leadership and management structure that includes clinical and administrative processes; (3) pro-cesses to promote evidence-based medicine and patient engagement; (4) reporting on quality and cost measures; and (5) coordinated care for beneficiaries.

Moreover, the CMS NPRM features antitrust-related guidance not present in the FTC/DOJ Pro-posed Policy, most notably in its discussion of the re-review process necessitated by a “material” change in ACO composition. Finally, in some ways, the section of the CMS

NPRM that explains the antitrust review process is clearer and more concise than the FTC/DOJ Proposed Policy, as evidenced by the useful table reprinted below.

2. Start earlyContinuing on the theme of interplay between the FTC/DOJ Proposed Policy and the CMS NPRM, it is important to under-stand that, in some circumstances, antitrust review functions as a precursor to the CMS process. As shown in Table 1, those ACOs with a PSA share greater than 50% face mandatory antitrust review and thus, must file a letter with their application to the Shared Savings Program, showing that the review-ing antitrust agency does not intend to challenge their application. Because the FTC/DOJ Proposed Policy requires that a prospective ACO submit all requested materials to the FTC and DOJ at least 90 days prior to the deadline to submit

Table 1: PSA Shares and Review Process

ACO PSA Share Review Process≤ 30% (with a rural exception)

Safety Zone -- No antitrust review necessary by the Antitrust Agencies

>30% and ≤50% Expedited review, compliance with list of conduct restrictions, or proceed without antitrust assurances

ACOs may:1. Request an expedited review by the Antitrust Agencies and submit letter from the reviewing

Antitrust Agency confirming that is has not present intent to challenge or recommend challenging the ACO;

2. Begin to operate and abide by a list of conduct restrictions, reducing significantly the likelihood of an antitrust investigation; or

3. Begin to operate and remain subject to antitrust investigation if it presents competitive concerns.

>50% Required expedited review -- ACO must seek review by the Antitrust Agencies to assess likelihood of pro-competitive and anti-competitive effects. ACO eligibility to participate in Shared Savings Program is contingent on the ACO’s submission of a letter from the reviewing Antitrust Agency confirming that it has no present intent to challenge or recommend challenging the proposed ACO.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

12

TitleBy: Line

Antitrust review of Accountable Care Organizations: Five practical considerations for providers ...continued from page 11

applications to CMS, an ACO must plan ahead. An ACO that features providers with a high PSA share should prepare its materials for antitrust review early, given that obtaining antitrust clearance works as a necessary precondition to CMS approval. Of course, among the materials an ACO must provide to the antitrust agencies as part of its antitrust review submission is its CMS application, meaning that an ACO will have to incur all the costs associated with completing both applications 90 days prior to the date it intends to submit its application to CMS, as discussed further in the next section.

3. Be prepared to spend moneyAs mentioned above, an ACO’s PSA share must be calculated, according to the FTC/DOJ Proposed Policy, for each service offered by more than one ACO participant (an ACOs “common services”). ACOs must perform this PSA share calculation at the very outset of the antitrust review, because an ACO’s PSA share of its common services dictates the treatment it will get from the FTC and DOJ, as shown in table 1. And, although the FTC/DOJ Proposed Policy casts this calcula-tion as a simple three step process (1. Identify each common service; 2. Identify each participant’s PSA for each common service; and 3. Calculate the ACO’s PSA share for each common service), such a characterization ignores a

variety of complications. Between gathering the necessary patient zip code data, to properly delineating one’s PSAs, to finding share data for non-Medicare services like OB-GYN, to the sheer number of potential common services an ACO might have, the PSA share calculation promises to cause headaches and cost money.

And, PSA share is only the begin-ning. Between the CMS NPRM and the FTC/DOJ Proposed Policy, the various agencies request nearly 20 different categories of information and documents, not to mention reserving the right to ask for more, if they deem it necessary. Not only will collecting such information cost money and take time, but ACOs will also have to puzzle over the exact meaning of some of the more confusingly worded requests. The FTC/DOJ Proposed Policy estimates that this entire process will take 30 to 50 hours and cost anywhere between $13,800 and $23,000. Based on our own rough estimates, we believe that the actual time and cost associated with this process will far exceed both numbers in most cases, and we urge potential ACOs to expect to incur signifi-cant costs on the antitrust review portion of this process alone.

4. Learn to live with uncertaintyAlthough the FTC/DOJ Proposed Policy’s embrace of automatic Rule of Reason treatment will remove

some uncertainty at the back end of the process, it has also created a lot of uncertainty at the front end. For one thing, the structure of the review process dictates that an ACO must, at least initially, rely on its own share calculations to determine whether it is safety-zone eligible or subject to mandatory review. This leaves open the possi-bility that the DOJ or FTC could disagree with how an ACO has slotted itself. Thus, an ACO could go through the CMS application process without having undergone antitrust review, only to be denied for lack of a letter from the FTC or DOJ, simply because the agen-cies performed the share calcula-tion differently.

But, it is ACOs in the middle ground of PSA share that must grow the most comfortable with uncertainty. As noted above, an ACO with between a 30% and 50% PSA share in its common services has the choice of request-ing expedited antitrust review—in which case it would follow the same procedures as an ACO subject to mandatory review—or not requesting review and taking its chances that it will not attract attention from the antitrust agen-cies. Although predictability has its benefits, given the costs associ-ated with undergoing antitrust review as it presently stands (including not only the expense of the PSA calculation, but also that of document production

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

13

and of dealing with the agencies), ACOs that believe they fall in this middle scenario should consider carefully whether to initiate the antitrust review process.

5. Hospital participants should avoid exclusive contracting at all costs

The bulk of the FTC/DOJ Pro-posed Policy—and indeed, the bulk of our advice—deals with process-based issues, but there is one piece of substantive advice we can offer: If an ACO wants to give itself the best chance of surviving antitrust review or avoiding anti-trust scrutiny altogether, it should avoid signing exclusive contracts with participants.

From the 1996 Health Care State-ments, to various FTC Advisory Opinions in the last decade, to the Proposed Policy, the FTC and DOJ have made it abundantly clear that they do not look favor-ably upon those who mix clinical integration with exclusive contract-ing. And, although the Proposed Policy does permit exclusive contracting for physicians in the safety zone and for primary care physicians even outside the safety zone, it discourages hospitals and ambulatory care centers from the use of exclusive contracting. For example, ACOs lose the benefit of the safety zone if their non-physician members contract with payers on an exclusive basis.

Further, the FTC/DOJ Proposed Policy cautions those ACOs with shares in the mid-tier to avoid exclusive contracting to minimize their chance of being targeted for review, and similarly advises that those ACOs subject to mandatory review are more likely to survive it if they abstain from entering into exclusive contracts. The FTC/DOJ Proposed Policy does not appear to differentiate between agreements that bar payers from contracting with providers except via their ACO, and agreements that bar providers from being members of multiple ACOs, though the latter would appear less problematic in terms of potential anticompetitive effects. As such, we would encourage prospective ACOs to find other ways to foster provider coordination.

In conclusion, although the anti-trust review process envisioned by the FTC/DOJ Proposed Policy

is burdensome and the prospects of surviving it are uncertain, we believe that ACOs that take into account the above five pieces of advice will both be less surprised by the process and better situated to pass through it unscathed. n

1. See Fed. Trade Commission & Dept of Health and Human Services, Workshop Regarding Accountable Care Organi-zations, and Implications Regarding Antitrust, Physician Self-Referral, Anti-Kickback, and Civil Monetary Penalty (CMP) Laws (Oct. 5, 2010). Transcript available at http://www.cms.gov/Physi-cianFeeSched/downloads/10-5-10ACO-WorkshopPMSessionTranscript.pdf

2. Federal Trade Commission: Proposed Statement of Antitrust Enforcement Policy Regarding Accountable Care Or-ganizations Participating in the Medicare Shared Savings Program. 76 Fed. Reg. 21894; Press Release. Available at http://www.ftc.gov/opa/2011/03/aco.shtm.

3. 76 Fed. Reg. 19528. Available at http://edocket.access.gpo.gov/2011/pdf/2011-7880.pdf.

4. In contrast to the per se rule, which deems certain conduct automatically violative of the antitrust laws, the Rule of Reason examines the unique effects of the con-duct and market dynamics to determine whether that conduct’s benefits outweigh its harms.

Need a quick and cost-effective way to earn CEU credits?

Want the latest news on breaking issues and best practices?

All of this from the convenience of your own office?

Try one of HCCA’s upcoming Web Conferences, and earn 1.2 CEU credits.It doesn’t get any easier.

learn more about upcoming web conferences and register at

www.hcca-info.org/webconferences

TryWebConf_quarterpage_CTad.indd 1 7/8/2010 9:15:55 AM

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

14

TitleBy: Line

Editor’s note: This interview with Audrey Andrews was conducted by HCCA Chief Executive Officer Roy Snell in July 2011. Roy Snell may be contacted by e-mail at roy.snell@hcca-info.org or by telephone at 888/580-8373. Audrey Andrews may be contacted by telephone in Dallas at 469/893-2000.

RS: What has been the most challenging part of being a compliance officer?AA: For me, the most challeng- ing and rewarding part of being a compliance officer has been trying to stay ahead of the curve, taking the lessons from today’s issues and applying them to new situ-ations. It’s really satisfying when you successfully predict the next significant risk and mitigate it before it materializes.

RS: How do you keep training interesting and effective?AA: I think there are three things to avoid in compliance training: process, fear, and

boredom. If you train only on process, no one will remember it. We remember things when we understand why a process is important to us personally. At Tenet, we connect our processes to one of our core values of integrity, service, inno-vation, and transparency, and we tell a lot of stories about when that has worked well for us and when it has not. We try to avoid scaring employees with penal-ties and investigations. We want employees to appreciate the risks involved in health care, but more importantly, we want compliance to be a common-sense part of our operations. Finally, we go to great lengths to avoid boredom—even at the risk of taking on some controversial topics.

Four years ago, we analogized health care compliance to the game of golf, which has a great history of self-reporting viola-tions. I received several notes from employees explaining why they thought other sports would have been a better choice. When I received those notes, I thought we had hit a home run (to continue the sports metaphor), because the employees had listened to our training, remembered it, and formed an opinion about how it would have worked better in another context. It’s quite easy to create training that covers the

articleMeet Audrey Andrews Senior Vice President and Chief Compliance Officer of Tenet Healthcare Corporation

feature

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

15

XXXXXXX ...continued from page 15

Continued on page 16

issues, but it’s more of a challenge to create training that helps someone think about their own values. Of course, four years later, I still receive positive e-mails from employees on Sundays to let me know that another golfer has self-reported a violation.

RS: When conducting an internal investigation what is the most important criteria in selecting an outside legal counsel?AA: At Tenet, we use internal or external counsel to direct an inves-tigation when there is evidence that somebody was acting with some level of intent. Routine investigations or issues that lack intent are handled as non-privileged investigations. That being said, when you select counsel, it is most important to select someone who can strategize on how to best conduct the review in an efficient manner. We want them to be very knowledgeable of our culture and policies, because they are a Tenet representative when they interview employees. We have great internal counsel; however, we use outside counsel when we need extra resources to address something quickly. As a result, they need to be able to work efficiently and independently.

RS: What advice do you have for those who struggle with getting physicians to change the way they bill or document?AA: We had a physician trainer

who I thought did a great job of explaining compliance to physi-cians. He said that physician compliance is nothing more than documenting what you did and why you did it. He explained that the “why” is important because it ultimately creates a physician profile that managed care companies use to determine who is efficient and who is not. For example, if a patient with a three-day hospital stay for sepsis is coded as a urinary tract infection, that physician appears highly inefficient to payers. If I had done that training, I probably would have talked about the coding rules and how the physicians need to do a better job documenting so that we can code correctly. My version would not have worked.

RS: Do you have any Dos or Don'ts for writing policies and procedures?AA: Do write short policies in plain English. Do identify a responsible person so everyone knows who is primarily respon-sible for adhering to the policy. Do use words like “shall” when something is mandatory. Do not use words like “should” if you mean for it to be mandatory. If you find yourself using a word like “should,” perhaps it should be a guideline and not a policy. Or I should probably say it shall be a guideline. See what I mean?

RS: What is the most important component of a compliance program?AA: Culture. An effective compliance program is fueled by a culture that learns from its mistakes and seeks to get better every day. If an organiza-tion’s culture is to explain away problems rather than learn from them, no amount of compliance resources or oversight will create an effective program.

RS: How often would you update your code of conduct and how often do you distribute it?AA: Several years ago we rewrote our Tenet Standards of Conduct to tie it to our core values. Because we believe that these are bedrock principles, we try to avoid updating it more frequently than every four or five years. We prefer to do frequent updates through policies.

RS: What is the biggest complaint you get about the compliance program and how do you deal with it?AA: Our biggest complaint is that we are too conservative and that our competitors allow some-thing that Tenet does not allow. We spend a lot of time researching the policies of our peer companies whose compliance programs we respect. We also listen to our business teams and regularly re-evaluate risks. Our goal is for

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

16

TitleBy: Line

Meet Audrey Andrews, Senior Vice President and Chief Compliance Officer of Tenet Healthcare Corporation ...continued from page 15

employees to understand how our policies are tailored to control a specific and real risk.

RS: What is the biggest mistake you see compliance professionals make and how would you correct it?AA: Trusting without verifying. We all want to trust our employees, and they deserve our trust. But, it is Compliance’s role to confirm that when we believe a risk has been mitigated, that the mitiga-tion is actually working. This means rolling up our sleeves and looking at actual output—whether it is claims data or medical records. This takes time, but it is why we are here.

RS: Do you have any websites that you find the most helpful?AA: I would highly recommend surfing the OIG website for a great tutorial on compliance programs. I also subscribe to the Department of Justice e-mails so that I can keep a pulse on recent settlements. The MedPac site is very helpful when you want a deep understanding of a Medicare payment risk. And of course, we use the CMS and MAC websites for general research.

RS: How has compliance changed since you started in 1999?AA: When I started working in Compliance in 1999, I was a compliance attorney and our compliance program was housed

in the Law department reporting to our general counsel. Now we are an independent department reporting to our board of direc-tors. Compliance is an operations unit with measurable goals. When I first started, we were a response unit that was called in to respond to problems.

RS: Do you think that Compliance can play a role in quality of care and if so, how?AA: Absolutely. The most rewarding part of my job is the time I spend partnering with our exceptional Chief Medical Officer and Clinical Quality department. I am not a clinician, but I hope that we provide a helpful, lay person’s view on quality and that we bring the seven elements of effective compliance programs to their quality processes. I have also taken a page or two from the Quality playbook. We draw a lot from their root-cause analyses, blame-free environment, and continuous performance improvement.

RS: Governing boards are becoming more accountable for their organization’s compliance efforts and yet compliance profes-sionals have very little contact with the board. How can you make the best use of your time with the board?AA: I report directly to the Quality, Compliance and Ethics Committee of our board and am fortunate to spend quite a bit of

time with them. My advice is to fill in the blanks in this sentence: “The most significant risks in the last quarter/month are ____, and we are addressing these risks through the following actions: ___________________.” There is a tendency in our profession to deliver the facts and wait for an opinion from the board when they really want and respect your opinion.

RS: If you have someone in administration who is reluctant to do something you need them to do, what can you do to get them to change?AA: It often works to explain how the issue is related to the organization’s core values and why it is important to them personally. If that doesn’t work, you may need something more formal in terms of impacting incentive compensation or taking disci-plinary action. It’s difficult, but it’s a necessary part of any effective compliance program.

RS: Do you worry about not getting to all of the potential problems and, if so, how do you prioritize them?AA: Yes! I think every compli-ance officer worries about this. We prioritize problems based on patient care risk, financial risk, and reputational risk, and we use a “heat map” to plot issues, so that everyone can understand which ones we believe create more risk

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

17

than others. We also talk a lot about what is not a compliance issue so that all of our activities are focused on the greatest risks.

RS: Has the general counsels’ role changed as result of the health care industry hiring com-pliance officers?AA: I don’t think the role has changed, because I believe compli-ance adds a new safeguard that did not previously exist. General counsel are often concerned that a material risk could go unchecked until it hits their desk as an inves-tigation or litigation. They hire attorneys, they give advice, and they often do training, but they may not be able to test and verify compliance. The compliance program is there to verify that policies are effective, so that issues can be identified internally and corrected before they become large problems posing significant risk.

RS: Should the compliance officer report to the general counsel?AA: I have operated in both environments, and I believe compliance programs are more effective with an independent compliance officer. At Tenet, we now look at issues through two lenses: What is legal and what upholds our core values. It’s a form of segregation of duties that we find to be very effective while allowing us to blend legal and compliance viewpoints.

RS: The compliance officer job involves the use and knowledge of compliance tools such as auditing, monitoring, education, etc. The job also involves knowl-edge of risk areas/regulations such as privacy, EMTALA, and Stark. However, some believe the hardest part of the job are people skills such as collaboration, nego-tiation, persuasion, motivation, conflict management, etc. Do you agree and, if so, why?AA: I agree. Conflict resolution serves as a critical skill for compli-ance officers. We often find ourselves asking someone to do something that they might not have done on their own. The ability to understand their inter-ests, communicate our interests, and find common ground is essential. If the compliance officer can’t retain a positive relationship while working through issues, they won’t be effective.

RS: Some people think compli-ance is all about the law. Do you agree with their view and, if not, why not?AA: I don’t agree anymore. I say “anymore” because I used to think this was true when I was a practicing attorney. Professor Marianne Jennings at Arizona State University regularly reminds us that the law is the minimum standard of behavior and not the maximum. It is absolutely critical to understand the minimum standard of behavior and the

consequences of failing to meet the minimum. But, you need to aim higher than that if you want to be a business with a reputation for integrity.

RS: How important is support from leadership? How can leader-ship help? Give us some specific actions the CEO can take to make it clear to everyone that compliance and ethics are important.AA: Tenet is fortunate to have a fantastic CEO, Trevor Fetter, who signals through his actions that compliance is part of our business. In his monthly staff meeting, we review business and financial issues, but we also review compliance and clinical risks as standing agenda items. When he visits hospitals, he asks me for a compliance report, and he congratulates them if the report is positive or asks them to refocus if they need improvement. He walks the talk, and our employees follow his lead. n

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

18

TitleBy: Line

Continued on page 62

If you have any questions that you would like Roy to answer in future columns, please e-mail them to: roy.snell@hcca-info.org.

Your job description can make your job easierThere have been many good ideas about what a com-pliance and ethics officer must get from leadership to be successful. There are good suggestions about the terms and conditions that must be met before you take a job. I have a condition that should be met before taking a job that I would want as much as any of the other ideas I’ve head discussed. I would want the following statement in my job description:

Due to the Board’s risk exposure, caused by the company’s failure to resolve a serious regulatory or ethical violation, I must report to the Board significant regulatory or ethics issues that I can’t resolve. Due to the Board’s risk exposure, caused by the organization’s failure to implement an effective compliance program, I must report to the Board anything thing that hinders my efforts to implement an effective compliance program.

First of all, you should report significant failures to the Board, regardless of your job description, just as the CEO, CFO, or auditors do. But, having those two sentences in the job description gives you an advantage. The advantage is that discussions with your peers and superiors are easier. This addition to your job description is an advantage to any CEO who is not committing wrongdoing. It is an advan-tage to the CEO, because it will help you keep the peace between you and your colleagues. The CEO will spend much less time mending your fences.

Without those two sentences in your job description, you will have to tell people, “Because you are being difficult/resistant, I may choose to go to the Board and report this.” That will be an end of your relationship with that person and anyone else they talk to. If you have those two sentences in your job description, you will be able to put it much more empathetically. Here is how the conversation may go if the two sentences are in your job description:

“Look, I see that we are at an impasse. I think I should fix this, and you think it isn’t a problem. This is what we can do: You pick anyone you want, inside or outside the organization, to help us settle this tie. I will share my views, and you share yours. If they can find a solution that allows me to fulfill my obligations to the Board, we will be done. If we can’t resolve the tie with that person, then you can pick someone else. If we run out of people to help resolve our difference, then we have to go to the Board, because I am obligated to take issues like this to them (I would show them the language). If we do have to go to the Board, we can do it together, you can explain your views, and I will explain mine.”

Now, I understand that allowing them to pick anyone to help resolve this before you go to the Board sounds like a lot of trouble. Remember, this is only for significant issues. It is unlikely to happen often, but when it does, it will be hellfire and brimstone if you don’t handle it well. You are going to spend a lot of time one way or another. You can bash your way through problems by taking a quicker approach and clean up the mess afterward, or you can be smooth and save some time in the back end. And unless the person they take you to can change the law in question or can get Chapter 8 of the

ROY

SNE

LL

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

19

XXXXXXX ...continued from page 19

Web 2.0 is about the new, faster, everyone connected Internet.

Each resource is 100% dedicated to compliance and ethics management. So sign up for whichever one works best for you, or for all four if you’re already living the Web 2.0 life.

HCCA is embracing this approach and offers you a number of ways to build out your network, connect with compliance professionals, and leverage this new technology. Take advantage of these online resources; keep abreast of the latest in compliance news; and stay ahead of the curve.

Dozens of discussion groups and more than 6,800 participantshttp://community.hcca-info.org

Profiles of over 4,500 compliance and ethics professionalshttp://www.hcca-info.org/LinkedIn

Follow HCCA_News to keep up with the latest compliance news and eventshttp://twitter.com/HCCA_News

Connect with compliance and ethics professionals on Facebookhttp://www.hcca-info.org/Facebook

HCCASocialNetworking_halfpage_301nK_CTad.indd 1 12/28/2010 10:03:44 AM

Editor’s note: John Falcetano, CHC-F, CCEP-F, CHRC, CHPC, CIA is Chief Audit/Compliance Officer for University Health Systems of Eastern Carolina and Second Vice President of the HCCA Board of Directors. John may be contacted by e-mail at jfalcetano@uhseast.com.

To Blog or not to BlogThis month, I though I would focus on one area of our social networking site, “the Blogs.” Blogs provide useful information to our membership. They help stimulate discussion on a wide range of topics. Below are just a few examples of the topics being discussed on the HCCA Social Network site:

Example # 1“I am seeking opinions as to who is the best suited person within a hospital facility to function as the RAC Coordina-tor. Would there be a conflict of interest for the Compli-ance Officer to function in this capacity?”

Example # 2“What topics are covered by ethics codes? Here’s a list of the most common ethics concerns:n Accounting, internal controls, auditing mattersn Workplace issues: substance abuse, FLSA, FMLAn Environmental, health, safety concernsn Falsification of documents or records: fabricating,

altering, destroyingn Discrimination: age, disability, genetic information,

national origin, pregnancy, race/color, religion, sexn Harassment: written, verbal, physical”

Example # 3“Hospital re-admissions are a huge dilemma in the United States medical care system right now, among several other difficulties hospitals and insurers face. When patients are discharged before they should be, some wind up being admitted to the hospital again. The Wall Street Journal

Social NetworkingSocial Networking

JOH

N FA

LCET

ANO

Continued on page 63

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

20

Editor’s note: Chad Hirsch is the Information Security Officer for Mayo Clinic in Rochester, Minnesota. Chad may be contacted by e-mail at hirsch.chad@mayo.edu.

Jacki Pemrick is the Privacy Officer at Mayo Clinic in Rochester. She may be contacted by e-mail at pemrick.jacki@mayo.edu.

Mobile devices, such as laptops, tablets, and smartphones (includ-

ing Blackberry, Android and iOS devices), are increasingly popular for both the business community and personal users due to easy, fast Internet access; their small size and portability; and desktop-like user interfaces. Many of these devices offer bundled features, such as GPS, Bluetooth, a camera, and numerous applications. In addition to the increase in func-tionality and computing capa-bilities provided by these devices, they are also continually adding more storage capacity. As mobile devices rise in popularity, they bring many of the same security and privacy risks from the desk-top domain to the mobile device domain. This also introduces new risks, given the size and ultra-portability of the devices and the increases in their computing and storage capabilities.

The Federal Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) regulations require health care organizations to apply the same security and privacy standards to mobile devices that are required for paper and non-mobile elec-tronic devices. In recent months, the privacy and security concerns of mobile devices have received the attention of the United States Senate. In fact, the United States Senate has revealed bills that are aimed at protecting the privacy of mobile device users, which rein-forces the need for strong security on mobile devices.1

Storage of confidential informationThe storage of sensitive informa-tion, including protected health information (PHI), on mobile devices presents a risk to any health care organization, if the information is not adequately protected. The recent trend of ever increasing storage capabili-ties of mobile devices, whether a smartphone, tablet, or USB thumb drive, makes it possible for an employee to literally “carry” larger, more complex, and more sensitive data in their bag or pocket. Because mobile devices

are, by design, small and ultra-portable, physical access to the device is easy, physical security is oftentimes nonexistent, and the risk of losing a device is signifi-cantly increased when compared to traditional computing devices. Most organizations still procure and manage traditional comput-ing devices such as workstations and laptops, but personally owned smartphone and tablet devices are increasingly being used by employees to gain access to corpo-rate networks and to store sensi-tive data. These devices are often not managed by the organization; therefore, there is no assurance that the devices satisfy corporate security policies.

Another issue specific to person-ally owned devices is the risk that the device will come into the hands of an unauthorized user via device turnover. Because these devices are not owned or controlled by the organization, an employee is able to trade-in, sell, give away, or throw away the existing device when it is replaced. When this occurs, what corporate information remains on the device and who is responsible for ensur-ing the information is adequately removed are two big questions that keep information security professionals up at night.

Solutions:n Strong policies and procedures

around mobile device security

Security of mobile devices in health care

By Chad Hirsch, CISA, PMP; and Jacki Pemrick, JD, CHC

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

21

XXXXXXX ...continued from page 21

Continued on page 23

n Encrypt all data at rest, includ-ing smartphones, tablets, and flash drives

n Implement strong password controls on devices

n Use mobile device management (MDM) solutions to provide:o insight into the mobile

devices connecting to your network, and

o capabilities to push corporate security policies to device(s) and restrict access to corpo-rate networks and resources.

Use of mobile applicationsUntil recently, smartphone and/or tablet devices were generally used by clinicians and providers to obtain access to their organiza-tion’s e-mail, calendar, and contact applications. These same users are now likely requesting to use their personal devices to access patient information via mobile applications. These applications (apps) enable clinicians to access patient information from any location, allowing for faster decision making, improvements in overall work flow, and better patient outcomes. These mobile apps, however, are not without risks; and just as they offer faster and more convenient access to information, they can also open up new ways for sensitive, clinical information to be compromised. Mobile applications that have been designed to store sensitive information in memory or on the device’s file system may open up

the opportunity for the informa-tion to be compromised, if the device were to come under the control of an unauthorized user. Additionally, if mobile devices and applications are not secured with strong password controls, unau-thorized users could gain access to clinical information.

Solutions:n Provide mobile applications

through internally developed app stores or offer links to specific health care applications via Apple’s AppStore or the Android Market.

n Manage mobile application deployment through MDM solutions.

n Develop a standard set of best coding practices for mobile applications that would include clearing memory, encrypting sensitive data that is written to the file system, and clearing screen shots that are captured as the user moves from one application to the next.

Mobile malwareMobile malware, often distributed through apps, has been increasing in scope and sophistication over the past year. Early mobile mal-ware authors specifically targeted the Symbian and Windows Mobile devices because they were the oldest and most researched mobile operating systems. How-ever, that seems to be changing, as evidenced by a Juniper report2

released in May 2011 that identi-fied malware samples that target Google Android devices jumped 400% between June 2010 and January 2011. Android devices appear to be targeted more often because Google places looser restrictions on developing and building applications for the platform. Although Apple has largely avoided issues with mali-cious applications, iOS devices modified to run software and code not authorized by Apple (i.e., jailbroken devices) have been the target of certain malicious activity. Although the majority of malware today is still being written for the PC environment, that hasn’t stopped hackers from modifying their code to attack the mobile device landscape. This, coupled with the fact that the same Juniper report estimated that 85% of smartphone users do not use anti-virus programs, leads to an environment that is ripe for exploitation.

In August 2010, the first Android “Trojan horse” malware appeared in the form of an application that mimics a media player and sends text messages to Russian-based premium-rate numbers at $6 a message. Early in 2011, Google was forced to remove more than 50 apps from its Android Market because they contained malware, known as Droid Dream, which was capable of gaining root access

TitleBy: Line

email: info@ehealthcareit.com or call 1-800-806-0874.www.ehealthcareit.com

Let's you and I talk about effective Healthcare Corporate & HIPAA compliance training

for your staff, contractors, and physicians

Healthcare facilities that are serious abouttraining and educating their staff chooseeHealthcareIT and PricewaterhouseCoopers.

We don’t need to tell you, healthcare compliance is a veryserious business. In fact, one of the greatest risks to consider in2011 is the increase in targeted healthcare fraud enforcementefforts by the government’s Health Care Fraud Prevention and Enforcement Action Team (HEAT).

Expertise

PricewaterhouseCoopers’ Health Industries Practice andeHealthcareIT is comprised of highly qualified healthcare professionals specializing in regulatory compliance. Includedwithin this group of professionals are physicians, registerednurses, certified coding specialists, registered records administrators, certified public accountants and attorneys.

Engaging & Practical Learning

Reliable, engaging, IT friendly and up to date content is keyto a successful compliance education program, which is whateHealthcareIT brings to the table.

eHealthcareITe L e a r n i n g & I T S o l u t i o n s

You know as wellas we do that onesize does not fit all:

• Over 100 engaging,department specificHIPAA Compliance,Clinical ResearchCompliance, andCorporate Compliancecourses.

• Customization that allowyou to embed your policies, procedures, welcome messages, sitespecific pictures and“contact information”.

• Department specific topicsensures that your staff will receive complianceeducation geared specifi-cally to their needs andresponsibilities.

Your compliance educationshould not be a matinee atthe movies. ContacteHealthcareIT for furtherinformation or consultation.

CTfpAD:Layout 1 2/3/11 3:59 PM Page 1

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

23

Security of mobile devices in health care ...continued from page 21

Continued on page 24

to a device, harvesting data, and installing additional malicious code. Health care organizations need to be aware of the possibility of these malicious apps making their way onto employee-owned devices, especially given the rising trend in malware targeted specifi-cally to the mobile landscape. It is only a matter of time before one of these threats is used to harvest and expose sensitive patient information residing on or being accessed by a mobile device.

Solutions:n Implement MDM solutions

to control and have visibility into apps installed on mobile devices. MDMs can also restrict jailbroken phones from gaining access to corporate networks.

n Educate users on the proper use of mobile applications and to be aware of when mobile applica-tions are requesting additional permission requests.

Personally owned/corporate connected device Many organizations are now allowing their employees to connect their personally owned mobile devices to the organiza-tions corporate network for e-mail, access to applications including electronic medical records, and other applications that contain confidential infor-mation. This is beneficial for the employee and the employer, because it is convenient for the

employee and saves the organiza-tion money by not having to provide mobile devices to indi-viduals. The challenge is: How much control does an employer have over the security of the mobile device when the individual owns it? In most corporate envi-ronments, because of the privacy and security exposures, organiza-tions are requiring employees to conduct a “corporate sync” which provides the organization some ability to ensure that the mobile device is secure when connected to the organization’s network.

The corporate sync also allows health care organizations to manage personal devices by creating password requirements and connectivity to the organiza-tions secure network. This allows the organization to monitor the security of the device and ensure that, at a minimum, the device has a strong password and a secure connection when confidential information flows to the mobile device.

Allowing individuals to connect their personal device to a corpo-rate network presents challenges. Because the device is owned by the individual, only some strong policies can be mandated, but others cannot. For example, if the organization became aware of a possible mobile security issue that puts the organization’s confiden-tial information at risk by causing

a security or privacy breach, the organization could not force the individual to wipe clean their personal mobile device. Addition-ally, if the individual leaves the organization, it’s possible that confidential information is stored on their mobile device and the organization would not be able to easily remove it without engag-ing their Legal department. If an organization allows an individual to connect his/her personal device to its network, another risk is that the organization cannot prevent the individual from sending confi-dential information that is stored on that device through personal e-mail versus corporate e-mail, even if the organization prohibits it in its policies.

Solutions:n Ensure that Human Resources,

Legal, Compliance, and IT define and implement personal device policies that meet infor-mation security and privacy standards, including employee responsibility for the protection of confidential data and impli-cations of a breach.

n Create guidelines around what can and cannot be stored on the device.

n Ensure authentication and device management policies are in place.

n Provide training and education to employees.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

24

TitleBy: Line

Security of mobile devices in health care ...continued from page 23

Mobile devices are frequently lost and stolen Due to the portability of mobile devices, it is certainly a risk that the mobile device can become lost or stolen. If the device is not encrypted, this can pose a risk to an organization, because any confidential information stored on the device will be accessible, if the device lands in the wrong hands. Even if the device is encrypted, it is important for the mobile device to be password protected to prevent ready access to the confi-dential information on the device. If the device is not encrypted and is not password protected and is lost or stolen, it can pose a risk to the owner of the device and to the organization when confidential information is stored on it. The HITECH regulations state that it is possible for both the individual employee and the corporation to be held liable for a breach.3

Solutions: n Make sure the mobile device is

encrypted. n Create policies that mandate

employees to have strong passwords when their device is connected to the organization’s network.

n Educate employees on the risk associated with storing confiden-tial information on the device.

Manage the risk It is important for organizations to manage the risk associated

with mobile devices. Mobile technology is beneficial in health care organizations because of its ability to provide information to the end user very quickly, so it is important to weigh the risk with the benefits to an organization and the individual. It is beneficial to health care organizations to proactively mitigate possible risks associated with the use of mobile devices and help individuals use the devices that are supported by the organization. The risk related to mobile devices can be mitigated in many ways that allow the indi-vidual to use the desired device and still protect the organization from unnecessary exposure if confidential information is stored on the mobile device.

Solutions: n Create strong policies on the

security of the mobile devices that your organization is com-fortable supporting.

n Evaluate the devices and their security and provide a pre-ferred list of mobile devices to employees.

n Conduct employee education on the importance of privacy and security of the mobile device, including the storage of confidential information on the device.

n Implement a data loss prevention tool and conduct monitoring. Include the transmission of data on mobile devices to gain knowledge about the use of the

devices. Proactively monitor security and privacy risks associ-ated with mobile devices.

n If financially feasible for the organization, providing corporate-owned devices to employees would mitigate risk, because the organization can implement policies to auto-matically require encryption, password protection, monitor-ing the device, and wiping the device clean as necessary. This may limit the types of mobile devices the organization could offer to employees.

Conclusion Mobile devices pose security risks that keep both privacy and security officers up at night, and these risks will not be disappear-ing in the near future. That is why it is important to understand the security risk with mobile devices and balance it with the impor-tance of supporting the technol-ogy that is allowing health care professionals to facilitate their job duties, including saving patients’ lives. When organizations put the proper safeguards in place, it allows employees to select devices that suit their personal work styles and job responsibilities and increase the employees’ produc-tivity and job satisfaction. Each health care organization is unique, so it is important to conduct an evaluation of mobile devices and determine how the organization intends to handle the implications

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

25

of supporting or not supporting mobile devices. In order to mitigate the possible risks which can result in privacy or security issues, it is in the best inter-est of the health care organization to proactively mitigate the security risks and implement the solutions recommended in this article as they see fit with their organization. n

1. Chris Lefkow: “US Senators Unveil Mobile Privacy, Data Theft Bills.” The Economic Times, June 16, 2011.

2. Juniper Networks: “At Risk: Global mobile threat study finds security vulnerabilities at all time highs for mobile devices.” May 2011. Available at http://www.juniper.net/us/en/company/press-center/press-releases/2011/pr_2011_05_10-09_00.html

3. Elizabeth Gardner: “Moving Target,” Health Data Management (2011). Available at http://www.healthdatamanagement.com/issues/19_1/moving-target-mobile-devices-41628-1.html

2011

Learn more & register at www.hcca-info.org

Basic Compliance Academies

Chicago, IL | September 19–22

Las Vegas, NV | October 24–27

Orlando, FL | November 14–17

San Diego, CA | December 5–8

Basic Privacy Compliance Academies

San Francisco, CA | October 10–13

San Diego, CA | December 5–8

Basic Research Compliance Academies

Las Vegas, NV | August 15–18

Register now for one of HCCA’s remaining Academies in 2011

HCCA’s RemAining 2011

R e g i o n A l C o n f e R e n C e sNew Englandseptember 9 | Boston, mA

Upper Midwestseptember 16 | minneapolis, mn

Midwest september 23 | overland Park, Ks

North Centraloctober 3 | indianapolis, in

East Centraloctober 14 | Pittsburgh, PA

Hawaiioctober 21 | Honolulu, Hi

Mountainoctober 28 | Denver, Co

Mid Centralnovember 4 | louisville, KY

Desert Southwestnovember 18 | scottsdale, AZ

South CentralDecember 2 | nashville, Tn

leAR

n m

oR

e An

D R

egis

TeR A

T w

ww

.HCCa

-iNfo

.or

g

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

26

TitleBy: Line

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

27

XXXXXXX ...continued from page 27

Editor’s note: Shawn DeGroot, CHC-F, CCEP, CHRC is Vice President of Corporate Responsibility at Regional Health in Rapid City, South Dakota. Shawn also serves as Vice President of

the HCCA Board of Directors. She may be contacted by e-mail at SDegroot1@regionalhealth.com.

Using the right mode of communication is key The background and education of compliance officers and staff in health care are very diverse. Equally important, if not more important, are integrity, character, and the ability to communicate. Sonya Castro-Quirino is the Regional Compliance Director at St. Joseph’s Health System. She has a very diverse background of experience as a Program Analyst with the Office of Inspector General, and working for both for-profit and not-for-profit organizations. Sonya has a clinical background in Clinical Labora-tory Science as well as an MBA with a concentration in Health Organizational Management.

What keeps Sonya up at night? Sonya believes that what keeps her up at night may be common to all compliance staff. The issue she described is multi-faceted:n The constant and continuous concern of keeping

up with regulationsn Communicating the regulations to the right

people in the organizationn Communicating the pertinent topics/issues to the

board of directors

Regarding the first concern, it is extremely difficult to be proficient at the daunting task of reading, interpreting, and communicating all of the regulations. The St. Joseph Health System’s approach is to target the review of the annual OIG Work Plan, conduct risk assessments, and then prioritize the risks. However, while all of that work is underway, more regulations are published.

Once a regulation is published or a compliance matter is identified, the second challenge is determining the right formula for communicating the necessary infor-mation to the appropriate persons who are responsible for addressing the compliance matter. Individuals from the bottom up and top down all have different preferences for how they want to receive information. Some prefer e-mail, others a telephone call, and others prefer a meeting, and it takes some trial and error to identify how best to deliver the communication. Even when you think you have the right formula, you may not always bring the right people to the table. A Quality issue may be embedded in a traditional Compliance issue, and additional staff need to be invited to the next meeting. A second meeting is held and the Quality perspective may alter the process as new facts are presented. Compliance issues are not always simple and have become more complex, and as the position grows, so does the complexity.

Another communication challenge is how best to deliver the right information to your board of directors. Agendas are very full and the board members serve voluntarily, yet a fiduciary duty to be knowledgeable in Compliance is an expectation of the government. Understanding the depth and level of content to present is important for assisting board members in carrying out their fiduciary responsibilities. However, Sonya and I both agreed that there is no one-size-fits-all answer to this dilemma. Refining your communication strategy may be an ongoing process.

How does Sonya counteract the stress of her role?Sonya has three small children, ages 5, 2½ , and 1 year old, who are not at an age where they understand what stress is. The world is just fun and they don’t allow much time to think about anything else. However, when she needs space or a calm time away, Sonya’s choice is to schedule a pedicure and massage, which Sonya says is “one hour of simply not thinking.” n

By Shawn DeGroot, CHC-F, CCEP, CHRCExhaleExhale

SHA

WN

DEGR

OOT

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

28

Editor’s note: William C. Moran is Senior Vice President with Strategic Management in the firm’s Chicago office. He may be contacted by telephone at 847/828-3515 or by e-mail at wmoran@strategicm.com.

A re patients, hospital staff, and the public protected in your hospital environ-

ment? What laws and regulations might the Compliance office help to enforce to ensure protec-tion from physical and material harm? This article will address these questions by examining two important compliance categories: Environmental health and safety, and physical security.

Environmental health and safetyAlthough the hospital setting is one of healing and comfort, it also includes certain dangers. Hospitals contain hazardous chemicals, chemotherapeutic drugs, radioac-tive material, and infectious matter, among other threatening items. For this reason, the Occupational Safety and Health Administration enforces laws and regulations to ensure protection against these exposures.

In addition there are also dangers from fire and smoke that can be

particularly perilous for vulner-able hospital patients. Life Safety Codes have been promulgated to address these problems and are enforced by the Environmental Protection Agency, and reviewed every three years by The Joint Commission. Some states and municipalities also have laws and regulations concerning hazardous material and fire safety.

In order to remediate the risks of environmental health and safety, we recommend the Compliance office, as part of its annual risk assessment, include the following topics:n Hazardous exposure control plann Engineering and work practice

controlsn Personal protective equipmentn Regulated waste containment n Post-exposure evaluation and

follow-upn Fire and safety plann Building design, fire protection

features and furnishingsn Fire drills and fire alarm

notificationsn Maintenance of fire-safety

equipment and building features

Most of the work related to the above topics will be the respon-sibility of the Engineering staff,

Public Safety staff, Patient Care Services, and others, but the Compliance office should ask questions during the annual risk assessment to ensure adequate remediation is actually occurring.

Physical securityPatients, hospital staff, and the public need to be protected from physical harm on both a day-to-day basis and in the event of an unusual circumstance, such as a natural viral epidemic, bioterrorism attack, or major accident. The day-to-day events would include possible harm from robbery, stolen identification, or a violent altercation. The unusual circumstance of an epidemic, attack, or accident could result in hospital overcrowding, spread of disease, or panic for certain medica-tions or procedures. Preparation for and implementation actions for both day-to-day events and unusual circumstances need to be in place. Most of the laws that apply in these situations are local and state statutes that require close coordination with nearby police, fire, and other emergency personnel.

In order to remediate the risks associated with physical security, we recommend the Compliance office, as part of its annual risk assessment, review the following items: n Know who is in the facility,

including patients, staff, and the public

n Know what materials come in and out of the building

Is your hospital environmentally and physically secure?

By William C. Moran

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

29

XXXXXXX ...continued from page 29

n Respond to disruptive behaviorn Respond to weapons in the buildingn Secure drugs, toxic material, and hazardous wasten Have sufficient security technologyn Know your security personnel

Again, most of the work on physical security will be handled by Public Safety staff, Engineering staff, the Pharmacy department, Human Resources, and patient care staff, but the Compliance office should ensure that remedial steps are being taken to address these topics.

Compliance offices focus primarily on laws and regu-lations dealing with Medicare and Medicaid pay-ments, and Food and Drug Administration (FDA) and Office of Civil Rights (OCR) regulations. Risks associated with the Anti-kickback Statute, cost reports, claims submission, HIPAA, EMTALA, Physicians at Teaching Hospitals (PATH), Quality, laboratories, clinical research, and corporate gov-ernance are the more usual compliance categories. However, other federal, state, and local statutes and regulations need to be considered when examining the overall risks in the hospital. Keeping the hospital safe and secure from environmental and physical harm certainly must be included as part of any comprehensive risk assessment. n

On the Move PeoplePeopleDebbie Troklus CHC-F, CCEP-F, CHRC, CCEP has been named a Managing Director with the Aegis Compliance and Ethics Center based in Chicago. Debbie also serves on the HCCA Board of Directors and is the current President for the Compliance Certification Board. She may be contacted by telephone at 502/641-9140 or by e-mail at dtroklus@aegis-compliance.com.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

30

TitleBy: Line

Editor’s note: Janice A. Anderson, Shareholder in the Chicago offices of Polsinelli Shughart PC, has over 25 years’ experience focusing on health regulatory and compliance issues and over 30 years’ experience working in the health care industry. She may be contacted by e-mail at jander-son@polsinelli.com or by telephone at 312/873-3623.

Christopher Wilson is a former associate in the Health Care department of Polsinelli Shughart PC in its Kansas City office.

H ealth care reform will bring about signifi-cant change to how providers are paid, and payment changes will necessitate changes in

how care is delivered. A primary objective of health reform is to integrate a fragmented health care deliv-ery system to reduce costs and improve both the qual-ity of care and the overall health of populations.

Hospitals are very familiar with Medicare’s tradi-tional payment methodology for hospital services (i.e., a diagnosis related group [DRG] payment for inpatient care, and an ambulatory payment clas-sification [APC] payment, for outpatient care) and with Medicare’s volume-based or fee-for-service payment methodology for physician services. Under the current payment structure, doctors determine the care that is to be provided in hospitals, yet bear no financial consequence for the cost of that care. Compounding this divide is the fact that hospitals and physicians are motivated by different—and often adverse—financial incentives, and neither the

hospital nor the physician payment model rewards consistent high quality and low-cost care. A goal of health care reform is to align these misaligned incen-tives between hospitals and physicians through new payment models, thereby improving quality, reduc-ing costs, and improving patient outcomes.

This article will provide hospitals with an overview of the variety of new payment and delivery models included in the Patient Protection and Affordable Care Act of 2010 (PPACA) and other recent laws and regulations to better prepare hospitals for fundamental changes in the way they are paid. It will also discuss the importance of establishing different relationships between hospitals and physicians, and the common structures to achieve those relation-ships, which are necessary if hospitals are to perform well under the payment models of the future.

Value Based PurchasingWith the passage of PPACA, Congress implemented the Value Based Purchasing (VBP) program first developed by the Centers for Medicare and Medicaid Services (CMS) in 2007. VBP is a pay-ment model that directly ties reimbursement to performance. Section 3001 of PPACA enacts VBP for hospitals for discharges occurring on or after October 1, 2012 (FY 2013). Hospitals subject to VBP under PPACA are generally “subsection (d) hospitals” which includes most acute care hospitals paid under the Inpatient Prospective Payment System (IPPS), but does not include psychiatric

focusfeature

Reimbursement changes under health care reform: Are you prepared?

By Janice A. Anderson, Esq. and Christopher Wilson

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

31

XXXXXXX ...continued from page 31

Continued on page 32

hospitals, rehabilitation hospitals, childrens hospi-tals, or long-term care hospitals. However, PPACA excludes VBP for hospitals that:n do not participate in Hospital IQR program; n have been cited for deficiencies that pose immedi-

ate jeopardy to the health and safety of patients during the performance period;

n do not have a minimum number of applicable measures for the performance period; or

n do not have a minimum of cases for the applicable measures for the performance period.

VBP evolved from the existing Medicare Hospital Inpatient Quality Reporting program (Hospital IQR program), formerly known as the Reporting Hospital Quality Data for the Annual Payment Update program (RHQDAPU). Under VBP, a hospital’s reimbursement from CMS will directly depend on its performance under certain quality targets and not simply for report-ing them. Beginning October 1, 2012, the hospitals’ risk based on performance will be limited to 1% of their DRG Medicare payments, with the risk increas-ing each year to a maximum of 2% by 2017. The total amount of payments available to hospitals under VBP must be equal to the total amount of reduced pay-ments for all hospitals in that fiscal year (i.e., the VBP payments are budget neutral). This means that high performing hospitals stand to earn more reimburse-ment under VBP, and low performing hospitals likely will lose. The VBP payment will be earned based on the hospital’s reported performance on metrics related to five specific conditions: acute myocardial infarc-tion, heart failure, pneumonia, surgeries, and health care-associated infection. The measures CMS initially proposed to adopt for the program are a subset of the measures that have already adopted for the Hospital IQR program. In FY 2014 and after, the metrics must also include efficiency measures, including Medicare spending per beneficiary.

On May 6, 2011, CMS released its final rules1 for implementing VBP for hospitals pursuant to

PPACA (the VBP proposed rule). Under the final rules, CMS will use 13 measures that it already uses for the Hospital IQR program for reporting quality data already in place (12 of the proposed measures are clinical process measures and one measure is a patient experience measure with eight components). CMS has noted that all 45 measures specified under the Hospital IQR program (with the exception of readmission measures) are “candidate measures” for use in VBP going forward.

For the clinical process measures, CMS will use a performance period of July 1, 2011 through March 31, 2012 for the FY 2013 payment determination. A hospital’s performance during the performance period will be measured against its performance in a baseline period of July 1, 2009 to March 31, 2010. CMS also will add three outcome measures for FY 2014 that use an 12-month performance period from July 1, 2011 to June 30, 2012 and that would be compared to a baseline of July 1, 2008 to June 30, 2009. Therefore, a hospital’s baseline for the first year of the VBP program has already been established, and performance that will impact payments under VBP began on July 1, 2011.

Under the final rules, a hospital’s performance will be measured based on the higher of the hospital’s achievement score and its improvement score for each applicable measure. A total score would be cal-culated for each hospital by combining the greater of the hospital’s achievement or improvement “points” for each measure, then weighing the measure (for FY 2013, 70% clinical process measures, 30% patient experience measures) and adding together the weighted scores (see table 1 on page 32). VBP measures must be announced no later than 60 days prior to the beginning of a performance period.

CMS has proposed to adopt a “linear exchange function” for the purpose of translating the total

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

32

TitleBy: Line

Reimbursement changes under health care reform: Are you prepared? ...continued from page 31

performance score to the VBP incentive payment earned by the hospital. This means a hospital with a total performance score of zero will not receive any incentive payment, while a hospital with a higher total performance score will receive an amount correspond-ing to its performance taken from the aggregate amount of the base operating DRG payment amounts withheld from all hospitals (1% in FY 2013).

Although VBP is expected to move the dial toward improving quality, some limitations of the VBP payment model are that it continues to keep separate the incentives for hospitals and physicians, and it does not directly address total cost or quality of care. Nonetheless, a hospital’s success under VBP is directly tied to the performance of its physicians, because the quality targets that form the basis of the hospital VBP are largely driven by physician rather than hospital performance. Therefore, if they have not

done so already, hospitals need to engage physicians to comply with quality initiatives, especially the VBP-related metrics that could effect payment.

Accountable Care OrganizationsIt is hard to avoid hearing about Accountable Care Organizations (ACOs) in the health care industry press these days. The goal of ACOs is to improve both the quality of care and the patient experience while decreasing cost for a defined population of patients. ACOs may be comprised of physicians, hospitals, and other providers and suppliers who are structured to work together to achieve these goals. The ACO concept originated from the Physician Group Practice Demonstration Project (PGP) established by CMS in 2005. The PGP was a pay-for-performance demonstra-tion project for physicians mandated by the Medicare, Medicaid, and SCHIP Benefits Improvement and Protection Act of 2000. The goal of the demonstration

Table 1: Example of hospital VBP score calculation provided by CMS in the VBP Proposed Rule.

Domain ConditionAchievement points

Improve-ment Points

Earned points (higher of achieve- ment or improvement)

Domain Score

Clinical Process of Care

HF-1 8 9 9 67.5

HF-2 0 5 5

PN-2 0 3 3

PN-7 10 10 10

Patient Experience of Care

HCAHPS Base Score

60 40 60* 69

HCAHPS Consistency Score

Total Performance Score

0.6795

*The Patient Experience of Care or HCAHPS earned points are calculated by summing the higher of achievement or improvement points across all eight HCAHPS measures.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

33

Continued on page 35

was to reduce the separation between payment for Medicare Part A and Part B services to improve both the cost efficiency and health outcomes of patients. In the demonstration, physician groups continued to receive fee-for-service payments, but were eligible for bonuses when they demonstrated cost savings and met quality performance targets. CMS distributed bonuses to some of the participating physician groups, which has contributed to provider interest in ACOs.2 (CMS recently released its proposed rules on ACOs; however, an analysis of the proposed rules is beyond the scope of this article and will be provided in a future issue of Compliance Today.)

ACO structures may be flexible and may include integrated delivery systems, physician hospital organizations (PHOs), independent practice asso-ciations (IPAs), partnerships of PHOs or IPAs, hospitals, large group practices, joint ventures owned by physicians, hospitals and others, or any variation as long as a legal structure is in place to allow the participants to share a single payment.

PPACA imposes eight requirements that an ACO must meet before it can receive a shared savings pay-ment from CMS. These requirements include:n a commitment to provide patient centered care;n participation as an ACO for at least 3 years; n a formal legal structure to allow the ACO to receive

and distribute shared savings to participants;n primary care and other health care professionals are

included for at least 5,000 Medicare beneficiaries;n an appropriate leadership and management

structure is in place; and n appropriate clinical and administrative systems are

implemented, including technology that can define and implement processes to promote evidence-based medicine, report on quality and cost measures, and coordinate care through care management.

Becoming an ACO has potential financial benefits to its participants. The shared savings payment model

sustains current reimbursement for each participant (DRG or APC payments for hospitals; fee-for-service payments for physicians), but also allows the ACO participants to share an incentive bonus if they are successful in reducing the total cost of the care for a defined population below a target established by CMS based on previous expenditures, while improv-ing quality and the patient experience. Importantly, however, ACOs will require not only new legal rela-tionships between hospitals and physicians to achieve cost effective, high-quality, and high-satisfaction care, but also a new mindset from hospitals looking to maximize their potential shared savings.

Patient-centered medical homesA principal objective of health care reform is to encourage patient-centered care. Indeed, patient-centered care is a statutory requirement for ACOs. Patient-centered care is best facilitated through a Patient Centered Medical Home (PCMH). PPACA includes pilot projects designed to explore the effectiveness of PCMHs to reduce cost and improve quality of care. The inclusion of PCMHs into ACOs is widely recognized as essential to ACO viability.

PCMHs are team-based models of care led by primary care physicians who maximize health outcomes by providing continuous and coordinated care through-out a patient’s lifetime. In a PCMH, each patient’s personal physician is responsible for meeting or overseeing all of a patient’s health care needs. The primary care physician in a PCMH works with a network of health professionals (e.g., nurses, thera-pists, hospitals, and other physicians) to provide a full range of health care to meet the specific needs of each patient. The primary care physician in a PCMH is uniquely positioned to avoid unnecessary or dupli-cate care for a patient, and to assist the patient in navigating the health care system. PCMHs provide patients with greater resources through collabora-tion among the primary care physicians and other

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

34

TitleBy: Line

To learn more and register, visitwww.internalinvestigations.org

EffectiveInternal Investigations

for Compliance Professionals

Topics include:• How Investigations Fit into the

Context of Compliance Programs

• Setting Policies and Guidelines for Conducting Effective Investigations

• How to Plan an Investigation

• Gathering Documentary Evidence

• Who’s Lying: Detecting Deception in Internal Investigations

• Forensics and Electronic Documents

• Investigation Pitfalls and How to Avoid Them

• Preparing the Report

• Discipline, Follow Up, and Closing the Loop

An internal investigation done correctly can quickly resolve issues.

Done incorrectly, it can be divisive, disruptive, costly, and time consuming.

Learn the essentials of workplace investigations November 10–11 at SCCE’s Effective Internal Investigations for Compliance Professionals. This live learning program will provide compliance & ethics professionals with practical guidance and training in conducting effective workplace investigations. Don’t wait—register now to help get the expertise you need to conduct effective internal investigations.

A TWO-DAY WORKSHOP

NOVEMBER 10–11, 2011 | SAN FRANCISCO, CALIFORNIA

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

35

Reimbursement changes under health care reform: Are you prepared? ...continued from page 33

Continued on page 36

health professionals; better access to primary care though improved scheduling and enhanced methods of patient communication; care coordination; and enhanced health information technology systems for tracking tests, results, screens, and preventative care.

As early as the 1960s, PCMHs first emerged to provide pediatric care to children with special needs. Eventually, PCMHs expanded from the pediatric set-ting to family care. PCMHs were first tested by seven national family medicine organizations in 2002 under The Future of Family Medicine: A Collaborative Proj-ect of the Family Medicine Community. Pursuant to the Tax Relief and Health Care Act of 2006, Congress mandated a demonstration to test the PCMH model for Medicare, and CMS recently completed its open solicitation period for participants.

PCMHs will very likely be a key component of ACOs because of the role that primary care will play in a patient’s inclusion in a particular ACO. Given this important incorporation of primary care, any physi-cian-hospital alignment strategy that is part of an ACO should place special emphasis on primary care in order to fully take advantage of the new payment models.

Bundled paymentsBundled payment under PPACA is a pilot program defined as “comprehensive [payment], covering the costs of applicable services and other appropriate services furnished to an individual during an episode of care (as determined by the Secretary).” Bundled payments are currently the subject of the Acute Care Episode (ACE) demonstration conducted by CMS at five organizations. ACE started in 2009 and is examining the bundled payment methodology’s ability to improve the quality of care while reducing costs for discreet episodes of care.

Under a bundled payment system, hospitals and physicians receive a single payment for an “episode” of care, rather than for each isolated treatment. PPACA

requires CMS to establish a “national pilot program on payment bundling” by January 1, 2013. Like many of the payment models designed to align hospital and physician financial interests, bundled payments will require hospitals to examine their current structure in order to best navigate yet another new method of reimbursement, specifically one where hospitals and physicians will be required to share a single payment.

Pay-for-reporting and other notable incentive programsBesides programs though which a hospital might see their traditional reimbursement structure affected, CMS continues to implement several programs, begun prior to health care reform but continuing thereafter, where hospitals will be required to report on various quality metrics or implement certain health information technology, such as electronic health records (EHRs), in order to receive incentive payments or avoid payment penalties.

CMS continues to operate the Hospital IQR program which penalizes hospitals that fail to report on quality data applicable to required quality targets. The program has been in place for several years. Under the Deficit Reduction Act of 2005, the penalty that applies for a failure to report is a 2% downward adjustment to the hospital’s the annual market basket update. Additionally, CMS enacted the Hospital Outpatient Quality Data Reporting Program (HOP QDRP) in 2009, which is modeled after Hospital IQR and also imposes a 2% reduction to a hospital’s annual market basket update for outpatient services for failing to report certain outpatient-specific metrics. As of 2011, hospitals are required to report on 45 inpatient and 11 outpatient quality metrics as part of Hospital IQR and HOP QDRP, respectively, or face the annual market basket reduction.

CMS also has implemented an analogous pay-for-reporting program for physicians, referred to as the

To learn more and register, visitwww.internalinvestigations.org

EffectiveInternal Investigations

for Compliance Professionals

Topics include:• How Investigations Fit into the

Context of Compliance Programs

• Setting Policies and Guidelines for Conducting Effective Investigations

• How to Plan an Investigation

• Gathering Documentary Evidence

• Who’s Lying: Detecting Deception in Internal Investigations

• Forensics and Electronic Documents

• Investigation Pitfalls and How to Avoid Them

• Preparing the Report

• Discipline, Follow Up, and Closing the Loop

An internal investigation done correctly can quickly resolve issues.

Done incorrectly, it can be divisive, disruptive, costly, and time consuming.

Learn the essentials of workplace investigations November 10–11 at SCCE’s Effective Internal Investigations for Compliance Professionals. This live learning program will provide compliance & ethics professionals with practical guidance and training in conducting effective workplace investigations. Don’t wait—register now to help get the expertise you need to conduct effective internal investigations.

A TWO-DAY WORKSHOP

NOVEMBER 10–11, 2011 | SAN FRANCISCO, CALIFORNIA

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

36

TitleBy: Line

Reimbursement changes under health care reform: Are you prepared? ...continued from page 35

Physician Quality Reporting Initiative (PQRI). The 2006 Tax Relief and Health Care Act (TRHCA) required the establishment of a physician quality reporting system, including an incentive payment for eligible professionals who satisfactorily report data on quality measures for covered professional services fur-nished to Medicare beneficiaries. The PQRI was fur-ther modified as a result of the Medicare, Medicaid, and SCHIP Extension Act of 2007 (MMSEA) and the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA). In 2011, the program name was changed to Physician Quality Reporting System, although it is still commonly referred to as PQRI.3

Under the Physician Quality Reporting System, physicians are eligible to receive a bonus if they report on certain quality metrics applicable to their practice. The program has been expanded so that currently there are 190 individual measures for physician reporting. For physicians, the PQRI uses a financial “carrot” rather than the “stick” approach used under the Hospital IQR or HOP QDRP program for hospitals. Initially, just for participating in PQRI and making the report, physicians received a bonus equal to 2% of their Medicare Physician Fee Schedule payments received during the applicable reporting period. Beginning in 2011, a physician’s bonus opportunity is reduced to 0.5% and can be achieved by submitting data on PQRI quality measures for an entire 12-month reporting period, either as an individual physician or as a member of a selected group practice, and by participating in the PQRI’s Maintenance of Certification program by completing a practice assessment program.

Electronic Prescribing Incentive programSimilarly, Medicare recently established an incentive program focused on electronic prescribing by physi-cians. Section 132 of MIPPA authorized a new and separate incentive program called the Electronic Pre-scribing (eRx) Incentive program for eligible profes-sionals who are successful electronic prescribers. The

eRx Incentive program began on January 1, 2009 and is separate from and in addition to the PQRI. Eligible professionals do not need to participate in PQRI to participate in the eRx Incentive program. For each program year, CMS implements the eRx Incentive program through an annual rulemaking process published in the Federal Register.

The eRx Incentive program is similar to PQRI in that it is based on the Medicare Physician Fee Schedule for covered professional services furnished by the eligible professional during a reporting period. For the 2009 and 2010 eRx Incentive program year, the incentive payment amounts were equal to 2% of the total estimated allowed charges by the eligible professional; for 2011 and 2012 the incentive payment amount will be equal to 1% of the total estimated allowed charges; and for 2013, the incentive payment amount is reduced to 0.5%. Beginning in 2012, eligible professionals who are not successful electronic prescribers may be subject to a payment adjustment or penalty, applied to all of the eligible professional’s professional services under the Medicare Physician Fee Schedule. Specifically, for 2012 through 2014, if an eligible professional is not a successful electronic prescriber for the report-ing period for the year, the Medicare Physician Fee Schedule amount for covered professional services will be reduced by 1% for 2012, 1.5% for 2013, and 2% for 2014.

To be eligible for the eRx Incentive program, the eligible professional must meet the criteria for being a successful electronic prescriber as outlined in the annual rulemaking process. For example, in 2011 a physician would need to adopt a qualified eRx system that includes the capability to:n generate a complete active medication list incorporat-

ing electronic data received from applicable pharma-cies and pharmacy benefit managers, if available;

n select medications, print prescriptions, electroni-cally transmit prescriptions, and conduct all alerts;

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

37

Continued on page 38

n provide information related to lower cost, thera-peutically appropriate alternatives, if any; and

n provide information on formulary or tiered formulary medications, patient eligibility, and authorization requirements received electronically from the patient’s drug plan, if available.

Meaningful use Hospitals and physicians also now may receive incentive payments for not just reporting on certain clinical metrics, but also for implementing certain levels of EHRs and achieving “meaningful use.” On July 13, 2010, pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), CMS released the Final Rule for the Medicare and Med-icaid Electronic EHR Incentive Programs (the EHR Incentive Program). Simultaneously, the Office of the National Coordinator for Health Information Technology (ONCHIT), pursuant to the Health Information Technology for Economic and Clini-cal Health Act of 2009 (HITECH), released its final rule on the initial standards, implementation specifications, and certification criteria for EHRs and health information technology in the EHR Incentive Program. These two EHR Incentive Pro-gram final rules establish what criteria and technical standards constitute the “meaningful use” of EHR technology required for a provider to be eligible for incentive payments, and have been discussed in detail in prior articles in Compliance Today.

The significant incentive programs and payment changes targeted at measuring the care delivered by providers, all established in a relatively short period of time, clearly demonstrate CMS’s motivation to change the way care is measured, reported, reimbursed, and ultimately delivered. At a fairly quick pace and in multiple areas, providers will be faced with increasing financial pressure from CMS to both report and improve on the way they deliver care.

Structuring hospital-physician alignment Although it cannot be disputed that hospitals and physicians must structure their relationship dif-ferently to succeed under these new payment and delivery models, the exact structure they pursue is largely variable and can depend on the unique char-acteristics of the current relationship among them and the market in which they practice. The new payment changes will arrive soon, and hospitals and physicians need to select their structure and imple-ment it prior to the payment changes so they are positioned to succeed in the new payment paradigm. Except for ACOs which may receive relief, hospitals and physicians remain constrained by the fraud and abuse laws; however, a number of legal structures are available today to align physicians and hospitals without running afoul of these laws.

Employment modelHospitals may directly employ physicians; provide all of the facilities, equipment, and staff to support the physicians’ practice; and bill and collect for the physicians’ services. This is a highly integrated structure where the hospital is responsible for and bears the entire financial risk of the physicians’ practice. The physicians are paid by the hospital for all of their professional services, and hospitals may also pay incentives to promote efficiencies and improve quality. In an employment model, hospital-supplied access to all necessary facilities and staff to perform services greatly benefits the physician, and the hospital benefits through an easier path to meeting regulatory requirements when dealing with employed physicians, compared to dealing with a physicians in a less integrated structure. The hospital often purchases the physician’s practice in advance of employment, which may or may not include restric-tive covenants that keep the physician loyal to the hospital through non-compete agreements.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

38

TitleBy: Line

Reimbursement changes under health care reform: Are you prepared? ...continued from page 37

Under the new models of care, employment by itself will not result in the health care delivery changes that are required to perform well under VBP or bundled payment. Shared savings will not be achieved unless the hospital successfully engages a broad group of physicians (employed or not) who redesign care processes to provide evidenced-based medicine, meet quality imperatives, and achieve efficiency in providing services. However, employ-ment does provide a legal structure that would allow for payment of incentives to the physicians if the delivery changes can be implemented.

Tax-exempt affiliated entity modelOne step removed from the hospital employing phy-sicians, a tax-exempt entity affiliated with the hospi-tal may provide physician services for the hospital, and this separate entity either can employ or contract with physicians or physician groups to provide all physician services for the system. This structure also results in a high degree of integration between the hospital and the physicians. Similar to the employ-ment model, the tax-exempt affiliated entity typically acquires the physicians’ practice; provides all of the facilities, staff, and equipment to support the physi-cians’ practice; and bills and collects for the physi-cians’ services. To establish a tax-exempt affiliated entity, IRS tax-exemption requirements will affect the structure of the affiliate’s board and the role that the physicians can play in setting compensation and other financial aspects of the affiliate’s operations.

Hospitals in states with strict corporate practice of medicine prohibitions often can use tax-exempt affiliate models to align physicians, because the corporate practice prohibition prevents them from employing physicians directly. However, the model may still be used in states where direct employment by the hospital is not prohibited due to several benefits of the tax-exempt affiliated entity model. First, the model can achieve a high degree of align-ment between physicians and the hospital while

providing the physicians a sense of independence and autonomy. Often, the physicians retain their corporate organization under state law and then contract with the tax-exempt entity through a professional services agreement, although individual contracts and employment (where permitted) also can occur. Additionally, using a separate tax-exempt entity may help separate the billing, malpractice liability, etc. for the physicians’ professional services from the hospital. The tax-exempt model may also make compliance with the fraud and abuse laws easier if the affiliate, and not the hospital, provides the incentive to control costs.

Pay-for-quality modelIn a 2008 Advisory Opinion, the Office of Inspector General endorsed a pay-for-quality structure. The structure involves the creation of a new legal entity which all physicians who have been on the hospital’s active medical staff in relevant departments for at least one year may join. The entity then contracts with the hospital to provide various tasks and services to improve quality and promote efficiency. Payment to the new legal entity can be based on a percentage of pay-for-performance and VBP dollars earned by the hospital (up to 50%) and then distributed to the physician-owners on a per capita basis. As a result, the structure incentivizes multiple physician special-ties, regardless of a physician’s employment status, to deliver the care necessary to improve the hospital’s performance under VBP and may serve as the legal structure necessary to support an ACO.

Under the pay-for-quality model, the hospital does not have to expend significant capital to purchase multiple physician practices or to assume the finan-cial risk of operating those practices. This structure retains the physicians’ private practices and aligns the physicians financially with the hospital on metrics focused on quality and efficiency, the key focus of the payment and delivery model changes described above. Moreover, both employed and non-employed

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

39

physicians may be engaged to promote quality, resulting in improved quality and reduced cost, and this model provides a legal structure that is sufficient to distribute either bundled or shared savings pay-ments as an ACO. The principal disadvantage of the structure is that the fraud and abuse laws discussed above are more difficult to navigate.

Joint ventures and physician-hospital organizations Joint ventures between hospitals and groups of physicians also create a mechanism for addressing the new payment methods and achieving higher quality of care. Joint ventures remain subject to the various regulatory requirements that govern physician-hospital relationships in other contexts and may provide for integration without the physi-cians giving up total control to either the hospital or an affiliated entity. Risk and rewards may also be shared between hospitals and physicians under joint ventures, and the joint venture may qualify as the legal structure necessary to distribute shared savings or bundled payments as an ACO. State law, such as the corporate practice of medicine or professional corporation requirements, potentially impact the ability of hospitals and physicians to jointly own physician practices, however.

Physician-hospital organizations (PHOs) are a form of hospital/physician joint venture that traditionally exists for managed care contracting and physician network development. Nonetheless, these organiza-tions also could function as the vehicle to distribute shared savings or bundled payments as an ACO. PHOs of the past typically did not actually deliver care, therefore a PHO likely would need to do more than just contracting and network development to achieve the delivery system changes needed to be successful under the new payment models. However, PHO use is becoming more common, particularly if they can achieve “clinical integration” to allow for collective negotiation of managed care contracts by the participants under the anti-trust laws.

ConclusionHealth care reform will bring about significant change to both how providers are paid and how care is delivered. The new structures are focused on rewarding improved quality and reduced cost and will require the development of new relationships between hospitals, physicians, and other providers across the care continuum. Although existing laws create a maze of regulation through which providers must navigate to restructure their legal relationships, the models described above can be developed under the current regulatory requirements. Creating these new legal relationships now is essential if hospitals and physicians are to succeed once the new payment and delivery models become effective. n

1. The VBS Final Rule can be downloaded at http://www.federal-register.gov/articles/2011/05/06/2011-10568/medicare-program-hospital-inpatient-value-based-purchasing-program

2. For performance Year 4, five physician groups participating in the demonstration received performance payments totaling $31,700,000 in bonus payments based on a portion of the savings realized by Medicare. Also, during the first four performance years, physician groups increased their quality scores an average of 10 percentage points on 10 diabetes measures; 13 percentage points on the 7 heart failure measures; 6 percentage points on the 7 coronary artery disease measures; 9 percentage points on the 2 cancer screen-ing measures; and 3 percentage points on 3 hypertension measures.

3. PPACA directs the Secretary of HHS to develop and implement a VBP program for physicians beginning in 2015.

Be Sure to Get Your CHC® CEUsArticles related to the quiz in this issue of Compliance Today:n Medical necessity review: Compliance in a new

era of accountability—By Robert R. Corrato, David Hoffman, and Michael Taylor, page 4

n Security of mobile devices in health care— By Chad Hirsch and Jacki Pemrick, page 20

n Feature Focus: Reimbursement changes under health care reform: Are you prepared?—By Janice A. Anderson and Christopher Wilson, page 30

To obtain one CEU per quiz, go to www.hcca-info.org/quiz and select a quiz. Fill in your contact information and take the quiz online. Or, print and fax the completed form to CCB at 952/988-0146, or mail it to CCB at HCCA, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Questions? Please call CCB at 888/580-8373.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

40

TitleBy: Line

If you want toincrease compliance,start with a training

progam thatengages your staff.

If you want toincrease compliance,start with a training

progam thatengages your staff.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

41

XXXXXXX ...continued from page 41

If you want toincrease compliance,start with a training

progam thatengages your staff.

If you want toincrease compliance,start with a training

progam thatengages your staff. hccs

Experts in Healthcare Learning

Healthcare facilities thatare serious about reducingrisk choose HCCS.Compliance is serious business and it takes a serious trainingprogram to increase awareness and change staff behavior.Compliance training must have emotional impact and mustchange attitudes to be effective.

Engaging, professionallydesigned multimedia content is more effectivethan page-turning text.An effective training program requires more than askingyour staff to flip through some electronic text pages. HCCS

online compliance andcompetency trainingcourseware uses pro-fessional multimediaelements to create anengaging, interactivelearning environment.Real-life video scenar-

ios with professional actors in healthcare settings, audio nar-ration and interactivity are combined to increase the reten-tion of the information presented.

Adult learning is what works.HCCS courseware is designed using accepted principlesof how adults learn and retain information.

Research shows that retention is greatest when the learnersees, hears and interacts with training content.

HCCS courses combineexpert up-to-date con-tent with expert learn-ing methods to createa truly unique learningexperience.

The top University hospitals in the countrychoose HCCS.More than 50 Academic Medical Centers, 25 medical schoolsand hundreds of other healthcare facilities have chosenHCCS training courseware for their online education.With over one million registered learners, HCCS is theleading provider of online multimedia compliance andcompetency training courseware.

Whenemployees pay attention, you reduceyour risk.

Looking for a more effective training solution? Want toincrease compliance?

Don’t take our word for it, take one of our free educa-tional webinars or test drive our courseware yourself atwww.hccs.com.

Call 877-933-4227 for more information and a schedule of FREE training webinars or go to www.hccs.com

Medicare • Medicaid • HIPAA • Quality Improvement • Research • Nursing

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

42

DON’T GOHALFWAY.GO GO 360360.

www.compliance360.com

COMPLIANCE PROGRAM EFFECTIVENESS: You’ve established a compliance

program – but can you prove that it’s working? Regulators now look beyond the presence of a compliance program,

demanding concrete evidence that that your program is effective. Partial compliance is non-compliance. You need a

comprehensive, unifi ed solution that helps you identify and fi x the gaps… before something falls through them.

Learn more at the Compliance Effectiveness Resource Center: visit www.compliance360.com/EffectiveCompliance.

GET THE 360° VIEW.

C360 HCCA Ad CPE BW version 06-22-11.indd 1 7/21/11 11:32 AM

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

43

XXXXXXX ...continued from page 43

Continued on page 44

Editor’s note: Steve McGraw is President and CEO of Compliance 360 in Alpharetta, Georgia. Steve may be contacted by e-mail at Steve.McGraw@compliance360.com.

For this two-part article, Steve conducted interviews with five attorneys from leading health care law firms to examine the most press-ing compliance and legal challenges and offer their insights for mitigat-ing the risks. The attorneys who participated in interviews for this second part of the article included: Sara Kay Wheeler of King & Spald-ing (SKWheeler@KSLAW.com) on the topic of increasing and expand-ing revenue recovery audits such as RAC for Medicaid.

Lisa Murtha of SNR Denton (lisa.murtha@snrdenton.com) on the topic of increasing need to demonstrate the effectiveness of compliance programs.

Lisa Ohrin of Katten Muchin Rosenman (lisa.ohrin@kattenlaw.com) on the topic of lessons learned from recent enforcement actions and whistleblower lawsuits.

In Part 1, published in the August issue of Compliance Today, Steve interviewed Anna Grizzle of Bass

Berry & Sims about false claims risks, including self-disclosures and fraud-specific audits; and Frank Sheeder, formerly with Jones Day, now at DLA Piper, about adapting to the changing landscape of government initiatives.

P erhaps no other industry faces the legal and regula-tory challenges as those

present in health care today. Not only is there a high bar for legal risk, but these risks also have more volatility than those in other indus-tries. With the recent passage of the Patient Protection and Affordable Care Act (PPACA), as well as the Fraud Enforcement and Recovery Act of 2009 (FERA), the bar is raised even further. And, at the state level, there is yet another layer of expanding regulatory requirements and enforcements to contend with.

To better help health care compliance and legal professionals understand these changes and take proactive steps in preparation, Steve McGraw invited Sara Key Wheeler, Lisa Murtha, and Lisa Ohrin, attorneys from three of the leading health care law firms, to examine the most pressing compliance and legal challenges and offer their insights for mitigating the risks.

Increasing and expanding revenue recovery audits such as RAC for MedicaidSM: Sara Kay, with increasing demands from the Obama Administration and Congress for recovery of Medicare and Medicaid overpayments, health care providers will face more revenue recovery audits in 2011 than ever before. What do you see as the key challenges for health care providers this year?SKW: Steve, because of the convergence of multiple pri-orities coming from the Fraud Enforcement Recovery Act in 2009 and PPACA in 2010, we believe that some of the greatest risks and challenges for providers will stem from the intersection of these initiatives. For instance, ini-tiatives to combat fraud, as well as others focused on the recovery of overpayments, will have significant points of overlap and providers should evaluate and prepare for these together, rather than in silos. As an example, we should view audits, either internal or external, as sources of information. Internal audits leveraged as a source of information can serve as an asset for providers, exposing potential issues, such as consistent outliers or high error rates. This allows providers to take corrective actions proactively. External audits such as RAC, MAC, MIC, and other revenue recovery audits also serve as sources of information, but the exposure of a consistent pattern of

Top compliance and legal risks for health care in 2011, Part 2

By Steve McGraw

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

44

TitleBy: Line

Top compliance and legal risks for health care in 2011, Part 2 ...continued from page 43

issues here can lead to ZPIC or MFCU “fraud buster” investigations.1 Over time, as the revenue recovery audits uncover consistent patterns of non-compliance, we’ll see the fraud busters stepping in and asking “What were you doing organically to address the issues?”

SM: As the auditors become more aggressive, what can providers do to proactively minimize the risk of recoupment of legitimate payments?SKW: Providers need to focus on addressing the audits with a grass-roots, organic effort. They need to enlist individuals who can proactively identify potential over-payments. In a complex hospital system, this may be a large group including patient financial systems, Legal, Compliance, Audit, and even other less obvious representa-tives, such as those in charge of writing grants. The provider should also identify a smaller group that has the authority to evaluate potential overpayments that have been identi-fied, make a determination, and provide a recommended course of action. Keep in mind that we’re not talking about a process for addressing routine adjustments. This process needs to focus on significant overpayments that may create a risk of large recovery actions or false claims allegations. Providers should also seek help, early in the process, from experts and peers with front-line experience. The potential for mishandling potential overpayments and the liability risks are simply too high to not seek assis-tance from experienced practitioners.

SM: As the RAC program expands to include Medicaid overpayments, what recommendations do you have for large, multi-state health care systems as they cope with appeals processes that vary from state to state and may even be changing as the program evolves?SKW: This is an area that we monitor very closely and there are still many unknowns. CMS has issued a proposed rule for the Medicaid RAC program, but at this point, the final rule is still pending. Even so, some states are moving forward now and have issued RFPs [Requests for Proposals] for Medicaid RAC contractors and have already begun vetting potential candidates. Also, the learning curve has changed significantly in the last 18 months. With the

Arent Fox Ad

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

45

Continued on page 46

Medicare RAC program up and running, providers are less skeptical of the realities of these programs and coming up to speed on the differences between the various types of audits, such as RAC, MAC and ZPIC. However, we also believe there are two important vulnerabilities. First, one year ago, the term “RAC audit” only applied to Medicare Parts A&B. When you said “RAC” everyone knew what you meant. Now, “RAC audit” may have three meanings that include Medicare Parts C&D or Medicaid RAC. Providers need to keep in mind that each of these three RAC programs will have very different sets of rules. Some providers may have a false sense of security from their Medicare A&B RAC experience and may not be fully prepared to relearn the new processes and best practices for managing the other RAC audits. Secondly, the roll-out of the RAC program received a lot of fanfare over the last several years, while the MIC program for Medicaid progressed much more slowly and quietly. Providers participating in the Medicaid program should not expect the same slow pace when the Medicaid RAC audits are rolled out. I believe many states will be moving much faster with the Medicaid RAC program than they did with the MIC program.

Increasing need to demonstrate the effectiveness of compliance programsSM: Lisa, in addition to the new mandatory requirement to implement a compliance plan, regulators will increase their focus on quality in 2011. How are pro-viders preparing for this change?LM: Steve, even prior to the passage of the Affordable Care Act, we’ve been expecting the OIG to put pressure on Congress and CMS to enact a new require-ment for health care providers to implement a compliance program. And, there is an increasing focus on quality issues related to com-pliance for both providers and payers. As a result, we are seeing hospitals move toward a higher level of integration among their Risk Management, Compliance, and Utilization Review functions. Many are integrating their annual Work Plans and addressing specific areas of focus in a much more coordinated manner. For instance, the Compliance department may look closely at the OIG’s annual Work Plan, which may include specific quality-of-care initiatives. The Compliance department would then coordinate the corre-sponding quality reviews with the Risk Management or Utilization Review groups as appropriate. In many health care organizations, we are also seeing the formation of a Quality Committee on the board of directors and more recently, we’re seeing more frequent attendance in

the Quality Committee meetings by the chief compliance officer. While the scope of these Quality Committees has historically focused on quality of care, they are expand-ing to include relevant compliance initiatives. By doing so, organiza-tions are also leveraging quality as a compliance indicator. For example, some of my clients have decided to hold a combined Quality, Audit, and Compliance Committee meeting once each year. These meetings focus on quality initiatives as a component of compliance. They may focus on things such as the incidents of infection reported during a certain time frame as well as the remediation needed to ensure that patient care is not jeopardized.

SM: CMS seems to be shifting from a focus on policies, proce-dures, and retrospective audits, to a focus on measuring outcomes resulting from effective compliance programs. What are you seeing? LM: Steve, not only does the Affordable Care Act address new requirements for compliance program effectiveness, but we are also seeing some new, similar requirements at the state levels as well. For instance, The Office of the Medicaid Inspector General in the State of New York has pub-lished a tool that helps health care organizations self-assess their com-pliance programs. This is largely based on the seven elements of an effective compliance program as

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

46

TitleBy: Line

Top compliance and legal risks for health care in 2011, Part 2 ...continued from page 45

outlined in the US Sentencing Guidelines, augmented with health care-specific metrics, such as monitoring and measuring overpayments. Additionally, some providers have established their own assess-ment tools for measuring indicators such as compliance training, reduction in billing errors, and volume and severity of hotline calls. Regardless of the method used for assessing compliance effectiveness, I think the key to success is in determining how well compliance is integrated into operations. Providers need to determine if compliance is viewed as an integral part of day-to-day operations or merely an add-on or afterthought. This can be accomplished through such things as staff surveys to determine if the compliance program has positively impacted the culture, and integra-tion of measured compliance objectives into performance plans and reviews for managers.

SM: The definition of an effec-tive compliance program seems to be vague at this point. Beyond the seven elements of an effective compliance program, is CMS providing any guidance? Do you have any recommendations?LM: Through their lobbying efforts with Congress and their targeted areas of focus for audits, CMS is providing what I’ll call “indirect guidance.” And, just like the compliance program guidance

provided in New York relative to Medicaid, I think we’ll see more state-specific guidance provided in other states in the future. For assessing compliance effec-tiveness, the common thread can be found in the metrics focused on answering questions such as: Is the compliance program positively influencing the culture? Is it reduc-ing billing errors? Are physician contracts compliant with Stark and anti-kickback regulations? Overall, is documentation as thorough and accurate as needed to provide proactive evidence of compliance? We need to keep in mind that CMS does not want to tell providers how to do it. Because all providers are different—different sizes, different specialties, and different requirements that vary based on location—CMS cannot provide one-size-fits-all instructions for assessing compliance program effectiveness. The metrics will simply vary too much from one organization to the next. Ultimately, guidance relative to assessing compliance effectiveness will be centered on reducing billing errors, ensuring thorough documentation, and improving overall quality of patient care.

SM: What steps are you seeing providers take to be more proactive with their self assessments?LM: We’re seeing a significant uptick in the requests for inde-pendent compliance program assessments and I believe this is

directly related to the federal and state initiatives. Boards of direc-tors are becoming much more knowledgeable about compliance requirements and increasingly asking for this as well. From a practical perspective, I also think Compliance departments are rec-ognizing that they need to measure and demonstrate effectiveness to show that they are adding value to the organization. In addition to independent assessments and benchmarks, providers are also collaborating with their peers to identify best practices for self-assessing compliance effectiveness. Additionally, audit firms are start-ing to include recommendations for compliance program assessments in their management letters. Specific recommendations vary between the use of the Internal Audit team, external auditors, or a combination of both for conducting compliance program assessments.

Lessons learned from recent enforcement actions and whistleblower lawsuitsSM: Lisa, can you give us a quick summary of some of the more telling enforcement actions and settlements you’ve seen in recent years?LO: The settlement with Detroit Medical Center late in 2010 comes to mind first, because of the amount—$30 million. This was a case with hundreds of physician compensation arrange-ments and issues related to leases,

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

47

Continued on page 49

non-monetary compensation, and personal service arrangements—many of which had no written agreements in place. This case is unusual due to the volume of issues and the course of action chosen by the Assistant US Attorney (AUSA). As the hospital produced boxes upon boxes of paper, the AUSA moved directly to negotiating a fine, rather than mounting an expensive investiga-tion into all the evidence. The process was also expedited because Detroit Medical Center was in the process of being acquired. The buyer had initially expected to acquire Detroit Medical Center, but not assume the provider number and the associated non-compliance liabilities. But, CMS informed the buyer that if it did not assume the provider number, it could not keep all the residency slots currently assigned to the hospital. So, the buyer decided to keep the provider number and settle with the AUSA. Although not an issue with Detroit Medical Center, because the Affordable Care Act has also curtailed new physician ownership of hospitals, potential buyers of hospitals must be prepared to assume any potential existing liabilities stemming from Stark Law non-compliance, if the physician owners/sellers wish to maintain the ownership interest. I believe the key takeaway here is that the Affordable Care Act can significantly limit the flexibility

of structuring acquisitions. In the past, non-compliance issues may have remained with the seller, but now they cannot; the buyer must assume potential liabilities, and this would include any potential Stark or anti-kickback issues. Another interesting example is the case with the University of Medicine and Dentistry of New Jersey (UMDNJ) in 2009. Essentially, this was a case of outright fraud. The hospital had written agreements in place with the physicians, but didn’t abide by the agreements. Physicians were being paid, even when no services were provided. Many of the violations cited were classified as kickbacks for referrals. The lesson to be learned is that, even with increased focus on combat-ing fraud, this is still happening. You can’t just sign agreements and move on. Ongoing monitoring and management of potential third-party risks is critical. Compliance officers, internal auditors, and their correspond-ing board committees need to be vigilant and ensure that the services included in an agreement are actually being furnished. As a final example, let’s take a look at the case with St. Joseph’s Medical Center in Maryland. This hospital ended up with a $22 mil-lion settlement in a qui tam action under the False Claims Act. The focus on the hospital began with a cardiologist who had implanted hundreds of medically unnecessary

stents. The physician’s medical practice provided professional services under agreements with the hospital. The qui tam action was brought by a competing cardiology practice. The investi-gation alleged that the hospital was paying kickbacks under the guise of the professional service agreements and the payments were above fair market value and not commercially reasonable. The lesson for hospitals? More and more, the qui tam relators are competing physician groups or “scorned” physicians to whom a contract was not awarded.

SM: So Lisa, from these very interesting examples, can you provide some tips for avoiding or mitigating the risks of these situations? How should providers increase or change their compli-ance programs and activities in light of what we’ve seen?LO: First, providers need to closely examine each physician relationship and objectively determine if the relationship is truly necessary. Then, ensure that each relationship is commercially reasonable and unlikely to be deemed as structured primarily to induce lucrative referrals. I recom-mend two levels of review. First, establish a standard process for vetting agreements before they are signed. Make sure agreements are in compliance with laws and regulations. CMS

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

48

TitleBy: Line

Increase your Revenue by $100,000

in just 12 Months Guaranteed!

The Coding Institute Providing Simple Solutions For Success In HealthcareThe Coding Institute’s team of CPC-certified consultants, coders, trainers, and editors is unmatched in its expertise. And, with over 63 years in the business of helping practices like yours, you can count on us to deliver efficient, effective, and accountable solutions for all your coding, consulting, and compliance needs.

Choose from our various products and discover the secret to a profitable & compliant healthcare organization.

Meet Your Claims Quota in a Flash with www.SuperCoder.com

Get content, codesets, tools and interactive Q&A sessions with CPC-certified coding veterans all in one place. And, with rates starting as low as $14.95/month, it won’t break the bank. We prove that you don’t always get what you pay for - with SuperCoder.com you get more.

Cleaner, More Profitable Claims in Just Minutes Each Month! TCI’s Specialty Alerts help you keep your coding on track all year long. You get the most accurate, timely, and reliable coding instruction available in an easy-to-understand and even easier-to-implement format - straight from our CPC-certified editorial staff.

Get Your Practice on the Growth TrackThe odds are stacked against healthcare providers, but there are savvy physicians who beat those odds every day with TCI’s Consulting & Revenue Cycle Solutions.

We offer an entire portfolio of services for a healthier practice including: Collections Management, Consulting & Education, Revenue Cycle Management, Chart Auditing, On-Demand Coding, Services, and ICD-10 Training.

Call us now at 1-800-508-2582 and mention TCIH to learn more about how we can help you!

Volumes of Coding Expertise at Your Fingertips!Whether it’s updates on the latest coding changes from our Survival Guides or single-page CPT® code references from SuperCoder Illustrated, you’re sure to get expert pointers to save you time, boost your revenue, and keep you out of the RAC spotlight.

Save

15%

on any product

or service.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

49

XXXXXXX ...continued from page 49

Top compliance and legal risks for health care in 2011, Part 2 ...continued from page 47

interpretations can be very strict and providers need to be strict with their interpretations as well. Second, and this is very important, establish a process for ongoing monitoring and review to ensure that all parties are acting appropriately and according to the established agreements. If the primary agreement is not followed, CMS might conclude that the provider has established a “secondary” compensation arrangement, even if nothing has been formalized. That is, a hospital can be considered to provide compensation to a physician when it does not require the physician

to fulfill his/her obligations under an agreement despite payment for those obligations. Third, and this may seem obvious, but it is important to remember the little things. For instance, back-ground checks for provider exclu-sions are critical. Even if agreements are well constructed and being followed, a Stark violation can be alleged simply because the provider has contracted with an excluded provider. A final tip is that a provider should not be too hasty to assume that it has a non-compliance issue, and should not be too quick to self-disclose. Don’t feel rushed by the “60-day

rule.” Providers should take the time to determine if, in fact, they have a non-compliance issue at all. We’ve seen many situations that, on the surface appear to warrant a self-disclosure, but once we dug into the details, we determined that there really was no compliance issue at all. I recommend that providers estab-lish and use a consistent process that includes standard checklists for evaluating each and every potential non-compliance issue. n

1. RAC = Recovery Audit Contractor, MAC = Medicare Administrative Contractor, MIC = Medicaid Integrity Contractor, ZPIC = Zone Program Integrity Contractor, MFCU = Medicaid Fraud Control Unit

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

50

TitleBy: Line

Record release compliance:

The challenge acceleratesBy Jan McDavid

Editor’s note: Jan McDavid is Chief Compliance Officer and General Counsel at HealthPort in Alpharetta, Georgia. She may be contacted by e-mail at Jan.McDavid@HealthPort.com.

In 2010, more stringent Health Insurance Portability and Accountability Act

(HIPAA) Privacy and Security rules under the Health Information Technology for Economic and Clinical Health Act (HITECH) provision of the American Recovery and Reinvestment Act (ARRA) brought to light a misunderstood and often unknown process within health care: the release of medical records, better known as Release of Information (ROI). For years, Health Information Management (HIM) departments have been responsible for managing this elusive but critical function in health care. HITECH’s updates to HIPAA made the process more structured and accountable.

And, as the process undergoes greater scrutiny, the challenge to consistently deliver timely ROI services at a low cost is accelerated. This article explains the ROI pro-cess and describes how industry forces, such as HIPAA, recovery audits, and meaningful use have made ROI an important topic for the Compliance table.

Release of information: What’s the risk? ROI is an important process, one that compliance officers must completely understand. Many may expect that somebody places a reasonable request for a patient’s health information and a clerical worker in Medical Records simply makes a photocopy and forwards it on. Nothing could be further from the truth.

The actual ROI process is a highly structured, multi-step procedure designed to protect the informa-tion, the patient, and the institu-tion. Recent changes make ROI more demanding, more impor-tant, and more expensive; how-ever, the changes were imperative for compliance.

The dichotomy of increasing costs to remain compliant versus the trend to decrease costs in every health care institution requires a balancing act. Recovery audits have exponentially increased the number of information releases that are required, and the

penalties for improper or illegal release have increased as well. Finally, there are evolving rules for notifying the appropriate gov-ernmental agencies as well as the patients/individuals involved.

Business associates also in the mix Another change that has impacted the ROI process is the inclusion of business associates (BA) into the HIPAA compliance mix. Business associate changes, effective in February 2010, were intended to ensure compliance throughout the chain of information movement. A business associate is anyone who works with or provides services to the covered entity involving the use or disclosure of PHI.

Rules apply to both the storage and transmission of paper and electronic versions of unsecured protected health information (PHI). The term “unsecured” is key. If electronic information is encrypted both while stored and transmitted, then it is deemed secured and not subject to penalty if breached.

Further, BAs are now subject to the privacy provisions of HIPAA to the same extent as the covered entity. Prior to February 2010, BAs were required to comply only with contractual obligations; now, they are compelled to adhere to all requirements of the HIPAA Privacy Rule, including the need to have

101 COMPLIANCECOMPLIANCE

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

51

XXXXXXX ...continued from page 51

Continued on page 52

a privacy policy and appoint a privacy officer. The growing importance of compliance as well as an increased cost structure must be borne.

Recovery audits increase ROI volumesThe proliferation of audits is a second major health care initiative that impacts ROI. Health care providers have always been subject to some level of audit, but the Medicare Recovery Audit Contractor (RAC) program has sparked a major increase in the number and type of audits.

The goal of the audits is to mitigate fraud, abuse, and waste. Medicare uses contractors to do the audits. They are compensated based on a percentage of the monies that they re-coup from providers. This creates a “bounty hunter” mentality, which increases the aggressiveness of the audits. In 2010, $1.7 billion worth of claims were audited, and $86 million, or 5.05%, of the payout was recovered.1

With thinning margins, most health care entities are hard pressed to lose more than 5% of their Medicare revenue stream. Worse, 2010 was just the buildup year for RAC audits, as they are expected to continue to increase. The apparent success of Medicare’s

audit programs has sparked other payers to take up the charge and start their own contractor-based audit programs. The Medicaid audit program was scheduled to start April 1, 2011, but it has been delayed to finalize rules. It will not likely start before January 1, 2012, but it is coming. Commercial payers hoping to recover payouts and help their bottom line have joined the fray.

The point is that all this activity has greatly increased the number of requests for information that need to be managed and moni-tored for compliance. Compliance risk is mitigated with the use of a centralized audit management strategy and supporting audit tracking system. The centralized audit strategy has emerged as an industry best practice.

Meaningful use stimulus dollars and ROIThe government is trying to encourage providers to move to

electronic health records (EHRs). In an effort to define the effective-ness of EHRs, the government is certifying them and trying to ensure that the technology is used in a way that is “meaningful.” This meaningful use (MU) require-ment, if fulfilled and attested to, will pay a bonus to the provider. Providers can choose to not pursue the MU program and not receive the bonus dollars but, if they do not demonstrate MU

in five years, they will be penalized by a reduction in Medicare reimbursements. The Phase One MU criteria have 25 components, five of which require the release of information to the patient or to another physician. It must be done electroni-cally and in very short time frames (3-4 days). It must also originate from a certified EHR, to the extent the

information exists there.

Having records available elec-tronically is thought to be a magic bullet in expediting the ROI process. EHRs do relieve the ROI workload and cost slightly, but they also may heighten the risk of a compliance breach.

Releasing copies of medical records is a complex process con-sisting of highly regulated steps, only some of which are automated with an EHR. The process

“Having records available electronically is thought to be a magic bullet in

expediting the ROI process. EHRs do relieve the ROI

workload and cost slightly, but they also may heighten

the risk of a breach.”

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

52

Record release compliance: The challenge accelerates ...continued from page 51

has become increasingly labor intensive for HIM departments, diverting staff time from daily responsibilities to the administra-tive burden of managing all these record requests.

The most labor-intensive part of ROI involves a thorough review of each piece of documentation to make sure that no PHI is released without proper authorization. The fear is that many of the human checks and balances inherent in the process are eliminated in a com-pletely electronic environment.

The logical inference with EHRs is that they afford greater user access to information, and they do. This increased access can help expedite processes and improve patient care. The potential down-side of electronic record sharing is a much greater risk of a data breach. The compliance and secu-rity officers must be particularly vigilant in this brave new world and implement stronger disclosure and security practices to safeguard this information.

The final word on ROIROI’s complexity is growing. The potential for breach is widening, and the need exists for tightening guidelines for security. The com-pliance officer must ensure that every HIM professional is knowl-edgeable about the privacy regula-tions of each medical condition, because the rules for all diagnoses

are not the same. To complicate matters, the regulatory require-ments vary from state to state. In the case of state versus federal regulations, the most stringent regulation applies.

All of this is raising the cost structure for providers. The need for increased legal fees, software purchases, and encryption capa-bilities are small compared to the human capital required to be in compliance. And because the aver-age reimbursement received from a record request is less than $50, providers should not assume they can recoup the cost of compliance.

Finally, the negative effects of a breach due to improper record release must be weighed. Not only are fines and penalties involved, but breaches also impact a pro-vider’s community reputation. Having high-quality compliance staff, partners, policies, and procedures is a must in today’s world. The need is only going to increase. n

1. American Hospital Association: Explor-ing the Impact of the RAC Program on Hospitals Nationwide: Results of AHA RACTrac Survey, 4thQuarter 2010. February 24, 2011. Available at http://www.aha.org/aha/content/2011/pdf/Q4ractracresults.pdf

501 Ideas for Your Compliance and Ethics Program

Jump-start your program with SCCE’s best-selling idea guide! Author Joe Murphy has spent his career collecting great ideas for building an effective compliance and ethics program. These practical tips can have an immediate, lasting impact on your organization’s program.

Visit the HCCA store at www.hcca-info.org, or call 888-580-8373.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

53

Continued on page 54

Editor’s note: Nathaniel (Nate) Lacktman is Senior Counsel in the Tampa office of Foley & Lardner LLP and a member of the Health Care Industry Team. He advises DMEPOS suppliers and other health care clients on a range of business and regulatory issues, including health care compliance and market-ing. Nate may be contacted by phone at 813/225-4127 and by e-mail at nlacktman@foley.com.

Leeann Habte is an associate in the Los Angeles office of Foley & Lardner LLP and a member of the firm’s Privacy, Security & Informa-tion Management practice and the Health Care Industry Team. She advises health care clients on HIPAA and information privacy and security issues. Leeann may be contacted by phone at 213/972-4679 and by e-mail at lhabte@foley.com.

This article is the fourth in a series on DMEPOS compliance issues by Foley & Lardner LLP published in Com-pliance Today. Last month, the authors provided insight and stra-tegic advice on DMEPOS supplier standards and the False Claims Act.

This month, the authors discuss the HIPAA implications for DMEPOS supplier marketing arrangements and provide a sample marketing authorization form as a supplier tool. Subsequent articles will discuss hospital-DMEPOS supplier arrange-ments under the Anti-kickback Statute; strategies for DMEPOS promotions and arrangements with manufacturers; and DMEPOS reimbursement compliance.

Suppliers of durable medi-cal equipment, prosthet-ics, and orthotics supplies

(DMEPOS) play an essential role in the spectrum of patient care, particularly for a medically-fragile patient population seeking greater independence. The lifeblood of a DMEPOS supplier’s business is its customer base—the patients. Motivated suppliers continue to seek out new ways to promote their items and services to cus-tomers, and rightly so. In addi-tion, many established suppliers are exploring cross-promotional arrangements with other compa-nies as a means to obtain addi-tional revenue and expand their

footprint by tapping into other companies’ customer bases.

Although such marketing strategies can offer significant benefits, they also present particular compliance risks in the health care context. DMEPOS suppliers interested in exploring collaborative or cross-promotional arrangements with other businesses must take time to understand the contours of the Health Insurance Portability and Accountability Act (HIPAA) and other applicable rules, because they affect the scope and terms of such cross-promotional arrange-ments. For purposes of this article and all the examples contained herein, the DMEPOS supplier is assumed to be a HIPAA covered entity (as would be the case in the vast majority of retailer DMEPOS suppliers).

HIPAA marketing rules and restrictionsDMEPOS suppliers that plan to implement marketing or pro-motional arrangements should keep in mind that the HIPAA Privacy Rule restricts both the disclosure and use of protected health information (PHI) for marketing purposes.1 With certain important exceptions, the Privacy Rule requires an individual’s written authorization before his/her protected health information can be disclosed or used for any

DMEPOS supplier marketing

arrangements and HIPAA compliance

By Nathaniel Lacktman, Esq., CCEP; and Leeann Habte, Esq., CIPP

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

54

TitleBy: Line

DMEPOS supplier marketing arrangements and HIPAA compliance ...continued from page 53

communication that meets the definition of marketing.2

Definition of marketing Under HIPAA, a communication is considered to be marketing if the supplier makes “a communication about a product or service that encourages recipients of the com-munication to purchase or use the product or service.”3 Generally, if a communication meets the defini-tion of marketing, the supplier may make that communication to a patient only if it first obtains the patient’s express written authoriza-tion. An example of a marketing communication requiring patient authorization is a letter sent from the supplier to its former patients, informing them about a special promotion from a local fitness center that is offering discounts to the general public on new workout memberships, when the com-munication is not for the purpose of providing treatment advice.4 However, if a communication that otherwise meets the definition of marketing falls within one of the following three exceptions and does not involve direct or indirect payment for making such commu-nication, an authorization will not be required.5

Exceptions to HIPAA definition of marketingThe three exceptions below fall under the definitions of treatment and/or health care operations, and use or disclosure of PHI for these

purposes is permissible without written authorization.

1. Supplier’s own health-related items or services

Under the first exception, a com-munication is not considered marketing if it describes a health-related product or service provided by the supplier making the com-munication.6 Among other things, this exception permits com-munications by a supplier about products or services “provided by” the supplier to its clients. For example, it would not be market-ing for a supplier that has added a new anti-snoring device to its product supply catalog to send a flyer describing it to the supplier’s patients (whether or not each patient has actually previously sought treatment for snoring).

2. Supplier’s treatment communications

Under the second exception, a com-munication is not considered mar-keting if it is made for treatment of the individual and for the purpose of furthering the treatment of that individual.7 For example, under this exception, it is not marketing when a supplier mails refill reminders to patients, or contracts with a mailing house to do so.8

3. Coordination of care and recommendation of alterna-tive treatments

Under the third exception, a communication is not considered

marketing if it is made for “case management or care coordination for the individual, or to direct or recommend alternative treat-ments, therapies, health care providers, or settings of care to the individual.”9 For example, under this exception, it is not marketing when an endocrinologist shares a patient’s medical record with several behavior management programs to determine which program best suits the ongoing needs of the individual patient.10 This exception is less frequently utilized in the DMEPOS supplier context, because the supplier commonly fills the orders issued by the patient’s treating physician, and the supplier does not inde-pendently offer its own treatment recommendations.

Marketing and the sale of health informationHIPAA also has a second defini-tion of marketing, under which a communication is considered marketing if the supplier enters into an arrangement with another entity whereby the supplier:

...discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.11

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

55

Continued on page 57

This type of marketing has no exceptions under the current HIPAA Privacy Rule. In other words, a supplier may not sell the PHI or names of its patients to a business associate or any third party without first obtaining express written authorization from each patient.12 A valid authoriza-tion must state that such remu-neration is involved.13

When are HIPAA authorizations for marketing not required?Even if a communication falls within the definition of market-ing, there are certain situations where an authorization is not required. The HIPAA Privacy Rule provides an exception if the marketing communication is in the form of either a face-to-face communication made by the supplier to an individual, or a promotional gift of nominal value provided by the supplier.14 This provision permits a supplier to discuss any services and products, including those of a third-party, during a face-to-face communica-tion. The supplier could also give the patient sample products or other information in this setting (subject to other restrictions, such as the Anti-kickback Statute, Civil Monetary Penalties Law, and other laws not discussed in this article). From a HIPAA perspec-tive, no written authorization is necessary when, for example, a supplier provides a free package of formula and other baby products

to new mothers as they leave the maternity ward.

Effective February 18, 2010, the Health Information Technology for Economic and Clinical Health (HITECH) Act revised the frame-work for the HIPAA exceptions to marketing communications. Under these changes, even if remuneration is involved, certain communications are considered health care operations and not marketing: n if the communication is for

treatment purposes; or n if the communication only

describes a drug or biologic that has been previously prescribed or administered, provided that the amount of the remuneration to the supplier is reasonable.15

For uses or disclosures other than these exceptions, a valid authorization from the patient is required.

Intersection of HIPAA marketing rules and DMEPOS Supplier Standards When marketing items and services, Medicare-participating DMEPOS suppliers must not only comply with HIPAA market-ing restrictions, they must also comply with the Medicare DMEPOS Supplier Standards for marketing to beneficiaries. Although both sets of rules govern marketing communications, they

differ in how they restrict such communications.

Marketing your own DMEPOS items or servicesThe HIPAA Privacy Rule makes clear that certain activities, such as communications made by a sup-plier for the purpose of describing the products and services it pro-vides, do not constitute market-ing. Under HIPAA’s marketing rules, a DMEPOS supplier may freely market its own products and services to its own patients, and may use its patients’ health information for such purpose without authorization. This is also allowed under the Medicare DMEPOS Supplier Standards.

Cross-promoting products or services of other companiesUnder the Privacy Rule, a DMEPOS supplier may not use its patients’ PHI to promote the products and services of other businesses (i.e., products and ser-vices not offered by the DMEPOS supplier itself ) unless it meets one of the exceptions. When a supplier sends another business’s marketing materials to the sup-plier’s patients and such commu-nication is not for the treatment of an individual, the supplier would be using its patients’ PHI. It matters not if the supplier does not actually disclose any PHI to the other business, because the

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

56

TitleBy: Line

Physician Practice/Clinic

Compliance Conference

OCtOber 16–18, 2011 PhiladelPhia, Padoubletree by hilton hotel

Philadelphia City Center

Why You Should AttendPhysicians, compliance officers, coders, and managers will learn to manage an effective compliance program. designed with networking in mind, the conference provides many opportunities for choosing breakout sessions covering topics of interest for all. Participants will learn about compliance program development and management as it relates to physician practices; current government initiatives in the field of health care compliance specific to physicians and their group practices; correct documentation, billing and coding practices for physicians; and best practices utilized in physician practices.

hcca-physician-conference.orglearn more & register at

September 25–27, 2011Renaissance Harborplace HotelBaltimore, MD

REGISTER ONLINE AT www.healthlawyers.org/programs

The Fraud and Compliance Forum is jointly sponsored by the Health Care Compliance Association (HCCA) and the American Health Lawyers Association (AHLA). It will include an explicit designation of a session as “compliance focused” or “legal focused.” The Planning Committee has included enough sessions in each designation that an individual could attend all “compliance” sessions or all “legal” ses-sions for the entire program. Yet an attendee also has the option of selecting a diversity of sessions and networking with an expanded group of individuals. The Fraud and Compliance Forum has the benefit of combining the quality of HCCA and AHLA sessions with the expanded networking power of a combined program.

REGISTER NOW

SPONSORS

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

57

DMEPOS supplier marketing arrangements and HIPAA compliance ...continued from page 55

Continued on page 58

Privacy Rule restricts both the disclosure and the use of PHI.

In this situation, none of the HIPAA marketing exceptions apply. The supplier is not market-ing its own product or service. The supplier is not making a rec-ommendation regarding treatment of an individual patient’s medical condition. And, the supplier is not likely to be considered to be in a position to make specific medi-cal treatment recommendations regarding alternative treatments to patients (as might a physician or hospital). Therefore, the supplier must obtain the authorization of its clients before sending those marketing materials. If the cross-promotion activities involve direct or indirect remuneration to the supplier from the third party, the patient authorization form must state that such remuneration is involved.16

Selling customer health informationLikewise, if a supplier discloses PHI to the other entity, in exchange for direct or indirect remuneration so that the other entity may send marketing mate-rials to the supplier’s patients, the supplier must obtain a valid authorization from its patients. The authorization must expressly state that remuneration is involved.17 For example, a sup-plier cannot, without authoriza-tion, sell a list of patients to a

pharmaceutical company so the pharmaceutical company can directly market its own products to the individuals on the list.

DMEPOS companies with multiple subsidiaries or sister suppliers Under HIPAA, legally separate but affiliated covered entities, such as subsidiaries or sister companies, may designate themselves as a single covered entity for purposes of HIPAA, as long as all the covered entities designated are under common ownership or control.18 If designated as a single covered entity, the sharing of PHI among sister companies or sub-sidiaries within the same covered entity does not constitute a use or disclosure for which authorization is required.

Despite the fact that HIPAA allows multiple subsidiaries or sister companies to be deemed a single covered entity, CMS has stated that it considers each sub-sidiary to be a separate supplier.19 Under DMEPOS Supplier Stan-dard No. 11, CMS stated that the affiliated suppliers may not “reach out to” each other’s Medicare beneficiaries for marketing (or at least, telemarketing) purposes. This means that a DMEPOS company with multiple subsidiary suppliers should take caution when implementing marketing endeavors to promote products and services to its own patients.

Such activities are not impossible, but require planning on how to execute them in compliance with both HIPAA and the Medicare supplier standards.

Obtaining authorization for marketing purposesOne approach to permit broad marketing communications is for the supplier to obtain written authorization from its patients where the patients would consent, in advance, to receive marketing materials. The supplier could send its patients an authorization form. For those patients who sign and return the authorization, the supplier would then send those patients marketing materials, including marketing materials of other companies (assuming the scope of the authorization covered the intended marketing activities). Alternately, the sup-plier could include the marketing authorization in its patient welcome package. A third approach would be to place the authorization form online to obtain and track patient consent. Suppliers with multiple subsidiaries or sister companies should consider creating a master authorization, under which the patient would authorize market-ing activities for the entire family of related suppliers, as well as the supplier’s business partners.

Suppliers should note that HIPAA also imposes certain restrictions

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

58

TitleBy: Line

DMEPOS supplier marketing arrangements and HIPAA compliance ...continued from page 57

on the scope, content, and dura-tion of marketing authorizations.20 The marketing authorization may not be combined with another type of authorization (so-called “compound authorizations”).21

In addition, certain state laws impose further restrictions on the disclosure and use of PHI for marketing purposes. When state law is more restrictive than HIPAA, the state law governs. If a supplier plans to distribute marketing materials to patients in various states, the authoriza-tion form must comply with the corresponding state law. See figure 1 on page 59 for a sample market-ing authorization form.

Of course, different approaches present different logistical and operational challenges, such as time and expense, online capabili-ties, a system to track authorization forms, and patient preferences. Suppliers need to determine what approach is most cost-effective and feasible for their needs.

Practical compliance adviceWhen drafting, reviewing and revising their written policies and procedures on marketing, suppliers should ensure the policies and procedures are current with the recent HIPAA developments and changes. The rules and regulations have undergone significant change as a result of amendments made by the HITECH Act.

New proposed regulations implementing the HITECH Act were published on July 14, 2010. The final regulations have not yet been issued, but are expected to be released soon. Suppliers will need to review these regulations and comply with them when they become effective.

When examining policies for HIPAA marketing compliance, suppliers should consider the fol-lowing sample questions (by no means an exhaustive list):n Does the supplier have a

marketing authorization form? Does it meet current federal and state requirements? Is the form translated into other languages?

n What is the supplier’s pro-cess for a patient to opt out of receiving marketing communications?

n Does the supplier identify the specific marketing uses and disclosures for which an autho-rization is not required?

n How does the supplier docu-ment patient authorization to receive marketing materials?

In addition to the written proce-dures, suppliers should verify that their actual marketing practices correspond with the expectations set forth in their policies and procedures. The marketing staff should be periodically trained and educated on relevant marketing rules under federal and state law.

The supplier’s Notice of Privacy Practices should be current and accurate and its authorization form should be proper in scope and content.

ConclusionMarketing activities are integral to the continued growth of nearly any business, including DMEPOS suppliers. Given the regulatory environment and the intersection of HIPAA rules and the Medicare Supplier Standards, suppliers should implement—and adhere to—a framework of safeguards designed to allow robust market-ing efforts while maintaining high levels of compliance. n

1. 45 C.F.R. Part 160 and Part 164, Sub-parts A and E.

2. See 45 C.F.R. § 164.508(a)(3).3. 45 C.F.R. § 164.501. 4. See Marketing FAQ at p. 1, Office of

Civil Rights, HIPAA Privacy (April 3, 2003).

5. 42 U.S.C. § 17936(a)(2).6. 45 C.F.R. § 164.501. 7. 45 C.F.R. §§ 164.501; 164.506(c)(1). 8. See Marketing FAQ, supra, at p. 3. 9. 45 C.F.R. § 164.501. 10. See Marketing FAQ, supra, at p. 3. 11. 45 C.F.R. § 164.501. 12. See Marketing FAQ, supra, at p. 2. 13. 45 C.F.R. § 164.508(a)(3)(ii).14. 45 C.F.R. § 164.508(3)(i).15. 42 U.S.C. § 17936(a)(2).16. See 45 C.F.R. § 164.508(3)(ii).17. 45 C.F.R. 164.105(b).18. 45 C.F.R. 164.508(a)(3)(ii).19. See 42 C.F.R. § 424.57(c)(11); “CMS

FAQ Concerning the Revised Standards for DMEPOS Suppliers,” CMS-6036-F (Feb. 16, 2011).

20. See 45 C.F.R. § 164.508(c). 21. See 45 C.F.R. § 164.508(b)(3).

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

59

Figure 1: Authorization For Use And Disclosure Of Health Information*

TAMP_1934319.1

Name Street Address City State Zip Date of Birth Phone Email I hereby authorize ABC DMEPOS Supplier, Inc. to use and/or disclose my health information specifically [identify nature of information that would be used or disclosed for DMEPOS marketing purposes] for the specific purposes of informing me about new products and services, and for ABC’s marketing, promotions and advertising activities. ABC’s use and/or disclosure will result in the disclosure of such health information among and between [identify entities that will receive the information]. ABC may receive direct or indirect remuneration (payment) from these third parties as a result of health information obtained and shared with those business partners pursuant to this Authorization. Health information disclosed pursuant to this Authorization may be subject to redisclosure and no longer protected by federal health care privacy laws. You have the right to inspect or copy the health information authorized to be used and/or

disclosed by this Authorization. You have a right to receive a copy of this signed Authorization and ABC will provide you

with a copy, should you choose to sign it. This Authorization is voluntary and you do not have to sign it. Your refusal to sign this

Authorization will not affect your ability to obtain treatment, payment, health plan enrollment, or eligibility for benefits.

You may revoke this Authorization at any time. To revoke this Authorization, notify ABC in writing at: [insert address]. Additional information may be found in ABC’s Notice of Privacy Practices at [insert website].

This Authorization is valid for five (5) years from the date signed below. I have had an opportunity to review and understand the content of this Authorization. By signing this Authorization, I am confirming that it accurately reflects my wishes.

Signature: _______________________ Date: ____________

* This form is for sample educational purposes only. Suppliers should not rely solely on this form and are advised to seek input from legal counsel to comply with all applicable federal and state laws, rules and regulations.

Name Date of Birth

Street Address City State Zip

Phone Email

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

60

TitleBy: Line

� e Health Care Compliance Professional’s Manual gives you all the tools you need to plan and execute a customized compliance program that meets federal standards. Available via print or the Internet, the Manual walks you through the entire process, start to � nish, showing you how to dra� compliance policies, build a strong compliance infrastructure in your organization, document your e� orts, apply self-assessment techniques, create an e� ective education program, pinpoint areas of risk, conduct internal probes and much more.

The Health Care Compliance Professional’s Manual

• Con� dently use OIG publications and Federal Sentencing Guidelines to help you plan and execute a customized compliance strategy that meets strict federal standards

• Perform risk assessments within your program to help you uncover possible areas of risk

• Dra� your own compliance policies that will form the basis for your organization’s program

• Develop and reinforce a solid infrastructure, including guidelines for hiring the right personnel

• Design an e� ective education program that instills the importance of compliance

• Conduct your own internal probes to surface and cure questionable activities, thus mitigating possible penalties

• Keep continually up-to-date with the latest regulatory changes, including practical coverage of federal and state laws

SUBSCRIPTION SERVICE INCLUDED WITH PERIODIC UPDATES

• Hard-copy subscribers receive quarterly updates

• Internet subscribers receive updates as soon as they are issued

MEMBER PRICE: $379 NON-MEMBER PRICE: $419

www.hcca-info.org | 888-580-8373

The Health Care Compliance Professional’s Manual shows you how to:

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

61

XXXXXXX ...continued from page 61

HCCA 2011 Corporate Members

HAYESMANAGEMENTCONSULTING

H

Liberty

HealthNow New York Inc.HealthNow

Compliance & Ethics Center, LLP

Norfolk Community Services Board

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

62

TitleBy: Line

Federal Sentencing Guidelines changed, your position will not change. The tie will remain.

I just don’t think going straight to the Board is a good idea. You have to make some effort. You have to give people a chance to fix it or cave into your perspective. You have to give them a chance to make their case. You have to give them a chance to save face. You have to help them see that they are wrong. Most people will give up before it goes too far. When they see you can’t be bullied or intimidated, they will often give up before they embarrass themselves in front of important people. And, you might suggest going to an outside expert who specializes in the risk area in question. You will, of course, have already done that for a major issue and, if they find someone who is willing to say it’s OK to break the law, you can tell them that there is still some debate between the experts and you must continue in your quest to resolve the issue.

I did this when I was a compliance officer, once in three years. Like I said, it doesn’t happen often but it is, by definition, a battle you can’t lose. I didn’t have those two sentences in my job description. But, by the time I was done talking to anyone the offending person wanted me to (and some experts I wanted to talk to), those looking on were willing to support the fix, because I had gone to great lengths to resolve the problem. What I wanted to do was to give the offending person every chance to give up. He had a chance to give up before we went on to the next person. This guy never gave up. Then the Compli-ance Committee (not the Board) heard about all of my efforts and all the expert opinion, and it gave them backbone. We fixed the problem. There was very little bloodshed. We did report it to the Board after it was fixed.

When dealing with resistance, you have to tell them you will not back down. The trick is to tell them that you can’t back down in a way that optimizes your

ability to keep the peace. It is much easier to say, “I have no choice” (according to the Board), rather than “I choose to not back down.”

We all have to avoid being chicken, and we all have to avoid being Chicken Little. If we get this mandate in our job description, we cannot abuse this man-date. We must try to solve all our problems without causing chaos and a lot of work. We can’t run off and complain to the Board (or anyone else) every time we can’t get something done. My goal was to never go to the Board to complain. However, the road is littered with organizations that kept the peace and lost the war. Enron, HealthSouth, WorldCom, Tyco, and many others all had someone (or several people) who knew about the problem and didn’t fix it, because they didn’t have a mandate. Yes, overreacting is a problem. We can’t have that. But, we also can’t be prevented from fixing serious problems or imple-menting a compliance and ethics program.

If some people want to deny and defend big prob-lems to the death, we need to have a way to “run them over.” If some people want to prevent an audit, education, or some other important element of a compliance program, we need to peacefully convince them to get out of our way or find a way around them. This, my friend, is why our profession was created. This is why those who came before us failed. This is why the press, the public, and the politicians are fed up with business. Those in charge didn’t finish the job. By definition, compliance profession-als finish the job or there is no point in having the profession. We just need to be able to do our job and live to tell about it. n

Letter from the CEO ...continued from page 18

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

63

XXXXXXX ...continued from page 63

Social Networking ...continued from page 19

reports that there are about 4.4 million re-admissions yearly to the hospital that cost about $30 billion on health care expenditures each year that might be prevented.”

As you can see, our Blogs cover a wide range of topics. The Blogs are available on our Social Net-work site. Social network blogs are a great way to make friends, talk with peers, and focus on a specific compliance topic. Don’t forget you can also join many different Communities and participate in discussions as well. You never know what you will find and how much it will help you in your everyday job. Join our network and more specifically, start a Blog or join a community. You will be glad you did.

To participate in the discussion, review the comments, or just talk with your peers, you can access the HCCA Social Network site by going to the following link: http://www.hcca-info.org/sn n

6500 Barrie Road, Suite 250 Minneapolis, MN 55435Phone 888-580-8373 | Fax 952-988-0146 www.hcca-info.org | helpteam@hcca-info.org

HCCA MEMBER DISCOUNTS# of handbooks cost per book

1–9 ...........................$25

10–24 .......................$23

25–49 .......................$20

50–74 .......................$18

75–99 .......................$16

100+ .........................$15

The HCCA HIPAA Training Handbook

� e Health Insurance Portability and Accountability Act (HIPAA) has had lasting impact on U.S. health care providers since its passage in 1996. Now HIPAA, along with HITECH, a� ect health care professionals on a daily basis. � is newly revised handbook is intended for anyone who needs a basic understanding of the privacy and security regulations governed by HIPAA and HITECH. Suitable for sta� training courses, it covers:

• Who must comply with HIPAA and HITECH• When and by whom is the use or disclosure of protected

health information (PHI) permitted?• What rights does an individual have regarding his or

her PHI?• What are the basic safeguards required to protect the

security of e-PHI?• What happens when a breach occurs?• And much more

� is handbook can prepare all health care professionals to help protect the privacy and security of their patients’ health information.

Visit www.hcca-info.org or call 888-580-8373 to order.

HIPAAHandbook2ndEd_2c_2columnAd.indd 1 8/3/2011 4:53:04 PM

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

64

TitleBy: Line

This listing from Tennessee to West Verginia is continued from last month’s New Member listing.

Tennesseen Tracey Bradberry, Ingenixn Cindy S. Hall, Maury Regional

Medical Centern Dale Kennedy, Symbionn Stephanie Matlock, Simplex

Healthcaren Chris Moore, CSHMn Nicole Piersiak, Aegis Sciences

Corporation

Texasn Julia Flores, Kellum Medical

Group n Keri Kimler, EyeMark Projectn Nadia Nassaj, Methodist

Hospital Research Instituten Kathy Rock, Rock Consultingn Deana Zimmerman, Protiviti

Virginian Michelle Calloway, HDJNn Homa Puga, Best Health Care

Servicesn Karen Saunders, Inova Health

System

Washingtonn Laura Kleisle, Proliance Surgeonsn Sara La Porte, Puget Sound

Health Partnersn Lolly Lamb, Seattle Children’s

Hospitaln Noreen A. Rhoades, Seattle

Children’s Hospitaln Kristen Swallom, Evergreen

Hospital & Medical Centern Steven C. Wood, Central

Washington Hospital

West Virginian Susan L. Swiger, United

Hospital Center

Wisconsinn John Fisher, Ruder Ware

n Tammy Krueger, BayCare Clinicn Lori A. Scheller, Aspirus

Wausau Hospitaln Linda Sturnot, Forrest County

Potawatomi Health & Wellness Center

n Jean Worzella, Security Health Plan of Wisconsin, Inc

Arizonan Brenda Hanserd, Quality Care

Networkn Amy Joswiak, Phoenix

Children’s Hospitaln Ashley Lopez, Phoenix

Children’s Hospitaln Dona Weissenfels, CIGNA

Healthcare of Arizona

Arkansasn Roberta McMaster, Mercy

Californian Jeanne Ash n Tracey Butler, Beverly Hills

Cancer Centern Staci L. Chouinard, Arrowhead

Regional Med Centern Sylvia Covarrubias, El Camino

Hospitaln Joyce Martin n Micki M. Mills, Shasta Countyn Deborah Pease, Arrowhead

Regional Medical Centern Alea Roach, St Joseph Health

Systemn Jeff Rostai, Jafaro, Incn Kelly Scheerer, EPIC

Managementn Amy Stillings, City of Hopen Renee Wessell, TMWOHC

Coloradon Joseph M. Marino, Fresenius

Medical Caren Jessie M. Pickens, Southwest

Health System

Connecticutn Olga Dutka, Rushford Center Incn Tracey LeMay, Masonicaren Claire Niles, Lawrence &

Memorial Hospital

Floridan Odalys Baezn Marilyn J. Betzler, Florida

Hospital Watermann Barbie Hadleyn Ronda Klassen n Susan Schultz, Genentech, Inc

Georgian Christine Cramer, Emory Univn Anthony Greene n Mark Guza, Piedmont

Healthcare, Incn Kimberly G. Heibel, WellStar

Health Systemn Jennifer Kenrick, Georgia

Health Sciences Univn Kim Koss, Georgia Health

Sciences Univn Jerry Patton, A.G. Rhodes

Health and Rehabn Ivy Tillman, Georgia Health

Sciences Univn Fabio Van Der Merwe, DeKalb

Community Service Board

Hawaiin Kenneth K. Karratti, Arcadia

Community Servicesn Carleen M. Lum-satsuma, The

Queen’s Health System

Illinoisn Diane Bernahl, Loyola Univ

Health Systemn Vanessa A. Griggley- Owens,

Northwestern Memorial Hospitaln Nora Koch, Cook County

Health & Hospital Systemn Jade Olson, SG-2, LLCn Edward J. Svihra, Walgreens

Indianan Susan Graves, St Francis Med Grp

New HCCA Members

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

65

XXXXXXX ...continued from page 65

Iowan Suzanne Cooner, Grinnell

Regional Medical Centern Michelle O’Meara, L & C

Medical Billingn Tori K. Stafford, Allen Hospital

Kentuckyn EllenClaire Boyance, Univ

Medical Center, Incn Kathleen A. Kassimatis Wane,

Jewish Hospital & St Mary’s Healthcare

n Bonnie S. Kerr, Univ Medical Center, Inc

n Ellen W. Roberts, Univ Child Health Specialist

n Rita Strader, Univ Pediatric Foundation

Marylandn Caroline L. Baker, CMSn Adiel Cory Dale Brewster-

Greenstein, Univ of Maryland Medical Center

n Dawn A. Johnson, CMS

Massachusettsn Wendy C. Chartrand,

HealthAlliance Hospitals Incn Donald Hunter, Tufts Medical

Centern Annette Larsen, Univ of Massn Kathryn M. Lepsevich, Ika Systn Donna M. Zeh, Beacon Health

Strategies

Michigann Analiese Fusner, Genesys

Health Systemn Sheila Simone Ingram, Trinity

Healthn Rachel Johnson, Bell Hospitaln Annette McCormack, Spectrum

Healthn Christina N. Staples, Spectrum

Healthn Kathryn N. Wrench, Oakland

Univ

Minnesotan Deborah J. Bartlett, Oral &

Maxillofacial Surgeryn Kelsey Brodsho, Halleland

Habichtn Elimu Kajunju, Boston Scientificn Terrie Montgomery, Security

Life Ins Co of American Virginia Picotte, Prime

Therapeutics

Mississippin Debra Kennedy, STATCare

Missourin Celeste Absher, St Luke’s

Hospitaln Michael Cardenas, Armstrong

Teasdale,n Susan Meilink, St Luke’s Hospitaln Violeta Rose, Mercy

Nebraskan Michael W Chase, Baird Holm

Nevadan Maureen M. Kopecky,

Healthcare Partners of Nevada

New Hampshiren C.R. Matthew Hodgson,

Dartmouth-Hitchcock Medical Center

n Tim Robinson, The Regulatory Law Group

New Jerseyn Philip Curran, Cooper Univ

Hosptialn Nancy Fletcher, St Francis

Medical Centern Heather Gatton, Cooper Univ

Hospitaln James Kuhn, Siemens Medicaln Ruth London, Robins’ Nest Incn Lisa Mastroianni

New Mexicon Lisa Oden, Presbyterian

Healthcare Services

New Yorkn Karen Carey, Wyekoff Medical

Centern Astara Crews, Mount Sinai

Medical Centern Steven J. Katz, Katten Muchin

Rosenman n Deborah Mabry, Morris

Heights Health Centern Adam Rattner n Mara Sierchio, VNSNYn Peggy Stables, Visiting Nurse

Service of Schenectady and Saratoga Counties

n Mary A. Stone, Hematology Oncology Assoc of CNY

n Maria Sylvester, Rochester General Health System

North Dakotan Leslie A. Hanson, Trinity

Hospitalsn Sharon L. Kiessling, Trinity

Hospitals

Ohion Ruth A. Blake, Pathology

Laboratories, Incn Valerie T. Cloud, Univ Hospitalsn Allana Haut, Cleveland Clinicn Eric Lombardo, Clearwater

Compliance n Martha Molony, WellPointn William Quinlan, St Luke’s

Hospitaln Kimberly M. Thomas, Blanchard

Valley Health System

Oklahoman Tara Galietti, Oklahoma Breast

Care Center

Oregonn Christine Arevalo, ID Expertsn Ed Boehmer, Acumed n Bob Gregg, ID Expertsn Rick Kam, ID Expertsn Avery Munoz, Acumed n Rose Novak, Atrio Health Plansn Doug Pollack, ID Experts

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

66

TitleBy: Line

HCCA Officers:Frank Sheeder, JD, CCEPHCCA PresidentPartner DLA PiperShawn Y. DeGroot, CHC-F, CHRC, CCEPHCCA Vice PresidentVice President of Corporate ResponsibilityRegional HealthJohn Falcetano, CHC-F, CIA, CCEP-F, CHRC, CHPCHCCA Second Vice PresidentChief Audit/Compliance OfficerUniversity Health Systems of Eastern Carolina

Gabriel L. Imperato, JD, CHCHCCA Treasurer Managing PartnerBroad and Cassel

Sara Kay Wheeler, JDHCCA SecretaryPartner–AttorneyKing & SpaldingSheryl Vacca, CHC-F, CHRC, CCEP, CHPCNon-Officer Board Member Senior Vice President/Chief Compliance and Audit ServicesUniversity of CaliforniaJenny O’Brien, JD, CHC, CHPC HCCA Immediate Past PresidentUnitedHealthcare Medicare & Retirement Chief Medicare Compliance Officer

CEO/Executive Director: Roy Snell, CHC, CCEP-FHealth Care Compliance Association

Counsel: Keith Halleland, Esq.Halleland Habicht PA

Board of Directors: Urton Anderson, PhD, CCEPChair, Department of Accounting andClark W. Thompson Jr. Professor in Accounting EducationMcCombs School of Business University of TexasDeann M. Baker, CHC, CCEP, CHRCChief Corporate Compliance OfficerCorporate Compliance & Integrity Services, Alaska Native Tribal Health ConsortiumCatherine Boerner, JD, CHCPresidentBoerner Consulting, LLCJulene Brown, RN, MSN, CHC, CPCEssentia Health West RegionRegional Compliance DirectorOrganizational Integrity and ComplianceBrian Flood, JD, CHC, CIG, AHFI, CFSNational Managing DirectorKPMG LLPMargaret Hambleton, MBA, CPHRM, CHCSenior Vice PresidentMinistry Integrity, Chief Compliance Officer, St. Joseph Health System

Robert A. Hussar, JD, MS, CHCSenior Manager, Forensic and Dispute ServicesDeloitte Financial Advisory ServicesRobert H. Ossoff, DMD, MD, CHCAssistant Vice-Chancellor for Com-pliance & Corporate IntegrityVanderbilt University Medical CenterDaniel Roach, JDVice President, Compliance and AuditCatholic Healthcare WestMatthew F. Tormey, JD, CHCVice PresidentCompliance, Internal Audit, and SecurityHealth Management AssociatesDebbie Troklus, CHC-F, CCEP-F, CHRC, CHPCManaging Director Aegis Compliance and Ethics Center

Publisher: Health Care Compliance Association 888-580-8373Executive Editor: Roy Snell, CEO, roy.snell@hcca-info.orgContributing Editor: Gabriel Imperato, Esq., CHCEditor: Margaret R. Dragon 781-593-4924, margaret.dragon@hcca-info.orgCopy Editor: Patricia Mees, CHC, CCEP 888-580-8373, patricia.mees@hcca-info.orgLayout and Production Manager: Gary DeVaan 888-580-8373, gary.devaan@hcca-info.org

Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care Compliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address changes to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright 2011 Health Care Compliance Association. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means without prior written consent of the HCCA. For Advertising rates, call Margaret Dragon at 781-593-4924. Send press releases to M. Dragon, 41 Valley Road, Nahant, MA 01908. Opinions expressed are not those of this publication or the HCCA. Mention of products and services does not constitute endorsement. Neither the HCCA nor CT is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.

Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgSeptember 2011

67

Check your

compliance life signs

Undetected risk can hurt an otherwise healthy organization. Ask EthicsPoint how to better collect, manage and learn from your risk-related data.

Visit us at www.ethicspoint.com.

HCCA’s 2012 EventsNATIONAL CONFERENCES

Managed Care Compliance Conference February 12–14 | Scottsdale, AZ

Audit & Compliance Committee ConferenceFebruary 12–14 | Scottsdale, AZ

Compliance InstituteApril 29–May 2 | Las Vegas, NV

Research Compliance ConferenceJune 3–6 | Austin, TX

Physician Practice/Clinic Compliance ConferenceOctober 14–16 | Location TBA

BASIC COMPLIANCE ACADEMIES

January 23–26New York City, NY

February 13–16San Francisco, CA

March 26–29San Antonio, TX

August 6–9New York, NY

June 4–7Scottsdale, AZ

September 10–13Location TBA

October 1–4Boston, MA

November 5–8Orlando, FL

December 10–13San Diego, CA

RESEARCH BASIC COMPLIANCE ACADEMIES

January 30–February 3San Francisco, CA

August 13–16Boston, MA

PRIVACY BASIC COMPLIANCE ACADEMIES

March 12–15San Antonio, TX

June 25–28San Diego, CA

October 22–25Orlando, FL

REGIONAL CONFERENCES

Southeast January 20 | Atlanta, GA

South AtlanticJanuary 27 | Orlando, FL

Southwest February 17 | Dallas, TX

Alaska March 1–2 | Anchorage, AK

Upper North Central May 18 | Columbus, OH

Upper Northeast May 25 | New York, NY

Gulf CoastJune 8 | Houston, TX

Pacific Northwest June 15 | Seattle, WA

West Coast June 22 | Newport Beach, CA

New England September 7 | Boston, MA

Upper Midwest September 14 | Minneapolis, MN

Midwest September 21 | Overland Park, KS

North Central October 5 | Indianapolis, IN

East Central October 12 | Pittsburgh, PA

Hawaii October 19 | Honolulu, HI

Mountain October 26 | Denver, CO

Mid Central November 9 | Louisville, KY

Desert Southwest November 16 | Phoenix, AZ

South Central November 30 | Nashville, TN

Upper West CoastDecember 7 | Oakland, CA

To learn more about HCCA events, visit www.hcca-info.orgDates and locations are subject to change.

WEB CONFERENCES Explore hot topics for compliance professionals with instant and up-to-date education from the convenience of your own office. HCCA announces new conferences regularly, and prior sessions are available for purchase on CD-ROM. Visit www.hcca-info.org for the latest updates.

Start planning now for

2 0 1 2

April 29–May 2

Join us in Las Vegas