Volume Twelve, Number Two
February 2010, Published Monthly

Meet Nancy Vogt, Director of Corporate Compliance, Aurora Health Care (page 14)

Feature Focus: Medical identity theft: How is the health care industry responding? (page 36)

Earn CEU Credit: www.hcca-info.org/quiz, see page 45

Clarifying the confusing: The Anti-markup Rule made easy (page 8)

Register in FEBRUARY and receive a free copy of the Board of Directors’ Oversight of Compliance Program Effectiveness web conference CD


Health Care Compliance Association • 888-580-8373 • www.hcca-info.org • February 2010

INSIDE

4 Physician supervision of hospital outpatient departments: CMS gets it wrong
By Edwin Rauzi and Bernie Thurber
CMS and hospitals have divergent views on what it means to have a physician “immediately available” to intervene.

8 Clarifying the confusing: The Anti-markup Rule made easy
By Theresamarie Mantese and Gregory Nowakowski
Physicians may not always be able to bill patients for more than the cost of a diagnostic test that is performed by an outside supplier.

13 CERT review
By Cindy Shields
Comprehensive Error Rate Testing for Medicare claims and the provider compliance error rate for accuracy in submissions.

14 Meet Nancy Vogt, Director of Corporate Compliance
An interview by Karen Murray

16 Letter from the CEO
By Roy Snell
Call me

17 Social Networking
By John Falcetano

18 Business process outsourcing: Mitigating the risks and reaping the rewards
By Greg Gulick
Outsourcing repetitive functions saves money and allows companies to focus on their core competencies.

21 Newly certified CHCs and CHRCs

22 CEU: Business associate security and privacy programs: HIPAA and HITECH
By Rebecca Herold
The impact of new legislation is far reaching, and covered entities should address these ten common indicators of serious problems.

29 Tips for designing a collaborative risk assessment process
By Kelly Nueske
Careful design on the front end can save duplication of efforts and produce a powerful asset for risk management.

31 CEU: Beyond HIPAA: Rules for disclosing substance abuse treatment records
By Coale Anderson
Health care providers may face civil and criminal penalties for releasing information—even with a subpoena.

36 Feature Focus: Medical identity theft: How is the health care industry responding?
By Desla Mancilla and Jackie Moczygemba
The negative effects of this crime cascade through victims, providers, insurers, and public health entities.

44 CEU: Minimizing risk in financial arrangements with hospital-based specialties
By Karen Bairstow
Financial assistance to specialty services requires a well-defined contract to avoid Stark and anti-kickback violations.

46 Fraud and abuse in financial arrangements between long-term care facilities and vendors
By John W. Jones and Kevin J. Dill
Accepting free goods in exchange for referrals or free services can lead to hefty fines.

48 New HCCA Members

HCCA Officers:

Julene Brown, RN, MSN, BSN, CHC, CPC
HCCA President
Director of Corporate Compliance
Innovis Health

Jennifer O’Brien, JD, CHC
HCCA 1st Vice President
Medicare Compliance Officer
Ovations - UnitedHealth Group

Frank Sheeder, JD, CCEP
HCCA 2nd Vice President
Partner
Jones Day

Shawn Y. DeGroot, CHC-F, CHRC, CCEP
HCCA Treasurer
Vice President of Corporate Responsibility
Regional Health

John C. Falcetano, CHC-F, CIA, CCEP, CHRC
HCCA Secretary
Chief Audit/Compliance Officer
University Health Systems of Eastern Carolina

Daniel Roach, Esq.
Non-Officer Board Member to the Executive Committee
Vice President Compliance and Audit
Catholic Healthcare West

Rory Jaffe, MD, MBA, CHC
HCCA Immediate Past President
Executive Director, California Hospital Patient Safety Organization (CHPSO)

CEO/Executive Director:
Roy Snell, CHC, CCEP
Health Care Compliance Association

Counsel:
Keith Halleland, Esq.
Halleland Lewis Nilan & Johnson PA

Board of Directors:

Urton Anderson, PhD, CCEP
Chair, Department of Accounting and Clark W. Thompson Jr. Professor in Accounting Education
McCombs School of Business
University of Texas

Marti Arvin, JD, CHC-F, CPC, CCEP, CHRC
Privacy Officer
University of Louisville

Angelique P. Dorsey, JD, CHRC
Research Compliance Director
MedStar Health

Dave Heller
Director, Ethics
Boeing Government and International Operations

Karen A. Murray, MBA, FACHE, CHC, CHA
Corporate Compliance Officer
Yale New Haven Hospital

Steven Ortquist, JD, CHC-F, CCEP, CHRC
Partner
Meade & Roach

Matthew F. Tormey
Vice President
Compliance, Internal Audit, and Security
Health Management Associates

Debbie Troklus, CHC-F, CCEP, CHRC
Assistant Vice President for Health Affairs/Compliance
University of Louisville

Sheryl Vacca, CHC-F, CCEP, CHRC
Senior Vice President/Chief Compliance and Audit Officer
University of California

Greg Warner, CHC
Director for Compliance
Mayo Clinic

Sara Kay Wheeler, JD
Partner–Attorney
King & Spalding

Publisher: Health Care Compliance Association, 888-580-8373
Executive Editor: Roy Snell, CEO, [email protected] Editor: Gabriel Imperato, Esq., CHC
Managing Editor/Articles and Advertisements: Margaret R. Dragon, 781-593-4924, [email protected] Editor: Patricia Mees, CHC, CCEP, 888-580-8373, [email protected]: Gary DeVaan, 888-580-8373, [email protected]

Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care Compliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address changes to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright 2010 Health Care Compliance Association. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means without prior written consent of the HCCA. For Advertising rates, call Margaret Dragon at 781-593-4924. Send press releases to M. Dragon, 41 Valley Road, Nahant, MA 01908. Opinions expressed are not those of this publication or the HCCA. Mention of products and services does not constitute endorsement. Neither the HCCA nor CT is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.

Physician supervision of hospital outpatient departments: CMS gets it wrong

By Edwin Rauzi, JD, and Bernie Thurber, JD

Editor’s note: Ed Rauzi and Bernie Thurber are Partners in the Seattle and Portland offices, respectively, of Davis Wright Tremaine, LLP. They work for clients in the health care delivery system. Ed may be contacted by telephone at 206/757-8127 and Bernie’s number is 503/778-5202.

On November 20, 2009, CMS published the Medicare hospital outpatient prospective payment system for calendar year 2010.[1] Included in the rule is a discussion of the physician supervision that CMS expects for hospital outpatient department therapies.[2] CMS reiterated its demand that a physician must be “immediately” ready to intervene and conduct or modify the procedure that is underway, but suggested that an immediate response included whatever time it takes to get from somewhere on a hospital’s main campus to the patient. Despite superficial concessions by CMS, many hospitals will not be able to do what CMS requires, and will be sitting on a compliance time bomb.

Compliance professionals, lawyers, and regulators all seek and depend on consistency. In the abstract, consistency in the rules on “incident to” services in physician offices and hospital outpatient departments seems like a good thing. Unfortunately, putting consistency above all else can result in applying the right rule in the wrong situation. That is what has happened to CMS in its recent attempts to define the requirements of physician supervision in hospital outpatient departments.

CMS’s error seems to follow from a principled view. In this instance, however, the consistency they seek can only exist in theory. “Incident to” services provided in physician offices and hospital outpatient departments are like twin branches from the same tree. Over time, they have grown so far apart that CMS cannot join one to the other without breaking one of the branches. A better analogy is between physician supervision of hospital inpatients and outpatients.

Background

In the beginning, there were the Blue Cross and Blue Shield concepts that were enacted into law as part of the original Medicare Act. One concept is to define categories of benefits for which Medicare will pay. Two such categories are payments to physicians or to hospitals for “services incident to physician services.”

Over the following 45 years, CMS (formerly HCFA) devoted more attention to providing guidance on “incident to” services provided in physicians’ offices; almost in the background, the changing nature of health care resulted in new and better therapies provided by hospitals, which were covered under the “incident to” label without much thought. For want of a better category, many of the services that hospitals either provided or initiated were paid under the “incident to” label.

In 2000, HCFA published the Outpatient Prospective Payment System (OPPS). In describing the scope of physician supervision of therapeutic services, HCFA stated what the Hospital Manual had said for many years: physician supervision in the hospital outpatient department was “assumed.” In reality, the assumption of supervision was treated as an irrebuttable presumption. That has now changed.

CMS’s position

In 2009, CMS published a “restatement and clarification” of its expectations. CMS was concerned that some were interpreting the “assumption” test to mean that no supervision was required. Drawing upon Part B “incident to” rules, CMS stated:

“[It has] been our expectation that hospital outpatient therapeutic services are provided under the direct supervision of physicians in the hospital and in all [provider based departments] of the hospital, specifically, both on-campus and off-campus departments of the hospital. The expectation that a physician would always be nearby predates the OPPS and is related to the statutory authority for payment of hospital outpatient services—that Medicare makes payment for hospital outpatient services “incident to” the services of physicians in the treatment of patients . . . . [R]egulations [state] that Medicare Part B pays for hospital services and supplies furnished incident to a physician service to outpatients if they are provided “as an integral though incidental part of a physician’s services.”[3]

CMS also “played the quality card,” suggesting that hospital outpatient procedures without the “direct supervision” of physicians might be of lower quality. CMS offered no empirical justification that federal action was necessary to improve the quality of care provided in hospital outpatient departments.[4]

The statements caused serious concerns in hospitals, particularly in rural areas. Some were bold enough to be open and candid, and said there is no clinical need for a uniform level of supervision for all hospital outpatient therapeutic services. One example cited frequently was outpatient chemotherapy services. Consider the plight of one rural Midwest hospital, as described in a comment submitted to CMS:

• The hospital is a critical care access hospital in a rural setting. Through a relationship with an urban oncology group, the hospital has been providing chemotherapy since 1984.

• The hospital has maintained a Commission on Cancer Certificate of Approval since 1993.

• The hospital provides chemotherapy Monday through Friday from 8 a.m. to 4 p.m.

• The two urban oncologists are not at the hospital every day. One visits every fourth week and another visits every week.

• Physician coverage is in the Emergency Room.

• If an emergency arises, the two oncologists are consulted via their cell phones. [P]atients have the ability to see these physicians at different locations in the Indianapolis area, as needed, as well.

• “Limiting our ability to give chemotherapy only when the med oncology physician is at the location will [exacerbate] an already shortage (sic) in medical oncology physician staff presence in all clinic and hospital settings. Our goal is to serve our community with the hightest (sic) level of health care available and keep their care local.”[5]

In response to comments like these, CMS made some minor concessions, but held fast to the most troublesome and unrealistic requirements. The concession involved allowing supervision by physician extenders (within the confines of state law),[6] but CMS made only a modest and internally inconsistent reform concerning physician supervision. Examining some of the comments and CMS’s responses shows the depth of the misunderstanding.

Provider comment: Why does CMS need a supervision requirement in the outpatient context when there is no inpatient requirement?

CMS response: “Given that hospital inpatients generally have medically complex conditions requiring a high level of acute care, we have not established explicit supervision requirements in regulations because we believe hospitals would have physicians or other qualified practitioners available at all times that complex hospital inpatient services are being furnished.”

Editorial observation: If the word “believe” is changed to “assume” and “inpatient” is changed to “outpatient,” the statement describes CMS’s acts with respect to physician supervision in outpatient departments; it also reflects CMS’s words prior to 2008. As noted above, hospitals have viewed, and HCFA/CMS has treated, the assumption of supervision as an irrebuttable presumption. CMS plans to continue “assuming” that adequate supervision of inpatients exists, but not for outpatients. CMS would have chosen better if it had continued to analogize between the supervision of hospital inpatients and outpatients, and resisted the temptation to analogize hospital outpatients with patients in physicians’ offices.

Rural provider comment: Critical access hospitals (CAH) and rural hospitals would be required to hire staff solely to supervise services, and this extra cost would force these hospitals and CAHs to eliminate services.

CMS response: The supervisor only needs to be there when outpatient therapeutic services and procedures are furnished. The supervisory practitioner can be located anywhere on the hospital campus.

Editorial observation: It’s a big world, and it’s just possible that some therapies may begin before physicians arrive, continue when physicians are at lunch across the street, and finish after physicians depart. See the comments from the rural hospital above.

Hospital associations’ comment: They recommended that CMS remove the phrase: “immediately available to furnish assistance and direction throughout the performance of the procedure.”

CMS response: The supervising practitioner may be located anywhere on the same campus of the hospital, as long as he or she was immediately available to furnish assistance and direction throughout the performance of the procedure. The supervisory practitioner is not immediately available, however, while performing another procedure or services that he or she could not interrupt, or so far away that he or she could not intervene “right away.”

Editorial observation: (1) It is a rare physician who goes through an entire day without being involved in something that cannot be interrupted; and (2) In a large hospital system, only “Medicare-speak” would characterize a physician as being immediately available when he is in another part of the complex. It is no surprise that hospitals feel some unease in relying on those two propositions as a defense to a whistleblower lawsuit.

Hospital associations’ comment: We have systems in place to assure the quality of outpatient services. That is the role that the Joint Commission and other accrediting agencies fulfill.

CMS response: We know that hospitals take quality of care seriously and are subject to accreditation requirements. We know that hospitals have leadership, credentialing procedures, bylaws, and other policies in place to ensure that services furnished to Medicare beneficiaries are provided by qualified practitioners in accordance with all applicable laws, regulations, and coding guidance. But, we are not changing our minds.

Editorial observation: All that is missing is a little humility and a willingness to consider whether CMS ought to defer to the definition of “quality” that hospitals, physicians, the Joint Commission, state licensing boards, and surveyors have defined over many years.

Comment: Many disagreed with the requirement that the supervising physician should have hospital-granted privileges and the ability to perform the services being supervised. Instead, the supervisor should provide medical consultation and attend to medical emergencies.

CMS response: We believe the practitioner must be prepared to step in and perform or to change procedure.

Editorial comment: It is a rare practitioner who has the privileges or ability to step in and perform or change every outpatient procedure “immediately.” It is extremely rare that a physician will have a broad range of privileges across multiple specialties.

Comment: This is no “restatement or clarification,” but rather a significant change in policy that may create potential liability due to qui tam litigation.

CMS response: The rule has been that way since 2000, but we will exercise discretion in seeking sanctions for services provided between 2000 and 2008.

Editorial observation: Let us hope that the whistleblowers and their counsel are as generous.

Final thoughts

In the final analysis, the fatal flaw in CMS’s rule is that there is no payment for physician supervision of hospital outpatient departments. Some might argue that is as it should be, and that CMS should not create a new payment stream to physicians without a justified need. Instead—unless physicians voluntarily and en masse agree to supervise without compensation—CMS shifts the burden to pay to hospitals.

The rule that CMS is imposing is impossible for many (if not most) hospitals to honor. There is no untapped reservoir of under-utilized physicians hanging around the hospital who may be drafted to supervise. Even if this pool of under-utilized physicians existed, it seems doubtful that they would supervise outpatient procedures for free. Even if they are willing to supervise for free, they may not have the necessary hospital privileges. It is also worth asking whether the malpractice carriers of the supervising physicians would cover these voluntary supervisions.

Even if a hospital takes CMS at its word, the cost of “coming close” will be significant. Hospitals may have to create a new class of physicians dubbed “outpatientalists,” and pay them to supervise. These outpatientalists will not be allowed to do anything that cannot be interrupted, which is the same as requiring them to do nothing all day. Given the variety of outpatient procedures that a hospital may provide, a situation could still arise where a physician with privileges and the immediate ability to take over the procedure will not be available at a given time.

Abraham Lincoln is quoted as saying that “After 40, every man gets the face he deserves.” After 45 years, Medicare gets the health care delivery system that it created. The scope and content of physician supervision that CMS describes does not exist today because CMS has never paid physicians for “direct supervision” of hospital employees, and neither such payments nor supervision may be necessary. CMS is attempting to fix a quality problem that does not exist, and one that it may not be competent to evaluate.

Something has gone horribly wrong, and it needs to be fixed. Given the corner into which CMS has painted itself, Congress may be the only way to put things right.

1. 74 Fed. Reg. 60316 (Nov. 20, 2009).

2. The 2010 rule also addresses physician supervision of diagnostic procedures and there are other rules that define supervision in physicians and group medical practice offices. It is beyond the scope of this article to discuss those rules.

3. 74 Fed. Reg. at 60576.

4. If you look beneath the surface, CMS’s reliance on quality hurts its case more than helping it. Poor quality is not rampant in hospital outpatient departments, so CMS is trying to fix what is not broken.

5. http://www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480a00d0f

6. It is beyond the scope of this article to address either physician supervision of diagnostic hospital outpatient services or the authority of physician extenders (e.g., physician aids, nurse practitioners and others) to supervise services.

Clarifying the confusing: The Anti-markup Rule made easy

By Theresamarie Mantese and Gregory Nowakowski

Editor’s note: Gregory M. Nowakowski is an Associate Attorney and Theresamarie Mantese is a Founding Shareholder at Rogers Mantese in Royal Oak, Michigan. Both specialize in health law. Mr. Nowakowski can be contacted at [email protected], and Ms. Mantese can be contacted at [email protected].

Health care compliance is multi-dimensional. Government policies attempt to accomplish fast and efficient health care delivery by balancing costs, access, and quality care. Many “compliance rules” attempt to meet this balance while affecting daily operations. One of the most powerful policy tools is the power of the purse—rules relating to reimbursement. Without a working knowledge of these reimbursement rules, providers (and their compliance personnel) may inadvertently create audits, non-payment of claims, fraud, and other regulatory risks.

One of the most important reimbursement rules of 2009, recently published and often confusing, is the Anti-markup Rule. Any approach to analyzing the Anti-markup Rule should include an understanding that billing for health care services is not a process insulated from overall health care management and structure. Billing practices are an integral part of compliance and may cause serious consequences if not carried out properly. This article describes the Anti-markup Rule and then provides insights about common compliance issues and regulatory risks raised by the Anti-markup Rule.

The Anti-markup Rule

On January 1, 2009, the 2009 Medicare Physician Fee Schedule (MPFS) became effective, including the Anti-markup Rule.[1] Prior to the MPFS, if a physician billed for a diagnostic test performed by an outside supplier, Medicare prohibited the markup of just the technical component of certain diagnostic tests.[2] The MPFS expanded the prohibition against markups of both the technical component and the professional component of certain diagnostic tests.[3]

In part, the purpose of the Anti-markup Rule is to avoid payment by Medicare for any overhead to providers who do not incur that overhead, when the provider performing the diagnostic test does not share a practice with the billing physician or physician group.[4] Further, the rule means providers cannot “markup” over a certain limit (imposed by the rule itself) to attempt to make money off of diagnostic tests by charging for overhead that the provider did not incur, because the provider purchased the test.

Determining when to apply the Anti-markup Rule can be confusing. First, the question of whether the Anti-markup Rule applies is difficult; then, a provider must determine whether either of two definitions of “shares a practice” removes the restrictions imposed by the rule.

Step 1: Is a diagnostic test involved?

The Anti-markup Rule only applies to diagnostic tests. To which tests, then, must providers apply the Anti-markup Rule?

Recently, CMS made changes in the list of diagnostic tests for various medical services.[5] A simple rule to remember is that if a CPT code is present on the CMS list, then the CPT code is a diagnostic test. If the CPT code is not listed, the determination of whether the procedure is a diagnostic test is fact-intensive and is decided on a case-by-case basis. The following are some of the factors to consider:

• The purpose or nature of the procedure,

• Medicare coverage rules,

• Whether the CPT code may be considered a smaller portion or part of a larger CPT procedure, and

• Whether the CPT code can be split into a professional component and a technical component.

No CMS list is currently available to identify diagnostic tests. Medicare guidelines should be followed in any event. The Balanced Budget Act of 1997 states that “if the Secretary (or fiscal agent of the Secretary) requires the entity furnishing the item or service to provide diagnostic or other medical information in order for payment to be made to the entity, the physician or practitioner shall provide that information to the entity at the time that the item or service is ordered by the physician or practitioner.”[6] Further, “[a] laboratory or other provider must report on a claim for Medicare payment the diagnostic code(s) furnished by the ordering physician.”[7]

Compliance officers should know the distinction between “screening” and a “diagnostic test.” CMS describes screening as, “the testing for disease or disease precursors so that early detection and treatment can be provided for those who test positive for the disease.”[8] Screening tests are also performed when no specific sign, symptom, or diagnosis is present, and the patient has not been exposed to a disease.

Alternatively, a diagnostic test is performed to rule out or to confirm a suspected diagnosis, because the patient has a sign or symptom. The sign or symptom should be used to explain the reason for the test.[9] In situations that present unusual factual scenarios, compliance officers may consider obtaining advice from Medicare or the third-party payer.[10]

• If a diagnostic test is not involved, the Anti-markup Rule does not apply and no further analysis is needed.

• If a diagnostic test is involved, the analysis should proceed to Step 2.

Step 2: Does the physician performing the diagnostic test “share a practice” with the ordering physician?

This question is difficult because it seems, at first blush, obvious when physicians “share a practice.” However, this is a special term with special interpretations published by the federal government. In addition, the analysis becomes complex with various physician group arrangements that are common in today’s health care marketplace.

For purposes of this step, we have assumed the physician performs the diagnostic tests. In practice, often an assistant performs all or a portion of the technical or professional component of the service. The Anti-markup Rule anticipates this situation and thus makes the rule apply to the physician who performs the diagnostic test and/or supervises the diagnostic test. There are two tests to determine if a physician “shares a practice” with another physician or “shares a practice” with a physician group.

First, if the physician performs 75% of his or her services for a physician group, then the physician “shares a practice.” How is the 75% determined? The physician group must have a reasonable belief, at any time the physician group submits a claim for a service provided by this physician, that the physician:

• Provided 75% of his or her professional services for the physician group in the previous 12 months; or

• Expects to provide 75% of his or her professional services for the physician group in the following 12-month period.

Step 2.1: How much work does the physician who performs the diagnostic test provide for the physician group?

• If the physician performs 75% or more of his or her professional services for the physician group, the Anti-markup Rule does not apply and no further steps are necessary.

• If the physician performs less than 75% of his or her professional services for the physician group, the analysis should proceed to Step 2.2.

Step 2.2: A second alternative test to determine whether a physician “shares a practice” is if the diagnostic test is performed in the same building where the physician who orders the test provides the full range of medical services for the physician group.

• If the diagnostic test is performed in the same building, the Anti-markup Rule does not apply and no further steps are necessary.

• If the diagnostic test is not performed in the same building, the Anti-markup Rule applies and the analysis should proceed to Step 3.

Step 3: The physician group’s charge cannot be greater than the lowest of: the fee schedule amount, the biller’s actual charge, or the “net charge.”

In the circumstances where the physician who performs or supervises a diagnostic test does not share a practice with the billing physician, the Anti-markup Rule prohibits billing for that portion of the diagnostic test at a rate greater than the lowest of the fee schedule amount, the biller’s actual charge, or the “net charge.”11

The net charge is the amount paid by the physician group for the test component. This amount includes the fair market value of charges (i.e., salary + benefits) incurred from paying the physician to provide the test component. The net charge does not include, for example, overhead, space, or equipment lease costs. The net charge must be reasonably calculated and documented by the physician group. “Net charge” does not include the cost of equipment or space leased to the performing supplier by the billing physician or other supplier. “Net charge” consists of the costs for the salary and benefits that the billing physician or other supplier paid to the performing supplier of the diagnostic test.

Always keep in mind that each step applies to both the technical component and professional component of a diagnostic test; a complete analysis of the rule requires following the general steps outlined above for each part of a diagnostic test. When in doubt, always consult with a legal professional who is familiar with the Anti-markup Rule.

Supervision – An additional compliance issue

Scope of practice and level of supervision are also important to legal issues raised by the Anti-markup Rule, which requires that diagnostic tests are performed by licensed professionals who are practicing within the scope of their professional licenses. Medical charts should indicate this.

The level of supervision of the licensed health care professional may also determine whether medical services are properly billed. The Medicare Benefits Manual12 describes the levels of supervision as follows:

• General supervision means the procedure is furnished under the physician’s overall direction and control, but the physician’s presence is not required during the performance of the procedure. Under general supervision, the training of the nonphysician who actually performs the diagnostic procedure, the maintenance of the necessary equipment, and the supplies used are the continuing responsibility of the physician.

• Direct supervision in the office setting means the physician must be present in the office suite and immediately available to furnish assistance and direction throughout the performance of the procedure. It does not mean that the physician must be present in the room when the procedure is performed.

• Personal supervision means a physician must be in attendance in the room during the performance of the procedure.13

Failure to meet licensing and supervision guidelines may result in the non-payment of claims.14 Compliance officers should thus make sure that all licensed professionals are properly licensed and that there are no disciplinary complaints pending against them. Without such verification, the health care facility may incur billing risk.

Conclusion

The Anti-markup Rule is complicated. Providers and their compliance teams should recognize that accurate billing depends on proper policy directives. Obviously, improper billing can be disastrous, not only for health care professionals, but also for compliance officers. Both parties share legal responsibility for proper policy directives to assure compliance with the law. It is in this context that compliance officers need to appreciate the subtleties of the Anti-markup Rule and understand its implications for false claims or overbilling to the government and other third-party payers.

1 Diane T. Carter: Year in Review 2008, 72 Tex. B.J. 26 (2009) (containing a summary of recent changes in health law that may have impact on coding for services).

2 42 C.F.R. § 414.50 (2006).

3 42 C.F.R. § 414.50 (2009).

4 Atlantic Urological Associates, P.A. v. Leavitt, 549 F.Supp.2d 20, 24 (D.D.C. 2008).

5 See, Centers for Medicare and Medicaid Services, U.S. Department of Health and Human Services, Pub 100-04, Transmittal 1769, Medicare Claims Processing (2009). Available at http://www.cms.hhs.gov/transmittals/downloads/R1769CP.pdf.

6 42 U.S.C. § 1395u(p)(4) (2009).

7 Centers for Medicare and Medicaid Services, U.S. Department of Health and Human Services, Pub. No. 100-02, Medicare Claims Processing Manual Chapter 16, § 120.1 (2009). Available at http://www.cms.hhs.gov/manuals/Downloads/clm104c16.pdf.

8 Centers for Medicare and Medicaid Services, U.S. Department of Health and Human Services, Medicare National Coverage Determinations Coding Policy Manual and Change Report, at 105 (2009). Available at http://www.cms.hhs.gov/CoverageGenInfo/Downloads/manual200907.pdf.

9 Id.

10 United States v. Ovuworie, No. 2:04-cv-0662-RLH-RJJ, 2007 WL 700971 (D. Nev. Mar. 1, 2007) (provider did not violate False Claims Act where there were no forms for relevant situation and Clinical Manager of the Dialysis Unit sought guidance and instruction from Medicare concerning the appropriate billing procedure for treatment of noncompliant patients admitted by hospital for dialysis).

11 42 C.F.R. § 414.50(a)(1) (2009).

12 Centers for Medicare and Medicaid Services, U.S. Department of Health and Human Services, Pub. No. 100-02, Medicare Benefits Policy Manual Chapter 15 § 80 (2009). Available at http://www.cms.hhs.gov/manuals/Downloads/bp102c15.pdf.

13 Id.

14 See Hoffmann v. Auto Club Insurance Association, 535 N.W.2d 529, 536 (1995). If the treatment was not lawfully rendered, it is not a no-fault benefit and payment for it is not reimbursable. See also Cherry v. State Farm Mutual Automobile Insurance Co., 489 N.W.2d 788, 790 (1992).


Editor’s note: Cindy Shields is a Compliance Officer with MCBS, LLC, in Augusta, GA. She may be reached by telephone at 706/667-7406 or by e-mail at [email protected].

The Improper Payments Information Act of 2002 expanded efforts to identify and reduce erroneous payments in government programs.1 This law requires each agency head to review all programs and activities the agency administers and identify those that may be susceptible to significant improper payments. They must estimate the annual amount of improper payments and submit the estimates to Congress before March 31 of the following year. If the estimate is over $10 million, they must submit a report containing what they have determined to be the causes of improper payments, the corrective actions implemented, the results of corrective actions, what systems the agency has and needs in place to reduce improper payments, and the steps the agency has in place to hold the agency head and managers accountable for reducing improper payments. Improper payments are defined as payments that should not have been made, overpayments, underpayments, payments to ineligible recipients, payments for ineligible services, and payment for services not received.

The Centers for Medicare and Medicaid Services (CMS) uses the Comprehensive Error Rate Testing (CERT) program to measure the error rate for claims submitted to Medicare. In 2003, CMS decided to also calculate a provider compliance error rate which measures how well providers prepare claims for submission.

The CERT program randomly selects a sample of about 120,000 submitted claims, requests medical records from the providers, and reviews the claims and medical records for compliance with Medicare coverage, coding, and billing rules. The CERT contractor also checks the Common Working File to see whether the patient was an eligible Medicare beneficiary, the service was a duplicate, and to confirm that no other insurance was responsible for paying the claim.

The CERT program is not expected to measure fraud, because it uses random samples in selecting claims and therefore cannot, as a rule, see billing patterns that raise potential fraud flags. However, if in requesting medical record documentation, the CERT contractor cannot locate the provider, a red flag will go up.

The Medicare contractor (Carrier) is notified of the detected incorrect payments (over and under) so they can make adjustments. The Carrier is encouraged to make payments to providers in cases where underpayment is detected by CERT, but is not required to do so. Instances where the provider fails to submit the documentation requested by CERT are considered overpayments. Providers can appeal denials (including “no documentation” denials) by using the normal appeal processes.

Over the years, many attempts have been made to come up with an accurate but uncomplicated and unambiguous way to determine the code level of an evaluation and management (E&M) visit. There are five levels from which to choose (in addition to patient type and place-of-service categories). The 2008 CERT report2 speaks to this coding quandary. It notes that a common error was the overcoding or undercoding of E&M visits by just one level, and points out that published studies suggest that experienced reviewers may disagree on the most appropriate code to describe a particular service. Of interest is the subsequent statement that CMS is investigating procedures to minimize the occurrence of this type of error in the future. The impact of “one level” errors of E&M coding is projected to be more than $1 billion in improper payments.

The table in the 2008 report which I found most interesting—perhaps because I work for a billing company—was “Paid Claims Error Rates by Provider Type and Type of Error.” For each provider type, the table lists the error rate, number of claims in the sample (which varies greatly from one specialty to another, due to the overall random sampling), and shows the percentage breakdown among the different error types:

• No documentation

• Insufficient documentation

• Medically unnecessary services

• Incorrect coding, and

• Other

This table could be used as a starting point in considering risk areas for a particular specialty. For example, for diagnostic radiology it shows a rate of 14.0% for incorrect coding and 54.3% for insufficient documentation. The 14.0% is one of the lowest incorrect coding rates on the table, but 54.3% is one of the highest insufficient documentation rates. You can also compare the specialty’s error rates to the average listed at the bottom of the table, which for incorrect coding is 57.7% and for insufficient documentation is 27.0%. The high error rates for incorrect coding most likely reflect the number of cases where the one-level difference for E&M visits came into play, as previously discussed.

CERT review

By Cindy Shields

Under the Government Performance and Results Act of 1993 (GPRA),3 CMS hopes that by November 2009 it will have reduced the national rate of improper payments under Medicare Fee For Service to 3.7%, and that 90% of contractors will have an error rate less than or equal to the national error rate for November 2008, which was 3.7%. In comparison, the national error rate in 1996 was 14.2% ($23.8 billion) and in 2007, it was 3.9% ($10.8 billion).4

Who’s checking up on the CERT contractor? In 2009, CMS contracted with SafeGuard Services, LLC (SGS) to do a random, independent review of the CERT contractor’s payment determinations for 2008. SGS pulled a sample of 852 claims and found that 194 of those were improper claims, whereas CERT had determined only 87 were improper. It was determined this variance resulted from a difference in professional judgment between the SGS and CERT contractors when it came to interpreting medical documentation for medical necessity. In addition, the CERT contractor used available medical records as evidence that the test was indeed ordered, rather than insisting on a copy of the physician’s order.

Because of these findings by SGS, OIG made the following recommendations to CMS:

• Clarify documentation policies to reduce the number of differences in professional judgment;

• Require the CERT contractor to obtain physician orders to support the medical necessity for diagnostic tests in accordance with Medicare requirements; and

• Require the CERT contractor to develop a corrective action plan to reduce its number of incorrect determinations.

CMS revised the Program Integrity Manual5 in September 2009 to clarify instructions to review contractors in order to promote uniform interpretation of policies. In January 2008, CMS did clarify the policy regarding physician orders for diagnostic tests, but instructed CERT to not re-review claims to retroactively enforce this policy for the 2008 report period. However, all diagnostic claims in the 2009 report period are being reviewed by CERT in accordance with the clarified policy. The CMS contracting office will formally request the CERT contractor to develop a corrective action plan, and CMS will monitor the contractor’s corrective actions and its progress toward reducing incorrect determinations.

All CERT program public reports can be accessed through the following link: http://www.cms.hhs.gov/CERT/CR/list.asp#TopOfPage.

Helpful information for providers regarding the CERT program can be found at: http://www.certcdc.com/certproviderportal/pages/default.aspx.

1 Improper Payments Information Act of 2002. Available at http://www.dol.gov/ocfo/media/regs/IPIA.pdf

2 Independent Contractor’s Review of Fiscal Intermediary and Carrier Claims From the Fiscal Year 2008 Comprehensive Error Rate Testing Program, HHS, Office of Inspector General, Audit (A-01-09-00511), 09-29-2009. Available at: http://oig.hhs.gov/oas/reports/region1/10900511.asp

3 Available at: http://www.whitehouse.gov/omb/mgmt-gpra_gplaw2m/

4 Improper Medicare Fee-For-Service Payments Report – May 2008 Long Report, CMS http://www.cms.hhs.gov/cert/

5 Medicare Program Integrity Manual, publication 100-08 is available at: http://www.cms.hhs.gov/manuals/iom/itemdetail.asp?filterType=dual, date&filterValue=90|d&filterByDID=-1&sortByDID=1&sortOrder=ascending&itemID=CMS019033&intNumPerPage=10


Editor’s note: This interview was conducted in October 2009 by HCCA Board Member Karen Murray, MBA, FACHE, CHC, CHRC, Chief Compliance Officer at Yale New Haven Health System, Office of Privacy & Corporate Compliance in New Haven, CT. Karen Murray may be contacted by e-mail at [email protected]. Nancy Vogt may be contacted by e-mail at [email protected].

KM: Please tell our readers a little bit about your background and how you became the Director of Corporate Compliance for Aurora Health Care.

NV: I’ve been working in health care for 32 years. I started my career in Health Information Management, specializing in the area of coding management. With the advent of automation, I became involved in the development of using coded and abstracted data for decision support. I really enjoyed implementing new software, so I decided to make a career move and transferred to the Information Technology department, where I spent five years working to implement our electronic health record system. I had always had an interest in the law, so when the HIPAA Privacy Rule hit the scene, I applied for the new Manager of Privacy Compliance/Chief Privacy Officer position and was fortunate to be selected. After four years in this role, the Director of Corporate Compliance transferred to another position. I applied and was selected, and have been the Director for the past three years.

KM: Tell us about Aurora Health Care and the scope of your responsibilities.

NV: Aurora Health Care is an integrated delivery system operating mainly in eastern Wisconsin, with over 28,000 employees. Our system is comprised of 11 hospitals that operate 13 acute care campuses (with two more hospitals to open in 2010), approximately 1,400 employed physicians and physician extenders who practice in 120 clinics, a large home health agency with 12 branches, 120 retail pharmacies, an independent laboratory, and various smaller lines of service. We have adopted the Planetree model of care across our system, which places the patient at the center of all that we do. Aurora Health Care is the top-performing health care system in the CMS [Centers for Medicare and Medicaid Services] Hospital Quality Incentive Demonstration Project. As the Director of Corporate Compliance, I am responsible for maintaining and continually improving our compliance program for the entire system. I provide direction and support to our compliance officers and Compliance Committees; facilitate the compliance hotline; oversee policy development, auditing/monitoring, and education; and facilitate changing processes to better promote compliance.

KM: Can you share with us your compliance reporting structure?

NV: Aurora’s Chief Compliance/Integrity Officer reports to the Senior Vice President and Secretary (responsible for governance, compliance, legal services, communication, and government affairs), with a dotted line to the Audit Committee of the Board of Directors. I report to the Chief Compliance/Integrity Officer. The business unit compliance officers report to me, some directly and others via a matrix reporting relationship. These compliance officers are aligned via their lines of service—hospital, physician, pharmacies, lab, etc.

KM: If you had to name the top three compliance risk areas, what would they be?

NV: The enforcement of Stark combined with the potential consequences of violating even a technical requirement make physician financial relationships an area where I see the need for constant and continuing diligence. The increasing CMS audits are another, especially the RAC [Recovery Audit Contractors] audits but also the MAC [Medicare Administrative Contractor], MIC [Medicaid Integrity Contractor], CERT [Comprehensive Error Rate Testing], and other audit mechanisms that CMS has implemented. The level of scrutiny is higher than ever before, creating the need for diligence in how we monitor medical necessity, documentation, and billing processes. Finally, I see the legislative movement towards more transparency creating the need for attention to conflicts of interest and vendor relationships.

KM: What has been your single biggest challenge in your compliance function?

NV: Education is clearly the biggest challenge, especially with the size and scope of my organization. We are constantly looking for better ways to deliver targeted education, including information about regulatory changes, to those who need it. We created our own online general compliance training for new hires years ago, as well as an annual compliance update for all staff. Both are mandatory. This has worked well for general training, but it is more challenging to get out-and-about to deliver more targeted training. We have implemented a “compliance roadshow,” where our compliance officers present at existing management meetings across the system. We also have specific training for coders and physician documentation, and we present targeted information at various department meetings. Regardless, it always seems like we need to do more. Most people want to do the right thing. With the complexity of health care regulations, they may not always know what the “right thing” is. I see education as the key to keeping a compliance program proactive rather than reactive.

KM: How do you view the role of risk assessment as part of a compliance program?

NV: I see an annual risk assessment as an important tool to identify areas of potential noncompliance that need attention. It’s important, however, that the risk assessment does not become the end game rather than a tool. You can spend a significant number of resources assessing, analyzing, creating long to-do lists, prioritizing, and re-prioritizing. That is time not spent on addressing the issues. I believe taking a reasonable approach that will result in identifying the “big” issues, as opposed to every possible issue, is the best way to effectively use the compliance resources in an organization.

KM: What do you enjoy most about working in the health care compliance industry?

NV: I love the variety that working in compliance offers. I have the privilege to work with many talented individuals from differing disciplines. It seems that every day my knowledge of our health care delivery system becomes more expanded. I am a firm believer that compliance professionals need to roll up their sleeves and jump into the trenches if an organization is to be successful in establishing and revising operational processes that promote compliance. Not only is this good for the organization, there is the personal reward of being part of a team that has made the organization a better place for our patients to be served and a better place for our employees to work.

KM: Do you have any recommendation for compliance colleagues new to the profession?

NV: Take it a day (or an issue) at a time. There is so much to learn that it can seem overwhelming. You find over time, however, that you have developed a fundamental platform of knowledge and experience that makes new issues and new challenges easier to navigate.

KM: How does HCCA best support the work you are doing and what could HCCA be doing to support your work and the profession even more?

NV: HCCA affords the opportunity for compliance professionals to network, both through their educational events and via the Compliance and Ethics Social Network on their website. HCCA has provided a forum to share best practices and challenges, and also does a great job educating the membership on a myriad of topics. I personally appreciate the insights that Roy Snell shares in his monthly “Letter from the CEO”, and I start each of my monthly compliance officer meetings with insights from his latest article.


Call me

I don’t take time to answer the phone; I save time answering the phone.

I don’t get enough calls from members of our organization. I would like to share a few thoughts about this problem in the hope that some members might call me.

I think CEOs of many professional associations often fall into bad habits. Some of them think they are too important or too busy to talk to members. They become so distant that their vision becomes skewed. They have lots of meetings. They go to important lunches. They worry about what wine to serve at dinner. They create too many committees and hurry from one meeting to another at the annual conference, knocking over members along their way. Some have a Board that wants the CEO to write reports, go to committee meetings, and spend time buying etched glass for the office door that few members will ever see. Your organization does not have that kind of Board.

When I am at a conference, I don’t go to breakout sessions. I only go to (most) general sessions because I have to. I would rather go to the registration desk, our booth, or to the lobby. I like to sit and wait for someone to come by and talk. If no one stops by, I might just go up and start up a conversation. I get a kick out of the people who clearly look puzzled as to why a stranger walked up and asked how the meeting was going for them. When those who don’t know me ask, or are told who I am, they have an entertaining reaction. They have this “Why aren’t you out doing something important?” look. It’s really quite ironic, because what they really want is for their organization to be concerned about them and not wine, etched glass, or dithering committees.

We have two receptionists in the office. When a third call comes in, it rolls over to most every phone in the office (we have 27 staff). The rule is, stop what you are doing and answer it. That goes for everyone, including the CFO and CEO. If I can beat them to the call, everyone gets a not-so-gentle reminder to answer it. I can’t believe the number of companies, let alone professional associations, that have the phone immediately roll over to some automatic answering system. I think every one of them should have, “Please press 1 to resign from this organization, because we don’t really care.” Don’t get me started.

The reason we do what we do is because we don’t believe in pressing 1 or even going to voicemail. We are far from perfect, but we do all we can. One of the interesting aspects of this is when I do answer (a couple times a week), I mention my first name and ask “How can I help you.” A lot of people don’t know me, but when they do, I can tell, because there is a long pause. It’s not “computing” for them. Some ask what I am doing answering the phone. It’s particularly funny when it is a Board member, making a random call to the staff. I tell them essentially what I am telling you in this article.

We hate voicemail and we hate pressing 1, so we don’t want to do it to others. It kills me how many people want to talk to a human being when they make a call, but when they go to their job, they have to go to a machine. We are also sending a message to the staff that service is everything. If there were no other reason for my answering the phone than the message this sends to the staff, it would still be worth it. We represent the members. Nothing is more important than the members. Some might think that I should have more important things to do, but they would be wrong. I have a lot of important things, and I get most of those things done. However, a couple phone calls a week isn’t going to bring the system to its knees. As a matter of fact, I often learn something that can save us all a lot of time. I find out what the members are interested in. More often, I find out their problems and I find out their opinions. Sometimes I find out a common problem that a simple system change can fix. We then free up staff time for other things, because we reduce the time on fixing problems. I don’t take time to answer the phone. I save time answering the phone, so call me.

I got a call from a member yesterday who specifically wanted to talk to me. It doesn’t happen enough. This one was particularly interesting. She wanted to let me know she thought it was a mistake that we discontinued the Audit Committee of the Board conference. We were losing money on it, but the conference was a real benefit to those who could get their Board to go. Dan Roach, who was the biggest advocate for this important member service, had just told me two days earlier that we should bring back the conference. I told him he was killing me with this fiscally imprudent idea. I asked him if he had heard about the recession. The truth of the matter was, we continue to do fine,


Continued on page 42


Web 2.0 is about the new, faster, everyone connected Internet.

Each resource is 100% dedicated to compliance and ethics management. So sign up for whichever one works best for you, or for all four if you’re already living the Web 2.0 life.

HCCA is embracing this approach and offers you a number of ways to build out your network, connect with compliance professionals, and leverage this new technology. Take advantage of these online resources, keep abreast of the latest in compliance news, and stay ahead of the curve.

Dozens of discussion groups and more than 3,000 participants: http://community.hcca-info.org

Profiles of over 1,300 compliance and ethics professionals eager to connect: http://www.linkedin.com/groups?gid=83345

Connect with compliance and ethics professionals on Facebook: http://www.hcca-info.org/Facebook http://www.hcca-info.org/Fan_Page

Over 11,000 people already follow us on Twitter to get breaking compliance news: http://twitter.com/HCCA_News

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org February 2010

Editor’s note: John Falcetano, CHC-F, CCEP, CHRC, CIA is Chief Audit/Compliance Officer for University Health Systems of Eastern Carolina and Secretary of the HCCA Board of Directors. John may be contacted at [email protected].

Life in the Compliance Lane

Over the last several years, I have dedicated this column to responding to questions asked by our membership related to compliance and most recently to providing our members with a list of topics being discussed on the Social Network site (http://ww.hcca-info.org/sn). While I will continue to encourage all readers to go and use the Social Network site each month because it is such a wonderful resource, I have decided to use this column to provide information that our members may find useful in furthering their careers. One question I often receive is, “Why should I become certified in health care compliance?” The answer is simple: You should become certified so you can be recognized for your experience and knowledge in health care compliance. The requirements for taking the certification examination, as well as how to prepare for the exam, are posted on the HCCA website.

Requirements:
• CHC candidates must meet both the work experience and continuing education requirement before registering for the exam
• Persons with one year of full-time (or 1,500 hours) of compliance-related experience are eligible for the CHC exam
• Students completing a program at an accredited university are also eligible
• Continuing education credit: 20 hours must be earned in the 12 months prior to taking the exam

Preparation:
• Review the CHC Candidate Handbook, focusing on the detailed content
• Read Compliance 101, The Healthcare Compliance Professional’s Manual, The HCCA HIPAA Training Handbook, and Monitoring & Auditing Practices for Effective Compliance
• Take the practice exam
• Attend an HCCA Compliance Academy (a week-long event that fulfills the 20 hours of continuing education requirement) and pre-register for the on-site CHC exam
• Review the federal sentencing guidelines
• Please note: The CHC exam is largely based on professional compliance experience

Good luck to all of you who sit for the certification examination and remember to check out the Social Network. It is a great way to network with your peers and find answers to your compliance questions.

Social Networking


Editor’s note: Greg Gulick is President of Gulick Global Solutions, a consulting firm that assists companies with outsourcing projects and doing business internationally. Greg specializes in health care law and has Masters Degrees in Healthcare Administration and International Business. Greg may be contacted via e-mail at [email protected] or by telephone at 414/699-4262.

Outsourcing is sometimes used as a bad word in polite society because it is associated with moving U.S. jobs to foreign countries. Although “outsourcing” technically means moving internal operations to an outside vendor and “offshoring” is used to denote the moving of internal operations to a vendor located in a foreign country, the term “outsourcing” is generally synonymous with sending services to foreign countries. Despite its bad press, outsourcing is a valuable tool that allows corporations to reallocate their workforces and to focus on their core competencies by letting someone else worry about the non-core, routine, and repetitive functions.

Outsourcing began in the manufacturing industry when businesses found that they could manufacture their products cheaper in foreign countries. Generations of Americans are familiar with the ubiquitous “Made in China” and “Made in Taiwan” labels. In the late 1990s, US corporations found that they could outsource their information technology (IT) functions to India after Indian programmers helped companies fix their Y2K problems. Early this century, with the development of high-speed communications, more and more companies found that they could actually send business functions to other countries; this is known as Business Process Outsourcing (BPO). In addition to BPO, which typically involves sending routine and repetitive functions to a foreign vendor, companies are also beginning to send more complicated functions to vendors located in other countries. The outsourcing of functions that are more complicated and require more expertise is known as Knowledge Process Outsourcing (KPO). KPO involves the outsourcing of accounting services, legal work, and even medical diagnosis (e.g., teleradiology) to foreign countries.

Outsourcing has gained in popularity as improvements in technology and a more competitive global landscape have forced companies to consider every method available to reduce costs. Outsourcing appeals to companies because of the 20% to 50% cost savings associated with outsourcing certain functions. In addition to these cost savings, BPO allows companies to focus on their core competencies while outsourcing all non-core functions. A “core competency” is something that a customer is willing to pay money for (it is considered to be “value-added”). A “non-core function”, while essential to doing business, is not something a customer would willingly spend money on (it is not considered to be “value-added”). An example of a non-core function in the health care industry is medical coding; patients are willing to pay money to receive treatment, but may not be willing to pay to have their office visit translated into a diagnosis or treatment code.

Health care outsourcing

The health care industry is currently under attack for high administrative costs that contribute to the U.S. having the costliest health care system in the world. It is estimated that administrative costs account for $1.2 trillion of the $2.2 trillion in health care spending in the U.S.1 Thus, half of all spending in the health care industry, or approximately $7,900/person, is not value-added and does not contribute to the betterment of health care services. Although this $1.2 trillion figure includes all forms of waste in the health care industry, including the practicing of defensive medicine and the treatment of preventable conditions, $210 billion in spending is directly attributable to spending on non-core functions such as medical coding and billing, which adds costs but does not add value.

Health care organizations are in business to treat patients, not to perform “back-office” functions associated with operating a health care organization. Back-office functions typically include:
• Data input
• Transcribing records
• Coding the diagnoses and treatments
• Billing health insurers and patients, and
• Collections

These back-office functions are typically outsourced by health care organizations to domestic companies that specialize in these services. It is only a matter of time before more health care organizations decide to realize the 20% to 50% cost savings associated with sending these “back-office” functions to foreign countries.

Business process outsourcing: Mitigating the risks and reaping the rewards
By Greg Gulick, JD, MBA, MHA

Obviously, many risks are associated with moving any function offshore. This article will examine four of the common risks and offer suggestions on mitigating these risks. Compliance professionals need to be able to identify these risks and find ways to minimize them in support of their organization’s outsourcing venture.

Compliance risks

Although most offshore outsourcing goes to India, countries such as China, the Philippines, and Vietnam are also becoming offshore destinations for US companies. Obviously moving back-office functions offshore carries certain risks. With proper planning and knowledge, these risks can be mitigated. There are four risks that health care organizations need to be aware of when planning offshore outsourcing.

• The Foreign Corrupt Practices Act

India is the most popular destination for BPO because English is the national language, it has a large population of well-educated workers, and the wages in India are much lower than in the U.S. However, as competition in India grows, wages are also increasing, and countries such as China, the Philippines, the Czech Republic, Ireland, and Vietnam are gaining in popularity as BPO destinations. The one thing that many of these destinations have in common is the risk of corrupt business practices. For example, China ranks 72 on the 2008 Corruption Perceptions Index while India ranks 85 and the Philippines ranks 141 (the higher the ranking, the more corrupt the country is considered to be).2

The risk of corruption is an important consideration for US companies looking to do business in foreign countries, because of the Foreign Corrupt Practices Act (FCPA).3 The FCPA is a federal law that prohibits company representatives, including agents of the company, from offering any benefit to a public official in a foreign country for the purpose of obtaining or keeping business. This would include offering payments (i.e., bribes) to facilitate obtaining a license or to accelerate a particular inspection. Although these types of payments are common in some countries, if they are made by or on behalf of a US business, the FCPA is implicated. A violation of FCPA is a criminal offense, so any violation can result in jail time in the United States. Thus, if a US health care organization hires a vendor who makes a payment to facilitate that organization’s business, the FCPA may be implicated and the US health care organization may be prosecuted.

If a health care organization is partnering with a vendor in a foreign country, it is crucial to make the vendor aware of the FCPA and to prohibit them from bribing any foreign official on your behalf. In addition, it is important to build this into your contract with the vendor to ensure that your organization is protected from violations of the FCPA. Although a contract can provide some protection, the best protection is a thorough and robust due diligence process to fully investigate and review any potential vendors. Performing a thorough due diligence process, including checking references and investigating the vendor’s litigation history in its home country, can mitigate the risks associated with the FCPA.

• Intellectual property protection

In most BPO relationships, the vendor is simply performing services on your behalf and is not creating any new IT functionality. However, many BPO vendors also serve as IT consultants and may offer up some innovative IT solutions to make your business processes more efficient. It is important to address this possibility in the contract and to build in a “gain share” option whereby if the vendor creates a technological improvement that saves your organization money, the vendor only gets a pre-determined percentage of the cost-savings associated with that innovation.

If the vendor does create an IT solution for your organization, it is essential to have the proper protections in place so that your organization owns that intellectual property (IP) at the end of that relationship. In the United States, vendors that create something on behalf of their client automatically assign ownership rights of that invention to their client. The invention is considered a “work for hire” and these rights are assigned to the client so that the client, and not the vendor, owns that invention. This law also applies to employees who create something during the course of their employment; the ownership rights are automatically assigned to their employer.

Other countries, however, have different IP laws. In India, for example, an employee who creates a new invention owns that invention unless they have an agreement in place with their employer to assign the rights to that new invention to the employer. If such assignment is in place, it is only applicable to protect the rights in India, unless otherwise specified in the release to apply internationally. Thus, without such an agreement (and a subsequent agreement for the vendor to assign the rights of that invention to your organization), the vendor or their employee would own the invention. In order to ensure that any new IP is protected, special provisions need to be used in the contract. Compliance professionals also need to be aware of any of the organization’s software that is being used by the vendor in the foreign country to make sure that the proper licenses are obtained and that software is being used in the appropriate way.


• Litigation/Contract enforcement

Once your organization has conducted the proper due diligence, found the perfect partner, and crafted a perfect contract that protects against every potential risk, you are ready to go, right? Not necessarily. Contracting with a foreign company can be very complicated. For example, let’s say you set the choice of law provision for your home state, because you feel comfortable in that court system. And let’s say that during your contract dispute with the vendor, you manage to serve a representative of the company (let’s say he was in Las Vegas presenting at a conference and you catch him there). Your company obtains a default judgment in your home court. Now, how do you propose to enforce this judgment? The vendor most likely does not have any assets in the U.S. In addition, most foreign courts will not enforce a judgment from a US court.

The solution is to require that any contractual disputes are settled in binding arbitration in a predetermined location (such as New York or London) under predetermined rules (such as those set forth by the American Arbitration Association). Many foreign courts will not enforce judgments from US courts, but many will enforce arbitration decisions.

However, if the relationship gets to the point of litigation or arbitration, then problems in the relationship were not addressed early enough. Thus, it is useful to build dispute resolution procedures into the contract whereby routine disputes, such as missed service levels or communication breakdowns, are addressed by appropriate decision-makers at the appropriate time. Should the dispute not get resolved, it would get escalated to the next level of management.

It is crucial in any outsourcing project to have executive involvement in the project from start to finish. It is also important for compliance professionals to stay actively involved in monitoring service levels and ensuring that the work is being done. Only by catching problems early can the risks be mitigated and the relationship maintained.

• Privacy, security, and data protection

Compliance with HIPAA privacy and security regulations and data protection is probably the biggest compliance concern for health care organizations that are considering outsourcing their back-office functions. There are numerous horror stories about health care organizations that knowingly (or even worse, unknowingly) send their patients’ protected health information offshore, only to have it hijacked and held for ransom. In one story, a hospital had sent transcription services out to a domestic vendor. The vendor then sent this work to a business partner located offshore in Costa Rica. When the hospital’s vendor did not pay this subcontractor, the subcontractor sent an e-mail to the hospital holding the medical information hostage until they were paid what they were owed (the “ransom note” contained a screen shot of the medical information being held). Obviously the hospital paid the subcontractor and also learned a very important lesson about knowing where its data was being sent!

Given the inherent risks with allowing any data to leave the U.S., it is best to establish a system whereby the vendor accesses the organization’s IT system remotely in order to perform the services. So, if your organization has outsourced medical transcription services, the vendor would access the organization’s system remotely, transcribe the data file, and save the transcription in the system. No data would ever leave your organization’s server, which is located in the U.S. and protected by US law. Due diligence has been mentioned before and will be mentioned again, because it is so important. In this case, onsite visits to the vendor need to be conducted to ensure that the vendor has implemented:
• Segregation of the vendor’s employees who are serving your account from the vendor’s employees who are serving other accounts;
• Physical security measures that monitor access to the computers and to the system;
• Secure work environments that do not have printers or external drives, so that employees cannot download or print any information;
• Secure work environments that prohibit employees from bringing cell phones or cameras into the work area (to protect against data being stolen).

By maintaining the data on servers located in the U.S. and severely restricting access to the data, your organization can ensure that the HIPAA privacy and security standards are met. Many BPO vendors call themselves “HIPAA certified,” but it is still important to conduct your own training. Although this training can be performed remotely via an Internet connection, it may make sense to combine the training with a privacy and security audit. Who knew that being a compliance officer would be an international job?

Conclusion

If done in a strategic and methodical way, the risks associated with outsourcing can be mitigated and the cost savings can be maximized. One of the advantages of BPO is that it allows health care organizations to reduce costs by taking advantage of the cost arbitrage associated with international business. However, the most important aspect of BPO is the fact that it allows your organization to focus on its core competency (treating patients) and allows a vendor that specializes in the ancillary functions (such as data input, transcription, coding, and billing) to use their expertise to manage these functions. Very few health care organizations would consider medical billing to be their specialty, and even fewer would consider this a core competency of their organization.

Outsourcing can be a tremendous advantage to a health care organization, because it allows the organization to reduce costs while refocusing and reallocating resources to the organization’s core business. A strategic plan can go a long way in minimizing the job losses associated with outsourcing by retraining and reallocating your personnel within the organization. Compliance professionals play a large role in all aspects of the outsourcing project, from the strategic planning to the due diligence, to the implementation.

For an outsourcing project to be successful, it is crucial to do your research, or tap into the expertise of a consultant, and go about the outsourcing project in a systematic and strategic way. This way, your organization can mitigate the risks associated with outsourcing while reaping the rewards.

1 PriceWaterhouseCoopers’ Health Research Institute, The Price of Excess: Identifying Waste in Healthcare Spending (2008).

2 Corruption Perception Index found at http://www.transparency.org/policy_research/surveys_indices/cpi/2008 (visited September 30, 2009).

3 Foreign Corrupt Practices Act of 1977, 15 U.S.C. §§78dd-1, et seq.

CCB

The CCB offers certifications in Healthcare Compliance (CHC), Healthcare Research Compliance (CHRC), and the Certified in Healthcare Compliance Fellowship (CHC-F).

Certification benefits:
• Enhances the credibility of the compliance practitioner
• Establishes professional standards and status for compliance professionals in Healthcare and Healthcare Research
• Heightens the credibility of compliance practitioners and the compliance programs staffed by these certified professionals
• Ensures that each certified practitioner has the knowledge base necessary to perform the compliance function
• Facilitates communication with other industry professionals, such as physicians, government officials and attorneys
• Demonstrates the hard work and dedication necessary to succeed in the compliance field

For more information about certification, please call 888/580-8373, email [email protected], or visit our website at www.hcca-info.org.

The Compliance Professional’s Certification

Congratulations!! The following individuals have recently successfully completed the CHC certification exam, earning their certification:

Melissa J. Alexander

Elizabeth Suzanne Antoun

Ginger Renee Bandeen

Yoly Bazile

Robert A. Bell

Yvonne Camarena

Joeann Coleman

Connie G. Coleman

Lisa S. Corrigan

Maureen A. Decker

B. Kyle Dickerson

Kimberly D. Easley

Sharon E. Fernandes

Brenda Pratcher Gamble

Karen Elaine Gipson

Julie A. Glover

Phylliss E. Graham

Suzanne M. Grouws

Vanessa Guaty

David Marshall Hall

Linda Hanna-Casey

Kay Louise Hanson

Sarah Renee Horner

Laura Theresa Humbertson

Mary A. Hurn

Lisa Diane Jacklin

Jessica E. James

Ginger G. Johns

Frederick D. Knight

Phyllis Lorraine Knox

Barbara J. Knuutila

Crystal Joy Laven

Walter G. Mann

Ronald B. May

Gary Mendelsohn

William John Naber

Dania Michelle Neal

Vera M. Newkirk

Kenneth R. Nunez

Robert H. Ossoff

Felicia Nicole Rabsatt-Harris

Celeste Inez Reed

Michael J. Reid

Stacey A. Ries

Ryland Terry Rigsby

Robert J. Schnarrs

Rhonda A. Seefeld

Ronald C. Skillens

Colleen M. Susko

Tony Swicer

Linda M. Thomas

John Michael Travis

Adam Turteltaub

Lisa Marie Venn

Jennifer Vybiral

Aaron Justin Walker

Kathryn Leanne Walls

Raye D. White

Daryl Ann Williams

Michael L. Woitkowiak

Tracy A. Zabrenski

Carol A. Znaniecki

The Compliance Certification Board (CCB) compliance certification examinations are available in all 50 states. Join your peers and demonstrate your compliance knowledge by becoming certified today.

Toby L. Anchie

Shawn Y’Vette De Groot

Stephen M. Kelly

Ernesto Marrero

Donald Ray Martin

Maryann Northrup

Bonnie Ann Sexton

Congratulations!! The following individuals have recently successfully completed the CHRC certification exam, earning their certification:


Editor’s note: Rebecca Herold, The Privacy Professor®, is owner of Rebecca Herold & Associates, LLC located in Van Meter, Iowa. She may be contacted by e-mail at rebeccaherold@rebeccaherold.com or by telephone at 515/996-2199.

The Health Information Technology for Economic and Clinical Health Act (otherwise known as the HITECH Act portion of the American Recovery and Reinvestment Act of 2009) effectively widened the requirements for the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule to include the business associates (BAs) of covered entities (CEs). CEs are now accountable for more active validation of BA security and privacy program compliance, beyond just having a BA contract in place. It is more important than ever for CEs to take proactive measures to ensure BAs establish and maintain effective and appropriate information security and privacy policies and other supporting actions. Simply depending upon a security questionnaire answered once a year (or even less often), with no validation that the information provided is even accurate, is not effective. CEs must take a more proactive approach to ensuring BAs have effective and compliant programs in place. After all, CEs are ultimately responsible for ensuring the security and privacy of the information they collect from their own clients, patients, customers, and employees.

Business associates

I’ve done a great amount of HIPAA compliance work for CEs over the past decade, since just before HIPAA went actively into effect. In the past few years, I’ve done around 200 BA information security and privacy program reviews.

Many different types of BAs perform work for CEs. A large portion of them do business in other industries, in addition to the health care industry. In the BA information security and privacy program reviews I’ve performed, the BAs were of all sizes, provided a very wide range of services (some I had never even thought of before), and worked in many different industries.

I’ve been asked if a comprehensive list of BAs exists. Not only do I doubt that, I doubt if one even could exist; there is a constant turnover of companies that become BAs and cease being BAs.

The numbers of BAs used by CEs can be huge. As just one example, I did a BA security and privacy program review for one company that had approximately 15,000 employees. They had identified over 2,000 business partners, and of these, they identified around 600 “high risk” BAs – those with access to PHI.

Consider the statistics within the Health and Human Services (HHS) Breach Notice Rule which help to reveal the very widespread impact of the HITECH Act. HHS has determined that the HITECH Act impacts over 734,178 “small business” HIPAA CEs alone, and that doesn’t include the medium and large CE businesses.

Consider the following data taken from the HHS website, based on US business census data provided to the Small Business Administration Office of Advocacy, which looks at how many “small” CEs will be impacted by the HITECH Act:
• 605,845 physicians, dentists, ambulatory care centers, hospitals, and nursing facilities
• 107,567 suppliers of durable medical equipment and prosthetics
• 3,266 insurance firms and third-party administrators
• 17,500 independent pharmacy drugstores

This represents a total of 734,178 small CEs. But, a large section of clearinghouses are missing from this list. There are more types of clearinghouses than what would fall under those shown. Now think about how many more thousands of medium-to-large CEs there are. The total number of CEs, as defined by HIPAA, in the U.S. is well over one million.

So then, think about how the HITECH Act has expanded HIPAA to effectively require all BAs to comply with the Security Rule and the Privacy Rule, and how many BAs are used by each CE. Consider a few numbers:
• One small CE I’m working with has five employees and five BAs.
• A little bit larger CE I’ve helped has around 50 employees and 15 BAs.
• A large CE (I’ve done over 150 BA security and privacy program reviews for them) has over 2,000 business partners, of which 600 are identified as BAs that have access, in some way, to protected health information (PHI).

Business associate security and privacy programs: HIPAA and HITECH
By Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI

Based upon just these limited examples, the HITECH Act has effectively expanded the reach of HIPAA by five to 600 times! The HITECH Act will be impacting literally millions of organizations. This demonstrates how the HITECH Act is impacting health care information security and privacy compliance much more widely than even HIPAA did. Each CE now must widen their compliance purview significantly to help ensure that all their many BAs are appropriately safeguarding information and providing appropriate – and required – security and privacy protections.

Business associate services

BAs perform a very wide range of services. An example of just some of the activities performed by the 200 BAs I’ve reviewed include:
• Call center work
• Application development
• Archiving
• Backup vaulting
• Physical files maintenance
• Employee background checks
• Job candidate background checks
• Test data creation
• Transcription services
• Contracted laboratory and radiology departments
• Software development
• Hot site hosting
• Billing, and
• Home care services

So what is a “business associate”? HIPAA defines a business associate as follows within §160.103 Definitions:

“Business associate:

1. Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:
   i. On behalf of such covered entity or of an organized health care arrangement (as defined in §164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
      a. A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
      b. Any other function or activity regulated by this subchapter; or
   ii. Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
2. A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.
3. A covered entity may be a business associate of another covered entity.”

Think about all the possible types of organizations you outsource different types of business activities to. If they have access in any way to PHI, then they are most likely considered to be BAs.

10 common indicators of problems

During the course of performing BA security and privacy program reviews, I have repeatedly run across similar problems when reviewing the completed questionnaires and other documentation, such as policies, website information, and so on. The following is a high-level listing of the ten most common indicators that a BA information security and privacy program has some problems at best, and is completely insufficient and risky at worst.

Indicator 1: Incomplete response
When a BA does not completely answer the information security and privacy questionnaire used during a review, it may indicate that no acceptable program is in place. It may also indicate that the appropriate person did not provide the questionnaire responses. I have often had the BA’s marketing contact try to answer the questions. The best people to answer the questions work in the information security and privacy areas. I have also found BAs often choose not to answer a question at all if it will look negative for them; perhaps they think not responding at all looks better.

Indicator 2: Inconsistencies between policy and response
Many times I have found the responses in the BA’s completed questionnaire did not match the documentation provided. For example, the respondent for the questionnaire may indicate the passwords used are a minimum of six alpha characters, but the actual policy may indicate passwords must all be a minimum of eight alphanumeric characters. This shows that the BA is likely not enforcing their policies, that the systems are not configured to support the security policies, that compliance audits are not performed, and/or that there is no training or awareness provided for the policies.

Indicator 3: No assigned security or privacy responsibility
The responsibility for security and privacy may be delegated to a “Jack/Jane-of-all-trades” or performed ad hoc. Information security and privacy responsibilities need to be formally assigned and documented. Not only is this a requirement under multiple rules and regulations, including HIPAA, it is also good business practice to ensure personnel know their responsibilities with regard to security and privacy practices. A formally documented responsibility must be in place to ensure security is appropriately and consistently addressed.

Indicator 4: Response is provided by another company
Be sure to verify that the questionnaire responses apply to your BA and are not provided by some other entity. I have run across many instances when a completely different organization filled out the security and privacy questionnaire instead of the BA. For example, there have been multiple times the BA used an outsourced managed services provider to take care of their network, and got them to answer the questionnaire based upon the managed services security and privacy program, not upon the BA’s program. It is important to know if your BA uses a managed services provider, but your BA still needs to answer the questionnaire and tell you about the BA’s own security and privacy program. Your BA needs to have an information security and privacy program in place to address all the operational, physical facilities, and human issues, even if they have outsourced the network management.

Indicator 5: Subcontracting
Many times the BA was subcontracting the processing of my client’s (the CE’s) data to yet another company, and that subcontracted company did not have good security practices. In fact, in some instances, the subcontractor had basically no security practices! There have also been times when the subcontracted company was located in a different country. Be sure to cover the issue of having your BA subcontract within your organization’s contract with the BA. In one very interesting case, I discovered that my client’s BA had been subcontracting PHI management and processing to another company that employed an ex-employee of my client who had left under very hostile terms. This was certainly a high risk to have this person handling such sensitive information for a company against which he had a vendetta!

Indicator 6: No mobile computing controls
One of the most common ways in which security incidents and privacy breaches occur is through lost or stolen mobile computing devices, such as Blackberrys, laptops, notebooks, smart phones, and so on. An alarmingly large number of the BAs I’ve reviewed did not have security policies or controls in place for these types of mobile computing devices, or for their employees who work from remote locations. However, they often allowed the CE’s data to be stored on the mobile devices, or allowed personnel who used these types of computers to process the CE data. Make sure BAs have appropriate security in place for such situations.

Indicator 7: No use of encryption
Another type of incident reported weekly, and sometimes daily, is the loss or theft of personal information, including large amounts of PHI, that was not encrypted. I have found most of the BAs do not use encryption to protect information in storage, in transit, or on mobile computing media and devices, such as laptops, backup tapes, USB drives, and so on. This is slowly changing, but in most cases, the BA will not spend the time and resources to encrypt data unless required contractually or by law to do so. Now laws in Massachusetts and Nevada require encryption of such personal information. Plus, the HIPAA Security Rule, which BAs must now be in compliance with, requires encryption to be used, based upon risk. Be sure encryption is used by BAs to mitigate the risk involved in such situations.

Indicator 8: Missing, incomplete, or outdated business continuity and disaster recovery plans
I never cease to be surprised when I find a BA does not have any documented business continuity or disaster recovery plans! It seems like such a common-sense type of protection to have. However, in far too many cases, business continuity and disaster recovery plans are either missing or were written several years ago and never tested. Recently, I found a BA with a very well-documented and detailed business continuity plan…from 1995! The plan had never been updated or tested! Needless to say, most of the BA systems and applications had been either replaced or changed dramatically since 1995. Be sure the BAs have up-to-date plans in place, and that they test them regularly.

Indicator 9: No corrective actions for prior breaches
Has your BA had an information security or privacy breach? This is definitely something you need to check on. Check multiple places. Use the time your BA is completing the security and privacy questionnaire to do research to see if they have had any publicized security incidents or privacy breaches. There are multiple services you can use to check on this, in addition to dozens to hundreds of good websites to search for news about the BA and any security breaches in which it was involved. I have found some BAs who indicated on their security questionnaire that they have never experienced a security incident or privacy breach, after I had found through my own research that they had experienced significant incidents and breaches! If you find the BA has had a breach, be sure to ask the company about it and find out what actions they have taken to prevent such a breach from occurring again.

Indicator 10: No independent assessment
If a BA has never had an independent security or privacy assessment of their organization, it is a warning sign. It could be indicative of many possibilities, such as:
• Lack of funding for the security and privacy program. Most organizations that are serious about security and privacy have an independent audit or assessment to ensure their controls and safeguards are appropriate.
• A false sense of security. Many of the BAs I’ve reviewed have indicated that they believed things were fine, so they didn’t need someone to do a review. Ignorance is definitely not bliss when it comes to security, privacy, and compliance.
• Independent assessments have been done, but are not being shared. I’ve run across two very large BAs who did not want to share the results of their security and privacy program audit, because it had so many significant findings.

Of course, it is also possible that you will find upon investigation that the BA simply did not know that doing an independent assessment was advantageous, or they simply didn’t want to spend the money to do one. However, it is still worth checking on.

Benefits of active BA compliance management

If you depend upon the use of questionnaires for doing BA security and privacy program reviews, as is typically done, you will likely reveal a very wide range of risks. I’ve done around 200 of these, and while they’ve been very beneficial to identify concerns within BA information security and privacy programs, they also have their drawbacks. Some of these include:
• Each review typically takes around four to eight weeks to complete, depending upon how timely the BA completes the questionnaire, provides documentation, and makes key contacts available for interviews.
• The review is an assessment of a point in time for the BA. As soon as the review is over, if anything within the BA operations, systems, networks, administration, or other significant factor changes, it will likely also change the information security and privacy posture for the BA.
• Most of the answers on the questionnaires are not validated. Many organizations answer the questionnaires in the way that will be most beneficial for them to “pass” the review, and they do not truly represent the reality of the BA information security and privacy program.

As I did more and more of these BA security and privacy program reviews, I became more and more convinced that there must be a better, more effective, accurate, and efficient way for CEs to ensure, on an ongoing basis, that BAs have good information security and privacy programs in place. To meet this need I partnered with Jack Anderson, of Compliance Helper (http://www.compliance-helper.com), to create an automated way to allow CEs to see the documentation for their BAs at any time, on an ongoing basis, to validate appropriate documents, forms, and activities exist for BA security and privacy program compliance. By having a window into the key BA security and privacy program components, CEs will be able to ensure BAs:
• Are in compliance with legal and regulatory requirements and/or expectations
• Perform due diligence efforts during the contracting process or other risk management activities
• Are in compliance with CE contractual security and privacy expectations
• Resolve security and privacy issues promptly and appropriately

This is an effective and cost efficient alternative to performing the more time- and resource-intensive reviews based upon point-in-time questionnaires and documentation reviews. It also helps to quickly and effectively address and eliminate the ten BA security and privacy program problems.

Many benefits accrue from performing BA information security and privacy program reviews, or from choosing to have ongoing compliance monitoring capabilities:
• Meet compliance with multiple laws and regulations
• Demonstrate due diligence by your organization
• The resulting reports clearly detail for the BA what you want them to do to protect the information and system that you have entrusted to them
• Having such documentation also helps to motivate the BA and ensure the risks are resolved in a timely manner
• Ongoing monitoring, or doing point-in-time reviews, aids in a reasonable and appropriate evaluation of the BA’s security and privacy program
• Security and privacy expectations for the BA are aligned with the CE’s requirements
• Reviews and/or monitoring helps organizations define within their contract the issues and activities that are considered as grounds for termination of business relationship
• Vulnerabilities and threats can be identified and mitigated before bad things happen

Following formal information security and privacy review methodologies or using an ongoing program monitoring service will help to ensure BA compliance, which also helps CEs to ensure they are appropriately demonstrating due diligence, complying with all their compliance obligations, and doing all they can to prevent privacy breaches.


Tips for designing a collaborative risk assessment process

By Kelly Nueske

Kelly Nueske is Director of Enterprise Risk Services at Sinaiko Healthcare Consulting, a leading independent health care management consulting firm, where she works with health care organizations nationwide on a diverse range of internal audit and compliance issues. You may contact Kelly by e-mail at [email protected].

Within your organization, do you know “who” is conducting annual risk assessments to develop work plans each year? Have you ever wondered what type of information others are collecting and their approach to gathering information? Is there a possibility that multiple departments are asking leaders in your organization similar questions?

I know from my experience as an internal audit and compliance professional that there is a good chance at least two annual risk assessment processes are occurring in your organization—and it could be more, depending on your organization’s complexity. For example, when I worked for a large health system, the chief operating officer met with the leaders of Internal Audit, Compliance, Risk Management, and the Law department for the purpose of asking “us” to develop a collaborative annual risk assessment process. He wondered if there was an opportunity to collaborate, because each of our areas was meeting with him, his direct reports, and other leaders throughout the organization each year for our “individual” risk assessments—thereby creating redundancies and inefficient use of resources. He had a very valid point. However, if you work for an organization that is not conducting an annual risk assessment, then you might want to consider starting the process.

One may wonder why so many areas of an organization conduct risk assessments and what the objectives are. The organization should have Internal Audit (or an outsourced provider) conduct an annual risk assessment that is very broad in nature, looking at all business processes and multiple risk factors as a means to develop their annual work plan. The Compliance department is similar in that the process should be a means to develop an annual work plan; however, the focus may be limited to state and federal regulations as they relate to the Medicare and Medicaid programs. Risk Management may be more focused on exposure areas and process improvements as they relate to patient, employee, and visitor safety; while the Legal department is similar to Internal Audit in that they have a very broad focus on legal risks in all facets of operations.

Internal Audit, Compliance, Risk Management, and the Legal department all have significant opportunities to work collaboratively in the risk assessment and mitigation process. The knowledge and risk expertise in these four areas is a powerful asset to management and governance. The key to designing a risk assessment process is realizing that “one size does not fit all.” However, there are some tips to think about while designing a collaborative and comprehensive risk assessment process.

Tip #1: Identify a risk framework

There is so much literature on risk domains, risk factors, and how to rank risk that it can be overwhelming; however, they are all fairly similar in the end. Look to your internal audit colleagues to provide guidance and options for this one. It’s their area of expertise. Alternatively, look to a consulting firm with internal audit expertise.

One risk framework I have found easy to apply to the health care environment is the Internal Control Framework (ICF) developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). There are five elements within the framework that help identify risks and control weaknesses:
1. Control environment – the organizational culture that influences ethical behavior, workplace integrity, risk, and compliance consciousness of its personnel.
2. Risk assessment – the process of identifying risks that threaten the organization’s achievement of objectives.
3. Information and communication systems – the process for providing the right information to the right people at the right time for them to effectively carry out their responsibilities.
4. Monitoring – the management process in place to verify controls are working as intended and identify anomalies.
5. Control activities – the activities established to support execution of requirements and risk responses selected by management.

The goal is to identify the highest risks efficiently, so don’t stop with the ICF. I suggest focusing on change as it creates risks. Some of the higher risk changes include:
• Changes in operations
• Partnerships or joint ventures with physicians
• New personnel or management turnover
• New or changed information technology
• Rapid growth
• Introduction of new service lines or products
• Accounting pronouncements
• Regulatory or accreditation changes

Tip #2: Define the risk universe

The risk universe is the “directory” to the entire organization’s operations. The information gathered for the risk universe will vary by organization, but there should be some basic information gathered. For simplicity’s sake, let’s assume the risk universe is defined by department or general ledger cost center. For each department/cost center, you will want to know at a minimum:
1. What information technology/applications are used by that department?
2. What regulations or accreditation standards apply to that department?
3. What is the department’s year-to-date annual revenue and expenses?

In addition to the basic information, you should capture the risk information gathered during the risk assessment process and associated risk ranking. Once you have the risk universe defined, you only need to update the information each year and capture the current risk factors. The risk universe could be expanded to track internal or external audit dates, and it could be used to document resource strategies by department/cost center as they relate to the allocation of Internal Audit, Compliance, Risk Management and Legal department resources.

Tip #3: Develop the risk assessment approach

The next big task is gathering the information in the most reliable and efficient manner. Some information is relatively easy to gather, such as requesting the financial and technology information by department. The more challenging component is determining how to gather the other risk information. I suggest using a combination of surveys and interviews and, more importantly, dividing and conquering when it comes to the interview process by collaborating as a group (Internal Audit, Compliance, Risk Management and Legal departments).

With respect to the survey process, the best thing I ever did was engage the assistance of research professionals within my organization who knew how to gather reliable information with a well-designed survey. Once your team has decided what information needs to be gathered, sit down with a research expert, whether an internal expert or a consultant, who can help you design the survey and interview questionnaire. Going through this process as a team is invaluable to understanding the desired outcome.

Tip #4: Resource and work plan strategy

All the information is gathered and the high-risk areas are identified; now it is time for the strategy. Collaboration and understanding the roles of Internal Audit, Compliance, Risk Management, and the Law department is critical. Internal Audit is an independent assessment function; Compliance and Risk Management typically assist with facilitating change and monitoring the remediation progress; and the Legal department is typically an advisor. With that in mind, look at each risk area and determine how to best support the organization with the risk resources available.

For example, if a new regulation is going into effect and there has been no education or planning for implementation of the regulation, it wouldn’t make sense to have Internal Audit test compliance with the regulation just because the risk score is high. A more effective strategy would be for Compliance to assist Operations with implementing change in the affected areas, followed by Internal Audit testing the effectiveness of the implementation. It becomes a timing strategy to ensure resources are used wisely.

In closing

Resources are always limited in a health care organization and change is constant, which creates risk. As you approach your next risk assessment process, consider expanding the process and involving all the risk experts within your organization in a collaborative fashion. So much valuable information can be shared, and the process can be more effective with some thoughtful design at the front end.


Compliance Today Needs You!

The Health Care Compliance Association (HCCA) is seeking authors for Compliance Today. Every month Compliance Today offers health care compliance professionals information on a wide variety of enforcement, regulatory, legal, and compliance program development and management issues. To do this we need your help!

We are particularly interested in articles covering compliance concerns involving all segments of the health care industry, including Behavioral Health, Rehabilitation, Physician practices, Long-Term Care, Homecare and hospice, Ambulatory Surgery Centers, etc.

For Details: E-mail Margaret Dragon with your topic ideas, format questions, etc. at [email protected] or call her at 781/593-4924.

IMPORTANT: For those who are Certified In Healthcare Compliance (CHC), please note that CCB awards 2 CEUs to authors of articles published in Compliance Today.

Upcoming Compliance Today Deadlines:
• February 15
• March 1
• April 2
• April 19
• May 3
• June 1


Editor’s note: Coale Anderson is a Principal in the firm of Shub & Anderson, PC, a boutique health care law firm located in Boston. She currently focuses on counseling health care pro-fessionals regarding business structures, corporate transactions, clinical trials, employment issues, administrative and litigation matters, and regulatory and compliance issues. Coale may be reached by e-mail at [email protected].

P resented with a search warrant, valid subpoena signed by a judge, or a court order to release substance abuse treat-

ment and related medical records, doctors or office managers are often understandably eager to comply, believing that they are required to respond to an official written demand. Depending on the circumstances, the opposite may be true, even if the patient provides a writ-ten release. In fact, the federal statute protecting substance abuse treatment records1 and the rules implementing that code2 (collectively, the “Confidentiality Regulations”), may expose a health care provider who releases records of a patient treated for substance abuse to civil and criminal penalties. A health care provider’s simple acknowledgment that the person whose records are being subpoenaed is in fact a patient may constitute a “release of records” sufficient to violate the Confidentiality Regulations.

The purpose of the federal statute is to increase the success of substance abuse treatment pro-grams by ensuring confidentiality to patients who might otherwise be reluctant to seek help. A commonly occurring side effect, however, is confusion among health care providers

regarding when disclosure of substance abuse treatment records is permitted or required.

Which providers are subject to the

Confidentiality Regulations?

Generally, the Confidentiality Regulations apply to drug or alcohol substance abuse treat-ment records created, maintained, or held by a federally assisted or federally regulated health care provider, practice, facility or substance abuse unit within a hospital that provides alcohol or drug abuse diagnosis, treatment, or referral. Certain federally assisted or federally regulated facilities that provide drug and alcohol treatment-related services, such as labo-ratories that conduct drug testing, also may be subject to the Confidentiality Regulations.

What to consider when a subpoena arrives

By complying with invalid subpoenas, custo-dians of substance abuse patient records often unwittingly expose themselves to significant liability (not to mention the nuisance of gathering, reviewing and copying documents and/or attending hearings).. Examples of potentially invalid subpoenas are those that: n are issued without a specialized court order

(see discussion below); n are issued by a state court in another state; n are issued in a civil case in another state by a

federal court more than 100 miles from the place in which the hearing or deposition occurs;

n contain patient-identifying information; n contain inaccurate essential information

or are missing essential information (other than patient-identifying information), or

n are served improperly.

Although compliance with an invalid subpoena may be unnecessary, the recipient should not ignore a subpoena. Rather, the recipient should notify the person issuing the subpoena of any deficiencies and request that the subpoena be withdrawn until a proper court order has been applied for and received.

In some states, health care providers (or their employees) who are validly subpoenaed may avoid the inconvenience and expense of appear-ing in court to testify as keepers of medical records by certifying the records so that they will qualify for a hearsay exception at trial. The recipient of the subpoena should ask his or her attorney to discuss such course of action with the person who issued the subpoena.

Even court orders may be insufficient to compel disclosure. As an initial matter, a court order authorizing disclosure of substance abuse treatment records is not valid unless:
• it is accompanied by a valid subpoena (see discussion above) or a similar legal mandate and
• a court of competent jurisdiction has balanced the evidence and determined that such disclosure is
  a. necessary to protect against an existing threat to life or serious bodily injury,
  b. necessary to investigate or prosecute an extremely serious crime, or
  c. in connection with litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.

Even if the court order meets these threshold requirements, it is still not valid unless the order has been applied for by:
• an appropriate person or entity, such as a person conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws; or
• a person who has a legally cognizable interest in disclosure of patient records for purposes other than a criminal investigation.

Beyond HIPAA: Rules for disclosing substance abuse treatment records

By Coale Anderson

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org • February 2010

Further, the application for the order and the order itself must use a fictitious name such as “John Doe” or “Jane Doe” to refer to any patient and must not otherwise disclose patient identifying information (except in certain limited circumstances). The court order must comply with additional requirements, which may vary depending on the context of and purpose of disclosure.

Additional requirements in the criminal context

In addition to the requirements set forth above, a court order sought for investigative or prosecutorial activities with respect to enforcement of criminal laws is not valid unless:
1. the record keeper has been given the opportunity to appear and to be represented by independent counsel at a hearing held in the judge’s chambers or in some other manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceedings, the patient, or the record keeper;
2. the records are reasonably likely to disclose information of substantial value in the investigation or prosecution,
3. there is no other way to obtain the information,
4. the potential injury to the patient and the ability of the substance abuse treatment provider to provide treatment to other patients is outweighed by public interest and the need for disclosure; and
5. the order limits disclosure to portions of the patient records essential to fulfill the objective of the order and to law enforcement and prosecutorial officials.

Additional requirements in the civil context

In addition to the general requirements set forth above for court orders, a court order sought for purposes other than for a criminal investigation is not valid unless:
1. both the patient and the record keeper are provided with an opportunity to file a written response, or to appear in person to respond, to the application for the court order;
2. any oral argument, review of evidence, or hearing on such application is held in the judge’s chambers or in some manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceeding, the patient, or the record keeper (except in certain limited circumstances);
3. there are no effective alternative means of obtaining the information;
4. the public interest and need for disclosure outweigh the potential injury to the patient and treatment services in general; and
5. the order limits disclosure to portions of the record which are essential to fulfill the objective of the order and to persons whose need for information is the basis of the order and includes other measures necessary to limit disclosure to protect the patient and efficacy of treatment services in general (such as by sealing the record).

Patient consent

A person or facility subject to the Confidentiality Regulations should not disclose patient identities or records—even if the patient consents—unless such consent is in writing and satisfies the requirements of the Confidentiality Regulations. Such requirements prohibit disclosure based on a consent that has expired; is known to have been revoked; is known, or through reasonable effort could be known, by the person holding the records to be materially false; or fails to contain any of the information in the sample consent below:

Sample Consent

I __________________ [Name of Patient] authorize _______________________ [Name or Type of Program Disclosing] to disclose ____________________ [Kind and Amount of Information to be Disclosed] to _____________________ [Intended Recipient of Disclosed Information] for ______________________ [Purpose of Disclosure]. I understand that this consent is subject to revocation at any time except to the extent that the program which is to make the disclosure has already taken action in reliance on it. If not previously revoked, this consent will terminate upon _________________________ [Specific Date, Event, or Condition].

_________________________________ (Patient Signature)   Dated: __________________________

_________________________________ (Guardian/Parent Signature, if required)   Dated: __________________________

_________________________________ (Signature of person authorized to sign in lieu of the patient, if required)   Dated: __________________________

Points to keep in mind

If disclosure is permitted, the Confidentiality Regulations require the record keeper to provide the recipient of the records with notice that the Confidentiality Regulations apply to the records and that re-disclosure is not permitted.

The Confidentiality Regulations are protections in addition to those provided for by state laws and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and corresponding regulations. Although state laws and HIPAA requirements are outside the scope of this article, compliance with applicable state laws and HIPAA is also imperative.

Certain other narrow disclosures may be permitted under the Confidentiality Regulations, which are not discussed in this article, such as disclosures:
1. to medical personnel in the event of a medical emergency,
2. to law enforcement officers in connection with a crime (or threat thereof) on the premises of the practice or program where the records are kept or against personnel of such practice or program,
3. for internal audits,
4. for records (or portions thereof) that are not likely to identify any patient,
5. for initial reports of suspected child abuse or neglect,
6. to certain qualified service organizations or business associates,
7. for research, if certain regulatory requirements are satisfied, and
8. for internal communications to personnel who have a need to know of the information.

Even more stringent forms of the confidentiality requirements may apply to records created prior to 1987.

Note that a state court order may not be considered a “final” judgment, and therefore seeking a federal court review in connection with state orders pursuant to the Confidentiality Regulations may be advisable.

Disclaimer – This article does not provide legal or other professional advice, and does not create an attorney-client relationship. Laws and their application and relevance vary depending upon jurisdiction and factual circumstances. Information in this article should not be used in lieu of consultation with professional advisors.

1 Title 42 U.S.C. § 290dd-2
2 42 CFR Part 2


Feature Focus

Medical identity theft: How is the health care industry responding?

By Desla Mancilla, MPA, RHIA and Jackie Moczygemba, MBA, RHIA, CCS

Editor’s note: Desla Mancilla is HIM Program Director at West Suburban College in Oak Park, IL and may be contacted by telephone at 708/763-3564 or by e-mail at [email protected].

Jackie Moczygemba is Associate Professor, HIM Program at Texas State University in San Marcos and may be contacted by telephone at 512/245-3503 or by e-mail at [email protected].

The seemingly never ending deadline extensions for the Federal Trade Commission’s Identity Theft Red Flag Rules1 also seem to have quelled the growing awareness of and concern about medical identity theft.

Soon after the topic of medical identity theft was initially introduced by Pam Dixon of the World Privacy Forum in 2006,2 came word of growing attention to the matter by health care consumers, providers, and the federal government. Although the Red Flag Rules were not designed specifically to address the concept of medical identity theft, their opportune release coincided well with increasing media coverage of the occurrence and damaging effects of medical identity theft. For this reason, health care organizations, required by the Red Flag Rules to create extensive privacy breach and information exposure management policies, saw this as an ideal vehicle for addressing medical identity theft within their organizations. However, medical identity theft waits for no one—including finalization of the Red Flag Rules. As health care organizations struggle to stay abreast of the changing deadlines, medical identity thieves march on.

In 2008, the concept of medical identity theft was investigated with a research study targeted at members of the Health Care Compliance Association (HCCA). The purpose of the study was to examine the current practices used in health care facilities to detect, prevent, and remediate the occurrence of medical identity theft. A brief explanation of the study design and response rate is necessary for clarity and focus.

Background

The research conducted by the authors entitled “Medical Identity Theft: A Foundational Study” was sponsored by the American Health Information Management Association (AHIMA) Foundation. HCCA supported this study by allowing distribution of the invitation to participate in the study to its entire membership via e-mail. Four hundred and forty HCCA members agreed to participate in the electronic survey. Of those, 133 members qualified for the study frame criteria, which required the participant to be a chief compliance officer in an acute health care setting. Of the 133 who agreed to participate, 82 (61.7%) completed the online survey. The low response rate may be misleading. Because some compliance officers were responsible for the compliance programs at more than one facility within an integrated delivery system, 226 separate acute care facilities were represented by the 82 participants. Forty-six individuals (54.3%) who responded to the electronic survey indicated that their organization had a multi-disciplinary plan in place to address medical identity theft. Those 46 individuals were asked if they would be willing to participate in a follow-up telephone discussion.

Numerous articles have been published on the topic of medical identity theft and the definition varies depending on the source. The definition used for this study is “When someone uses an individual’s identifying information, such as their health insurance information or Social Security number, without the individual’s knowledge or permission, to obtain medical services or goods, or to obtain money by falsifying claims for medical services and falsifying medical records to support those claims.”3

The questions posed on the electronic survey are shown in Table 1. In addition to those questions, there were several additional questions related to the admitting and registration practices used to confirm identity. The results of those survey questions have been previously published and are outside of the scope of this article, but generally describe photographic documentation verification as the key method used to verify patient identity.4 Like an elephant in the room, obviously absent from the questions posed on the electronic survey, was the specific question of how many cases of medical identity theft the organization had experienced. The researchers believed that participants would fear that the response to this question would potentially be too damaging, and they would reject the entire survey.

Of the 82 compliance officers who responded to this survey, 77 categorized the issue of medical identity theft as very important (44) or somewhat important (33), making the issue one that demands further attention.

The researchers participated in many discussions regarding the design of the survey instrument and debated who would be the most appropriate population of interest. Discussions centered on an extensive literature review that supported the view that when there is suspicion of medical identity theft, a multidisciplinary response is required and involves at a minimum, health information services, compliance staff, the privacy officer, information systems, IT security, risk management/legal, physical security, admitting staff, clinicians, and patient care staff. These departments have shared responsibility as data integrity stakeholders and their representatives are integral participators in workflow policies and procedures. After significant dialogue, the researchers decided the chief compliance officer in the acute care hospital would be the best-suited individual for responding to the survey. The perception was that the chief compliance officer would have broad knowledge of work processes and be able to answer exploratory-type research questions for all disciplines.

The crime of medical identity theft has many potential negative effects. An AHIMA practice brief on medical identity theft cites the cascading effects of the crime and identifies potential negative financial and health care impacts.5 The crime starts with the theft of an individual’s identifiable health information and thus leads to a corrupt health record. This places the victim at risk for future health care problems when providers make treatment decisions based on erroneous information. In addition, it is very difficult for an individual to remediate medical identity theft when he or she falls victim to the crime. AHIMA offers a consumer checklist that includes 18 suggested tasks. Many of these tasks take time to work through, such as reviewing and correcting credit reports, filing a police report, and follow-up tasks with providers, insurers, and credit bureaus. A victim must contact the provider organization and request an accounting of disclosures. Furthermore, a victim has to work through the arduous process of correcting the existing inaccurate health record entries and determine where incorrect information was sent. These are just some of the tasks and in the end, victims might still scratch their heads wondering if everything has truly been corrected.

The negative effects of medical identity theft continue and cascade to providers, insurers, and public health entities. Providers file false claims to insurance plans that respond by paying for services used by the thief or perpetrator. In some instances, insurance benefits are exhausted before the consumer is aware that he or she is a victim. In addition, erroneous data from the corrupt health record may be used in research activities, abstracted for disease indexes/registries, and end up in public health reports.6 It becomes quite evident how far-reaching the negative effects may extend in the health care arena.

This exploratory study investigated the level of preparedness and ability of acute care medical facilities to respond to claims of medical identity theft. The research study consisted of a three-step process, including the previously described electronic survey instrument, follow-up telephone interviews, and ultimately, two on-site observations. Respondents to the electronic survey who indicated their organization had a multi-disciplinary plan in place to address medical identity theft were asked to participate in a follow-up telephone interview. Forty-six respondents answered yes and of this total, 25 agreed to participate in a follow-up telephone interview. After two attempts to schedule all 25 interviews, a total of nine telephone interviews were conducted. The others who agreed either had schedule conflicts or did not respond.

The final stage of the study involved two on-site visits. Based on information provided during the telephone follow-up interview, six of the phone survey participants were asked if they would allow the investigators to conduct an on-site observation of their admitting and registration processes. Two participants gained approval for researchers to conduct on-site observations. Site visits were performed to determine compliance with organizational policies and procedures related to verification of patient identity at the time of registration and/or admission. Site visits in both organizations included observation of both inpatient and outpatient admissions and registrations.

Although elucidating, the survey responses alone did not provide enough information to fully define the scope of how organizations are currently managing the detection, prevention, and remediation of occurrences of medical identity theft. For this reason, nine in-depth telephone interviews were conducted with the emersion of the following themes that bear further discussion.


Emersion of themes

According to the respondents, most cases of medical identity theft seem to originate in the Emergency Department (ED). This seems a bit unusual, given the fact that EMTALA ensures initial stabilization treatment to all emergency patients, regardless of their ability to pay. Respondents indicated that drug seeking behavior and the presence of law enforcement officials in EDs are factors that may compel certain patients to commit medical identity theft to avoid potential arrest for other, unrelated crimes.

Interestingly, when the phone interview subjects were questioned about their multi-disciplinary plans to address medical identity theft, the researchers noted an almost unanimous blending of the terms “medical identity theft” and “financial identity theft.” Essentially, this means that the organizations had plans in place for how to address the financial effects of identity theft, but most were still struggling with how to address the co-mingling of health information resulting from true cases of medical identity theft.

Table 1

| Question | Yes | No | Don’t Know |
|---|---|---|---|
| Do you perceive the prevention of medical identity theft to fall into the compliance domain of responsibility? | 87.8% | 12.2% | 0% |
| Does your facility have a multi-disciplinary plan to respond and resolve patient claims of medical identity theft? | 56.1% | 39.0% | 4.9% |
| Does your facility have established policies and procedures related to financial identity theft? | 47.6% | 41.5% | 9.8% |
| Do your facility’s medical record amendment policies and procedures outline how medical identity theft records are corrected? | 41.8% | 44.3% | 13.9% |
| Do your facility’s medical record amendment policies and procedures outline how amendments are communicated to those who previously received the erroneous information? | 51.9% | 36.7% | 11.4% |
| Does hospital policy require pre-employment background checks on potential admitting/registration personnel? | 94.9% | 5.1% | 0% |
| Does hospital policy require pre-employment background checks on potential patient financial service personnel? | 97.5% | 2.5% | 0% |
| Does hospital policy require pre-employment background checks on potential other non-clinical personnel? | 97.5% | 2.5% | 0% |
| Does hospital policy require pre-employment background checks on potential contract personnel? | 88.6% | 7.6% | 3.8% |
| Does hospital policy require pre-employment background checks on potential volunteer personnel? | 68.4% | 17.7% | 13.9% |
| Does hospital policy require pre-employment background checks on potential other personnel? | 57.0% | 11.4% | 31.6% |
| What types of background checks are used? | | | |
| Personal and professional references | 91.1% | 8.9% | 0% |
| Past employment references | 93.7% | 6.3% | 0% |
| Verification of SSN | 81.0% | 19.0% | 0% |
| Criminal records | 94.9% | 5.1% | 0% |
| Credit records | 27.8% | 72.2% | 0% |
| Licensing and certification records | 97.5% | 2.5% | 0% |
| Public court records | 31.6% | 68.4% | 0% |
| Driving records | 43.0% | 57.0% | 0% |
| Education records | 70.9% | 29.1% | 0% |
| Other | 25.3% | 74.7% | 0% |
| Is it policy of your facility to perform background checks at routine intervals after employment? | 35.9% | 57.5% | 6.4% |

Please note: Not all responses total to 100% due to rounding.

The age-old dilemma of garnering executive level and financial support for compliance activities also reared its ugly head in the responses from survey participants. Respondents noted that the financial costs to deter medical identity theft can be high, but its occurrence is perceived by executives to be unlikely. This combination of high cost and perceived low potential does not often compel executive level support. But, as most respondents noted, it only takes one case of publicized medical identity theft to break down public trust of the organization.

The respondents often noted they contact local law enforcement when medical identity theft has occurred; the response from law enforcement is often not helpful. In addition, one respondent commented on how law enforcement officials experience the same kind of situation when they arrest individuals who give them erroneous identity information (name, address, etc.). The reasons provided for the lack of support from law enforcement are beyond the scope of this article. Of interest, however, is that all respondents noted their organizations are not hesitant to contact law enforcement, because the issue of medical identity theft is considered to be a crime on premises and disclosure to law enforcement for this reason is allowable under the Health Insurance Portability and Accountability Act (HIPAA).

The majority of respondents also indicated that better tracking of disclosures is necessary, if the effects of medical identity theft are to be appropriately remediated. Survey participants indicated that while an accounting of disclosures policy is in place, it would be difficult to notify every recipient of erroneous data resulting from medical identity theft. Because tracking of treatment, payment, and health care operations disclosures was not required under the original HIPAA Privacy Rule, these kinds of disclosures were generally not tracked. With the inception of the Health Information Technology for Economic and Clinical Health Act (HITECH) rule of the American Recovery and Reinvestment Act (ARRA), the ability to notify recipients of erroneous data will undoubtedly improve.7

When medical identity theft is confirmed in health care organizations, respondents noted that their organizations provide consumer support. The support activities include providing consumers with information on how to contact law enforcement and the Federal Trade Commission. If the medical identity theft is known to have occurred as a result of contact with the health care organization, some of the respondents indicated their organization pays for one year of credit report tracking.

Some of the respondents indicated that their organization was beginning to store photographs of patients in their electronic information systems to reduce the potential for medical identity theft. However, other organizations rejected this as a solution due to concerns related to HIPAA. No respondent organization was using any form of biometric identification verification at registration or admission.

Another theme noted in the telephone survey discussion was that staff members who have patient access are the frontline defense for detection of medical identity theft. These individuals are faced with increasing time pressures to move patients quickly through the registration process, while at the same time, collect accurate data to verify patient identity, demographics, and ensure that insurance is verified for appropriate payment of claims. As new regulations appear, they always seem to create additional work for the patient access staff, but the organizational demands for quick registration do not change. Several of the respondents noted that additional technological support is needed to assist in supporting the registration process. Although the respondents all noted that biometric systems seem to be a potentially strong method of identity verification, there were concerns about lack of executive support due to potential cost, as well as concern that consumers would reject this option due to perceived privacy weaknesses. One survey respondent also noted the need for a national database specifically for the reporting and tracking of cases of medical identity theft.

In terms of consumer awareness of medical identity theft, responding organizations suggested that consumer understanding of medical identity theft may be lacking, as evidenced by the number of billing errors reported by consumers to be cases of medical identity theft.

Finally, respondents noted that the continuing use of Social Security numbers in information systems throughout their organization may contribute to the increased risk of medical identity theft. For this reason, several of the responding organizations were in the process of reviewing where Social Security numbers were collected and used within their organization. The goal of this project would be to reduce or eliminate the need for Social Security numbers and correspondingly, reduce the chance for medical or generic identity theft as a result of consumer interaction with the health care organization.


Although the number of telephone interviews was not statistically significant, the themes arising from the discussions seem relevant to the detection, prevention, and remediation of medical identity theft. In addition to the electronic survey and telephone follow up, two on-site observation visits were conducted. The observation visits were limited to the admitting and registration processes used to verify patient identity. The detailed results of the observation visit are outside the scope of this article; however, generally speaking, the observation visits supported the concept that providers have policies and procedures in place to verify patient identity at the point of registration through photographic documentation. The type of service (inpatient and outpatient) was one consideration for when to confirm patient identity. One of the observed organizations did not require photographic identification for outpatients and the other organization required photographic identification for all services. Additionally one of the observed organizations only reviewed photographic documents at the patient’s first registration within the organization, while the other organization’s policy was to review a photographic document at all registration events. In both cases, the organizations’ stated policies regarding verification of identity through photographic methods were not consistently followed.

Considerations for compliance officers

Continued education of both health care provider organizations and consumers on the concept of medical identity theft is needed. A promising finding of the study suggests that corporate compliance officers perceive medical identity theft to fall into their domain of practice and this bodes well for future development of prevention, detection, and management plans.

Responding health care organizations have policies and procedures in place for identifying patients at registration/admission but time constraints and admitting/registration personnel skill level for detecting fraudulent forms of identification may perpetuate the problem of medical identity theft. According to the telephone follow-up survey conducted by the investigators, most organizations appear to provide support to consumers who believe their identity has been compromised. Depending on the circumstances, the organization may pay for free credit reporting for consumers. Additionally, support is offered in the form of directing consumers to appropriate legal and government resources to file complaints and resolve issues that may have a financial impact.

An overwhelming majority of respondents indicated that they do per-form pre-employment background checks. However, far fewer conduct follow-up checks at routine intervals throughout the employment period. Less than half (41.8%) of the survey phase one respondents indicated that their medical record amendment policy outlines how medical identity theft records are corrected. The researchers further assessed this question during phase two telephone follow up and confirmed organizations’ concern with the inability to identify all recipients of patient-specific information. The results of the survey suggest the continued need for study of the complex issues surround-ing medical identity theft.

As indicated by the study results, health care provider organizations are concerned about the issue of medical identity theft. To this end, compliance officers should consider the following methods to support identity confirmation and medical identity theft remediation within their organizations.

• Information systems should be designed to allow operational efficiency in the patient identification verification process. Before purchase, organizations should evaluate system capabilities to assist in the detection and prevention of medical identity theft. Methods to support photographic, biometric, and other forms of identity verification should be efficiently supported by technology used in the health care setting.
• Staff must be trained and compliance with policies and procedures monitored to detect and prevent the occurrence of medical identity theft.
• Organizations must develop methods to track all disclosures, even those made for treatment, payment, or health care operations, or those made to business associates to remediate the negative outcomes of medical identity theft.
• Organizations should conduct background checks on volunteers as well as employees.
• Post-employment background checks should be conducted at routine intervals on all employees.

1 Identity Theft Red Flags and Address Discrepancies implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), 15 U.S.C. § 1681m, and section 315 of the FACT Act, 15 U.S.C. §, that amended the Fair Credit Reporting Act (FCRA). The FTC recently renumbered the sections in 16 C.F.R. part 681 as follows: the Address Discrepancy rule (originally § 681.1) was renumbered as § 641.1; the Red Flags rule (originally § 681.2) was renumbered as § 681.1; and the Card Issuers’ rule (originally § 681.3) was renumbered as § 681.2.

2 Dixon, P. “Medical Identity Theft: The Information Crime That Can Kill You.” The World Privacy Forum (2006):13-22.

3 Ibid.

4 Rhodes, H: Developing Breach Notification Policies and Procedures: An Overview of Mitigation and Response Planning. AHIMA 8-24-09. Available at http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_044673.hcsp?dDocName=bok1_044673

5 AHIMA e-HIM Work Group on Medical Identity Theft: “Mitigating Medical Identity Theft.” Journal of AHIMA 79, no. 7 (2008): 63-69

6 Ibid.

7 American Recovery and Reinvestment Act of 2009. Public law 111-5. February 17, 2009. Available online at www.thomas.loc.gov.


Letter from CEO ...continued from page 16

because we have cut unnecessary expenses. At the moment this person called, we were in a position to reconsider some of the cuts.

I told the caller about that conversation. I also told her that I had seen a couple of e-mails in our general e-mail box, asking where the conference went (more about that general e-mail box later.) I told her I would call Dan. We decided to try the conference one more time. There was a lot of input, but that one call, from one member, pushed that decision over the top. In fact, that was the second time a fiscally questionable but helpful conference was reinstated by a single member making a single call, so call me.

To maintain any shred of integrity, I must make a confession right about here. Many of the phone calls result in the following phrase: “I am sorry, but there is nothing we can do about that.” However, we can often do something, but not quite what they’re asking. Quite often we do something later, when conditions change, but we would never have done it if the one call was not made. Most often, the main outcome of the call was to clarify something that was not well understood. Just to be clear, you will often get a long and heartfelt explanation about why we can’t do anything about your problem or your idea for change, but call me.

We have a general e-mail address on the website that gets about seven or eight e-mails a day. I get copied on them. I scan the topics for a theme or unique issues I should help with. I learn a lot about what is going on. Soon after I started getting the general e-mails, I was seeing a lot of good feedback (e.g., log in troubles) from the members. I asked if we could do anything about the log in problems, but no one had any ideas. I soon determined that if seeing these e-mails was helpful to me, it would be helpful for others in the office to see them. I had all the supervisors copied on all the e-mails to the general e-mail box. Very soon after that, a staff member saw a common theme to the log in problems and we made a change. The volume of e-mails dropped. Some things cannot be seen from far away. You have to get up close and think about it over time to see an opportunity. Being constantly connected to the members is a good thing, so call me.

Notice I didn’t say e-mail me. I hate typing. I can’t tell the difference between a dangling modifier and a mortified participle. So call me if you can, but e-mails will work too. I would tell you there are no dumb questions, but it’s been done; however, it’s very true. I would tell you that there are no unimportant questions, and I hope that you believe me. What you really need to believe is that there is always time. It is very important to stay in touch and be grounded. I am ready and waiting, so call me.

• My cell phone is 612 709-6012
• My direct line is 952 933-8009
• My e-mail is [email protected]

P.S.

Just as I finished this article, I answered a call. It was ironic. The member wanted a sample template for a Board compliance report. Our receptionists are trained to help with these requests. However, I was able to walk him through a website search which resulted in both of us learning something. We discovered that most of what we had was PowerPoint presentations on the subject. Then it dawned on me that few people would share their Board compliance report for obvious reasons. He said all they needed to do was to post a template, implying it should have been donated by now. However, most people would not take the time to turn their report into a template. Even if they had one, they may not even want the template on the Internet. I told him that when he got his Board report done, he should turn it into a template and, if necessary, he could have our staff post it anonymously. We’ve done similar things on the Social Network – posting a message anonymously for a member. And the Social Network is a great place to share documents. Now my mind is churning about a number of related issues that could result in actions that will improve our services. It also is an example of one other thing you should know about calling me. It can result in me asking you to do something for us. So beware, but call me.


Minimizing risk in financial arrangements with hospital-based specialties

By Karen Bairstow, MBA

Editor’s note: Karen Bairstow is Managing Partner with Healthcare FMV Advisors, LLC in Denver, CO. She may be contacted by telephone at 303/623-1726 or by e-mail at [email protected].

Hospital-based specialties, such as anesthesia, radiology and hospitalist medicine, frequently require financial assistance from the hospital to keep the group financially secure and maintain continuous coverage. Typically, financial assistance is structured in the form of (1) a collection guarantee or (2) a fixed subsidy. A collection guarantee is a fluctuating payment equal to the shortfall of the group’s actual collections minus reasonable operating expenses. A fixed subsidy (i.e., usually not subject to repayment) is based on historical or estimated collections minus reasonable operating expenses.

Hospital executives, including compliance officers, should consider the following laws governing hospital-based subsidy arrangements:

• the Anti-kickback Statute
• Stark Law, and
• IRS prohibition on private benefit and private inurement, which applies to all non-profit entities, 501(c)(3).

Generally, hospital-based physician agreements should not implicate the Anti-kickback Statute, because the physicians are usually not in a position to make referrals to the hospital (i.e., the hospital controls the referrals to hospital-based specialties). An exception to consider and be aware of is an anesthesia group that provides pain management services and may refer patients to the hospital for tests or other procedures (i.e., the Kosenske v. Carlisle HMA, Inc. case). Under Stark Law, hospitals should be able to construct subsidy arrangements that will meet the personal services arrangement exception or the fair market value (FMV) exception. In order to meet the exceptions, hospitals must ensure their arrangements comply with the following guidelines:

• The arrangement is set out in writing, is signed by the parties, and specifies the services covered by the arrangement.
• The arrangement(s) covers all of the services to be furnished by the physician or group to the entity.
• The aggregate services contracted for do not exceed those that are reasonable for the business purposes of the arrangement(s).
• The compensation to be paid over the term of each arrangement is set in advance and does not exceed fair market value.
• The arrangement is not determined in a manner that takes into account (directly or indirectly) the volume or value of any referrals made by the referring physician.
• The term of each arrangement is for at least one year. To meet this requirement, if an arrangement is terminated during the term (with or without cause), the parties may not enter into the same or substantially the same arrangement during the first year of the original term of the arrangement.
• The arrangement is commercially reasonable (taking into account the nature and scope of the transaction) and furthers the legitimate business purposes of the parties.
• The services to be performed under the arrangement do not involve the counseling or promotion of a business arrangement or other activity that violates a federal or state law.
• The arrangement does not violate the Anti-kickback Statute or any federal or state law or regulation governing billing or claims submission.

Valuable lessons can be learned from reviewing the Kosenske v. Carlisle HMA, Inc. case from a compliance perspective. Essentially, the hospital had a long-standing agreement with an anesthesia group whereby the circumstances significantly changed over a period of time and no longer resembled the original agreement (i.e., OIG alleged the hospital violated both the Stark Law and the federal Anti-kickback Statute).

Arrangements between hospitals and physician groups can change over time; therefore, we recommend periodically reviewing all physician compensation arrangements to ensure that the written agreements continue to reflect the services actually being provided by the parties, and that the compensation being paid remains accurate and within FMV. The payments may no longer be within FMV if the quantity or type of services has changed.

When negotiating these exclusive financial arrangements with hospital-based specialties, it is important that health care executives and compliance officers do not do so blindly. It is essential to ask the group to disclose its financial information in order to review and understand why financial assistance is necessary and can be justified. In addition, when health care executives are unfamiliar with what is considered a reasonable staffing level for the specialty, they may be tempted to accept a staffing model proposed by the group seeking the financial assistance. Caution: Excessive staffing can have a significant financial impact on the hospital, and can result in payment that would be considered above FMV.

Health care executives, including compliance officers, should understand the advantages and disadvantages of structuring these financial arrangements, and be aware of what to monitor to remain compliant. Collection guarantees, whereby the hospital must cover the physician group’s shortfall, can be viewed as not providing the appropriate incentives (i.e., the group receives payment despite their performance). Therefore, health care executives should tie the financial assistance to the group’s performance. A well-defined contract should outline performance parameters, such as billing and collection performance, for the group, and the hospital should establish tracking metrics to align both parties’ best interests. Because collection guarantees require the hospital to cover the shortfall between actual collections and expenses, they minimize the financial risk of the hospital overpaying the physician group. Fixed subsidies allow the hospital’s obligation to be clear-cut upfront. However, both the hospital and physicians must assume financial risk that collections and expenses may be greater or less than anticipated. Fixed subsidies can run the risk of the hospital paying above FMV if the group’s collections increase unexpectedly, which is a violation of the Stark Law. Therefore, hospital executives and compliance officers should review these arrangements quarterly to ensure assumptions about volume, collections, and payer mix accurately reflect the situation.

Financial arrangements with hospital-based specialties provide an example of why it is critical that corporate compliance officers implement a regular review and monitor all physician financial arrangements and contracts to ensure they comply with Stark, the anti-kickback laws, and the IRS prohibition against private benefit and private inurement for nonprofit hospitals.

If laws are violated, penalties can be extremely harsh. A violation of the Anti-kickback Statute is punishable as a felony by a fine of up to $25,000 per violation or by imprisonment for up to five years, or by both fine and imprisonment. A violation of the Stark Law can result in many different penalties. For instance, the health services provided may not be paid for by Medicare, or any payment received will need to be refunded. Additionally, any person who “knows or should know” that a referral violates Stark will be liable for up to $15,000 civil monetary penalty per claim. Failure to meet the reporting requirements of Stark is subject to a civil monetary penalty of up to $10,000 per day for which reporting is required. Violation of the IRS prohibition against private benefit and private inurement can result in the loss of the hospital’s non-profit status, an obligation to pay back taxes, and immediate sanctions imposed on insiders, such as executives and physicians.

Take away

Physician agreements can evolve with time, and the initial approval of a contract by legal counsel should not be the only step taken to ensure a physician arrangement is compliant. A prudent approach is to frequently audit and review all physician financial arrangements to ensure they reflect the current situation. In addition, we recommend keeping the following documentation on file for each physician financial arrangement:

• An executed contract
• A fair market value opinion
• A legal review, and
• Documentation that the arrangement was not made with the intent to induce referrals.

Be Sure to Get Your CHC CEUs

Articles related to the quiz in this issue of Compliance Today:

• Business associate security and privacy programs: HIPAA and HITECH. By Rebecca Herold, page 22
• Beyond HIPAA: Rules for disclosing substance abuse records. By Coale Anderson, page 31
• Minimizing risk in financial arrangements with hospital-based specialties. By Karen Bairstow, page 44

To obtain one CEU per quiz, go to www.hcca-info.org/quiz and select a quiz. Fill in your contact information, read the articles, and take the quiz online. Or, print and fax the completed form to Liz Hergert at 952/988-0146, or mail it to Liz’s attention at HCCA, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Questions? Please call Liz Hergert at 888/580-8373.

Compliance Today readers taking the CEU quiz have ONE YEAR from the published date of the CEU article to submit their completed quiz.


Fraud and abuse in financial arrangements between long-term care facilities and vendors

By John W. Jones, Jr. and Kevin J. Dill

Editor’s note: John W. Jones, Jr. and Kevin J. Dill are attorneys in the Philadelphia office of Pepper Hamilton LLP. Both attorneys focus their practice on health care matters, specifically regarding regulatory issues, hospital-physician relations, and fraud and abuse matters. Mr. Jones may be contacted by e-mail at [email protected] and Mr. Dill may be contacted by e-mail at [email protected].

With new funds available through the American Recovery and Reinvestment Act and additional authority provided through new laws and regulations, the federal government is focusing significant enforcement attention on the health care industry, including payment arrangements between long-term care providers and vendors. The central issue is whether these payment arrangements comply with the federal Anti-kickback Statute.

Anti-kickback Statute

The federal Anti-kickback Statute (AKS) proscribes the offering, payment, solicitation, or receipt of any remuneration, in cash or in kind, in exchange for referrals of patients or other business for which payment may be made by a federal health care program, including Medicare and Medicaid. In addition to civil penalties of up to $50,000 for each violation, the AKS also provides significant criminal penalties, including imprisonment. Violation of the AKS may also result in exclusion from participation in Medicare and Medicaid, which is often referred to as the death penalty for a provider. Although satisfying a safe harbor under AKS is not required for parties to comply with the statute, it will provide them immunity from prosecution.

The Office of Inspector General (OIG) has expressed long-standing concerns with certain practices in the health care industry. One area of concern has included the provision of free goods and services by suppliers to customers. OIG has stated on numerous occasions its view that the provision of free goods by a seller to an actual or potential referral source can violate the AKS. OIG states:

We are aware that many suppliers … are providing various kinds of multi-use equipment to customers pursuant to various written and unwritten arrangements, typically with a condition that such equipment is only to be used in connection with their service. However, in determining whether a free or “loaner” computer or fax machine constitutes illegal remuneration, the substance—not the form—of the transaction controls and any reasonably foreseeable “misuse” of the equipment implicates the entity providing the equipment as well as the user.

OIG noted that not only is there often no substantial business need for the equipment, but also there is no attempt to police the arrangement to ensure that the “restrictions” are being enforced.

Some recent examples of enforcement activity resulting from alleged violations of the AKS by providers who gave free goods or services in exchange for the referral of business include:

• Bioscrip, Inc. and Bioscrip Pharmacy, Inc.
  In November of 2008, Bioscrip, Inc. and Bioscrip Pharmacy, Inc., agreed to pay $795,000 for stationing a pharmacist at two physician practices to provide services that benefitted the physician practices, including services that otherwise would have been provided to patients by the physician practices. Patients of the physician practices, including those counseled by the on-site Bioscrip pharmacist, were then referred to a Bioscrip pharmacy for the dispensing of their medications.
• Ivinson Hospital
  In August of 2008, Ivinson Hospital agreed to pay $635,000 for allegedly providing illegal kickbacks to physicians in the form of free rent, equipment, and furnishings, leases at less-than-fair-market value, and reimbursement for medical-director services in excess of fair-market value.
• Spartanburg Regional Healthcare System
  In May of 2008, Spartanburg Regional Healthcare System agreed to pay $780,000 for allegedly providing information technology resources to non-employee physician groups.

While it is arguable that in each of these cases the goods or services provided were for some legitimate purpose, the AKS is interpreted to prohibit the offering of remuneration where one purpose of the remuneration is to induce the referral of government program business. Accordingly, even where legitimate business purposes are present and support an arrangement, where one purpose of the remuneration transferred to a party is to induce the referral of government program business, the AKS has been violated.

Current trends

Additional resources will allow the OIG and other federal and state agencies to initiate additional enforcement activity in these and other areas in the coming year. In such a climate, it is critical that providers of long-term care services review their vendor arrangements to ensure that they do not violate the AKS and that they otherwise comply with applicable safe harbor regulations. Over the past year, certain arrangements have become common between long-term care facilities and vendors. Some of these arrangements raise issues that could subject them to scrutiny under the AKS, including:

• vendors paying for hardware/software technology and equipment and simultaneously entering into long-term contracts for the furnishing of goods and services to the long-term care facility;
• vendors paying for services on a facility’s behalf or providing services at no charge (such as a consultant pharmacist) in order to maintain an account;
• vendors offering extended payment arrangements or non-payment terms in order to obtain access to third-party reimbursement;
• facility owners and relatives being offered equity positions in a vendor at little or no cost in exchange for the facility’s business; and
• facilities splitting profits with vendors in exchange for reduced supply costs.

Although definitive conclusions about the compliance of these activities with the AKS and applicable laws and regulations would require a detailed analysis of the facts and circumstances, parties to these arrangements should be mindful that such arrangements may implicate AKS. Accordingly, it is prudent for all providers and their vendors to take steps to ensure that their arrangements comply with the AKS and otherwise fit within an applicable safe harbor regulation.

Compliance Today Editorial Board

The following individuals make up the Compliance Today Editorial Advisory Board:

• Dorothy DeAngelis, Managing Director, FTI Consulting
• James G. Sheehan, JD, New York State Medicaid Inspector General
• Gabriel Imperato, Esq, CHC, CT Contributing Editor, Managing Partner, Broad and Cassel
• Jeffrey Sinaiko, President, Sinaiko Healthcare Consulting, Inc.
• Kirk Ruddell, CHC, MBA, Compliance Officer, Island Hospital
• Cheryl Wagonhurst, JD, CCEP, Partner, Foley & Lardner LLP
• Lisa Silveria, RN BSN, Home Care Compliance, Catholic Healthcare West
• Deborah Randall, JD, Partner, Arent Fox LLP
• Janice A. Anderson, JD, BSN, Shareholder, Polsinelli Shughart, PC
• Christine Bachrach, CHC, Senior Vice President – Compliance Officer, HealthSouth
• Eric Klavetter, JD, MS, MA, Privacy and Compliance Officer, Mayo Clinic
• David Hoffman, JD, President, David Hoffman & Associates
• F. Lisa Murtha, JD, CHC, CHRC, Partner, Sonnenschein Nath & Rosenthal, LLP
• Debbie Troklus, CHC-F, CCEP, CHRC, Assistant Vice President for Health Affairs/Compliance, University of Louisville School of Medicine
• Linda Wolverton, CHC, CPHQ, CPMSM, CPCS, CHCQM, LHRM, RHIT, Vice President Compliance, Team Health, Inc.
• Gary W. Herschman, Chair, Health and Hospital Law Practice Group, Sills Cummis & Gross P.C.
• Rita A. Scichilone, MSHA, RHIA, CCS, CCS-P, Director of Practice Leadership, American Health Information Management Association


New HCCA Members

The Health Care Compliance Association welcomes the following new members and organizations. Please update any contact information using the Member Center on the website, or e-mail Karrie Hakenson ([email protected]) with changes or corrections.

Alabama
• Kelly Geiger, St Vincent’s Health System

Arizona
• Jacquelyn K. Bohner

California
• Yuan Chen, Kaiser Permanente
• Andre Cousar, Kaiser Permanente, West Los Angeles
• Gregory Daly, Pomona Valley Hospital
• Karen Louise Elliott, LA Care Health Plan
• Conrad Fernandes, San Mateo Medical Center
• Ranee Jimenez, Kaiser Permanente
• Melitta Johnson, Kaiser Permanente
• Vanessa C. Londo, Kaiser Permanente
• D’Arcy Myjer, Delta Dental
• Leslie S. Rothenberg, Kaiser West Los Angeles Medical Center
• Barbara Saak, St. Joseph Health System
• Anne E. Sullivan, Sutter Health
• Grace Toy, Kaiser Permanente

Colorado
• Jason Fahrlander, Memorial Health System
• Lisa LaPlante, Southwest Memorial Hospital

Connecticut
• Jenifer Barone, Medical Practice Partners LLC
• Lucy D’Angelo, Quest Diagnostics
• Diane Drozd, Silver Hill Hospital
• Wendy Fairman, Boehringer Ingelheim USA Corporation
• Charles Jefferis, III
• Joan A. Morgan, AmeriChoice

Florida
• Heather Cavin, Shands Healthcare
• Dennis Smyser, Brooks Health System
• John Stimler, Bettinger, Stimler and Assoc LLC

Georgia
• La Vonda DeWitt
• Robert DiVito, Piedmont Healthcare, Inc
• Jennifer McCollum, Pershing Yoakley and Associates, PC
• Monica Murdock, Blood & Marrow Transplant Group of Georgia
• Michael Paulhus, King & Spaulding LLP

Idaho
• Julie J. Caputo, St Luke’s Health System
• Laurie J. Carey, St Luke’s Health System
• Katherine Penchansky, Boise VA Medical Cntr
• Benjamin A. Rogers, Boise VA Medical Cntr

Illinois
• Kenneth Mantel, Gateway Foundation, Inc
• Diane Nobles, Caremark, Inc.
• Gail S. Sheehan, OSF Healthcare System
• Ruth Snyder, Methodist Medical Center
• Richene Stotts, Blessing Corporate Srvs

Indiana
• Douglas Essex, St. Francis Medical Group

Kentucky
• Pamela Cline, Graves-Gilbert Clinic
• Denise M. Sethman-Bohnert, Kindred Healthcare
• Krysi M. Simon, Kindred Healthcare

Louisiana
• Tryone Johnson, LSU Health Care Services Div
• Sadhana Kamat, LSU Healthcare Network

Maryland
• Lisa Linton, Booz Allen Hamilton

Massachusetts
• Karen Fagan-Foellmer, Caritas Christi
• Julie Piantedosi
• Deanna A. Turner, Kohler HealthCare Consulting, Inc.

Michigan
• Linda Curry, Allegan General Hosp
• Mary Jo Gray, Univ of Michigan
• DeCole Heard, Molina Health Care
• Elizabeth A. MacInnes, Portage Health
• J.D. Mullins, J.D. Mullins & Associates PLLC

Minnesota
• Alison Green, Prime Therapeutics LLC
• Jacki Pemrick, Prime Therapeutics LLC

Missouri
• Eric Endsley, Missouri Veterans Commission
• David Schopp, Advanced ICU Care, Inc.
• Anne Webb, Ascension Health

Nevada
• Jarrett Clausnitzer, Matt Smith Physical Therapy

New Jersey
• Rose Mary Colombo, Division of Health Services, Diocese of Camden
• Albert Kim, VHA Office of Compliance & Business Integrity
• Richard Traynor, LifeCell Corporation

New York
• Debbie Meade, NS-LIJ Health System
• Gail M. Meehan, Amsterdam Nursing Home
• Michele Sarlo, Amsterdam Nursing Home Corp

North Carolina
• Janit Pike, EthosPartners Healthcare Management Group

Ohio
• Janet Grant, CareSource
• Rich Letner, Invacare Corp
• Denise M. Mitchell, Summa Health System
• Debra L. Woods, Department of Veterans Affairs

Oklahoma
• Melissa Davis, CMBS
• Jennifer Jones, Integris Health Systems

Oregon
• Brandy Justice, Legacy Health

Pennsylvania
• Beth Henn, The Visiting Nurse Assoc of Greater Philadelphia
• Philip J. Masser, Geisinger Health Plan
• Veronica McCabe, The Visiting Nurse Assoc
• Heath J. Siemon, Westmoreland Case Management & Supports Inc

Rhode Island
• Eileen Gelzhiser, Wood River Health Serv

South Carolina
• Lisa F. Wilt, LW Consulting, Inc

Tennessee
• Maxine Cunningham, Vanderbilt Univ Medical Center
• Paul G. Daniels, HCA
• Cindy J. Gomez, Simplex Healthcare
• Kristin N. Grimaldi, Simplex Healthcare
• Mike Hutson, Simplex Healthcare
• Fernando E. Murphy, Vanderbilt Univ Medical Center
• Jason D. Rozell, Simplex Healthcare
• Ashley R. Spurgeon, HealthSpring Inc

Texas
• Susan Andrews-Carden, Ingenix Consulting
• Anna Barden, Parkland Health & Hosp System-Clinical Res
• Marie Barnett, Lone Star Community Health Center
• Todd M. Bothun, Parkland Health & Hospital System - Clinical Research
• Marsha Harris-Hall, Univ of TX Health Science Center
• James W. Luca, MD Anderson Cancer Center
• Kim McConnell, MD Anderson Cancer Center
• Jill Schilp, Parkland Health & Hosp System
• Judy Swenson, HealthBridge Children’s Hosp - Houston, LTD
• Hannelise Van Der Walt, Nexus Specialty Hosp - The Woodlands
• David R. Whiting

Virginia
• Kimberly S. Day, Childrens Hospital of the King’s Daughter
• Juan DeLeon, Centra
• Elizabeth Walker, Quantum Medical

Wisconsin
• Leia Chicoine, Hall Render Killian Heath & Lyman, PC

Alberta, Canada
• Anthony O’Connor, O’Connor Consulting

Your HCCA Staff

Wilma Eisenman, HR Director/Office Manager/Compliance [email protected]

Patti Hoskin, Database [email protected]

Amy Macias, Member [email protected]

Darin Dvorak, Director of Conferences and [email protected]

Elizabeth Hergert, Certification [email protected]

Beckie Smith, Conference [email protected]

Gary DeVaan, IT Manager/Graphic [email protected]

Melanie Gross, Marketing Coordinator/Conference [email protected]

Allison [email protected]

Jennifer Power, Conference [email protected]

Meg Kosowski, Certification [email protected]

Charlie Thiem, Chief Financial [email protected]

Sarah Anondson, Graphic [email protected]

Nancy L. Gordon, Managing [email protected]

Patricia Mees, Communications [email protected]

April Kiel, Database and Member Services [email protected]

Roy Snell, Chief Executive [email protected]

Margaret Dragon, Director of [email protected]

Karrie Hakenson, Member [email protected]

Julie [email protected]

Marlene Robinson, Audio Conference [email protected]

Adam Turteltaub, VP Member [email protected]

6500 Barrie Road, Suite 250 Minneapolis, MN 55435

Phone 888-580-8373
Fax 952-988-0146

[email protected]

Lizza Catalano, Conference [email protected]

Jodi Erickson Hernandez, Conference Planner, jodi.ericksonhernandez@hcca-info.org

Katie Luitjens, Conference [email protected]

Eric Newman, Esq., Social Media [email protected]


ORDER AT WWW.HCCA-INFO.ORG BEFORE FRIDAY, APRIL 16, to ensure delivery by Compliance Week!

Official poster for Corporate Compliance & Ethics Week: 20˝ x 28˝ glossy color poster

$6.25 each (min. order 10)

Four colorful glossy posters, 20˝ x 28˝, each showcasing a different ethics message (4-pack includes one of each poster). Perforated strip along bottom of each poster allows easy removal of Corporate Compliance & Ethics Week logo once the week is over.

$30.00 per 4-pack

Pocket antibacterial hand sanitizer in pump spray.

$3.50 each (min. order 20)

Comfort gel stress ball; 2.25˝ diameter.

$4.75 each (min. order 5)

Mini flashlight on key-ring; 3.25˝ long.

$2.40 each (min. order 20)

Computer screen sweeper/keyboard duster/letter opener; 2.75˝ with brush retracted.

$2.50 each (min. order 20)

Retractable magnifier bookmark; slides closed to 4˝ x 2˝.

$1.50 each (min. order 20)

Insulated stainless steel mug with screw-on, spill-resistant lid; 15 oz. capacity.

$5.50 each (min. order 5)

Wide-body ballpoint pen (black ink) with ergonomic rubber grip.

$1.30 each (min. order 20)

Jotter pad with mini pen and business-card sleeve; 6˝ x 3.75˝.

$4.25 each (min. order 5)

Leading By Example
May 2–8, 2010

Corporate Compliance & Ethics Week

Corporate Compliance & Ethics Week is celebrated every year during the first full week in May.

Co-sponsored by HCCA and SCCE, the sixth Corporate Compliance & Ethics Week will be celebrated May 2–8, 2010.

HCCA and SCCE have a number of items available for purchase to help spotlight compliance and ethics in your organization. Place your order by Friday, April 16, to ensure delivery before this event.

Order at www.hcca-info.org or www.corporatecompliance.org, or call the Compliance Week Order Fulfillment Center at 877-646-9226.


www.hcca-info.org • 888-580-8373

2010

“I just wanted to say thank you for helping to coordinate and present such an educational and useful compliance academy. If I knew how much I was going to learn and how many ideas I would leave with to improve our compliance program I would have attended much sooner. The academy helped to energize and inspire me to take our compliance program and myself as a compliance professional to the next level.”

Michael Scudillo, Chief Compliance Officer, Universal Institute, Inc.

CERTIFICATION EXAM OFFERED FOLLOWING EACH ACADEMY

REGISTRATION FOR EACH ACADEMY IS LIMITED TO 75 ATTENDEES

COMPLIANCE ACADEMIES

February 1–4 | Scottsdale, AZ

March 15–18 | Boston, MA

June 7–10 | San Francisco, CA

August 16–19 | Chicago, IL

October 25–28 | San Francisco, CA

November 15–18 | Orlando, FL

RESEARCH ACADEMY

February 15–18 | Orlando, FL

PRIVACY ACADEMY

October 4–7 | San Diego, CA



Managed Care Compliance Conference

February 21–23, 2010
Scottsdale, AZ | Hotel Valley Ho

HCCA’S MANAGED CARE COMPLIANCE CONFERENCE provides essential information for individuals involved with the management of compliance at health plans. Plan to attend if you are a compliance professional from a health plan (all levels from officers to consultants), in-house and external counsel for a health plan, internal auditor from a health plan, regulatory compliance personnel, or managed care lawyer.

LEARN MORE AT WWW.HCCA-INFO.ORG