Volume Fourteen, Number Two. February 2012. Published Monthly.

In this issue: Meet Jenny O’Brien, UnitedHealth Group’s Chief Medicare Compliance Officer. Feature Focus: 2012 OIG Work Plan: Part 2, Additional OIG reviews. PQRS reporting: Avoiding the pitfalls. Earn CEU credit: www.hcca-info.org/quiz

This article, published in Compliance Today, appears here with permission from the Health Care Compliance Association. Call HCCA at 888/580-8373 with all reprint requests.


INSIDE

ACOs: Bold waivers to create a new health care delivery model. By Theresamarie Mantese and Gregory M. Nowakowski. Five new waivers signal an easing of regulatory statutes for providers who want to participate in ACOs.

A decision tree for breach notification risk assessment. By Mike Wheeler. A 10-step process for determining whether a breach has occurred and when individuals must be notified.

Meet Jenny O’Brien, UnitedHealth Group’s Chief Medicare Compliance Officer. An interview by Julene Brown.

Letter from the CEO, by Roy Snell. Give me independence or give me death.

Social Networking, by John Falcetano. Asking questions of the social network communities.

Exhale, by Shawn DeGroot. View the Compliance department as a resource, not a sheriff.

CEU: PQRS reporting: Avoiding the pitfalls. By Daniel F. Shay. Practical and legal considerations for eligible professionals who participate in the pay-for-reporting program.

Benefits of voluntarily addressing the Red Flags Rule for health care providers. By Brian Santo. Most health care providers will not fall under the definition of “creditor,” but following the rules is a best practice.

Conflict of interest final rule demands transparency, accountability. By William Sacks. Research institutions will need to update their policies on financial conflicts to comply with more stringent disclosure requirements.

Feature Focus: 2012 OIG Work Plan: Part 2, Additional OIG reviews. By Sara Kay Wheeler and Stephanie F. Johnson. Oversight of government contractors, the Medicare appeals process, Medicare Advantage, Part D, and Medicaid are slated for reviews.

CEU: How internal controls support compliant business practices, Part 2: Auditing and monitoring. By Kelly Nueske. Auditing and monitoring differ, but both are needed to measure the effectiveness of internal controls.

Vendor compliance in a dynamic Medicare landscape. By Andrew Finkelstein. Companies that employ first tier, downstream, and related entities must demonstrate accountability for the training those entities receive.

Newly Certified CHC®, CHRC®, and CHPC®

CEU: Medicare revalidation survival guide. By Jennifer Benedict and Angela Epolito Sprecher. Ten tips for providers and suppliers to ensure they don’t lose billing privileges if they receive a revalidation request from CMS.

Surviving a RAC attack. By Stacey S. Elliott. Sufficient documentation by the admitting provider is key to defending inpatient medical necessity during a RAC audit.

HCCAnet and Website News

New HCCA Members


ACOs: Bold waivers to create a new health care delivery model

By Theresamarie Mantese and Gregory M. Nowakowski

Editor’s note: Theresamarie Mantese is a Shareholder and Gregory M. Nowakowski is an Associate in Rogers Mantese & Associates, PC in Royal Oak, Michigan. Theresamarie may be contacted at [email protected] and Gregory may be contacted at [email protected].

In March 2010, the United States Congress passed substantial health care reform legislation (Health Care Reform).¹ There is still much uncertainty about the impact of Health Care Reform on the delivery of health care in the United States. However, an understanding of how Health Care Reform may affect the delivery of patient services in this country requires an examination of the two major goals of Health Care Reform. One goal was to improve access to health care through an expansion of insurance coverage. The second goal focused on reducing costs and improving quality and efficiency.²

An Accountable Care Organization (ACO) under the Medicare Shared Savings Program of Health Care Reform is a new health care delivery model aimed at reducing costs and at increasing quality of care to Medicare beneficiaries. An ACO is a network of doctors and hospitals that share responsibility for providing care to Medicare patients. In the new law, an ACO would agree to manage all of the health care needs of a minimum of 5,000 Medicare beneficiaries for at least three years. An ACO would bring together the different component parts of care for the patient—primary care, specialists, hospitals, home health care, etc.—and ensure that all of the parts work well together to provide health care to the patient.³

On October 20, 2011, the Centers for Medicare & Medicaid Services (CMS) issued an interim final rule (IFC) relating to Medicare payments to providers of services and suppliers participating in ACOs. One of the most significant aspects of the IFC is the waiver of the Stark (Physician Self-Referral) Law, the federal Anti-kickback Statute, and certain civil monetary penalties (CMP) law provisions involving ACOs. This relaxation of these laws through waivers suggests the firm commitment of the Secretary of Health and Human Services (HHS) to carry out the goals of Health Care Reform.

This article will generally discuss three of the five waivers for ACOs. The article then will focus on the two remaining waivers involving: (1) the distribution of shared savings among participants in ACOs, and (2) patient incentives that encourage Medicare beneficiaries to use ACOs. These two waivers appear to be the strongest policy statement by the government supporting ACOs. First, the Sharing Savings Distributions waiver is significant, because it will allow the spreading of earned shared savings among ACO participants without giving rise to health law violations. Second, the Patient Incentive waiver permits the ACO to provide incentives to Medicare beneficiaries to use ACOs, without the ACO’s risking health care law violations.

Waiver categories

CMS and the HHS Office of Inspector General (OIG) jointly issued an IFC with comment period entitled “Final Waivers in Connection With the Shared Savings Program.” The IFC establishes five categories of waivers including:

■ ACO Pre-participation waiver
■ ACO Participation waiver
■ Compliance with Stark (Physician Self-Referral) Law waiver
■ Shared Savings Distributions waiver
■ Patient Incentive waiver

It is important to understand that these waivers are a bold commitment on the part of the government to encourage participation in ACOs. By easing the stronghold of long-standing health care regulatory statutes, the government is offering flexibility to a larger group of providers to participate in ACOs. The IFC also provides: “The waivers are intended to be self-implementing. Apart from meeting applicable waiver conditions, no special action (such as the submission of a separate application for a waiver) is required by parties in order to be covered by a waiver. Parties need not apply for an individualized waiver.”⁴ The government is thus accommodating ACOs to organize in a market environment by its relaxation of bureaucratic oversight.

The first three categories are important for providers who are in the process of setting up an ACO.

■ ACO Pre-participation waiver

An ACO Pre-participation waiver applies to ACO-related start-up arrangements. This waiver is particularly important to those health care providers that anticipate participating in the Medicare Shared Savings Program. It waives the Physician Self-Referral Law, the federal Anti-kickback Statute, and the Gainsharing CMP prohibitions. In particular, the CMP prohibits payments to physicians as an inducement to reduce or limit services to Medicare beneficiaries who are under the care of a physician.⁵

Gainsharing is generally an arrangement in which hospitals give physicians a share of the hospital’s cost savings that result from the physicians’ efforts in saving costs in caring for a patient. OIG and HHS have advised that there may be a violation of the CMP in certain gainsharing arrangements.⁶ The easing of the gainsharing prohibition was a dramatic step by the government to encourage the development of ACOs by providers who were reluctant to form ACOs based on the Gainsharing CMP prohibitions.

Providers that are contemplating the formation of an ACO must meet four requirements to qualify for a Pre-participation waiver:

1. The party or parties act in good faith to develop an ACO that will participate in the Shared Savings Program that will start in a particular year (the “target year”).

2. The parties must take diligent steps to develop an ACO that would be eligible for a participation agreement that would become effective during the target year.

3. The ACO’s governing body has made a bona fide determination that the ACO arrangement is reasonably related to the purposes of the Shared Savings Program.

4. The ACO’s governing body’s authorization and the diligent steps to develop the ACO.⁷

■ ACO Participation waiver

An ACO Participation waiver is available to any arrangement of an ACO, one or more of its ACO participants or its ACO providers/suppliers, or a combination of these entities. It waives the Physician Self-Referral Law, the federal Anti-kickback Statute, and the Gainsharing CMP prohibitions in connection with already existing ACOs.

To qualify for this waiver, five requirements must be met:

1. The ACO has entered into a participation agreement and remains in good standing under its participation agreement.

2. The ACO meets certain statutory requirements concerning its governance, leadership, and management.

3. The ACO’s governing body has made a bona fide determination that the ACO arrangement is reasonably related to the purposes of the Shared Savings Program.

4. The ACO arrangement and its authorization by the governing body are documented, which must be retained for at least 10 years after completion of the arrangement and made available to the HHS Secretary.

5. The description of the arrangement is publicly disclosed as established by the HHS Secretary.⁸

The waiver period will begin on the start date of the ACO participation agreement and will end six months following the earlier of either the expiration of the participation agreement, including any renewals, or the date on which the ACO has voluntarily terminated the participation agreement. However, if CMS terminates the participation agreement, the waiver period will end on the date of the termination notice.⁸

■ Compliance with Stark Law waiver

This waiver is available to an ACO, its ACO participants, and its ACO providers/suppliers if any of their arrangements implicate the Stark (Physician Self-Referral) Law. The Stark Law prohibits certain physician self-referrals, primarily based on whether the physician receives any financial or other compensation from the referral. The waiver applies to the Stark Law, the federal Anti-kickback Statute, and the Gainsharing CMP prohibitions.

This waiver is available only if three conditions are met:

1. The ACO has entered into a participation agreement and remains in good standing under its participation agreement.

2. The financial relationship is reasonably related to the purposes of the Shared Savings Program.

3. The financial relationship fully complies with an exception under the Physician Self-Referral Law.⁹ The exceptions may include bona fide employment agreements, safe harbor exceptions, and electronic health record (EHR) donations.

Critical ACO waivers

The last two categories of ACO waivers include the Shared Savings Distributions waiver and the Patient Incentive waiver. These waivers are probably the most significant waivers, because they will be on the frontline of the operations of ACOs, once they are up and running. These waivers offer a new direction in health care in the United States. With these waivers, the government has shed many policy decisions that were entrenched over the years and decided to allow ACOs to have certain economic and financial rewards from their participation in this new delivery system. Each of these waivers will be analyzed in this context.

■ Shared Savings Distributions waiver

This waiver applies to distributions and uses of shared savings payments earned under the Medicare Shared Savings Program and provides a waiver of the Physician Self-Referral Law, federal Anti-kickback Statute, and Gainsharing CMP. Obviously, this is an extraordinary move by the government to allow ACO participants to share in the profitability of the entity. The interim final rule states this objective:

[t]his less restrictive waiver for shared savings distributions within the ACO is premised, in part, on recognition that an award of shared savings necessarily reflects the collective achievement by the ACO and its constituent parts of the quality, efficiency, and cost reduction goals of the Shared Savings Program.¹⁰

For the waiver to apply, five conditions must be met:

1. The ACO has entered into a participation agreement and remains in good standing under its participation agreement.

2. The shared savings are earned by the ACO under the Shared Savings Program.

3. The shared savings are earned by the ACO during the term of its participation agreement, even if the actual distribution or use of the shared savings occurs after the expiration of that agreement.

4. The shared savings are either distributed among the relevant ACO participants during the year in which the shared savings were earned by the ACO, or the shared savings are used for activities that are reasonably related to the purposes of the Shared Savings Program.

5. Payments of shared savings distributions made from a hospital to a physician are not made knowingly to induce the physician to reduce or limit medically necessary items or services to patients under the direct care of the physician.⁸

It should be apparent that this waiver is intended to reward ACO participants for successfully operating an ACO. Yet, this waiver is not intended to compromise patient care. Obviously, this is going to be a judgment call on the part of ACO administrators on how to allocate earned shared savings and continue to provide necessary medical care to patients. This waiver interfaces with the Patient Incentive waiver, which is intended to encourage Medicare patients to use ACOs.

■ Patient Incentive waiver

The Patient Incentive waiver allows the relevant ACO participants to provide Medicare beneficiaries with items or services for free or below market value without violating the Beneficiary Inducement CMP and the federal Anti-kickback Statute. Again, this waiver is unprecedented. Prior health law directives were unequivocal that incentives should not be offered to Medicare patients to induce them to use services. However, the goal of this waiver is to foster more patient responsibility for health care decisions.

The IFC provides: “ACOs would need to engage patients in better managing their own health care, including obtaining preventive care and complying with treatment plans for chronic conditions.” “Therefore, in light of this need, this IFC promulgates a waiver of the federal Anti-kickback Statute and the Beneficiary Inducements CMP to address arrangements pursuant to which ACOs, ACO participants, and ACO providers/suppliers provide beneficiaries with free or below-fair market value items and services that advance the goals of preventive care; adherence to treatment, drug, or follow-up care regimes; or management of a chronic disease or condition.”¹¹ This explains why the waiver limits the incentives to be offered to patients to in-kind services. ACO participants may not give cash to Medicare beneficiaries to encourage them to use an ACO.

For the waiver to apply, four conditions must be met:

1. The ACO has entered into a participation agreement and remains in good standing under its participation agreement.

2. A reasonable connection exists between the items or services and the medical care of the beneficiary.

3. The items or services are in-kind.

4. The items or services are preventive care items or services, or advance clinical goals.⁸

This waiver period will begin on the start date of the participation agreement and will end on the earlier of the expiration of the term of the participation agreement (including any renewals) or the date on which the participation agreement is terminated. However, the patient may keep items received before the participation agreement expired or was terminated, and receive the remainder of any service initiated before the participation agreement expired or was terminated.⁸

Conclusion

Coverage, costs, and care will be continually important in the provision of health care in this country. Health care laws have long governed the playing field in which providers had to care for patients. The government appears to be committed to a new health care delivery system in the form of ACOs. In an unprecedented move, the government has decided to relax some health care laws in the form of waivers. The most critical waivers that are likely to have a far-reaching effect are the Shared Savings Distributions waiver and the Patient Incentive waiver. These waivers will offer financial rewards in shared distributions, and also in an increased patient base. ACO administrators will have their share of regulatory problems as they work through this innovative waiver system.

1. Patient Protection and Affordable Care Act, Public Law 111-148 (PPACA) and the Health Care Education and Reconciliation Act of 2010.

2. Altarum Institute: “The Uncertain Impact of Health Reform on Hospitals.” July 27, 2010. Available at www.healthpolicyforum.org/.../special-contributor-the-uncertain-impact-of-health-reform-on-hospitals/

3. Jenny Gold: “FAQ On ACOs: Accountable Care Organizations, Explained.” Kaiser Health News, October 21, 2011. Available at http://www.kaiserhealthnews.org/stories/2011/january/13/aco-accountable-care-organization-faq.aspx

4. 76 FR 67992-01 at 67998.

5. 2 U.S.C. § 1320a-7a(b)(1).

6. See, e.g., OIG Advisory Opinion No. 01-1, January 18, 2001. Available at oig.hhs.gov/fraud/docs/advisoryopinions/2001/ao01-01.pdf.

7. 76 FR 67992-01 at 68000.

8. 76 FR 67992-01 at 68001.

9. 42 CFR 411.355 through 42 CFR 411.357.

10. 76 FR 67992-01 at 68005.

11. 76 FR 67992-01 at 68007.


A decision tree for breach notification risk assessment

By Mike Wheeler, MA, CCRA

Editor’s note: Mike Wheeler is the University Privacy Officer, Information Assurance Compliance Officer, and Compliance Officer for Medical University of South Carolina. Mike may be contacted by e-mail at [email protected].

The American Recovery and Reinvestment Act of 2009 (ARRA) was enacted on February 17, 2009. ARRA is commonly referred to as the Economic Stimulus Package. Included in ARRA is the Health Information Technology for Economic and Clinical Health (HITECH) Act. Following the discovery of a breach of unsecured protected health information (PHI), the HITECH Act requires Health Insurance Portability and Accountability Act (HIPAA) covered entities to notify affected individuals and requires business associates to notify covered entities. In response, the Department of Health and Human Services (HHS) on August 24, 2009 issued the Breach Notification for Unsecured Protected Health Information interim final rule. This rule was issued as Subpart D to HIPAA—Notification In the Case of Breach of Unsecured Protected Health Information and contains the HITECH Act’s specified breach notification requirements.

To determine if an impermissible use or disclosure of PHI constitutes a breach, covered entities and business associates must perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, covered entities and business associates need to consider a number or combination of complex factors. The consideration of these complex factors is causing many headaches for covered entities and business associates and may result in either under- or over-reporting of a breach. For this reason, a decision tree that lists all the complex factors is essential to ensure compliance with applicable regulations.

These complex factors are summarized in figure 1. The decision tree simplifies the process into a 10-step determination. The first step in the breach notification process is to determine if the acquisition, access, use, or disclosure is impermissible and violates the requirements of the HIPAA Privacy Rule. To meet the definition of a breach, the impermissible use or disclosure must “compromise” (the second step of the breach notification determination process) the security or privacy of the PHI. The remaining eight steps in this process are shown in figure 1.

The most difficult determination is involved with answering the question posed in Step 4: Does the disclosed information pose a significant risk of financial, reputational, or other harm? This is the step where the risk assessment must be performed to determine “if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure.” The section-by-section description of the Interim Final Rule provides numerous discussion points for this step and several subsequent steps listed on the decision tree. For example, HHS cautions “covered entities and business associates to keep in mind that many forms of health information, not just information about sexually transmitted diseases or mental health, should be considered sensitive for purposes of the risk of reputational harm—especially in light of fears about employment discrimination.”

The breach notification decision tree lists a summary of the complex factors involved and provides a solid foundation for the breach notification process. The information listed on the decision tree can help the covered entity or business associate in generating a risk assessment to determine if breach notification is necessary. Remember, the methods used to conduct the risk assessment and the results must be documented.

Figure 1: Breach Notification Decision Tree

1. Is this an impermissible use, disclosure, or release?
   No: STOP, no notification. Yes: continue to step 2.

2. Does disclosure/release compromise the privacy or security of the information?
   No: STOP, no notification. Yes: continue to step 3.

3. If in an electronic format, was a NIST-approved encryption technology used and were the encryption keys protected?
   Yes: STOP, no notification. No: continue to step 4.

4. Does the disclosed information pose a significant risk of financial, reputational or other harm? For example, SSNs, bank account numbers, credit card numbers, mother’s maiden name, mental or emotional illness, AIDS/HIV, cancer, substance abuse, transplant, STDs, etc.
   No: STOP, no notification. Yes: continue to step 5.

5. Was the information disclosed to an entity governed by HIPAA or to a federal agency governed by the Privacy & Info Security Acts?
   Yes: STOP, no notification. No: continue to step 6.

6. Can recipient provide a confidentiality agreement or verify destruction?
   Yes: STOP, no notification. No: continue to step 7.

7. Was the information returned prior to being accessed?
   Yes: STOP, no notification. No: continue to step 8.

8. Was the disclosure from a CE’s workforce member authorized to access the information to another CE’s workforce member? (If the information was not further used or disclosed)
   Yes: STOP, no notification. No: continue to step 9.

9. Does the disclosure of information meet one of the exceptions? (See exceptions below)
   Yes: STOP, no notification. No: continue to step 10.

10. Notify the individual(s).

EXCEPTIONS:
(1) Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a CE or a business associate (i.e. opening an incorrect chart);
(2) inadvertent disclosure of PHI from one person authorized to access PHI at a CE or business associate to another person authorized to access PHI at a CE or business associate;
(3) unauthorized disclosure in which an unauthorized person to whom PHI is disclosed would not reasonably have been able to retain the information.

Meet Jenny O’Brien, UnitedHealth Group’s Chief Medicare Compliance Officer

Editor’s note: Julene Brown conducted this interview with Jenny O’Brien in November 2011. Contact Julene Brown at [email protected] and Jennifer O’Brien at [email protected].

JB: You and I have been acquainted for several years and it has been due to our work in the Compliance field. You have served on the HCCA Board and are the Immediate Past President. You and I have experienced similar roles on the HCCA Board. Could you share some information on your background with the readers? How did you become involved in working in Compliance?

JO: I have been fortunate to have worked in a variety of great organizations, including the government, a non-profit integrated health care system, a law firm, and my current role at a for-profit organization. Each job has provided the opportunity to experience various leadership styles and develop different skill sets from the diverse work environments. While working as an Assistant Attorney General in 2001, I received a call to discuss a compliance role with a health care system. To be honest, I had no clue what a “compliance role” entailed. However, after meeting with David Orbuch (a frequent HCCA speaker/panelist), I felt like it was too intriguing of an opportunity to pass up. Within the first few months on the job, we were faced with a state and federal investigation and negotiating/preparing for a Corporate Integrity Agreement. It was a great learning experience and prepared me well for future Compliance roles. I am currently the Chief Medicare Compliance Officer of UnitedHealth Group.

JB: Tell us about the organization you work for.

JO: UnitedHealth Group, the corporate parent of UnitedHealthcare, is a health care company serving more than 75 million people. Our family of companies touches nearly every aspect of health care with the mission of helping people live healthier lives. I am part of the UnitedHealthcare Health Benefits Division, and I am responsible for oversight of the compliance program of our Medicare business, which includes Medicare Advantage, Prescription Drug Plans, Medicare Supplement, and Special Needs Plans. We have approximately 9 million individuals enrolled in our plans, and we are focused on making it easier for individuals over the age of 50 to manage their health care needs. I work with an incredibly talented group of business leaders and compliance professionals who work to ensure there are effective structure, process, and outcome measures in place to meet and exceed our commitments to the Centers for Medicare & Medicaid Services (CMS) and that protect our Medicare beneficiaries.

JB: Please explain what your job entails as the Chief Medicare Compliance Officer.

JO: I am responsible for developing the strategy and providing oversight for the UnitedHealthcare Medicare Compliance program. I work closely with our regulators, with most interactions being with CMS Lead Region IX and the CMS Central Office. I am a member of the Executive Leadership Team which includes the CEO, CFO, and other organizational leaders. I work with my colleagues to develop and deliver on our business plan. An important role of our leadership team is to ensure we have an effective and efficient compliance program. I have been with the organization for two years and, with the help and support of senior management and my team, we have restructured the compliance program across all lines of our Medicare businesses.

JB: Would you review the structure of your compliance program?

JO: I am part of a team within the UnitedHealthcare Benefits business that is accountable for oversight of the UnitedHealthcare Government Compliance Program, which includes Medicare, Medicaid, and Military Services. I am supported by the following teams: Internal Audit Management, Regulatory Affairs, Investigations, Privacy, Delegated Entity Compliance and Medicaid Compliance. My Medicare Compliance team is structured by business functions and consists of compliance officers in Finance, Materials/Fulfillment, Operations, Pharmacy, and Sales/Distribution. I also have a leader who oversees our CMS Account Management team who works directly with an account manager from CMS Region IX. Each of my compliance leads and their teams are embedded within the business to ensure business accountability for compliance.

JB: You have worked as a compliance officer for an integrated health care system and are now on the health plan side. How is developing a compliance program for a health plan different than an integrated health care system?

JO: That’s one of the first questions I asked myself in preparing to transition to my job at UnitedHealthcare. I reached out to my HCCA compliance colleagues who have provider and health plan experience and asked that very question. I received great advice. The consistent theme was to use the same tools, resources, and instincts that were successful on the hospital/clinic side and apply them on the health plan side. The biggest and most challenging difference has been that almost every part of our business is regulated on the health plan side—versus the provider side, which is predominantly focused on the billing around Medicare and Medicaid services. From the language in the marketing materials, kits, and content of conversations of our sales agents and brokers, to timeframes regarding enrollment and/or disenrollment of members—each aspect across health plan business functions is regulated and requires intense monitoring and auditing to ensure ongoing compliance with regulations.

JB: What are regulators focusing on within the health plan industry?

JO: As a Medicare Advantage and Part D plan sponsor, there is increased focus by CMS on the scope and intensity of the audits it performs. Plans are notified that they have been selected to be audited, and they are given five to seven days to provide the requested documentation. CMS then brings a group of auditors onsite within two weeks of the notification to perform the audits. The audits examine and test plan sponsors’ administration of the Medicare program, which includes comprehensive onsite documents reviews, universe testing, and employee interviews. Although the audits can include an assessment of all functions related to the Medicare program, key focus areas include appeals and grievances, claims processing, marketing/sales, enrollment/disenrollment, formulary administration, oversight of first tier and downstream entities, and a comprehensive review of the overall effectiveness of the compliance program.

JB: Do you measure the effectiveness of your program? And if so, how?

JO: We have implemented a reporting and oversight structure across each of the business functions that includes an Oversight Compliance Committee and a compliance scorecard. The Compliance Committees, which meet quarterly, are comprised of accountable business leaders, including Clinical, Legal, and Human Resources. They are co-chaired by the business function compliance officer and accountable business executive. The committees meet quarterly and report into a Medicare Compliance Oversight Committee (MCOC) that is co-chaired by Tom Paul, CEO of UnitedHealthcare’s Medicare business, and me. The MCOC reports to the UnitedHealthcare Government Programs Oversight Compliance Committee. Across each business function, we have implemented compliance scorecards that use a structure, process, and outcome methodology. Structure measures address the capacity of a health care organization to ensure compliance. Process measures refer to the manner in which an organization actually provides compliance coverage. Outcome measures refer to observable, measurable compliance outcomes. The scorecard captures progress on each of the seven elements of an effective compliance program. Examples of our outcomes measures include regulatory notices received from CMS, results of internal and external audits, privacy breaches, oversight of delegated entities, and cultural attribute results. We have found this to be a very effective tool that ensures business leaders are informed and engaged in compliance efforts, as well as a tool to determine the effectiveness of our program.

JB: What have been your biggest challenges in your role as a compliance officer?

JO: I have been fortunate to have the opportunity to create compliance programs in a variety of different organizations. The biggest challenge can be to get buy-in from the executive team and get a seat at the executive table. Fortunately, when I came into the job at UnitedHealthcare, both those elements were present. Having the support and engagement of top leaders makes all the difference.

JB: Let’s talk for a moment about HCCA, where you and I became acquainted. Let’s tell the readers how this came about.

JO: I joined HCCA in 2001, when I took my first role in Compliance. I kept hearing about the seven elements of a compliance program but had no idea what that meant or how to implement an effective compliance program. I attended the Regional Conference and met a number of people I still call on today to talk through tough compliance issues. I then attended my first Compliance Institute and realized what an incredible resource HCCA would be for me. I became involved at the local level, started writing articles, and networking with people across the country – and, as they say, the rest is history!

JB: You have been a local, regional, and national leader for the health care compliance profession. Can you tell us why it is important to you to be involved?

JO: I believe an important trait of an effective compliance officer is to be someone who is a “life learner.” I have been in this role for more than 10 years and learn on the job every day. Being involved in HCCA provides a great forum to learn about trends in the industry and to connect with regulators and understand their priorities as well as their challenges. Most importantly, I appreciate the opportunity to develop relationships and find out how others are approaching difficult issues and, where possible, how to employ different tactics to move an issue to resolution. The membership of HCCA is very generous and willing to share what they’ve learned and their successes. I never hesitate to call on people I have met along the way. They have truly made me a more effective compliance officer.

JB: You have attended the Compliance Institute and also served on the Planning Committee. What about this annual conference keeps you coming back?

JO: The first time I participated on the Planning Committee, I was struck by how diligent the reviewers were to ensure topics existed for new attendees as well as the more experienced compliance officers, and the effort to get new compliance professionals involved. We used to hear from the experienced compliance officers that we needed more advanced topics, which resulted in additional tracks. It amazes me when I see the brochure come out each year and I am able to pick from such a variety of topics. I keep coming back for the opportunity to hear about hot topics, learn about areas I don’t have the chance to dig into, and network with compliance professionals from across the country.

JB: You are certified in Healthcare Compliance (CHC) and Privacy Compliance (CHPC). What benefit has this brought you in your Compliance career?

JO: Going through the certification process was invaluable. In addition to testing my competence, it provided another venue to network with compliance professionals across the country. I stated earlier that ongoing learning and training is key to continued success in this field. The certifications are an opportunity for continued learning, and the credentials continue to get positive recognition. We are seeing them included more and more in requirements for compliance jobs.

JB: Leisure time—we always need to think about that! Do you have any hobbies you are involved in?

JO: I have two sons, Sam and Tommy, who are in high school and keep my husband Dan and me very busy. I love going to their sporting events and school activities. Outside of that, I enjoy traveling and anything that keeps me active. My current favorite activities are playing golf with my husband and training our new puppy. It may be more accurate to say she is training me!

JB: Jenny, it has been an honor and a pleasure interviewing you. Thank you for sharing, and keep up the great work in the health care compliance profession! Thank you for all the work you have done for HCCA!

HCCA has stepped up our environmental responsibility by printing Compliance Today on recycled paper. The interior pages are now printed on paper manufactured with 100% post-consumer waste. The cover stock is made up of 10% post-consumer waste and is locally produced in Minnesota near our printing facility. In addition, the energy used to produce the paper is 100% renewable energy. This is not to mention that the ink used in our magazine is 100% soy-based water soluble ink. Certifications for the paper include The Forest Stewardship Council (FSC), Sustainable Forestry Initiative (SFI), and Green-e.org.


Give me independence or give me death

Society created the very difficult compliance and ethics officer position to do the things that few other employees will do. And now, on occasion, society won’t help us implement this new position properly. We clean up the problems left behind by those who don’t have the intestinal fortitude, ability, or authority to fix them. We need independence from those we monitor, just as the Audit department needs independence.

Who had independence at Penn State? The police, president, athletic director, the head of Student Affairs, and more all appeared to have no independence. There seemed to be a lack of independence when it came to “football issues.” What if someone had been given independence, authority, and access to the Board at PSU? The problem might have been solved years ago.

We have a number of people who think they know all about our profession and can speak for us, despite never having held a job in our profession. They’re not helping. If you haven’t been a compliance or ethics professional you probably should not tell people how the profession should be defined. More importantly, if you have not immersed yourself in the compliance and ethics profession and don’t understand what the typical compliance professional is dealing with, you should not speak for the profession. Anecdotal stories aren’t helping.

Ben Heineman, a renowned former general counsel for GE and a Harvard professor, is writing and speaking about the legal profession with a great degree of experience. He is a kind, experienced, and thoughtful man. However, there is a great quote he should heed that my father once told me: “Be careful what you say. People listen to you.” I have swapped a couple of emails with Ben, and he sounds like a great, well-intentioned guy. I have responded to his Harvard blog post suggesting that the compliance officer report to the general counsel. Despite my suggestions to the contrary, he continues to advocate for a lack of independence for the compliance officer. Ben Heineman has never been a compliance officer. He thinks compliance is all about the law, so he thinks the compliance officer should report to the legal counsel.

Ben, you can certainly speak for your profession with a great deal of authority and experience. What I can’t understand is how you can speak for a job you have never spent a day performing, or even spent time talking to more than a few people in the profession. Instead, you have a theory and anecdotal stories about cases where a lack of independence has worked.

Your logic for having the compliance officer report to the GC is because it’s all about the law. Compliance professionals and compliance programs aren’t about the law; compliance is about following the law. It is hard for many people to understand what it’s like being responsible for significant problems that others have refused to step up and deal with. During the most significant problems, issues that have people on high very upset, compliance professionals expect support from their colleagues. Unfortunately, on many occasions all they see is the soles of their

ROY SNELL


Editor’s note: John Falcetano, CHC-F, CCEP-F, CHRC, CHPC, CIA is Chief Audit/Compliance Officer for Vidant Health and Second Vice President of the HCCA Board of Directors. John may be contacted by e-mail at [email protected].

Asking questions of the social network communities

This month I thought I would focus on the ability of our members to ask questions of their peers who participate in HCCA’s social network communities—a great place to find answers to compliance-related questions you may have for one reason or another. The social networking site enables our participants to provide feedback on compliance-related questions posted to the website. For example, recently a member posted the following:

“I am interested in input on whether “Assisted Living Facilities” would be subject to the HIPAA Privacy Rule elements. The facilities that I am familiar with “supervise” residents who live there with their activities of daily living. They may, in many cases, receive the oral drugs to administer. No other medical services are provided by the facility staff. Any medical care required takes place by outside doctors who round weekly or Home Health Agency staff when required by physician order. If blood tests or x-rays are ordered by the physicians, the entities performing those services come to the facility to draw blood or have a portable x-ray performed. Results are sent to the ordering physician’s office.”

The member provides additional information and asks for any thoughts on applicability. To follow the discussion or to comment on this topic or many others, go to HCCA’s social network site.

The sharing of information on our social network site is of great value to our

Social Networking

JOHN FALCETANO

Get Connected

Start a discussion with your peers in HCCA’s LinkedIn group: www.hcca-info.org/LinkedIn

Get the latest compliance news and HCCA event information in your Facebook news feed. “Like” the HCCA Facebook page at www.hcca-info.org/Facebook

Follow @hcca_news for the latest trends in health care compliance www.twitter.com/hcca_news

Subscribe to dozens of discussion groups, download hundreds of resources, and connect with thousands of compliance professionals on HCCAnet: www.hcca-info.org/hccanet


Editor’s note: Shawn DeGroot, CHC-F, CCEP, CHRC is Vice President of Corporate Responsibility at Regional Health located in Rapid City, South Dakota. Shawn also serves as Vice President of the HCCA Board of Directors. She may be contacted by e-mail at [email protected].

View the Compliance department as a resource, not a sheriff

In the movie, “J. Edgar,” the practices of government investigations and the political subterfuge surrounding decision-making were quite interesting. The landscape of our country during the Depression and lessons-learned from lack of structure, along with cover-up and a desire to control, were evident. Based on the corporate scandals that have plagued our country the past few years, one might ask if history is repeating itself as we embark on health care reform and the increased regulatory scrutiny that is associated with increased fraud. Although comparing circumstances in the 1930s and now may be comparing apples to oranges, fundamentally we have (understandably) not decreased government resources to detect, prevent, and deter fraud. The return on investment of $16.70 for every $1.00 spent on investigations by the Office of the Inspector General, as published in the OIG Work Plan,1 is better than most stock options and retirement plans. Nevertheless, the increased investigations create awareness and lessons-learned from a compliance perspective.

The state of Texas has been quite active with investigating improprieties that impact health care. What is bothersome and difficult is abiding by an abundance of rules designed for the minority—those that commit fraud. Millie Johnson, Institutional Compliance Officer for Texas Tech University Health Sciences Center (TTUHSC) is in the midst of enhancing the compliance program, based on numerous regulatory oversight areas, as well as increasing awareness. Currently, Millie is focusing on conflicts of interest, especially with respect to provider interactions with health care vendors (e.g., pharmaceutical companies, durable medical equipment suppliers). TTUHSC is a seven school university, and Millie has primary oversight of billing compliance and HIPAA privacy involving all of the schools. The oversight responsibility can be daunting at times.

What keeps Millie up at night? Stark, accountable care organizations, and HIPAA are three of the many concerns. In an effort to raise compliance awareness, Millie and her team try to be proactive in developing goals for the fiscal year that include enhancements to the online presence for faculty and staff. Due to the large service area, Millie’s team constantly strives to “spread the compliance message.” Her department developed a newsletter, uses compliance flash cards (similar to a deck of cards with compliance questions and answers), and fortune cookies to make compliance “palatable.” Work is also underway to implement an investigations policy that provides general guidance, structure, and confidentiality to the investigative process. Just as in the movie, a need exists for policies and procedures that outline the fundamental steps for an appropriate investigation.

How does Millie cope? Recently, Millie and her husband bought a hot tub to alleviate management stress, and it has wonderful healing properties. Then there is the unmanageable stress. Millie focuses on communication with senior management, outlining the risks and alternatives that are available. If management refuses to change and you are convinced that its position is wrong, then you have to be willing to make a change. That change can also create a new level of stress.

Exhale
By Shawn DeGroot, CHC-F, CCEP, CHRC


Words of advice from Millie

It is all in the attitude with which you approach a situation. Each day she simply does her best, and it is her experience that most people want to do the right thing. Sometimes people simply don’t have all of the information they need, and we are in such a highly regulated industry. That is where the Compliance department can help. If Compliance is viewed as a resource rather than a sheriff, and employees who bring up issues are viewed as customers vs. complainers, everything can fall in line for the right reason.

1. Department of Health and Human Services, Office of Inspector General: FY 2012 Work Plan. Available at http://oig.hhs.gov/reports-and-publications/archives/workplan/2012/Work-Plan-2012.pdf

Social Networking, continued

members and participants and is highly encouraged. Social networking is a great way to make friends, obtain needed compliance documents, get answers to your questions, or just talk with peers. Visit our network, start a blog, or join a discussion group. You will be glad you did.

To participate in the discussion above, review the comments, or just talk with your peers, you can access the social networking site by going to the following link: www.hcca-info.org/hccanet

HCCA Board of Directors Election Results

The votes have been tallied and the results are in:

Re-elected

Daniel Roach, JD, Vice President, Compliance and Audit, Catholic Healthcare West, San Francisco, CA

Debbie Troklus, CHRC, CHC-F, CCEP-F, CHPC, Managing Director, Aegis Compliance and Ethics Center, Chicago, IL

Sara Kay Wheeler, JD, Partner, Attorney at Law, King & Spalding, Atlanta, GA

New Board Members

Lori Strauss, Chief Corporate Compliance & Privacy Officer, University of Virginia Health System, Charlottesville, VA

Debra (Debi) Hinson, Vice President–Compliance, Chief Compliance & Privacy Officer, CarePoint Partners, LLC, Cincinnati, OH

Appointed

Urton Anderson, PhD, CCEP, Chair, Department of Accounting and Clark W. Thompson Jr. Professor in Accounting Education, McCombs School of Business, The University of Texas at Austin, Austin, TX

Letter from the CEO, continued

colleagues’ shoes sticking out from under the table, more worried about their reputations or jobs.

Compliance and ethics professionals have to stand up to powerful people on occasion, not just give them advice and return to their office. The “I told somebody” defense is not working. Society is not buying it. Enron, Tyco, and most of all Penn State University had a number of people who claim they did their job because they told somebody. A compliance officer, by definition, cannot rest until the job is done. They can’t just say, “I told somebody.” That is why the job was created: because many who came before us felt their job stopped after they “told somebody.”

The most recent explanation I have received for why the compliance officer should report to the general counsel was because they had seen it work in a couple of cases. Anecdotal stories cannot define best practice. Decisions should not be made based on anecdotes, especially decisions as important as this. Sure, there are cases where reporting to the general counsel might be considered successful. However, that is not how best practice should be developed. If that logic were true, then Internal Audit should report to the CFO whenever it feels like it, because that worked in a couple of cases. After what has gone on in the last fifteen years in the Internal Audit profession, no one in their right mind would advocate for Internal Audit reporting to the CFO. No one in their right mind would say that Internal Audit should be independent except when it doesn’t feel like it, just because a couple of anecdotal stories show it working. Internal Audit doesn’t use anecdotal stories to define best practice. You can’t develop best practice by telling anecdotes.

You have to immerse yourself in the process and the profession to develop best practice.

Simply stated, PSU, Enron, HealthSouth, and many others failed because the Board did not receive the viewpoint of an independent perspective on their problems. Specifically, they did not receive the viewpoint of an independent compliance and ethics officer. Everyone was worried about retaining money, power, or reputation. Some were worried about defending the organization. Almost all ethics and regulatory missteps that went unresolved for a period of time and were known by a handful of people can be traced to a conflict of interest. Someone was worried about power, money, or reputation, and they prevented the Board from receiving an independent perspective.

Penn State University may go down as the “conflict of interest case study” of all time. There was no independence. If I could sum up in one word why the compliance profession was created, and its greatest benefit, it would be independence. Ben, the battle cry for the compliance and ethics profession should be, “Give me independence or give me death.” Until you become immersed in our profession and see this through our eyes, it would be best if you stopped trying to define our profession. You are making it difficult for a lot of people who have enough difficulties to deal with already. Be careful what you say, Ben, because people listen to you.

If you have any questions that you would like Roy to answer in future columns, please e-mail them to: [email protected].



PQRS reporting: Avoiding the pitfalls

By Daniel F. Shay, Esq.

Editor’s note: Daniel F. Shay is an Attorney with the law firm of Alice G. Gosfield & Associates, PC. He may be contacted in Philadelphia by telephone at 215/735-2384 or by e-mail at [email protected].

The Physician Quality Reporting System (PQRS), formerly known as the Physician Quality Reporting Initiative (PQRI), represents one of the Centers for Medicare & Medicaid Services’ (CMS) recent efforts to improve quality, amass data, and offer both a carrot and stick to physicians and physician practices participating in Medicare. Originally begun in the latter half of 2007 as an initiative, the program has been modified over the years, with Congress changing the name as part of a series of mandated reforms in the Patient Protection and Affordable Care Act of 2010 (PPACA).1 This article includes a general overview of the current state of PQRS, and discusses the potential pitfalls for practices when they participate.

The essence of the PQRS program is that physicians report information collected about patient care, reflecting the performance or non-performance of specific activities.

The program does not reward actual quality performance, but rather it rewards the reporting of data alone. The services themselves may be sub-par, yet credit is given for the reporting.

Although it originally offered a 1.5% incentive payment, and was extended by statute several times, as a result of the changes mandated by PPACA, eligible physicians can receive an incentive payment of 1% on their Medicare Part B reimbursement for the 2011 reporting period. This incentive will decrease to 0.5% for the 2012-2014 reporting periods. Beginning in 2015, however, the system will become punitive, deducting 1.5% in 2015, and 2% beginning in 2016 and for subsequent years.

Practices should therefore consider participation in the system as “recommended” (if not necessarily mandatory), with an incentivized “training” period. Dr. Donald Berwick, Administrator of CMS, has stated, “Although participation in our pay-for-reporting programs is optional now, it should be regarded as imperative in terms of medical professionals’ shared goal of improving quality of care and patient safety.”2 Dr. Berwick then challenged health care providers to begin participating, if they had not already.

But, participants have had mixed success with the program. In 2009, out of a total 210,559 participating physicians, only 119,804 physicians (approximately 57%) actually received incentive payments, for reasons explained more fully below.3 Given the changing impact of this program, beginning with rewards but eventually changing to a 2% penalty on Part B payments, practices should understand the risks of participation.

Program overview

Participation in PQRS is open to physicians (defined as doctors of medicine, osteopathy, podiatric medicine, optometry, dentistry, oral surgery, and chiropractic) and non-physician practitioners (defined to include physician assistants, nurse practitioners, clinical nurse specialists, certified registered nurse anesthetists and anesthesiologist assistants, certified nurse midwives, clinical social workers, clinical psychologists, registered dieticians, nutritional professionals, audiologists, physical therapists, occupational therapists, and qualified speech-language therapists) who submit claims payable under the Medicare Physician Fee Schedule (collectively referred to as “eligible professionals”). Eligible professionals are not required to enroll in PQRS as long as they already participate in Medicare; they merely report the data in the prescribed manner.

The process of actually reporting is relatively simple in theory, but may prove difficult in practice. The quality measures themselves consist of a unique denominator (such as the total number of patients who have a given condition) and a numerator (such as the number of patients with that condition who received a given treatment), which allow for calculation of a percentage. Participating physicians currently select from 200 measures on which to report. The determination of eligibility for the incentive payment takes into account the volume of claims with proper reports. Issues range from percentage of final reports for fluoroscopic procedures that include documentation of radiation exposure or exposure time; to percentage of patients diagnosed with diabetes mellitus aged 18 through 75 who had a dilated eye exam; to percentage of patient visits (without regard to patient age) where patients had a diagnosis of cancer, were receiving chemotherapy or radiation therapy, and where pain intensity was quantified. After selecting the measures on which to report, the physician must then report in accordance with the measure’s requirements.

Individual physicians may report using several different mechanisms, such as claims reporting, or through a qualified registry, as well as by electronic health record (EHR). A group practice reporting option is also available. However, to actually qualify for payment, the reporting physician must report for a specific period of time, the length of which depends upon the method of reporting. Physicians report on a claim-by-claim basis by including a quality-measure code (also known as a quality data code or QDC) on the claims form. By contrast, when using the registry option, the registry itself reports the QDCs, but the physician or practice must be using a qualified registry.

Depending on the nature of information reported and the method of reporting, reports must generally be submitted during either a 12-month or 6-month reporting period, based on the calendar year. For claims-based reporting, a participating physician must report on 50% or more of applicable Medicare Part B fee-for-service patients on at least three individual measures, or on each measure if fewer than three measures apply to the eligible professional. Alternatively, the physician may report by measures group (i.e., a group of several measures for a specific condition or treatment, such as asthma or preventive care measures) on 50% or more of at least eight patients for a measures group. For registry-based reporting, the physician must submit data on 80% or more of patients on at least three measures, or if reporting by measures group, on 80% or more of at least eight patients for a measures group. Methods such as group practice reporting or EHR-based reporting require a 12-month reporting period. Practically speaking, a longer reporting period allows more time to correct problems as they are discovered, and still submit a sufficient number of correct reports to qualify for the bonus.

The CMS website has useful documentation describing how to initially participate in PQRS, and addresses specific reporting requirements for each of these measures. However, physicians must remain careful to avoid the potential complications that may arise in reporting.

Potential reporting pitfalls

As with general billing, reporting PQRS codes carries certain inherent risks. If physicians fail to properly report codes, at best they will waste time and effort in the reporting process, and at worst may potentially expose themselves to false claims liability.

In 2009, 85% of physicians who submitted data submitted at least one instance with invalid QDCs, and 4% submitted all of their data with invalid QDCs. For this same reporting period, the most common cause of QDC errors was a QDC reported on a claim with an incorrect HCPCS code. Other causes of errors included submitting QDCs with an incorrect diagnosis, submitting with both an incorrect diagnosis and incorrect procedure code, or submitting with an age or gender mismatch.

Managing ongoing compliance with respect to PQRS claims can be difficult. The system does not offer ongoing feedback as to whether measures are being correctly reported. If a practice is reporting using outdated QDCs from a previous year, for example, it may not be informed of this fact until after the program has ended for the year when it discovers that none of its reporting will be counted. Moreover, if the PQRS measure is reported on a claim where the service itself is billed improperly, the PQRS measure is not counted for purposes of determining bonus eligibility. These concerns raise both practical and legal considerations, which means that PQRS reporting should be addressed in the practice’s compliance program.

On a practical level, not only is proper reporting of the PQRS measures a challenge, practices must be sure they have properly submitted the underlying claims. If either the underlying claim or the PQRS measure is miscoded, the practice will receive no credit for the reporting of the measure towards the year-end tally, which could ultimately threaten the practice’s eligibility for incentive payment. Although practices have some leeway for improper reporting (e.g., when reporting claims-based measures, reports must be submitted properly on only 50% of patients, using three measures), without ongoing oversight, a practice may only realize that erroneous codes were submitted when there is insufficient time to remedy the problem.

On a legal level, however, PQRS presents a thornier proposition, given the potential for False Claims Act liability. In general, when a practice receives an overpayment for improperly submitted claims, it is required by law to return the overpayment within 60 days of its identification. Retaining the funds beyond the 60-day period can result in False Claims Act liability.

For example, consider a scenario in which a physician in a practice participates for a year, reporting PQRS codes through claims submission. In addition to two other selections, the physician reports on Measure #111 – percentage of patients aged 65 or older who have ever received a pneumococcal vaccine. The measure must be reported at least once per measuring period per patient seen during that period. To report the measure, the physician must bill using one of the accepted CPT codes (for example, evaluation and management [E&M] codes like CPT 99212-99215) and must then report whether (a) the vaccine was administered at that visit or ever in the past, (b) the vaccine was not administered or previously received for medical reasons, or (c) the vaccine was not administered or previously received for unknown reasons.

If the practice’s billing staff routinely submits a higher E&M visit code than was warranted for the visit, not only will the payment for the visits be improper, but the PQRS reporting for each visit will not be counted, because the visits will be treated as improperly submitted claims. With respect to PQRS specifically, this scenario presents more of a problem in a post-payment audit than if the practice has not yet received a PQRS incentive payment. The same holds true if the underlying visit is properly billed, but the PQRS reporting is inaccurate (e.g., reporting that the patient had received a vaccine, when no vaccine should have been reported). In such a situation, the question of whether an overpayment exists would turn on the total number of properly submitted QDCs as compared to the total improperly submitted QDCs. If a sufficient number of QDCs were improperly reported, then the incentive payment would be an overpayment.

With respect to False Claims liability specifically, it is unclear how federal authorities will enforce the law. A lone misreported measure probably will not be seen by federal authorities to taint the entire universe of properly reported claims, but a sufficiently large group of improper codes may. With no history of enforcement efforts by CMS or the OIG, it is difficult to quantify the risk involved. However, the potential exists that federal authorities would treat the submission of a large number of knowingly improper claims to which QDCs were attached, or improperly submitted QDCs themselves, as resulting in an overpayment if the physician qualified for incentive payment.

Conclusion

Faced with these types of risks, practices must work to stop problems before they start, rather than trying to resolve them after the fact. Towards this end, practices should include in their compliance programs the PQRS compliance protocols, which are increasingly an enforcement-avoidance imperative, although still not yet legally mandated. Periodic internal “probe audits” may also help catch errors before the reporting period ends, thereby increasing the likelihood of receiving the incentive payment. The practice should ensure that both physicians and billing staff are intimately familiar with the details of how to report PQRS measures, and that the medical record supports both the reported QDCs and the underlying claims. A lawyer who is knowledgeable about compliance matters in general, and PQRS specifically, can help to develop methods by which the practice may better protect itself from inadvertent errors.

1. Patient Protection and Affordable Care Act of 2010, Section 10327.

2. CMS Press release: CMS data show gains in key quality indicators through Physician Quality Reporting System and Eprescribing Incentive Program. April 19, 2011. Available at http://www.cms.gov/apps/media/press/release.asp?Counter=3937&intNumPerPage=10&checkDate=&checkKey=&srchType=1&numDays=3500&srchOpt=0&srchData=&keywordType=All&chkNewsType=1%2C+2%2C+3%2C+4%2C+5&intPage=&showAll=&pYear=&year=&desc=&cboOrder=date.

3. CMS: 2009 Physician Quality Reporting System and eRx Reporting Experience and Trends. April 4, 2011, pp. vi, ix.

4. CMS: PQRS How to Get Started. Available at http://www.cms.gov/PQRS/03_How_To_Get_Started.asp.

5. CMS: 2009 Physician Quality Reporting System and eRx Reporting Experience and Trends, April 4, 2011, p. 19.

6. CMS: 2009 Physician Quality Reporting System and eRx Reporting Experience and Trends, April 4, 2011, p. 20.


Benefits of voluntarily addressing the Red Flags Rule for health care providers

Brian Santo, JD, MPH, CHC

Editor’s note: Brian Santo is a Senior Consultant for Booz Allen Hamilton in Rockville, MD. He may be contacted at [email protected].

The Red Flags Rule requires many businesses to develop and implement a formal, written identity theft prevention program for the purpose of detecting the warning signs or “red flags” of identity theft in their day-to-day operations. The Red Flags Rule legislation was delayed on more than one occasion. When it finally went into effect, the definition of “creditor” had been clarified such that most health care providers will not fall under the Federal Trade Commission’s (FTC) definition of “creditors” as identified in the Federal Register. Formal policies and procedures on preventing and dealing with identity theft may no longer be mandated by regulation, but these policies are still a good idea for health care providers.

Legislative timeline of the Red Flags Rule

In November 2007, the FTC issued extensive regulations aimed at deterring, detecting, and preventing identity theft. Under these rules, known as the Red Flags Rule (16 C.F.R. § 681.1 et seq.), financial institutions and creditors of covered accounts must establish a program to detect, prevent, and mitigate identity theft.

The Red Flags Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The FTC issued several enforcement policies that delayed enforcement of the Red Flags Rule. The FTC announced in October 2009 that, at the request of certain members of Congress, it was delaying enforcement of the Red Flags Rule until June 1, 2010. The FTC further delayed enforcement of the Red Flags Rule through December 31, 2010, while Congress considered legislation that would affect the scope of covered entities.1

On December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act of 2010 (S.3987, the Clarification Act). The Clarification Act limits the scope and application of the Red Flags Rule to creditors that regularly and in the ordinary course of business:

• obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;

• furnish information to consumer reporting agencies in connection with a credit transaction; or

• advance funds to or on behalf of a person, based on a person’s obligation to repay the funds or on repayment from specific property pledged by or on the person’s behalf.2

The revised definition of “creditor” excludes entities “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”3 This exclusion addressed a widespread concern that the original definition improperly extended the Red Flags Rule’s scope to implicate entities not usually thought of as creditors, including health care providers.

A federal appeals court dismissed a lawsuit brought by the American Bar Association (ABA) against the FTC’s enforcement activity versus doctors, lawyers, and other professionals. Organized medicine also sued the FTC and filed amicus briefs in the ABA lawsuit. The United States Court of Appeals for the District of Columbia dismissed the case because the intervening Clarification Act made the case moot.4

The rule’s interpretation and requirements

The Red Flags Rule was established under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs that help identify, detect, and respond to patterns, practices, or specific activities (known as red flags) that could indicate identity theft.1 The scope of the Red Flags Rule and the FTC’s initial interpretation indicated that the rules would apply to many participants in the health care industry.

Before enactment of the Clarification Act, a health care provider was thought to be covered by the Red Flags Rule if it was a “creditor” that offers or maintains “covered accounts.” The law clarified that a “creditor” is any entity that regularly accepts deferred payment for goods and services, an “account” means a continuous relationship established by a person with a creditor to obtain a product or service, and a “covered account” means an account designed to permit multiple payments or transactions, as well as any other account for which there is a reasonably foreseeable risk of identity theft.5

The Red Flags Rule includes some basic requirements for establishing and overseeing a Red Flags program, including:

1. The program must be in writing.

2. The program must include reasonable policies and procedures to:

   (a) identify relevant red flags, and incorporate those red flags into the program;

   (b) detect red flags that have been incorporated into the program;

   (c) respond appropriately to any red flags that are detected; and

   (d) ensure the program is updated periodically.

3. The program must be appropriate to the size and complexity of the organization and to the nature and scope of its activities.

4. The organization must consider the FTC’s Red Flags interpretive guidelines when establishing its Red Flags program, and include the elements of the FTC’s guidelines into the Red Flags program, as appropriate.

5. The program must be formally approved, and regularly reviewed, by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management. Administration of the program must include staff training to effectively implement the program, and must also include oversight of relevant service provider arrangements.

6. The creditor must periodically conduct risk assessments to determine whether it offers or maintains covered accounts. The risk assessment must take into consideration the methods that the organization provides for opening and accessing its accounts, as well as the organization’s previous experiences with identity theft.6

Benefits of enacting voluntary Red Flags Rule provisions

As stated, the Clarification Act expounded that health care providers are not classified as creditors, because they essentially fail to offer or maintain accounts that pose a risk of identity theft. The revised definition of “creditor” excludes those “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”

However, the problem is that medical identity theft exists.


Nearly 1.5 million Americans have been victims of medical identity theft with an estimated total cost of $28.6 billion, or approximately $20,000 per victim. The Department of Health and Human Services also allocated $1.7 billion for fraud detection in 2011. Identity Theft Resource Center 2009 Data Breach statistics show 68 reported health care data breaches in the United States that put more than 11.3 million patient records at risk of exposure.7

Various red flags may arise in the health care setting. For example:

• A complaint or question from a patient based on the patient’s receipt of:
  ◦ a bill for another individual;
  ◦ a bill for a product or service that the patient denies receiving;
  ◦ a bill from a health care provider that the patient never patronized; or
  ◦ a notice of insurance benefits for health services never received.

• Records showing medical treatment that is inconsistent with the physical examination or a medical history as reported by the patient.

• A dispute of a bill by a patient who claims to be the victim of any type of identity theft.

• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.5

Moreover, the new law does not specify that physician practices or other health care organizations are exempt from the Red Flags Rule; it simply clarifies the definitions of a creditor in ways that most Congressmen and Senators claim exempt health care organizations.8 The law highlights creditors that routinely pull credit reports on existing or potential customers, as many health care entities do.

Health care providers should utilize compliance policies and procedures formed to comply with the Red Flags Rule. Providers still hold a duty to safeguard the confidentiality of patient information, and an organization that had a policy—and then stopped using it because of a relaxation in the law—may be particularly vulnerable to claims that it could have prevented someone’s identity theft.8

Thus, physicians and health plans should not use the new law to skirt responsibility for protecting personal information. Medical offices are not required to implement Red Flags compliance programs, but it makes sense to have policies and procedures in place to mitigate the risk of identity theft targeted at patient accounts.

1. Federal Trade Commission: “FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule.” May 28, 2010. Available at http://www.ftc.gov/opa/2010/05/redflags.shtm

2. American Medical Association: “Red Flags Rule: New Law Clarifies Who is Subject to the Red Flags Rule.” Available at http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/practice-management-center/data-security/red-flags-rule.page

3. Hunton & Williams LLP: “President Obama Signs Red Flag Program Clarification Act.” December 20, 2010, Privacy & Information Security Law Blog. Available at http://www.huntonprivacyblog.com/tag/red-flags-rule-2/

4. Fierce Healthcare: “Court decision ends Red Flags Rule dispute, AMA says.” Available at http://www.fiercehealthcare.com/print/node/54613.

5. Rath Young Pignatelli: “Health Care Providers’ Obligations under the FTC’s Red Flag Rules: What providers need to know.” Available at http://www.rathlaw.com/assets/attachments/66.pdf.

6. Alissa Smith: “The Red Flag Rules’ Application to the Healthcare Industry.” Dorsey & Whitney LLP, October 7, 2008. Available at http://www.dorsey.com/red_flag_rules/

7. “SCA: Medical ID theft one of the fastest growing crimes.” Secure ID News, April 1, 2010. Available at http://www.secure-idnews.com/2010/04/01/sca-medical-id-theft-one-of-fastest-growing-crimes

8. Jim Hook: “The Red Flags Rule Doesn’t Apply to Physician and Healthcare Organizations. ‘Really?’” The Fox Group, LLC, December 11, 2010. Available at http://www.foxgrp.com/blog/red-flags-rule-doesnt-apply-to-physician-and-healthcare-organizations-really/


Conflict of interest final rule demands transparency, accountability

By William Sacks

Editor’s note: William Sacks is the Co-founder and Vice President of Health Care Compliance Strategies in Jericho, New York. He may be contacted at [email protected].

On August 23, 2011, the Department of Health and Human Services (HHS) published its final rule on financial conflict of interest (FCOI). These regulations introduce new transparency and accountability guidelines for research institutions seeking and receiving Public Health Service (PHS) funds from the National Institutes of Health (NIH).

Many organizations, however, may not be prepared for the stringent reporting and review demands, or may not have a process in place to identify new FCOI among their physicians and other investigators. Institutions with research investigators who have significant financial interests (SFI) in pharmaceutical, medical device, or other companies will need updated, accurate, and easily accessible data for public information requests and to form their FCOI management plans.

The compliance deadline is August 24, 2012. Institutions that haven’t updated their FCOI processes since the first set of HHS regulations in 1995 will need to start developing new disclosure processes immediately to meet the compliance date. This article will present an overview of the final rule, help institutions understand the increasingly stringent FCOI disclosure requirements, and offer practical strategies for efficiently managing FCOI disclosures within the new regulatory guidelines.

Industry money influences research

Until the 1990s, research institutions and government agencies seldom recognized industry funding as an influence on clinical research. However, as public research funding became more competitive, the relationships and interdependency among academic researchers and industry deepened. For example, financial support of biomedical research rose from $37.1 billion in 1994 to $101.1 billion in 2007, with industry sources providing 58% of the amount spent in 2007, according to the results of a study published in the Journal of the American Medical Association in 2010.1

In 1995, HHS released its first set of regulations regarding conflicts of interest. The guidelines instructed institutions to have an up-to-date, written and enforced administrative process to identify and manage FCOI—but it only asked organizations to certify that they had a process in place. The process could be as simple as asking researchers if they had any conflicts of interest, not whether they received any industry money for consulting or how much. Even today, some major research universities still determine conflicts of interest by asking investigators to respond to a simple “yes or no” question.

In addition to the increased amounts of research funding available, new public awareness about industry influence has become a driving force behind new regulation. In 2008, two front-page articles in The New York Times featured prominent psychiatrists who together collected more than $4 million in compensation from drug makers for consulting and speaking about their products. That same year, the U.S. Senate Special Committee on Aging held hearings that examined physicians’ relationships with pharmaceutical and medical device companies.


Final rule demands greater detail

The HHS final rule makes several changes to the 1995 regulations. The new regulations redefine SFI as any remuneration or equity interest in a publicly traded company that exceeds $5,000 when aggregated over 12 months prior to the date of disclosure, regardless of whether it is related to specific PHS funding. Also included is any equity interest in a non-public company, and certain intellectual property rights. This threshold has been reduced from the $10,000 annual limit specified in the 1995 regulation. Keep in mind that the SFI can be that of the investigator, his/her spouse, or dependent children.

Also new in the final rule: Travel that is reimbursed or sponsored by an entity other than a govern-ment agency, an institution of higher education, or its affiliates must be included in the financial disclosures.

The rule requires institutions to have a process in place to determine which SFI are to be considered FCOI, and to describe what steps will be taken if relevant FCOI is found among investigators and other involved staff. The institution must then create a management plan to mitigate that conflict, which can include, but is not limited to:

• Disclosure of FCOI to participants;
• Appointment of an independent monitor capable of taking measures to protect the design, conduct, and reporting of the research against bias resulting from the FCOI;
• Modification of the research plan if FCOI is determined;
• Change of personnel or personnel responsibilities, or disqualification of personnel from participation in all or a portion of the research;
• Reduction or elimination of the financial interest (such as sale of an equity interest); and
• Severance of relationships that create financial conflicts.

Institutions must report any investigator FCOI prior to expenditure of PHS funds and certify that a management plan has been implemented at the time of the report.

Another significant change in the final rule is that each investigator must complete training prior to engaging in research related to any PHS funding, and re-train at least every four years. Training also must occur immediately when an institution’s FCOI policies change, an investigator is new to an organization, or if an investigator is noncompliant with an institution’s FCOI policy or management plan.

It is interesting to note that the proposed version of the HHS rule required institutions to disclose financial interests on a publicly available website. After the comment period, however, that requirement was changed to allow institutions to respond to a written request within five days. Still, PHS officials may inquire at any time (before, during, or after an award) into any investigator’s disclosure of financial interests and the institution’s response. Data flexibility and accessibility, therefore, will be key factors in enabling compliance.

Best practices ensure compliance

Once the final rule takes effect in August 2012, the consequences for noncompliance include ineligibility for PHS funding, which could be devastating to research-driven organizations. That is why compliance with the new FCOI regulations must start with senior leadership championing the issue. With senior leadership’s endorsement, an institution will be better able to secure the financial resources needed to update its technology infrastructure. Institutions will need to develop or acquire an automated system for collecting financial disclosure information, so they can identify and manage conflicts and generate required reports.

Institutions should have a process in place to collect information through an annual financial disclosure form, as well as on a transactional basis. This will enable researchers to update disclosures and conflict status as it relates to specific grant applications or renewals. An electronic database, where a user can input financial disclosure information on-demand, will help institutions more quickly and easily comply with PHS and public requests for FCOI information. Moreover, having a robust and accessible database can help institutions maintain the most current financial disclosure information for investigators and other key staff.

The good news is that the cost of implementing changes to comply with the final rule is an allowable cost that may be eligible for reimbursement as a facilities and administrative cost on PHS-supported funding. This could offset some portion of the cost burdens of implementation.

Health care organizations have their attention divided in many directions, including implementing electronic health records, updating systems for ICD-10, and forming Accountable Care Organizations—all expensive initiatives. Institutions cannot afford to let FCOI noncompliance stand in the way of their research funding at a time when it’s needed more than ever.

1. E. Ray Dorsey, Jason de Roulet, Joel P. Thompson, Jason I. Reminick, et al: “Funding of US Biomedical Research, 2003-2008.” JAMA, 2010;303(2):137-143


Feature Focus: 2012 OIG Work Plan: Part 2, Additional OIG reviews

By Sara Kay Wheeler and Stephanie F. Johnson

Editor’s note: Sara Kay Wheeler is a Partner in King & Spalding’s Healthcare Practice Group in Atlanta and may be contacted at [email protected].

Stephanie F. Johnson is an Attorney in King & Spalding’s Healthcare Practice Group in Atlanta and may be contacted at [email protected].

Part 1 of this article appeared in the January 2012 issue of Compliance Today.

Part 1 of this article focused on Department of Health and Human Services (HHS), Office of Inspector General (OIG) reviews by provider and supplier type. This article highlights additional OIG reviews, including reviews assessing government contractors, the Medicare appeals process, and the Medicare Advantage, Medicare Part D, and Medicaid programs.

Government contractors

Similar to the 2011 OIG Work Plan, the 2012 OIG Work Plan¹ includes several activities or projects designed to assess the effectiveness of various government contractor engagements. As providers and suppliers are well-aware, the number of Medicare- and Medicaid-affiliated government contractors that have been charged with detecting fraudulent and abusive practices by enrolled providers has dramatically expanded over the past few years. The OIG’s 2012 Work Plan includes several projects focused on the effort and effectiveness of contractors, including the following. (Descriptions in this section of the article are not designed to be exhaustive.)

Contractor error rate reduction plans (new)

OIG will examine the extent to which Medicare contractors have implemented error rate reduction plans and the extent to which such plans have resulted in lower error rates for contractors. OIG also intends to assess CMS’s oversight of the contractor error rate reduction process. (Part I, p. 28)

ZPIC fraud and abuse activities

Zone Program Integrity Contractors (ZPICs) are charged with identifying potential fraud and abuse. OIG will continue to review the extent to which ZPICs performed program integrity activities including investigations, case referrals, requests for information, and administrative actions. OIG will further review any barriers ZPICs encountered in performing their program integrity activities, and any barriers affecting CMS oversight of ZPICs. (Part I, p. 29)

Vulnerabilities identified by benefit integrity contractors

OIG will assess the manner by which CMS addresses potential vulnerabilities that are identified by Program Safeguard Contractors (PSCs), ZPICs, and Medicare Drug Integrity Contractors (MEDICs). Specifically, OIG will determine the numbers and types of actions CMS pursued to address the vulnerabilities identified by such contractors. PSCs and ZPICs are currently required to report vulnerabilities to CMS on monthly cost reports and on quarterly vulnerability reports, and MEDICs are required to submit quarterly vulnerability reports. (Part I, p. 29)

RACs’ identification and recoupment of improper payments

OIG will continue to assess the performance of the Medicare Parts A and B Recovery Audit Contractor (A/B RAC) program and CMS’s oversight of this program. Healthcare reform expanded the RAC program to the Medicaid and Medicare Parts C and D programs. OIG recently released a report on the permanent Medicare A/B RAC program.² According to the report, A/B RACs identified and corrected $92.3 million in improper payments (both overpayments and underpayments) in fiscal year (FY) 2010. (Part I, p. 29)

Medicare-affiliated contractors’ PCA

Many providers and suppliers are now familiar with the potential administrative burden associated with undergoing prepayment review. OIG will review the progressive corrective action (PCA) provider education and training programs conducted by Medicare-affiliated contractors to determine whether such programs have reduced billing and payment error rates and noncompliance. Also, OIG will assess CMS’s processes for overseeing the education and training programs of affiliated contractors. CMS also recently announced a Medicare A/B RAC prepayment demonstration. Although Medicare Administrative Contractors (MACs) and ZPICs are authorized to conduct prepayment reviews, A/B RACs have historically been limited to post-payment reviews. The A/B RAC prepayment demonstration will operate in seven “high-error” and “high-fraud states” (California, Florida, Michigan, Texas, New York, Louisiana, and Illinois), and four states with high volumes of claims for short inpatient hospital stays (Pennsylvania, Ohio, North Carolina, and Missouri). (Part I, p. 30)

CERT program: FY 2011 error rate oversight

OIG will review certain aspects of the Comprehensive Error Rate Testing (CERT) program to evaluate CMS’s efforts to ensure the accuracy of the FY 2011 error rate and to reduce improper payments. OIG notes that the CERT program’s national estimated improper payments for FY 2010 were $34.3 billion, which equates to a 10.5% error rate. (Part I, p. 33)

MEDICs’ program integrity activities in Part D (new)

OIG will evaluate the operations of the MEDICs to provide an update on previously identified fraud and abuse issues, a functional realignment, and MEDICs’ fulfillment of additional responsibilities for the Medicare Part C and D programs. (Part II, p. 11)

Early results from MICs

As the provider and supplier communities are aware, states are required to implement Medicaid RAC programs by January 1, 2012. CMS clarified in the final rule that Medicaid RACs are not intended to replace Medicaid Integrity Contractors (MICs).³ Accordingly, OIG will continue to review the progress of MICs in completing the program integrity tasks outlined in their contracts. OIG will also examine the results of the MICs’ work. (Part III, p. 12)

Appeals

As contractor activity increases and matures, providers and suppliers are more involved in the Medicare appeals process. The Medicare appeals process can pose additional challenges to providers and suppliers. For example, as seen in the Medicare A/B RAC program, there is occasionally a lag between the issuance of the remittance advice by the MAC and the issuance of the demand letter that outlines the provider’s or supplier’s appeal rights by the RAC. In some instances, MACs have allegedly calculated appeal deadlines incorrectly, based on the date of the remittance advice rather than the date of the demand letter, and inappropriately dismissed appeals as a result. It is worth noting that beginning January 3, 2012, MACs will issue demand letters for RAC reviews.

In addition, MACs sometimes initiate recoupment despite having received a timely appeal limiting recoupment. Although the OIG Work Plan does not address all, or even a majority, of the challenges faced by providers in the Medicare appeals process, the Work Plan includes a few issues focused on this process.

First level of the Medicare appeals process

Medicare contractors typically have 60 days to issue a redetermination decision unless additional evidence has been submitted which extends the deadline by 14 days.⁴ Providers and suppliers, however, have little recourse if the contractor does not issue a timely decision. OIG will review the timeliness of Medicare contractors’ redetermination decisions. OIG will also review the processes that Medicare contractors use to conduct first-level Medicare appeals. (Part I, p. 32)

Medicare administrative law judge decisions

OIG will assess the characteristics of cases decided by Medicare administrative law judges (ALJs) in FY 2010. OIG will also describe how Medicare ALJs review and decide cases, and the extent to which CMS and its contractors participate in ALJ hearings. To conduct its review, the OIG will evaluate case files from recent ALJ hearings and will interview relevant HHS Office of Medicare Hearings and Appeals (OMHA) and CMS officials. (Part I, pp. 32-33)

Medicare Advantage

With regard to Medicare Advantage, the 2012 OIG Work Plan establishes as priorities, among others, Medicare Advantage plans’ identification of fraudulent or abusive activity.

Medicare Advantage organizations’ oversight of contractors

OIG will assess Medicare Advantage organizations’ oversight of contractors that provide enrollees benefits, such as prescription drugs and mental health services. Specifically, OIG will determine the extent to which Medicare Advantage organizations oversee and monitor their network participants’ compliance with regulations and examine the processes the Medicare Advantage organizations use to ensure that such participants fulfill their contractual obligations. (Part II, p. 4)

Medicare Advantage organizations’ identification of potential fraud and abuse

Medicare Advantage organizations are required to independently maintain compliance plans that include measures to detect, correct, and prevent fraud, waste, and abuse. OIG will review the extent to which potential fraud and abuse incidents were identified and addressed by Medicare Advantage organizations in 2009. For incidents that have potential for fraud and abuse, OIG will also determine whether Medicare Advantage organizations conducted inquiries, initiated corrective actions, or referred the incidents for further investigation. (Part II, p. 4)

Enhanced payments to plans for certain beneficiary types

OIG will review the appropriateness of Medicare Advantage reimbursement for beneficiaries classified as institutionalized, end stage renal disease (ESRD), or Medicaid eligible. OIG will also assess the impact of inaccurate or invalid classification of beneficiaries on Medicare payments to Medicare Advantage plans. (Part II, p. 1)

Enrollment of Medicare beneficiaries who have chronic conditions

OIG will review Special Needs Plans’ compliance with chronic condition enrollment requirements. OIG will also examine CMS’s oversight of Special Needs Plans’ enrollment practices. (Part II, p. 1-2)

Duplicate payments for drugs by Parts C and D for institutionalized beneficiaries

OIG will assess the extent to which certain drugs for institutionalized beneficiaries that should have been covered under Part C payments to Medicare Advantage plans in 2008 were reimbursed by Medicare Part D. To conduct its review, OIG will match information on Part C drugs negotiated between Medicare Advantage plans and CMS against Part D payment data. Matches in the data will represent potential duplicate payments, according to the OIG. Medicare Part D coverage does not extend to drugs covered under Medicare Part A and Part B, including drugs for beneficiaries in Part A skilled nursing facilities (SNF) stays, because drugs used during SNF stays are typically covered under Medicare Part A. (Part II, p. 2-3)

Medicare Part D

Duplicate Medicare Part D claims

OIG will review Medicare Part D claims to determine whether Part D claims were duplicated in Medicare Part A or Part B. OIG will further determine the extent to which payments for the sampled Part D claims were correct and supported. (Part II, p. 5)

Part D payments for drugs dispensed at retail pharmacies with discount generic programs (new)

OIG will determine whether Part D claims were paid at the discounted prices available at certain retail pharmacies, and whether the Plan Finder website⁵ is accurately reporting these prices to beneficiaries. OIG notes that in 2006, several retail chain pharmacies began offering certain generic drugs at discounted prices and, generally, sponsors should also pay these discounted prices if their contracts include a “usual and customary” clause. OIG further provides that these prices should also be reflected in CMS’s Plan Finder website, which assists beneficiaries in selecting a prescription drug plan based on estimates of costs and coverage. (Part II, p. 6)

Duplicate drug claims for hospice beneficiaries

OIG will assess the appropriateness of drug claims for individuals who are receiving hospice benefits under Medicare Part A and drug coverage under Medicare Part D. Specifically, OIG will determine whether payments under Medicare Part D are accurate, supported, and not duplicated in hospice per diem amounts. OIG will also determine the extent of any duplication found and identify controls to prevent duplicate drug payments. (Part II, p. 6)

Refills of Schedule II drugs (new)

OIG will review the prescription drug event (PDE) records for Schedule II drugs to determine whether Part D sponsors are in compliance with federal regulations that prohibit refills of prescriptions for Schedule II drugs. (Part II, p. 7)

Utilization management controls in Medicare Part D (new)

OIG will determine the extent to which Part D plan sponsors are applying utilization management controls for drugs on their formularies that are not approved by CMS. The OIG’s review will also assess CMS’s oversight in monitoring, detecting, and preventing non-CMS-approved utilization management controls used by Medicare Part D sponsors. (Part II, p. 9)

Sponsors’ internal controls for fraud, waste, and abuse

OIG will assess the reliability of Medicare Part D sponsors’ internal controls to guard against fraud, waste, and abuse. Federal law requires Part D sponsors to have such internal controls. (Part II, p. 11)

Medicaid

Home health services: Homebound requirements (new)

OIG will review CMS policies and practices for reviewing the sections of Medicaid state plans related to eligibility for home health services and will identify the number of states that violate federal regulations by inappropriately restricting eligibility for home health services to homebound recipients. (Part III, p. 6)

Hospice services: Compliance with reimbursement requirements (new)

OIG will review Medicaid payments for hospice services to determine whether such payments complied with federal reimbursement requirements. Medicaid may cover hospice services for individuals with terminal illnesses. According to the OIG, FY 2010 hospice Medicaid payments totaled more than $816 million. (Part III, p. 9)

Potentially excessive Medicaid payments for inpatient and outpatient services

OIG will review state controls to detect potentially excessive Medicaid payments to institutional providers for inpatient and outpatient services. OIG comments that its previous review of Medicare inpatient and outpatient claims concluded that many excessive payments to the hospitals were attributable to billing errors on the submitted claims, such as inaccuracies in diagnosis codes, admission codes, discharge codes, procedure codes, charges, Healthcare Common Procedure Coding System (HCPCS) codes, and number of units billed. (Part III, p. 9)

Vulnerabilities identified during Medicaid state program integrity reviews (new)

OIG will review corrective actions that state Medicaid agencies have implemented to address the findings and recommendations from state Medicaid program integrity reviews conducted by CMS. OIG will also examine why states may not have implemented all the recommended corrective actions. In addition, OIG intends to review the follow-up that CMS performed to ensure that appropriate corrective actions were taken by the states, and examine the evidence CMS reviews to confirm that corrective actions were implemented. (Part III, p. 12)

State Medicaid Fraud Control Units performance standards

OIG will assess the overall management, operations, and performance of State Medicaid Fraud Control Units (MFCUs).⁶ OIG will also determine the extent to which state MFCUs operate in accordance with the twelve published performance standards and identify areas for improvement in the MFCUs’ management and operations. (Part III, p. 13)

Federally excluded providers and suppliers

OIG will review Medicaid payments to providers and suppliers to determine the extent to which payments were for services performed by providers or goods procured from suppliers that were excluded from Medicaid. Excluded providers and suppliers are not permitted to receive payments for services provided during periods of exclusion. (Part III, p. 14)

MCOs’ use of prepayment reviews

OIG will review the extent to which Medicaid Managed Care Organizations (MCOs) use prepayment reviews to detect and deter fraud and abuse. OIG also intends to examine the results of MCO prepayment reviews, the challenges addressed in developing and implementing the prepayment programs, and lessons MCOs learned about the prepayment reviews. OIG notes that prepayment reviews can serve as effective fraud and abuse safeguards because they occur during the claims-processing phase, prior to claim payment. (Part III, p. 22)

Conclusion

The OIG Work Plan is an important tool that can be used to help shape effective compliance agendas. As providers and suppliers continue to encounter escalating government expectations regarding their compliance programs, the 2012 OIG Work Plan should assist providers and suppliers in their assessment of compliance program initiatives.

1. Office of Inspector General, Work Plan for Fiscal Year 2012. Available at http://oig.hhs.gov/reports-and-publications/archives/workplan/2012/Work-Plan-2012.pdf

2. The report is available at https://www.cms.gov/recovery-audit-program/downloads/fy2010reportcongress.pdf

3. Recovery Audit Contractors, 76 Fed. Reg. 57808 (Sept. 16, 2011) (to be codified at 42 C.F.R. Part 455).

4. See 42 CFR 405.946(b).

5. The Medicare Plan Finder website is available at https://www.medicare.gov/find-a-plan/questions/home.aspx.

6. OIG: Proposed Revision of Performance Standards for State Medicaid Fraud Control Units. 76 Fed. Reg. 62074 (Oct. 6, 2011).

Learn more & register at www.hcca-info.org

San Antonio, TXMarch 26–29, 2012

Scottsdale, AZJune 4–7, 2012

New York, NYAugust 6–9, 2012

Las Vegas, NVSeptember 10–13, 2012

Boston, MAOctober 1–4, 2012

Orlando, FLNovember 5–8, 2012

San Diego, CADecember 10–13, 2012

Boston, MAAugust 13–16, 2012

San Antonio, TXMarch 12–15, 2012

Orlando, FLOctober 22–25, 2012

2012Registration for each Academy is limited to 75 attendeesHCCA’s Compliance Academy is a four-day intensive program focusing on subject areas at the heart of health care compliance practice. Courses are designed for participants who have a basic knowledge of compliance concepts and some professional experience in a compliance function.

BAsiC CompliAnCe ACADeMieS

Certification exams are offered following each AcademyBe recognized for your experience and knowledge in health care compliance! Take advantage of the opportunity to sit for an optional certification exam on the last day of your Academy. Get Certified in Healthcare Compliance (CHC)® at the Basic Compliance Academy, Certified in Healthcare Research Compliance (CHRC)® at the Research Academy, or Certified in Healthcare privacy Compliance (CHpC)® at the privacy Academy.

ReseaRch Basic compliance academy

pRivacy Basic compliance academies

Basic compliance academies

San Diego, CAJune 25–28, 2012

2012AllAcademies_1page_2C_CT-Feb.indd 1 1/9/2012 3:12:23 PM

HCCA Training Resources

Guidebooks and videos to train your health care workforce

Compliance and Ethics: An Introduction for Health Care Professionals
HCCA’s top-rated video covers 7 key compliance areas in a 23-minute program. Includes a trainer’s guide with suggested agendas and discussion outlines – suitable for new employee orientations and staff refreshers.

A Supplement to Your Deficit Reduction Act Compliance Training Program
This 13-page handbook offers an easy way to educate your employees about the basics of Medicare and Medicaid, the Federal False Claims Act, and the whistleblower protections that help health care workers fight fraud.

HIPAA Privacy Compliance
This 19-minute video plus 10 participant handbooks offer an in-depth review of the HIPAA Privacy Rule – updated in 2010 with guidelines for the new HITECH mandates.

HIPAA Security Compliance
This 15-minute video plus 10 participant handbooks show how to meet the requirements of the HIPAA Security Rule – updated in 2010 with guidelines for the new HITECH mandates.

EMTALA 911: On Call!
This 15-minute video plus 10 participant handbooks review EMTALA requirements for any facility that has walk-in patients with urgent care needs.

HCCA HIPAA Training Handbook
This 36-page guide offers essential, basic knowledge of privacy and security regulations governed by HIPAA and HITECH that front-line health care workers need.

A Compelling Case for Clinical Documentation
Enhance quality of care and reimbursement processing with this award-winning training program that gives physicians the tools needed to consistently produce higher quality clinical documentation.

Guide to Resident Compliance Training
This guide offers a complete training program designed to introduce resident physicians to key compliance concepts.

Visit the HCCA store at www.hcca-info.org, or call 888-580-8373.


Editor’s note: Kelly Nueske is a Managing Director of Enterprise Risk Services, Internal Audit & Compliance at Sinaiko Healthcare Consulting, Inc., a Reimbursement Services Division of Altegra Health in Los Angeles. Kelly may be contacted at [email protected].

Part 1 of this article appeared in the December 2011 issue of Compliance Today.

In Part 1, we discussed an overview of how we progressed to the regulatory environment we operate within today and the fundamentals of internal controls. As a refresher around regulatory expectations related to internal controls and monitoring, the following is the Office of the Inspector General’s (OIG’s) introduction to the program guidance section, as posted on their website:

OIG has developed a series of voluntary compliance program guidance documents directed at various segments of the health care industry, such as hospitals, nursing homes, third-party billers and durable medical equipment suppliers, to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements. (Emphasis added)

I have the utmost respect for our federal government, but I feel the need to clarify the emphasized phrase in their website introduction. The statement “use of internal control systems to monitor” is not exactly how it works. An internal control structure is the foundation of sound business practices, and monitoring is a process to validate the internal control structure is functioning as intended to prevent errors, fraud, waste, and abuse. Monitoring is one of the five elements of the COSO Internal Control Framework.1

Monitoring

Merriam-Webster’s Collegiate Dictionary defines monitoring as “to watch, keep track of, or check, usually for a special purpose.” As it relates to an organization’s compliance program, monitoring should be periodic and focus on the organization’s compliance risk areas. The OIG Annual Work Plan can be used as one tool to identify potential compliance risk areas, but an organization should not focus on the Work Plan to the exclusion of other risk indicators, such as RAC requests and payer denials, which play an equal role in determining focus areas.

Another effective tool used to identify compliance risks is conducting an annual risk assessment involving departments or processes that have experienced a significant amount of change. Change creates some level of risk, because it means new processes, tools, people, or a combination of the three.

Common compliance risk areas that could be monitored include physician or focus arrangements, joint ventures, billing and/or coding processes, cost reporting, marketing, physician ordering patterns, or compliance program processes. When an organization decides to monitor a risk area, there should be a foundational monitoring policy which sets parameters for the overall process.

How internal controls support compliant business practices, Part 2: Auditing & monitoring

By Kelly Nueske


The policy would address:
• the need for specific and measurable monitoring criteria;
• acceptable accuracy thresholds and organizational expectations when a threshold is not met;
• reporting requirements, including frequency and escalation, if accuracy thresholds are not met; and
• corrective action plan requirements, if accuracy thresholds are not met.

A common concern expressed by management is the lack of both time and resources to adequately conduct monitoring activities. The problem with this thought process is that compliance monitoring in health care shouldn’t be thought of as an additional task. Monitoring focuses on “checking” the effectiveness of internal controls and is the foundation of effective operations that were around long before compliance programs existed. The key is to determine what management is already monitoring, to identify the activities that are associated with compliance risk areas, and to package them together for reporting.

In my experience, when risk areas are identified by Compliance, that same risk area had already been identified by management, and as a result, some level of monitoring is already underway. However, there are times this is not the case, and a new monitoring process needs to be established as a necessary measure.

Monitoring data can be overwhelming; therefore, it should be packaged in such a manner that compliance committees, senior management, and the board can easily understand the status of the risk area. What often works well is a dashboard-type illustration of the monitoring results over time. Figure 1 (on pages 44-45) is a snapshot example of how monitoring results could be reported to provide a more visual perspective of the results.

Another important point to remember is that just because an organization starts monitoring a compliance risk area, that does not mean it should go on indefinitely. If a risk area is stable and demonstrates consistency with achieving the expected accuracy thresholds, then monitoring should be stopped. At this time, management should be able to rely on the internal controls to continue functioning as intended.

All departments should be responsible for monitoring their own areas of responsibility. I have found when working with organizations that monitoring activities often focus on the Compliance department’s operations and not the organization’s operations.

Some examples of operational monitoring include:
• RAC requests and outcomes
• Denial patterns for medical necessity, by provider
• Accurate completion of the Medicare Secondary Payor Questionnaire
• Completion of the Medicare Assignment of Benefits
• Number of unassigned orders in providers’ in-baskets
• Number of privacy or security violations
• Compliance scorecard by business unit

Examples of Compliance department monitoring include:
• Hotline calls received
• Hotline call response time to conclusion
• Percentage of new employees completing compliance education within 30 days of employment
• Pass rate of compliance competency tests, post education

When the entire organization takes accountability for the compliance program and monitoring compliance risk areas, the program can achieve the appropriate level of effectiveness.

Auditing

Merriam-Webster’s Collegiate Dictionary defines audit as “a methodical examination or review.” The financial and internal audit industry states that auditing should be done by a person independent of the area under review. Periodic independent auditing of internal controls in high risk areas is prudent practice. The frequency of auditing should be driven by the results and executed in the same manner as monitoring. Auditing should be included in a compliance program, because monitoring is a self-validation process performed by each department, which may have some variability in how the criteria are interpreted.

There are two types of auditing: ongoing, periodic auditing and what some may call “Houston we could have a problem” auditing.

Ongoing audits can either be concurrent or retrospective. Concurrent auditing is a review performed contemporaneously with the process or transaction to identify potential errors prior to completing that process or transaction. This can be an ideal approach, because errors can be corrected before an over- or under-payment is made. However, concurrent audits can be a challenge, because they need to be performed in a timely manner to avoid a backlog in operations. Implementing concurrent reviews takes a fair amount of planning and coordination with Operations to successfully execute. It also may prohibit auditing the outcome of a process, such as in the case of testing the Business office’s internal controls. Concurrent reviews don’t allow the opportunity to test what the final “bill” will look like and how it is accepted by the payer.

Retrospective audits are performed after the process or transaction is completed. Because the process is complete, the timing allows the auditor to validate internal controls thoroughly throughout the entire process. The downside is that any overpayments identified will need to be refunded and the organization must have a process in place to ensure that occurs.

Sampling

When an organization identifies a historical pattern or ongoing problem, auditing would help assess the situation. However, don’t jump to the conclusion that a statistically valid sample is necessary. The decision whether to select a statistically valid sample should involve legal counsel, along with other key leaders, to complete a thoughtful analysis of the issue(s).

[Figure 1: Sample Dashboards. Six charts of monitoring results by month (axis ticks Oct-10 through Apr-11), one per metric:]

• Metric 7 - # of Orders Missing Signatures or DX Codes (Incomplete Orders). Department: Registration. Criteria: The percentage of orders that are missing signatures or proper diagnosis codes. Threshold: 5%
• Metric 8 - % of Accuracy of Orders (Accuracy of Orders). Department: Registration. Criteria: The percentage of accuracy of orders on the requisition to the billing system and LIMS and the claim. Threshold: 95%
• Metric 9 - # of NPIs Using % of Non-Monetary Gift Value ($350) (Non-Monetary Gifts). Department: Sales. Criteria: The percentage of provider NPIs who have been provided certain percentages of the $350 non-monetary gifts for the year. Threshold: The higher NPIs must be monitored closely.
• Metric 10 - % of Accounts Written Off for Client or Patient Complaints (Complaints). Department: Client Relations. Criteria: The percentage of accounts written off due to client (MD) or patient complaints. Threshold: 5%
• Metric 11 - % of Claim Written Off for Improper DX/Medical Necessity (Improper DX/Med Nec). Department: Billing. Criteria: The percentage of claims written off for improper diagnoses/medical necessity. Threshold: 5%
• Metric 12 - Accuracy Rate of QA Account Reviews (Account Reviews). Department: Clinical. Criteria: The accuracy rate of QA Account reviews. Threshold: 95%


A number of terms associated with statistical sampling can be confusing, so let’s cover some basic terminology.

Probe sample: OIG defines a probe sample size as a minimum of 30 samples from the defined universe. A probe sample is commonly used when the organization “thinks” there might be a problem that needs to be addressed.

Discovery sample: OIG commonly defines a discovery sample size as 50 when the organization “knows” there is a problem and the seriousness needs to be assessed.

Full statistical sample: This type is used if the probe or discovery sample identifies an error rate deemed unacceptable and the organization plans on disclosing their monetary liability to the OIG as a result of the error(s).

The full statistical sample size is based on the results of the probe or discovery sample and equals the probe or discovery sample plus an additional number of samples mathematically calculated to reveal a statistically accurate representation of the sample universe tested. The total number selected is driven by the probe or discovery sample’s error rate, the universe size (i.e., total number of records, transactions, claims, etc.), the confidence level (i.e., certainty that the sample accurately depicts the universe), and precision (i.e., range of accuracy). The publicly available OIG RAT-STATS program (http://oig.hhs.gov/compliance/rat-stats/index.asp) makes it relatively easy to determine the sample size and assists with selecting the sample.

Stratified sample: In this type of audit, the universe is divided into “buckets” based on defined characteristics within the universe. A simple example is if the universe spans over a period of years, then the universe is stratified by year to ensure a representative sample across the years. Another example may be a universe that involves multiple locations, a change in staff, or multiple providers. Before a sample is stratified, there should be some level of analysis and thoughtful discussion to determine the most representative separation in each “bucket” so that the stratification will increase the accuracy of the estimation of the error.

[Figure 1, continued] SPECIAL EXPLANATIONS THIS MONTH: This is where the departments would explain any outliers or special circumstances for the month.

For example, let’s say we are looking at a claims audit where there are concerns about supporting documentation related to signed physician orders. The universe in question spans over a number of years. During that timeframe, the provider utilized a paper medical record for one year and in the second (and later years) was using an electronic medical record (EMR). The preliminary investigation indicated there were order deficiencies in both years; however, there was a higher accuracy rate of signed orders prior to the implementation of the EMR. Stratifying the sampling may create a more representative precision to the error rate.

Although this example is simple, the point is that there needs to be a thoughtful analysis and planning process undertaken prior to identifying the universe, focusing on the concern, and minimizing the variables within it. A number of unique questions can be asked for each situation to help identify the variables or changes that may impact the universe. Ideally, involving legal counsel and key stakeholders who have a thorough understanding of the issue and operations during the timeframe in question is the key to successfully identifying the appropriate universe. It is also wise to involve someone who has a good understanding of statistical sampling, because they often have a different perspective on questions to ask.

Conclusion

I often wonder if organizations put too much effort into auditing and not enough into monitoring. Auditing is more often done after the fact, where monitoring can more easily be integrated into operational processes. Auditing and monitoring are both good tools to validate that the internal controls structure is working. The approach and effort are unique to each organization’s needs and availability of resources. In the end, the goal should be to have a good balance of auditing and monitoring to take the pulse on the effectiveness of the internal control structure.

1. Committee of Sponsoring Organizations of the Treadway Commission (COSO): “Internal Control – Integrated Framework: Guidance on Monitoring Internal Control Systems” June 2008. Available at http://www.coso.org/documents/volumeii-guidance.pdf


Health Care Auditing & Monitoring Tools

Filled with more than 100 sample policies, procedures, guidelines and forms to enhance your compliance auditing and monitoring efforts. The manual is updated twice a year with new tools. The first two updates are free; an annual subscription can be purchased to continue receiving the updates.

If just one tool in this book fills a need in your department, then you’ll be adding value to your compliance program!

For more information, visit www.hcca-info.org/books, or call 888-580-8373.


Editor’s note: Andrew Finkelstein is a Director of Corporate Compliance for Coventry Health Care in King of Prussia, Pennsylvania, where he focuses on vendor oversight. He may be contacted at [email protected] or by phone at 610/290-1261.

In any business environment in which subcontractors are used, the quality and performance of the work they perform is vital to the success of the parent organization. Whether retained to perform specific tasks or an entire business function, the specialization achieved through utilization of vendors is a key mechanism or incentive for any one or more of a variety of justifications. These may include cost reduction, risk mitigation, operational expertise, or quality improvement, to name a few. Although the preceding are generally viewed as positive implications associated with subcontracting, there are negative ones as well. Offshore subcontracts, for example, carry a significant negative connotation in the potential loss of opportunity for similar domestic sources. Opponents also cite the potential for contractual non-compliance when important quality standards and benchmarks are not met. Regardless of the positive justification or potential downside risk, the significance of subcontractors cannot be understated, and they are, in practice, highly utilized.

It comes as no surprise then that the regulatory framework in which health care compliance resides has gone to significant lengths to attempt to govern these working relationships. Indeed, as the health care industry has moved in the direction of adopting compliance programs compliant with the Federal Sentencing Guidelines for Organizations (FSGO), so have the agencies that regulate these compliance programs. Notably, within the area of Medicare compliance, where the potential for harm resulting from subcontractor operations may have direct impact on Medicare program beneficiaries, subcontractors, or “first tier, downstream, and related entities” (FDRs, as the Centers for Medicare & Medicaid Services [CMS] refers to them) are regulated with substantial compliance responsibility and oversight. Indeed, as a condition for contracting with CMS to offer Medicare benefits, plan sponsors must have compliance plans that enable them to follow federal regulations and, especially, to prevent fraud, waste, and abuse. These plans mirror the FSGO and, in practice, inherently include oversight of FDRs. The challenge for the Medicare compliance professional is therefore not just to adhere to the responsibility within a plan sponsor’s compliance plan, but also to the regulatory and subregulatory guidance that attempts to weave its way in and out of a compliance program and the compliance plan elements. To this end, the gold standard of best practices is a robust and thorough Medicare FDR management program that can withstand a dynamic Medicare landscape that requires keen regulatory navigational skills.

For each compliance plan element, just as a sponsor must ensure it is implementing the necessary requirement for itself, it should also view the elements in light of its FDRs. From a regulatory perspective, the final rule governing the Prescription Drug Program, for example, mandates that any contractual activity performed by an FDR be consistent and comply with the sponsor’s own contractual obligations. Because a sponsor’s contractual obligations include the presence of a compliance plan, so, too, do an FDR’s.

Vendor compliance in a dynamic Medicare landscape

By Andrew Finkelstein, JD, CCEP

From a subregulatory perspective, and sticking with the Medicare Part D program, in Chapter 9 of the Prescription Drug Benefit Manual, the above provisions are echoed with more detailed responsibility incumbent upon sponsors. Although Section 50.2.1 of the manual outlines what should be articulated within the sponsors’ written policies and procedures, including a code of conduct, this section enhances the requirement by informing sponsors they should “encourage” their FDRs to:

adopt and follow a code of conduct particular to their own organization that reflects a commitment to detecting, preventing and correcting fraud, waste and abuse in the administration or delivery of Part D benefits and to share their code of conduct with FDRs upon request in order to relay the Sponsor’s own commitment at preventing, detecting and preventing fraud, waste and abuse.

I’ve added emphasis on the word “should” above because as legal statutory construction has taught us, although the word “must” is used to denote affirmative obligations to act, “should” is used to indicate actions that are strongly recommended. In practice, this is a serious consideration for the compliance professional.

Whereas an ample amount of subregulatory guidance exists for the above written policy element and the requirements it imposes upon Compliance departments that oversee a sponsor’s FDRs, it is dwarfed by the significance that compliance with the “effective training and education” element has on sponsors. Try an experiment: Type “Medicare FDR Training” into Google and take notice of the results. Peppered with relevance, the results are demonstrative of the fact that FDR training is a cornerstone of a Medicare compliance program requiring substantial oversight with annual and ongoing monitoring.

Effective January 1, 2009, both Medicare Advantage Organizations (MAOs) and Prescription Drug Plan sponsors were required to implement fraud, waste, and abuse training for all entities they are partnering with to provide benefits or services in the Part C and the Part D programs, not just to the direct employees within their organization, as was the then replaced requirement.1 Acknowledging the burden this might cause sponsors and their FDRs (based on the idea that sponsors were routinely subcontracting with some notable vendors that specialize in Medicare-required functions), CMS encouraged sponsors to work together to provide standardized training—a concept that never manifested into any permanent solution. As a result, (as our experiment has demonstrated) nearly all sponsors have created their own version of fraud, waste, and abuse training, all containing content which CMS has “encouraged” sponsors to include. As the CMS guidance stated:

Topics that should be addressed in a fraud, waste and abuse training program include:

• Laws and regulations related to MA and Part D fraud, waste and abuse (e.g., False Claims Act, Anti-kickback Statute, HIPAA, etc.);
• Obligations of FDRs to have appropriate policies and procedures to address fraud, waste and abuse;
• Process for reporting to the MAO or PDP sponsor suspected fraud, waste and abuse in FDRs;
• Protections for employees of FDRs who report suspected fraud, waste and abuse;
• Types of fraud, waste and abuse that can occur in FDRs.2

The cumbersome aspect to compliance with this element is ensuring that your organization is able to demonstrate accountability to CMS that all of the above topics have been provided to all FDRs and that the FDRs have provided these materials to all of their employees and subcontractors. The industry standard for achieving compliance with this requirement has been to request that FDRs attest to these requirements. Language from an attestation might include requesting that a senior officer from an FDR certify to completing these requirements on behalf of the organization.


Although this entity level of diligence might seem appropriate, in the eyes of regulators, is it enough? CMS has indicated that although it does not require documentation from FDRs or a certification process, through its audit and review process, it will determine whether or not the training and education requirements were fulfilled. CMS will hold the Part D sponsor or MA organization responsible for fulfilling this requirement regardless of whether FDRs certify to that effect.3

As expected, this promise did manifest itself in 2010 with the highly anticipated CMS Compliance Plan Audits, whereby CMS put plan sponsors through rigorous and extensive evaluations of their compliance programs, including a focus on FDR oversight. So how then could a sponsor satisfy its FDR requirements for CMS? In the absence of clearer guidance, at least one mechanism Compliance departments have used is audits in which actual evidence or records demonstrating compliance with sponsors’ training requirements (and attestations) are requested, reviewed, and validated. This evidence-based approach captures the requirements imposed upon sponsors’ FDR training programs. Indeed, procedures for internal effective monitoring and auditing are another compliance plan element, and, in the context of training, one that is especially critical to the success of any FDR compliance effort.

It may also be that clearer guidance is on its way. A recent OIG report posited several recommendations to CMS regarding fraud, waste, and abuse training.4 Although the subject and recommendations of the report were specifically for pharmacies (downstream entities), CMS’s responses were universal in either addressing FDRs as a group or sponsors’ compliance programs as a whole. The resulting expectation from CMS is a reissuance of training responsibilities and assistance in effectively providing it, a welcomed addition to the current dynamic Medicare compliance landscape.

Whereas both of the preceding highlighted elements carry an arsenal of regulatory and subregulatory interpretation, so, too, can any of the other elements not highlighted, and all in the context of FDR oversight. Coupled with the anticipated requirements CMS is forecasted to issue, a Medicare vendor’s Compliance department should prepare appropriately with an evidence-based toolkit to satisfy these critical elements.

1. CMS Memorandum: Fraud, Waste and Abuse Training Requirements, October 20, 2008
2. CMS Memorandum: Fraud, Waste, and Abuse (FWA) Training Clarification, August 21, 2009
3. 72 Fed. Reg. 68700, 68707 (Dec. 5, 2007).
4. OIG: Medicare Prescription Drug Sponsors’ Training To Prevent Fraud, Waste, And Abuse, OEI-01-10-00060, July 2011

Basic Classified Ads Our basic ads are listed on our website for 90 days and cost just $400 per position. In addition, for each month you advertise with us, your listing is included in our monthly HCCA Jobs Newsletter, which we send out to over 24,000 email addresses.

Premium Listings Want to make sure your job listing gets noticed first? Try a premium listing. For just $100 more, your job listing is placed in the top section of the site, and it is also featured in the top section of the newsletter, making it stand out.

Help keep your program fully staffed

List Your Job Openings Online with HCCA

List my job opening: hcca-info.org/newjobs


HCCA Officers:

Frank Sheeder, JD, CCEP: HCCA President; Partner, DLA Piper
Shawn Y. DeGroot, CHC-F, CHRC, CCEP: HCCA Vice President; Vice President of Corporate Responsibility, Regional Health
John Falcetano, CHC-F, CIA, CCEP-F, CHRC, CHPC: HCCA Second Vice President; Chief Audit/Compliance Officer, Vidant Health
Gabriel L. Imperato, JD, CHC: HCCA Treasurer; Managing Partner, Broad and Cassel
Sara Kay Wheeler, JD: HCCA Secretary; Partner–Attorney, King & Spalding
Sheryl Vacca, CHC-F, CHRC, CCEP, CHPC: Non-Officer Board Member; Senior Vice President/Chief Compliance and Audit Services, University of California
Jenny O’Brien, JD, CHC, CHPC: HCCA Immediate Past President; Chief Medicare Compliance Officer, UnitedHealthcare Medicare & Retirement

CEO/Executive Director: Roy Snell, CHC, CCEP-F, Health Care Compliance Association

Counsel: Keith Halleland, Esq., Halleland Habicht PA

HCCA Board of Directors:

Urton Anderson, PhD, CCEP: Chair, Department of Accounting and Clark W. Thompson Jr. Professor in Accounting Education, McCombs School of Business, University of Texas
Deann M. Baker, CHC, CCEP, CHRC: Chief Corporate Compliance Officer, Corporate Compliance & Integrity Services, Alaska Native Tribal Health Consortium
Catherine Boerner, JD, CHC: President, Boerner Consulting, LLC
Julene Brown, RN, MSN, CHC, CPC: Regional Compliance Director, Organizational Integrity and Compliance, Essentia Health West Region
Brian Flood, JD, CHC, CIG, AHFI, CFS: National Managing Director, KPMG LLP
Margaret Hambleton, MBA, CPHRM, CHC: Senior Vice President, Ministry Integrity, Chief Compliance Officer, St. Joseph Health System
Robert A. Hussar, JD, MS, CHC: Senior Manager, Forensic and Dispute Services, Deloitte Financial Advisory Services
Robert H. Ossoff, DMD, MD, CHC: Assistant Vice-Chancellor for Compliance & Corporate Integrity, Vanderbilt University Medical Center
Daniel Roach, JD: Vice President Compliance and Audit, Catholic Healthcare West
Matthew F. Tormey, JD, CHC: Vice President, Compliance, Internal Audit, and Security, Health Management Associates
Debbie Troklus, CHC-F, CCEP-F, CHRC, CHPC: Managing Director, Aegis Compliance and Ethics Center

Publisher: Health Care Compliance Association 888-580-8373Executive Editor: Roy Snell, CEO, [email protected] Editor: Gabriel Imperato, Esq., CHCEditor: Margaret R. Dragon 781-593-4924, [email protected] Editor: Patricia Mees, CHC, CCEP 888-580-8373, [email protected] and Production Manager: Gary DeVaan 888-580-8373, [email protected]

Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care Compliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address changes to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright 2011 Health Care Compliance Association. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means without prior written consent of the HCCA. For Advertising rates, call Margaret Dragon at 781-593-4924. Send press releases to M. Dragon, 41 Valley Road, Nahant, MA 01908. Opinions expressed are not those of this publication or the HCCA. Mention of products and services does not constitute endorsement. Neither the HCCA nor CT is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.


CCB: The Compliance Professional’s Certification

Congratulations!! The following individuals have recently successfully completed the CHC® certification exam, earning their certification:

Susan Acquisto, Carrie Aiken, Jason Algeo, Caroline Baker, Ofer Barlev, Ruth Blake, John Bokosky, Andrei Boyarshinov, Amy Boyle, Louise Bucolo, Michelle Castro, Kita Cathey, Valerie Cloud, Brittany Cone, Joan Daniel, Keith Deleeuw, Linda Donley, Laurie Dubas, Alexander Fear, John Fisher, Donna Flynn Page, Analiese Fusner, Elvis George, Maria Luisa Germani, Stephanie Gibson, Joyce Graham, Joe Green, William Gregory, Vanessa Griggley-Ownes, Alice Hall, Amanda Haverdink, Lawrence Hendricks, Stephanie Hochstetler, Keri Jennings, Jennifer Kennedy, Erin Kinahan, Gail Kinkead, Tatiana Klesc, Jacqueline Kniska, Heidi Kocher, Linda Kology, Elizabeth Kopochis, Natalie Laporta, Henri-Alexandre Lauer, Adam Lentz, Joel Levi, Marsha Liu, Deborah Mack, Sarah McCarter, Loretta McGinty, Kelly McIntosh, Janice Meister, Mary Menard, Becky Merkel, Megan Micaletti, Debra Ann Minnucci, Stephanie Musso, Christy Naylor, Patricia Nervina, Francine Nigrello, Kathy Perkins-Smerdel, Mona Peterson Rosow, Alison Phillips, M Pope, Stephen Roberts, Valerie Rock, Ryan Ruzziconi, Aida Sanchez-Nunez, Laura Schmitt, Stacy Schulze, Maria Sessions, Lori Severson, Kimalisa Shamblin, James Sheehan, Lanford Slaughter, Joni Smith, Robin Smith, Robin Stults, Marilyn Tarrant, Melisa Vazquez, Vielka Velaquez, David Verona, Anna Ward, Michael Weigman, Dona Weissenfels, Angele White, Kelly Wittmeyer, Stacie Wojciechowski, Mitchell Wright

The Compliance Certification Board (CCB) compliance certification examinations are available in all 50 states. Join your peers and demonstrate your compliance knowledge by becoming certified today.

Merrit Anderson, Jacob Belanger, Benisa Berry, Sharon Blackwood, Tara Brady, Ray Braeunig, Maria Cox, Rebecca Elithorp, Glenda Flancer, Darci Friedman, Mark Gara, Felice Hersch, Wendi Hodgen, Sondra Hornsey, Chris Howell, Laura Humbertson, Millicent Hunter, Aimee Janke, Eric Kaminski, Blaine Kerr, Jennifer Lee, Cristina Mackenzie, Patrick Midden, Cary Miskoff, Sherri Morton, Susan Muscarella, Jade Olson, Akemi Otsuka, Tracie Paiva, Erin Parker, Kathryn Pyke, Joseph Rivet, Homer Robinson, Margaret Scherrer, Karen Schimpf, Heather Seward, Niraj Singh, Laurie Smaldon, Lorri Steiner, Carol Stone, Marilyn Thomas, Patty Thompson, William Turner, Sergio Vazquez, Cindy Vredeveld, Ayeola Williams, Jonathan Wolin

Congratulations!! The following individuals have recently successfully completed the CHRC® certification exam, earning their certification:

John Boskosky, Michael Roach, Sheron Salyer, Danette Slevinski, Donna Walsh

Congratulations!! The following individuals have recently successfully completed the CHPC® certification exam, earning their certification:

For more information about certification, please call 888/580-8373, email [email protected], or visit our website at www.hcca-info.org.


Editor’s note: Jennifer Benedict is a Partner with Honigman Miller Schwartz and Cohn LLP in Detroit. She may be contacted at [email protected] or by phone at 313-465-7326.

Angela Epolito Sprecher is an Associate at Honigman and may be contacted at [email protected] or by phone at 313-465-7540. Jennifer and Angela are both attorneys and members of Honigman’s Health Care Department.

The Centers for Medicare & Medicaid Services (CMS) has launched a massive effort to revalidate the enrollment information of providers and suppliers in the Medicare program. New enrollment screening criteria, in accordance with the Patient Protection and Affordable Care Act (PPACA), impose heightened screening and enforcement measures for initial Medicare enrollment, revalidation, and billing in an effort to proactively prevent fraud and abuse in federal health care programs.

Approximately 1.4 million health care providers and suppliers in the Medicare program, including 750,000 physicians, are required to revalidate their enrollment information with CMS between now and March 2015. Providers and suppliers should not begin the revalidation process, however, until receiving a revalidation request letter from CMS or a Medicare Administrative Contractor (MAC). Providers and suppliers who submitted enrollment applications on or after March 25, 2011 will not be required to undergo revalidation, as their applications were processed under PPACA’s new enrollment screening criteria.

Initially, CMS announced a much more compressed timeframe for completion of its revalidation effort and indicated that revalidation letters would be sent to providers and suppliers between August 2011 and March 23, 2013. After reevaluating the revalidation requirement under PPACA, however, CMS concluded that PPACA allows for a more flexible timeframe. CMS has since announced that it will extend its revalidation effort through March 2015. Importantly, this extension does not affect those providers who have already received a revalidation notice.

Revalidation process

CMS began its revalidation effort in September 2011 by sending 89,000 revalidation request letters to providers and suppliers. This first set of letters was sent to providers and suppliers that bill the Medicare program but are not currently in Medicare’s Provider Enrollment, Chain and Ownership System (PECOS). A sample revalidation notice letter is posted on CMS’s website (www.cms.gov). Between now and March 2015, MACs will intermittently send out revalidation request letters on a regular basis. This phased approach will allow the MACs to better manage the additional workload created by the revalidation applications.

Providers and suppliers must revalidate their Medicare enrollment information either by submitting a paper revalidation application (CMS-855 form) or by electronically submitting a revalidation application online using PECOS. Providers and suppliers have 60 days from the date of their revalidation request letter to submit the requested enrollment forms and all supporting documentation for revalidation. Institutional providers and suppliers who submit an enrollment application for revalidation will be required to pay a fee for revalidation processing, but physicians, physician group practices, non-physician practitioners, and non-physician practitioner organizations are exempt from this fee. For calendar year 2011, the application fee was $505, but the fee increases to $523 for 2012.

Medicare revalidation survival guide

By Jennifer Benedict and Angela Epolito Sprecher


Failure to complete revalidation enrollment forms as requested may result in deactivation of the provider or supplier’s Medicare billing privileges. CMS has instructed its MACs to make at least two phone calls to alert providers or suppliers of a pending revalidation request before deactivating privileges. Once a provider or supplier’s billing privileges have been deactivated for failure to timely revalidate, CMS has indicated that it will reinstate billing privileges if it receives the appropriate revalidation documents within 120 days of the postmark of the original revalidation request.

PECOS improvements

CMS has started taking steps to improve PECOS to allow providers and suppliers to more easily update their information and submit revalidation applications. For example, providers and suppliers using PECOS can pay the application fee (if any) online when submitting their revalidation enrollment application. Other planned improvements to PECOS include: fewer screens and more prompts to notify providers when information is incomplete, a search function for enrollment applications to assist providers to more easily manage their enrollment applications, a simplified registration process for authorized representatives, and use of digital document upload for supporting documents to eliminate the need to separately mail supporting documents. Providers and suppliers can expect to see some of these planned updates and changes to PECOS as early as January 2012.

Paper applications and the revised CMS-855 forms

Providers and suppliers who plan to submit a paper revalidation application (CMS-855 form) should be aware that in July 2011, CMS published new versions of the Medicare enrollment applications (CMS-855A, 855B, 855S, 855R, 855O and 855I). The revised forms contain several changes, including requiring all providers and suppliers to provide more detailed information about individuals or organizations that have ownership or managing control of the provider or supplier. These changes have also been incorporated into the PECOS system. When responding to a request for revalidation, providers and suppliers who plan to submit paper applications should use the most current version of the applicable CMS-855 form.

Revalidation survival tips

1. Watch for a revalidation request letter from your local CMS contractor. According to CMS, the letter will arrive in a colored envelope and will be clearly marked as a “Revalidation Request.”

2. CMS has posted on its website a list of all providers and suppliers who were mailed a revalidation letter. Check this list to confirm whether a letter was sent to your organization.

3. According to CMS, for providers that are not in PECOS, the revalidation request letter will be sent to the special payments or primary practice address. For providers in PECOS, the revalidation request letter will be sent to both the special payments and correspondence addresses. If both of those addresses are the same, a revalidation request letter will also be sent to the primary practice address. If you are not sure of the address where your organization’s revalidation letter may be directed, call your MAC directly.

4. Your organization should not begin the revalidation process until a revalidation request letter is received from your MAC.

5. Do not delay your response or ignore a revalidation request letter. Begin processing your revalidation application as soon as your organization receives the request to revalidate your information. Providers and suppliers have only 60 days to submit a revalidation application with all supporting documentation. Failure to timely submit a revalidation application can result in deactivation of Medicare billing privileges.

6. The revalidation process can be tedious and time-consuming. Consider appointing a single person within your organization to gather the necessary revalidation information and documentation and to otherwise oversee the revalidation process.

7. The process for Medicare enrollment and revalidation has become increasingly complex. Further, the CMS-855 forms are not “one size fits all.” If, after reviewing the instructions for the 855 form, you still have questions about how to accurately complete the form, do not hesitate to call your MAC for further guidance.

8. Providers and suppliers should continue to submit necessary updates regarding any changes of information or change in ownership. The obligation to do so is not affected by the revalidation effort.

9. Once you receive a revalidation request letter, track and document the steps you take to complete the revalidation process. If you submit a CMS-855 form or any supporting documentation by mail, use certified mail or other similar means to ensure the documents are traceable. Make and maintain copies of everything you submit to Medicare, as well as all of the correspondence you receive, to evidence your timely processing of CMS’s revalidation request. After submitting payment of any applicable revalidation fee, print the confirmation screen for your records.

10. Promptly respond to communications and follow-up requests from your MAC. Educate those within your organization who may receive correspondence or answer phones to ensure that CMS’s requests reach the appropriate person and are handled correctly.


Editor’s note: Stacey S. Elliott is Manager of Government Audits at Community Memorial Health Systems, in Ventura, California. Contact Stacey at [email protected].

Medicare providers continue to be financially pummeled by the scrutiny and recoupment activities driven by the Recovery Audit Contractor (RAC) program. Medical necessity denials related to hospital inpatient admissions are a RAC target that impacts facilities nationwide. The financial burden goes far and above refunding a reimbursement that, after review, has been determined to be an “overpayment.” There are now RAC managers and RAC coordinators in almost every hospital—positions that didn’t exist a few years ago.

Many organizations find themselves forced to decide if the cost involved in a lengthy appeal process outweighs simply refunding the amount of the payment without a fight. If you struggle with that decision, keep in mind that when you don’t appeal an overpayment determination, there are other repercussions besides merely suffering the financial pain associated with recoupment. As your “claims denial ratio” increases, so does your vulnerability. Because RACs rely on historical statistics and other data trends to target and justify reopening claims for review, high error rates will make you a more obvious target for increased scrutiny and audit activity. Win or lose, there is a significant cost associated with responding to overpayment decisions, submitting written discussions, composing appeal letters, and attending legal hearings. If and when you receive a favorable decision, recoupment of the original payment may have already occurred; you will then be required to spend additional time and money pursuing the recovery of your original reimbursement.

It only makes sense to fight fire with fire. If you are receiving unfavorable decisions, based on Medicare guidelines indicating that your documentation failed to support medical necessity, then taking whatever actions necessary to prevent that seems elementary. Requiring physicians to take a little extra time to document the rationale for their decision to admit a patient may not save you from a RAC’s initial request for medical records and scrutiny; however, it will save you an enormous amount of time and money in the long run. With that said, let’s discuss what is required to maintain compliance with Medicare guidelines and support an appropriate inpatient admission. How hard is it?

Unfavorable decisions regarding the appropriateness of an inpatient admission will usually state, “Documentation did not support the medical necessity of an inpatient level of care.” Supporting guidance will also be cited, such as the Medicare Benefit Policy Manual, Chapter 1 (Inpatient Hospital Services Covered Under Part A):

The physician or other practitioner responsible for a patient's care at the hospital is also responsible for deciding whether the patient should be admitted as an inpatient. Physicians should use a 24-hour period as a benchmark, i.e. they should order admission for patients who are expected to need hospital care for 24 hours or more, and treat other patients on an outpatient basis. However, the decision to admit a patient is a complex medical judgment which can be made only after the physician has considered a number of factors, including the patient's medical history and current medical needs, the types of facilities available to inpatients and to outpatients, the hospital's by-laws and admissions policies, and the relative appropriateness of treatment in each setting. Additional factors include such things as the severity of the signs and symptoms exhibited by the patient; the medical predictability of something adverse happening to the patient; the need for diagnostic studies that appropriately are outpatient services to assist in assessing whether the patient should be admitted; and the availability of diagnostic procedures at the time when and at the location where the patient presents. (Emphasis added)

Surviving a RAC attack

By Stacey S. Elliott, CCS, CPC

Following the rules

The above guidelines are somewhat vague and their interpretation is subjective at best. Nevertheless, lack of understanding and awareness is not the primary problem. To successfully survive a medical necessity audit, make sure you can demonstrate your facility and admitting providers are following the rules! Being simply aware of the applicable rules, regulations, guidelines, and other supporting information published by recognized government authorities (i.e., Centers for Medicare & Medicaid Services [CMS], Medicare Administrative Contractors, etc.) is not enough. Incorporating those rules, regulations, and guidelines into your organization’s by-laws, admissions policies, internal protocols (i.e., the use of decision trees and other screening medical necessity tools), and, most importantly, physician documentation requirements is paramount to successfully withstanding the scrutiny of a RAC or other government audit. Bear in mind, as a participant of the Medicare program, it is your responsibility to promote, achieve, and maintain successful compliance with governing rules and regulations.

Not surprisingly, there has been a surge of physician advisory groups, consultant companies, RAC monitoring systems, and other health care management companies springing up and racing to sell solutions and offer assistance to manage the overwhelming demands of the ever-increasing government activity intended to eliminate areas of fraud and abuse. Honestly, I believe that many facilities are more willing to invest exorbitant amounts of money in enlisting outside resources, rather than addressing the obvious internal issue of inadequate provider documentation. All too often, the only documentation that directly addresses an admission to “inpatient status” is a checked box on a hospital doctor’s order form. Even if the order to admit passes the initial compliance sniff test (i.e., being timed, dated, and signed acceptably), a check mark next to “inpatient” is not enough in itself to justify the decision to admit.

Think about it. You may wish to further support your provider’s decision to admit by employing a physician advisor to attest to the legitimacy of the admission. However, if the admitting provider does not sufficiently document his/her own rationale and ultimate decision to admit, a statement by a physician advisor will not suffice—nor should it.

The same may be said for internal utilization review (UR) validations. Without documentation by the provider of care indicating his/her decision to admit and the specific basis and details of that decision, a UR validation stating that InterQual® or Milliman® screening criteria were met is just not enough. Determinations made by UR staff, based on screening criteria tools or a physician advisor’s analysis and statement supporting the appropriateness of an inpatient admission, are not meant to substitute for the admitting physician’s opinions and decisions. In fact, if a UR nurse or a physician advisor is responsible for writing a letter of appeal and cites conditions or conclusions based on their own clinical interpretations of information contained in the medical record (e.g., lab test results, past medical history, nurse notes, etc.), there could be unexpected consequences. If the attending provider did not document the same clinical significance, the appeal letter may introduce signs, symptoms, or conditions that were never reported when the claim was originally filed. Coders are mandated to only report signs, symptoms, conditions, etc. that were documented by a physician directly involved in the patient’s care. Utilizing UR nurses and physician advisors may help when arguing the validity of an inpatient admission, but without documented corroboration by the attending physician or other provider (directly in charge of the patient’s care), their support is virtually useless. The admitting provider needs to “get it right” by clearly documenting the rationale and other specific details directly supporting the decision to admit.

By incorporating the applicable Medicare guidelines into your facility’s existing admission policies, by-laws, and physician documentation rules, a medical necessity denial for an inpatient stay should be easily defendable, even if you are forced to appeal all the way up to an Administrative Law Judge (ALJ) or beyond. Documentation that your physician clearly considered the 24-hour benchmark and other applicable factors, per Medicare guidelines, is critical. The medical record can and should speak for itself. Admittedly, it may help to have a UR nurse or physician advisor (either internal or external) document that an inpatient admission was reviewed and certified as appropriate, but only if the facts and basis of their determination are also acknowledged in the physician’s documentation.

As facilities are held responsible for following rules, regulations, and guidelines, so are the RACs. The current RAC Statement of Work (SOW), updated in September 2011, should be carefully reviewed in its entirety by everyone involved in managing and/or responding to RAC reviews and overpayment decisions. Three very important points cited in the SOW are:

• Minor omissions: Consistent with Section 937 of the Medicare Modernization Act (MMA), the RAC shall not make denials on minor omissions, such as missing dates or signatures, if the medical documentation indicates that other coverage/medical necessity criteria are met. Any questions regarding whether a claim shall be denied for a minor omission shall be directed to the contracting officer technical representative (COTR).

• Medicare policies and articles: The RAC shall comply with all national coverage determinations (NCDs), coverage provisions in interpretive manuals, national coverage and coding articles, local coverage determinations (LCDs)—formerly called local medical review policies (LMRPs)—and local coverage/coding articles in their jurisdiction.

• Rationale for determination: The RAC shall clearly document the rationale for the determination. This rationale shall list the review findings including a detailed description of the Medicare policy or rule that was violated and a statement as to whether the violation resulted in an improper payment. RACs shall ensure they are identifying pertinent facts contained in the medical record to support the review determination. Each rationale shall be specific to the individual claim under review.

All too often, unfavorable decision letters do not clearly document the rationale for the determination. Instead the letters are ambiguous and seem to be carbon copies of each other. Keep an eye out for RAC, MAC, or QIC denials that reflect statements that are inaccurate or blatantly false. Also, remember, test results or details of a patient’s status that were only made known post-admission may not be used to argue an inpatient admission was not reasonable and necessary. The CMS Benefit Policy Manual, Chapter 1 - Inpatient Services Covered Under Part A, states the following:

In making decisions, Quality Improvement Organizations (QIOs) consider only the medical evidence which was available to the physician at the time an admission decision had to be made. They do not take into account other information which became available only after admission, except in cases where considering the post-admission information would support a finding that an admission was medically necessary.

Worst case scenario, in the event that an unfavorable decision is upheld, if you are able to submit sufficient evidence establishing your compliance with Medicare rules and regulations, the Limitation of Liability provision of the Social Security Act may allow your claim to be paid and prevent recoupment:

Limitation of Liability - In accordance with Section 1879 of the Social Security Act, when assigned services are denied because they are determined to be not reasonable and necessary, the Medicare program makes payment when neither the beneficiary nor the physician knew, and could not reasonably be expected to have known, that the services were not reasonable and necessary based on Medicare guidelines.

Conclusion

Don’t let medical necessity denials intimidate you. Cover all your bases by incorporating Medicare rules and guidelines into your own facility’s by-laws and policies wherever possible. Educate your providers and require them to clearly document their considerations and rationale in adequate detail to support their decision for an inpatient admission. After all, in the words of CMS, “The physician or other practitioner responsible for a patient's care at the hospital is also responsible for deciding whether the patient should be admitted as an inpatient.” So, play by the rules and fight fire with fire. You will not only survive a RAC attack, you will triumph!

Earn Your Health Care Compliance Certificate Online with an iPad2

Become a certified health care compliance professional on your schedule.

Award-winning certificate program is now powered by Hamline’s proprietary iPad app

Affordable tuition includes an iPad2 that students keep

Start in June 2012 and complete the program in just one year

Hamline Law’s Health Law Institute is one of the nation’s top 20 health law centers.

law.hamline.edu/healthlaw


Compliance Today Editorial Board

The following individuals make up the Compliance Today Editorial Advisory Board:

Dorothy DeAngelis, Managing Director, FTI Consulting
James G. Sheehan, JD, Chief Integrity Officer, New York City Human Resources Administration
Gabriel Imperato, Esq, CHC, CT Contributing Editor, Managing Partner, Broad and Cassel
Jeffrey Sinaiko, President, Sinaiko Healthcare Consulting, Inc.
Cheryl Wagonhurst, JD, CCEP, Partner, Law Office of Cheryl Wagonhurst
Lisa Silveria, RN, BSN, Home Care Compliance, Catholic Healthcare West
Deborah Randall, JD, Law Office of Deborah Randall
Janice A. Anderson, JD, BSN, Shareholder, Polsinelli Shughart, PC
Christine Bachrach, CHC, Chief Compliance Officer, University of Maryland
David Hoffman, JD, President, David Hoffman & Associates
F. Lisa Murtha, JD, CHC, CHRC, SNR Denton US LLP
Debbie Troklus, CHC-F, CCEP-F, CHRC, CHPC, Managing Director, Aegis Compliance and Ethics Center
Linda Wolverton, CHC, CPHQ, CPMSM, CPCS, CHCQM, LHRM, RHIT, Vice President Compliance, Team Health, Inc.
Gary W. Herschman, Chair, Health and Hospital Law Practice Group, Sills Cummis & Gross P.C.
Rita A. Scichilone, MSHA, RHIA, CCS, CCS-P, Director of Practice Leadership, American Health Information Management Association
Ofer Amit, MSEM, CHRC, Research Compliance Administrator, Baptist Health South Florida
Robert H. Ossoff, DMD, MD, CHC, Assistant Vice Chancellor for Compliance and Corporate Integrity, Vanderbilt Medical Center
Emily Rayman, General Counsel and Chief Compliance Officer, Community Memorial Health System
Jacki Pemrick, Privacy Officer, Mayo Clinic
Richard P. Kusserow, President & CEO, Strategic Management


Health Care Privacy Compliance Handbook

This book will help privacy professionals sort through the complex regulatory framework and significant privacy issues facing health care organizations. Written by the faculty of HCCA’s Basic Privacy Compliance Academy, it offers up-to-date guidance on:

• HIPAA
• HITECH
• FERPA
• The Federal Privacy Act
• Privacy and Research
• Vendor Relations
• Payor Privacy Issues
• Auditing & Monitoring

Visit the HCCA store at www.hcca-info.org or call 888-580-8373.


Subscribe to the following health care-specific discussion groups:

• 2012 HCCA Compliance Institute
• Auditing and Monitoring Health
• Behavioral Health Care Compliance
• Chief C & E Officer Health Care Network
• Critical Access Hospital (CAH)
• Ethics Health Care Forum
• Global Healthcare Compliance and Ethics Community
• Health Care System Forum
• Healthcare Billing and Reimbursement Group
• HIPAA Forum
• Hospital Network
• Long Term Care Network
• Managed Care & Medicare Part D Forum
• Medical Device Group
• Physicians Compliance Professionals Network
• Post-Acute Care
• Quality of Care Forum
• Research Compliance Network
• Social Media Compliance

Go to www.hcca-info.org/groups and click My Subscriptions

HCCAnet is the most comprehensive social network for health care compliance professionals. Subscribe to dozens of discussion groups and get your compliance questions answered. Stay informed on the latest health care compliance news and information. Network with your colleagues and stay connected with our mobile app.

Watch Compliance Videos on YouTube Subscribe today at www.youtube.com/compliancevideos

HCCA is now on Google+ Add HCCA to your Circles at www.hcca-info.org/google

Contact Eric Newman at 952-405-7938, or e-mail Eric at [email protected] with any questions about HCCAnet. Also, ask Eric about the new HCCAnet mobile app for the iPhone, Blackberry, and Android devices.

HCCAnet

Popular Resources

• HIPAA Security Rule Toolkit - Found in Library: Privacy Officer’s Roundtable
• Corporate Integrity Agreement Implementation chart (basic)
  o Initial chart of things to do once CIA is issued to begin plan of action.
• Fundamental Pharmacy Forms for Reviewing Audit Records - Found in Library: Hospitals
• Corporate Integrity Agreement Implementation chart (basic) - Found in Library: GRC Governance, Risk, Compliance
• Risk Assessment - Found in Library: Physicians Compliance Professionals
• Role of Legal Counsel - Found in Library: Physicians Compliance Professionals
• Documenting of Incident of Improper or Illegal Practice - Found in Library: Physicians Compliance Professionals
  o What a voluntary disclosure report should demonstrate
• Conflict of Interest Disclosure Form - Found in Library: Chief Compliance and Ethics Officer Health Care Network
• Dozens of Job Descriptions - Found in Library: Health Care Library
• Stark and Anti-Kickback Statute Basic Training - Found in Library: Health Care Library


HCCA Website News

HCCA Job Board

The HCCA job board is one of the “most visited” pages on the HCCA website. If you are currently looking for a job, take a look at our job board. And if you’re looking to hire, post a job with HCCA’s job board. www.hcca-info.org/jobs

Becoming Certified

HCCA’s website has many resources available for those who are interested in becoming certified, such as practice exams, handbooks, and applications. If you are interested in holding the CHC, CHRC, or CHPC certification, take a look at our certification page for more information. www.hcca-info.org/certification

Streamlined Web Conferences

Past web conferences can be viewed instantly by streamlining the recorded session to your computer. It’s a great way to earn 1.2 CEUs towards your certifications and catch up on the latest compliance issues. www.hcca-info.org/webcds

Regional Conferences

There are 20 regional conferences all over the United States. Meet with local compliance officers in your area. Each conference is one day long and covers hot compliance topics. See which regional conference is closest to you, and register at www.hcca-info.org/regionals

Contact Tracey Page at 952-405-7936, or e-mail Tracey at [email protected] with any questions about the HCCA website.

Congratulations!

We congratulate the winners of the HCCAnet Upload Contest. HCCAnet members were asked to upload compliance documents to the Social Network. The five people who uploaded the most documents received $1,000 in conference credits.

Nancy Vogt, RHIT, CHIP, CHC (69 uploads) Deputy Chief Compliance Officer Aurora Health Care Milwaukee, Wisconsin

Kim Bullock, CIA, CICA, CHC (19 uploads) Corporate Compliance Officer Hoover, Alabama

C.J. Rathbun, CCEP (18 uploads) Senior Consultant First Consulting & Administration Kansas City, Missouri

Linda Elley (14 uploads) Compliance/Coding Manager Regional West Physicians Clinic Scottsbluff, Nebraska

Susan Wagner (9 uploads) Senior Specialist, Regulatory Management Cardinal Health South Pasadena, Florida

You can download the documents in the HCCAnet Resource Libraries. www.hcca-info.org/Library


New HCCA Members

Kansas
• Curt Caruso, Via Christi Health, Inc
• Debbie McDaniel, Via Christi Health, Inc
• Mike Metro, Via Christi Health, Inc
• Joe Peabody, US Army-Medical Department
• Shona Salzman, William Newton Hospital
• Darryl Serpan, Hutchinson Clinic, PA
• Jared Sommers, Via Christi Hospitals-St Francis
• Theresa Zimmerman, Forbes Law Group

Kentucky
• Robyn G. Blankenship, Western Baptist Hospital
• Jennifer P. Borders, Central Baptist Hospital
• Carol Doyle, WellCare Health Plans
• Joshua A. Lenavitt, Baptist Regional Medical Center

Louisiana
• Michelle Buford, Sullivan Stolier Kovata Knight LC
• Cindy Vaughn, LSUHSC-Shreveport

Maine
• Mildred W. Smith, Martin’s Point Health Care

Maryland
• Mary Berg, Meritus Health Inc
• Debra Bittle, Upper Chesapeake Health
• Christopher Briddell, Univ of Maryland Medical System
• Melissa L. Fannin, Clifton Gunderson LLP
• Jayne Hunt, XLHealth
• Ramiek James, Department of Health and Mental Hygiene
• Mark Juba, MedAssurant, Inc
• Julie Kennedy, Homewood Retirement Centers, Inc
• Wendy A. Kronmiller, Erickson Living Management LLC
• Mina Sellami, IntegriGuard, LLC
• Alissa Vertes, HealthPRO Rehabilitation

Massachusetts
• Kim Bracuti, Boston Heart Diagnostics
• Jane L. Clay, Westfield Medical Corp
• Kathleen S. Crocker
• Natalie A. Herron, Beth Israel Deaconess Med Center
• Michael Manere, MedSafe
• Michele Melvin, Saints Medical Center
• Jackie K. Moore, North Suffolk Mental Health Assoc
• Karen Nelson, Partners Continuing Care
• Dianne Pledgie, Boston Health Care for the Homeless Program
• Marisol Solis Cooke, Deloitte & Touche LLP
• Michelle H. Stone, Tufts Univ School/Dental Med

Michigan
• Rebecca Cole, Henry Ford Health System
• Mary Couperthwaite, Univ of Michigan
• Tracy Dantzler, Kalamazoo Community Mental Health
• Margaret M. Donaubauer, Mott Children’s Health Center
• Nancy Foley, Univ of Michigan Health System
• Donna Fry, Univ of Michigan-Flint
• Joshua S. Kooistra, Emergency Care Specialists, PC
• Rebecca Lewis, Deloitte & Touche LLP
• Shawn Lilley
• Allison Martin, Karmanos Cancer Center
• Erin Ross, Advanced Radiology Services, PC
• Beth Venier, Univ of Michigan Health System

Minnesota
• Lucinda Bourn, Sisu Medical Solutions
• Laurena S. Lockner, HealthPartners
• Stacie Jo Nelson, Blue Cross Blue Shield of Minnesota
• Sara Quaidoo, Indian Health Board
• Mona P. Rosow, Target
• Jacklyn R. Semrad, Reliable Medical Supply Inc
• Abraham Welle, Medtronic
• Cameo K. Zehnder, Pediatric Home Service

Mississippi
• Blair F. Pyron, Blue Cross & Blue Shield of Mississippi

Missouri
• Claudia Brennan, WellCare Health Plans
• Cathie Eikermann, Phelps County Regional Medical Center
• Carrie Sullwold, Heartland Health
• Michael Tucker, CEJKA Executive Search

Montana
• Paul G. Dolan, Benefis Health System

Nebraska
• JVawnna Bell, Nebraska Urban Indian Health
• Tricia Davison, Garden County Health Services
• Stephanie Sharp, UNMC Physicians


New Hampshire
• Nancy Formella, Mary Hitchcock Memorial Hospital
• Karen Gravel, Wentworth-Douglass Hospital

New Jersey
• TinaMarie Arlington, South Jersey Healthcare
• Anthony Caroleo, UMDNJ
• Valerie Crossland, South Jersey Healthcare
• Jeff Fontanilla, Barnabas Health
• Denise Holtz, Cancer Treatment Centers of America
• Eneze J. Jatto, OECCI University Hospital-UMDNJ
• Cynthia L. Lake, South Jersey Health Care
• Sheryl Rosenfield, Zimmet Healthcare Services Group
• Michael Schoppmann, Kern Augustine Conroy & Schoppmann, PC
• Chassidy F. Woods-Nesmith, UMDNJ
• Susan Zuber

New Mexico
• Cassandra Romero, UNMMG

New York
• Alecia Ajarie, Mt Sinai Elmhurst Faculty Practice Group
• Melissa A. Arena, St. Ann’s Community
• Zhanna Baranets, Grant Thornton
• Jeena Belil, Belil & Varriale, PC
• Tina Brown, WNY Independent Living, Inc.
• Ryan Busuttil, Federation of Organizations
• Amanda Cerniglia, Health Quest
• Susan Craig, ARISE
• Linda S. Donley, IRA Davenport Memorial Hosp Inc
• Kimberlee A. Frarey, Anthony L Jordan Health Co
• Jayetta Goodlow, River Hospital
• Spence Halperin, Spence Halperin Consulting
• Therese Kundel, Albany Medical Center
• Laura Langner, Educational Alliance
• Shawn Lomax-Mosley, Northshore LIJ Health System
• Trish Manna, Orange Regional Medical Center
• Roz McCormick, Auburn Memorial Hospital
• Michele Mecomonaco, Fransican Companies
• William Olschewske, Finger Lakes Visiting Nurse Service
• Jayshree Patel, Northshore LIJ Health System
• Wendy Prystal, Health Quest
• Jacque Richards, Tri-Borough Home Care
• Sarah Roberts, Covidien
• David Solomon, Fortune Society
• Jessica Squeglia, Mt Sinai Medical Center
• Caren Sullivan, Health Quest
• Ana Taras, William F. Ryan Community Health Center
• Joyce Tichy, APS Healthcare
• Ilene Wikler, Care to Care LLC
• Ayeola J. Williams, NYU Langone Medical Center

North Carolina
• Monica I. Portugal, The Durham Center
• Jana Rakes, Triangle Physician Network
• Penny L. Weinhold

North Dakota
• Lisa M. Davies, Sanford Health
• Andrew Wood, Catholic Health Initiatives

Ohio
• Kirsten Ballman, John Sterling Associates
• Wendy Elliott, Pickaway Health Services
• Elizabeth M. Foley, HCR Manor Care
• Holly Losekamp
• Gabriella Neff, Summa Health System
• Richard Porter, HCF Management, Inc.
• Jenny Roman, Human Arc Corp
• Brenda Ross, CareSource

Oregon
• Wade Carson, Willamette Valley Cancer Institute & Research Center
• Amy Dimond, EthicsPoint, Inc
• Tom McNamara, EthicsPoint
• Mark Reed, EthicsPoint, Inc
• Jennifer Woods, Albertina Kerr Centers

Pennsylvania
• Millie Agnew, WRC Senior Services
• Nancy Burch-Nelson, Urology Health Specialists, LLC
• Thomas J. Conlin Jr., Maria Joseph Manor
• Aleta Dick, Family Home Health Services
• Sharon Herrle, Henderson Brothers, Inc.
• Jodi Kay Hirsch, West Penn Allegheny Health System
• Christin J. Kieffer, Evangelical Community Hospital
• Frank J. King, Redstone Highlands
• Judy Oprisko, Allied Services
• Carol A. Watson, Landmark Home Health Care

Tennessee
• Cecilia M. Baehm, Life Care Centers of America
• Sarah D. Branch, Baptist Memorial Healthcare Corp
• Katherine Byrum, Memorial Health Care System


• Matthew M. Curley, U.S. Attorneys Office
• Niejadd Evans, HealthSpring
• Cheryl Garth, Baptist Healthcare Corp
• Julia Hamilton, Meharry Medical College
• Adraine Harris
• Tameka L. Hayes, HealthSpring
• Rocio Kirchner, HealthSpring
• Sara Linton, HCA
• Richard F. Russell
• Alexis Tutor, Wright Medical Technology

Texas
• Eric Dominguez
• Marian Farebrother
• Jayne Fleck Pool
• Gretchen L. Gemeinhardt, Harris County Hospital District
• Mel Gunawardena, Synergen Health LLC
• Carol Hanes
• RoseMaria Levinsky, Hendrick Medical Center
• Marjorie Maier, GE Healthcare
• Jonathan McCollum, Orion HealthCorp
• Gogo U.K. Owor, Law Office of Gogo U.K. Owor & Associates
• Claire Pancerz
• Holly Reade Nolan, UT Health Science Center San Antonio
• Richard Rivera, KCI USA, Inc.
• Jean Stiles, Signature Healthcare
• Reed Tinsley, CPA
• Najmeh Vahid, Vahid Law Firm PLLC

Vermont
• Cynthia Snow, Fletcher Allen Health Care

Virginia
• Vernita Haynes, UVA Health System
• David Krupnick
• John Lenoir, Key Point Government Solutions
• Nancy Reinardy, VCU Health System
• Patricia Scipio, PricewaterhouseCoopers LLP
• James G. Scott, Applied Policy LLC
• Lisa York, Riverside Health System

Washington
• Matthew Donohoe, Providence Health & Services
• Michelle Peterson, Lane Powell PC
• Kayla Petramalo, DaVita
• Raphael Rodriguez, Matrix Anesthesia
• Cindy Ryals, MultiCare Health System
• Tanya Semenko, Providence Health & Services

Wisconsin
• Tanya M. Harris, Milwaukee Health Services, Inc
• Brenda Nuite
• Lisa Rowe-Peplinski, Riverview Hospital Association
• Cynthia Roy, Extendicare Health Services Inc
• Deanna Wachholz, Advance Pain Management
• Toni Young, St Josephs Health Services- Gunderson Lutheran

Puerto Rico
• Vanessa Beltran-Ortiz, Arroyo and Monrouzeau Law Firm
• Rene De Leon Toro, MAPFRE Life Insurance Company

Be Sure to Get Your CHC® CEUs

Articles related to the quiz in this issue of Compliance Today:

• PQRS reporting: Avoiding the pitfalls—By Daniel F. Shay, page 23

• How internal controls support compliant business practices, Part 2: Auditing and monitoring—By Kelly Nueske, page 42

• Medicare revalidation survival guide—By Jennifer Benedict and Angela Epolito Sprecher, page 52

To obtain one CEU per quiz, go to www.hcca-info.org/quiz and select a quiz. Fill in your contact information and take the quiz online. Or, print and fax the completed form to CCB at 952/988-0146, or mail it to CCB at HCCA, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Questions? Please call CCB at 888/580-8373.

Compliance Today readers taking the CEU quiz have ONE YEAR from the published date of the CEU article to submit their completed quiz. Only the first attempt to pass each quiz is accepted.


Don’t approach your audits blindfolded. Let TRACKer™ PRO guide the way.


Register now at www.compliance-institute.org

Health Care Compliance Association’s 16th Annual Compliance Institute

April 29–May 2, 2012 • Las Vegas, NV • Caesars Palace

Come to HCCA’s 2012 Compliance Institute in Las Vegas and learn from these GENERAL SESSION SPEAKERS

Register for HCCA’s Compliance Institute between January 21 and February 29 and get your choice of TWO HCCA web conferences for FREE!* Choose any two:

• Stark—Beyond the Basics
• Auditing Hospital/Physician Financial Arrangements
• Ready for Action: Preparing Your Organization for Governmental Audits with Practical Steps for Compliance
• HIPAA Audits

Aaron Beam, Founder and Former CFO, HealthSouth, Loxley, AL

Shawn DeGroot, CHC-F, CCEP, CHRC, Vice President of Corporate Responsibility, Regional Health, Rapid City, SD

Marjorie W. Doyle, JD, CCEP-F, Managing Director, Aegis Compliance & Ethics Center, LLP, Of Counsel, Meade & Roach, LLP, Landenberg, PA

Daniel R. Levinson, Inspector General, Office of Inspector General, U.S. Department of Health and Human Services, Washington, DC

Robert Ossoff, DMD, MD, CHC, Assistant Vice-Chancellor for Compliance and Corporate Integrity, Vanderbilt University Medical Center, Nashville, TN

Daniel Roach, JD, VP Compliance & Audit, Catholic Healthcare West, San Francisco, CA

James Sheehan, JD, Chief Integrity Officer/Executive Deputy Commissioner, New York City Human Resources Administration, New York, NY

SPECIAL OFFER

*New registrations only