volume seven number twelve december 2005 published monthly · los angeles, ca compliance academy...

Volume SevenNumber TwelveDecember 2005

Published Monthly

RegisterNow!See pages

22–23.

February 6–9, 2006Park Hyatt Los Angeles

Los Angeles, CA

June 5–8, 2006Hilton Scottsdale Resort & Villas

Scottsdale, AZ

ACT NOW! SPACE IS LIMITED!

February 6–9, 2006: Los Angeles, CA

June 5–8, 2006: Scottsdale, AZ

$ 2,500 Members$ 3,000 Non-Members$ 2,795 HCCA Membership & RegistrationSave $205.00 by joining HCCA today!(New members only.)

PLEASE TYPE OR PRINT

First Name Last Name

Credentials HCCA Member ID

Title

Company

Address

City State Zip

Phone

Fax

E-mail

Federal Tax ID: 23-2882664

Payment TermsPlease enclose payment with your registration and return it to the confer-ence office at the above address, or fax your credit card payment to (952)988-0146.

Invoice mePO number_________________ CODE: CAM0605Check enclosed (checks payable to HCCA)American Express Visa MasterCard

Account No.

Exp. Date

Name of Cardholder

Signature

WEBwww.hcca-info.org

MAILSend form with tuition fee to:HCCA5780 Lincoln Drive, Suite 120 Minneapolis, MN 55436

FAX(952) 988-0146

[email protected] 1-888-580-8373

CC

Health Care Compliance Association

HCCA • 888-580-8373 • www.hcca-info.org

DDeeaarr HHCCCCAA mmeemmbbeerrss::Many HCCA members have asked how they can domore for our organization. AAnn eexxcciittiinngg ooppppoorrttuunniittyy ttoobbeeccoommee mmoorree iinnvvoollvveedd iinn HHCCCCAA hhaass nnooww aarrrriivveedd!! Weare seeking members who wish to serve as associate editors for a new auditing and monitoring manual. Thismanual will contain tools and other resources to helpmembers assess and improve their compliance programs.

VVoolluunntteeeerrss aarree nneeeeddeedd to research articles and find back-ground material for the manual. In addition, aassssoocciiaatteeeeddiittoorrss aarree nneeeeddeedd to interview the manual's chief editorsand gather information that will add insight and providecontext to auditing and monitoring in compliance.

MMeemmbbeerrss wwhhoo wwiisshh ttoo hheellpp mmaayy ccoonnttaacctt HHCCCCAA EEddiittoorr AAllaann PPiieerrccee aatt 888888--558800--88337733,, eexxtt.. 224455,, oorr aattaallaann..ppiieerrccee@@hhccccaa--iinnffoo..oorrgg

T H E C A L E N D A RONON

2005 CONFERENCES:

Baltimore, MD■ Medicare Prescription Drug Part D

Compliance ConferenceDecember 11-13

2006 CONFERENCES (BY STATE):

Anchorage, AK■ Alaska Area Meeting

July 13-14

Scottsdale, AZ■ Compliance Academy

June 5-9

Los Angeles, CA■ Compliance Academy

February 6-10

San Francisco, CA■ Advanced Academy

June 19-23

San Diego, CA■ West Coast Area Meeting

July 28

Denver, CO■ Mountain Area Meeting

August 25

Orlando, FL■ South Atlantic Area Meeting

January 27

Atlanta, GA ■ Southeast Area Meeting

February 10

Honolulu, HI■ Hawaii Area Meeting

October 19-20

Chicago, IL■ North Central Area Meeting

October 6

Baltimore, MD■ Northeast Area Meeting

March 3

Boston, MA■ New England Area Meeting

September 8

Detroit, MI■ Upper North Central Area Meeting

June 16

Minneapolis, MN■ Upper Midwest Area Meeting

September 15

Kansas City, MO■ Midwest Area Meeting

August 4

Las Vegas, NV■ 10th Anniversary Compliance

Institute, Caesars PalaceApril 23-26

■ 3rd Annual Research ConferenceSeptember 17-19

Rochester, NY■ Tri-State Area Meeting

November 3

Pittsburgh, PA■ Mid Atlantic Area Meeting

September 29

Nashville, TN■ South Central Area Meeting

November 10

Dallas, TX■ Southwest Area Meeting

February 17

Seattle, WA■ Pacific Northwest Area Meeting

June 2

NATIONAL CORPORATECOMPLIANCE AND ETHICS WEEK■ May 21-27

INSIDEINSIDE4 The SDN list

5 HCCA audio conferences

7 Managing conflictsof interest

11 Documenting fairmarket value

14 Founding HCCABoard membersweigh in

18 Moving from rulesand standards

20 CEO Letter

21 HCCA seeks yourcontributions

22 10th AnniversaryCompliance Institute

24 Re-evaluating training & auditingprocesses

26 Compliance programeffectiveness

32 Developing a proactive complianceprogram

36 Preserving attorney-client privilege

NEWSFLASHNEWSFLASH

DDeecceemmbbeerr 22000055

3

The Health Care ComplianceAssociation (HCCA) is seekingauthors for upcoming issues ofCompliance Today. Topics to consider: HIPAASecurity, compliance auditingand monitoring, complianceoperations, implementing vari-ous aspects of the Sarbanes-Oxley Act, effective trainingtechniques, 2006 OIG WorkPlan, and more.Contact [email protected] with questionsand topics.Please note that HCCB awards2 CEUs to authors of articlespublished in CT.Upcoming Article DeadlinesDecember 7. . . . February 2006January 12 . . . . March 2006February 11 . . . . April 2006March 11 . . . . . May 2006 April 12 . . . . . . . June 2006

Call for Authors

R E S O U R C E SHCCAHCCATo order or for more information, visitwww.hcca-info.org or call 888-580-8373.■ The HIPAA Security Rule■ The Health Care Compliance

Professional’s Manual■ Monitoring & Auditing Practices

for Effective Compliance■ HCCA’s Guide to Resident

Compliance Training

■ Compliance 101■ Compliance, Conscience, and

Conduct™, a video-based training program

■ Privacy Matters, a video-based HIPAA training program

■ Corporate Compliance & Ethics:Guidance for Engaging Your BoardVolume 1: The Board’s Perspective

4DDeecceemmbbeerr 22000055

Editor’s note: Jerry Ballman is VicePresident of John Sterling Associates,LLC in Cincinnati, Ohio. The companyprovides compliance screening ofemployees, physicians, and vendors. Mr.Ballman may be reached by telephone at800/909-5763 or by [email protected].

O ver the past two years, hospitalcompliance professionals havebeen advised by the screening

industry that they have a responsibility to usethe Specially Designated Nationals andBlocked Persons (SDN) list as part of theiremployment and vendor compliance screen-ing programs. Often this advice borders onnear hysteria, as some in our field use fear ofheavy fines and images of terrorists roaminghospital corridors to hype their screeningservices. It’s time to apply some perspectiveand common sense to SDN screening inyour hospital.

First, the perspectivePlease stand up now, take a deep breath, andwalk to the nearest window. Look up anddown the street. Can you see a bank, a realestate office, a pawn shop, a manufacturerwith export sales, a mini-mart selling moneyorders or a stock brokerage? All of them areat far greater peril from the SDN than yourhospital ever will be. That’s because a princi-pal goal of the SDN list is to prohibit busi-ness dealings, and especially fund transfers,with blocked parties.

Let’s take a closer look at the SDN list. TheU.S. Treasury’s Office of Foreign AssetControls (OFAC) updates this list frequently

on the Internet at www.treas.gov/offices/enforcement/ofac/sdn/. You will quickly notethat this site is not easy to use. The GSAExcluded Parties List System (EPLS) alsocontains SDN data. In my opinion, a far bet-ter checking source is the NationalAssociation of Security Dealers (NASD) siteat http://apps.nasd.com/Rules_&_Regulations/ofac/defaultAll.asp.

OFAC regulations impose explicit checkingand reporting duties on banks, import/exportfirms, securities brokers, insurance compa-nies, tourism/travel agencies, credit reportersand their clients, charities, money servicesbusinesses, and corporate registrars. There areserious consequences for compliance failurewith possible fines well into six figures.

While it is true that the law and regulationscan be read as covering all organizations, thereality is that no enforcement has been notedoutside the above group of regulated indus-tries. Common sense will indicate that thefederal government is focused on money andtechnology transfers and the terrorists whofacilitate and benefit from such transfers. Youwill note that hospitals are not included inOFAC’s short list of regulated industries.

Before September 11, 2001, the list was pri-marily focused on businesses and personsinvolved in money laundering schemes. Mostof these schemes were drug cartel related.After that date, Executive Order 13224added many known or suspected MiddleEastern terrorists, charities, and businesses tothe list. While the SDN list is often said tohave about 5,000 names, many are spellingvariations or alternative aliases. There are

probably fewer than 2,000 discrete entitieson the list.

The number of listings with a U.S. nexus ismuch smaller. In June 2005, there were just20 businesses, 6 charities, and 19 personswith listings that indicate a U.S. address. Ofthe listed persons, there were only 11 whowere born in or who have resided in theUnited States, based on SDN data regardingplaces of birth or Social Security Numbers.

Now consider your employment compliancescreening program. There are no employ-ment prohibitions to be found regardingSDN, unless you consider hiring people tobe “doing business” with them.

Consider why a listed person would evenwant to go to work for your hospital in thefirst place. In my opinion, relocating fromColombia with a desire to give up a career inillegal narcotics is highly unlikely. Or consid-er why a terrorist bent on creating havoc inyour hospital would use his own name whenfalse identity papers are so easy to obtain.The plain fact is that screening employeeswith the SDN list does not yield much fruit.

What it will yield, though, is many false pos-itives to honorable employees with commonLatino names like Jose Alvarez and MariaGonzalez. While often differing dates ofbirth or middle names will permit clearingan employee, there are times when you canonly observe that the listed person is in Cali,Colombia while your employee lives in yourtown. Common sense then tells you there isno real reason to suspect your employee andit is best to not pursue the matter further.

The story on vendor screening is not muchdifferent. Apart from the handful of busi-nesses with U.S. addresses, the businesses

BByy JJeerrrryy BBaallllmmaann

Continued on page 6

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

HCCA Audio ConferencesJoin us for the following

HCCA Audio Conferences are a fast and easy way to aquire HCCB CEUs!

Get the latest “how-to” information—tools and advice youcan use daily without even leaving your office! Register onthe HCCA Web site—www.hcca-info.org. You will receive ane-mail a few days before the conference with any conferencehandouts, and dial-in information and instructions.

➤ ➤ Clinical Trial Billing: Medicare Coverage Reviews,Process Improvement, Part I and Part IISpeakers: Lisa Murtha, JD, CHC and Ryan Meade, Esq.December 2 and December 16—12 Noon Central

➤ ➤ Critical Access Hospitals and ComplianceSpeakers: Gregory Etzel, Esq. and Scott McBride, Esq.December 15—12 Noon Central

➤ ➤ The OIG Work Plan audio conference has been postponed until mid December. For more information, please check our Web site: www.hcca-info.org

5Health Care Compliance Association • 888-580-8373 • www.hcca-info.org



listed are all on foreign soil. Few (if any)appear to be medically related operations,based on their names. True, you have areporting obligation if a blocked entity doesturn up on your vendor list, so do checkyour vendors against the SDN list. It is,however, highly unlikely that you are doingbusiness with any blocked business.

So, where does that leave you in your com-pliance screening efforts? First, resist the hys-teria. There probably is a greater chance of akiller meteorite hitting your hospital thanthere is of trouble from a SDN listed entity.Look at the SDN list yourself and youshould feel comfort that this risk really issmall.

Don’t pay extra for this screening. You caneither do it yourself or engage a reputablescreening source that includes it as part of itsregular screening procedure at no extra cost.

Don’t overreact if there is an apparent match.It almost certainly is not real. Look at thedetails and use common sense if you have tomake the final determination.

And always remember that the SDN list hasonly tangential relevance to your hospital. Tomodify Gertrude Stein’s famous quotation,there is very little “there” there for hospitals.Many other facets of your compliance pro-gram are more deserving of your time andattention. ■

The SDN list ...continued from page 4

REGISTER NOW for HCCA’s

10th AnniversaryCompliance

InstituteSee pages 22–23 for details.



Editor’s Note: José Tabuena is with theForensic & Dispute Services practice ofDeloitte Financial Advisory ServicesLLP. He has investigated fraud andabuse allegations, and assisted organiza-tions to develop conflicts of interestpolicies and protocols. A former compli-ance officer, he has implemented andmanaged conflict of interest processes.Mr. Tabuena may be reached by tele-phone at 214/840-7410 or by e-mail [email protected].

Part II will be published in the Februaryissue of CCoommpplliiaannccee TTooddaayy. The views inthis article are those of the author and donot necessarily represent the views ofDeloitte Financial Advisory Services LLP.

P erhaps no other issue arises asoften as “conflicts of interest” forthose in the field of organizational

compliance. Further, because of the breadthof areas where conflicts can arise and the lackof uniform law or regulation, managing con-flicts of interest can be particularly challeng-ing. Consider the following headlines:■ A U.S. Supreme Court Justice refused to

step aside in a case filed by the VicePresident. The two had taken a huntingvacation together shortly after the courtagreed to consider the case.

■ The hiring of former military officials bylarge defense contractors was questionedafter it was learned that the officials were

involved in several large government con-tracts that were awarded to those defensecontractors.

■ The objectivity of several journalists waschallenged after they admitted being paidby the government to promote issues thatwere the topic of columns and articlesthey had written.

■ In separate incidents, a national laborato-ry and a city police department experi-enced heavy criticism when they replacedinternal investigators who had been work-ing on controversial matters involvingallegations against senior executives andofficials.

Let’s also not forget that most of the recentcorporate scandals involved at their coresome form of conflict of interest. Forinstance, the personal interests of an execu-tive versus the interests of the company as awhole are at issue when that executivereceives improper personal benefits (includ-ing loans and guarantees) because of his orher position in the organization.

Conflicts are even found in more mundanesettings at home and in the workplace.Personal examples I have observed include:■ The youth coach who insisted on playing

his son at a particular position when it isapparent to the rest of the team that thiswas not his best role.

■ A PTA president who over the yearsbecame close with the school principal

and upon the principal’s retirement decid-ed to award her with an ostentatiouswatch with PTA funds.

■ A supervisor believed to favor employeeswho spoke her native language whendetermining who would get plum assignments.

In this commentary, I will discuss the natureand definition of conflicts of interest. Whatexactly are they and whose interests are weconsidering? Have we gone too far in healthcare in trying to eliminate potential conflictsof interest? Can conflicts be effectively man-aged? In a future article (Part II), I will covertechniques for managing and addressing con-flicts of interest.

What exactly are conflicts of interest?Conflicts of interest are considered one ofthe most difficult white-collar offenses toinvestigate. They often occur at the upperlevels of an organization with internalreviews facing resistance or lack of supportfrom the involved parties. While an employ-ee who engages in a conflict situation is saidto violate his or her duty of loyalty to thecompany, a board of directors that fails toadequately take steps to prevent or investi-gate conflicts may violate its duty of care.

JOS

É A

. TA

BU

EN

A

BByy JJoosséé AA.. TTaabbuueennaa

Continued on page 8

8 Health Care Compliance Association • 888-580-8373 • www.hcca-info.org


A useful definition can be found in the NewYork Stock Exchange (NYSE) CorporateGovernance Listing Standards. The NYSEprovides that:

A “conflict of interest” occurs whenan individual’s private interest inter-feres in any way—or even appears tointerfere—with the interests of thecorporation as a whole. A conflictsituation can arise when an employ-ee, officer, or director takes action orhas interests that may make it diffi-cult to perform his or her companywork objectively and effectively.1

Examining this definition more broadly, con-flicts of interest occur when a decision-makerin a position of trust has competing profes-sional and/or personal interest. Even if thereis no improper conduct, the existence of aconflict of interest can create an appearanceof impropriety that can undermine confi-dence in the ability of that individual to actproperly. Similarly, if there is an apparent butnot an actual conflict, a reasonable personmay still likely conclude that a person’s judg-ment was compromised.

The scenarios described above clearly fitunder this definition. The telling feature isthat the independence and objectivity of asupposedly impartial decision-maker ispotentially impaired. The ability of a deci-sion-maker in exercising his or her dutieswithout bias comes into question.

Most conflict of interest situations involvefinancial interests but individuals have othermotives that can also influence objectivity.The earlier example of the national laborato-ry and police department is one such case.The removal of internal investigators from asensitive matter was a conflict of interestinvolving a process, as opposed to a financialtransaction. The appearance that manage-

ment did not want an independent reviewproved to be a public relations fiasco for thelab as well as for the police department.Likewise, one may be motivated by prestigeor recognition, which does not necessarilyresult in an immediate financial interest.

General types of conflicts of interestConflicts of interest involve both financialand non-financial interests and can ariseunder many different circumstances.Depending on the situation, a conflict ofinterest can lead to a wide range of criminalcharges such as mail and wire fraud, state andforeign commercial bribery, various chargesunder industry specific statutes (e.g., Anti-Kickback Act) and civil litigation againstdirectors for breach of the duty of care.

Despite the lack of uniform standards,instructive frameworks governing conflictscan be found in requirements that apply topublic officials,2 and in state and federal tax-exemption laws including prohibitionsagainst private inurement and excess benefittransactions.3 Agencies such as the JointCommission on Accreditation of HealthcareOrganizations also have standards thataddress conflicts of interest to help ensurethat the integrity of clinical decision-makingis not compromised.

It would be difficult to exhaustively list andcategorize the various forms of conflicts ofinterest. A compliance program shouldundertake a meaningful risk analysis so it cananticipate conflicts that may occur andaddress such conflicts in its policies, proce-dures, and monitoring techniques.

Still, there are certain conflicts of interestrisks that are fairly common and noted incompany codes of conduct. The followingare common core areas a compliance officerin any industry is likely to encounter:

■ Financial Interests—Often significantfinancial interests in entities doing busi-ness with or competing with one’semployer are defined in codes of conductand policies. Such interests may be pro-hibited or require advanced clearance byappropriate personnel. In addition toreceipt of expensive gifts that can create afinancial interest, this can include any for-profit business in which you have a largeinvestment or ownership stake.

■ Interest in Customer or Supplier—Personnel who have an undisclosed andpotentially adverse interest in a supplier orcontractor (including but not necessarily afinancial interest), will likely favor theirown interest over the organization. Thiscan result in bid rigging, charge orderabuse, or other contract and procurementfraud.

■ Gifts and Entertainment—This area hasthe potential to touch more employeesthan any other conflict of interest. Giftsor gratuities include any inducement thatcan be prosecuted as a bribe or kickback.

■ Interested Fiduciary Transactions and Self-Dealing—Entails performing transactionsin which a corporate fiduciary has a per-sonal interest. This includes situationswhere an employee or family memberreceives personal benefits.

■ Competing with the Company—Workingfor or providing services to others that dobusiness or compete with your company,such as outside employment with a com-petitor.

■ Usurping Corporate Opportunities—Involves using corporate assets for person-al gain such as running a home businessfrom work, and taking advantage person-ally of opportunities discovered throughthe use of corporate property.

■ Offer of Employment by a Customer,Supplier, or Competitor—Employees maybe improperly influenced by offers of

Managing the unavoidable ...continued from page 7



employment for themselves or familymembers. This often involves planning totake a job that takes advantage of one’sprior position.

Health care specific issuesThe regulatory environment for health careand the life sciences poses special risks from aconflicts of interest perspective. In additionto the areas where conflicts occur in allindustries, compliance officers need to con-tend with a maze of regulatory implicationsand government scrutiny that relate to con-flict management.

Concerns pertaining to provider-patient rela-tionships still arise as the boundaries betweenpatients and staff can be blurred in manyareas because of the intimate nature of carein certain settings. There also remains ten-sion and competing economic interestsbetween institutions and physicians as med-ical staff have been said to view corporateconflict of interest policies as a means to gaininformation on a physician’s business practiceto the hospitals competitive advantage.

Lately we’ve seen emphasis on the influencepharmaceutical and medical device manufac-turing money can have on the prescribing,purchasing, and research decision-makingprocesses of health care providers.

Health care professionals themselves are tar-gets as transactions and relationships withdrug and device manufacturers are questioned.Lewis Morris, Chief Counsel, Office ofInspector General (OIG), U.S. Department ofHealth and Human Services, observed that itis reasonable to consider whether physicians orother providers are effectively “shaking down”their vendors by demanding some form ofinducement.4 U.S. Attorney James Sheehanadded that while solicitations by providers toobtain kickbacks have been a focus, there is a

new emphasis on the role of payors and mid-dlemen in seeking to obtain or retain favor-able contracts or treatment.5

One of the primary concerns when it comesto the acceptance of gifts and business cour-tesies is the Federal Anti-Kickback Statute,which makes it unlawful to accept anythingof value with the intent of influencing thereferral of patients covered under a govern-ment health care program. Even gifts of min-imal value can be problematic if it is intend-ed to reward referrals or purchases reim-bursable under a program like Medicare.Therefore, if a vendor’s costs may directly orindirectly be reimbursed by Medicare, orother government health care programs, thenthe statute may be implicated.

The latest Stark regulations devoted a lot ofattention to gift giving and incidental bene-fits and this issue has required hospitals andother providers to place an emphasis ontracking and documenting benefits given toreferring physicians. For hospitals, trackingbenefits to physicians under the Stark law$300 annual non-monetary gift cap and the$25 per item “incidental” benefit limit canbe a significant undertaking.

Additionally, there has been an onslaught ofcongressional and IRS inquiries into conflictmatters as they relate to private and excessbenefits with tax-exempt organizations.

Emerging risk areas in health care includeefforts to require more disclosures of finan-cial interest between research investigatorsand clinical trial sponsors.6 Some medicaljournals are considering whether to requireresearchers to register clinical studies atinception so that poor results are reportedpublicly and can’t be concealed. Under theMedicare Modernization Act, interactionsbetween life science companies and members

of Pharmacy and Therapeutic committeeswill likely be an area of concern. And newstate laws and proposed legislation are requir-ing drug and device manufacturers to tracksales and marketing activities.7

Physicians are of particular challenge becauseof their role and influence in decision-mak-ing.8 Even when a physician does not useparticular equipment, the institution mayneed his or her input to fully understand itsappropriate application. Is it in the bestinterest to remove a physician from a deci-sion-making process because he or she has afinancial interest, even when that physician isthe user at the point of care? For example,medical devices are expensive so institutionsoften ask their own physicians to help decidewhich ones to buy. Thus physician consult-ing arrangements with device companies thatseek expert input to enhance their productswould render difficult the ability of thephysician to provide independent advice.

Are conflicts of interest necessarily bad?The examples above demonstrate that con-flicts of interest can arise in a myriad of situ-ations. Yet those who address them in theworkplace recognize that conflicts are gener-ally unavoidable. According to the AmericanMedical Association, “The presence of a con-flict of interest is often indicative of broadexperience, accomplishments and diversity ofinstitutional decision-makers.”9

It can seem that the more accomplished anindividual, the more likely he or she willencounter a conflict of interest situation.Recently appointed judges will likely need torequest recusal on cases involving their for-mer law firm. But once they don the robesmust judges cloister themselves and limitcontact with all powerful individuals? Should

Continued on page 10



Managing the unavoidable ...continued from page 9

renowned scientists be constrained in theirability to consult or give talks on a medica-tion because they ran a clinical trial spon-sored by the drug maker? Is anyone evercompletely free from bias?

Consider the board of a small nonprofit com-munity hospital. Often such a board compris-es well known community leaders who dobusiness with each other and the hospital.Couple that with increasingly complex andinterrelated transactions between hospitalsand physicians. In such a scenario, conflictscan abound from competing economic inter-ests such as the role of the department chairin credentialing partners and competitors, therole of a management service organizationowned by the hospital and physicians, etc. Itmay prove a challenge to find a truly inde-pendent board member who at times may bethe only qualified decision-maker.

Still, as the pressure on board accountabilityhas grown, hospitals are asking for moredetail from physicians and executives abouttheir outside activities. Organizations arerefining their policies so that conflicts ofinterests can be better managed. Regardingdealings with drug and device representa-tives, some entities have gone so far as to banthem from speaking with their physicians.

Are such extreme measures really necessary?The objective is not to eliminate all con-flicts—that is not possible—but to identifyand resolve them. Just because a board mem-ber works for a company that does businesswith the hospital doesn’t mean that personcan no longer serve on the board. Instead,the hospital needs to be aware of the rela-tionship and have a process to ensure the fairresolution of the situation, such as the recusalof the board member from voting on issuesimpacting his or her employer. But that canbe easier said than accomplished.

An organization that fails to prevent andmanage conflicts of interest risks publicembarrassment as well as criminal chargesand other legal liabilities. Often there are nobright lines, and situations need to be evalu-ated on a case-by-case basis. An organizationis better served by having policies and guide-lines on conflicts of interests that are tailoredto the risks of the organization, and clearlyspecify as to whom the criteria apply. Andprocesses to monitor conflict situations toensure appropriate handling, while promot-ing consistency and fairness, are crucial.

As will be covered in Part II, requiring dis-closure is a good start and not all financialinterests lead to corruption. Fortunately there

are methods for monitoring and detectingpotential conflicts of interest to help managethe risk. ■

1. Section 303A of the NYSE Corporate Governance Rules.2. For example, the Regulations of the Fair Political Practices

Commission in California contains a detailed set of limita-tions (Chapter 7, Conflicts of Interest, California Code ofRegulations § 18700 et seq.).

3. See the Internal Revenue Service model conflicts of interestpolicy for tax-exempt organizations:http://www.irs.gov/pub/irs-utl/topice00.pdf

4. Comments at the American Health Lawyers Annual Meeting(AHLA), June 27, 2005.

5. Comments at the AHLA Annual Meeting, June 29, 2005.6. The National Institute of Health (NIH) has issued conflict of

interest regulations(http://www.nih.gov/about/ethics_COI.htm). The OIG hassolicited recommendations for development of complianceprogram guidance for recipients of NIH research grants(http://oig.hhs.gov/authorities/docs/03/FRcpgNIHsolicitation.pdf).

7. See e.g., California Health & Safety Code §§ 119400-119402(California SB 1765).

8. Jaffe, Rory S. “Physicians Conflicts of Interest are OftenDifficult to Resolve.” Journal of Health Care Compliance,Vol. 4, No. 4 (July/August 2002).

9. See the American Medical Association A-05 Resolutions andReports, Report “A”, Conflict of Interest Guidelines athttp://www.ama-assn.org/ama/pub/category/4878.html.

Full Name:

Title:

Organization:

Address:

City/State/Zip:

Telephone:

Fax:

E-mail:

HCCA individual membership costs $295; corporate membership(includes 4 individual memberships, and more) costs $2,500. CCTT subscription is complimentary with membership. HCCA non-member subscription rate is $357/year.❑ Payment enclosed ❑ Pay by charge: ❑ AmEx ❑ MasterCard ❑ Visa

Card #: Exp. Date:

Signature:

❑ Please bill my organization: PO# PPlleeaassee mmaakkee cchheecckkss ppaayyaabbllee ttoo HHCCCCAA aanndd rreettuurrnn ssuubbssccrriippttiioonn ccoouuppoonn ttoo::

HHCCCCAA,, 55778800 LLiinnccoollnn DDrriivvee,, SSuuiittee 112200,, MMiinnnneeaappoolliiss,, MMNN 5555443366..

To order Compliance Today (CT) complete this coupon



Editor’s note: Christine Bachrach,CHC, is Vice President–CorporateCompliance for HealthSouth. She may be reached by telephone at205/970-5853 or by e-mail at: [email protected]

F air Market Value (FMV) for a con-tract is something that every com-pliance professional will likely be

asked to review. Many types of contracts fora health care organization involve relation-ships with referral sources—both direct andindirect. Direct relationships with referralsources, such as physicians, may include con-tracts for medical director duties, other med-ical responsibilities (e.g., call, coverage), leas-ing real estate, equipment, or employees, orrelocation agreements. Direct relationshipsmay also exist with other referral sources,such as hospitals. For example, a hospitalmay have a contract with, and be a referralsource for, a vendor that provides products orservices to the hospital (i.e. laboratory servic-es or ambulance transport services). There arealso many cases where indirect relationshipsmay exist with a referral source. For example,an indirect relationship may exist between aphysician and a surgery center if the surgerycenter contracts with a transcription compa-ny owned by the physician’s wife.

For contracts in which the company is pur-chasing a service or item, fair market valueoften can be determined simply by obtainingcomparable bids. But what about contractsthe company offers or those that involveintangible or hard-to-measure services? This

article will outline several different contractsand discuss some of the considerations whenlooking at FMV.

Medical directorsSince the introduction of “safe harbor” rateswith Stark II, documentation for FMV forhourly rates has changed. Many organiza-tions have found that the hourly market ratefor physicians is higher than the safe harborrates. This is especially true for certain spe-cialties such as internal medicine and infec-tious diseases where some of the calculatedsafe harbor rates fall below $80/hour. Somefactors to consider and document when eval-uating the rate paid to a physician for med-ical director include the physician’s years ofexperience, reputation in the community,special qualifications, and training. There arealso other salary surveys available, such as theFederated Ambulatory Surgery Associationsurvey which includes information onMedical Directors for ambulatory surgerycenters.

Another factor that may affect the rate paidfor medical director services is the level of thephysician duties required. For example, itmay take a much more skilled physician todevelop and manage a new program (e.g., thefacility wants to develop clinical pathways) asopposed to managing a well-established pro-gram with existing clinical processes.

Another important consideration is how toverify and document that the number of paidhours is reasonable and appropriate. Does ittake the same effort to manage a program

with 20 patients versus one with 100patients? The program’s stage of developmentshould also be considered. For example, theJoint Commissions of AccreditingOrganizations has a program that recognizescertain hospitals as Primary Stroke Centers.The qualifications to earn this designationare difficult, and it may require more efforton the part of the physician to initially earnthe designation that it would to maintain theprogram.

Lastly, it’s important to make sure that thereare no overlapping duties. If you had both anorthopedic surgeon and a hand surgeon, itwould be important to differentiate theirduties and provide an explanation as to whyboth are necessary.

VendorsMost vendor contracts are relatively simple toget FMV by old-fashioned comparison shop-ping. However, there are special considera-tions when you have a vendor who may billitems both to the facility and to payorsdepending on the circumstances. For exam-ple, an ambulance vendor may bill MedicarePart B for transporting a beneficiary to along-term care hospital, but the vendor maybill the hospital if, during the admission, thepatient had to be transported to another

CH

RIS

TIN

E B

AC

HR

AC

H

BByy CChhrriissttiinnee BBaacchhrraacchh




facility for a CT scan that the hospital couldnot provide. In these circumstances, the con-tract with the vendor should specify the serv-ices to be provided by the vendor and howand whom the vendor will bill for such serv-ices. The arrangement should also reflectcommercially reasonable prices for servicesbilled by the vendor to the facility. Oneexample might be if the above ambulancevendor offered to bill substantially below theMedicare allowable rate for those servicesthat are billed to the facility.

SponsorshipsThis is not an area typically considered with-in the purview of compliance. However,there may be a referral source involved—atleast indirectly—in these arrangements thatshould be reviewed. The sponsored organiza-tion may be a source of referrals, or in anathletic team sponsorship the team physicianmay be a referral source for the facility. Evenif the federal anti-kickback statute is not triggered because of a lack of Medicare refer-rals, several states now have anti-kickbacklaws similar to the federal law that apply toprivate- and government-funded programpatient referrals. In this regard, sponsorshiparrangements should be examined and documented appropriately.

Real estate leasesReal estate leases are an area where it is oftenrelatively easy to get a FMV quote from areliable outside source. But it’s important tobe sure that the outside opinion is basedupon the same “terms” as the proposed lease.If the proposed lease is stated in terms ofgross rent (i.e., the rent payment covers allutilities, etc.) but the FMV is in terms of“triple net” (i.e., renter pays separately forutilities, and items like snow removal, janitor-ial services, etc.), this could make it difficultto compare FMV. Another consideration is toensure that the FMV includes the appropriate

“common area factor” for common areasused, such as stairs, hallways, restrooms, etc.

Equipment leasesComparable FMV quotes are sometimesmore difficult to obtain for equipment leases.This difficulty may be because of a lack ofreadily available comparable equipment (e.g.,different lasers with different characteristics,or used versus new equipment). For usedequipment, it may be possible to use a salesquote to approximate a lease rate calculation.For example, if a two-year-old laser with anexpected life of five years costs $3,600 new,and has an annual maintenance cost of $600,a minimum monthly lease amount may be$150 plus a reasonable margin (calculated as$3,600 / 36 months (expected life left) +$600 / 12 (monthly maintenance). This val-uation methodology may not be ideal, but itmay be used as a benchmark to determinewhether more explanation may be necessary,if for example, the proposal was to lease to areferral source for $100 per month.

Employee leasesIf an entity leases employees to or from areferral source, it’s important to be sure thatthe lease rate covers salary, benefits, costs,and a reasonable margin for the type of per-sonnel. It may be possible to obtain rates forcomparison purposes from local staffingagencies.

Management agreementsThere are many more considerations whenreviewing FMV for a management agree-ment. In addition to FMV analysis, manage-ment agreements will certainly require legalcounsel to ensure the terms are appropriate.One of the most important factors in a man-agement agreement is consideration of theservices to be provided. Basic services under amanagement agreement may include billing,staffing, etc. Other agreements may include

more full service administrative and manage-ment services, such as accounting and finan-cial management, clinical support and quali-ty assurance, contracting, human resourcesand benefit management, legal, complianceoversight, payroll, real estate and lease man-agement, and risk management. It’s impor-tant to make sure that each service to be pro-vided, and any excluded service, is defined. Itis also important to ensure that the calcula-tion for the management fee is consistentwith other management agreements. Someorganizations define a set methodology toapply to all management agreements. Insome cases it may be possible to obtainquotes from other organizations offeringcomparable services.

In the end, the FMV evaluation for any con-tract involves reviewing the informationavailable internally and externally, askingquestions, and making a determination if theproposal value is based upon a commerciallyreasonable methodology to arrive at FMVrange. ■

Tips on documenting fair market value for contracts ...continued from page 11

Contact Us!

To learn how to place an advertisment inCompliance Today, contact MargaretDragon:

e-mail: [email protected]: 781-593-4924

http://[email protected]

Fax: (952) 988-0146

HCCA5780 Lincoln Drive, Suite 120 Minneapolis, MN 55436

Phone: 888-580-8373



Editor’s note: In 2006 HCCA will cele-brate 10 years of operation. With thisfeature interview, HCCA takes a lookback to learn what decisions early on inits history were fundamental to HCCA’sgrowth and success and what sugges-tions these early pioneers have for thefuture, as HCCA enters its seconddecade. Margaret Dragon, HCCA’sDirector of Communications, inter-viewed the following five members ofHCCA’s first Board of Directors: RoySnell, Brent Saunders, Debbie Troklus,F. Lisa Murtha, and Thomas Suddath.

MD: When you first gathered to formHCCA, what did you envision it would bein 10 years?Brent Saunders: I thought it wouldbecome an organization of 100 to 200 mem-bers which would meet two times a year overlunch.Roy Snell: I really didn’t think about it. Iwould have never imagined that it wouldbecome what it is today. This has been fan-tastic. Debbie Troklus: First of all, when I wasasked to help form the HCCA, I was new tothe field (only one month) and was only “act-ing” in my position. I can remember tellingRoy that I would help, but I was only “acting.” I couldn’t see myself in compliancelong term, because I really didn’t know exact-ly what compliance was. It turned out thatnot many people did in 1996. I thought itcould possibly be a sub-chapter of a largerorganization. It didn’t take us long to figure it out, and we didn’t let anything stand in our way.

Lisa Murtha: I honestly didn’t know whatto expect when Brent Saunders called me tohelp organize HCCA. I was so honored tobe asked to get involved. All I knew at thetime was that I was hungry to network withcompliance officers and that I would jump atthe chance to get involved. I anticipated thatif I needed networking opportunities, othersdid as well and that HCCA was a necessaryvenue for compliance professionals.

Thomas Suddath: In 1996, compliance inthe health care field was just beginning. Butit was clear that compliance would be a realgrowth area. There was a real need for anorganization that could provide professionaland personal resources to health care com-pliance professionals. The goal was to try tobe on the forefront of compliance issues, rec-ognize emerging areas of interests, and todevelop the HCCA into an industry leader.

There really wasn’t any roadmap to follow.We relied upon the collective judgment andexperiences of the founders to feel our waythrough a rapidly emerging field.

MD: Looking back, what one or twodecisions made early on (1996/97) were themost beneficial to the association?Thomas Suddath: Two things: Decidingupon a mission statement for the organiza-tion and listening to the members to learnwhat they wanted and needed. It soundssimple, but the mission statement really wasused as a tool to guide many of our decisionsback in the early days.Roy Snell: The Board we put togethermade all the difference in the world. Thesepeople were bright, dedicated, energetic,entrepreneurial, and fearless.Brent Saunders: There were two key deci-sions that I believe has held HCCA in goodstead. First, the decision to be a member-focused organization—essentially, everydecision we made and every action we tookwas to benefit the members of the organiza-tion. And the second was that it should bean inclusive association. We decided toreach out to all the constituents of healthcare, whether it be academic medical cen-ters, for-profit hospitals, home health agen-cies, long-term care, Managed CareOrganizations, to encourage them to partici-pate in every aspect of the association and atall levels within the organization, whether

featureHHCCCCAA''ss 1100tthh AAnnnniivveerrssaarryy::

HCCA's founding board members weigh in

article

LIS

A M

UR

THA



that be in leadership, conferences, or membership. Debbie Troklus: I think one of the mostimportant decisions we made early on was tohave a planning retreat. The bad decisionwas to have that retreat at (name of hotelwithheld). That was one retreat I will neverforget. It was there, in a small suite in (thehotel) that the foundation of the HCCA wasformed. The entrepreneurial spirit gave usthe drive that we needed to move forward,and in no time at all we were growing at arate we never dreamed of.

Lisa Murtha: I suspect that the most benefi-cial decision was to organize the HCCACorporate Office. It is clear that given the sizeand complexity of the organization and itsconstituency, it was necessary to developdevoted, full-time and experienced resources tosupport the organization and its membership.I have heard many positive comments aboutthe HCCA staff, officers, and management.Since the Board members are volunteers, it iscritical to have experienced compliance savvyprofessionals who can assist the membership.

The other important decision was thedevelopment of the HCCA Academies andCertification program. I want to especiallycommend Debbie Troklus on her tirelessefforts in organizing the Academies andmanaging the Certification program. These

programs have been highly successful andhave done a tremendous amount to profilecompliance as a profession.

MD: If you were back there in1996/1997, knowing what you know now,what one decision would you implement?Lisa Murtha: If I went back in time, I sus-pect that I would have developed more issue-focused conferences and meetings. Giventhe success we have experienced with thePhysician’s Conference and the ResearchConference, it is clear that compliance professionals are eager for more substantivetopics and issues.Roy Snell: I would have saved the napkinBrent and I wrote the name and missionstatement on.Brent Saunders: Well, to be even moreinclusive—to broaden our focus and gobeyond health care to all industries. Ofcourse, I have the benefit of hindsight.

MD: As you remember those early Boardmeetings, what do you think can mostaccount for the organization’s success atentering the national health care arena?Roy Snell: Timing is everything. We werein the right place at the right time andthought big. We worked with partners whohad done it before which helpedDebbie Troklus: No boundaries; if it didn’twork we would punt, and if it did work, wewould do it big. No tunnel vision, we werethinking big picture. It is that way today,too. We are never satisfied with status quo;we work to be the best.Thomas Suddath: Collaborative and inno-vative thinking about how we were going todeliver value to our members. We knewthat there was a need for a nonprofit organi-zation to provide written materials andworkshops for compliance professionals. Weworked hard to come up with ideas to makethe conferences valuable and worthwhile for

the attendees and also to develop writtenmaterials that provided real value to people who were new to the field as well as the more experienced complianceprofessionals.Lisa Murtha: One of the chief factors ofHCCA’s early success is the entrepreneurialinitiatives of Brent Saunders and Roy Snell.Brent and Roy led the Board to thinkingabout the next phase of compliance and theBoard was able then to look ahead and antici-pate the future needs of compliance profes-sionals. Brent and Roy did a great job of tak-ing the HCCA Board from being a rag-taggroup of legal and compliance professionalsto being a cohesive, hard working, forward-thinking unit. My work on the HCCABoard has been some of the most rewardingwork I have done in my career and the peo-ple I have met and worked with have becomemy most treasured friends and colleagues.

Brent Saunders: We stayed above the fray.We avoided the politics at all levels—the pol-itics of reimbursement, the politics ofenforcement, the politics of organizationaldesign within companies, and we stayedfocused on the profession of compliance andour members.

MD: Whether you are still involved in

BR

EN

T S

AU

ND

ER

S


RO

Y S

NE

LL

HCCA, or you have moved on, what sugges-tions do you have to help HCCA succeed inthe next 10 years?Debbie Troklus: Never forget that theassociation is about its members. Strive togive the members resources that they can use.Roy Snell: Don’t blink.Brent Saunders: I say, “stay the course.”Continue to champion the profession ofcompliance and more importantly to ensurethat the chief compliance officers are “highlevel,” that they report to their ChiefExecutive Officer, that they are an active partof the management team, that they haveaccess to their board of directors.

Lisa Murtha: My best advice to HCCA isto stay the course. Listen to the membersand be sensitive to what compliance andethics professionals need. Continue to put onoutstanding meetings, alliances with the OIGand other government agencies, and developnew products and services that continue tobe on the cutting edge.

MD: What do you think most accountsfor HCCA’s success?Lisa Murtha: There are many factors thatcontribute to HCCA’s success. The first isthat we have a membership that is unsur-passed in its technical knowledge and interestin networking. The members constantly

come forward with new ideas that are trulyinnovative. That helps HCCA’s leadershipkeep the organization fresh. The second fac-tor that contributes to HCCA’s success is thesupport we receive from various governmentagencies including the OIG, DOJ, CMS,NIH, FDA, and more. The OIGRoundtables and speech-making that hasbeen done by representatives from these gov-ernment agencies has helped us all learnabout the “hot” compliance issues ouremployers and clients need to know about.Finally, the fourth factor that contributes toHCCA’s success is the hard work and sup-port of HCCA’s Board of Directors and lead-ership. HCCA’s Board members put in enor-mous hours working for HCCA. While Icannot speak for the entire Board, I can saythat I have loved every minute I have workedon this Board. HCCA is like my child—Isaw its birth, its childhood, and now we aremoving into its adolescence. The next fewyears should be fun to watch.Debbie Troklus: HCCA’s success is attrib-uted to many things—being in the rightplace at the right time, our dedicated mem-bers, they work hard to make the associationa success, also HCCA’s involvement with thegovernment. Instead of trying to workagainst them, we have tried very hard towork to understand them and have includedthem in all facets of the association. I wouldbe remiss if I didn’t give some credit to theBoard members, who have put many volun-tary hours into the HCCA.Brent Saunders: Very clearly, its people at alllevels of the organization; the leadership, themanagement, the volunteers, the members.Good people trying to do the right thing. Roy Snell: The three keys to success are thepeople, the people, and the people.Thomas Suddath: Health care spending.Compliance has now become an expectedpart of the corporate culture in health care.As health care spending will continue to

grow in the future, government oversight willalso continue to be a part of the environ-ment. Compliance will continue to be animportant corporate component for healthcare providers and because of this, the needto educate and train compliance professionalsand leaders will not diminish.

MD: Finally, please share (with themembership through Compliance Today) asingle funny moment(s) you recall thatoccurred in those early years.Brent Saunders: The first leadershipretreat we attended was held in Ft.Lauderdale—I can’t remember the name ofthe place, but it had the word “resort” in itstitle, so it sounded OK. The “resort” had anolder part and a newer part. I was given aroom in the older part of the “resort.”Shortly after I checked into my room I sawrats—yes, that’s right , rats. The Board mem-bers lucky enough to have a room in thenewer part of the “resort” didn’t seem to havethe same problem. In the middle of the nightDebbie Troklus, Tom Suddath, and I left the“resort” in search of a Sheraton.Roy Snell: Our first strategic planning meet-ing at the XXX Resort. It was a pigsty. Therewere holes in the wall, bugs, dirt, etc. TheBoard fled the hotel after about one night.Lisa Murtha: The one funny experience Iwould like to reflect on is one of our firstBoard meetings at the “beautiful (but notvery clean) XXX Resort in Florida. Fundswere very tight and many of us either paidour own way to attend HCCA events or ourcompanies paid for us to attend. In an effortto keep spending down, we had a Boardmeeting in 1998 at a resort in Florida thatwas less than luxurious and not very clean.The first morning of our Board meeting,Brent Saunders announced to the group thathe had slept in his clothes because he was toogrossed out to let the sheets touch him . . .now that’s dedication.



16

HCCA's founding board members weigh in ...continued from page 15

THO

MA

S S

UD

DAT

H

Debbie Troklus: I remember at one earlyCompliance Institute where we introducedour plans for compliance certification thatmuch bashing occurred. That presentationdid not go well. At first, everyone was veryagainst certification. We held additionalinformational sessions, learned what ourmembers wanted, tweaked our plans, andtoday we are close to having 1,000 individu-als that are Certified In HealthcareCompliance (CHC). Now we are workingtoward a fellowship level. It is funny howthings have progressed.Thomas Suddath: Spending the first boardretreat at a location in Florida that was somiserable that most of the Board membersmoved out of the rooms and checked into anearby hotel. We were on a tight budget andwe got what we paid for. But the Spartanfurnishings kept us focused on our mission,which was strategic planning for the HCCA.One decision that came easily was to do bet-ter due diligence in selecting the location forfuture Board retreats. ■

DE

BB

IE T

RO

KLU

SCERTIF IED INHEALTHCARECOMPLIANCECHCCHC

TThhee HHeeaalltthhccaarree CCoommpplliiaanncceeCCeerrttiiffiiccaattiioonn BBooaarrdd ((HHCCCCBB)) ccoommpplliiaanncceecceerrttiiffiiccaattiioonn eexxaammiinnaattiioonn iiss aavvaaiillaabbllee iinnaallll 5500 SSttaatteess.. JJooiinn yyoouurr ppeeeerrss aannddbbeeccoommee CCeerrttiiffiieedd iinn HHeeaalltthhccaarreeCCoommpplliiaannccee ((CCHHCC))..

CHC certification benefits:■ Enhances the credibility of the

compliance practitioner ■ Enhances the credibility of the

compliance programs staffed bythese certified professionals

■ Assures that each certified compliance practitioner has thebroad knowledge base necessary toperform the compliance function

■ Establishes professional standardsand status for compliance professionals

■ Facilitates compliance work for compliance practitioners in dealing withother professionals in the industry, such as physicians and attorneys

■ Demonstrates the hard work and dedication necessary to perform thecompliance task

CHC Certification, developed and managed by HCCB, became availableJune 26, 2000. Since that time, hundreds of your colleagues have becomeCertified in Healthcare Compliance. Linda Wolverton, CHC, Director,Compliance, Triad Hospitals, Inc. says that she sought CHC Certificationbecause “...many knowledgeable people work in compliance, and I wantedmy peers to recognize me as ‘one of their own’.” With certification she is“recognized as having taken the profession seriously, having met the national professional standard.”

FFoorr mmoorree iinnffoorrmmaattiioonn oonn hhooww yyoouu ccaann bbeeccoommee CCHHCC CCeerrttiiffiieedd,, pplleeaassee ccaallll 888888--558800--88337733,, ee--mmaaiill hhccccbb@@hhccccaa--iinnffoo..oorrgg,, oorr vviissiitt tthhee HHCCCCAA WWeebb ssiittee:: hhttttpp::////wwwwww..hhccccaaiinnffoo..oorrgg//TTeemmppllaattee..ccffmm??sseeccttiioonn==HHCCCCBB__CCeerrttiiffiiccaattiioonn

The Compliance Professional’s Certification

Congratulations on achieving CHC status! The Health Care

Compliance Certification Boardannounces that the following

individuals have recently successfully completed the

Certified in HealthcareCompliance (CHC) examination,

earning CHC designation:

Letha E. Arencibia

Brian Beard

Kathleen M. Kenyon

Lila J. Mayer

Nancy Ann O'Neill

Caroline Rebecca Rader

Richard Robinson

Vincent P. Shirley Jr.





Editor’s note: Dov Seidman is CEO andChairman of LRN, a provider of gover-nance, risk, and compliance solutions toleading companies throughout theworld, including The Dow ChemicalCompany, DuPont, Johnson &Johnson, Pfizer, Procter & Gamble andRaytheon. The following article is basedon LRN remarks at 4th AnnualCompliance & Ethics Institute.

What is often lost in the discus-sion of corporate transgressionsand scandals is how profoundly

and permanently the business environment haschanged in their wake. There is now an emerg-ing emphasis on how business gets done,rather than a focus on outcomes and results.Accompanying this new inquiry is a shift inthe standards by which conduct is now judged.There is a growing sense that nothing less thanabsolute honesty will be acceptable.

An end to the rule of lawRather than questioning whether a rule hasbeen broken, companies and individuals arebeing judged by standards of behavior. Forexample, Harry Stonecipher, the formerCEO of Boeing, was relieved of his post afterengaging in a consensual affair with a co-worker. His offense resulted not from theviolation of a rule, but of engaging in behav-ior that could bring the reputation of thecompany into disrepute. As Lou Platt,Boeing’s Chairman at the time, said “theCEO must set the standard for unimpeach-able professional and personal behavior.”

As a result, we find ourselves in unchartedterritory, and we lack knowledge and consen-sus on how to respond, or indeed even whatguideposts we can use to determine if we areheading in the right direction. Rules whichonce provided answers now only set absoluteminimums. This shift from rules to standardsand from “what” you produced to “how” youproduce represents a changed relationshipwith law. Instead of thinking about regula-tions and laws, we must consider them inconcert with ethics. But not ethics as a nounor as something that is considered outsidethe core of business, rather, ethics as modifi-er, as an adjective, as an imperative—i.e. eth-ical sales, ethical contracting, ethical manu-facturing. And when you consider all of theseshifts together, they fundamentally changehow you go about pursuing compliance.

The need for effective compliance in health careTraditionally business organizations haverelied almost exclusively on compliance pro-fessionals to develop programs with appropri-ate training, incentives and, punishments toassure conformity. Some organizations take atop-down approach and simply try to exactcompliance through rote adherence to lawsand regulations. I call this approach “blindobedience,” where employees are expected toobey the rules, but not necessarily understandthe rationale behind the rules. Thankfully,companies that attempt this today are few.

Most companies today pursue an approach I’vetaken to calling “informed acquiescence,”

where a small group within an organizationtakes responsibility for managing the carrotsand sticks that encourage employees to acqui-esce to rules. Often, employees don’t obeyblindly, and in many cases, they understandthe reasons the rules are in place. However,they do necessarily embrace and adopt therules as their own. They still conform to anexternally-imposed constraint. Despite itsprevalence, this approach, unfortunately, hasalso failed. The United States SentencingCommission determined last year during acomprehensive examination of the nearly two-decade impact of the Commission’s work thatwhile the Organizational SentencingGuidelines it created resulted in the widespreadadoption of compliance programs, such programs resulted in little effective compliance.

Law, regulations, and rules are very effective atreducing variability and creating predictabilityand certainty in many situations. We’ve seengreat successes in areas like full financial dis-closure, environmental standards, workplacesafety, food safety, child labor laws, etc. Butlaw, regulation, and rules are not a panacea.While still a work in progress, consider thesuccesses and limitations of Health InsurancePortability and Accountability Act (HIPAA).HIPAA is undeniably well-intentioned, andhas clearly created additional patient safe-guards and increased confidentiality. But

BByy DDoovv SSeeiiddmmaann

DO

V S

EID

MA

N


Health Care Compliance Association • 888-580-8373 • www.hcca-info.orgHealth Care Compliance Association • 888-580-8373 • www.hcca-info.org

HIPPA has also added additional new require-ments on a system that was already overtaxed.An article last year in the Association ofAmerican Medical Colleges Reporter noted,“Medical school officials complain that theincreased documentation required by HIPAAhas made the research process unduly cumber-some, at times even making it difficult torecruit subjects to participate in low-risk stud-ies.”1 If true, this unwelcome result of HIPAAis a chilling effect on foundational research bythe doctors who design studies and thepatients who willingly participate in them.

Many unintended consequences of laws andrules stem from the reality that rules are bynature designed to proscribe and constrain,rather than encourage and inspire. They oftenreflect vulnerabilities, rather than strengths.Where laws and rules have not succeeded is increating predictability and consistency in thevariations in human conduct. Because lawsand rules are subject to interpretation andmis-interpretation, they are, by nature bothover- and under-inclusive. Through cleverness,ingenuity and in some cases even genius, theend goals of rules have been subvertedthrough clever lawyering that obeys only theletter, rather than embraces the spirit of lawsand rules. Given the recent examples, it is nosmall wonder that Conrad Black declared,“America’s greatest invention: the loophole.”

Fostering self-governing culturesIf you think of compliance in terms of rules,people always seem to find a way to exploitthe vulnerabilities in the rule. Only culture,where people choose to self-regulate based oncommon, shared values, can guide, controland inspire appropriate behavior and humanconduct. The new world in which we findourselves requires that we shift our focusfrom developing compliance programs to fos-tering and maintaining ethical, self-governingcorporate cultures. There is no question that

culture can be a double-edged sword. Enroninarguably had a strong corporate culture,just not a corporate culture aligned aroundthe right values. The wrong culture candestroy, just as establishing and maintainingthe right culture creates the context and theenvironment that allows companies to win.

Unfortunately, there is no one lever or switchthat leaders can use to move culture. Moreover,cultures aren’t built in time for this quarter’searnings announcement or even this year’sannual report; cultures are built over years anddecades. That said, regulators, prosecutors andother stakeholders have begun to evaluate andmeasure corporate cultures directly. For exam-ple, at one time a prosecutor might look to theprograms a company has in place—i.e., Didthe company have a code of conduct? Have awhistle-blower hot line? Did it train its people?Now we see investigators asking far more pene-trating questions that get to the essence of acompany’s culture—i.e., How are employeesusing the hotline? Is the Code of Conduct apaper tiger where all that really matters—andall that is rewarded—is making the numbers?

In light of these new, more profound inquiriesto ascertain how corporations actually operate,what can we do? Fortunately, we have a wealthof good examples—global leaders that havelong been known for succeeding the right way.These companies collectively offer decades andeven centuries of human interaction andprogress. I’ve had the privilege of working withmany of them, and can attest to the consistenthallmarks I have found among ethical, win-ning corporate cultures that self-regulate basedon shared values. Most critically, I have seenhow the fostering of an ethical corporate cul-ture provides companies the foundation fromwhich it can differentiate and win in the mar-ket. Other hallmarks I’ve observed include:

EEtthhiiccaall ddeecciissiioonn mmaakkiinngg:: An informed,

aware workforce is a crucial tool againstignorance and apathy. It requires educationof all, not just management, to create com-mon expectations and understanding.

VViiggiillaannccee bbyy aallll:: Self-governance demandsresponsibility of all individuals to be alertand aware, not just a select few. Self-gover-nance requires vigilance by all—not simplythose who have “compliance” in their jobtitles. It requires that everyone in a companytake responsibility for individual conduct andfor the conduct around them so that badapples won’t survive. In self-governing corpo-rate cultures, picking up the phone to reportmisconduct is as natural as reporting frayedwiring or leaking pipes.

TTrruusstt aanndd vveerriiffyy:: You cannot have self-gover-nance without trust, but this does not meanblind trust. Put another way, absent trust, theburden of distrust taxes organizations in multi-ple ways. One cost is transactional, and can beseen in the practice of drafting exhaustiveagreements that try in vain to anticipate everyeventuality that may go wrong. But there’seven a greater cost in the corrosive cynicismcaused by distrust. Self-governing cultures rou-tinely and rigorously examine conduct, andcontinually develop the tools and systems todo so effectively. Most importantly, leadershipmust reward the desired conduct—even whenor especially when it is inconvenient or unprof-itable—and discipline the violation of trust.

IInntteeggrraattiioonn aanndd cceelleebbrraattiioonn:: Great self-governing organizations integrate characterand skill. They examine who they are hiringand how they go about their jobs. They eval-uate sales executives not by looking simply atwhether they meet their targets, but examinehow they represented the company. They cel-ebrate principled conduct and punish thosewho cut corners.




I relate compliance to so manythings. I have compared it to play-

ing poker. I have related it to the cabin we have had in our family for70 years (and are losing because of regulations). I have another veryunusual comparison. It may be the most unusual one and yet it maybe the most fascinating. My wife was just diagnosed with breast can-cer and the relationship to compliance is interesting. It is very obvi-ous that you should take no chances with cancer. Effective compli-ance professionals take their job seriously too.

EducationMy wife, and many women, have constant exposure to breast cancereducation through print media, TV, colleagues, and health care pro-fessionals. She was aware of the potential problem and knew what tolook for because of the effective breast cancer education in this coun-try. This education played a significant role in her early detection.

MonitoringMy wife had routine physical exams. She had a physical exam in Junewhich spotted nothing.

Risk Assessment Also as a result of effective education, my wife knew her family histo-ry of breast cancer was a risk and that she should be more vigilantthan others. In the compliance profession, we do risk assessments todetermine where we need to go beyond routine monitoring. Afterassessing the risk, she asked for more intensive monitoring.

AuditingWomen her age do not have frequent mammograms, but she insistedbecause of her family history. Some younger women are refused earlyexams. She did not let that stop her and insisted on more monitoringdue to the increased risk. A couple of months after her physical exam,she had a mammogram that spotted a small but aggressive cancer.Compliance professionals constantly are hitting roadblocks. The good ones find a way around them and insist that the job be done thoroughly.

InvestigationOnce she discovered the problem, sheneeded to find our exactly what waswrong and what needed to be fixed. Shesought opinions from experts in the field.She received advice from her local providerand sought out an expert from the MayoClinic. She knew the people at Mayo. Shehad networked with them as an employee of Mayo several years ago. Itis not unlike the networking compliance professionals do at our annu-al meeting in April. She knew specialists were available and she knewwho to see. Effective compliance professionals seek out subspecialiststo help them with serious issues rather than use the generalist downthe street. Effective compliance professionals network with their peers.

Problem resolutionAfter the clinicians conducted their investigation (testing and consul-tation), they decided on a plan. The plan has many components.They surgically removed the problem/cancer. In addition, there willbe chemotherapy treatments for six months to help ensure that theproblem will not come back. The cancer was found in two lymphnodes. If cancer was found in four or more lymph nodes, they wouldhave done radiation. They will do hormone therapy after chemo.Like an effective compliance plan, the problem resolution and follow-up is based on the facts of the case. A follow-up plan is implementedto ensure that the problem does not come back.

Reporting to the BoardThe Board in her life is her family and friends. They expect (wouldlike to) be kept informed and assured that everything possible isbeing done. To communicate, she uses a web site calledCaringBridge.org. She posts her update; they keep up on herprogress; and they send her notes to wish her well. She tells themwhat was found and what was being done to correct the problem.She reports to them on a regular basis.

DisciplineAs you can imagine (and is often the case), there is no need for disci-pline. Everyone had done the best they could. In fact, she was toldthat the radiologist could have easily missed this small and somewhatinvisible tumor. They detected a small calcium deposit that is, on arare occasion, a sign of cancer. They ordered a biopsy that confirmedcancer existed. Compliance professionals follow up on hints of trou-ble. Sometimes compliance professionals wish that they had followed

Roy SnellCompliance and

Cancer:



Here’s your chance to share your expertise and get a chance to win.....

HCCA is seeking your contributions!

Dear Compliance Professionals, HCCA is seeking contributions for a new manual on auditing and monitoring.Here's a great opportunity to contribute to the association—andget a chance to win a laptop, a portable DVD player, or receive free registration for the HCCA Compliance Institute.

We are asking health care professionals to share their tools and success stories that have aided their auditing and monitoring programs. We are interested in all aspects of auditing and monitoring. (If you would like, identifying information can be removed, so your organization can remain anonymous.)

Everyone who submits materials will be entered into adrawing to win a laptop, a portable DVD player, or free registration to the Instituteon April 23–26 in Las Vegas. You will beentered into the drawing for each audit toolyou submit (i.e., two audit tool submissionsequals two entries). Authors of acceptedmaterials will be listed as contributors in themanual, if they wish.

We look forward to receiving contributions from you. For more information or to make a contribution, contact Alan Pierce at 888-580-8373, ext. 245, [email protected].

TThhaannkk yyoouu,,

AAllaann PPiieerrcceeEEddiittoorr//PPrroodduucctt MMaannaaggeerr


Partial Brochure

Available Now

as a special insert

in this issue of

Compliance Today.

EARLY BIRD REGISTRATION

Attend the Pre- and Post-Conference FREE—a savings of $375Receive the Early Bird discounted conference rate:$799 members / $949 non-members—a savings of $50

COMPLIANCE INSTITUTE 2006

HCCA’S 10TH ANNIVERSARYCOMPLIANCE INSTITUTE

LAS VEGAS, APRIL 23–26, 2006Register by January 1, 2006, and SAVE $425!

Sessions at the HCCA 2006 Compliance Institute will offer the latestcompliance information on the hottest topics and current events incompliance. The program will feature multiple HIPAA and compliance sessions and a corporate responsibility track. Industryimmersion sessions for a variety of health care segments are alsobeing planned, including:

• Large Health Systems • Payor/Managed Care• Long-Term Care• Pharmaceutical Compliance• Durable Medical Equipment• Physician Group Practices • Research/IRB Issues • Academic Medicine• Behavioral Health• Government Providers

Join your colleagues in Las Vegas for HCCA’s 2006 Compliance Institute—the single most comprehensive compliance conference designed specifically to meet the needs of today’s health care compliance professionals

and their staff. The 2006 Compliance Institute will be held at Caesars Palace from April 23–26, 2006.

BROAD SPECTRUM OF SPEAKERSRepresenting Policymakers, Enforcement Officials, Practicing

Lawyers, Active Compliance and Privacy Officers

This year’s full program will be available in January 2006.Find the program at www.hcca-info.org

REGISTER

BEFORE

JANUARY 1, 2006 &

SAVE

$425!

Conference RegistrationMember On or before January 1 $ 799

On or before April 1 $ 849After April 1 $ 899

Non-Member On or before January 1 $ 949On or before April 1 $ 999After April 1 $ 1049

* Pre-conference AM $125* Pre-conference PM $125* Post-conference $125

*Waived for registering prior to January 1, 2006!*Must select if planning to attend pre- or post-

conference. You are not automatically registered.

MembershipI want to become an HCCA member! Please add $200 to my member conference registration fee (new members only).

I cannot attend the 2006 Compliance Institute, but I would like to become a member of HCCA: $295

Total Payment

PLEASE TYPE OR PRINT

Member ID

First Name Last Name

Credentials

Title

Place of Employment

Address

City State Zip

Phone ( )

Fax ( )

E-mail(required for confirmation notification)

HCCA’S 2006 COMPLIANCE INSTITUTE

Register today!

WEB EMAILwww.hcca-info.org [email protected]

FAX MAIL(952) 988-0146 Send form with payment to:

MI 63PO Box 1414 Minneapolis, MN 55480-1414

Federal Tax ID: 23-2882664 Code: CIEB06

Payment TermsPlease enclose payment with your registration and return it to the HCCA office at the above address, or fax your credit card payment to (952) 988-0146.

Invoice me PO number _________________Check/money order enclosed (checks payable to HCCA)American Express Visa MasterCard

Account No.

Name of Cardholder

Signature

Exp. Date /

Method of Payment for RegistrationMake payment by check to Health Care Compliance Association.American Express, Mastercard or Visa are also accepted. If the incorrect amount is calculated HCCA will charge the correct amount.

Groups: Please complete a registration form for each attendee. List allgroup members on cover sheet. For group rates contact the HCCA.

Tax Deductibility All expenses incurred during training (including tuition, travel, lodging,and meals) to maintain or improve skills in your profession may be taxdeductible. Please consult your tax advisor.

Cancellations/Substitutions No refunds will be given for “no-shows” or cancellations. You maysend a substitute; please call the HCCA Office at (888) 580-8373. Additional charges may apply.

EARLY BIRD REGISTRATION

To receive member discounts and benefits at all upcoming HCCA conferences and events, join HCCA. Just add $200 to the member registration fee for one full year.

$

No charge priorto Jan. 1, 2006

Hotel Accommodations:Special rates starting at $199(plus tax) single/double pernight, have been arranged. Besure to mention the HCCACompliance Institute to receivethe reduced rate.

For Reservations Contact:Caesars Palace3570 Las Vegas Blvd SouthLas Vegas, NV 89109 (800) 634-6661

Registration must be post-marked by Jan 1, 2006



Editor’s note: Sandy Soerries is a member of BKD Health Care Group, adivision of BKD, LLP, in Kansas City,Missouri. BKD, LLP is one of the 10largest CPA and advisory firms in thecountry. BKD Health Care Groupserves diverse clients including integrat-ed health care delivery systems, a widerange of hospitals, long-term care andskilled nursing facilities, rural healthclinics, and physicians and medicalgroups. Sandy Soerries may be reachedby e-mail at [email protected].

When was the last time yourhospital evaluated its compli-ance training and education?

When was the last time you critically assessedyour monitoring and auditing processes?

Now may be the perfect time to re-evaluatethese processes because the OIG publishedits Supplemental Compliance ProgramGuidance for Hospitals (SCPG) in theJanuary 31, 2005, Federal Register.

SCPG guidelines provide a detailed explana-tion of what the federal government expectsfrom providers.

Appropriate training & educationAccording to the SCPG, hospitals that fail toadequately train and educate their staff riskliability for the violation of health care fraudand abuse laws.

The purpose of conducting a training andeducation program is to ensure each employ-ee, contractor, or any other individual whofunctions on behalf of the hospital is fullycapable of executing his or her role in com-

pliance with rules, regulations, and otherstandards.

In reviewing your training and educationprograms, ask the following:■ Do qualified trainers conduct annual

compliance training for staff, includinggeneral and specific training pertinent tovarying levels of responsibility?

■ Do you annually evaluate training andeducation program content to determineif the subject matter is appropriate andsufficiently covers the range of issues thatconfront your employees?

■ Do you keep up with changes in federalhealth care program requirements andadapt your education and training pro-grams accordingly?

■ Does your education and training programcontent take into consideration the resultsof audits and investigations; results fromprevious training and education programs;trends in hotline reports; OIG, CMS orother agency guidance or advisories?

■ Is your training format appropriate interms of session length whether it’s deliv-ered via live instructors or via computer?Also, are training sessions held frequentlyenough, and do they meet the need forgeneral and specific sessions?

■ Do you seek feedback after each session toidentify shortcomings in the training pro-gram? Do you administer post-trainingtesting to ensure attendees understandand retain the subject matter delivered?

■ Have you provided your governing bodywith appropriate training on fraud andabuse laws?

■ Do you document who has completed therequired training?

■ Have you assessed whether to impose

sanctions for failing to attend training?Do you offer appropriate incentives forattending?

Internal monitoring & auditingThe SCPG states auditing and monitoringplans will help hospitals avoid submittingincorrect claims to federal health care pro-gram payors.

Take time to develop a detailed annual auditplan designed to diminish the risks associatedwith improper claims and billing practices.Consider the answers to the following sevenquestions:1. Do you annually re-evaluate your audit

plan; does it address the proper areas ofconcern, e.g., findings from previousyears’ audits, risk areas identified as partof the annual risk assessment and high-volume services?

2. To help identify the root cause of billingerrors, does your audit plan include abilling systems assessment in addition toclaims accuracy?

3. Is the auditor’s role clearly established,and are coding and audit personnel inde-pendent and qualified with the requisitecertifications?

4. Should the need arise, is the audit depart-ment available to conduct unscheduledreviews, and is there a mechanism that

BByy SSaannddyy SSooeerrrriieess

SA

ND

Y S

OE

RR

IES



allows the compliance department to request additional audits ormonitoring?

5. Has your institution evaluated the error rates the annual auditsidentify?

6. If your error rates are not declining, have you investigated otheraspects of your compliance program to determine hidden weaknesses and deficiencies?

7. Does the audit include a review of all billing documentation in support of a claim, including clinical documentation?

Respond consistently to deficiencies By consistently responding to detected deficiencies, your organizationcan develop effective corrective action plans and improve overall com-pliance.

When evaluating the way your institution responds to a deficiency, usethe following checklist:■ Use a response team that includes representatives from the compli-

ance, audit, and other relevant functional areas who are able toquickly evaluate deficiencies

■ Investigate all matters thoroughly and promptly■ Implement a corrective action plan that addresses the root causes of

each potential violation■ Conduct periodic reviews of problem areas to verify that corrective

action is successfully implemented to eliminate existing deficiencies■ Consult with legal counsel if a detected deficiency results in an

overpayment to the organization to determine your repaymentoptions

■ Include legal counsel early in the process when you are concernedabout a potential violation

Outdated CDMs can potentially create significant compliance risks forhospitals. Because HCPCS codes and APCs are regularly up-dated, yourhospital also must up-date its CDM to assign the correct codes to out-patient claims. Implement timely updates and properly use modifiersand correct associations between procedure codes and revenue codes.

SummaryEffective education and auditing programs are extremely important tothe success of a compliance program. The OIG’s SupplementalCompliance Guidance of January 31, 2005, provides valuable insightinto the measures that should be taken to develop effective educationand auditing programs. ■



Editor’s note: Lourdes M. Martinez is apartner at Garfunkel, Wild & Travis,P.C. in Great Neck, New York. Shemay be contacted by telephone at516/393-2221 or by e-mail [email protected].

W ith the increasing emphasis oncorporate governance issues,recent changes to the Federal

Sentencing Guidelines for corporations, andthe recent issuance of SupplementalCompliance Program Guidance for Hospitalsby the Office of Inspector General for theU.S. Department of Health and HumanServices (the OIG), it is more importantthan ever for hospitals to employ measures toevaluate the effectiveness of established compliance programs and to ensure that governing boards have adequate oversight ofhospital compliance activities. In today’senvironment, hospitals must be proactive inidentifying and assessing risk areas. This arti-cle discusses some aspects of these recentdevelopments and the specific steps hospitalsshould consider implementing to achieve thegoal of maintaining an effective complianceprogram.

Why an effective compliance programis importantHaving a proactive compliance program inoperation can truly help to convince the gov-ernment that any alleged false claim or otherinappropriate activity is an aberration. Thismay well translate into reduced exposure topossible civil monetary and/or criminalpenalties.

All areas of the health care industry are underthe microscope in the federal government’sfight against fraud and abuse.

From the government’s prospective, its fighthas been quite successful in recouping substan-tial overpayments, imposing large fines andpenalties, banning many egregious abusers ofthe public trust from earning any further bene-fit of the Medicare and Medicaid programsand prosecuting those who engage in criminalactivity against government programs. Forexample, in fiscal year 2004, the OIG reportedthat it had identified $762.5 million throughits audit recovery programs and $1.9 billion ininvestigative receivables. In addition, the OIGreported that it had excluded over 3,000 indi-viduals and entities from participating in feder-al health care programs, obtained 533 criminalconvictions, and completed 268 civil actions.

What has changed?Years ago, your hospital likely set up aCompliance Program with a code of conductand manual of procedures that it distributedthroughout the system. But this isn’t reallyenough to keep the hospital out of troublewhen government regulators and investiga-tors come knocking on the door.

Times have changed. New laws and regula-tions have been implemented; the govern-ment’s focus has expanded to new areas sinceyour compliance program was first estab-lished. In fact, in the past year or so:■ New Stark regulations became effective.■ Amendments to the Federal Sentencing

Guidelines have changed the emphasis

from preventing crime to developing anethical corporate culture with increasedcorporate responsibility and oversight ofcompliance programs.

■ The OIG issued SupplementalCompliance Program Guidance (CPG)for Hospitals that expanded compliancerisk areas and similarly emphasized thedevelopment of a “culture of compliance.”

As a result of these and other changes, it ismore crucial than ever that hospital compli-ance programs be tested and necessaryimprovements be put into place. It’s a simplereality that when government investigators docome looking at allegations of fraud or otherwrongdoing in hospitals, one of the firstthings they request is evidence that a compli-ance program exists. Second, they look at thecompliance program’s effectiveness.

What steps should hospitals be taking?Both the OIG’s Supplemental CPG and theamended Federal Sentencing Guidelinesstress the importance of periodic evaluationsof the overall effectiveness of the complianceprogram as part of the monitoring and audit-ing requirement.

The following are the areas of concern andthe types of questions that hospitals shouldbe asking:■ The compliance department: is it properly

organized? Does it have sufficient resources?■ The development of compliance policies:

are policies clearly defined and regularlyre-evaluated?

■ The hospital’s ability to communicate: isthere an anonymous hotline or othermechanism for reporting potential com-pliance issues? Are results of internalinvestigations shared with the governingboard and relevant departments?

■ Training and education programs: are

BByy LLoouurrddeess MM.. MMaarrttiinneezz



trainers appropriately qualified? Havetraining programs incorporated changes inregulations and program requirements?

■ Audit plans: are audit personnel independ-ent and qualified? Are audit plans adjustedto consider findings from previous audits,additional risk areas, high volume services?

■ The hospital’s response to detected deficien-cies: is there an effective response team? Docorrective action plans take into accountthe root cause of the potential issue?

■ The effectiveness of internal disciplinaryefforts: are disciplinary standards well-pub-licized and enforced consistently? Are gov-ernment sanction lists (i.e., the OIG’s listof excluded individuals/entities and theGeneral Services Administration’s ExcludedParties Listing) routinely checked?

In addition to the above, hospitals also needto focus on improving (and documenting)board oversight of the compliance programand expand risk areas identified for auditpurposes. Hospitals should also conductStark-related reviews.

The Sentencing GuidelinesThe original Compliance Program Guidancepromulgated by the OIG for various sectors ofthe health care industry are based on standardsformulated in the Federal SentencingGuidelines (FSG) for organizations for assess-ing criminal culpability. An organization canreduce its culpability score and thus its expo-sure to penalties by having an effective com-pliance program. The substance of the FSGfor organizations was amended last November;the U.S. Sentencing Commission changed theemphasis from organizations implementingsystems that prevent crime to a new accent ondeveloping an “organizational culture,” whichmust encourage ethical conduct and be com-mitted to compliance with the law.

Significantly, the amended FSG requires that

high-level personnel be assigned and be givenappropriate resources to implement and over-see the compliance program and that thegoverning authority (i.e., the board of direc-tors) be knowledgeable about and exercisereasonable oversight with respect to itsimplementation and effectiveness. In addi-tion, the amended FSG requires that:■ ongoing mandatory compliance and

ethics training be instituted for everyemployee and board member;

■ appropriate incentives be established foremployees to perform in accordance withthe compliance program;

■ periodic evaluation be conducted of thecompliance program’s effectiveness.

To develop a culture of ethical conduct fromthe top down, a hospital board must beknowledgeable about the content and opera-tion of the compliance program and exercisereasonable oversight with respect to its imple-mentation. Hospital boards must be aware oftheir responsibilities, and demonstrate thatawareness through appropriate action. Suchaction, for instance, can take the form ofmodification of existing by-laws, updates tocompliance resolutions, adoption of chartersfor board-level compliance committees, andimplementation of compliance training specif-ically targeted to board member responsibility.

Hospital boards might also avail themselvesof two educational resources provided by theOIG and the specific tools they provide toassist boards in carrying out their complianceoversight function. Entitled A Resource forHealth Care Boards of Directors, theseresources are designed to assist health careboards in i) formulating knowledgeable andappropriate questions related to structuraland operational compliance issues; and ii)establishing and coordinating the roles andresponsibilities of the hospital’s general counsel and the compliance officer.1

The physician self-referral lawsThe federal prohibition on physician self-refer-rals—the Stark Law—remains a high fraudand abuse exposure area. Anecdotally, we havefound that many hospitals’ recent experiencesdemonstrate that Stark investigations can rap-idly burgeon into False Claims Act and Anti-Kickback prosecutions. In fact, the OIGrecently reported that it reached a significantsettlement—$22.5 million—with the TenetHealthcare Corporation over allegations thatTenet has falsely billed Medicare for servicesprovided pursuant to referrals by eleven physi-cians with whom Tenet had improper financialrelationships under the Stark law.

Generally, the Stark Law limits the ability of aphysician, who has a financial relationship(either directly or through a member of thephysician’s immediate family) with an entityproviding certain “designated health services”(a DHS Entity), from making referrals ofMedicare (and in most instances, Medicaid )patients to such DHS Entity for the furnishingof DHS.2 Additionally, the DHS Entity willnot be able to bill for services provided as aresult of a referral from a physician with afinancial relationship unless an exception ismet. The prohibition on referrals under theStark Law affects, inter alia, situations wherethere is a direct or indirect ownership orinvestment interest or a compensation arrange-ment between the physician (or his or herimmediate family) and a DHS Entity, whichcan include, but is not limited to, hospitals,diagnostic and treatment centers and federalqualified health centers, as well as professionalpractice entities (e.g., professional corporations,limited liability practice entities, etc.).

The second phase of the final regulations(Phase II) under the Stark Law, became effec-tive on July 26, 2004. These new regulationsaffect current relationships between hospitals




and physicians (as well as between physiciansand other physicians and any provider ofDHS) and contain significant clarificationsand changes to the interpretation and imple-mentation of the Stark Law, including themodification of existing exceptions and thecreation of new ones. For instance, Phase IIregulations created a new exception for pro-fessional courtesy arrangements, and modi-fied the physician recruitment exception tonow (i) permit hospitals to compensate thegroup that a recruited physician is joining,provided specific safeguards are in place; (ii)allow federally qualified health centers to uti-lize this exception; and (iii) allow retentionpayments in very limited circumstances.

Because hospitals face significant financialexposure if their referral relationships are notproperly structured under the Stark Law,hospitals should conduct comprehensive con-tract reviews to ensure that all referral rela-tionships fall squarely within statutory orregulatory exceptions under the statute. AStark evaluation should include a fair marketvalue analysis. Moreover, many states (e.g.,New York) have enacted their own physicianself-referral or “State Stark” laws. These lawsoften extend the breadth of Stark to cover allpayors. Thus, any compliance review musttake this into consideration.

Supplemental compliance programguidanceIn January of 2005, the OIG published sup-plemental Compliance Program Guidance(CPG) for hospitals, which complements theinitial Compliance Program Guidance issuedin 1998.3 The Supplement CPG expandsalready identified compliance risk areas,details new specific concerns, and offers guid-ance for hospitals in a variety of areas.

The OIG stresses that the CPG can be used asa “benchmark” against which to measure

ongoing compliance efforts and as a roadmapfor updating or refining those efforts. Thus,hospitals should review the CPG carefully, andexamine each of the areas discussed to deter-mine potential applicability to the hospital andthe need for an internal review.

The list and discussion of risk areas coveredby the CPG are extensive and read almost asa primer on key compliance concepts andissues. The areas covered by the CPG include:

■ TThhee ssuubbmmiissssiioonn ooff aaccccuurraattee ccllaaiimmssaanndd iinnffoorrmmaattiioonnWhile ensuring the accuracy of claims haslong been a fundamental complianceissue, the supplemental CPG spotlights avariety of Medicare-related areas that theOIG considers to be evolving or under-appreciated risks for hospitals:• Outpatient Procedure Coding

Issues, including the importance ofcorrect procedure coding and documen-tation; improper selection of Evaluationand Management codes (for facility ERand clinic services); circumvention ofthe multiple procedure discountingrule; billing on an outpatient basis for“inpatient-only” claims; not followingLocal Coverage Determinations; sub-mitting duplicate claims or otherwisenot following Correct Coding Initiativeguidelines; submitting incorrect ancil-lary services claims because of outdatedCharge Description Masters; andimproper billing of observation services.

• Admissions and Discharges Issues,including the failure to follow the “sameday” rule under OPPS; abuse of partialhospitalization payments; violations ofMedicare’s post-acute care transfer policy;same day discharges and readmission.

• Supplemental Payment Issues,including improper reporting of thecosts of “pass through” items; incorrect

provider-based designations; abuse ofDRG outlier payments; improperclaims for clinical trials, organ acquisi-tion costs, and cardiac rehabilitationservices; and the failure to followMedicare rules for payment of costsrelated to educational activities.

• Information Technology Issues,including the need for hospitals toensure that they undertake a thoroughassessment of all new computer andsoftware systems that impact on coding,billing, or the generation/transmissionof information related to federal healthcare programs or their beneficiaries.

■ TThhee ffeeddeerraall rreeffeerrrraall llaawwssThe CPG also underscores the need for hos-pital compliance programs to focus on—and ensure compliance with—the Stark Lawand the Federal Anti-Kickback Law. Underthe Stark Law, the CPG states that “hos-pitals face significant financial exposureunless financial relationships with refer-ring physicians fall squarely within statu-tory or regulatory exceptions under thestatute.” Under the Anti-KickbackStatute, the CPG discusses at length suchimportant high risk areas as joint ven-tures; physician compensation arrange-ments; relationships with other healthcare entities (such as home health agen-cies, skilled nursing facilities, durablemedical equipment companies, labs, phar-maceutical companies, and other hospi-tals); discounts; and malpractice insurancesubsidies. Medical staff credentialing prac-tices such as conditioning privileges on aparticular number of referrals or requiringthe performance of a particular number ofprocedures are also addressed.

■ RReellaattiioonnsshhiippss wwiitthh ffeeddeerraall hheeaalltthh ccaarreepprrooggrraamm bbeenneeffiicciiaarriieessUnder the Civil Monetary Penalties Law,

Evaluating and maintaining hospital compliance program effectiveness ...continued from page 27



Publisher:Health Care Compliance Association, 888-580-8373

Executive Editor: Roy Snell, CEO, HCCA, [email protected]

Contributing Editor: Odell Guyton, President, HCCA, 888-580-8373

Layout:Sarah Anondson, HCCA, 888-580-8373, [email protected]

Story Editor:Margaret R. Dragon, HCCA, 781-593-4924, [email protected]

Advertising:Margaret R. Dragon, HCCA, 888-580-8373, [email protected]

health care providers cannot offer inducements to federalprogram beneficiaries that are likely to influence the ben-eficiaries selection of a health care provider. The CPGhighlights a number of areas hospitals routinely need toaddress under this law in dealing with Medicare andother federal health care beneficiaries, such as gifts andgratuities to patients; cost-sharing waivers (i.e., waiver ofcoinsurance amounts); and free transportation.

■ OOtthheerr aarreeaassThe CPG contains other guidance on a diverse array oftopics, such as the Emergency Medical Treatment andLabor Act (EMTALA), avoiding substandard care, andimplementing “gainsharing” arrangements (e.g., where ahospital gives physicians a percentage share of any reduc-tion in the hospital’s costs for patient care attributable inpart to the physicians efforts) which may implicate theCivil Monetary Penalties Law prohibition on payments toreduce or limit services.

■ CCoommpplliiaannccee pprrooggrraamm eeffffeeccttiivveenneessssFinally, in accordance with the amendments to the FederalSentencing Guidelines, the OIG recommends that hospitalsendeavor to develop a culture that values compliance fromthe top down and fosters compliance from the bottom up.Such a culture can be maintained, the OIG suggests, onlythrough i) the commitment of the hospital’s governance andmanagement at the highest levels; and ii) regular review ofcompliance program effectiveness. The CPG advocatesassessing not only the overall success of a compliance pro-gram, but also the success of each of the program’s basic elements, as well, on at least an annual basis.

Identify/audit risk areasRegular self-assessment has long been a main ingredient ofcompliance. Although billing, coding and documentationwill always be the meaty audit areas, the range of issues thatneed to be addressed expands exponentially every year. Themagnitude of the task can be daunting. Thus, the designand implementation of comprehensive audit tools, check-lists, and timelines for conducting audits are necessary.

Only through regular evaluation of established risk areas(and expansion into newly identified areas), effective


Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care ComplianceAssociation (HCCA), 5780 Lincoln Drive, Suite 120, Minneapolis, MN 55436. Subscription rate is$357 a year for non-members. Periodicals postage-paid at Minneapolis, MN 55436. Postmaster: Sendaddress changes to Compliance Today, 5780 Lincoln Drive, Suite 120, Minneapolis, MN 55436.Copyright 2004 the Health Care Compliance Association. All rights reserved. Printed in the USA.Except where specifically encouraged, no part of this publication may be reproduced, in any form orby any means without prior written consent of the HCCA. For subscription information and advertis-ing rates, call Margaret Dragon at 781-593-4924. Send press releases to M. Dragon, PO Box 197,Nahant, MA 01908. Opinions expressed are not those of this publication or the HCCA. Mention ofproducts and services does not constitute endorsement. Neither the HCCA nor CT is engaged in ren-dering legal or other professional services. If such assistance is needed, readers should consult profes-sional counsel or other professional advisors for specific legal or ethical questions.

HCCA Officers:

OOddeellll GGuuyyttoonnHCCA PresidentSenior Corporate Attorney,Director of Compliance,U.S. Legal–Finance & OperationsMicrosoft Corporation

DDaanniieell RRooaacchh,, EEssqq..HCCA 1st Vice PresidentVP & Corporate Compliance OfficerCatholic Healthcare West

SStteevveenn OOrrttqquuiisstt,, CCHHCCHCCA 2nd Vice PresidentSenior Vice President, Ethics andCompliance/Chief Compliance OfficerTenet Healthcare Corporation

RRoorryy JJaaffffee,, MMDD,, MMBBAA,, CCHHCCHCCA TreasurerExecutive Director–Medical ServicesUniversity of California

JJuulleennee BBrroowwnn,, RRNN,, BBSSNN,, CCHHCC,, CCPPCCHCCA SecretaryMeritCare Health System

AAll WW.. JJoosseepphhss,, CCHHCCHCCA Immediate Past PresidentDirector of Corporate ComplianceHillcrest Health System

CCyynntthhiiaa BBooyydd,, MMDD,, FFAACCPP,, MMBBAAChief Compliance OfficerRush University Medical Center

CEO/Executive Director: RRooyy SSnneellll,, CCHHCCHealth Care Compliance Association

Board of Directors:

AAnnnnee DDooyylleeDirector, Corporate Learning andOrganizational DevelopmentTufts Health Plan

FF.. LLiissaa MMuurrtthhaa,, EEssqq..,, CCHHCCManaging DirectorHuron Consulting Group

FFrraannkk SShheeeeddeerrPartnerBrown McCarroll, LLP

JJoohhnn SStteeiinneerr,, JJrr..,, JJDDChief Compliance OfficerThe Cleveland Clinic Health System

DDeebbbbiiee TTrrookklluuss,, CCHHCCAssistant Vice President for HealthAffairs/Compliance University of Louisville, School ofMedicine

SShheerryyll VVaaccccaa,, CCHHCCDirector, National Health Care RegulatoryPractice, Deloitte & Touche

CChheerryyll WWaaggoonnhhuurrssttOutgoing, Chief Compliance OfficerTenet Healthcare Corporation

GGrreegg WWaarrnneerr,, CCHHCCDirector for ComplianceMayo Foundation

Counsel: KKeeiitthh HHaalllleellaanndd,, EEssqq..Halleland Lewis Nilan Sipkins & Johnson



Editor’s note: Nicholas R. Caster is theCompliance Analyst for the Palo AltoMedical Foundation/Palo Alto Divisionand may be reached at [email protected]. Kathleen J. Boice is the Ethicsand Compliance Officer for Palo AltoMedical Foundation and may bereached at [email protected].

“C oming to a computer nearyou.” This was one of theslogans used in 1999

when the physicians and staff of the PaloAlto Medical Foundation first adopted apaperless, electronic health record (EHR) inthe outpatient setting—although, back then,we still called it the electronic medicalrecord. One year later, we launched a prod-uct that allowed patients to view a portion oftheir record online, and subsequently allowedelectronic prescription renewal, onlineappointment setting and secure e-mailbetween physicians and patients.

The benefits of an EHR are amazing: ease ofaccess to records which promotes continuityof care, ready-made electronic data for out-comes research, communication betweenancillary electronic systems (such as clinicallaboratory, pathology, and radiology) to cre-ate a more complete medical record andonline conversations between patients andproviders that drop right into the record.However, as with any electronic system, aserious audit program is also necessary to

ensure the confidentiality of the data.

In the “paper” days, chart security was a chal-lenge. Today, the challenges are similar butwith greater sophistication. We have allworked on providing role-based access. Buteven when access is provided based on thescope of one’s position, the concepts of mini-mum necessary and authorized use still apply.The purpose of this article is to walk youthrough a thought process to either kick-offor augment a proactive compliance programto discourage unauthorized viewing.

Although we will be speaking primarily froman outpatient perspective, many of the prin-ciples are applicable in the inpatient setting.

Nuts and bolts of a proactive auditprogramSSttaaffffiinngg—How many staff members does ittake to run an audit program? You may notknow until you try. Many factors will influ-ence the number of full-time equivalents(FTEs) required:■ Automation: The more manual the

process, the greater number of hours itwill require. This will certainly require apartnership between you and yourInformation Technology colleagues. YourDecision Support colleagues may alsoneed to be involved.

■ Availability of a Data Warehouse: Ifyou have the luxury of getting all the datafrom one place, the time required will be

less. However, if you will need to mineseveral different systems (human resourcesdatabase, medical record informationdatabase, payroll database), the require-ment will increase.

■ Number of Users: If you want to auditevery person who has access to the EHRon an annual basis, plus other audits forhigh-risk areas, you will need to calculatethe necessary staffing based on the time ittakes to perform one audit and the num-ber of audits you want to perform peryear.

■ Number of Visits: Our organizationfacilitates approximately 210,000 patientvisits per year—generally, outpatient willrequire more encounter audits than aninpatient record. For organizations pro-viding both inpatient services and outpa-tient clinic services, do not discount theimportance of auditing the outpatientrecords. Within the physician-patient rela-tionship, patients will reveal many person-al details that are often documented andare important to protect.

Support for the processPPoolliicciieess aanndd PPrroocceedduurreess::■ Define Proper Use of the EHR: You

probably have this information containedin your HIPAA policies or HumanResources policies. However, confirmprinciples such as “do not share your password,” or “do not look in any recordsunless it is for treatment, payment, orhealth care operations—finding addressesfor the holiday party in the EHR is notOK,” etc.

■ Program Plan: Prior to launching theprogram, record in writing what you aregoing to audit, what you are going to dowith the audit results and to whom theresults will be reported to.

■ Investigations Policy: You have done

BByy NNiicchhoollaass RR.. CCaasstteerr aanndd KKaatthhlleeeenn JJ.. BBooiiccee,, CCHHCC


At MC Strategies, we can help you get there. Our consultants provide comprehen-sive assessments, such as Chargemaster reviews that help you identify billingissues and ensure HCPCS/CPT accuracy. And APC validations that include CPTand ICD-9 accuracy verification. But helping you get compliant is only part of whatwe do.

Our WebInservice® online training features the industry’s most comprehensive set of compliance curricula. Our EduCode® Compliance curriculum is a practical yetextremely informative program that covers general compliance as well as the highly-technical and high-risk areas of billing and coding compliance. And because allWebInservice training is delivered online, you can rest assured that you’re tapping into the most efficient and cost-effective training method available today.

Achieving compliance today is a complex task. And it takes more than knowing the basics, but rather, knowing it all from A to Z. To learn more, log ontowww.mcstrategies.com or call us at 800-999-6274.

HCPCS/CPT, APC, ICD-9. No wonder you have to be compliant to the letter.

MC Strategies – Consulting Facilitating performance and compliance.

WebInservice® – Training Improving efficiency through knowledge.



Developing a proactive compliance program ...continued from page 32

your first proactive audit and you findsomething suspicious—now what do youdo? Create a separate policy or fold thisitem into your existing compliance inves-tigations policy and procedure.

■ Sanction Policy: After your investigation,the suspicion has turned into a confirmedviolation. Think through your sanctionsbefore they happen. This can become par-ticularly sticky if you find a violation thatinvolves a physician and an employee—ifthe sanctions cannot be exactly the same,they need to be comparable. The policy,like other personnel policies, may cite sev-eral potential sanctions that may be uti-lized (formal counseling, written warning,termination, fines if you are dealing withshareholder physicians).

Committee of championsYou will need a committee to approve yourAudit Plan, to review audit results and tosupport the Privacy Officer, HumanResources or other body who imposes anynecessary sanctions. The committee thatcame together a few years ago to implementHIPAA Privacy has become our committeeof champions for EHR auditing. It is calledthe “Health Information Use and DisclosureCommittee.” Another good choice, of course,would be your compliance committee. ■ Committee Membership:

Representation from InformationTechnology, your EHR team and compli-ance is critical for success. At a minimum,the Committee should include the privacyofficer, compliance officer, security officer,health information management (AKAmedical records), physician leadership rep-resentation, Information Technology andEHR team representation.

■ Committee Charter: Draft a charter andhave it approved by the appropriate bodybecause the authority of this group willmost likely be challenged at least once.

What to audit?A proactive audit plan calls for several rou-tine audits on a regular basis. The initial goalof these audits is to identify the presence ofany inappropriate viewing of PHI and togain a sense of the existing problem. A planwill be needed to break down such a broadgoal into manageable pieces. The first break-down involves Per Patient Audits and PerUser Audits: ■ Per Patient Audits: Audits of who has

been in a specific patient’s electronic med-ical record in a specific time period.

■ Per User Audits: Audits of which chartsan individual has viewed in a specific timeperiod.

Further categories include the following:■ High-Profile Patients—Per Patient

Audit: Every community has its celebritieswhether they are movie stars, sports stars,local government officials, wealthy donors,or the CEO of your organization. Create alist of high-profile groups or individuals andschedule regular audits showing who was inthe chart and why. Monitor on a regularbasis and change the audit list as needed.

■ Employees on Leave of Absence—PerPatient Audit: Unexpected or expectedleaves of absence by a person who is botha patient and an employee can causecuriosity and angst among co-workers.Questions like “Did she have the babyyet?” or “Gee, I wonder what is wrongwith her” can lead to inappropriate access-es of the employee/patient’s chart.

■ New Hire Employees—Per UserAudit: Consider auditing new hires with-in 30–60 days of their hire-date to moni-tor compliance with the standards theyheard in employee orientation. Advertisethe fact that all new hires are audited andall employees are audited on a regularbasis in your employee orientation.

■ High-Risk Departments—Per User

Audit: This audit is performed ondepartments that were identified as need-ing improvement to monitor that stan-dards are now being met.

■ Randomly Sampled IndividualUsers—Per User Audit: In order tomaintain a fair and reasonable approachto your audit program, individual userscan be randomly sampled for audit reviewto maintain compliance. Once all usershave been randomly sampled and audited,the process repeats itself.

■ Ad-Hoc Audits—Per Patient or PerUser Audit: These reactive audits couldbe run in response to a patient/employeewho believes someone was viewing inap-propriately the information contained intheir record. Another common reason forrequesting this type of report is when a co-worker, physician or manager reports thatan employee is spending time in chartswhere there is no professional need-to-know. With privacy, security, and compli-ance officers, and a confidential hotline,several sources in which to begin an ad-hocaudit exist. Individual or entire departmentaudits may be necessary at times.

Most of the early EHR systems containedsome type of auditing and reporting mecha-nism that allowed you to know who had beenin any given chart. Newer audit tools canactually tell you which portion of the chartwas viewed and for how long. Regardless ofyour audit tool, work with your EHR vendorto increase the audit capabilities as necessary.

Report generationGenerating audit reports is the most technicaland intricate part of the audit process. Thissection is for readers who are interested in the“technical” pieces of this process. As we men-tioned earlier, this audit program must be acombined effort between the EHR team, ITand Compliance. The following is our experi-



ence on how these audits can be run. Wehope it will help in setting up your process.

We are able to query data from our EHR sys-tem in several key steps:

The process begins with a real-time databaserunning behind our EHR that stores everypiece of data input in the EHR. To runreports while not affecting the performanceor speed of the EHR, a snapshot of the datais taken every week and stored in a SQLdatabase. In addition to most of the fieldsavailable in the real-time database, the SQLdatabase also houses all audit data needed tocreate a per-user or per-patient audit report.A reporting tool is used to query the SQLdatabase and generates user-friendly reports.The reporting tool creates audit reports that“filter” out appropriate accesses of PHI asdetermined by a set of rules developed inter-nally. The filters leave ONLY potential inap-propriate accesses of PHI for review by ourCompliance Analyst. Over time, new filtershave been implemented, and additional fil-ters will continue to be created and tested inorder to make the report analysis a moreefficient and accurate process.

Here is an example of how filters react to create useful reports:

An employee has floated to another depart-ment, and because that department is notlisted as the employee’s primary depart-ment, the access shows on the audit reportas being inappropriate. This occurs becausethe access to the patient’s chart did notmeet the filter criteria of “user worked,within a two-week pay period, in a depart-ment where the patient had an encounterwithin 90 days.” It appears as though theemployee did not work in the departmentin which the patient was seen. This canoccur if payroll hours are not coded correct-ly. To counter this problem, incorporating afilter such as “user created an encounter for

this patient sometime during the audittimeframe” can help to filter out a numberof appropriate accesses if the employee didin fact create an encounter, or a new patientoffice visit entry within your EHR.

Auditing “people”Throughout our audit process, we havefound it is important to remember that weare auditing people, not just reviewing data.As human beings we are all different andtend to have different approaches to per-forming the same task. Auditing employeesand physicians poses a multitude of chal-lenges and opportunities to improve. Weoffer the following three suggestions:1. Do not jump to conclusions: Doing so

can violate the integrity of your auditprocess and the trust that exists betweenyour organization and its employees.Imagine that an employee is caught by yourprogram filter as looking in her co-workers’chart. In reality the employee was acting asa medical assistant taking that person’s vitalsduring their doctor’s appointment, anddocumenting them in the EHR. You, theauditor, did not take the initiative to lookfarther into the encounter, or office visit, tosee that the employee being counseled didin fact have an appropriate need to accessthe employees chart.

2. Check, double-check, and triple-check: Often, what may look like aninappropriate access may in fact be appropriate. It is difficult for the auditorto differentiate between the two becauseof different workflows and processesacross departments. It is also difficult forthe filters to catch every inappropriateaccess of PHI. However, through consistent auditing, more filters may beimplemented to improve the process.

3. Education: Employees and physicians maynot always remember the practical applica-tion of new rules and regulations—ongoing

educational efforts are critical. Employeesand physicians may state, “I didn’t know Icouldn’t view my mother’s chart withoutauthorization,” or “You mean I can’t sharemy password?” These two questions andothers like them should be handled in new-hire orientation and in an annual HIPAAprivacy and security training.

ConclusionWhile it will always be possible to miss inap-propriate accesses during routine auditingprocedures, we have a legal and ethical obli-gation to take action necessary to protect andsecure the confidentiality of our patients’PHI. The proactive auditing plan can helpyou to identify areas in need of improvementand will raise the awareness among youremployees and physicians that your organization is serious about compliance. ■

compliance training, and comprehensiveassessment of the program itself, can ahospital hope to be prepared for govern-ment investigations and achieve the goalof maintaining high ethical and profes-sional standards in the delivery of qualityhealth care.

1. The OIG’s Educational Resources for Health CareBoards can be accessed on its Web site athttp://oig.hhs.gov/fraud/complianceguidance.html#2

2. DHS is currently defined to include clinical laboratoryservices; physical therapy services; occupational therapyservices; radiology services (including MRI, CT andultrasound); radiation therapy services and supplies;durable medical equipment and supplies; parenteraland enteral nutrients, equipment and supplies; pros-thetics, orthotics and prosthetic devices and supplies;home health services; outpatient prescription drugs;inpatient hospital services; and outpatient hospital serv-ices. The Medicare 2006 Physician Fee Schedule willexpand this list to include nuclear medicine services.

3. For more information, both the original and the finalsupplemental CPG for hospitals are available athttp://oig.hhs.gov/fraud/complianceguidance.html

Evaluating and maintaining programeffectiveness

...continued from page 31



Editor’s note: Alison M. Duncan is aPartner in the law firm of Porter,Wright, Morris & Arthur, LLP. Shemay be reached by telephone at202/778-3058.

The central purpose of the attorney-client privilege is to promote “fulland frank communication between

attorneys and their clients,”1 and this ancientcommon law testimonial privilege applies toconfidential communications between attor-ney and client. As there is equal protection ofthe company as a “person” under the law, theprivilege also belongs to the corporate client.In addition, there is strong public policyinterest to encourage corporations to seekattorney assistance and advice in order toensure compliance with the law.

This testimonial privilege is one born of neces-sity; it is a privilege, not a right. As the privi-lege hampers the litigation goal to discover thetruth of the matter, it is a qualified and not anabsolute privilege.2 Thus, if the communica-tion is disclosed to a third-party, the privilege iswaived.3 Such disclosure may occur voluntarily,for example, by responding to a subpoena, orby waiver or by accident. Courts have also heldthat communications between client and attor-

ney in order to relay that information to athird party are not confidential and not protected by the attorney-client privilege.4

Privilege and compliance: How to protect in an age of transparencyIn compliance, a corporation investigatingallegations of wrongdoing needs to have aneffective investigation that encouragesemployees to speak candidly and confiden-tially. The attorney-client privilege has servedto protect that effort so that the client, thecorporation, is encouraged to fully investigatewrongdoing. Yet changes over the lastdecade have enhanced the government’s abili-ty to obtain access to once privileged infor-mation. As set forth by the Department ofJustice in the Holder, Thompson, andComey Memoranda, in the SEC’s require-ments for strict compliance with its disclo-sure requests, in the Commission’sAmendments to Chapter Eight of theOrganizational Sentencing Guidelines, andin the statements of top federal prosecutors,the government’s test of true cooperationrequires the corporation to waive the privi-lege and provide the government with theroadmap to the misconduct. This creates atension within the company, as it means thatcompliance efforts designed to ferret out the

wrongdoing are now likely to become theroadmap for the government’s case. Thus,even if the privilege technically survives, con-sistent and widespread waiver of the privilegecould render the protection redundant.

The landscape for disclosure has continuedto evolve in key wording from DOJ memo-randa over the past few years and illustratesthe developing national law enforcement per-spective on the definition of cooperation:

“The corporation’s timely and voluntarydisclosure of wrongdoing and its will-ingness to cooperate in the investigationof its agents, including, if necessary, thewaiver of the corporate attorney-clientand work-product privileges . . .” is afactor in enforcement and prosecution.Eric H. Holder, Jr., FederalProsecution of Corporations, June16, 1999.

“In determining whether to charge acorporation, that corporation’s timelyand voluntary disclosure of wrongdoingand its willingness to cooperate withthe government’s investigation may berelevant factors. In gauging the extentof the corporation’s cooperation, theprosecutor may consider the corpora-tion’s willingness to identify the culpritswithin the corporation, including sen-ior executives, to make witnesses avail-able, to disclose the complete results ofits internal investigation, and to waiveattorney-client and work product pro-tection.” Larry D. Thompson,Federal Prosecutions of BusinessOrganizations, Jan. 20, 2003.

“In my view, for a corporation to getcredit for cooperation, it must help thegovernment catch the crooks.Sometimes a corporation can provide

BByy AAlliissoonn MM.. DDuunnccaann


C O R P O R A T E C O M P L I A N C E & E T H I C S :G U I D A N C E F O R E N G A G I N G Y O U R B O A R D

Name:

Title:

Company:

Address:

City:

State: Zip:

Phone:

Fax:

E-mail:

Mail to: SCCE5780 Lincoln Drive, Suite 120Minneapolis, MN 55436

Phone: (888) 277-4977

Total Payment $ ______________

Invoice MePurchase Order # _____________Check/Money OrderVISA MasterCard American Express

Number

Exp. Date

Name of Card Holder

Signature of Card Holder

Code: CT1104Please make check payable to:

Society of Corporate Compliance and Ethics (SCCE)

FAX: (952) 988-0146

Online: www.corporatecompliance.org

E-mail: [email protected]

Non-Members $395SCCE/HCCA Members $345

www.corporatecompliance.org

Bringing the vision ofleadership together

with a compliant andethical culture

“This video provides anoverview of the Board’s rolein compliance.”

Odell GuytonSenior Corporate Attorney,Director of ComplianceMicrosoft Corporation

“It’s pretty clear that the bestcompliance program in theworld is meaningless, even ifit’s funded with a good wellmeaning compliance officer,if the leadership of the company is not behind itand isn’t supportive…”

Honorable Michael E. Horowitz,Commissioner, United StatesSentencing Commission

ORDER TODAY!

Bronze TellyAward Winner!





cooperation without waiving any privi-leges. Sometimes, in order to fullycooperate and disclose all the facts, acorporation will have to make somewaiver because it has gathered the factsthrough privileged interviews and theprotected work product of counsel. . . .The disclosure, however, involves aminimal intrusion on the privilege,and may be necessary if the corpora-tion chooses to earn leniency throughcooperation.” James B. ComeyInterview, United States AttorneyBulletin, Nov. 2003.

Federal prosecutors “must actively seeksentences within the range establishedby the Sentencing Guidelines in all butextraordinary cases…. [I]n any case inwhich the sentence imposed is belowwhat the United States believes is theappropriate Sentencing Guidelinesrange (except uncontested departurespursuant to the Guidelines, withsupervisory approval), federal prosecu-tors must oppose the sentence andensure that the record is sufficientlydeveloped to place the United States inthe best position possible on appeal.”James B. Comey, U.S. Departmentof Justice, Department Policies andProcedures ConcerningSentencing, Jan. 28, 2005.5

In essence, the DOJ memoranda instructcompanies to help prosecutors find the truth.The government expects to receive the resultsof interviews conducted as part of an internalinvestigation in order to find out what hap-pened. If the government’s efforts are imped-ed, and the company continues to employ anindividual when it has information thatimplicates the employee, the government willlikely view that as a serious flaw in the cor-poration’s compliance program and reflective

of a problematic corporate culture.

Cooperation, waiver, and complianceTrue cooperation today, per the aboverequirements laid out by the DOJ, the SEC,and in the advisory Sentencing GuidelineAmendments, puts a premium on reportingwrongdoing within the company. True coop-eration, it appears, requires the company tomove quickly to begin internal investigationsto find out the facts and to be ready, willing,and able to waive the attorney-client privilegeand turn over internal investigations. As aconsequence, the compliance officer is nowfaced with some serious catch-up efforts.

In order to receive credit from the govern-ment for being “cooperative,” counsel mayfind itself forced to produce materials whichmay otherwise be privileged. The internaland external reporting requirements of theSarbanes-Oxley Act of 2002, (Sarbanes-Oxley) have created new lines of disclosure ofpreviously privileged information.6 The SEChas made it abundantly clear that it willreward cooperation and punish lack of coop-eration. United States v Giesecke, C.D.Cal., 02-1028, Sept. 25, 2002 (company notcharged because of its full cooperation).

Additionally, in Sarbanes-Oxley, Congressrequired the U.S. Sentencing Commission toreview the federal Sentencing Guidelines. TheGuidelines became effective on November 1,2004, and strengthened the requirements forestablishing and maintaining a complianceprogram designed to detect and deter crimi-nal conduct. They also require an organiza-tion to waive the attorney-client privilege andwork product protection in order to demon-strate cooperation with the government.

In particular, commentary to the SentencingGuidelines notes that cooperation “shouldinclude disclosure of all pertinent informa-

tion.”7 In an August 15 letter to theSentencing Commission, the American BarAssociation expressed concern that the com-mentary is “counterproductive and under-mines, rather than enhances, compliancewith the law.”8 The ABA letter goes on tostate that the amendment will be viewed as“Congressional ratification” of the DOJ poli-cy requiring waivers. Hence, how theseGuidelines will be employed is uncertain.9

Following Sarbanes-Oxley, the ABA revisedits Model Rules to permit an attorney to disclose otherwise privileged information incertain situations.10

The ABA believes that as a result of the privi-lege waiver amendment, companies and otherorganizations will be forced to waive theirattorney-client and work product protectionson a routine basis. In their view, the exceptionis likely to swallow the rule as routine waiversbecome a necessary part of corporate practice:

“Now that this amendment hasbecome effective, the JusticeDepartment which has followed a gen-eral policy of requiring companies towaive privileges in many cases as a signof cooperation since the 1999 “HolderMemorandum” and the 2003“Thompson Memorandum” is likely topressure companies to waive their priv-ileges in almost all cases. Our concernis that the Justice Department, as wellas other enforcement agencies, willcontend that this change in theCommentary to the Guidelines pro-vide Congressional ratification of theDepartment’s policy of routinelyrequiring privilege waivers.”11

In sum, given DOJ’s consistent and unwaver-ing (pun intended) emphasis on cooperationand waiver, if a company wants to be viewedas cooperative and have that fact taken into

Preserving the attorney-client privilege ...continued from page 36



consideration by the government in any resolution of the investigation, it should fur-nish materials which may otherwise be privi-leged. Even if, as in the present situation, itremains unclear whether waiver of the attor-ney-client privilege will actually result indecreasing the ultimate penalty imposedunder the Sentencing Guidelines.

How to make an effective complianceteam and preserve the privilegeThe Department of Justice instructs prosecu-tors to look into the substance of a compli-ance program to confirm that the programcan effectively deter and prevent misconduct.As a result, the compliance team has toensure it is far more than a paper complianceprogram (per the Thompson Memorandum)and yet still retain the ability to protect theprivilege. The compliance team must there-fore reflect a government mandate to:■ maintain in-house systems and processes

to ensure effective reporting mechanisms■ ensure that company employees can coop-

erate fully and frankly with complianceefforts

■ comply with the additional requirementsthat are designed to facilitate governmentinvestigation techniques instituted in thewake of recent enforcement efforts andthe corporate mandate

■ protect and preserve the corporation’s abil-ity to assert the attorney-client privilege.

The suggestions below provide a checklist forthe working compliance officer who is facedwith that day-to-day decision making process.

TRANSPARENCY: TThhee ttwweellvvee--ppooiinntt lliisstt ffoorr ttrraannssppaarreennccyy

T Training for Working with theCompliance Office

R Retain the DocumentsA AuditN Non-compliance has zero tolerance

S Set up processes to facilitate decision-making

P Preserve the PrivilegeA Get AnswersR Reporting SystemsE Educate YourselfN NumbersC The CEO must knowY You

T Training for Working with theCompliance Office: Employees needto know how to work with complianceand how to use the reporting mecha-nism. The goal is a consistent, transpar-ent, and effective communication linebetween all departments and the com-pliance office. Managers, in particular,should not “go it alone.” Complianceshould be involved in all investigations.

R Retain the Documents: A company’sability to respond to investigations willdepend in part upon its ability to locateand manage a request for documents.Similarly, counsel’s ability to work withthe matter will depend heavily onwhether the company has put an effec-tive document retention program inplace. Ideally, this program will affordcounsel the ability to efficiently locateresponsive materials, identify thosewhich are privileged, and implement a“halt mechanism” by which the destruc-tion of documents is placed on holdonce litigation is reasonably foreseeable.

A Audit Coordination: Coordinate withInternal Audit and be in a position tomake the determination when andwhether to bring an audit finding to theattention of counsel. Find a balancebetween collaboration with auditors andthe need for auditors to maintain inde-pendence. Work with counsel to

identify risk areas and integrate thoserisk areas into the company’s audit plan.

N Non-compliance is not tolerated:Ensure that there is an appropriateresponse to non-compliance and thatthe response is consistent with the spir-it of the compliance program.Disciplinary measures must be deci-sive, impactful, and fully implemented.

S Set up processes to facilitate deci-sion making: Recognize that you willbe inundated as you are at the nervecenter of company operations: requeststo attend every meeting, participate inevery phone call, and make decisionsdaily come across your desk, creating alogistical nightmare. Your best friend iscommon sense and setting up proce-dures to make the system work for you.

Set up processes to help you sort thewheat from the chaff. Setting up astandard reporting format for ques-tions and concerns not only willreduce the red tape, but it will create arecord that will document your com-pliance efforts. You have cut your timeand helped ensure that the company’scompliance efforts are transparent.

P Preserve the Privilege: As discussedherein, the privilege does not just hap-pen. Affirmative steps must be taken bycounsel to preserve the privileged natureof both oral and written communica-tions. Over-assertion of the privilege canjeopardize your ability to assert it. Geton the same page as counsel. Determinein advance the kinds of circumstancesthat warrant counsel involvement.

A Get Answers: No one expects you toContinued on page 40

have all of the answers all of the time.But you need to put yourself in a posi-tion to get those answers. Set up aprocess to make sure that you have allthe substantive information. Create aprocedure for investigations. Who willbe responsible for what; who needs tobe in the loop. This will help ensureconsistency and make it easier tomobilize the resources you will need.Incorporate the need-for-counsel deci-sion into your process.

R Reporting Systems: Besides youranonymous reporting system (compli-ance hotline), ensure that you have aclean reporting line to the board ofdirectors and the CEO on compliancematters. At the risk of stating the obvi-ous, don’t forget that protecting theprivilege extends to board presentations.

E Educate Yourself: Keep abreast of allcompany programs and new initiatives.Stay educated in the company’s opera-tions and in its risk areas. Be visibleand be knowledgeable. Make yourself akey asset to your company. Stay edu-cated and participate in conferences.Stay abreast of ongoing litigation andenforcement efforts that are relevant toyour company.

N Numbers: Track compliance hotlinecalls. Be able to show progress, to showthat transparency is hard at work inyour company. You are expected toknow the nature and scope of yourcompany’s training programs. Howmany, how often, how are they devel-oped to match the skill set of theemployees. Keep track of the changesto the SOPs and work to coordinatechanges to the code of conduct andemployee manuals. Ensure you have

adequate resources.

C The CEO must know: Complianceefforts are now visible to investigativeand enforcements efforts, both withinthe company and without. The CEOis the public face of the company.There can be no surprises.

Y You: Yes, it is in fact up to you. Takeresponsibility. You should reflect thecompany code of conduct in your activ-ities and you should be seen exemplify-ing company values. You really need toknow your company inside and out.

ConclusionBoth counsel and compliance officers face aunique challenge in attempting to preservethe privileged nature of communications andwork-product generated within the corpora-tion, while maintaining a transparent compli-ance program. As we all move forward in theage of transparency, where waiver is the orderof the day, preservation of the privilege mayultimately prove to be pyrrhic. A SupremeCourt justice once said that an uncertainprivilege is the same thing as no privilege atall. We have moved from the age of testimo-nial privilege to the age of transparency. ■

1. Upjohn Co. v. United States, 449 U.S. 383, 389 (1981).2. See Lugosch v. Congel, 219 F.R.D. 220 (N.D.N.Y. 2003)

(noting that the privilege is less a sacrosanct rule than subjectto waiver upon waiver).

3. See In re Grand Jury Proceedings October 12, 1995, 78 F.3d251, 254 (6th Cir. 1996) (finding that attorney-client privi-lege is waived by voluntary disclosure to a third party). Butsee Merrill Lynch v. Allegheny Energy, Inc., 2004 U.S. Dist.LEXIS 21543 (S.D.N.Y. Oct. 22, 2004) (holding that natureof report to accounting firm did not constitute waiver ofwork-product protection since disclosure was not inconsis-tent with maintaining secrecy).

4. See United States v. Bergonzi, 216 F.R.D. 487, 493 (N.D.Cal. 2003) (citing United States v. Sudikoff, 36 F. Supp. 2d1196, 1204-05 (C.D. Cal. 1999) (finding that client’s com-munication with attorney made with intent that attorneyrelay communication to government is not protected byattorney-client privilege).

5. See also, James B. Comey, Deputy Attorney General, U.S.Department of Justice, speech at the 19th Annual NationalInstitute on White Collar Crime 2005 (Mar. 3, 2005). “The

issue of waiver, though it’s really quite simple. If a corpora-tion wants leniency in the charging decision by theDepartment of Justice, they have to cooperate.”

6. 17 CFR §§ 205.2, 207. See also SEC press release, U.S.Securities and Exchange Commission, April 11, 2002) ( SECfined Xerox in part for its “lack of full cooperation.”http://www.sec.gov/news/press/2002-52.txt/

7. U.S.S.G. § 8C2.5 ¶ 12 8. See Letter from Robert D. Evans, Director, American Bar

Association, to United States Sentencing Commission (Aug.15, 2005), available at http://www.abanet.org/poladv/commentlettertoussc.pdf.

9. United States v. Booker, 125 S. Ct. 738 (2005) (proper remedy for constitutional infirmities of the SentencingGuidelines is to retain them as advisory); United States v.Robles, 408 F. 3d 1324 (11th Cir. 2005); United States v.George, 403 F. 3d 470 (7th Cir. 2005) (following the guide-lines). See http://www.fd.org, http://www.ussc.gov/Blakely/sel_postbooker.pdf (U.S. Sentencing Commission websitewith selected decisions).

10. See ABA Model Rules 1.6,1.13. and related ABA Fact Sheet.11. See Letter from Robert D. Evans, Director, American Bar

Association, to United States Sentencing Commission (Aug.15, 2005), available at http://www.abanet.org/poladv/commentlettertoussc.pdf.



Preserving the attorney-client privilege ...continued from page 39

HCCA ELECTIONS

IN DECEMBER

The Election for HCCA’sBoard of Directors takes

place in December.

All ballots must be received no later thanDecember 31, 2005.

If you are a member andhave not received a ballot,please contact HCCA at

888/580-8373.

Please be certain to complete your ballot

and mail it using the return envelope provided

in your packet.


PPuurrssuuiitt ooff aa mmiissssiioonn oouuttssiiddee ooff ccuullttuurree:: Self-governing culture isnot an end in itself—it is a means to accomplishing something ofgreat value to others. The most successful companies have a purposebeyond themselves—a noble mission. Cultures only stay healthy ifthey pursue and stay true to their missions.

By focusing on the “how” of business, by seeking to establish stan-dards in addition to rules, by investing in culture and by fosteringthe hallmarks of successful self-governing cultures in our own organizations, we do more than protect against the downside of scandal, fines, and penalties. We put in place annuity that continuesto bear dividends long after today’s headlines have faded and newquarterly results replace the old. We put in place a foundation forenduring value—a foundation to win. ■

1. Suria Santana, “Researchers Criticize New HIPAA Regulations,” AAMC Reporter, July 2004.

Moving from rules and standards ...continued from page 19


CEO’s letter ...continued from page 20

up on that “whisper of trouble.” There was an effective auditingand monitoring system in place. Everyone did their job. There wasan effective detection and resolution system in place. Because her“breast cancer compliance program” was so effective, we are veryoptimistic about the outcome.

The carrot and the stick The new sentencing guidelines talk about the need for positivereinforcement of compliance efforts. In the case of cancer, that cancome in the form of well-wishing. Many people have asked whatthey can do to help and they have helped a lot. In fact, they havebecome part of her “cancer compliance program”. Many people Ihave worked with have asked what they can do. I suggest to themto stop by her web site, caringbridge.org/visit/juliesnell, andput in a note to Julie from “Roy’s colleague.” Caringbridge.org issomething you should know about, should you ever find yourselfin this situation.

ConclusionIt is very obvious that you should take no chances with cancer.Everyone expects everything possible to be done. I don’t always seethat in compliance. Too often we settle for less. Effective compli-ance professionals take their jobs seriously. We must be reasonable,but we should do whatever we can to ensure success. ■

On one side, itÕs a technology solution. On the other, a servicesolution. SMART2.o is more than a software tool, it’s a technologysolution designed to help you continuously assess coding accuracy and data quality as an important part of your hospital’scompliance program.

For more than 15 years, we’ve worked with HIM professionalsproviding affordable tools and services that help them with codingaccuracy, regulatory compliance, data management and reportsto monitor PPS requirements.

So, whether you look at your hospital’s compliance program froma technology perspective or a service perspective, SMART2.o is a very smart, very budget-friendly way to work.

To start an in-depth conversation about your particular needs,contact Doug Barry at 866-792-4920 or visit pwc.com/healthcare.

®SMART2.o : bringing HIM people and HIM technologytogether.*

© 2005 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, asthe context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. *connectedthinkingand SMART2.o are trademarks of PricewaterhouseCoopers LLP (US).

*connectedthinking

SMART2.o