CHC Exam Outline

The document outlines developing an effective compliance program, including establishing policies and procedures, conducting training and audits, and taking corrective actions. It discusses the key elements of a compliance program such as a written code of conduct, compliance officer, auditing and monitoring, and establishing compliance oversight. The document provides details on how to measure effectiveness, conduct investigations, perform different types of audits, and check for employee sanctions.

Uploaded by vicky

CHC EXAM PREP OUTLINE

OUTLINE

CHAPTER 1

I) Developing an Effective Compliance Team


A) WHO NEEDS A COMPLIANCE PROGRAM
i) Physician org, managed care org, ambulance org, BA billing companies, labs, research, DME distributors (Medical
Device), Home Health Agencies, Accountable Care org.
B) Measuring Effectiveness Among Six Compliance Program Indicators
i) Indicator # 1 – Policies and Procedures
ii) Indicator # 2 – Ongoing Education and Training
iii) Indicator # 3 – Open Lines of Communication
iv) Indicator # 4 – Ongoing Monitoring and Auditing
v) Indicator # 5 – Enforcement and Discipline
vi) Indicator # 6 – Investigation, Response, Prevention
C) Benefits of Compliance program
i) Community org among employees
ii) Cost-effective
iii) Identify and prevent fraud/criminal activity
iv) Improve quality patient care
v) Create a centralized source of health care regulations
vi) Develop a mechanism for reporting
vii) Develop procedures that allow the prompt thorough investigation of alleged misconduct
viii) Immediate and appropriate corrective action
ix) Reduce the organization's exposure to civil damages and penalties, criminal sanctions and administrative remedies such as
exclusion.
D) Seven Fundamental Elements of an effective Compliance program (FSG)
i) Implementing written standards of conduct, procedures and policies
(a) Demonstrates an org's ethical attitude and emphasis on compliance
(b) It is meant for all employees, vendors, suppliers, contractors
(c) Most CIAs require annual attestation to the code
(d) Should outline enforcement and discipline (Penalties and dismissals)
(e) Check List
• Culture and values of the org: prevention, detection and resolution
• Written plainly and translated if necessary
• Mention org policies
• Consistent with company policies and procedures
• Should not be embedded in a policy or HR manual
(f) Code and employees
• Employees receive, read and understand the standards
• Training specific to the code
• Enforce compliance fairly and consistently, with appropriate discipline
• The code should state that non-compliance will result in discipline
(g) Code Purpose
• Represent the culture of the org
• Summarize guidelines
• Assist employees in understanding their duties
• Provide a basis for decision making
• Confirm daily compliance by employees
• Elevate corporate compliance
• Confirm the org upholds and supports proper compliance conduct
ii) Hire a Compliance officer
(a) Most important responsibilities of the compliance professional in an investigation
Page 1 of 69
• Review the investigation policy
(i) timelines
(ii) approval process
(iii) centralized process
• Set investigative priorities/objectives
• Determine the deciding authority
• Identify the point person
• Review what is known
• Identify persons/employees to be interviewed
• Obtain relevant documentation and financial information if applicable
• Set the timeline needed to complete the investigation
• Discuss report guidelines
• Take corrective action
• Document process and results
iii) Conducting internal monitoring and auditing of the compliance program
Audit and review types:

Baseline – High-level review
Probe – Determine whether a compliance issue exists
Routine – Evaluate ongoing compliance
Expanded – Enlarge the sample based on error rates identified during a routine audit
Focus – For-cause review

(a) Monitoring
• Employees vested in the day-to-day functions necessary to determine whether compliance elements, such as
dissemination of standards, training and disciplinary action, have been satisfied.
• Activities include: on-site visits, interviews with personnel, questionnaires developed to solicit impressions of
hospital employees and staff, peer reviews, reviews of documentation, trend analyses, reviewing exit interviews,
and hotline issues and trends.
(i) Performance reviews are a good way for people to 1. discourage whistleblowers, 2. acknowledge concerns
in writing and explain whether (and how) previously noted concerns have been addressed.
1. Hospitals must integrate peer review into their culture of compliance to reduce the risk of false claims,
misconduct, and liability for unnecessary or substandard care.
2. Six Areas of Peer review
a. patient care
b. medical/clinical knowledge
c. education/training
d. communication
e. professionalism
f. system based practice
3. Records are protected from discovery if reviewed by an outsider. Generally, state law determines this.
(ii) Prompt response to hotline complaints
(iii) Track resolution of those complaints
(iv) Sample Exit interview questions
1. Communication in unit
2. Do you think the COC is followed
3. Concerns regarding ethical issues or compliance practices
(b) Establishing compliance oversight. Compliance-related policies exist for:
• Auditing and monitoring
(i) Create an audit Plan
1. References
a. OIG work plan (investigation ideas)
b. OIG Semi-annual Report
i. 2016 Specific case types include fraud schemes related to:
ii. controlled and non-controlled prescription drugs,
iii. home health agencies and personal care services,
iv. ambulance transportation,
v. DME, and
vi. diagnostic radiology and laboratory testing
2. Use Qualified Auditors
3. Risk Areas
a. Coding
b. Contracts
i. Free of Stark, kickback, COI and other pitfalls
c. Quality care
i. Sources: Client satisfaction surveys can quickly point to risk areas, as can complaint logs,
payment denial logs and other indicators.
4. Use Sampling
a. Do not need to audit 100% of the claims
b. How to select a sample: Identify risk areas and billing vulnerabilities
c. If you use a sample and find errors, you may need to expand the time frame or scope
i. To determine when the problem began (track)
ii. Overpayments / other errors
- require disclosure, carry fraud liabilities, and require refund of overpayments
iii. Cause of error (trend)
iv. How to prevent the problem
- look at other providers (benchmark)
5. Corrective Action Plan: Recovery Audit Program
a. Employee training or discipline
6. Identify necessary changes to policy and procedures
a. Billing improvement
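The probe-then-expand audit sequence above (sample rather than audit 100% of claims, enlarge the sample when the probe finds errors, trace when the problem began, estimate the overpayment), as an added worked example that is not part of this outline. The claim universe and its error pattern are constructed, and the ratio estimate of the overpayment is a deliberate simplification (assumption); a real audit would use a statistically valid estimator such as OIG's RAT-STATS.

```python
"""Claims sample audit with expansion: probe a sample, expand the sample when
the error rate exceeds a threshold, extrapolate the overpayment, and trend the
error rate by period. Added example; all data is constructed."""
import random
from collections import defaultdict


def make_claims(n=400, seed=7):
    """Build a constructed claim universe (no real claims). Error probability
    rises after month 6 so the trend step has something to find (assumption)."""
    rng = random.Random(seed)
    claims = []
    for i in range(n):
        month = (i % 12) + 1
        billed = rng.choice([100, 150, 200, 250])
        err_prob = 0.05 if month <= 6 else 0.25
        # 'allowed' is what the documentation supports; a shortfall is an error.
        allowed = billed - rng.choice([25, 50]) if rng.random() < err_prob else billed
        claims.append({"claim_id": f"C{i:04d}", "period": f"2016-{month:02d}",
                       "billed": billed, "allowed": allowed})
    return claims


def is_error(claim):
    return claim["allowed"] != claim["billed"]


def error_rate(sample):
    return sum(1 for c in sample if is_error(c)) / len(sample) if sample else 0.0


def audit(claims, probe_size=30, expand_size=120, threshold=0.10, seed=1):
    """Probe sample first (the 'probe' review type); expand to a larger sample
    (the 'expanded' review type) when the probe error rate exceeds threshold."""
    rng = random.Random(seed)
    pool = claims[:]
    rng.shuffle(pool)                      # random selection, not cherry-picked
    reviewed = pool[:probe_size]
    result = {"probe_error_rate": round(error_rate(reviewed), 3), "expanded": False}
    if result["probe_error_rate"] > threshold:
        reviewed = pool[:expand_size]      # enlarge the sample from the same pool
        result["expanded"] = True
    result["reviewed"] = len(reviewed)
    result["error_rate"] = round(error_rate(reviewed), 3)
    # Overpayment observed in the reviewed claims, plus a simple ratio estimate
    # for the whole universe (a real audit uses a statistically valid estimator).
    observed = sum(c["billed"] - c["allowed"] for c in reviewed)
    result["observed_overpayment"] = observed
    result["estimated_overpayment"] = (round(observed / len(reviewed) * len(claims), 2)
                                       if reviewed else 0.0)
    # Trend by period: where the error rate jumps is where to start tracing the cause.
    by_period = defaultdict(list)
    for c in reviewed:
        by_period[c["period"]].append(c)
    result["trend"] = {p: round(error_rate(cs), 2) for p, cs in sorted(by_period.items())}
    return result


if __name__ == "__main__":
    for key, value in audit(make_claims()).items():
        print(key, value)
```

The threshold that triggers expansion, the sample sizes and the scope (here one year of periods) are the audit plan decisions the outline lists; the code keeps them as parameters so the plan, not the script, decides them.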
• Compliance record retention policy
(i) Attestations, audit results, investigation documents
• Self-disclosure
• Regular sanction checks
(i) HHS is the largest grant awarding organization
(ii) HHS is the 3rd largest contracting organization
1. Grant – carry out a purpose authorized by law
2. Contract – provide goods and services for the
(iii) Grant and Contract Fraud
1. Theft
a. CC designated for business use is used for personal purpose
b. Fake attendance records for ghost employees
2. Material false statements
a. Submitting materially false statements: Documentation (insufficient or non-existent), invoices,
unallowable expenses
3. Conflicts of interest
a. For example: Grantee orders food from his catering business

b. Restitution
c. Criminal prosecution
(iv) Penalties
1. Banned from receiving HHS contracts and grants
(v) System for award management (SAM)
1. Official govt system that consolidated the capabilities of Central Contractor Registration (CCR)
2. Office of research in clinical amplification (ORCA)
3. OIG Exclusion database: Excluded Party List System (EPLS)
a. CMP has a calculation that determines fines for hiring or contracting with persons on the excluded
list.
(vi) State Medicaid Database
1. By law if federal gov’t revokes you, the state must follow suit.
(vii) Specially Designated Nationals list (SDN) – "Terrorist List"
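The regular sanction check described above (OIG exclusion list, SAM, state Medicaid database, SDN list), as an added example that is not from this outline. The exclusion records and the roster are constructed, and the record layout is an assumption rather than the real file formats; what it shows is the name normalization a screen needs and why a name-only hit is a REVIEW for a human, not an automatic MATCH.

```python
"""Sanction screening of a workforce/vendor roster against exclusion lists.
Added example with constructed data. The list names are the ones the outline
mentions (OIG LEIE, SAM, state Medicaid, OFAC SDN); the record layout here is
an assumption, not the real file formats."""
import re
import unicodedata

SUFFIXES = {"JR", "SR", "II", "III", "IV"}


def normalize_name(name):
    """Upper-case, strip accents, punctuation and generational suffixes so that
    "O'Brien, Jr." and "OBRIEN" compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    letters = re.sub(r"[^A-Za-z ]", "", ascii_name).upper()
    return " ".join(p for p in letters.split() if p not in SUFFIXES)


# Constructed exclusion records (not real people or entities):
# (source list, last/entity name, first name, date of birth or None)
EXCLUSION_RECORDS = [
    ("OIG LEIE", "Doe", "Jane", "1970-01-02"),
    ("SAM", "O'Brien, Jr.", "Patrick", None),
    ("State Medicaid", "Müller", "Anna", "1985-05-05"),
    ("OFAC SDN", "Example Trading Corp", "", None),
]


def build_index(records):
    """Index records by normalized (last, first) so screening is a dict lookup."""
    index = {}
    for source, last, first, dob in records:
        key = (normalize_name(last), normalize_name(first))
        index.setdefault(key, []).append({"source": source, "dob": dob})
    return index


def screen(subject, index):
    """Return (status, hits). MATCH: name and DOB agree with a record.
    REVIEW: name matches but DOB is missing on either side or differs, so a
    person must clear or confirm it. CLEAR: no name match on any list."""
    key = (normalize_name(subject["last"]), normalize_name(subject.get("first", "")))
    hits = index.get(key, [])
    if not hits:
        return "CLEAR", []
    for hit in hits:
        if hit["dob"] and subject.get("dob") == hit["dob"]:
            return "MATCH", hits
    return "REVIEW", hits


def screen_roster(roster, records=EXCLUSION_RECORDS):
    """Screen every employee, contractor and vendor. Run on a schedule (the
    outline's 'regular sanction checks') and keep the output as the audit record."""
    index = build_index(records)
    return {s["id"]: screen(s, index)[0] for s in roster}


if __name__ == "__main__":
    roster = [  # constructed roster, not real people
        {"id": "E1", "last": "Doe", "first": "Jane", "dob": "1970-01-02"},
        {"id": "E2", "last": "obrien", "first": "PATRICK"},
        {"id": "V1", "last": "Example Trading Corp."},
        {"id": "E3", "last": "Roe", "first": "Richard", "dob": "1990-03-03"},
    ]
    print(screen_roster(roster))
```

Exact matching on a normalized name is deliberately strict: a looser (fuzzy) match finds more true hits but also floods the reviewer with false positives, so the trade-off belongs in the screening policy, and every REVIEW and MATCH, together with who resolved it and how, is the documentation the compliance record retention policy above calls for.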
• Specific areas of risk: conflicts of interest, billing, clinically integrated networks, third-party relationships.
(i) The purpose of training based upon risk assessment findings is reducing the organization's legal exposure
• Non-retaliation (may be in HR)
• Stark/Anti-kickback
• HIPAA Privacy – WHAT information is to be protected. The general rule is that a covered entity may not disclose PHI
except as required by law or under an exception.
(c) Audits
• Maintain policies and procedures for
(i) Internal audits
(ii) External audits
• Two approaches
(i) Concurrent – real-time audit that reveals potential problems individually as they arise.
(ii) Retrospective – snapshot of things that need to be fixed
1. If you discover billing errors, you are required to report and return the funds to the gov't
a. If repayment is due to Medicare, it must be made within 60 days of identification.
i. 6-year SOL on repayment liability.
• Requires a review of
(i) Anti-kickback and self-referral (stark) issues
(ii) Conflict of interest
1. Definition – transfers of value from a medical products company to a physician.
a. Conflicts should be
i. Disclosed AND
ii. Managed or
iii. Eliminated
2. Scope and elements of a COI Program
a. Conflict of interest
i. individual: Do individual interests/relationships have the potential to impact objectivity or
judgment with respect to org activities?
ii. institution: Do institutional interests/relationships have the potential to impact organizational
decisions and/or oversight?
b. Conflict of commitment
i. Do the individual interests / relationships interfere with/detract from one meeting their org
responsibilities?
a. Protect the integrity of research and human subjects
b. Protect the welfare of patients
c. Protect the integrity of medical education
d. Protect the reputation of the institution
ii. Do the Org interests / relationships interfere with/detract from one meeting their org
responsibilities?
a. Occurs when an institution’s interests appear to impact or influence its operations.
b. Can include financial interests, holdings, investments, of both the institution itself and/or
its top leadership and board members.
c. Can include even the appearance of potential for conflict of interest or commitment.
c. Nepotism
i. preferential treatment
a. the practice among those with power or influence of favoring relatives or friends,
especially by giving them jobs.
b. the unfair practice by a powerful person of giving jobs and other favors to relatives.
c. Scientific nepotism: favoring relatives in the sharing of scientific discovery for the
purpose of mutual financial gain. Example: Physician researcher employed by a school
of medicine, shares information about a research breakthrough with her brother.
Research will result in new technology with clinical applications. Brother starts
technology company that will develop the clinical application. Physician-researcher
invests in “start-up” technology company.
d. Significant Financial Interest
e. Managing COI
i. Communication
a. discussions
b. systematic workflow
c. letter/document
ii. Roles and Responsibilities
a. committee
b. central office
c. other leadership (chair, chief)
iii. Documentation
a. acknowledgment/agreement/signature
b. sponsor reporting/other notifications
3. Compliance
a. Risk based sample / use of metrics
b. Specific activities
i. Checking or asking for publications and presentations?
ii. Verifying disclosure in informed consent documents?
iii. Verifying disclosure to research team and collaborators?
iv. Reduction in conflicted individual’s role in activity?
v. Independent monitoring of activities (data analysis, etc.)
c. Enforcement and corrective action
d. Compliance integration
i. Electronic conflict reporting options
ii. Centralization of management processes
iii. Integration with publicly reported database
(iii) Documentation billing and coding reviews (see E&M)
(iv) Third-party contracts
(v) Compliance program processes (meaningfulness)
E) E&M Coding Documentation Guidelines / Conducting effective training and education
i) Documentation sufficiency
(a) Diagnosis codes -- The CPT and diagnosis codes reported on the health insurance claim form or billing statement
should be supported by documentation in the medical record.
• National coverage determinations (NCD) and applicable local coverage determinations (LCD) from the
Medicare Administrative Contractor (MAC).
• LCD and NCD provide information for coverage limited to certain diagnoses. Coverage decisions may limit the
frequency of an item or a service or deny an item or service outright as experimental and non-covered. Private
payors may follow CMS NCDs or they may have their own LCDs.
• Prior to an NCD taking effect, CMS must first issue a Manual Transmittal, CMS ruling, or Federal Register
Notice giving specific directions to its claims-processing contractors. That issuance, which includes an
effective date and implementation date, is the NCD.
• The agency must also change billing and claims-processing systems and issue related instructions to allow for
payment. The NCD will be published in the Medicare National Coverage Determinations Manual.
ii) Medical necessity documentation
(a) Fraud and abuse are most likely to occur with billing irregularities. Billing policies must prohibit both billing for services
never provided and billing for unnecessary services.
(b) Physician services are described in codes in the Current Procedural Terminology (CPT)
(c) all states require
(d) unaltered and original documentation
(e) justify the code being billed for “Level of Service” which depends on
• History: Elements: 1) Location of systems, 2) quality of features, characteristics or attributes, 3) severity or
harshness, sharpness, 4) duration or length of the symptom, 5) timing to something else (after dinner, or at
night), 6) context factors that surround a particular event, precedes or follows a symptom, 7) modifying factors
those that alter or limit a symptom, 8) associated signs and symptoms.
(i) Chief Complaint
(ii) present illness (HPI)
1. location (of sign or symptom)
2. timing (when the signs or symptoms are experienced)
3. modifying factors (what makes it worse)
4. quality (adjective to identify the type of signs or symptoms)
5. associated signs and symptoms (other signs or symptoms)
6. severity (descriptive statement describing the signs or symptoms)
7. duration (how long have the signs been there)
8. context (where or when did patient experience symptoms)
(iii) review of systems
(iv) past family
(v) social history
• Examination
(i) # of body areas and organ systems
1. medical documentation MUST contain sufficient information to:
a. support the diagnosis (must be timely),
b. justify the treatment/procedures (detailed and Why such is necessary),
c. document the course of care,
d. identify treatment/diagnostic test results, and
e. promote continuity of care among health care providers
2. Types of exams
a. problem focused
b. expanded problem focused
c. detailed
d. comprehensive
• Medical decision making
(i) Types of decision making
1. Number of diagnoses
2. Amount of complexity
3. Risk of significant complications
(f) Examples
• Example: "Downstream Entity" – a Part D sponsor is ultimately responsible for the actions of its subcontractors
(pharmacists, consultants and marketing firms). Pharmacy Benefit Managers (PBM).
• Risk Areas
(i) Script mills occur when a provider writes prescriptions that are not medically necessary, often in large
quantities and for patients that are not theirs, often for controlled substances.
(ii) Prescription switching –PBM receives a payment to switch a beneficiary from one drug to another.
(iii) Drug Shorting –Pharmacy provides less than the prescribed quantity and intentionally does not inform the
patient, but bills for the fully-prescribed amount.
(iv) ID theft – an individual steals another person's Medicare card to obtain prescriptions.
• Medical billing codes are organized according to diagnosis related group (DRG).
(i) Medicare has approx. 17K numeric codes

• Upcoding is the practice of billing with a code that provides a higher reimbursement rate
(i) All codes submitted for payment must correlate with documentation in the patient record and follow the
official coding guidelines.
(ii) HIPAA added monetary fines to OIG sanction authority for such violations.
(iii) DRG Creep is the practice of using a DRG code that provides higher billing than one that reflects the actual
services.
iii) Developing effective lines of communication and screening
iv) Disciplinary guidelines: Enforcing standards through well-publicized
(a) Five points
• Discipline issued for non-compliance
• Employees have an obligation to report
• Outline of disciplinary procedures
• List of appropriate parties
• Discipline is fair and consistent
(b) Failure to detect or report is a serious compliance violation
(c) HR duty to work with management to impose the discipline
(d) It is the compliance professional responsibility to monitor consistency in disciplinary actions
v) Identifying and detecting offenses
(a) Discovery of the breach is key
• Investigation
(i) Develop a plan of action
1. Questions
a. Why did the breach occur?
i. e.g., why was ePHI emailed
b. What is the origin of the issue?
c. When did the issue originate?
d. How far back should the investigation go?
e. Statistical sampling of billing – to estimate or conclude something by assuming that existing
trends will continue or a current method will remain applicable
(ii) Meet with GC or external counsel
(iii) Documentation
1. Description of potential misconduct
2. Description of the investigation process
3. Relevant documents reviewed
4. List of employees interviewed
5. Employee interview questions and notes (vary by organization)
6. Changes to the policies and procedures (if appropriate)
7. Documentation of disciplinary action
8. Investigation final report identifying whether allegation was substantiated or not.
vi) Correction: Responding to compliance issues
(a) If a violation pursuant to civil law or rules governing a federally funded health care program has occurred
• Voluntary disclosure has financial incentives in claim overpayment
(b) If allegations are unsubstantiated then no further action is necessary
vii) Physician certification statement
(a) legible or typed
(b) signatures
viii) Requested guarantees
F) Organization Chart

Board
Compliance Committee                 CEO
  • VP
  • HR
  • Audit
  • Billing/Coding
  • Record Management
  • Compliance
  • Privacy
  • Risk Management
Chief Compliance Officer   Chief Privacy/Security Officer   In-house Counsel

G) Board of Directors and Senior Execs must be on board


i) Duties
(a) Compliance goals periodically adjusted to account for payment reforms and new quality standards
(b) How does the board encourage managers to incorporate compliance in daily decisions
(c) Does the board hold key employees accountable
(d) Hold meetings and document them
ii) Key roles for the board
(a) Compliance oversight
 A Board must act in good faith in the exercise of its oversight responsibility for its organization, including
making inquiries to ensure:
(i) a corporate information and reporting system exists
(ii) the reporting system is adequate to assure the Board that appropriate information relating to compliance
with applicable laws will come to its attention timely and as a matter of course
(b) Structuring the compliance program
(c) Evaluating the standard and processes
iii) Issues relating to a Board’s oversight and review of compliance program functions
(a) roles of, and relationships between, the organization's audit, compliance, and legal departments;
(b) mechanism and process for issue-reporting within an organization;
(c) approach to identifying regulatory risk; and
(d) methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives
iv) The FSG make the board's unequivocal support for the program mandatory
(a) Caremark International Derivative litigation – makes the board responsible for implementation of a system to gather
information on the company’s efforts to prevent and detect fraud and abuse.
• First Tier, Downstream or Related Entities (FDRs) may satisfy Fraud, Waste and Abuse (FWA) training
requirements through:
(i) CMS FWA Training Module
(ii) Being "deemed" through Parts A/B enrollment or through accreditation as a supplier of DMEPOS
(iii) Taking training/materials provided by the sponsor
• FDR employees that perform work on behalf of the plan sponsor's Medicare contract must satisfy FWA
training requirements.
• Example: Caremark's board of directors (the "Board") breached their fiduciary duty of care to Caremark in
connection with alleged violations by Caremark employees of federal and state laws and regulations applicable
to health care providers. A substantial part of the revenues generated was derived from third-party payments,
insurers, and Medicare and Medicaid reimbursement programs. Caremark had a practice of entering into contracts for services
(e.g., consultation agreements and research grants) with physicians, at least some of whom prescribed or
recommended services or products that Caremark provided to Medicare recipients and other patients. Such
contracts were not prohibited by the Anti-Referral Payments Law (Stark), but they obviously raised a possibility
of unlawful "kickbacks." Caremark entered into a consent agreement with the gov't to settle.
v) board promotes economy, efficiency and effectiveness by:
(a) new payment models that reward quality, value and reduction of waste.
(b) enhance compliance through involvement in oversight activities.
(c) integrating compliance throughout the business.
vi) Skills
(a) Be engaged in oversight
• Active, raise questions, raise skepticism
(b) Experienced
• Compliance, clinical or financial auditing expertise can be useful
(c) Be informed
• How does the org audit and monitor risk areas
(d) Be involved
• Attend compliance training
(e) Be adaptable
• New risk areas and developing new safeguards
vii) Manager buy-in
viii) Physician support through compliance
(a) Business and clinical needs
(b) Clinical and fiscal improvements
(c) Trust through involvement
(d) Involve them early
(e) Work one-on-one with them
(f) Cultivate the early adopters and enthusiasts
(g) Be a partner, not a dictator
(h) 3C’s of Communication
• Clear
• Concise
• Creative
ix) Staff Support
x) Financial Support
xi) Compliance Budget
xii) Ongoing operations
(a) Risk Management Process
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
(b) Saving future costs of compliance
• Embed quality into existing processes
• Centralize common processes and controls
• Improve human resources infrastructure
• Improve system resources
• Emphasize training
• Monitor marketing and compensation
• Conduct a risk assessment
(i) Privacy Impact Assessment, or PIA, is an analysis of how sensitive information is collected, used, shared
and maintained at your institution.
1. ensure legal, regulatory, and institutional policy compliance
2. determine associated risks and effects
a. The Federal Sentencing Guidelines require that risk assessments: Prioritize risk for compliance
program modification.
i. Historical data would be most helpful
3. evaluate protections and alternative processes to mitigate potential privacy risks
a. Be sure any timeframes or requirements listed can be accomplished given the practice's resources
(ii) type of risks assessments
1. strategic
2. operating
3. financial
4. compliance
• Develop mission and goals

(i) The Board of Directors' Audit Committee may meet and not keep minutes as long as internal emails
suffice. The documentation does not have to be in the form of minutes.
• Quality management
(i) Plan
(ii) Do
(iii) Check
(iv) Act
• Must understand and oversee
(i) Annual reviews
(ii) Reports on monitoring plans
(iii) Investigations
(iv) Approval on high risk items
• GOALS
(i) RISKS
1. Detect
2. measure
3. Adjust
(ii) PREVENT MISCONDUCT / FRAUD
1. monitor
2. review
(iii) MITIGATE
1. analyze
2. apply corrective measures
H) Effectively and appropriately develop its corporate organizational structure for self-governance, while supporting the
organization's policies and procedures
I) Establish a new and improved compliance team
II) Having support of senior management for a compliance program will occur if:
A) Effective compliance program
i) What metrics are being used to evaluate compliance with laws and regulations? How are they selected?
ii) Gaps in quality and improvement
iii) Routinely conducting internal monitoring
iv) Track corrective action plans to ensure the proposed changes are implemented
v) Hurdles to compliance? Resource constraints or lack of support
B) Compliance Officer is someone the CEO, CFO, and COO trust implicitly
i) Both OIG and Federal Sentencing Guidelines call for a designated Compliance Professional.
(a) 70 percent of OIG funding is directed at Medicare/Medicaid oversight
(b) OIG: appropriate authority is required for the success of the program.
(c) FSG: the compliance professional carries out operational responsibility.
ii) Compliance officer must have access to any and all documents that are relevant to compliance.
(a) e.g., patient records, billing and contracts.
iii) May report to the Board, CEO/President or General Counsel (GC).
(a) CMS Recommends that Compliance Officer must be independent and be able to freely enforce compliance
requirements up and down the organization’s chain of command.
(b) If Board is not reviewing the informed consents or authorizations completed by research subjects, then GC should
be notified.
iv) Does the compliance officer have sufficient influence?
v) Main duties should be implementation, administration, and day to day oversight of compliance program.
(a) Board duties according to the OIG
• Overseeing and monitoring the implementation and ongoing operation of the compliance program
(i) A compliance program is more dangerous if developed but not implemented
• Reporting on a regular basis to the governing body, CEO, compliance committee
(i) Committee duties include:
1. Participating in Identification and prioritization of risk
2. Regularly reviewing and assessing compliance policies and procedures
3. Assisting with the development of standards of conduct (SOC/COC) and policies and procedures
a. Must have policies, procedures and standards of conduct that:
i. Articulate commitment to comply with Federal and State standards
ii. Describe compliance expectations
iii. Implement operation of compliance program
iv. Provide guidance on dealing with compliance issues
v. Identify how to communicate compliance issues
vi. Describe how compliance issues are investigated and resolved
vii. Include policy of non-intimidation and non-retaliation
b. Policies and Procedures Detailed and specific Operation of compliance program:
i. Compliance reporting structure
ii. Training requirements
iii. Reporting mechanisms
iv. How investigations conducted
v. How issues are resolved
vi. Touch upon operational areas
vii. Update with changes to laws and requirements
viii. Easy to read and comprehend
ix. Translation as necessary
c. Distributed to all employees within 90 days of hire, when updated and annually
d. The Compliance Department, Senior Leadership and the Governing Body are all responsible for
promoting the Standards of Conduct. Standards should be approved by the full governing body.
e. Compliance Policies and Procedures into one document, as long as the document contains all of
the content as required by the Compliance Program regulations and guidance.
4. Conducting an annual review of the compliance plan document
5. Determining the appropriate strategy to promote compliance
6. Developing a system to solicit, evaluate and respond to complaints
• Revising the compliance program periodically as appropriate
• Developing, coordinating and participating in a multifaceted educational and training program
(i) Compliance training should include :
1. Should be conducted annually at a minimum
2. Compliance is a condition of employment
3. Elements of compliance program
4. COC
a. Sponsors may combine their Standards of Conduct and Compliance Policies and Procedures into
one document, as long as the document contains all of the content required by the Compliance
Program regulations and guidance.
5. Reporting system
6. Individual accountability for reporting suspected non-compliance
7. Non-retaliation policy
a. Well-publicized disciplinary actions for retaliation
8. Name Compliance officer
9. Explanation of fraud, waste and abuse
• Ensuring that independent contractors and agents are aware of the org program
• Ensuring background checks (BGC) are done to eliminate sanctioned individuals and contractors
(i) Five elements of BGC verification
1. Screening Process
a. Disclosure to the employee how it will be conducted in writing
i. Internally conducted or Use a vendor/ Third party
ii. Is it required law
iii. Frequency
iv. Which databases will be searched
v. Id Verification / Education/ License verification
vi. Health Care Sanction Check and Monitoring
vii. Drug Screening
viii. What constitutes adverse information and what will occur
ix. Is there an appeal process
2. Criminal History Check
a. Sex offender
b. EEOC criminal convictions
i. Cannot ask about convictions during the application stage; defer it
ii. Check that it is not eliminating or excluding a protected class in violation of Title VII
iii. No blanket exclusions “we will not hire anyone with misdemeanor convictions in the past 5
years”
iv. Establish job necessity and standards for the bgc process
v. Conduct individualized assessment
- Age of the conviction, number of convictions, rehabilitation, references
3. FCRA and Credit check
a. Disclosure and authorization
4. State Law Compliance
a. 43 states require BGC for positions with contact with SNF patients.
b. 10 states require nursing homes to conduct FBI BGC. Federal law does not.
5. Comprehensive HR Compliance
• Assisting with auditing and monitoring activities
(i) Five functions that may be audited
1. Output
2. Risk management
3. Procedures
4. Processes and
5. Policies
 Independently investigating and acting on matters related to compliance
(i) Successful line of communication between Compliance Officer
 Reporting mechanisms for reporting compliance issues
(i) hotline logs,
(ii) Mail drops
(iii) Non-retaliation policy
C) Compliance Officer serves as the balance between the CFO and COO on behalf of the CEO
D) Senior management is given time to digest compliance information
E) Senior management is aware of the importance of compliance and program elements
F) Senior management has the time and resources to promote and carry out compliance improvements
G) Board of Directors takes time to learn about compliance in general in order to make informed recommendations regarding
noncompliance issues
i) The governing body of the organization that contracted with CMS or its parent company may oversee the Medicare
compliance program
ii) Either parent or subsidiary board
III) Make sure Compliance Officer has the requisite skills
A) Be a leader, and come from a healthcare background if possible
B) Fully appreciate the importance of compliance in general and the unique nature of billing corrections, disclosure refunds and
system and practice changes
C) Have extensive knowledge of the way the company or provider does business
D) Make quality decisions and ability to demonstrate sound judgement
E) Lead by reason and logic, personal strength, and have a strong sense of fairness
F) Be able to follow the company’s compliance plan and not veer from it for any reason
G) Be a leader for the organization in an emergency and very high-pressure situations
H) Ability to anticipate new risk areas
I) Have some systems and control knowledge and experience
IV) Build a Compliance Team that can manage and maintain the compliance program
V) Consider the Costs-Benefits Ratio of a Compliance Program
A) Cost of not having a compliance program vs costs of billing adjustments, disclosures and voluntary refunds
VI) Conduct Periodic Evaluations of the Compliance Program
VII) Implement strong training as part of the Compliance Team's Development
VIII) Ten obstacles to effective compliance implementation
A) lack of commitment from board and management
B) lack of resources
C) dual roles for compliance program
D) unclear laws and regulations
E) lack of education and training
F) resistance to change
G) fear of retaliation
H) culture of no accountability enforcement
I) territorial struggles amongst functions
CHAPTER 2 – resource
I) Keeping the Healthcare sampling gains going
A) Government Regulators use statistical sampling
i) The use of statistical sampling is an important component of testing compliance
ii) If you’re not presently using statistical sampling, you should be
iii) Wherever statistical sampling skills are needed, they should be acquired or enhanced in a timely manner
B) What does statistical sampling provide
i) Answers or estimated answers about quantities in population
ii) Combined answers: the average payment on a claim, times the chance of a claim having an error, times the number of
claims
iii) Government Reviews and the RAT-STATS Statistical Sampling Methodology
(a) RAT-STATS is free statistical software used to select a random sample for audit.
(b) Purpose: minimize exposure to and risk in government audits, and effectively respond to and contest any recovery
demands based on sampling.
 The 50-claim sample was selected from across a large organization or an organization with multiple locations.
Suggestions included increasing the sample size and focusing the claims review on particular types of claims or
particular issues.
 According to the self-disclosure protocol, the minimum sample size is 100 claims to be looked at in a study or
review.
(i) This is not the same as a probe sample, which may be smaller.
(c) Audit Objectives, such as:
 Claim based audit and overpayment
 Enrollment application or eligibility status audit
 Marketing compliance and targeted verification
 Patient or member satisfaction audits
 Arrangements review for conflict of Interest
 LEIE screening compliance
(d) Healthcare compliance testing by statistical sampling has developed in a number of review areas, including:
 Medicare and Medicaid billing
 Labor law
 HIPAA
 Stark Law
 Anti-Kickback Law
 Deficit Reduction Act
 False Claims Act
 Estimates of damages
(e) Reasons why a sampling occurs
 Internal Audit
 Random audit by OIG
 Self-disclosures to OIG and CMS contractor
 Enforcement Action as part of a CIA
(f) Contractors that are claims- and payment-focused will use statistical methods to extrapolate overpayments in their audit
projects once they have identified and reviewed payment errors.
 Medicare administrative contractors (MACs)
 Zone Program Integrity contractors (ZPICs)
(i) Contracted by CMS
(ii) ZPICs are private companies contracted by CMS to conduct audits for Medicare and Medicaid
overpayments.
(iii) ZPIC audits are targeted at potential Medicare fraud and waste.
 Recovery audit Contractors (RACs)
(i) RACs can generate large recovery amounts based on the review of relatively small statistical samples.
(ii) RACs are able to generate record requests based on larger statistical samples.
(iii) RACs perform automated and complex reviews.
(iv) RAC Appeals Process
1. Level I, Request for Reconsideration: Level I appeals must be filed no later than 60 calendar days
from the date of the Notification of Improper Payment Letter.
2. Level II, Request for CMS Hearing Official Review: Level II appeals must be filed no later than 30
calendar days from the issuance date of the Level I review decision.
3. Level III, Hearing before an Administrative Law Judge (ALJ).
 Medicaid Integrity Contractors (MICS)
(i) MICs can audit Medicaid providers anywhere in the country.
 Medicaid Fraud Control Units (MFCUs)
(i) Medicaid Fraud Control Units (MFCUs) are state units, usually in the state attorney general's office, that are certified and overseen by the OIG.
 CERT contractors look for
(i) No documentation;
(ii) Insufficient documentation;
(iii) Medical necessity;
1. A compliance professional who identifies a medical-necessity issue should collaborate with the case
manager.
(iv) Incorrect coding; and
(v) Claim errors
1. Data mining software is used to identify potential claim errors.
(vi) CMS implemented CERT to measure errors and improper payments in accordance with the Improper
Payments Elimination and Recovery Improvement Act (IPERIA).
iv) BASIC STATISTICAL PRINCIPLES, REQUIREMENTS, AND BEST PRACTICES
(a) A main responsibility of CMS regional offices is to work on quality initiatives.
(b) CMS contractors are to use probability samples that are statistically valid and follow a series of prescribed steps:
 selecting the review period;
 defining the universe, the sampling unit, and the sampling frame;
 designing the sampling plan and selecting the sample;
(i) Sampling unit: entire claim, line item, patient name, patient account/MRN, member name, facility
(ii) Sampling plan
1. Document every step
2. Written sampling plan
3. Universe, sample, random numbers (and the seed used to generate them)
4. Software used, or the estimator used if done manually
5. Estimation output from software such as RAT-STATS, SAS, SPSS, etc.
6. Note resource and time estimates and the qualifications of personnel
 reviewing each sampling unit and determining whether there was an overpayment or an underpayment
(variable sampling) or an occurrence (attribute sampling); and
 estimating the overpayment or occurrence for the universe.
(c) Regional Advanced Techniques (RAT)-STATS - is a free statistical software package that providers can
download to assist in a claims review. The package, created by OIG in the late 1970s, is also the primary statistical
tool for OIG's Office of Audit Services.
 Is used to refer generally to the government’s statistical rules

 The software program with algorithms that determines sample sizes, draws random samples, extrapolates
sample results, and performs other calculations.
(i) For example, in corporate integrity agreements (CIAs), the OIG requires a full sample to be used if the
overpayment error rate (financial error rate) in a discovery sample is at or above 5 percent.
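The sampling plan steps above, the "combined answer" formula earlier in this chapter (average payment times chance of error times number of claims), and the 5 percent discovery-sample rule, worked through in Python as an added example. This is not RAT-STATS and not code from the outline: the claim universe, the reviewer's findings, the seeds and the one-sided 90 percent lower-bound arithmetic are constructed assumptions, not the government's exact method.

```python
"""Sampling and extrapolation walk-through in the style of a RAT-STATS
claims review.  Added example only: not RAT-STATS, not the outline's code.
The claim universe and the reviewer's findings are constructed."""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Claim:
    claim_id: str
    paid: float      # what the payer actually paid
    allowed: float   # what the reviewer determined should have been paid

    @property
    def overpayment(self) -> float:
        return self.paid - self.allowed   # negative means underpayment


def build_universe(n: int, seed: int = 2024) -> List[Claim]:
    """Constructed universe of n claims with roughly 8% overpaid (assumption)."""
    rng = random.Random(seed)
    claims = []
    for i in range(n):
        paid = round(rng.uniform(50.0, 400.0), 2)
        allowed = paid
        if rng.random() < 0.08:
            allowed = round(paid * rng.uniform(0.0, 0.7), 2)
        claims.append(Claim(f"CLM{i:05d}", paid, allowed))
    return claims


def draw_sample(universe: List[Claim], size: int, seed: int) -> List[Claim]:
    """Simple random sample from the frame (positions 0..N-1).  Recording the
    seed is what makes the draw reproducible for the written sampling plan."""
    rng = random.Random(seed)
    positions = sorted(rng.sample(range(len(universe)), size))
    return [universe[i] for i in positions]


def error_rate(sample: List[Claim]) -> float:
    """Attribute result: share of sampled units with an overpayment."""
    return sum(1 for c in sample if c.overpayment > 0) / len(sample)


def needs_full_sample(discovery_error_rate: float, threshold: float = 0.05) -> bool:
    """CIA rule from the text: a discovery-sample error rate at or above 5%
    triggers a full sample."""
    return discovery_error_rate >= threshold


def combined_answer(sample: List[Claim], universe_size: int) -> float:
    """The text's 'combined answer': average payment x chance of error x
    number of claims = estimated dollars paid on claims in error."""
    avg_paid = statistics.fmean(c.paid for c in sample)
    return round(avg_paid * error_rate(sample) * universe_size, 2)


def extrapolate(sample: List[Claim], universe_size: int, z: float = 1.282) -> Dict[str, float]:
    """Variable result: mean-per-unit overpayment projected to the universe,
    plus a one-sided 90% lower bound (z = 1.282, normal approximation, with a
    finite-population correction).  Contractor demands are generally based on
    a lower bound rather than the point estimate; the exact RAT-STATS
    arithmetic is not reproduced here, so treat this bound as illustrative."""
    diffs = [c.overpayment for c in sample]
    n = len(diffs)
    mean = statistics.fmean(diffs)
    sd = statistics.stdev(diffs) if n > 1 else 0.0
    fpc = math.sqrt((universe_size - n) / (universe_size - 1))
    se = sd / math.sqrt(n) * fpc
    point = mean * universe_size
    lower = (mean - z * se) * universe_size
    return {
        "error_rate": error_rate(sample),
        "point": round(point, 2),
        "lower_bound": round(max(lower, 0.0), 2),
    }


if __name__ == "__main__":
    universe = build_universe(5000)
    discovery = draw_sample(universe, 50, seed=11)    # probe/discovery sample
    rate = error_rate(discovery)
    print(f"discovery error rate {rate:.1%}, full sample needed: {needs_full_sample(rate)}")
    full = draw_sample(universe, 100, seed=17)         # SDP-style minimum of 100
    print(extrapolate(full, len(universe)))
```

The point to take from the block is the order of operations the plan requires: fix the universe and frame, record the seed, draw, review every unit, and only then estimate; re-drawing until the numbers look better is exactly what a contractor or OIG statistician will challenge.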
II) Health Insurance Portability and Accountability Act (HIPAA)
A) HIPAA Privacy Rule: establishes U.S. national standards to protect individuals' medical records and other PHI (applies
to all PHI, in any form)
i) Applies to Covered Entities “CE”
(a) health plans (see glossary at the end) Health Care Privacy Handbook “HCPH” (2014)
 Subhealth plan means a health plan whose business activities, actions, or policies are directed by a controlling
health plan.
 Controlling health plan means a health plan that controls its own business activities, actions, or policies, or is
controlled by an entity that is not a health plan AND exercises sufficient control over the subhealth plan to direct its
business activities, actions, or policies.
(i) For example, consider a situation in which the employer has a wrap plan that is a single legal entity
(i.e., a single ERISA plan) comprising several health plans. If those health plans are all self-funded, they
could each be considered an SHP (allowing each to have its own unique HPID), but the ERISA plan
would be able to apply as a CHP for a single HPID that would cover all of them, together. However, if
an employer sponsors several health benefits that are not organized as a single ERISA entity via a
wrap plan structure, then each separate health plan is probably a CHP.
 Excludes
(i) Government-funded programs whose principal purpose is something other than providing or paying for health care (Medicare and Medicaid themselves are health plans)
(ii) Government supervisory authorities
ii) Healthcare clearinghouses (claims processing)
(a) Processes or facilitates the processing of PHI
(b) Receives a standard transaction from another entity and processes or facilitates the processing of PHI into a
nonstandard format or nonstandard data content for the receiving entity (or vice versa).
iii) healthcare providers
(a) Provider of health or medical services
B) The legislation required the establishment of a national Health Care Fraud and Abuse Control Program (HCFAC) and is
designed to coordinate Federal, State and local law enforcement activities with respect to health care fraud and abuse.
C) Patient History consists of these four subcomponents: Chief Complaint (CC), History of Present Illness (HPI), Review of
Systems (ROS), Past, Family, and/or Social History (PFSH)
D) Privacy notices: a covered entity must provide its notice of privacy practices no later than the first date of service delivery.
i) Address patient reminders in the Notice of Privacy Practices
ii) Health plans are NOT required to make a good faith effort to obtain from their enrollees a written acknowledgement
of receipt of the notice. Under the HIPAA Privacy Rule, only covered health care providers that have a direct
treatment relationship with individuals are required to make a good faith effort to obtain the individual's
acknowledgment of receipt of the notice.
iii) A covered entity’s notice is not a substitute for an individual’s authorization.
iv) Covered health care providers have discretion to design the posted notice in a manner that works best for their
facility, which may be to simply post a copy of the pages of the notice that is provided directly to individuals.
(a) Notice of Privacy Practice “NPP”
 Contents (HCPH (2014) pg. 20)
(i) Statement that CE is required by law to maintain the privacy of phi, CE legal duties and privacy
practices and requirement to notify individuals following breach.
(ii) Statement that CE is required to abide by terms of its PP.
(iii) Statement that the CE reserves the right to change the terms of its notice and to make the new terms effective for all PHI it maintains, if its privacy practices are updated.
(iv) HIPAA Privacy Rule DOES NOT require a health care provider to obtain a new acknowledgement of
receipt of the notice from patients if the facility changes its privacy policies.
 covered entities permitted to give individuals a “layered” notice. For example, a covered entity may satisfy
the notice requirements by providing the individual with both a short notice that briefly summarizes the
individual’s rights, as well as other information; and a longer notice, layered beneath the short notice, that
contains all of the elements required by the Privacy Rule.
(b) Exception—does NOT need to be provided if a provider has indirect treatment relationship, but must be
provided if requested by an individual.
 Indirect Relationship - the healthcare provider delivers care to the individual based on the orders of another
provider or the healthcare provider typically provides services or products, or reports the diagnosis or results
associated with the healthcare, directly to another healthcare provider, who provides the services or products
or reports to the individual.
(c) Exception-- many schools would not be required to comply with the HIPAA Privacy Rule because the school
maintains health information only in student health records that are “education records” under FERPA and, thus,
not “protected health information” under HIPAA. Privacy Rule will not provide protections to the immunization
records maintained by a school because: (1) the school is not a HIPAA covered entity; or (2) the records are
maintained by an educational institution or agency to which the Family Educational Rights and Privacy Act
(FERPA) applies and, thus, are protected by FERPA and not HIPAA.
 HOWEVER, IF a public high school employs a health care provider that bills Medicaid electronically for
services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to
the HIPAA requirements concerning transactions.
v) Authorizations for use and disclosure: PHI may be used and disclosed without authorization for the essential
healthcare purposes of treatment, payment, and health care operations (TPO) and for compliance reviews by HHS; most other uses require the individual's written authorization.
 An authorization is a document that specifically identifies the information to be used or disclosed, the purpose of the use
or disclosure, and the person or entity to which the disclosure may be made.
(i) A covered entity may NOT require an individual sign an authorization as a condition of receiving
treatment.
(ii) HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record
even though portions of the record were created by other providers.
(b) Minimum necessary use or disclosure –covered entity must make reasonable effort to limit use and disclosure
of PHI.
 Example: Covered Entity disclosing information to BA, only if they have a BAA ensuring will be bound by
all obligations applicable to the covered entity. See Raleigh Orthopedic Clinic.
 Minimum necessary does not apply to
(i) Disclosures to Federal or state agencies, such as the Social Security Administration (SSA) or its
affiliated agencies, for individuals' applications for federal or state benefits.
(c) Employer group health plans are health plans unless they have fewer than 50 participants and are administered solely by the employer.
(d) The business associate contract requirement does not apply when:
(i) A covered entity discloses PHI to a health care provider concerning the treatment of an individual;
(ii) A group health plan, a health maintenance organization, or a health insurance issuer discloses PHI to the plan sponsor (payment and plan administration under 45 CFR 164.504(f));
(iii) A group health plan that is a government program discloses PHI to another government agency that collects eligibility or enrollment information.
(e) Business Associates of a covered entity
 Definition: HCPH pf. 7 (2014)
(i) An entity that is separate from a CE and that
1. creates, receives, maintains, or transmits PHI on behalf of the CE, OR
2. provides management, administrative, accreditation, financial, or similar services to or for the CE that involve PHI.
(ii) Examples:
1. Health Information Organization
a. E-prescribing gateway
2. Management company
a. Hospitals can offer management services to physicians and in that case the hospital becomes a
BA
3. Billing company
4. EMR / IT specialist
5. Consultant
6. Accountant
7. Attorney
8. Malpractice insurer
9. Interpreters
10. Data transmission services that require routine access to the information (a mere conduit, such as a courier or an ISP, is not a BA)
11. Subcontractors of the foregoing
12. Data storage entities / Cloud Service Providers (CSPs) are BAs if they store PHI even though:
a. They do not access data
b. Data is encrypted and CSP does not have access key
c. Must still ensure the availability and integrity as well as confidentiality of the e-PHI.
i. Exception: a CSP is not liable if it did not know the CE was using the CSP to create, receive,
maintain or transmit PHI.
ii. Upon learning of such use, the CSP must correct the situation within 30 days.
(iii) Business Associate Agreements (BAA) –required by HIPAA, a covered entity may permit a BA to
create, receive, or transmit electronic PHI on covered entity’s behalf only if the covered entity obtains
from the BA “satisfactory assurances” that the BA will appropriately safeguard the information.
1. A BA that handles PHI must comply directly with the HIPAA Security Rule and with the Privacy Rule provisions made
applicable to business associates, and otherwise with the Privacy Rule through the terms of its BAA.
2. The HIPAA Rules do not expressly require a CSP to allow auditing of, or to provide documentation of, its security
practices, or otherwise to allow a customer to audit them. However, customers may require this from a CSP
(through the BAA, service level agreement, or other documentation).
3. If a CSP receives and maintains only information that has been de-identified in accordance with the
HIPAA Privacy Rule, it is NOT a business associate.
4. Accreditation organizations are business associates of the covered entities they accredit.
5. Contract provisions for background checks (BGC) of vendor employees ensure performance of due
diligence on third parties.
(iv) Vicarious liability of the Covered Entity for actions for BA
1. Lack of BAA or failure to update BAA
2. Based on knowledge
3. Based on Control
4. BAA confirms not liable
5. Willful neglect (being aware of BA misconduct and not terminating BAA or curing breach within
30 days)
(v) Example: Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to
settle potential violations of the HIPAA Security Rule after the theft of a CHCS mobile device
compromised the protected health information (PHI) of hundreds of nursing home residents. CHCS
provided management and information technology services as a business associate to six skilled nursing
facilities. The total number of individuals affected by the combined breaches was 412. OCR initiated its
investigation on April 17, 2014, after receiving notification that CHCS had experienced a breach of PHI
involving the theft of a CHCS-issued employee iPhone. The iPhone was unencrypted and was not
password protected. The settlement includes a monetary payment of $650,000 and a corrective action
plan.
(vi) Example: In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the
Center for Children’s Digestive Health (CCDH) following an initiation of an investigation of a business
associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH.
While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business
Associate Agreement (BAA) prior to Oct. 12, 2015. The Center for Children’s Digestive Health
(CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential
violations of the HIPAA Privacy Rule.
(vii) Example: RoxSan Pharmacy ("RoxSan") notified 1,049 patients of a potential breach of unsecured
personal patient protected health information. The incident involved the transmission of a data file to a
business associate on January 20, 2015. The data file containing the unsecured information was
transmitted to only one individual, a business associate in the legal field, with which RoxSan maintains
a Business Associate Agreement. However, since the data file was transmitted for non-health-related
reasons, the transmission is considered a breach.
(f) Access and accounting of disclosures: individuals have the right to access their own PHI and to receive an
accounting of certain disclosures of PHI. Individuals have the right to request amendment of PHI; if the request is
denied, the individual may file a statement of disagreement, which must be included with any future disclosure of the disputed information.
 When reviewing current policy on patient requests and amendments an accurate description of the regulatory
requirements is critical.
(i) Providers may charge a reasonable, cost-based fee for copying, postage, and (if agreed) preparing a summary, but NOT for retrieving the records.
(ii) Access v. Authorizations
(iii) Example: A terminated employee had improperly acquired a list of patients who had been seen at the
practice the previous six months, by way of another employee. The practice investigated the incident
and fired the employee who provided the report to the former co-worker. A former employee may have
taken the report to attempt to confirm payments owed, or to make future contact with patients at a
different medical practice. The practice demanded in writing that the former employees delete and
destroy all copies. It also further restricted access to reports in its computer system, and provided
additional training to all employees about privacy, security and patient information.
(g) Accountability –foster compliance, covered entities are subject to set of administrative requirements.
(i) Designated Privacy Official responsible for development of privacy protections.
(ii) Personnel must be trained and compliant and other procedures must be in place.
1. The HIPAA Privacy Rule requires retraining of workforce after a material change.
(iii) OCR processes individual complaints and can assess civil money penalties of up to $1.5 million per calendar year for
violations of an identical provision.
1. Example: Cignet Health was fined $4.3 million for denying 41 patients access to their records in 2008-2009
and for failing to cooperate with OCR's investigation.
2. Example: Massachusetts General Hospital paid $1 million for the loss of billing records of 192 patients, including
patients with HIV/AIDS.
(h) Individual's Right to request restrictions (Privacy Fundamentals pg. 101) on use and disclosure of health
information
 Notice: covered entities must produce a notice of privacy practices.
 Right to access: right to access ePHI maintained by a covered entity
 Authorization: for uses beyond care, payment and healthcare operations.
 Marketing: authorization is required to use PHI for marketing. A covered entity may describe its own health-related
products or services without authorization as long as it receives no financial remuneration for the communication; fundraising communications must offer an opt-out. pg. 81 HCPH
(i) Limiting use and disclosures to the minimum necessary
(i) When this minimum necessary standard applies to a use or disclosure, a CE may not use or disclose the
entire medical record for a particular purpose, unless it can specifically justify the whole record as the
amount reasonably needed for the purpose
 Minimum necessary to accomplish the intended purpose, use or request.
 Access and uses based on the specific roles of members of the workforce to carry out their duties.
 Disclosures and requests for disclosures: implement policies and procedures for routine, recurring disclosures,
or requests for disclosures, that limit the PHI disclosed to the minimum amount necessary to
achieve the purpose of the disclosure.
(i) General rule, required disclosures (minimum necessary does not apply to these):
1. To the individual, at the individual's request
2. To HHS, for compliance investigations or reviews
 Reasonable reliance—covered entity may rely on requests from 1) public officials, 2) professional such as a
BA or 3) a researcher who provides the documentation or representation necessary required by privacy rule
for research.
(j) Exceptions: permitted disclosures
 a covered health care provider uses an interpreter to communicate with an individual, the individual’s
authorization is not required.
 Citizens for Health v. Leavitt: HIPAA contains a "routine use" exception that allows disclosure of protected
health information for treatment, payment, and health care operations. Under the state action principle, a
violation of a citizen's right to medical privacy can be unconstitutional only when the violation can properly
be ascribed to the government. An act may be ascribed to the government when the government has
commanded a private citizen to act inappropriately; a law requiring violation of individual rights, and
enforcement of such a law, could establish the requisite state action. The Privacy Rule does not make
healthcare entities "state actors": HIPAA's "routine use" exception does not order the release of
protected health information by private parties. In fact, HIPAA expressly provides that physicians and other
covered entities are free to obtain a patient's consent before disclosing any protected health information.
 Avert a serious and imminent threat (e.g., to police or 911)
 Directly to the Patient
 For treatment, payment and health care operations;
(i) The definition of “health care operations” at 45 CFR 164.501 includes a covered entity’s activities of
conducting or arranging for legal services to the extent such activities are related to the covered entity’s
covered functions (i.e., those functions that make the entity a health plan, health care provider, or health
care clearinghouse). Thus, for example, a covered entity that is a defendant in a malpractice action, or
a plaintiff in a suit to obtain payment, may use or disclose protected health information for such
litigation as part of its health care operations.
1. NOTE: a covered entity that is NOT party to a legal proceeding discloses protected health
information in response to a subpoena, discovery request, or other lawful process must
account for this disclosure as it does not apply to the operations exceptions.
(ii) Except psychotherapy notes require a separate authorization and should not be included with other
health records.
1. The Privacy Rule does not provide a right for a patient or personal representative to access
psychotherapy notes regarding the patient.
2. Psychotherapy notes are primarily for personal use by the treating professional and generally are
not disclosed for other purposes. Thus, the Privacy Rule includes an exception to an individual’s (or
personal representative’s) right of access for psychotherapy notes. See 45 CFR 164.524(a)(1)(i).
3. As any such disclosure is purely permissive under the Privacy Rule, mental health providers should
consult applicable State law for any prohibitions or conditions before making such disclosures.
4. The HIPAA Privacy Rule permits a covered entity to disclose psychotherapy notes to or through a
health information organization (HIO), but generally only with the individual's authorization.
 Incidental disclosures
(i) Example: A provider may instruct an administrative staff member to bill a patient for a particular
procedure, and may be overheard by one or more persons in the waiting room.
(ii) Example: A health plan employee discussing a patient’s health care claim on the phone may be
overheard by another employee who is not authorized to handle patient information.
 To family, friends, and clergy, as long as the patient agrees or does not object;
(i) Where a patient is not present or is incapacitated, a health care provider may share the patient’s
information with family, friends, or others involved in the patient’s care or payment for care, as long as
the health care provider determines, based on professional judgment, that doing so is in the best
interests of the patient. Note that, when someone other than a friend or family member is involved, the
health care provider must be reasonably sure that the patient asked the person to be involved in his
or her care or payment for care.
(ii) only the protected health information directly relevant to the person’s involvement in the patient’s
care or payment for care.
 Personal representatives
(i) State or other law should be consulted to determine the authority of the personal representative to
receive or access the individual's protected health information; the Privacy Rule does not address how
personal representatives are identified.
(ii) Minor who cannot consent to treatment (state law determines the age of majority)
(iii) A power of attorney that does not include decisions related to health care in its scope does not
authorize the holder to exercise the individual's rights under the HIPAA Privacy Rule.
(iv) Decedents
1. NOTE: Privacy protection continues for 50 years after death.
2. A covered entity may disclose information to the individual's legally authorized executor or
administrator, or to a person otherwise legally authorized to act on behalf of the deceased
individual or the estate; the Rule permits that personal representative to obtain the information or
to provide the appropriate authorization for its disclosure.
3. A deceased patient's records may be released to the spouse if the spouse is the personal
representative (and so is treated as the individual), or if there is a valid authorization for the release.
4. The Rule provides two ways for a surviving family member to obtain the protected health information
of a deceased relative:
a. A covered entity may disclose a decedent's protected health information, without authorization, to
the health care provider who is treating the surviving relative.
b. A family member who is the personal representative of the decedent (e.g., an executor or
administrator of the decedent's estate) is treated as the individual for purposes of the Privacy Rule
with respect to protected health information relevant to the representation. The covered health care
provider may disclose the relevant information to that family member, who retains the right to receive
a copy of the relevant information in the decedent's medical record, without regard to the decedent's
prior objection.
 For welfare: abuse, neglect, domestic violence;
 45 C.F.R. § 164.512
(i) Order, Warrant or Subpoena Signed by Judge
(ii) Grand Jury Subpoena
(iii) Administrative Demand. A provider may respond to an administrative subpoena, summons, or
investigative demand authorized by law if the administrative agent confirms.
(iv) Subpoena Signed by Clerk or Attorney. These subpoenas do not contain the same inherent privacy
protections as those that are issued by a judge, magistrate, or grand jury. Disclosure is allowed if:
1. Notice has sufficient detail AND
2. Assurances are made that the patient was notified AND
3. Time for the patient to object has lapsed
4. With a clerk- or attorney-issued subpoena, the provider may notify the patient so the patient has an opportunity to move to quash it
 Avert serious threat to health and safety
 Specialized government functions
 The HIPAA Privacy Rule's public health provisions permit covered health care providers to disclose protected
health information concerning the findings of pre-employment physicals, drug tests, or fitness-for-duty
examinations to an individual's employer only if:
(i) First, the covered health care provider must provide the health care service to the individual at the
request of the individual’s employer or as a member of the employer’s workforce.
(ii) Second, the health care service provided must relate to the medical surveillance of the workplace or an
evaluation to determine whether the individual has a work-related illness or injury.
(iii) For example, OSHA requires employers to monitor employees’ exposures to certain substances and to
take specific actions when an employee’s exposure level exceeds a specified limit.
(iv) When a health care service DOES NOT meet the above requirements, covered entities may not
disclose an individual’s protected health information to the individual’s employer without an
authorization.
 Worker’s compensation
(i) Individuals do not have a right under the Privacy Rule at 45 CFR 164.522(a) to request that a covered
entity restrict a disclosure of protected health information about them for workers’ compensation
purposes when that disclosure is required by law or authorized by, and necessary to comply with, a
workers’ compensation or similar law
1. A CE may provide information about an injured worker's previous condition that is not directly related
to the claim for compensation to an employer or insurer only if it obtains the worker's written release.
(ii) Provide records to claimant free of charge
(iii) Limited disclosure Related to injury to employer, surety, manager, fund, or their attorney
 FMLA
 For medical research on De-identified information
(i) Before a researcher may remove the identifiers and begin the research, the researcher must obtain a waiver
of authorization from the patients or approval from an IRB. Disclosures from a covered entity to a
researcher for research purposes do not require a business associate agreement (BAA), even where the
covered entity has hired the researcher to perform research on the covered entity's own behalf.
 De-identified information: remove most, if not all, of the 18 elements (Privacy Fundamentals pg. 102)
(i) Names, address, city, county, zip, precinct, DOB, admission date, discharge date, date of death, ages
over 80, Telephone/Fax #, Email address, SSN, Medical record #, Health plan #, Account#,
Certificate/license #, Vehicle (VIN, Plate#), Device ID and Serial #, URL, Internet Protocol (IP),
Biometric ID (finger print, voice print), Full-face photographs, Any other unique identifiers
(ii) Have an expert certify that the risk of re-identification is small
(iii) A health information organization (HIO) acting as a business associate of a HIPAA covered entity cannot
de-identify information and then use it for its own purposes. The process of de-identifying PHI is itself a
use of PHI, so a HIO may de-identify PHI it holds on behalf of a covered entity only to the extent that the
business associate agreement authorizes the HIO to do so.
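The Safe Harbor list above is, in practice, a field-level scrubbing rule: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated, and large ages are bucketed. The following Python is an added worked example, not code from the outline or from any cited source; the field names, the sample record and the set of small-population ZIP3 prefixes are constructed, and the age cut-off is a constant noted in the code. It also runs a residual-identifier scan over free text, because Safe Harbor also assumes the entity has no actual knowledge that remaining information could identify the patient.

```python
"""Safe Harbor de-identification of a single patient record.

Added example, not part of the outline. Field names, the sample record and the
set of small-population ZIP3 prefixes are constructed for illustration.
"""
import re
from datetime import date

# Categories from the 18-identifier list that are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_vin", "license_plate", "device_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# Date elements directly related to the individual are reduced to the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Clinical content that may survive. Anything not listed here (or in the sets
# above, or zip/age) is dropped, because the last Safe Harbor category covers
# "any other unique identifying number, characteristic or code".
CLINICAL_FIELDS = {"sex", "diagnosis", "medications", "lab_results"}

# Safe Harbor aggregates ages over 89 into a single "90 or older" bucket
# (45 CFR 164.514(b)(2)(i)(C)); the outline's list gives the cut-off as 80.
AGE_CAP = 89

# Free-text patterns that indicate an identifier leaked into a narrative field.
RESIDUAL_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")),
]


def generalize_zip(zip_code: str, small_zip3=frozenset()) -> str:
    """Keep the first three digits; collapse to 000 when that ZIP3 area is on the
    caller-supplied list of areas with 20,000 or fewer people (constructed input)."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in small_zip3 else zip3


def year_only(value) -> str:
    """Reduce a date object or ISO date string to its year."""
    return str(value.year) if isinstance(value, date) else str(value)[:4]


def deidentify(record: dict, *, age_cap: int = AGE_CAP, small_zip3=frozenset()) -> dict:
    """Return a new dict with the 18 identifier categories removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "zip":
            out[key] = generalize_zip(value, small_zip3)
        elif key == "age":
            out[key] = f"{age_cap + 1}+" if int(value) > age_cap else int(value)
        elif key in CLINICAL_FIELDS:
            out[key] = value
        # any other field is dropped (fail closed)
    return out


def find_identifier_patterns(text: str) -> list:
    """Scan free text for residual identifiers; returns the names of patterns found."""
    return [name for name, rx in RESIDUAL_PATTERNS if rx.search(text)]


# Constructed sample record (no real person).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "1 Example Way",
    "city": "Boston",
    "zip": "02115",
    "dob": date(1931, 6, 4),
    "age": 92,
    "ssn": "000-00-0000",
    "mrn": "MRN-0000001",
    "admission_date": "2023-10-02",
    "sex": "F",
    "diagnosis": "I10 essential hypertension",
    "internal_tracking_code": "X-77",   # not on the clinical allowlist: dropped
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, small_zip3=frozenset({"036"})))
    print(find_identifier_patterns("pt can be reached at 617-555-0100"))
```

The allowlist design is deliberate: a scrubber that only removes known identifier fields will pass through any new column an upstream system adds, whereas this one drops everything it was not told is safe, which is the behaviour you want when the alternative is a reportable disclosure.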
(k) Privacy vs. Efficiency
 For example, the Affordable Care Act (ACA) establishes various incentives for cost containment.
(l) Admin Requirements
 For example: disclosures provided by a provider
(m) Polices of HIPAA
(n) Examples
 St. Luke's-Roosevelt Hospital Center Inc. (St. Luke's) paid the U.S. Department of Health and Human
Services (HHS) $387,200 to settle potential violations of the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) Privacy Rule and agreed to implement a comprehensive corrective action plan. The
HHS Office for Civil Rights (OCR) had received a complaint alleging that a staff member from the Spencer Cox
Center impermissibly disclosed the complainant's protected health information (PHI) to the complainant's
employer. This impermissible disclosure included sensitive information concerning HIV status, medical
care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical
abuse.
E) Security Rule -- The rule requires appropriate safeguards to protect the privacy of personal health information and sets
limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The
rule also gives patients rights over their health information, including the rights to examine and obtain a copy of their health
records and to request corrections.
i) Security Rule (purpose): applies to the spectrum of safeguards (below) put in place to protect the confidentiality,
integrity and availability of the information and of the systems in which it is stored. It defines HOW information is to be
protected.
(a) Confidentiality
(b) Integrity
(c) Availability
ii) Requirements
(a) BAA
iii) Record retention: State laws generally govern how long medical records are to be retained. However, the HIPAA Security
Rule requires a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the
date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt State laws that
require shorter periods; your State may require a longer retention period.
(a) Perform Risk Analysis
 Each covered entity must conduct a risk assessment of potential vulnerabilities, which must then be addressed, taking into account:
(i) Size, complexity and capabilities of the covered entity;
(ii) Covered entity or BA infrastructure, hardware and software security capabilities;
(iii) The cost of security measures
 Risk assessment analysis
1. Requires documentation maintained in written form
2. NIST standards are recommended but not required, as they are tailored for larger organizations
a. NIST 800-39 Managing Information Security Risk
-Frame
-Assess
-Respond
-Monitor
b. NIST 800-37 Risk Management Framework
c. NIST 800-30 Risk analysis
-Vulnerability: a weakness or condition that exists
-Threat: the potential for a person or thing to exercise a specific vulnerability
-Risk: the net mission impact, considering the probability that a particular threat will arise and the
resulting impact once the threat is triggered
(ii) Implemented policies and procedures on computer access and password management
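The NIST 800-30 definitions above (vulnerability, threat, risk as probability times impact) are easiest to see as a scored register, which also satisfies the "documentation maintained in written form" requirement. The Python below is an added example, not from the outline or from NIST; the 1-5 scales, the banding thresholds and the sample entries for a small practice are constructed assumptions.

```python
"""Risk analysis in the NIST SP 800-30 style: each register line pairs a threat
with a vulnerability on an asset that holds ePHI, scores likelihood and impact,
and ranks the result so the highest risks are addressed first.

Added example, not from the outline or from NIST. The 1-5 scales, the banding
thresholds and the sample entries are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class RiskEntry:
    asset: str           # system or data store holding ePHI
    threat: str          # potential for a person or thing to exercise a vulnerability
    vulnerability: str   # weakness or condition that exists
    likelihood: int      # 1 (rare) .. 5 (almost certain) that the threat is triggered
    impact: int          # 1 (negligible) .. 5 (severe) effect on confidentiality, integrity, availability
    control: str = ""    # existing or planned security measure

    @property
    def risk(self) -> int:
        # Net mission impact: probability of the threat arising times the resulting impact.
        return self.likelihood * self.impact


def risk_level(score: int) -> str:
    """Assumed banding for a 1-25 score: 13+ high, 6-12 moderate, below 6 low."""
    if score >= 13:
        return "HIGH"
    if score >= 6:
        return "MODERATE"
    return "LOW"


def validate(entry: RiskEntry) -> None:
    """Reject scores outside the agreed scale so register lines stay comparable."""
    for name in ("likelihood", "impact"):
        value = getattr(entry, name)
        if not 1 <= value <= 5:
            raise ValueError(f"{entry.asset}: {name} must be 1..5, got {value}")


def rank_risks(entries):
    """Highest risk first; ties broken by asset name for a stable, reviewable order."""
    for entry in entries:
        validate(entry)
    return sorted(entries, key=lambda e: (-e.risk, e.asset))


def risk_register(entries) -> str:
    """Render the analysis in written form, the way the Security Rule requires it to be kept."""
    lines = ["score level    asset | threat | vulnerability | control"]
    for e in rank_risks(entries):
        lines.append(f"{e.risk:>5} {risk_level(e.risk):<8} {e.asset} | {e.threat} | "
                     f"{e.vulnerability} | {e.control or 'none'}")
    return "\n".join(lines)


# Constructed sample entries for a small practice.
SAMPLE = [
    RiskEntry("Clinician laptop", "Theft of device", "No full-disk encryption",
              likelihood=4, impact=5, control="Deploy full-disk encryption"),
    RiskEntry("EHR application", "Former staff reuse unrevoked login",
              "No termination deprovisioning, logs not reviewed",
              likelihood=3, impact=5, control="Disable accounts on exit; weekly log review"),
    RiskEntry("Fax server", "Misdirected fax", "No destination confirmation",
              likelihood=3, impact=3, control="Cover sheet and number verification"),
    RiskEntry("Paper charts", "Misfiling", "Shared filing room",
              likelihood=2, impact=2),
]

if __name__ == "__main__":
    print(risk_register(SAMPLE))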
(b) Safeguards -- covered entities must implement procedures to protect the confidentiality, integrity and
availability of the PHI they store.
 GR: standards and implementation specifications must be in place to ensure appropriate protection of electronic
PHI (ePHI) that a covered entity receives, creates, maintains or transmits.
(i) e-PHI also includes telephone voice response and fax back systems because they can be used as input and
output devices for electronic information systems. E-PHI does not include paper-to-paper faxes or video
teleconferencing or messages left on voice mail, because the inform
 Purpose:
(i) Ensure the confidentiality, integrity and availability of all ePHI the covered entity and BA creates,
receives, maintains and transmits.
(ii) Protect against reasonably anticipated threats or hazards to the security or integrity of the ePHI.
(iii) Protect against any reasonably anticipated use or disclosures of such information that is not permitted or
required.
(iv) Ensure compliance with the Security Rule by its workforce.
(v) Each covered entity must identify an individual who is responsible for the Security Rule compliance
program; this may be the same person as the privacy officer but does not have to be.
(vi) Integrity controls: ensure ePHI is not altered or destroyed
(vii) Transmission security: guard against unauthorized access
 Factors a CE may rely on in deciding which security measures to reasonably implement (HCPC pg. 23):
(i) The size, complexity and capabilities of the CE
(ii) The CE's technical infrastructure, hardware and software security capabilities
(iii) The cost of security measures
(iv) The probability and criticality of potential risks to ePHI
 Types of Safeguards under HIPAA (45 CFR Part 164)
(i) Physical
1. Restricted access to the facility
2. Badges
3. Locks
4. Work Station use
5. Disposal of PHI
(ii) Technical
1. Encryption
2. Access control of computer systems and logins
3. Authentication
(iii) Administrative
1. Risk Assessment / Analysis
2. Hiring Security Personnel
3. Implementation
4. Training
5. Termination standards
6. Business Associate Agreements (BAA)
 Requirements --
(i) Each safeguard is broken down into standards, of two categories:
1. Implemented: outlined as a regulation
2. Addressed: defined as a methodology (different from a regulation)
a. If it will not be used at all, the entity must document the rationale that led to that conclusion.
(c) Preemption –States are free to pass laws so long as they are not in conflict.
 Where the state law and the privacy rule provisions are similar but have different requirements, the covered
entity should comply with the more stringent provision.
(d) Private Right of Action -- NO; however, plaintiffs may rely on HIPAA in state negligence claims, see Byrne v. Avery, 314
Conn. 433. (Privacy Fundamentals pg. 8, 21, 95; McGeveren pg. 767)
(e) Case examples
 United States v. Michel, 2013 WL 9903336 -- Helene Michel was convicted of identity theft, Medicaid fraud, and
wrongful disclosure of private medical information under HIPAA. She used her position as owner of a medical
equipment company to enter health facilities and steal patient records, then submitted false Medicare
billings. She was ordered to forfeit $1.3 million in profits and sentenced to 12 years in prison.
 United States v. Hippler (E.D. Tex. 2015) -- Hippler, a former hospital employee, was sentenced to 18 months in
prison for HIPAA violations after he pleaded guilty to wrongful disclosure of PHI with the intent to sell, transfer
and use the information for personal gain.
 Administrative safeguard
(i) Role-based access for employees and BAs
(ii) Each covered entity must implement a security awareness and training program.
1. Bd. Of Regents of Univ of Wash, (Privacy Fundamentals pg. 105) Employee downloaded malware
that infected IT system and compromised the data of 90k patients.
 Physical Safeguard
(i) Facility Access and Control
1. Workstation and Device Security
a. Lahey Clinical Hospital, workstation laptop stolen from unlocked hospital treatment room,
exposing the PHI of 591 patients.
b. Parkview health systems, boxes of medical records left unattended
 Technical Safeguards
(i) Access control –technical policies and procedures that allow only authorized persons to access ePHI.
(ii) Audit Controls—implement hardware, software and procedural mechanisms to record and examine
access.
1. Example: NY Presbyterian Hospital; an improperly configured computer server made the PHI of 6,800
patients available to Internet search engines
2. Example: several medical records cannot be located; develop an audit plan.
(f) Common Issues
 Removing unencrypted data
(i) Example: Providence Health Services stored unencrypted PHI on electronic storage devices and laptops
that were taken outside the facility and lost. It paid $100k and had to establish a 3-year corrective
action plan.
 Improperly disposing of prescription data
(i) Example: CVS inadequately labeled prescription bottles. Penalty: $2.25 million.
 Failure to provide adequate training
(i) Example: OCR’s investigation found that the physician practice was posting clinical and surgical
appointments for their patients on an Internet-based calendar that was publicly accessible. Further,
Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA
Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic health
information (ePHI). Phoenix Cardiac Surgery agreed to pay 100k with HHS and Alaska DHSS
 Inadequate policies and safeguards
(i) Example: Phoenix Cardiac Surgery
 Failure to conduct risk analysis
(i) Example: Phoenix Cardiac Surgery
 Failure to cooperate with HHS investigation
(i) Example: Cignet Health 4.3 Million for denying 41 patients access to their records and for not
cooperating in the investigation.
(g) More Examples—
 Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), agreed to settle
potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a
corrective action plan. On January 27, 2012, MCPN had filed a breach report with OCR indicating that a hacker
accessed employees' email accounts and obtained 3,200 individuals' ePHI through a phishing incident.
 MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of
115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to
affiliated physician office staff. This information consisted of the affected individuals' names, dates of birth,
and social security numbers. The login credentials of a former employee of an affiliated physician's office
had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to
April 2012, affecting 80,000 individuals. MHS paid HHS $5.5 million to settle potential violations of
HIPAA. "Access to ePHI must be provided only to authorized users, including affiliated physician office
staff," said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. "Further, organizations must
implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and
regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it
difficult for covered entities and business associates to not only recover from breaches, but to prevent them
before they happen."
 In re GMR Transcription Services -- a medical transcription company outsourced services to a third party without
adequately checking that the third party could implement reasonable security measures.
 United States v. Zhou -- a violator need only obtain individually identifiable health information (PHI); there is no
requirement that the defendant knew the conduct violated HIPAA.
 Horizon Blue Cross Blue Shield of New Jersey agreed to pay $1.1 million to the New Jersey Division of
Consumer Affairs and to improve data-security practices to settle charges that it failed to properly protect the
privacy of nearly 690,000 state policyholders whose personal information was contained on two laptops
stolen from the insurer's Newark headquarters. In 2014, two laptops were stolen from Horizon's Newark
headquarters which contained unencrypted information of 840,000 policyholders. The ePHI included names,
addresses, dates of birth and some social security numbers and limited medical information. The
policyholder data on the stolen laptops was password protected, but not encrypted, as required by HIPAA.
The company's failure to comply with federal healthcare data security standards threatened to expose
private information of its members. Also see Anthem.
 Example: Sorrell v. IMS Health Inc. In 2007, the Vermont legislature passed a law that banned the sale,
transmission or use of prescriber-identifiable data ("PI data") for marketing or promoting a prescription drug
without the consent of the prescriber. The law also prohibited the sale, license or exchange for value of PI
data for marketing or promoting a prescription drug. The law was challenged by three companies that collect
and sell such data -- IMS Health, Verispan and Source Healthcare Analytics, a unit of Dutch publisher Wolters
Kluwer -- and by a trade group for pharmaceutical manufacturers. The U.S. Court of Appeals for the 2nd
Circuit struck down the measure, holding that it violated the First Amendment because it restricts the speech
rights of data miners without directly advancing legitimate state interests.
 Case Examples
 In re PaymentsMD v. FTC -- PaymentsMD provided a billing platform for medical care providers, allowing
patients to pay bills online. The FTC alleged that PaymentsMD and Hughes (former CEO) altered the
signup process for a consumer health billing site to include permission to collect consumers’ ePHI for an
electronic health record portal site. According to the complaint, the company contacted health insurance
companies, pharmacies, medical offices and labs seeking consumers’ health information, without adequately
informing consumers that the company would be seeking such information. FTC asserted that the
authorization process provided consumers with inadequate notice. PaymentsMD and Hughes must destroy
any information collected related to the Patient Health Report service. In addition, the respondents are
banned from deceiving consumers about the way they collect and use information, including how
information they collect might be shared with or collected from a third party, and they must obtain
consumers’ affirmative express consent before collecting health information about a consumer from a third
party. The FTC has brought privacy or security actions in the healthcare space with respect to CVS, Rite
Aid, PaymentsMD, Accretive Health, Henry Schein Practice Solutions, and GMR Transcriptions," Greene
notes.
 In re Accretive Health, Inc. -- a medical billing and revenue management services company serving hospitals put
ePHI at risk by transporting laptops in a way that made them vulnerable to theft. The FTC also said that the
company gave access to PI to employees who did not need it to do their jobs.
 Complete PT Pool & Land Physical Therapy, Inc. Company impermissibly disclosed PHI when it posted
patient testimonials to its website without proper authorization. Violations: failed to safeguard PHI, failed to
implement procedures to comply with HIPAA authorization requirements, $25k penalty.
 Example: a student health center, even though a covered entity, does NOT create PHI as long as it only sees
students. All the student records are excepted from being considered PHI (see 45 CFR 160.103 definition of
PHI) and are defined as either education records or treatment records (FERPA).
 Example: Paul v. Providence Health System-Oregon, 273 P.3d 106 (Or. 2012). Issue: whether a health
care provider (covered entity) can be liable for damages when its negligence led to the theft of the ePHI
of 365,000 patients. The information included SSNs, telephone numbers, names, and medical information.
The information was never used or viewed. Rule: plaintiffs sued under Oregon's Unlawful Trade Practices
Act. Analysis: although plaintiffs incurred expenses for credit monitoring and time away from work dealing
with the issue, they cannot show economic loss; plaintiffs did not allege unauthorized use of their PI. Held:
claims dismissed, based on the finding that the threat of future harm is not enough.
(i) Under HIPAA, access without substantial harm does NOT rise to the level of a breach.
(ii) Also see the section that lists "States that trigger notice by access (breach)", as a different outcome
may have occurred in one of those states.
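The audit-controls item under Technical Safeguards above and the MHS settlement (a former employee's credentials used daily for a year without detection) come down to the same control: someone has to review the access log against the HR record and against a role baseline. The Python below is an added example, not from the outline or from any of the cases cited; the log format, the account names, the termination dates and the per-day baseline are constructed. It flags accesses by accounts past their termination date and user-days whose distinct-patient count exceeds the baseline.

```python
"""Audit-control review over an access log: flags (a) use of accounts that
should have been deprovisioned and (b) user-days whose count of distinct
patient records exceeds a role baseline.

Added example, not from the outline or any cited case. The log format, account
names, termination dates and the baseline threshold are constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed log lines: "<ISO timestamp> <user> <patient id> <action>".
LOG_LINES = [
    "2011-04-04T08:12:55 jdoe_office P10001 VIEW",
    "2011-04-04T08:14:02 jdoe_office P10002 VIEW",
    "2011-04-05T07:58:41 jdoe_office P10003 VIEW",
    "2011-04-05T09:20:13 nurse_a P10003 VIEW",
    "2011-04-05T09:31:47 nurse_a P10004 UPDATE",
]
# Fifty distinct records pulled by one billing account in a single morning.
LOG_LINES += [f"2012-01-10T09:{i:02d}:00 billing_b P2{i:04d} VIEW" for i in range(50)]

# Constructed HR feed: account -> last day of authorised access.
TERMINATED = {"jdoe_office": date(2011, 3, 31)}

# Assumed baseline: more distinct patients per day than this is unusual for the role.
MAX_PATIENTS_PER_DAY = 25


def parse_log(lines):
    """Parse log lines into (day, user, patient, action) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        timestamp, user, patient, action = parts
        events.append((date.fromisoformat(timestamp[:10]), user, patient, action))
    return events


def review_access_log(events, terminated, max_patients_per_day=MAX_PATIENTS_PER_DAY):
    """Return findings: one per access by a terminated account, one per user-day over baseline."""
    findings = []
    per_user_day = defaultdict(set)
    for day, user, patient, action in events:
        last_day = terminated.get(user)
        if last_day is not None and day > last_day:
            findings.append({"type": "terminated_account_access", "user": user,
                             "day": day.isoformat(), "patient": patient, "action": action})
        per_user_day[(user, day)].add(patient)
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > max_patients_per_day:
            findings.append({"type": "excessive_daily_access", "user": user,
                             "day": day.isoformat(), "patients": len(patients)})
    return findings


def summarize(findings):
    """Count findings by type; a non-empty summary is what should reach the security officer."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = review_access_log(parse_log(LOG_LINES), TERMINATED)
    for finding in found:
        print(finding)
    print(summarize(found))
```

The termination check is the part that the MHS facts turn on: it needs an HR feed the log reviewer actually receives, and it only works if the review runs on a schedule rather than after a complaint.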
F) Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
i) Purpose: promote adoption and standardization of electronic health records (EHR). Among its other objectives, HITECH
further addresses privacy and security issues involving PHI as defined by HIPAA; the HITECH privacy provisions introduce
categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties.
(a) The American Recovery and Reinvestment Act (ARRA) allocated funds for incentives for covered entities to integrate
EMR and/or EHR programs meeting meaningful use criteria.
 Examples of EHR
(i) Contain a patient’s medical history, diagnoses, medications, treatment plans, immunization dates, allergies,
radiology images, and laboratory and test results
(ii) Allow access to evidence-based tools that providers can use to make decisions about a patient’s care
(iii) Automate and streamline provider workflow
 An EMR is more beneficial than paper records because it allows providers to:
(i) Track data over time
(ii) Identify patients who are due for preventive visits and screenings
(iii) Monitor how patients measure up to certain parameters, such as vaccinations and blood pressure readings
(iv) Improve overall quality of care in a practice
ii) Designated Record Set Definition and Role
(a) The HIPAA privacy rule defines the designated record set as a group of records maintained by or for a covered
entity that may include patient medical and billing records; the enrollment, payment, claims, adjudication, and
cases or medical management record systems maintained by or for a health plan; or information used in whole or
in part to make care-related decisions.
 Whatever information covered entities import into their electronic records via a network may become an integrated part of
their designated record set(s).
(b) The designated record set also contains individually identifiable data stored on any medium and collected and
directly used in documenting healthcare or health status. It includes clinical data such as WAVE files, images (e.g.,
x-rays), and billing information.
(c) The designated record set is generally broader than the legal health record because it addresses all protected health
information. While the legal health record is generally the information used by the patient care team to make
decisions about the treatment of a patient, the designated record set contains protected health information along
with business information unrelated to patient care.
(d) Organizations must define the types of documentation that comprise the designated record set and identify where the
records physically exist, such as in separate and multiple paper-based or electronic systems.
(e) Under HIPAA, the designated record set is used to clarify the rights of individuals to access, amend, restrict, and
acquire an accounting of disclosures. Individuals have the right to inspect and obtain a copy, request amendments,
and set restrictions and accountings of medical and billing information used to make decisions about their care.
iii) What is a covered entity?
(a) Clearinghouses
(b) Health care providers
(c) Health care insurers
 Although a plan sponsor may not be a HIPAA covered entity subject to the Security Rule, it would nevertheless
be obligated, through its plan documents, to report such security incidents to the group health plan.
iv) Increased fines and the scope of remedies for violation of HIPAA and breaches of security.
v) Duty to maintain the
(a) Confidentiality – protecting PHI from unauthorized disclosure.
(b) Integrity
(c) Access
vi) Protected Health Information (PHI) Definition -- individually identifiable health information that is created or stored by a
covered entity and maintained in electronic or any other form.
 NOT educational records
vii) De-identified Information -- the rule excludes any health information from which all identifying characteristics
listed in the regulations (the 18 identifiers) have been removed
viii) Rights of individual (consent)
(a) Right to Access
(b) Right to Amend PHI
 The HIPAA Privacy Rule designates a covered entity as the responsible party for acting on an amendment
request.
 a covered entity must make reasonable efforts to communicate an amendment to others in the network identified
by the individual as needing the amendment, as well as generally to other parties that are known to have the
information about the individual.
(c) Right to obtain accounting or listing of disclosures of PHI
(d) Right to receive a notice of privacy practices
(e) Communication in a confidential manner
(f) Right to restrict access to PHI by 3rd parties
 While covered entities are not required to agree to an individual’s request for a restriction, they are required to
have policies in place by which to accept or deny such requests.
(g) Right to file a complaint with OCR
ix) Standards for health care providers
(a) Notice of privacy practices
(b) Provide Access to Health Information
x) Privacy Officer -- implements safeguards to protect the confidentiality, integrity, and availability (CIA) of information, and
meets training and education requirements.
xi) Privacy Program
(a) On the implementation of a privacy program, a privacy professional should consider program scope FIRST
xii) Breach – Source of breach notification process
(a) Data breach response employee training is required
 a response team, consisting of representatives from compliance, audit, and any other relevant functional
department to establish compliance effectiveness for responding to and/or preventing compliance issues.
(b) Access, acquisition or use of PHI is unauthorized AND
(c) Unsecure (unencrypted)
(d) Requirements Components
 Verification
 Conduct a risk assessment to determine the risk of harm
(i) Significant risk of harm (Financial, reputational or other)
 Notify the individuals within 60 days of discovery
 Disclosures
 Breach notification Requirement- breaches of PHI must be reported if there is a violation of the privacy rule
AND the information is unsecured.
A. According to HHS PHI is unusable (therefore not requiring notification if breached) if:
a. Paper format –de-identified, shredded, pulping or otherwise rendering it impossible to
reconstruct.
b. Electronic –unreadable and indecipherable (encrypted)
B. Breaches involving 500 or less individuals
a. Reported to affected individuals
b. To HHS in an annual disclosure within 60 days of the end of the prior calendar year.
C. Breaches involving 500 or more individuals
a. Reported to HHS via OCR website
b. Reported to affected individuals no more than 60 days after it occurred.
c. If it occurs in a single state or jurisdiction then the media must be notified.
D. Contents of breach notification HCPH pg. 26
a. Description of what occurred
b. Types of unsecure PHI involved in the breach (category of data)
c. Steps individuals can take to protect themselves from harm
d. Description of the actions the CE is taking to investigate and mitigate the breach
e. Contact information for individuals to ask questions or learn additional information.
E. Breach Notice Exceptions --
a. Acting under the authority of a covered entity or business associate, if such acquisition,
access, or use was made in good faith and within the scope of authority.
b. Inadvertent disclosures among persons similarly authorized to access PHI of an entity or BA.
c. Disclosure where there is a good faith belief that the recipient of the info would not
reasonably have retained the information.
d. Access or use of the information by persons or employees acting under the authority of the
entity/BA
(e) Safe Harbor: Not acting with willful neglect and correct the issue within 30 days.
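The notification rules listed above (unauthorized plus unsecured equals a breach, the listed exceptions, the 500-individual split for HHS and media reporting, and the 60-day clocks) are a small decision procedure, so here they are as one. This is an added example, not from the outline, HHS or any cited source; the incident values are constructed. Two choices are assumptions noted in the code: the boundary is applied as "500 or more means immediate HHS report", following that item, and the 60-day clock runs from the discovery date, as the "within 60 days of discovery" item states.

```python
"""Breach-notification triage for a single incident: a reportable breach needs an
unauthorized acquisition, access, use or disclosure of PHI that is unsecured
(not encrypted or destroyed) and outside the listed exceptions; the affected
count then fixes who is notified, and by when.

Added example, not from the outline, HHS or any cited source. Incident values
are constructed. Assumptions: ">= 500 -> immediate HHS report" (the "500 or
more" item) and deadlines counted from the discovery date.
"""
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)
LARGE_BREACH = 500   # immediate HHS report, and media notice, at or above this count

EXCEPTIONS = {
    "good_faith_workforce",   # good-faith access within the scope of authority
    "inadvertent_internal",   # inadvertent disclosure between similarly authorised persons
    "not_retained",           # recipient could not reasonably have retained the information
}


def is_reportable(unauthorized: bool, secured: bool, exception: str = "") -> bool:
    """Unauthorized + unsecured + no applicable exception = reportable breach."""
    if exception and exception not in EXCEPTIONS:
        raise ValueError(f"unknown exception code: {exception}")
    return unauthorized and not secured and not exception


def triage(unauthorized, secured, affected, discovered, single_jurisdiction, exception=""):
    """Return the notification obligations for one incident as a dict.

    discovered may be a date or an ISO date string."""
    if isinstance(discovered, str):
        discovered = date.fromisoformat(discovered)
    if not is_reportable(unauthorized, secured, exception):
        reason = exception or ("secured PHI" if secured else "authorised use")
        return {"reportable": False, "reason": reason}
    large = affected >= LARGE_BREACH
    if large:
        hhs = {"when": "immediately, via OCR web portal"}
    else:
        # Annual log: due within 60 days after the end of the calendar year of discovery.
        year_end = date(discovered.year, 12, 31)
        hhs = {"when": "annual log", "due": (year_end + NOTIFY_WINDOW).isoformat()}
    return {
        "reportable": True,
        "individuals_due": (discovered + NOTIFY_WINDOW).isoformat(),
        "hhs": hhs,
        "media": large and single_jurisdiction,
    }


if __name__ == "__main__":
    # Constructed incident: stolen unencrypted laptop, 612 patients in one state.
    print(triage(True, False, 612, "2024-03-01", True))
    # Constructed incident: same device, but encrypted with the key not compromised.
    print(triage(True, True, 612, "2024-03-01", True))
```

The `secured` flag is where encryption pays off: an encrypted device whose key was not exposed never enters the notification path at all, which is the practical reason the "failure to encrypt" item appears so often in the settlements above.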
(f) Common Areas of Breach
 Missing or outdated BAAs
 Missing or inadequate risk assessment
 Failure to act in the face of known risks
(i) failure to encrypt
(ii) failure to restrict access (physical & logical)
 Failure to perform timely breach notification
 Failure to respond to OCR Notice of Determination
(i) Subpoenas are issued by the OIG
(ii) A subpoena compels the production of documentation to the OIG
(g) Omnibus Rule
 Written request by patient to specific party (identifies where and who info goes)
 Modification of the standard for reportable privacy breach and specification of assessment criteria
 An exclusion of marketing of treatment provided that opt-out conditions are included
 Prohibition of the sale of PHI without an individual's authorization
 Covered entities provide an opt-out option for fundraising
 Specific language in the notice of privacy practices
 Supplementation of individual rights to access PHI for electronic records
 Permission of payments for PHI for research purposes
(i) Reasonable to prepare and transmit
 Exclusion from the HIPAA privacy and security protections the PHI of individuals who have been deceased for
over 50 years.
(i) If they have been deceased for > 50 years the next of kin are notified of the breach.
 Expansion of the exceptions for disclosures for PHI to include:
(i) Proof of immunization by covered entities to schools with state laws requiring this for entry
 Restriction on information provided to health plans for health care for which individual has paid in full out of
pocket.
 Assessment of whether there is a low probability that the PHI has been compromised, supported by documentation and
considering:
(i) Content
(ii) Person
(iii) Access
(iv) Mitigation
 Uses and Disclosure of PHI
(i) Permitted Disclosures (TPO)
1. Treatment -- a physician can call his or her colleague in another specialty to get the colleague's input.
2. Payment –staff can submit a bill to the individual’s insurance company to obtain payment for services.
3. Health Care Operations—compliance staff can access individual PHI to conduct an assessment of
physician coding and documentation process.
a. Required Disclosure
i. Request from Secretary of HHS pursuant to an investigation
ii. The Privacy Rule provides for "conducting training programs in which students, trainees, or
practitioners in areas of health care learn under supervision to practice or improve their skills
as health care providers"; it therefore permits medical residents, medical students, nursing
students, and other medical trainees to access patient medical information in the course
of their training
 Limited Data -- a patient who pays a provider directly for medical care may limit the PHI shared with a health
plan.
 Uses and Disclosures that DO NOT require consent (public interest)
(i) Required by law
(ii) Public health activities
(iii) Reporting victims of abuse, neglect or domestic violence
(iv) Reporting for health oversight activities
(v) Judicial or administrative proceedings
(vi) Law enforcement purposes
1. The Privacy Rule permits a HIPAA covered entity, such as a hospital, to disclose certain protected
health information, including the date and time of admission and discharge, in response to a law
enforcement official’s request, for the purpose of locating or identifying a suspect, fugitive, material
witness, or missing person. See 45 CFR § 164.512(f)(2). Under this provision, a covered entity may
disclose the following information about an individual: name and address; date and place of birth;
social security number; blood type and rh factor; type of injury; date and time of treatment (includes
date and time of admission and discharge) or death; and a description of distinguishing physical
characteristics (such as height and weight). However, a covered entity may NOT disclose any
protected health information under this provision related to DNA or DNA analysis, dental records,
or typing, samples, or analysis of body fluids or tissue. The law enforcement official’s request may
be made orally or in writing. Further, to the extent that State law may require providers to make
certain disclosures, the Privacy Rule would permit such disclosures of protected health information
as “required-by-law” disclosures.
(vii) Medical examiners / funeral directors
(viii) Organ donation
(ix) Research
(x) Avert a serious threat to health or safety
(xi) Specialized gov't functions
(xii) Worker's compensation
1. Records have to be provided free of charge to counsel
 Access Requiring Opportunity to Object
(i) Limited information in facility directory
(ii) Disclosure where an individual is given an opportunity to object
(iii) Individual is not present or is incapacitated, a disclosure to family
(iv) Assisting in disaster relief
 Authorization requires—
(i) Description of the PHI to be used or disclosed in a specific and meaningful fashion;
(ii) Name or other specific identification of the person or class of persons authorized to make the use or
disclosure of the PHI
(iii) Name or other specific identification of the person or class of person authorized to receive PHI
(iv) Description of the purpose of each requested use or disclosure
(v) An expiration date
(vi) Signature of individual and date
(vii) Statement informing the individual of the right to revoke the authorization in writing
(viii) Any restriction of the individual's right to revoke and instructions for how the authorization can
be revoked.
1. If the health care provider has agreed to the requested restriction, then the doctor is bound by that
agreement and (except in emergency treatment situations) would not be permitted to share the
information.
2. HIPAA Privacy Rule require that a health care provider document a patient’s expressed preference
not to have the provider discuss the details of her health care with her family.
3. For example, an individual who has obtained a genetic test may request that the health care provider
not use or disclose the test results. If the health care provider agrees to the restriction, the information
could not be shared with providers treating other family members who are seeking to identify their
own genetic health risks.
(ix) Statement informing an individual that signing the authorization is a precondition of treatment,
participation in research, eligibility of benefits, or enrollment in the health plan
(x) Statement informing the individual that the recipient of the PHI may re-disclose, in a manner that makes it
no longer protected PHI
(xi) Fundraising
1. Limited PHI (demographic information)
(xii) A BA needs the individual's consent to disclose PHI, irrespective of the authorization of the entity.
(xiii) Marketing ??
 Enforcement and Penalties
(i) Tier 1: inadvertence: $100 min / $50k max
(ii) Tier 2: reasonable cause but not willful neglect: $1k min / $50k max
(iii) Tier 3: willful neglect but corrected: $10k min / $50k max
(iv) Tier 4: willful neglect and not corrected: minimum of $50k
(v) Increased penalties of up to $1.5 million for willful breach
G) The 21st Century Cures Act of 2016
i) Purpose: ensuring electronic health record systems are interoperable for seamless patient care and to help fully realize the
benefits of a learning health care system; and improving education for health care providers and helping facilitate seniors’
access to the latest medical technology.
(a) The Cures Act also contains several provisions related to the HIPAA Privacy and Security Rules
(b) Adds a new subsection to the HITECH Act specifying that when a provider or other covered entity maintains
patient records in an EHR, business associates may directly provide PHI to a patient or the patient’s designee in
response to an access request from the patient.
 The Rule requires covered entities to specify in the business associate contract that the business associate
must make such protected health information available if and when needed by the covered entity to provide
an individual with access to the information. However, the Privacy Rule DOES NOT prevent the parties
from agreeing through the business associate contract that the business associate will provide access to
individuals, as may be appropriate where the business associate is the only holder of the designated
record set, or part thereof.
 The Rule requires covered entities to specify in the business associate contract that the business associate
must amend protected health information in such records (or copies) when requested by the covered entity.
(c) The statute directs the Secretary of HHS to study whether the HIPAA regulations should be revised or clarified to
remove any potential barriers to optimal patient care and communication or to the availability of patient
information for medical research.
(d) HIPAA does NOT prohibit a covered entity’s granting remote access to PHI to a researcher for activities
taken as reviews preparatory to research. PHI may NOT be removed from the covered entity in the course of
such review. The Cures Act specifies that remote access to PHI must meet minimum safeguards consistent with
HIPAA’s Privacy and Security Rules.
(e) Privacy Protections
 Under the new law, certificates of confidentiality will be issued automatically for research projects involving
the collection of identifiable, sensitive research information.
(i) Certificates allow research institutions to reject requests for individuals’ research data from people or
entities not involved in the research.
 New provisions guard against inappropriate use of the Freedom of Information Act (FOIA) to gain access to
participants’ genetic and health information by allowing the Department of Health and Human Services to
explicitly disqualify such individual-level research data from FOIA.
H) Patient Protection and Affordable Care Act of 2010 (“PPACA”)
i) Goals
(a) Better coordination between Medicare and Medicaid;
(b) Leverage and target resources to geographic areas and provider types that are high-risk;
(c) Move from “pay and chase” to prevention;
(d) Form partnerships with private sector, specifically commercial payers, to combat fraud
ii) Compliance
(a) Contains more than 32 sections related to health care fraud and abuse and program integrity and significantly
amends existing criminal, civil, and administrative anti-fraud statutes.
(b) $350 million in total funding through 2020 for program integrity and law enforcement.
(c) Long-term care facilities that received $10,000 in federal funding must notify each individual who is an owner, operator,
employee, manager, agent, or contractor (covered individuals) that they must report any reasonable suspicion of a crime
against a facility resident to HHS.
 Bodily injury: report immediately (<2 hours); if no bodily injury, report within 24 hours of forming the suspicion
 Penalties for failure to timely report: up to $300,000 + exclusion
(d) Non-profit hospitals must:
 Conduct community health needs assessments;
 Not engage in “extraordinary collection efforts” to collect debts from patients unless the organization has made reasonable
efforts to determine whether the patient qualifies for assistance;
 Establish a written financial assistance policy (FAP) and a policy on emergency medical care (i.e., EMTALA
policies);
 Limit amounts charged for emergency or other medically necessary care to individuals who qualify for
assistance under the hospital’s FAP.
(e) Physician compliance
 Performance data may include:
 Quality measures
 Assessment of quality
 Efficiency
 Patient satisfaction
 Safety
iii) Effect of the Law
(a) Reported payments from pharma and device manufacturers (see Sunshine Act)
(b) Increased sentences by 20% to 50% for health care fraud offenses involving more than $1 million in losses
(c) Amended CMP, FCA, Stark, AKS
 Established that violations of the AKS are also violations of the FCA
(d) Obstructing a health care fraud investigation or audit is a crime
(e) Erased the intent requirement for health care fraud
(f) Expanded HHS-OIG authority
(g) PPACA Enabled Government Agencies to Share Data to Fight Fraud
(h) Defined overpayment rules
(i) Established rules for DMEPOS
(j) Publish list of standard charges for items and services provided by the hospital
(k) Prior to inclusion on provider list
 Providers must disclose affiliation with excluded provider
 criminal background checks;
 Fingerprinting;
 database inquiries;
 site visits
iv) Integrity Program
(a) Preventing fraud and abuse
(b) Bolstering enforcement tools to help fight fraud and abuse
(c) Mandating provider education and compliance programs
I) Open Payments (Physician Payments Sunshine Act), Section 6002 of the Affordable Care Act. GR: requires the
establishment of a transparency program, now known as Open Payments. The program increases public awareness of
financial relationships between drug and device manufacturers and certain health care providers.
i) Application: Applicable manufacturers of covered drugs, devices, biologicals, and medical supplies must report
payments or other transfers of value they make to physicians and teaching hospitals to CMS.
(a) The rule applies to ALL physicians (acceptance of federal health care funds is irrelevant):
 Doctor of Medicine
 Doctor of Osteopathy
 Doctor of Dentistry
 Doctor of Dental Surgery
 Doctor of Podiatry
 Doctor of Optometry
 Doctor of Chiropractic Medicine
(b) Exception: Does not apply to medical residents
ii) Compliance
(a) Disclosure of payments of $10 or more, or aggregated annual payments totaling $100
(b) Must report all payments or other transfers of value provided to covered recipients, regardless of whether any
particular payment or other transfer of value was related to a covered drug, device, biological, or medical supply.
Items to be disclosed:
 consulting fees;
 compensation for services other than consulting;
 honoraria;
 gift;
 entertainment;
 food;
 travel (including the specified destinations);
 education;
 research
 charitable contribution
 royalty or license
 current or prospective ownership and interest
 direct compensation for services as a faculty or a speaker for medical education program or grant
 any other nature of payment or other transfer of value
J) Medicare Prescription Drug, Improvement, and Modernization Act (MMA)
i) The MMA was put in place to reduce errors due to illegible physician handwriting and gave momentum to the
e-prescribing movement.
K) False Claims Act (FCA/Lincoln Law) –31 USC §§ 3729-3731:
i) Rule Prohibits—
(a) Anyone from knowingly submitting or causing to be submitted a false or fraudulent claim.
(b) Any person or entity that improperly receives payments from, or avoids payments to, the federal gov’t is held liable for
their actions.
(c) Says that anyone who knowingly presents, or causes to be presented to the US a false or fraudulent claim for
payment or approval to the gov’t or conspires to defraud the gov’t is guilty of violating this act.
 Federal law that allows nongovernment affiliated people to file a claim alleging federal contractors have
committed fraud.
 Enacted during Civil War.
ii) Mens Rea
(a) No specific intent to defraud is required
iii) SOL
(a) SOL is six years from the date of violation, or three years from the date when facts material to the right of action are
known or reasonably should have been known.
(b) Penalties
 Treble damages (3X) the claim payment amount
 OIG can seek $10,000 for each service or item improperly billed (amount changed in 2015; see chart)
 The False Claims Act provides the court with the authority to assess up to three “times the amount of the damages
which the Government sustains”
 Example: OIG investigates a provider for billing for services that were not rendered. It is determined that there
are $20,000 in overpayments, resulting from 25 false claims.
(i) Calculation: 25 claims x $10,000 = $250,000
(ii) $20,000 in overpayments x 3 = $60,000
(iii) $250,000 + $60,000 = $310,000
iv) Self-Disclosure
(a) Process takes 12 months
(b) Pay less fines
(c) Avoid exclusion
(d) Biggest self-disclosure case: OIG alleged that Kroger violated the CMP Law by 1) employing 14 individuals
who were excluded from participation in Federal health care programs; and 2) filling prescriptions, for which
payment was made under a Federal health care program, that were written by 84 excluded prescribers.
v) Reverse False Claims
(a) The Fraud Enforcement and Recovery Act (FERA) extensively amended the FCA, including the reverse false claims
provision.
 GR: Civil liability for someone who “knowingly makes, uses, or causes to be made or used, a false record or
statement material to an obligation to pay or transmit money or property to the Government, or knowingly
conceals or knowingly and improperly avoids or decreases an obligation to pay or transmit money or property
to the Government”
(i) “any scheme or artifice with the intent to defraud the United States, or to obtain money or property by means
of false or fraudulent pretenses”
 Duties
(i) reasonable diligence might require an investigation conducted in good faith and in a timely manner by
qualified individuals in response to credible information of a potential overpayment.
(ii) Overpayment: recipients of Medicare and Medicaid funds who have “received an overpayment” must
“report and return the overpayments.”
(iii) 60-Day Rule: an overpayment must be reported and returned once discovered (within 60 days).
(iv) “Reasonable diligence” standard: “demonstrated through the timely, good faith investigation of credible
information, which is at most 6 months from receipt of the credible information, except in extraordinary
circumstances.”
 Applies to all parts of Medicaid and Medicare, BUT
(i) Parts A & B may report to the Medicare contractor [the MAC] or OIG
 Penalty: liable to the U.S. for civil penalties and treble damages under the FCA, 31 U.S.C. § 3729(a)(1)(G)
 Example: US ex rel. Kane v. Continuum, No. 11 Civ. 2325 (ER). In 2009, a glitch in the software used by
Healthfirst, providing managed care insurance for Medicaid-eligible enrollees, caused Healthfirst to send
remittances to participating providers, erroneously informing them they could seek additional payment for their
services from secondary payers such as Medicaid. This, in turn, resulted in providers in the Continuum system
claiming and receiving Medicaid payments to which they were not entitled. In September 2010, the NYS
Comptroller identified a small number of claims submitted by Continuum and notified Continuum that
Medicaid had been wrongly billed. In early February 2011, Kane ultimately provided a spreadsheet with
approximately 900 claims, totaling over $1 million, that were affected by the glitch and that potentially resulted
in an overpayment. Continuum terminated Kane and took no further action. The Comptroller continued to
analyze Continuum’s billing and identified several additional tranches of affected claims and from March 2011
to February 2012 brought these additional claims to Continuum’s attention. Continuum proceeded to repay only
small batches of affected claims. Final repayments were not made until March 2013. The Government alleged
that this conduct violated the “reverse false claims” provision of the FCA, 31 U.S.C. sec. 3729(a)(1)(G).
 Example: Pediatric Services of America (PSA). This is the first settlement under the False Claims Act involving a
health care provider’s failure to investigate credit balances on its books to determine whether they resulted from
overpayments made by a federal health care program. PSA had been maintaining numerous credit balances on its
books that related to claims it had submitted to various federal health care programs, some of which had been
on PSA’s books for several years. Additionally, PSA wrote off and absorbed credit balances that had resulted
from overpayments into its revenue because it had not investigated the reason for the credit balances
before doing so. The settlement was for $6.88 million.
vi) Record Retention
(a) Records must be maintained for 10 years from the last contracting period or audit, whichever is later, to conform to the
statute of limitations for the discovery of violations under the False Claims Act.
vii) Three levels of liability
(a) Criminal –willful conduct
(b) Gov’t action based on civil penalties
(c) Private right of action through a relator (Qui Tam)
 Incentive: whistleblowers can receive between 15-30% of the recovered amount.
 The whistleblower must lawfully obtain evidence
(i) Access in the ordinary course of business
(ii) 2 party consent is required under federal law for recordings, but look to state law to see what wiretap laws
apply.
 Who can bring the action?
(i) “Original Source”: to bring a qui tam action, the individual, referred to as a relator, must be an original source of
information concerning the false claims.
(ii) “First to File Bar”: the relator must be the first to file the action.
(iii) Success on qui tam lawsuits is much lower when the government chooses not to intervene.
(iv) “Master architect”: the relator must not have been engaged in/convicted of the fraud being alleged.
(v) “Under seal”: if the relator discloses the action while it is under seal, they could be accused of breaching the seal
and barred from bringing the action.
(vi) Public disclosure bar: if the allegations were publicly disclosed, that is a bar to a qui tam action.
(vii) Release of claims under a severance agreement could bar bringing any action against the employer.
(d) Medicare self-referral disclosure protocol (“SRDP”) pursuant to Section 6409(a) of the Patient Protection and
Affordable Care Act (ACA). The SRDP sets forth a process to enable providers of services and suppliers to self-
disclose actual or potential violations of the physician self-referral statute.
 FCA liability arises if an actor does not repay any identified overpayment within sixty days.
 The ACA improves health care fraud and abuse enforcement by increasing the types of prohibited conduct.
 The ACA gives the Secretary of HHS the authority to reduce the amount due and owing for violations.
 Exceptions—
(i) including physician services,
(ii) in-office ancillary services,
(iii) ownership in publicly traded securities and mutual funds,
(iv) rental of office space and equipment,
(v) and bona fide employment relationship
(e) Warning signs that non-compliance may exist: a significant change in the number or type of claim rejections
(f) Research Fraud
 Falsely claiming costs actually paid by the Federal Government through another grant or otherwise by the
Federal Government:
(i) Misstating data or accomplishments
(ii) Manipulating data inappropriately
(iii) Taking inappropriate credit or denying appropriate credit
1. Can become a kickback issue
(g) Exception
 On August 4, 2011, relators Myron Winkelman (auditor) and Stephani Martinsen (pharmacist) challenged the
billing practices of CVS Caremark Corp. and affiliated companies (collectively, CVS). The focus of the relators’
complaint was CVS’s Health Savings Pass program (“HSP”), a program allowing customers to purchase
generic prescription drugs at discounted prices after paying a low enrollment fee. The relators alleged that CVS
overbilled Medicare Part D and Medicaid, as well as state equivalent programs, because CVS was not reporting
the lower prices given to HSP customers when seeking reimbursement from federal and state programs. In
February 2010, labor unions had issued a report detailing CVS’s HSP pricing practices. This report led to
extensive news coverage as well as a Congressional investigation. Id. at 204. The State of Connecticut
subsequently got involved: Connecticut both claimed that CVS was already required to report HSP pricing, and
modified its statutes explicitly to require CVS to do so. CVS threatened to remove its HSP program from the
state altogether as a result. The court concluded that enough was disclosed about CVS’s practices in
Connecticut’s challenge—and the misrepresented and true state of facts—to put the federal government and
other states on notice of CVS’s potentially fraudulent practices. The ACA defines “original source” in two
ways, based on the timing of the relator’s claim relative to the public disclosure: (1) the relator is considered an
original source if “prior to a public disclosure the relator voluntarily disclosed to the Government the
information on which allegations or transactions in a claim are based,” or (2) if the relator possesses “knowledge that is
independent of and materially adds to the publicly disclosed allegations or transactions.” The relators’ disclosures
in this case did not meet either standard.
(h) Types of false claims
 Off label marketing —promoting a drug for an unapproved dosage, demographic, or use and paying kickbacks
to physicians to prescribe the drug. See Glaxo case in this outline.
 Inadequate documentation of services performed
 Billing for goods and services not provided
(i) A pharma company cannot charge the gov’t more for drugs
 Upcoding / Debridement
(i) Callous paring: billing for an unrelated service
(ii) Inadequate documentation of services performed
(iii) Billing at a higher level than actually provided or inconsistent with documented symptoms
 Unbundling
 Billing for services that are of such poor quality they are deemed worthless
 Medically unnecessary
 False Certification
(i) Examples
 Mylan Inc. and Mylan Specialty L.P. (collectively, Mylan) agreed to pay $465 million to resolve FCA liability
associated with allegations that Mylan improperly classified EpiPen as a generic drug for purposes of the
Medicaid drug rebate program.
 eClinicalWorks (ECW), and certain of its employees will pay a total of $155 million to resolve a False Claims
Act lawsuit alleging that ECW misrepresented the capabilities of its software. In its complaint-in-intervention,
the government contends that ECW falsely obtained that certification for its EHR software when it concealed
from its certifying entity that its software did not comply with the requirements for certification. For example,
in order to pass certification testing without meeting the certification criteria for standardized drug codes, the
company modified its software by “hardcoding” only the drug codes required for testing. In other words, rather
than programming the capability to retrieve any drug code from a complete database, ECW simply typed the 16
codes necessary for certification testing directly into its software. ECW’s software also did not accurately
record user actions in an audit log and in certain situations did not reliably record diagnostic imaging orders or
perform drug interaction checks.
 Michael Martinez, an individual in southern California, defrauded the Medicare program by establishing
various fraudulent DMEPOS companies, primarily by using street gang members to pose as nominee owners of
his sham companies. He paid each gang member $5,000 to establish bank accounts and to fill out the Medicare
paperwork. The nominee owners submitted claims for reimbursement to Medicare for power wheelchairs and
orthotic devices that were not medically necessary or legitimately prescribed by a physician. To date, nine of
the gang members and associates have been indicted on charges including health care fraud and providing false
statements to Government agencies. See also RGV DME, Obiageli Agbu.
 Johnson & Johnson agreed to pay more than $2.2 billion to resolve criminal and civil investigations arising from
false claims allegations relating to the prescription drugs Risperdal, Invega and Natrecor, including promotion
for uses not approved as safe and effective by the Food and Drug Administration (FDA) (product misbranding)
and payment of kickbacks to physicians to prescribe the drugs. J&J also paid kickbacks to Omnicare Inc., the
nation’s largest pharmacy specializing in dispensing drugs to nursing home patients.
 Abbott Laboratories has agreed to pay the United States $5.475 million to resolve allegations that it violated the
False Claims Act by paying kickbacks to induce doctors to implant the company’s carotid, biliary and
peripheral vascular products. The lawsuit was filed by Steven Peters and Douglas Gray, former Abbott employees,
under the qui tam provision of the False Claims Act, which allows whistleblowers to file suit on behalf of the
United States for false claims and share in any recovery. As part of the resolution, Peters and Gray will
receive a total payment of more than $1 million. Abbott knowingly paid prominent physicians for teaching
assignments, speaking engagements and conferences with the expectation that these physicians would arrange
for the hospitals with which they were affiliated to purchase Abbott’s carotid, biliary and peripheral vascular
products. As a result, the United States alleged Abbott violated the Anti-Kickback Act and caused the
submission of false claims to Medicare for the procedures in which these Abbott products were used.
 A Dallas doctor and his co-conspirators improperly recruited individuals with Medicare coverage to sign up for
Medicare home health care services. He was sentenced to 420 months in federal prison and ordered to pay $268,147,699.15
in restitution.
L) Occupational Safety and Health Act (OSHA): working conditions and safety of employees
i) Applies to all employers except the mining industry
ii) Compliance
(a) Hazard Communication Standard
 Hazard classification: Chemical manufacturers and importers are required to determine the hazards of the
chemicals they produce or import. Hazard classification under the new, updated standard provides specific
criteria to address health and physical hazards as well as classification of chemical mixtures.
(b) Bloodborne Pathogens Standard: OSHA issued this standard to protect employees from the health hazards of exposure
to bloodborne pathogens. Employers subject to this standard must develop a written exposure control plan, provide
training to exposed employees, and comply with other requirements of the standard.
 OSHA published the Occupational Exposure to Bloodborne Pathogens standard in 1991.
(c) Hazard Communication Standard. This standard is designed to ensure that employers and employees know about
hazardous chemicals in the workplace and how to protect themselves.
 CDC estimates that healthcare workers sustain nearly 600k percutaneous injuries annually involving
contaminated sharps.
 Employers with employees who may be exposed to hazardous chemicals in the workplace must prepare and
implement a written Hazard Communication Program and comply with other requirements of the standard.
 Chemical users: Continue to update safety data sheets when new ones become available, provide training on
the new label elements and update hazard communication programs if new hazards are identified.
 Chemical Producers: Review hazard information for all chemicals produced or imported, classify chemicals
according to the new classification criteria, and update labels and safety data sheets.
 Labels: Chemical manufacturers and importers must provide a label that includes a signal word, pictogram,
hazard statement, and precautionary statement for each hazard class and category.
(i) All secondary containers will need to have labels that identify the contents, name the manufacturer and the
appropriate NFPA hazard warning labels.
 Personal Protective Equipment (PPE) should be provided by the employer free of charge.
 Safety Data Sheets: The new format requires 16 specific sections, ensuring consistency in presentation of
important protection information.
 Information and training: To facilitate understanding of the new system, the new standard requires that
workers be trained by December 1, 2013 on the new label elements and safety data sheet format, in addition to
the current training requirements.
iii) Employer duty arises
(a) Employer failed to keep the premises free of hazard
(b) It was a recognized hazard
 Hazard caused death or serious harm
 There was a feasible and useful method to correct the hazard
(c) Exceptions
 Does not apply to federal, state and local gov’t
 Does not apply to waste management
iv) Reporting requirements
(a) All work-related fatalities within 8 hours.
(b) All work-related inpatient hospitalizations, all amputations, and all losses of an eye within 24 hours.
v) Preemption: no; several states have passed companion laws.
vi) Mens rea
(a) Negligence: should you have known
vii) Non-retaliation policy
(a) OSHA must investigate if a former or current employee reports to OSHA.
viii) Penalties
(a) Citations for not maintaining documentation
 May contest within 15 working days
(b) Maximum penalty $7,000
 serious probability of death
M) Americans with Disabilities Act (ADA): prevents discrimination based on a disability. The ADA requires businesses to take steps
necessary to communicate with patients with vision, hearing and speech disabilities.
N) The Emergency Medical Treatment and Labor Act (EMTALA)/ The SSA, 42 U.S.C. section 1395dd, the Patient Anti-
Dumping Statute: is a federal law that requires anyone coming to an emergency department to be stabilized and treated,
regardless of their insurance status or ability to pay, but since its enactment in 1986 has remained an unfunded mandate.
i) General Rule: (1) The hospital must provide an appropriate medical screening examination; (2) To determine if the
individual is suffering from an emergency medical condition; (3) If so, the hospital is obligated to provide stabilizing
medical treatment or an appropriate transfer.
ii) Prohibits: EMTALA prohibits hospitals from treating emergency patients differently based on whether or not they have
health insurance, Medicare, or Medicaid
iii) INTENT: was to ensure patient access to emergency medical care and to prevent the practice of patient dumping, in
which uninsured patients were transferred, solely for financial reasons, from private to public hospitals without
consideration of their medical condition or stability for the transfer.
iv) Test to determine if compliance with EMTALA is required:
(a) Licensed by state OR
(b) Held out by public: name, posted signs or advertising as a place that offers urgent medical services without an
appointment OR
(c) Based on a sample, at least 1/3 of patient visits were outpatient visits for emergency conditions that were seen
without an appointment.
v) Applies to:
(a) EMTALA applies to hospitals that participate in Medicare through their provider agreements.
(b) EMTALA applies to all emergency patients whether or not they are eligible for Medicare benefits.
(c) Urgent Care Centers (even if they are off campus)
(d) Psychiatric Hospitals (even if they do not have a designated emergency department)
(e) Examples—
 Emergency rooms or departments
(i) Hospital parking lots and other property more than 250 yards from the main facility.
(ii) The 250-yard zone does not apply to physician owned hospitals.
 Labor and delivery departments
 Psychiatric units providing emergency care without
 No appointment is required
 On and off campus, urgent care centers
vi) Requirements
(a) Medical Screening
(b) Applied in a non-discriminatory manner
(c) Sufficient to allow QMP to determine
(d) Appropriate transfer after stabilization, when necessary
vii) Three-tier enforcement structure
(a) CMS Enforcement
(b) OIG Enforcement
(c) Civil Monetary Penalties Law (CMPL) enforcement
 Penalties
(i) HHS now has discretion to reduce CMPs up to 50% if:
1. Facility self-reports;
2. Promptly corrects the deficiency;
3. Waives right to appeal.
 Priorities
 Overview of recent settlements
(d) Private right of action
viii) Fraud detection: Quite simply, any citizen, physician, or hospital may report a possible EMTALA violation. All
complaints are forwarded to the appropriate HCFA regional office, and the regional office then refers the complaint back
to the state's HCFA survey agency if it feels an investigation is warranted. The agency then has 5 working days to initiate
an investigation; it usually tries to conclude the investigation within 15 days.
(a) They will look for patterns of noncompliance and discrimination in such areas as diagnosis (e.g., AIDS), race, color,
insurance type, handicap, or nationality. Interviews with appropriate staff also may be conducted.
ix) Penalties
(a) OIG Civil monetary penalties
 Up to $25,000 per incident for hospitals with less than 100 beds
 Up to $50,000 per incident for hospitals with 100 or more beds
 Up to $50,000 for physician for negligent violations
(b) Negligence damages
(c) Sanctions
 The regional office may recommend termination of the hospital's Medicare provider agreement in a 90-day
track. Usually this means that significant noncompliance issues were identified but that they do not pose an
immediate threat to patient health and safety.
 The hospital may be served notice that it will be terminated from Medicare in 23 days if the deficiencies are
deemed an immediate threat to patient safety and health.
 Appeal: hospital has legal recourse: it may file an appeal with the federal district court, but while the appeal is
being processed, the hospital's termination from Medicare continues.
x) Preemption-- EMTALA supplements state medical malpractice laws, but supersedes them if they are conflicting.
xi) Examples
(a) The on-call physician refused to come to the emergency department.
(b) Rogers Memorial Hospital fined $30,000, June 25, 2008. Allegation that the hospital refused to accept a 57-year-old
patient with depression; the hospital stated it did not treat Medicaid patients in her age group.
(c) Cape Fear Valley Medical Center $42,500, Allegation that suicidal teenager released without appropriate screening
exam; after release jumped out of moving car.
(d) Orlando Regional Healthcare Systems, Inc. (ORHS), Florida, agreed to pay $85,000 for allegedly violating the
Patient Anti-Dumping Statute on three separate occasions: (1) ORHS inappropriately transferred a 27-year-old
female in active labor; (2) ORHS did not accept a patient referred to one of its facilities under the Baker Act; and (3)
ORHS failed to provide an appropriate medical screening examination for a patient who arrived at its emergency
department.
(e) Inbound patients must be accepted unless you are on diversionary status.
O) The Clinical Laboratory Improvement Amendments (CLIA) regulate laboratory testing and require clinical laboratories
to be certified by their state as well as the Centers for Medicare and Medicaid Services (CMS) before they can accept
human samples for diagnostic testing.
i) Purpose: CLIA proficiency testing violations. The CLIA proficiency testing standards for laboratories performing non-
waived testing are very detailed and are presented by the various specialties and subspecialties for laboratories
performing moderate and high complexity testing. Most laboratories have specific policies and procedures for handling
and testing proficiency test samples to ensure they do not violate the CLIA rules and regulations. The consequences of
violating these rules can be severe and can result in the lab having its certification revoked for one or more specialties
or subspecialties.
(a) Quality assurance standards and controls
(b) Proficiency standards
(c) Record maintenance
ii) Registration certificate: issued to a laboratory to allow it to conduct moderate or high complexity laboratory
testing until a survey determines that the entity is in compliance with CLIA regulations.
iii) All clinical laboratories fit into a certificate type
(a) Certificate of Waiver
(b) Certificate for Provider Performed Microscopy Procedures (PPMP)
(c) Registration Certificate
(d) Certificate of Compliance
(e) Moderate and High complexity testing
(f) Certificate of Accreditation
iv) Statute applies to
(a) Applies to labs that examine human specimens for the diagnosis, prevention, or treatment of any disease or impairment
of, or the assessment of the health of, human beings.
 Example: Under CLIA only physicians, mid-level practitioners or dentists may perform provider-performed microscopy
(PPM) procedures.
v) All tests fit into complexity level
(a) Provider Performed Microscopy (PPM) Certificate is issued to a lab in which a physician, mid-level practitioner,
or dentist performs no tests other than PPM. This certificate also permits the lab to perform waived tests.
(b) Waived Testing Programs
 Simple Lab Examinations and procedures
 Pose no reasonable risk of harm if performed incorrectly
 Do not require specific training to perform
 Do not require annual proficiency testing
 End user must follow manufacturer’s instructions
(c) Moderate
(d) High
vi) Exceptions:
(a) A CLIA license isn’t necessary if you are not doing medical testing
 Example: recreational genetic testing
 Example: forensic lab
 Example: CLIA is not required if the facility only collects specimens and performs no testing.
vii) Parties
(a) Director “Technical supervisor” = CLIA license holder
 Director meets the education and experience requirements. It must be demonstrated that the individual is, in
fact, providing effective direction over the operation of the laboratory
 Limited to five laboratories
 May delegate certain LD responsibilities to the Technical Consultant, Technical Supervisor or Clinical
Consultant;
 May serve in the role of the Technical Consultant, Technical Supervisor, Clinical Consultant or Testing
personnel if he/she meets qualifications and performs responsibilities.
(b) General Supervisor
(c) Technical consultant = MD, PhD, or DO; cannot be GC
viii) Enforcement
(a) The Food and Drug Administration (FDA)
 Categorizes tests based on complexity
 Reviews requests for Waiver by Application
 Develops rules/guidance for CLIA complexity categorization
(b) Centers for Medicare & Medicaid Services (CMS)
 Issues laboratory certificates
(i) Non-waived labs must comply with CLIA certificate requirements for:
1. Personnel
2. Quality Control
3. Proficiency Testing
4. Patient Test Management
5. Quality Assessment
 Collects user fees
 Enforcement: Conducts inspections and enforces regulatory compliance
 Approves private accreditation organizations for performing inspections, and approves state exemptions
 Monitors laboratory performance on Proficiency Testing (PT) and approves PT programs
 Publishes CLIA rules and regulations
(c) Centers for Disease Control and Prevention (CDC)
 Provides analysis, research, and technical assistance
 Develops technical standards and laboratory practice guidelines, including standards and guidelines for
cytology
 Conducts laboratory quality improvement studies
 Monitors proficiency testing practices
 Develops and distributes professional information and educational resources
 Manages the Clinical Laboratory Improvement Advisory Committee (CLIAC)
ix) Compliance
(a) Laboratories must comply with rules for:
 Certification
 Enrollment in proficiency testing (if applicable)
 Personnel qualifications and responsibilities
 Facility administration
(i) Documentation requirements and retention
(ii) Facility layout (uni-directional workflow)
 Quality systems including quality control for non-waived tests:
(i) Specimen Testing Processes - Comprehensive SOPs
(ii) Quality assessment activities
(iii) Pre-analytic
1. Requisition design
a. Capture patient and physician demographic information
b. Reflex Testing
c. Components of bundled Tests
2. Specimen handling procedures
3. Unique specimen identification
(iv) Analytic
1. Quality Control
a. Controls must monitor the accuracy and precision of the complete analytical process (environmental
conditions, analytical procedures, and operators)
b. Material type, frequency, expected results
i. Action for unacceptable results
c. Maintenance records
2. Documentation for testing records
a. Who performed the test and when it was performed
(v) Post-Analytic
1. Test Result report
a. Test result and units of measure
b. Specimen identification
 Inspections
(i) Every two years on-site
(ii) CMS has authority to close down a testing facility if they suspect harm to patients (immediate jeopardy)
(b) For tests not listed in Subpart I (no approved PT program), CLIA requires laboratories to take other steps to assure
the accuracy of testing in lieu of testing PT samples: at least twice annually, you must verify the accuracy of any
test or procedure that you perform that is not listed in Subpart I.
(c) Providers are required to update their CLIA certificate within 30 days when there is a change in ownership,
name, location, technical supervisor or director.
(d) According to CLIA, personnel performing waived tests must follow the manufacturer's instructions when
performing the tests.
x) Penalties
(a) See CMP
(b) Revocation of lab’s CLIA license
(c) Loss of Medicare, other reimbursement
xi) Preemption: No, states may establish more stringent laws.
 A list is published of laboratories that have been convicted, under federal or state laws, of fraud and abuse, false
billing, or kickbacks.
P) Stark Law / Physician Self-Referral Prohibition
i) History: Stark I applied to referrals of Medicare patients for clinical laboratory services made on or after January 1,
1992, by physicians with a financial relationship with the clinical lab provider. Stark II extended the prohibition to
referrals for designated health services (DHS).
ii) Rule: Civil statute that prohibits “physician self-referral”, specifically a referral by a physician of a Medicare or
Medicaid patient to an “entity” providing “designated health services” ("DHS"), if the physician (or an immediate
family member) has a financial relationship with that entity.
(a) Prohibits physicians from making referrals of Medicare and Medicaid patients for the furnishing of certain
Designated Health Services (DHS) to any entity with which the physician has a financial relationship.
(b) A financial relationship is defined broadly, and includes any direct or indirect relationship between a physician and
an entity in which the physician or family member has:
 An ownership or investment interest
 A compensation arrangement
(i) Commercial reasonableness: the arrangement would make sense to an organization of the same size and to a
reasonable physician of similar scope and specialty.
(ii) Physician compensation packages are closely scrutinized by IRS for tax exempt entities.
 Prohibits specific categories of referral payments, including kickbacks, bribe or rebates.
iii) Applies to: physicians who refer Medicare or Medicaid patients for designated health services (DHS).
(a) Principal DHS: hospital inpatient and outpatient services, diagnostic radiology services, and clinical laboratory services
(b) Full list of designated health services:
 Clinical laboratory service
 Physical therapy services
 Occupational therapy services
 Outpatient speech-language pathology services
 Radiology and certain other imaging services
 Radiation therapy services and supplies
 Durable medical equipment and supplies
 Parenteral and enteral nutrients, equipment and supplies
 Prosthetics, orthotics and prosthetic devices and supplies
 Home health services
 Outpatient prescription drugs
 Inpatient and outpatient hospital services
iv) Financial relationship
(a) Compensation generally is reasonable based on
 Fair market value (FMV)
 Set in advance (agreement in writing signed by parties)
 Commercially reasonable
(b) Direct: remuneration, whether in cash or in kind, passing between a physician and an entity.
 Ownership or investment interest
(i) Example: Stock option, partnership shares, or limited liability companies
1. Stock options and convertible securities do not count as a compensation until exercised.
 Compensation arrangement
(i) Remuneration passes with no intervening persons or entities
(c) Indirect
 Ownership or investment interest
(i) An unbroken chain of any number (but not fewer than one) of persons or entities having ownership or
investment interests between the physician and the entity.
(ii) Entity has knowledge or should know (reckless) that the physician has an ownership or investment interest
 Compensation agreement
(i) Between the referring physician and the entity there must be an unbroken chain of persons or entities that
have financial relationships with one another.
(ii) The referring physician must receive aggregate compensation from the person or entity in the chain with which
he or she has a direct financial relationship.
(iii) Arrangement requires that the entity furnishing DHS know or should know that the compensation, in the
aggregate, varies with the volume or value of referrals.
(d) Direct compensation vs Indirect Compensation test
 Stand in shoes
(i) The physician is treated as standing in the shoes of his or her physician organization
(ii) Physician has an ownership or investment interest
(iii) Example: Physician enters into a director agreement with an entity and the referring physician holds an
equity interest in the physician organization.
(e) Non-monetary compensation. Physicians may receive non-monetary compensation of up to $398 a year (e.g.,
meals, parking, training, etc.) from a DHS entity.
 The physician practice should limit participation in a hospital’s compliance program to training and
education or policies and procedures only.
(f) Exceptions to financial relationship
 Physician ownership is titular
 Academic medical exception
(i) Academic medical centers sometimes make support payments to the physicians on their faculty or faculty
practice plan but it may NOT be tied to specific items or services provided by faculty physicians.
1. Accredited medical school
2. Majority of the hospital admissions are made by physicians who are faculty members
 Arrangements during the original term or current term that satisfied the indirect compensation exception as of
September 5, 2007.
 Publicly traded stock, mutual funds, and rural providers do NOT constitute a financial relationship and therefore
do not implicate Stark.
 Hospitals in Puerto Rico
 Rural providers: the entity furnishes not less than 75% of its DHS to residents of the rural area.
(g) Payments to a physician to compensate a non-physician practitioner (NPP)
 The NPP must be one of the following:
(i) Physician Assistant
(ii) Nurse Practitioner
(iii) Clinical social worker
(iv) Clinical psychologist
 Arrangement must be in writing
 Signed by the hospital
 Not conditioned on referrals from either a physician or the non-physician practitioner
 Remuneration cannot exceed 50 percent of the actual compensation, signing bonus, and benefits paid by the
physician to the non-physician practitioner during a period not to exceed the first two consecutive years of the
compensation arrangement between the non-physician practitioner and the physician.
 The physician does not impose practice restrictions on the NPP that unreasonably restrict the NPP’s ability to
provide patient care services in the geographic area.
 The NPP has not practiced or otherwise been employed/contracted by another physician/group in the
geographic area served by the hospital, RHC, or FQHC for a period of at least one year preceding the
compensation arrangement.
v) Mens Rea
(a) Is NOT an intent based statute
vi) Analysis
(a) Is there a referral?
(b) Does the physician or immediate family member have a financial relationship with the DHS?
(c) If there is a financial relationship, does it fit into an exception?
vii) Penalties per CMP
(a) Stark Law and Civil Monetary Penalties Law – Up to $15,000 for each service improperly billed.
 Civil penalties for failing to refund payment.
 Circumvention scheme –up to $100,000
(b) Sanctions—
 Denial of payment: Medicare will not pay a claim for DHS furnished pursuant to a prohibited referral.
 Obligation to refund payment: if Medicare has paid a claim for DHS arising from a prohibited referral, the law
requires the entity receiving such payment to timely refund the amounts collected within 60 days from the date of
receipt pursuant to the FSA.
 Section 6409 of the Affordable Care Act requires the Secretary of Health and Human Services (HHS), in
cooperation with the Inspector General of HHS to establish a Medicare self-referral disclosure protocol (SRDP)
establishing a process for providers of services and suppliers to self-disclose actual or potential violations of the
physician self-referral statute.
 Exclusion from Federal Health Care Programs: persons and entities that violate the CMP law may be excluded,
whether they are clinicians or not. You cannot hire these individuals or use them as contractors.
viii) Revisions
(a) Stand in shoes
(b) Per click payments in lease arrangements
(c) Percentage-based compensation formula
ix) Exceptions (MUST MEET THESE: STRICT LIABILITY)
(a) Advisory Opinion
 The inquirer is protected from prosecution for the exact activity and scenario.
(b) Donated and subsidized EHRs. A Stark Law exception and a fraud and abuse safe harbor permit physicians to
accept electronic health record (EHR) donations. Hospitals can continue to donate or subsidize EHRs to physician
practices and other healthcare organizations without fear of violating provisions of the Stark Act through 2021, due
to a recent extension of the Stark Act exception.
 Excludes labs from the types of entities that may donate EHRs
 Updates the definition of what type of software is considered interoperable for the purposes of
subsidies/donations.
 Clarifies the requirement prohibiting any action that limits or restricts the use, compatibility or interoperability
of donated items or services.
(c) Professional courtesy. In 2004, CMS established an exception to the Stark Act to recognize the longstanding
tradition of extending professional courtesy to physicians and their families.
 Generally, a doctor may not bill Medicare for services provided to his or her:
(i) Children / In Laws
(ii) Parents / Grand Parents
(iii) Spouses
(d) The professional courtesy exception covers free or discounted services for physicians and their immediate family
members without incurring Stark penalties, as long as certain conditions are met:
 The professional courtesy must be extended to all members of the entity’s medical staff in the case of a hospital,
or all members of the local community or service area, in the case of a physician practice;
 The healthcare items and services are a type routinely provided by the entity or practice;
 The professional courtesy policy must be set forth in writing and approved in advance by the entity’s governing
board(s);
 The professional courtesy must not be extended to Medicare or other federal health program beneficiaries
unless there is a showing of financial need, and;
 The arrangement cannot violate the anti-kickback statute or any state law.
(e) 42 CFR 411.351
 Group practice: a single entity with shared space and expenses, the same group billing number, and an agreement to
distribute the expenses.
(i) Physician compensation cannot be based on the volume or value of DHS referrals.
 In office ancillary services –services commonly offered in a physician’s office (blood work, MRI/Scan,
(f) 42 CFR 411.353
 Temporary noncompliance
1. Entities may submit claims and receive payments during this period if:
a. The arrangement must have been in compliance for the 180 calendar days immediately preceding the date on
which the financial relationship became noncompliant.
b. The noncompliance must be the result of reasons beyond the entity’s control, and the entity must have taken
steps to rectify the noncompliance.
c. The period of time to rectify the noncompliance may not exceed 90 days.
d. The financial relationship must not violate the anti-kickback law and must otherwise comply with state and
federal law.
 Failure to obtain a signature
(g) 42 CFR 411.355(g)-(j)
(h) 42 CFR 411.357 (a)-(y)
 Rental Lease
 Equipment rental
 Bona fide employment
(i) 42 CFR 411.56 Hospitals outside of PR
 The referring physician is authorized to perform services at the hospital;
 Physician owns entire hospital;
 It is not a specialty hospital
(j) 42 CFR 411.57
 Obstetrical malpractice insurance
(i) The entire premium for a full-time physician
(ii) A partial premium, proportional to the time worked, for a part-time physician
x) Stark violations and FCA intersection
(a) Express certification of compliance
 In order to submit a claim, the DHS entity certifies compliance with law. For example, providers must certify in their
cost reports or enrollment application and then submit claims.
(i) If the fruit of that claim is illegal (a Stark referral), then the claim is false and both statutes are triggered.
(b) Implied certification of compliance
 DHS submits a claim knowing they are not in compliance with law. See Schmidt v. Zimmer (Below)
xi) Examples—
(a) The hospital agreed to pay a total of $42 million to resolve its FCA, AKS, and Stark liabilities and to enter into a 5-year
CIA. The hospital and physicians had entered into contracts that exceeded FMV, were not commercially reasonable, and
took into account the amount of referrals generated between the physicians and the facility.
(b) Memorial Health, Inc., Memorial Health University Medical Center, Inc., Provident Health Services, Inc.,
and MPPG, Inc. d/b/a Memorial Health University Physicians agreed to pay $9,895,043.04 to resolve allegations
that they violated the FCA by submitting claims to the government in violation of the Stark Law. The compensation
agreements in question involved three physicians who were given a base salary and a guaranty, provided that their
wRVUs for the prior year were equal to or greater than a specific target. Further, each physician was eligible for
incentive compensation depending upon the number of wRVUs produced annually, including a quarterly bonus
based on a percentage of the physician’s “personal cash collections,” plus a credit for 10.5% of “professional cash”
generated by midlevel providers personally supervised by the physician, less the base salary paid to the midlevel.
Board communications related to the physicians prior to their employment identified them as a “high volume
practice with large numbers of hospital admission and referrals to specialists.” Memorial Health also tracked the referral
rates of the physicians after the acquisition, and compared referrals to its hospitals with those to the competing system.
The period of the compliance obligations assumed by Memorial Health under the CIA was five years.
(c) US ex rel. Schmidt v. Zimmer Inc.: Schmidt alleged that Zimmer, a manufacturer, seller, and distributor of orthopedic
implants, entered into a contract with Premier Purchasing Partners (“Premier”), an organization which acts as a
purchasing agent for a group of entities, including Mercy Health Systems, that provide medical services for which
reimbursement may be sought under the Medicare program (“Premier Participants”). The Premier Participants were
rewarded if they purchased Zimmer's products in sufficient numbers to increase Zimmer's market share. The contract
allegedly provided that each Premier Participant would receive a 2% bonus on implant purchases if the Premier
Participant met the pre-set market share and volume purchase commitments. Finally, the contract allegedly
provided for additional incentives “targeted to offset the costs associated with competitive conversion.” Schmidt
further alleged that the rewards provided under the contract were paid to Mercy and the other Premier Participants
“in cash or cash equivalents,” and that these payments are a classic example of “kickbacks.” Moreover, it was alleged
that Zimmer and Mercy induced certain of Mercy's physicians and orthopedic departments to assist in meeting Zimmer's
prescribed volume and market share levels by sharing with them all or part of the rewards received from Zimmer
under the contract. Zimmer insisted that the Anti-Kickback Act provides a safe harbor for marketing programs
offering discounts to health care providers and that its program was designed to take advantage of this safe harbor.
Held, Zimmer was at least aware of the possibility that Mercy might file a false claim for more than it paid Zimmer.
(d) A helpful question when determining whether a proposed action could violate the anti-kickback statute: does the
arrangement or practice raise patient safety or quality of care concerns?
(e) Kosenske v. Carlisle: the contract provided that anesthesiology services at Carlisle Hospital would be performed solely
by the physicians in the agreement. The physicians began offering pain management services, and Carlisle provided
the space, personnel and equipment for the pain clinic. Carlisle asserted the personal services exception. The court
held that the arrangement did not meet the requirements of the exception: the FMV and commercial reasonableness
requirements were not satisfied, and the written agreement did not specify the services to be provided and did
not include pain management.
(f) A Texas hospital provider accepted no Medicare, which prevented Stark enforcement. It was nevertheless indicted over
kickback issues: management and other agreements with physicians provided improper remuneration in relation to
Tricare and federal workers' compensation program referrals. RED FLAGS: payments for “marketing” and
“management.” Compensation in any arrangement must be “fair market value” and “commercially reasonable” and
must not take into account the volume or value of any referrals.
(g) Baker v. Columbus Regional Health Care: the government contended that Columbus did not satisfy the “incident to”
requirements for billing services provided jointly by a physician and a mid-level provider. Both must personally
document the portion of the evaluation and management service they performed, the documentation must clearly
support the billed combined service level, and both the physician and the mid-level provider must be enrolled as
Medicare providers. To qualify as “incident to” services, the services must be part of a patient’s normal course of
treatment, and the physician must be present and provide direct supervision in the office suite (not necessarily in
the treatment room) to render assistance. Columbus Regional paid Dr. Pippas more than twice the amount of the
collections and revenue Columbus Regional received for the services he personally performed. Although Dr. Pippas
was being compensated above the 90th percentile, the parties continued under this arrangement. Further, Dr. Pippas
was billing for services performed by a non-physician. The settlement resolved alleged FCA violations based on
upcoded claims and Anti-Kickback Statute and Stark Law violations. Columbus Regional settled for $25 million, plus
up to $10 million in contingency payments.
(h) Drakeford v. Tuomey Healthcare System, Inc.,Tuomey is a nonprofit hospital located in Sumter, South Carolina, a
small, largely rural community that is a federally-designated medically underserved area. At the time of the events
leading up to this lawsuit, most of the physicians that practiced at Tuomey were not directly employed by the
hospital, but instead were members of independent specialty practices. Beginning around 2000, doctors who
previously performed outpatient surgery at Tuomey began doing so in their own offices or at off-site surgery
centers. Tuomey estimated that it stood to lose $8 to $12 million over a thirteen-year period from the loss of fees
associated with gastrointestinal procedures alone. Tuomey sought to negotiate part-time employment contracts with
a number of local physicians. Each physician was paid an annual guaranteed base salary. That salary was adjusted
from year to year based on the amount the physician collected from all services rendered the previous year. The bulk
of the physicians' compensation was earned in the form of a productivity bonus, which paid the physicians eighty
percent of the amount of their collections for that year. The physicians were also eligible for an incentive bonus of
up to seven percent of their earned productivity bonus. In addition, Tuomey agreed to pay for the physicians'
medical malpractice liability insurance as well as their practice group's share of employment taxes. The physicians
were also allowed to participate in Tuomey's health insurance plan. Finally, Tuomey agreed to absorb each practice
group's billing and collections costs. Physicians could maintain their private practices, but were required to perform
outpatient surgical procedures exclusively at the hospital. Physicians could not own any interest in a facility located
in Sumter that provided ambulatory surgery services, save for a less-than-two-percent interest in a publicly traded
company that provided such services. The physicians also agreed (non-compete) not to perform outpatient surgical
procedures within a thirty-mile radius of the hospital for two years after the expiration or termination of the
contracts. Tuomey, however, was unable to reach an agreement with Dr. Michael Drakeford, who believed the contract
violated Stark. He later sued the hospital under the qui tam provisions of the FCA, alleging that the part-time
employment contracts violated the Stark Law by compensating the physicians in excess of fair market value. The Stark
Law is a strict liability statute, so it is immaterial whether one intended to violate the law. Held, Tuomey violated
both Stark and the FCA.
(i) Halifax knowingly violated the Stark Law by executing contracts with six medical oncologists that provided an
incentive bonus that improperly included the value of prescription drugs and tests that the oncologists ordered and
Halifax billed to Medicare.
(j) KDMC violated the Stark Law by paying certain cardiologists salaries that were unreasonably high and in excess of
fair market value. The Stark Law is designed to limit the influence of money on physicians’ medical decision-
making by prohibiting financial relationships between hospitals and referring physicians, unless these relationships
meet certain designated exceptions. Ashland Hospital Corp. d/b/a King’s Daughters Medical Center (KDMC) has
agreed to pay $40.9 million to resolve allegations that it submitted false claims to the Medicare and Kentucky
Medicaid programs for medically unnecessary coronary stents and diagnostic catheterizations and had prohibited
financial relationships with physicians referring patients to the hospital.
(k) Saint Joseph Health System Inc. has agreed to pay $16.5 million to resolve allegations that Saint Joseph Hospital
violated the False Claims Act by submitting false claims to the Medicare and Kentucky Medicaid programs for a
variety of medically unnecessary cardiac procedures. Saint Joseph Hospital violated the federal Stark Law and Anti-
Kickback Statute by entering into sham management agreements that financially benefitted Drs. Chatterjee and
Anand as an inducement for Chatterjee and Anand to direct more Cumberland Clinic patients to the hospital.
(l) New York Heart Center to Pay More Than $1.33 Million To Settle Allegations Of False Claims Act And Stark Law
Violations. In a recent August 2014 settlement, an Albany, N.Y. group practice of cardiologists called New York
Heart Center agreed to pay the U.S. government $1.34 million plus interest to resolve allegations it violated the
False Claims Act and the Stark Act. NYHC cardiologists had allegedly determined a partner-physician
compensation formula by taking into account the volume of referrals the physician was directing to the practice for
nuclear and CT scans. The government's investigation of these allegations revealed that NYHC implemented this
formula with the knowledge that it could violate the Stark Act.
(m) US ex rel. Parikh v. Citizens Medical Center: emergency physicians allegedly received above-market salaries and other
incentives to induce referrals for surgery and other hospital services. Gastroenterologists were paid bonuses
disguised as directorship fees and awarded additional time to participate in the hospital's colonoscopy screening
program, based on the volume of their referrals. The court noted that two laws that often serve as FCA predicates are
the Anti-Kickback Statute (AKS) and the Stark self-referral law. The plaintiffs, cardiologists, claimed that their pay
more than doubled upon becoming employees despite the hospital losing $400,000 to $1,000,000 per year on the
deal, due to their lucrative cardiac surgery referrals.
(n) Singh v. Bradford Regional Medical Center: the relators, Drs. Singh, Kirsch, Nadella, and Jacobs, alleged that
the defendants submitted, or caused to be submitted, false claims for payment to the Medicare program arising out of
referrals from Drs. Vaccaro and Saleh to BRMC in violation of the Stark Act and the Anti-Kickback Act. In April
2000, Drs. Vaccaro and Saleh purchased their practice from BRMC and formed V&S Medical Associates, LLC (“V&S”).
Prior to 2001, Drs. Vaccaro and Saleh were a significant source of referrals to BRMC, both for inpatient admissions
and for outpatient procedures. A hospital representative explained that their acquisition of a nuclear camera would
negatively impact the hospital’s financial position and affect the recruitment of a cardiologist. In May 2001, BRMC
adopted a Policy on Physicians with Competing Financial Interests. The policy provided that, if a physician had a
financial relationship with a competing health care entity that might have a significant impact upon the hospital, that
physician would be ineligible for hospital privileges. Rather than referring patients to BRMC for nuclear imaging
tests as they had done previously, Drs. Vaccaro and Saleh began to perform such tests in their own office, thus
decreasing their nuclear referrals to BRMC. In January 2002, Drs. Saleh and Vaccaro, through their legal counsel,
objected to BRMC’s policy and its application to them. They asserted that the “Medical Center is conditioning
privileges on referral streams. This is precisely the type of arrangement that the anti-kickback laws were intended to
prevent,” and also noted that the Stark Statute and the False Claims Act provide civil penalties “for those who enter
into arrangements which compensate based upon referrals.” Held, violation as to the Stark Law only.
Q) State False Claims Acts
i) Typical state laws related to fraud and abuse include health care fraud, insurance fraud and fraudulent practices in
Medicaid program.
ii) State equivalents to federal false claims act (FCA).
iii) If the OIG determines that a state false claims act meets certain requirements, the state is entitled to an increase in its
share of any amounts recovered under the state statute. 19 states meet such criteria, including Texas, New York, and
California.
iv) States are given incentives to adopt such a law under the SSA if the state law meets these requirements:
(a) Establishes liability to the state for false or fraudulent claims to the Medicaid program;
(b) Contains provisions that are at least as effective in rewarding and facilitating qui tam actions for false or fraudulent
claims as those under the FCA;
(c) Contains a requirement for filing an action under seal for 60 days with review by the state AG;
(d) Contains a civil penalty that is not less than the civil penalty authorized under the FCA.
R) Federal Audit Statute (18 U.S.C. § 1516, obstruction of a federal audit)
i) The statute imposes substantial penalties upon any person or entity that receives in excess of $100,000 from the government in any
one-year period and, with intent to deceive or defraud the United States, influences, obstructs, or impedes a federal auditor in the
performance of official duties relating to that person or entity.
S) Civil Monetary Penalties Law (CMPL) – the SSA provides that persons who knowingly engage in fraud, abuse or improper conduct are subject to civil
penalties.
i) Prohibits a hospital from knowingly making a payment to a physician as an inducement to reduce or limit services to beneficiaries under the physician's care (the gainsharing CMP).
ii) Penalties range from $2,000 to $100,000 per violation, depending on the conduct.
iii) Mandatory exclusion: criminal offenses related to
(a) Delivery of an item or service under any federal or state health care program;
(b) Neglect or abuse of a patient in connection with the delivery of a health care item or service;
(c) Felony conviction related to health care fraud;
(d) Felony conviction related to the unlawful manufacture, distribution, prescription or dispensing of a controlled substance.
iv) Examples of CMP application
(a) Nurse Liane P. Tomlinson, 33, of Hamburg, New York, pleaded guilty to stealing over $27,000 from Medicaid.
Tomlinson submitted 105 claims for payment to Medicaid in which she falsely purported that she provided private-
duty nursing services to six severely disabled children. Tomlinson's false claims included instances when she was in
Canada caring for a private-pay patient, when she was in Florida on vacation, when another nurse provided the care,
and after she had been fired by a patient's mother. Notably, Tomlinson submitted 46 of the 105 false claims during a
five-week period in 2016 when nursing and medical records obtained by the MFCU revealed that Tomlinson was
homebound, recovering from complications resulting from an elective surgery, and was in fact receiving private-
duty nursing services at her home. These 46 claims totaled $14,251.90.
(b) Failing to screen for, and then hiring or retaining, an excluded individual. The employer is liable to repay as overpayments any
federal program payments for items or services that the excluded person furnished or ordered during the whole period in which the person
was both employed and on the exclusion list (if the exclusion occurred after hire, liability starts at the exclusion date). Screen
against the OIG List of Excluded Individuals/Entities (LEIE) at hire and periodically thereafter.
• 37 states have their own exclusion lists and require annual certification that you are running checks.
(i) Administrative statute in Texas
(ii) Criminal statute in Louisiana
• A pharmacy filled prescriptions written by a physician who appeared on the OIG exclusion list. The pharmacy was liable to
OIG; the state Medicaid Fraud Control Unit (MFCU) entered into a $478,000 settlement with the pharmacy for failing to screen.
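The screening obligation above as code. This is an added example, not part of the outline and not OIG software: it models the fields of an LEIE-style download (last name, first name, NPI, exclusion date, reinstatement date; it assumes, as the LEIE file does, that an all-zero NPI means none is on file), matches a constructed staff roster against constructed exclusion rows, and computes the window in which the person was both employed and excluded, which is the period for which claims are overpayments. Names, NPIs and dates are constructed sample data.

```python
"""Exclusion screening: match a staff roster against an OIG LEIE-style list and
compute the overpayment exposure window.  Added example for this outline; the
roster and exclusion rows are constructed, not real people."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
import unicodedata

NO_NPI = "0000000000"   # assumption: LEIE uses all zeros when no NPI is on file


@dataclass(frozen=True)
class Exclusion:
    last: str
    first: str
    npi: str
    excl_date: date
    reinstated: Optional[date] = None      # None = still excluded


@dataclass(frozen=True)
class Worker:
    last: str
    first: str
    npi: str                                # "" if the worker has no NPI
    hired: date
    terminated: Optional[date] = None       # None = still employed


def norm(name: str) -> str:
    """Fold case, accents and punctuation so "O'Brien" and "OBRIEN" compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.upper() if ch.isalnum())


def match_basis(w: Worker, e: Exclusion) -> Optional[str]:
    """Return "npi" or "name" when the roster row matches the exclusion row, else None.
    An NPI on both sides is authoritative; a name-only hit must be verified
    (SSN/DOB through the LEIE verification step) before acting on it."""
    if w.npi and e.npi != NO_NPI:
        return "npi" if w.npi == e.npi else None
    if norm(w.last) == norm(e.last) and norm(w.first) == norm(e.first):
        return "name"
    return None


def exposure_window(w: Worker, e: Exclusion, today: date):
    """Dates on which the person was both employed and excluded.  Payments for
    items or services furnished in this window are overpayments, so an
    exclusion that starts after hire begins liability at the exclusion date."""
    start = max(w.hired, e.excl_date)
    end = min(w.terminated or today, e.reinstated or today)
    return (start, end) if start <= end else None


def screen(roster: List[Worker], exclusions: List[Exclusion], today: date):
    findings = []
    for w in roster:
        for e in exclusions:
            basis = match_basis(w, e)
            if basis is None:
                continue
            win = exposure_window(w, e, today)
            findings.append({
                "worker": f"{w.last}, {w.first}",
                "basis": basis,
                # None: the person matched but the exclusion never overlapped employment
                "window": tuple(d.isoformat() for d in win) if win else None,
            })
    return findings


def run_sample():
    """Constructed data: one NPI match excluded after hire, one name-only match
    reinstated mid-employment, and one same-name person whose NPI rules them out."""
    today = date(2024, 1, 31)
    roster = [
        Worker("Doe", "Jane", "1234567893", date(2015, 3, 1)),
        Worker("O'Brien", "Seán", "", date(2019, 6, 15), date(2021, 2, 28)),
        Worker("Smith", "Ana", "1992837465", date(2020, 1, 1)),
    ]
    exclusions = [
        Exclusion("DOE", "JANE", "1234567893", date(2018, 9, 1)),
        Exclusion("OBRIEN", "SEAN", NO_NPI, date(2017, 1, 10), date(2020, 5, 1)),
        Exclusion("SMITH", "ANA", "5555555555", date(2016, 1, 1)),
    ]
    return screen(roster, exclusions, today)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run as-is to see the two findings: Jane Doe's window starts at her 2018 exclusion date, not her 2015 hire date, and Seán O'Brien's ends at his 2020 reinstatement rather than his 2021 termination. The third roster row shares a name with an excluded person but has a different NPI, which is why the NPI comparison is made authoritative before any name matching.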
v) Criminal penalties – the SSA also provides criminal sanctions, with respect to federal health care programs, for false statements and
for knowingly and willfully making certain false representations.
T) Anti-Kickback Statute (AKS)
i) History: Congress originally enacted the Anti-Kickback Statute as part of the Social Security Amendments of 1972. The AKS arose
out of congressional concern that financial inducements can influence health care decisions and result in goods and
services being more expensive, medically unnecessary, and harmful to patients.
ii) Rule: the Medicare/Medicaid statute includes a provision that prohibits specific categories of referral payments, including
kickbacks, bribes, or rebates.
iii) Prohibits: the Anti-Kickback Statute prohibits any person from knowingly and willfully offering, paying, soliciting, or
receiving direct or indirect remuneration, in cash or in kind, overt or covert, in return for, or to induce, the referral of
federal health care program patients, or the ordering of services for which a federal health care program may pay.
(a) The Anti-Kickback Statute is a criminal statute that prohibits transactions that are intended to induce referrals or
business paid for by Medicare, Medicaid or any other federally funded health care program.
(b) It prohibits any knowing and willful solicitation, receipt, offer or payment of any remuneration in return for referring an
individual, or for recommending or arranging the purchase, lease, or ordering of an item or service, that may be wholly or
partially paid for under a federal health care program.
(c) The Patient Protection and Affordable Care Act of 2010 amended the AKS (42 U.S.C. § 1320a-7b(g)) so that a claim that includes
items or services resulting from an AKS violation is a false or fraudulent claim under the False Claims Act.
iv) Applies to
(a) Any provider (including physicians and entities) that knowingly and willfully accepts bribes or other forms of
remuneration in return for generating Medicare, Medicaid or other federal health care program business.
v) Mens Rea
(a) Intent is required (knowing and willful).
(b) Ignorance of the law is not a defense: since the ACA, actual knowledge of the AKS or specific intent to violate it is not required.
vi) Penalties
(a) Fines include repayment of the reimbursement obtained through the illegal referral.
(b) Exclusion from federal health care programs is a further sanction.
(c) Violation of the statute is a felony; the figures in this outline are up to five years' imprisonment and/or up to $25,000 in
fines (the Bipartisan Budget Act of 2018 raised these to up to ten years and $100,000 per violation).
(d) Civil monetary penalties can be as much as $50,000 per kickback plus an assessment of up to three times the remuneration; claims
tainted by kickbacks also carry False Claims Act liability of three times the damages sustained by the government.
vii) Preemption – In State v. Harden, a Florida statute was invalidated because (1) it contained no safe harbors and (2) it contained a
lower mens rea standard (a violation for negligence rather than intent).
(a) Approximately 36 states and the District of Columbia also have laws that prohibit paying remuneration for
health care program business referrals, according to the National Conference of State Legislatures.
viii) Exceptions
(a) The OIG adopted safe harbor regulations, many of which parallel the Stark exceptions (see above); an arrangement that fits squarely
within a safe harbor is not subject to prosecution under the AKS.
(b) Self-disclosure protocols (the OIG Self-Disclosure Protocol) for mitigating potential violations.
(c) The EHR items and services safe harbor does not protect donations by pharmaceutical companies or medical device manufacturers,
because they are typically not entities that bill federal health care programs either directly or through reassignment.
ix) Safe Harbors
(a) Bona fide employees
(b) Investments in large publicly-held health care companies
(c) Investments in small health care joint ventures
(d) Space rental
(e) Timeshare arrangements – much-needed flexibility for independent physicians who share office space and for hospitals that
provide office space, equipment, personnel, supplies, and services to part-time, independent physicians on an "as-
needed" basis. (Note: the conditions below are those of the Stark timeshare exception, 42 C.F.R. § 411.357(y). OIG did not adopt a
separate AKS timeshare safe harbor, so a timeshare is analyzed under the space and equipment rental safe harbors.)
• The arrangement must be between a physician (or physician organization) and a hospital or another physician organization.
• The premises, items, and services must be used "predominantly" to furnish E&M services.
• The compensation cannot be based on a percentage of revenues or on per-unit-of-service fees to the extent such
fees reflect services provided to patients referred by the licensor.
• Any equipment covered by the timeshare arrangement must be (1) located in the same building where the E&M
services are furnished, (2) not used to furnish DHS other than those incidental to the E&M services furnished at
the time of the E&M visit, and (3) not advanced imaging equipment, radiation therapy equipment, or clinical or
pathology laboratory equipment (other than equipment used to perform CLIA-waived laboratory tests).
(f) Equipment rental
(g) Personal services and management contracts
• In writing and signed by the parties
• Specifies the services and, for part-time arrangements, the schedule and amount of time
(i) Term of no less than one year
• Commercially reasonable
• Aggregate compensation set in advance at fair market value and not tied to the volume or value of referrals
(h) Sales of retiring physicians' practices to other physicians
(i) Referral services – if a referral service charges its participants any fees,
the fees (i) must be assessed equally against and collected equally from all participants in the referral service and (ii)
may only be based on the cost of operating the referral service and not on the volume or value of patient referrals.
(j) Warranties
(k) Discounts
(l) Employee compensation
(m) Group purchasing organizations
(n) EHR items and services
(o) Electronic prescribing items and services
(p) Waivers of Medicare Part A inpatient cost-sharing amounts
(q) Increased coverage
(r) Reduced cost-sharing amounts or reduced premium amounts offered by health plans to beneficiaries
(s) Price reductions offered to health plans by providers
(t) Investments in ambulatory surgical centers (ASCs)
(u) Joint ventures in underserved areas
(v) Practitioner recruitment in underserved areas
(w) Sales of physician practices to hospitals in underserved areas
(x) Subsidies for obstetrical malpractice insurance in underserved areas
(y) Investments in group practices
(z) Specialty referral arrangements between providers
(aa) Cooperative hospital service organizations
(bb) Ambulance replenishing (medication and supply restocking) programs, which let the ambulance leave the hospital ready for the
next emergency call.
x) Test if no safe harbor applies: whether any one purpose of the remuneration was to induce referrals (the "one purpose" test). Failing
to fit a safe harbor is not itself a violation; the arrangement is judged on its facts and intent.
xi) OIG's principal concerns in assessing potential risk when no safe harbor applies
(a) Overutilization
(b) Increased federal program costs
(c) Interference with clinical decision-making
(d) Patient safety and quality of care concerns
(e) Decreased patient freedom of choice
(f) Unfair competition
xii) Examples of violations
(a) Offering a doctor a service, such as free or reduced rent, free or below-market support services (dictation, secretarial), or
goods (a PC provided by a pharmaceutical company).
(b) By submitting claims for reimbursement tainted by kickbacks, causing a health care provider to submit such claims,
or conspiring with a provider to submit false claims through unlawful kickbacks, physicians render themselves
individually liable for violations of the False Claims Act.
(c) Cincinnati-based Omnicare settled a costly anti-kickback case. Omnicare allegedly offered nursing facilities illegal
monetary incentives in exchange for the facilities' selection of Omnicare drug supplies for elderly Medicare and
Medicaid recipients. The nursing home pharmacy company settled for $124.24 million. The government also alleged
the improper relationship resulted in Omnicare and the facilities submitting fraudulent claims for reimbursement to
Medicare and Medicaid. Kickbacks to entities making drug recommendations compromise their independence and
undermine their role in protecting nursing home residents from the use of unnecessary drugs.
(d) In July, Chicago-based United Shockwave Services, United Prostate Centers and United Urology Centers entered
into a $7.3 million settlement. OIG described the conduct that it believed violated these laws as "leveraging patient
referrals to obtain contract business from hospitals." In the settlement agreement, OIG elaborated on the unlawful
conduct in this way: in connection with the provision of [lithotripsy and laser services and items to treat kidney and
other stones, and benign prostatic hyperplasia], United solicited and received remuneration, in the form of contracts,
from various hospitals ... in exchange for the referral of patients to such hospitals.
xiii) More examples
(a) Former owners of Los Angeles-based City of Angels Medical Center paid $10 million for paying illegal kickbacks.
In January, Robert Bourseau and Rudra Sabaratnam, MD, pleaded guilty to their roles in a scheme to pay patient
recruiters illegal kickbacks for the recruitment of homeless patients. The recruited homeless patients underwent a
variety of medical treatments, many of which were not medically necessary and were billed to federal health care
programs.
(b) In March, Christiana Care Health System agreed to pay $3.3 million to settle kickback allegations. According to the charges,
Christiana Care overpaid physicians at Neurology Associates for in-hospital readings of EEGs, allegedly as a
"reward" for referring patients to the hospital. The court documents note the payments were part of a contract dating
to 1989, prior to the enactment of the current Stark Act and the Delaware Anti-Kickback Statute.
(c) St. Jude Medical, Parma (Ohio) Community General Hospital and Norton Healthcare in Louisville, Ky., settled false
claims allegations for $3.9 million. The heart device manufacturer was accused of paying kickbacks to the two
hospitals in order to obtain heart-device business.
(d) Marion (Ohio) General Hospital paid $1.2 million to resolve allegations of Stark Law and anti-kickback violations.
The violations, which were self-reported by the hospital in October to the U.S. Attorney General's Office, included a
number of financial relationships with physicians that did not involve a written contract. Specifically, the hospital
provided an after-hours answering service and medical waste disposal services to independent physicians at below-
market rates and provided payment without a written contract to independent physicians who treated uninsured
patients, among other violations.
xiv) Referral Service Example (OIG advisory opinion)
(a) The Requestor is a for-profit corporation that provides software, online tools, and related discharge planning support
services to hospitals across the nation. It operates an online referral service (the "System") that provides hospitals with access to a
nationwide listing of all licensed post-acute care providers, including skilled nursing facilities, home health
agencies, and assisted living facilities ("Providers"). The Requestor typically compiles this listing by reviewing
state licensure databases of post-acute care providers. Hospitals pay a fee to the Requestor to utilize the System.
The Requestor has certified that the amounts paid by the hospitals are equal to FMV and are not tied, directly or
indirectly, to the volume or value of referrals or other business generated between the parties. The Requestor further
certified that the revenues it collects under its arrangements with the hospitals exceed the associated costs of the
System. Currently, Providers are not charged a fee to use the System to electronically receive or respond to hospital
referral requests. Under the Proposed Arrangement, the Requestor would begin charging Providers that wish to use
these online capabilities a one-time implementation fee and a monthly fee. The Requestor has certified that the
fees would not vary based on the volume or value of referrals or other business generated between the parties.
Providers that choose not to pay the Requestor's fees would continue to be listed in the System but would not be
able to electronically receive or respond to the hospitals' referral requests. Rather, the Requestor would notify non-
paying Providers of hospital referral requests via facsimile. Analysis: Providers that pay the Requestor's fees would
be more likely to get the patients, not because they provide superior care but because they paid for the opportunity;
the costs that the Requestor would incur to fax the referral requests to nonpaying Providers would exceed the costs
that it would incur to transmit them electronically, so the fees do not track the cost of operating the service; and Providers
would be required to pay fees they cannot afford for services they require to remain competitive, or risk substantial loss of
business. The Proposed Arrangement could potentially generate prohibited remuneration under the Anti-Kickback Statute, and it
would not be protected by the referral services safe harbor because the fees are neither assessed equally against all participants
nor limited to operating cost.
(b) An uninsured patient requests a reduced rate for knee replacement surgery. The doctor believes that the surgery is
essential and will help prolong the patient's life through improved exercise opportunities. The hospital is currently
conducting a clinical trial on knee surgery, but the patient does not qualify. If the doctor arranges a discounted
research rate for the patient, the institution could be subject to potential liability for violation of the Anti-Kickback
Statute.
(c) The Federal Health Care Benefit Programs and the Prohibition Against Kickbacks and Fraudulent Billing
U) Deficit Reduction Act of 2005 (DRA) – requires entities that make or receive $5 million or more in Medicaid payments annually
to provide detailed information to their employees and contractors about the relevant state and federal False Claims Acts and
similar tools (DRA section 6032).
(a) Purpose: combat health care fraud and abuse
• Fraud is an intentional deception or misrepresentation of fact that can result in an unauthorized benefit or
payment.
• Examples of fraud
(i) submitting claims for services not provided or used
(ii) falsifying claims or medical records
(iii) misrepresenting dates, frequency, duration or description of services rendered
(iv) billing for services at a higher level than provided or necessary
(v) falsifying eligibility
(vi) failing to disclose coverage under other health insurance
• Abuse means actions that are improper, inappropriate, outside acceptable standards of professional
conduct or medically unnecessary.
• Examples of abuse
(i) a pattern of waiving cost-shares or deductibles
(ii) failure to maintain adequate medical or financial records
(iii) a pattern of claims for services not medically necessary
(iv) refusal to furnish or allow access to medical records
(v) improper billing practices
(b) RULE: CMS must enter into contracts with qualified entities (the Medicaid Integrity Contractors) to
• review the actions of individuals or entities furnishing items or services under the Medicaid program to determine whether fraud,
waste, or abuse has occurred;
• audit claims made under the Medicaid program, including cost reports and risk contracts;
• identify overpayments to individuals or entities receiving federal funds; and
• educate providers and managed care entities regarding payment integrity and quality of care.
(c) Created the Medicaid Integrity Program (MIP) within CMS to assist in this goal and simultaneously
dramatically increased the resources available to CMS for detecting fraud, waste and abuse.
(d) Medicaid Integrity Contractors implement the five-year Comprehensive Medicaid Integrity Plan and oversee providers and managed
care for payment integrity and quality of care issues nationwide.
(e) Section 1909 of the SSA was added to encourage states to adopt false claims acts similar to the federal FCA.
(f) An entity must establish policies for its contractors' and agents' employees, including, but not limited to, the
employees of the entity's vendors performing billing and coding functions.
• Contractors furnishing Medicaid health care items or services include, but are not limited to, all
contract therapists, physicians (including, but not limited to, house staff, hospitalists, and independent
contractors), and pharmacies.
(g) Under DRA section 6032, an entity must "establish written policies for all employees ... of any contractor or agent
of the entity." Written policies may be on paper or in electronic form, but must be readily available to all employees,
contractors, or agents.
(h) Authorizes a gainsharing demonstration program to test and evaluate arrangements between hospitals and
physicians designed to improve the quality and efficiency of care provided to beneficiaries. The demonstration allowed
hospitals to provide gainsharing payments to physicians that represent solely a share of the savings achieved as a
result of collaborative efforts to improve overall quality and efficiency.
• NOTE: outside such a demonstration, a hospital or critical access hospital (CAH) cannot knowingly make a payment, directly or
indirectly, to a physician as an inducement to reduce or limit medically necessary services provided to Medicare or Medicaid
beneficiaries who are under the direct care of the physician. This is the gainsharing civil monetary penalty (42 U.S.C. § 1320a-7a(b)),
a CMPL provision rather than the Anti-Kickback Statute.
(i) Warranty safe harbor example: the safe harbor for warranties protects remedial actions by suppliers to address products that fail to
meet bargained-for requirements. In the advisory opinion summarized here, replacement of spoiled products would be restricted to
certain unintentional, unplanned circumstances and could increase patient safety and quality of care, so the proposed arrangement posed
a sufficiently low risk of fraud and abuse under the Anti-Kickback Statute.
V) Non-health-care-specific statutes – health care entities can also be prosecuted for fraudulent claims under the money laundering, mail
fraud and wire fraud statutes.
i) Criminal offenses
(a) Furnishing services or supplies determined to be substantially in excess of those needed, or so lacking in quality as to be
worthless.
(b) Willfully making a false statement or representation in an application for payment.
(c) Submitting claims based on incorrect codes or for medically unnecessary services under Medicaid and state health care programs is
a criminal offense.
(d) Knowingly and willfully executing a scheme or artifice to defraud a health care benefit program (health care fraud, 18 U.S.C. § 1347).
(e) Knowingly and willfully embezzling, stealing or converting any money or other assets of a health care benefit program.
(f) Knowingly and willfully concealing or covering up a material fact, or making false statements, in connection with the
delivery of, or payment for, health care benefits.
(g) Willfully preventing, obstructing, misleading, delaying or attempting to prevent, obstruct, mislead or delay the
communication (obstruction of a health care fraud investigation, 18 U.S.C. § 1518)
(h) Insurance fraud – submitting claims to private insurers that are incorrect, for services not provided, upcoded, for
unnecessary tests, etc.
• Keep in mind that private insurers take part in Medicare Part C (Medicare Advantage) and managed Medicaid, which turns such a
claim into a false claim against the government.
(i) Mail fraud – any health care fraud scheme that sends any article or document through the U.S. mail or a private or commercial
interstate carrier. Wire fraud – any such scheme that uses interstate wire communications (telephone, fax, electronic claim submission).
(j) Money laundering
• Rule: a health care provider engages in a monetary transaction of $10,000 or more in property derived from a specified unlawful
activity, such as Medicaid fraud (18 U.S.C. § 1957), or conducts financial transactions designed to conceal such proceeds (§ 1956).
• Fines of up to $500,000 (or twice the value of the property involved) and imprisonment of up to 20 years, in addition to the
sentence for any underlying felonies that accompany the money laundering charges.
(k) Racketeer Influenced and Corrupt Organizations Act (RICO)
1. Rule: prohibits a person from receiving any income, directly or indirectly, from a pattern of racketeering
activity involving the commission of predicate offenses such as mail fraud, wire fraud or health care fraud.
2. Example: MICHAEL DANILOVICH was sentenced to 25 years in prison in connection with his
conviction for 16 counts of racketeering conspiracy, securities fraud, health care fraud, mail fraud, wire fraud,
and money laundering. DANILOVICH was a leader of an enterprise engaged in a pattern of racketeering that
included a massive scheme to defraud automobile insurance companies under New York's no-fault insurance
law. From 2007 through 2012, DANILOVICH's organization defrauded automobile insurance companies of
more than $100 million by, among other things, creating and operating medical clinics that provided
unnecessary and excessive medical treatments in order to take advantage of the No-Fault Law. In order to
increase the number of medical treatments that could be billed to automobile insurance companies and referred
to Modality Clinics, the No-Fault Clinic Controllers used individuals who recruited patients to the No-Fault
Clinics (the "Runners"). The No-Fault Clinic Controllers generally paid the Runners between $2,000 and
$3,000 per patient referral, and received kickbacks for additional unnecessary treatments. All told, DANILOVICH's
organization billed insurance companies for tens of millions of dollars in fraudulent medical treatments.
Furthermore, DANILOVICH and his co-conspirators laundered the proceeds of the fraud through check-
cashing entities and shell companies, and used the money to pay for luxury cars, watches, and vacations.
i. Four activities prohibited:
• investing income that is derived, directly or indirectly, from a pattern of racketeering activity or through the
collection of unlawful debt, in which the person has participated as a principal;
• acquiring or maintaining an interest in or control of an enterprise, directly or indirectly, through a pattern of racketeering
activity or the collection of unlawful debt;
• conducting or participating in the affairs of an enterprise through a pattern of racketeering activity; and
• conspiring to commit any of these acts.
• RICO increased the severity of penalties for violations involving organized crime.
ii) Mail and wire fraud – because schemes invariably involve mailing invoices, bills, reimbursement checks, and numerous
other documents, the mail fraud statute is also used to prosecute false health care claims.
(a) Elements
• A scheme to defraud, AND
• Use of the mail (or, for wire fraud, interstate wires) for the purpose of executing the scheme.
(b) Penalties for mail fraud include fines and imprisonment of up to 20 years (up to 30 years if the scheme affects a financial institution).
(c) Example: United States v. Umawa Oke Imo. A physician (Clardy) was convicted of mail fraud for his involvement in a physical
therapy clinic's (CNS's) health care fraud, in which the clinic sent bills to Medicare and Medicaid. From
approximately March 2, 2006 to June 26, 2009, CNS billed Medicare and Medicaid for approximately $30 million.
However, CNS was never registered to provide physical therapy services and did not have any licensed physical
therapists. Clardy contracted with CNS to work fifteen hours a week in return for a monthly salary of $5,000; this
contract was also submitted in CNS's application to Medicare. Indeed, based on the submitted bills, Clardy
supposedly supervised more than 380 patients during the course of a single day, each of whom purportedly received
three hours of physical therapy.
W) Sherman Act
i) Prohibits agreements in restraint of trade (section 1) and monopolization or attempts to monopolize (section 2).
(a) Horizontal restraints (between competitors)
• Price fixing, market allocation, bid rigging and group boycotts (per se illegal).
(b) Vertical restraints (between firms at different levels of the distribution chain)
• Exclusive dealing and tying (judged under the rule of reason).
ii) Penalties
(a) Civil and criminal
iii) Example
(a) Omnicare is the nation's largest institutional pharmacy. It provides pharmaceutical services to long-term
care facilities, such as nursing homes, in 47 states. Defendant-appellee UnitedHealth Group ("United") is a large
national provider of health insurance. Omnicare entered into separate service contracts with
merging Medicare Part D plan sponsors UnitedHealth Group and PacifiCare. PacifiCare employed its in-house PBM,
RxSolutions, to conduct its negotiations with Omnicare. By all accounts the negotiations did not proceed smoothly.
In early June 2005, RxSolutions sent to Omnicare a copy of PacifiCare's "any willing provider" contract, a form
contract that CMS required Part D plan sponsors to develop and make available to any pharmacy willing to sign it.
Omnicare in turn sent RxSolutions its own form contract, which included eighteen "Patient Protections" that
Omnicare developed to address the special needs of long-term care patients. Dissatisfied with the negotiations, Omnicare
filed a complaint alleging that United, PacifiCare, and RxSolutions (collectively "Defendants") violated section 1 of the
Sherman Antitrust Act, 15 U.S.C. § 1, and a parallel state statute, the Kentucky Consumer Protection Act. Held: Omnicare produced
no evidence of an agreement between United and PacifiCare to coordinate their negotiations with Omnicare before the merger closed, and
therefore could not prove that Defendants violated section 1 of the Sherman Act.
iv) Clayton Act
(a) Prohibits mergers, acquisitions and joint ventures whose effect may be substantially to lessen competition or to tend to create a monopoly.
(b) Requires
• Premerger notification to the FTC and DOJ, and a waiting period, for transactions above the Hart-Scott-Rodino thresholds.
(c) Penalties
• Civil (injunctions, divestiture, damages); criminal antitrust prosecutions proceed under the Sherman Act.
(d) Private right of action: yes. Section 4 of the Clayton Act allows any person injured by an antitrust violation to sue for treble damages.
X) Antitrust risk arises when a health care entity
i) has or could obtain market power, or
ii) enters into an agreement or engages in joint conduct with one or more competitors.
COMPARISON OF THE ANTI-KICKBACK STATUTE, THE STARK LAW AND THE FALSE CLAIMS ACT

(The three columns of the original table: AKS = the Anti-Kickback Statute, 42 U.S.C. § 1320a-7b(b); Stark = the Stark Law, 42 U.S.C. § 1395nn; FCA = the False Claims Act, 31 U.S.C. § 3729.)

Prohibition
  AKS: Prohibits offering, paying, soliciting or receiving anything of value to induce or reward referrals or to generate federal health care program business.
  Stark: Prohibits a physician from referring Medicare patients for designated health services (DHS) to an entity with which the physician (or an immediate family member) has a financial relationship, unless an exception applies; also prohibits the DHS entity from submitting claims to Medicare for services resulting from a prohibited referral.
  FCA: Knowingly submitting a claim to the government that, on its face, contains false or fraudulent information; knowingly retaining an overpayment (a reverse false claim); using a false record or statement to get a false or fraudulent claim paid or approved; conspiring to commit any of the acts forbidden by the Act (the conspiracy provision formerly at § 3729(a)(3), now § 3729(a)(1)(C)); a government contractor falsely accounting for the value of government property in its possession to avoid having to repay the government.

Referrals
  AKS: Referrals from anyone.
  Stark: Referrals from a physician.
  FCA: Not directly; may be coupled with the other statutes in a cause of action.

Items/Services
  AKS: Any items or services.
  Stark: Designated health services.
  FCA: Claims for health services.

Mens Rea
  AKS: Intent must be proven (knowing and willful).
  Stark: No intent standard for the overpayment (strict liability); intent is required for civil monetary penalties for knowing violations.
  FCA: "Knowingly" means (1) actual knowledge, (2) acting in deliberate ignorance, or (3) acting in reckless disregard of the truth or falsity of the information; no proof of specific intent to defraud is required.

Penalties
  AKS: Criminal: fines up to $25,000 per violation and up to a 5-year prison term per violation (figures as given in this outline; raised to $100,000 and 10 years by the Bipartisan Budget Act of 2018). Civil/Administrative: False Claims Act liability; civil monetary penalties and program exclusion; potential $50,000 CMP per violation; civil assessment of up to three times the amount of the kickback.
  Stark: Civil: overpayment/refund obligation; False Claims Act liability; civil monetary penalties and program exclusion for knowing violations; potential $15,000 CMP for each service; civil assessment of up to three times the amount claimed.
  FCA: Civil: between $10,781 and $21,563 for each false claim (figures as given in this outline; the per-claim penalty is adjusted for inflation annually), plus three times the government's damages.

Exceptions
  AKS: Properly disclosed discounts; a bona fide employee-employer relationship; specific waivers of coinsurance; specific arrangements between vendors and vendees (group purchasing organizations); certain managed care arrangements; and any other arrangements exempted in the regulations.
  Stark: Largely the same categories as the AKS safe harbors: ownership in publicly traded securities and mutual funds, rental of office space and equipment, bona fide employment relationships, personal service arrangements, physician incentive plans, physician recruitment, physician services, in-office ancillary services, and physician self-referrals for patients with end-stage renal disease (ESRD).
  FCA: There is an exception to the public disclosure bar if the relator is an "original source" of the information.

Safe Harbor
  AKS: Regulatory safe harbors for certain arrangements such as personal services and rental agreements, investments in ambulatory surgery centers, and payments to bona fide employees.
  Stark: Stark uses exceptions rather than safe harbors (see above); because Stark is strict liability, an arrangement must satisfy every element of an exception or the referral is prohibited.
  FCA: Not applicable.

Federal Health Care Programs
  AKS: All federal health care programs.
  Stark: Medicare/Medicaid.
  FCA: Any federally funded contract or program, with the exception of tax fraud.

Statute of Limitations
  AKS: 6 years.
  Stark: 6 years after the violation (?); 4-year reopening period for paid claims.
  FCA: The later of (1) 6 years after the date on which the violation is committed, or (2) 3 years after the date when the material facts giving rise to the cause of action are known or reasonably should have been known to the responsible government official, BUT in no event more than 10 years after the violation.

Preemption
  AKS: Partially preempts conflicting state statutes. A Florida statute was invalidated because (1) it contained no safe harbors and (2) it contained a lower mens rea standard (a violation for negligence rather than intent).
  Stark: No. Florida's more restrictive self-referral law did not conflict with or frustrate the purpose of the federal Stark law, and thus was not preempted.
  FCA: No. States are financially incentivized to pass their own laws so long as they are compliant with section 1909 of the SSA.

Whistleblower Provision
  AKS: Yes; a person may inform the government, and a reward is available once the government successfully prosecutes.
  Stark: Yes; a person may inform the government, and a reward is available once the government successfully prosecutes.
  FCA: Yes; a relator can bring a qui tam suit on behalf of the government and share in the proceeds. The Act further protects employees who come forward from retaliation (31 U.S.C. § 3730(h)).

Private Right of Action (PRA)
  AKS: No; the Anti-Kickback Statute contains no private right of action.
  Stark: No.
  FCA: Yes; an action can be brought by the Attorney General or by a private person (qui tam relator).
CHAPTER 3

I) Retrospective Versus Contemporaneous Reviews


A) Retrospective Review
i) Is done after a contemporaneous review has found issues and the data margins need to be widened in order to find any
further errors outside the scope of the contemporaneous review
B) Contemporaneous Review
i) It’s like taking a snapshot of current operations
ii) Can also be used as a benchmark
(a) OIG recommends that claims/services that were submitted and paid during initial three months after implementation
of the education and training program should be examined to give the physician practice a benchmark against which
to measure future compliance effectiveness.
iii) Only a limited set of data is reviewed (which means that data prior to or after those dates could include risks)
iv) Offers the provider an opportunity to correct a problem before it becomes bigger
v) They are reviews that, most times, include claims that have either not been billed yet or have not been paid by the third-
party payor, which means they can be corrected prior to becoming a False Claim
vi) The provider that ignores the retroactive implications of a contemporaneous review may potentially be exposing itself to
significant risks
C) Statute of Limitations on a False Claims Act claim
i) It is quite likely that the Government will review the matter for the entire time period open under the statute
ii) A cause of action may not be brought after the later of two periods: 6 years after the violation is committed, or
3 years after the date when the facts material to the right of action are known
iii) In practice this can range from 6 years to 10 years – the Government may have an argument to extend the statute to 10 years

CHAPTER 4

I) Investigation Process
A) Report or notice of misconduct
B) Description of misconduct
C) Determine the Scope of Investigation
D) List relevant documents
E) List employees interviewed
F) Take corrective action, if necessary
i) Change policies
ii) Document discipline
G) Produce a final report to the board
II) The Attorney-Client Privilege in the context of Healthcare Compliance Investigations
A) There is no requirement for outside counsel to be involved in the development of a compliance program, though they may be
useful in certain phases of program development and implementation.
B) It’s a common law concept
C) It’s considered communication that may be protected from disclosure during discovery because of attorney-client privilege
D) The privilege may apply not only to lower ranking employees but also to former employees and company consultants
E) The attorney-client privilege applies to communications made by the client but does not apply to the underlying facts of the
communication
i) Meaning – a litigant cannot shield from discovery the knowledge it possessed by claiming it communicated it to a lawyer
F) Waiver of privilege
i) May be waived directly by the client, inadvertently through careless disclosure of the information or by the operation of
law
G) The crime-fraud exception
i) An evidentiary rule that permits discovery of communications between a lawyer and the client if they are in furtherance of
a future or ongoing crime or fraud; such communications are not protected by the privilege
CHAPTERS 5 & 9 & 10

I) Financial Relationships with Physicians: Auditing and Monitoring Anti-Kickback Statute and Stark Law Compliance
A) Framework of Audit & Monitoring
i) Perform a risk assessment to determine level of risk
ii) understand laws and regulations
iii) obtain and/or establish policies for specific issues and areas
iv) educate on the policies and procedures and communicate awareness
v) monitor compliance with laws, regulations and policies
vi) audit the highest risk areas
vii) re-educate staff on regulations and issues identified in the audit
B) Audit Process
i) Analyze relevant data
ii) Interview appropriate people
iii) Obtain documents
iv) Perform the audit
v) Report the results to management /board
C) Corporate Integrity Agreement Negotiations
i) Definition of CIA: a consent decree, i.e., a negotiated settlement agreement between an organization and the government.
(a) Purpose: Avoid lengthy and costly litigation
(b) Duration: 3, 5 or 8 years
ii) Deferred Prosecution Agreement: the prosecutor in a criminal matter agrees to dismiss charges in exchange for the
defendant agreeing to fulfill certain requirements.
iii) Requirements:
(a) hire a compliance officer/appoint a compliance committee;
(b) develop written standards and policies;
(c) implement a comprehensive employee training program;
(d) retain an independent review organization to conduct annual reviews;
(e) Reestablish a confidential disclosure program;
(f) Restrict employment of ineligible persons;
(g) Report overpayments, reportable events, and ongoing investigations/legal proceedings; and
(h) Provide an implementation report and annual reports to OIG on the status of the entity's compliance activities.
D) Helpful tips
i) Establish credibility early
(a) A compliance officer who has clout with senior management
(b) A comprehensive code of conduct that emphasizes the importance of compliance and documentation that shows it’s
properly disseminated to all employees
(c) A structured training program and written evidence that every employee receives initial training and annual
retraining
(d) Written policies and procedures compiled so they can easily be shared with the OIG
(e) Evidence of an annual self-auditing plan, including documentation that overpayments are routinely refunded
ii) Don’t put off CIA negotiations until the end
iii) Involve Company personnel in the negotiations
iv) Use a lawyer who has experience negotiating CIAs
v) Be realistic
vi) Know what is negotiable and what is not – there are areas where the OIG has shown flexibility and, thus, which are more
likely to be successfully negotiated
(a) The organizational location of the compliance function within the company and the identification of the personnel
who will be responsible for compliance
(b) The content of the training program the company will conduct for all employees and deadline for conducting that
training
(c) The scope of auditing required to be performed by the IRO
vii) Use Cost-Benefit Analysis to justify proposals
viii) Bring the Independent Review Organization (IRO) to negotiations
ix) Closely Review the requirements for written policies and procedures

x) Prepare the first draft of the IRO work plan
xi) Look to other CIAs for guidance
xii) Try to make the OIG a partner
E) Corporate Integrity Agreements (CIA): The Outlier Approach
i) Certain physician relationships are identified as posing a greater risk of noncompliance
(a) Loans and other physician accounts receivable that are past due
(b) Leases of buildings where physicians have offices
(c) Personal services agreements and other payments to physicians
ii) These are the criteria that the OIG uses to identify “Outliers”
(a) Overdue loans and other past due accts
(b) Medical office building leases
(c) Personal service agreements and/or payments to physicians
(d) Multiple medical directorships at the same facility with the same apparent function
(e) Leases of physician-owned property or equipment without a fair market value (FMV) verification
(f) Physician recruitment arrangements
iii) Framework of CIA
(a) FSG, OIG’s voluntary compliance program guidance documents, and OIG Corporate Integrity Agreements (CIAs)
can be used as baseline assessment tools for Boards and management in determining what specific functions may
be necessary to meet the requirements of an effective compliance program.
iv) Typically contains the following conditions:
(a) hire a compliance officer/appoint a compliance committee
(b) develop written standards and policies
(c) implement a comprehensive employee training program
(a) All employees will receive training on how to perform their jobs in compliance with the standards of the
practice and any applicable regulations.
(d) retain an independent review organization to conduct annual reviews
(e) Establish a confidential disclosure program
(f) Restrict employment of ineligible persons
(a) Example: As a compliance officer, if you find out that a vendor or an employee is on the OIG exclusion list, you:
i. put the individual on leave
ii. report this to the agency
iii. conduct an audit to find all of his work that's been billed to federal programs
iv. return the money
v. inform private insurers
(g) Report overpayments, reportable events, and ongoing investigations/legal proceedings
(h) Provide an implementation report and annual reports to OIG on the status of the entity’s compliance activities
F) The main issues that an entity faces in preparing for an Independent Review Organization (IRO) engagement pursuant to a
CIA:
i) Choosing an IRO
ii) Defining independence of that IRO
iii) Differentiating the audit terminology in the compliance engagement from the billing engagement
iv) Developing a mechanism for meeting the time frames in the CIA
v) Discerning the differences in responsibilities under an Agreed-Upon Procedures engagement versus a Consulting
engagement
G) The OIG definition of independence
i) HHS Office of Inspector General (OIG)
ii) Whether the IRO or any of its members have financial interest in the provider
iii) Whether the IRO will audit the implementation of a compliance program
iv) Whether and to what extent the IRO was involved in the provider’s management decisions
v) Whether the IRO played any role in operating the provider’s compliance program
H) Preparing for the independent review organization compliance engagement
i) Responsibility for procedures
ii) Problem areas for the agreed-upon procedures engagement
iii) Preparing for the agreed-upon procedures engagement
iv) Form of the agreed-upon procedures report
I) Billing engagement
i) Responsibility for the procedures
ii) Problem areas for the agreed-upon procedures engagement
(a) The billing engagement typically contains provisions required by the IRO
(a) Costs incurred on behalf of the entity pertaining to the matters covered in the Settlement Agreement
(b) Cost incurred on behalf of the entity in connection with the government’s civil and criminal investigation
(c) The entity’s investigation, defense, or corrective action plans
(d) Negotiation of the Settlement Agreement or CIA
(e) Payment made pursuant to the Settlement Agreement
iii) Form of the agreed-upon report
J) Self-regulatory
K) Certificate of Compliance Agreements (CCA)
i) usually an option for providers with
(a) effective compliance programs in place such as:
(a) Monitoring billing;
(b) Recruiting and hiring staff; and
(c) Employee education and awareness.
(b) Orgs who cooperate and reply to all requests from the OIG in a timely and professional manner.
ii) Rules/Characteristics
(a) usually last three to five years
(b) Unlike a CIA, Independent Review Organization (“IRO”) not required.
(c) Requires provider certification regarding compliance program.
(d) Provider must agree to report overpayments or non-compliance.
iii) Compared to CIA
(a) Shorter Duration
(b) Less Costly
(c) Less Burdensome
L) Developing Audit Protocol
i) Types of relationships subject to audit
(a) Personal services agreements, consulting agreements, medical directorship agreements
(b) Leases of medical office building space to physicians
(c) Loans and other physician accounts owed to the facility
(d) Recruiting agreements
(e) Joint ventures between hospitals and physicians
(f) Employment agreements
(g) Acquisition or leases of physician-owned property by the facility
(h) Lavish gifts and entertainment and other benefits provided to physicians
ii) Determining sources of available data, here are examples of some of the types of documents and other files to be
examined during an audit
(a) Physician contract files
(b) Deal documents produced in connection with acquisitions
(c) Memoranda, correspondence, letter agreements
(d) Attorney opinion letters
(e) Rent rolls or other documents indicating payments of rental obligations
(f) General ledger and other accts receivable data
(g) Demand letters and other documents reflecting efforts to collect rents, loans, accts receivable
(h) Accounts payable files, W-2’s, 1099’s, check registers
(i) Appraisals, market surveys, independent valuations
(j) Referral/admissions data
iii) Defining the population subject to review
(a) Narrow the scope of review by reviewing only a portion of the population during any given review cycle
iv) Select the Audit Team
(a) Consideration should be given to the availability of personnel, cost of outside resources, and size of population to be
audited
(b) Composition of the audit team will determine the protocol to be used in data review

v) Sample Checklist
(a) Personal services agreements
(b) Employment agreements
(c) Leases (both space and equipment)
(d) Recruiting agreements
(e) Physician loans
(f) Acquisitions
(g) Joint ventures with physicians
(h) Entertainment/Gifts/Benefits from referral sources

CHAPTER 6

I) Creating Databases of Financial Relationships – for use by compliance officers who are considering whether to design and
implement a database to keep track of arrangements that pose compliance risks to the organization
A) Reasons to Create a database
i) Because monitoring high-risk areas is what compliance is all about
ii) To provide a principled basis to advise the board that the organization complies with the law
iii) Because CMS can demand the information on 30 days advance notice
iv) Because your organization is just (un)lucky
v) To monitor the expiration dates of contracts
B) Designing the database
i) Identifying the goal
ii) Defining the time period
iii) Defining the team
iv) Defining the fields
v) Locating the information
C) Define the fields in the database
i) The parties to each Arrangement
ii) A characterization of the Arrangement
iii) When the Arrangement begins and ends
iv) The compensation and how it will be paid
v) How fair market value was determined
vi) Whether the payments are based on the volume or value of referrals between the parties
vii) Whether each party has certified that they will not violate Stark or the Anti-Kickback statute
viii) Whether the Arrangement satisfies the requirements of an Anti-Kickback statute safe harbor and/or a Stark law exception
or safe harbor

CHAPTER 7

I) Developing a Voluntary Disclosure and Refund – the importance of having reasonable plans in place for making a voluntary
disclosure and possible refund cannot be stressed enough
A) Communicating about regulatory interpretations
B) Identifying high-risk areas to review
C) Working closely with counsel
D) Planning and conducting the self-disclosure and refund review
i) Identification of the source of the practice at issue
ii) The organization’s departments that are associated with the practice in question
iii) The government agency, carrier or fiscal intermediary that has been or may have been affected by the practice in
question
iv) Any potential fraud issues raised by the practice and relevant documentation of those issues
v) The time period during which the practice appears to have occurred
vi) Corporate officials and employees who knew of, encouraged or participated in any improper or illegal practice
II) Responding appropriately when a voluntary refund becomes possible
A) The organization should adequately understand the problem before it has to disclose it
i) The Federal Sentencing Guidelines (FSG) Purpose
(a) Enacted in 1991 and revised in 2004

(b) So that sanctions that are imposed will provide just punishment, adequate deterrence and incentives for org to
maintain internal mechanisms.
(c) Elements of FSG
(a) Establish compliance policies and procedures for its employees
(i) Communicate standards to the board, senior leaders, managers and employees
(ii) Management informed of program
(iii) Ensure engagement of employees in ethical conduct
(b) Assigned high-ranking individuals to oversee the compliance program
(c) Screen: Take care not to give known wrongdoers positions involving discretion or authority
(d) Education: Provided training to all employees on its policies and procedures
(e) Take steps to ensure compliance and to detect violations such as monitoring and auditing systems as well
as created a mechanism through which employees feel safe and comfortable reporting concerns
(i) Ongoing auditing and monitoring will evaluate whether the physician practice's standards and
procedures are current and accurate and whether the compliance program is working.
(f) Consistently responded to detected violations and Remediate problem
(g) Evaluated and modified its programs to try and ensure enhanced prevention and detection of illegality
(d) Guidance for assessing fines and calculating the culpability score
(a) Culpability score –adds points for aggravating factors and subtracts points for mitigating factors in determining
fines.
(i) Aggravating factors – the four factors that increase the ultimate punishment of an organization are:
1. involvement in, or tolerance of, criminal activity;
a. Upper level employee has participated in, condoned or was willfully ignorant of the offense
b. If awareness of and tolerance of the violation were pervasive
2. prior history of the organization;
a. Violation was a repeat offense
3. violation of an order; and
4. obstruction of justice
a. Gov’t was hindered during its investigations
(ii) Mitigating factors:
1. Org has an effective compliance & ethics programs
a. Maintain credibility and integrity of the program
2. self-reporting, cooperation, or acceptance of responsibility
a. Suspend payments or claims until resolved
b. Compliance manager and GC to investigate
c. Take corrective action
d. If repayment is due
e. Org has reported the violation promptly within 60 days
3. Org has cooperated with the govt investigation
4. Org has accepted responsibility
B) Avoid conduct that could be misconstrued as an attempt to conceal a problem
III) Deciding to Whom the disclosure and refund should be made
A) OIG expects those who participate in federal healthcare programs to prevent fraudulent activity
B) OIG also expects those who participate to adequately investigate any potential overpayments
IV) Determining the appropriate voluntary self-disclosure protocol
A) Consider risks associated with self-disclosure
B) The amendments also increased the per-claim penalties for a false claim: the minimum rose from $5,500 to $10,781
C) The maximum per-claim penalty rose from $11,000 to $21,563
V) Continuing with improvements to the compliance program
A) This is an on-going effort

CHAPTER 8

I) Medicare Program Provider Self-Audits

MEDICARE BREAKDOWN (Service / Medicare Plan / Cost)

Part A – Hospital (“Original Medicare”) – Free for eligible persons
Part B – Medical coverage (“Original Medicare”): physician, durable equipment, X-rays, labs, out-patient, mental health,
home health, ambulance – Premium paid by subscriber
Part C – Combines A & B; co-pays – Medicare policy that allows approved private health insurance companies to provide
Medicare benefits
Part D – Out-patient prescription drug – Part D is provided only through private insurance companies that have contracts
with the government; it is never provided directly by the government (as Original Medicare is)

A) The function of the Medicaid fraud and abuse control units is to conduct statewide investigations and prosecutions under
applicable state laws
i) Balanced Budget Act of 1997 –the government has a three-strike rule, requiring permanent expulsion from government
health care programs for any health care organization found guilty of fraud for the third time.
(a) Providers may opt-out of Medicare program and enter into private contracts with Medicare recipients.
(b) Health care providers can be excluded from health care programs as a sanction.
(a) Exclusion List: the List of Excluded Individuals and Entities (LEIE)
(i) Exclusion means that no program payments will be made for items or services furnished, ordered or
prescribed by an excluded entity.
1. Updated monthly
2. Failure to comply could result in civil monetary penalties (CMP)
3. May not be able to get a provider number
4. DHS cannot and should not hire individuals on the exclusion list
a. Example: Home Health Care company cannot hire a nursing assistant who is on the excluded list.
b. Example: if a hospital hires a physician that is on the exclusion list, they cannot receive
reimbursement for any tests ordered by that physician.
(b) Exclusions may be mandatory or permissive
(i) Mandatory exclusion
1. for patient neglect and abuse
2. conviction of a program related crime
3. conviction relating to a patient abuse
4. felony conviction for controlled substances
5. felony conviction for health care fraud
(ii) Who can be excluded
1. Entities
2. Health Professionals
a. Billers
b. Physicians
c. Other medical staff
3. Volunteers
(iii) Permissive exclusion
1. Misrepresentations or omissions on an enrollment application
2. certain misdemeanors
3. loss of state license to practice
4. failure to repay health education loans
5. failure to provide quality care
(iv) Length of the exclusion
1. Licensure actions--indefinite
2. Minimum term of 5 years (abuse and neglect)
3. Reinstatement is not automatic; an excluded individual must apply for reinstatement and must receive
notice that it has been granted.
(c) Example: Inspector General v. Hanlester Network - The Hanlester Network (Hanlester), a California general
partnership, was formed.
(d) The original general partners in Hanlester were the Hanlester Corporation, James A. Padova, M.D., Inc., a
California medical corporation, Gene Tasha, and Ned Welsh. The Hanlester Corporation owned the majority
interest in the Hanlester Network prior to 1989. On April 9, 1987, Hanlester and SKBL entered into a master
laboratory service agreement. In that agreement, SKBL agreed to provide laboratory management services to
all joint venture laboratories in which Hanlester had an ownership interest. Hanlester had exclusive authority to
make all management decisions for Placer, PPCL, and Omni. Between March 1987 and March 1988, Hanlester
issued private placement memoranda offering limited partnership shares in PPCL, Placer, and Omni. On July
27, 1987, SKBL entered into a laboratory management agreement with PPCL. The agreement required PPCL
to provide the services of a licensed Medical Director, and to pay SKBL a monthly management fee of $15,000
or 80% of all net cash receipts, whichever was greater. Hanlester and SKBL entered into a laboratory support
services agreement in which Hanlester would set up and service client accounts for PPCL. Hanlester was
notified by OIG in December 1989 that the Inspector General had determined that the Hanlester respondents (hereafter
referred to as appellants) had violated § 1128B(b)(2) of the Social Security Act (the Act) by offering and paying
remuneration to physician-investors to induce them to refer laboratory tests to the three Hanlester laboratories,
and by soliciting and receiving payments from SKBL in return for referrals of lab tests, and that it would be
proposed that all of the appellants be excluded from the Medicare and state health care programs under
§ 1128(b)(7) for varying periods of time.
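The exclusion-list check described above (and the compliance officer's response to a hit in the Chapter 5 CIA example: leave, report, audit billed work, repay) is a control that can be run as a monthly job. The following is an added example, not code from the CHC outline; the LEIE column names are assumed from the public download layout, and every exclusion, roster and claims row below is constructed for illustration.

```python
"""Screen a staff/vendor roster against an OIG exclusion-list download.

Added example (not from the CHC outline). Column names follow the public
LEIE CSV layout as assumed here; all rows are constructed, not real records.
"""
import csv
import io
import re
from datetime import date

# Constructed sample of an LEIE-style download (not real exclusion records).
LEIE_CSV = """LASTNAME,FIRSTNAME,NPI,EXCLTYPE,EXCLDATE,REINDATE
DOE,JOHN,1234567893,1128a1,20190115,00000000
ROE,JANE,0000000000,1128b4,20170601,20220601
SMITH,ROBERT,1987654321,1128a3,20200301,00000000
"""

# Constructed roster: employees (E...) and vendors (V...) as HR/AP hold them.
ROSTER_CSV = """id,last_name,first_name,npi,role
E100,Doe,John,1234567893,physician
E101,Roe,Jane,,nursing assistant
V200,Smith,Bob,,vendor
V201,Smith,Robert,,vendor
E102,Lee,Ann,1122334455,biller
"""

# Constructed claims ledger: claim id, ordering/rendering roster id, date.
CLAIMS_CSV = """claim_id,roster_id,service_date,program
C1,E100,2021-03-04,Medicare
C2,E102,2021-03-05,Medicare
C3,E100,2018-12-20,Medicaid
"""


def _norm(s):
    """Uppercase and drop non-letters so 'Doe' and ' DOE' compare equal."""
    return re.sub(r"[^A-Z]", "", s.upper())


def _leie_date(s):
    """LEIE dates are YYYYMMDD; 00000000 means 'no date'."""
    return None if s == "00000000" else date(int(s[:4]), int(s[4:6]), int(s[6:]))


def load_exclusions(text):
    """Parse the download into records; a zero NPI is treated as unknown."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "last": _norm(r["LASTNAME"]), "first": _norm(r["FIRSTNAME"]),
            "npi": "" if r["NPI"] == "0000000000" else r["NPI"],
            "type": r["EXCLTYPE"],
            "start": _leie_date(r["EXCLDATE"]),
            "reinstated": _leie_date(r["REINDATE"]),
        })
    return rows


def screen_roster(roster_text, exclusions):
    """Return {roster_id: (match_basis, exclusion_record)} for active exclusions.

    An NPI match is definitive. A name-only match is a potential match that
    staff must resolve manually, because the list has no other unique key.
    Reinstated individuals (REINDATE in the past) are no longer excluded.
    """
    hits = {}
    for p in csv.DictReader(io.StringIO(roster_text)):
        for ex in exclusions:
            if ex["reinstated"] is not None and ex["reinstated"] <= date.today():
                continue
            if p["npi"] and ex["npi"] and p["npi"] == ex["npi"]:
                hits[p["id"]] = ("npi", ex)
                break
            if _norm(p["last_name"]) == ex["last"] and _norm(p["first_name"]) == ex["first"]:
                hits.setdefault(p["id"], ("name", ex))
    return hits


def claims_to_review(claims_text, hits):
    """Claim ids billed on or after the exclusion start date by a hit.

    These are the items the outline says must be audited and repaid.
    """
    flagged = []
    for c in csv.DictReader(io.StringIO(claims_text)):
        hit = hits.get(c["roster_id"])
        if hit is None:
            continue
        start = hit[1]["start"]
        if start is None or date.fromisoformat(c["service_date"]) >= start:
            flagged.append(c["claim_id"])
    return flagged


if __name__ == "__main__":
    found = screen_roster(ROSTER_CSV, load_exclusions(LEIE_CSV))
    for rid, (basis, ex) in found.items():
        print(rid, basis, ex["type"], ex["start"])
    print("claims to audit:", claims_to_review(CLAIMS_CSV, found))
```

Name-only matches (V201 here) are deliberately kept separate from NPI matches so a reviewer can clear false positives; V200 ("Bob") is not matched at all, which is why screening should also be run against nicknames and prior names held by HR.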
B) Federal regulations require Medicaid
i) HHS Health Care Fraud and Abuse Control (HCFAC)
ii) Self-Auditing Methodology
(a) Billing for phantom patient visits
(b) Billing for goods or services not provided
(c) Billing for more hours than there are in a day
(d) Billing for medically unnecessary testing
(e) Paying kickbacks in exchange for referrals
(f) Charging personal expenses to Medicaid
(g) Inflating the bills for services or goods provided
(h) Concealing ownership of related companies
(i) Falsifying credentials and double billing
C) Yates memo: strengthening the pursuit of individual corporate wrongdoing
i) Provide Dept with all relevant facts relating to individuals responsible for misconduct;
ii) criminal and civil corporate investigations should focus on individuals responsible for misconduct;
iii) criminal and civil attorneys handling corporate investigations should be in routine communication with one another;
iv) Individual culpability: dept. will not release culpable individuals from civil and criminal liability when resolving a
matter with a corporation;
v) dept attys should not resolve matters with a corporation without a clear plan to resolve related individual cases and should
memorialize any declinations as to individuals in such cases;
vi) civil attorneys should consistently focus on individuals as well as company and evaluate whether to bring suit against an
individual based on considerations beyond that individual's ability to pay.
D) Office of Inspector General (OIG) investigations Specific examples
i) OIG Five Point Strategy (CORPE) to prevent fraud and waste: key principles in the strategic work plan in
efforts to effectively focus on audit, evaluation, investigation, enforcement and compliance efforts
(a) Enrollment: Scrutinize individuals and entities that want to participate as providers and suppliers prior to their
enrollment or reenrollment in the health care programs.
(b) Payment: Establish payment methodologies that are reasonable and responsive to changes in the marketplace and
medical practice.

(c) Compliance: Assist health care providers and suppliers in adopting practices that promote compliance with
program requirements.
(d) Oversight: Vigilantly monitor the programs for evidence of fraud, waste, and abuse.
(e) Response: Respond swiftly to detected fraud, impose sufficient punishment to deter others, and promptly remedy
program vulnerabilities.
ii) Improper compensation arrangements
(a) Example: Adventist Health System has agreed to pay the United States $115 million to settle allegations that it
violated the False Claims Act by maintaining improper compensation arrangements with referring physicians and by
miscoding claims, the Justice Department announced today. Adventist is a non-profit healthcare organization that
operates hospitals and other health care facilities in 10 states. Adventist-owned hospitals, such as Park Ridge,
allegedly paid doctors bonuses based on the number of tests and procedures they ordered. This type of financial
incentive is not only prohibited by law, but can undermine patients’ medical care.
iii) False Claims for mental health treatment
(a) Example: Houston-Area Psychiatrist Convicted of Health Care Fraud for Role in $158 Million Medicare Fraud
Scheme. Riaz Mazcuri, 65, of Harris County, Texas, was convicted of one count of conspiracy to commit health care
fraud and five counts of health care fraud. From 2006 until February 2012, Mazcuri and others engaged in a scheme
to defraud Medicare by submitting to Medicare, through Riverside General Hospital (Riverside). Mazcuri
participated in a scheme by which Riverside paid bribes and kickbacks to group home owners and nursing home
employees in exchange for sending Medicare patients to Riverside’s PHPs. Mazcuri indiscriminately admitted and
readmitted these patients into these intensive psychiatric programs – often for years on end – many of whom
suffered from severe Alzheimer’s or dementia and were unable to participate in the treatment purportedly provided
at the PHPs, and who therefore did not qualify for the services, the evidence showed. Mazcuri rarely saw patients
and visited the PHPs briefly every week or so to sign documents and briefly see patients.
iv) Nationwide false billing schemes
(a) Example: National Health Care Fraud Takedown Results in Charges Against Over 412 Individuals Responsible for
$1.3 Billion in Fraud Losses. Health care fraud enforcement action by the Medicare Fraud Strike Force, involving
412 charged defendants across 41 federal districts, including 115 doctors, nurses and other licensed medical
professionals, for their alleged participation in health care fraud schemes involving approximately $1.3 billion in
false billings. Of those charged, over 120 defendants, including doctors, were charged for their roles in prescribing
and distributing opioids and other dangerous narcotics.
v) Kickbacks through a joint venture business
(a) Example: DaVita Healthcare Partners, Inc., the largest provider of dialysis services in the United States, has agreed
to pay $450 million to resolve claims that it violated the False Claims Act by knowingly creating unnecessary waste
in administering the drugs Zemplar and Venofer to dialysis patients, and then billing the federal government for
such avoidable waste. This civil settlement resolves allegations brought in a whistleblower action that DaVita
devised and employed dosing grids and/or protocols specifically designed to create unnecessary waste of the drugs
Venofer and Zemplar. These drugs are packaged in single-use vials, which are intended for one-time use.
Sometimes, the amount of the drug in the vials does not match the dosage specified by the physician, resulting in the
remainder of the drug in the vial being discarded.
vi) Medically unnecessary chemotherapy
(a) Example: Michigan doctor who misdiagnosed patients with cancer and then bombarded them with unnecessary
treatments will have to face his victims — who lost their health, savings and trust. He was sentenced today to serve
45 years in prison for his role in a health care fraud scheme that included administering medically unnecessary
infusions or injections to 553 individual patients and submitting to Medicare and private insurance companies
approximately $34 million in fraudulent claims.
vii) Improper billing services
(a) Example: Community Health Systems Inc. (CHS), the nation’s largest operator of acute care hospitals, has agreed to
pay $98.15 million to resolve multiple lawsuits alleging that the company knowingly billed government health care
programs for inpatient services that should have been billed as outpatient or observation services. The settlement
also resolves allegations that one of the company’s affiliated hospitals, Laredo Medical Center (LMC), improperly
billed the Medicare program for certain inpatient procedures and for services rendered to patients referred in
violation of the Physician Self-Referral Law, commonly known as the Stark Law.
viii) Unlawful drug promotions and pricing

(a) Example: GlaxoSmithKline LLC (GSK) agreed to plead guilty and to pay $3 billion to resolve its criminal and civil
liability arising from the company’s unlawful promotion of certain prescription drugs, its failure to report certain
safety data, and its civil liability for alleged false price reporting practices, the Justice Department announced today.
From April 1998 to August 2003, GSK unlawfully promoted (off-label marketing) Paxil for treating depression in
patients under age 18, even though the FDA has never approved it for pediatric use. GSK did not make available
data from two other studies in which Paxil also failed to demonstrate efficacy in treating depression in patients under
18. From January 1999 to December 2003, GSK promoted Wellbutrin, approved at that time only for Major
Depressive Disorder, for weight loss, the treatment of sexual dysfunction, substance addictions and Attention Deficit
Hyperactivity Disorder, among other off-label uses. The United States contends that GSK paid millions of dollars to
doctors to speak at and attend meetings, sometimes at lavish resorts, at which the off-label uses of Wellbutrin were
routinely promoted and also used sales representatives, sham advisory boards, and supposedly independent
Continuing Medical Education (CME) programs to promote Wellbutrin for these unapproved uses. Between 2001 and
2007, GSK failed to include certain safety data about Avandia, a diabetes drug, in reports to the FDA that are meant
to allow the FDA to determine if a drug continues to be safe for its approved indications and to spot drug safety
trends. FDA has added two black box warnings to the Avandia label to alert physicians about the potential increased
risk of (1) congestive heart failure, and (2) myocardial infarction (heart attack).

I) HYPOS
2. You are told of a physician who is doing fraudulent billing
a. conduct an audit of the physician's billing
b. if the audit confirms fraudulent billing:
c. prevent the physician from continuing to work
d. inform the correct agency
e. audit the incorrect billing
f. return the money
g. develop an analysis as to why it happened
3. Mistakes in billing:
a. notify the OIG
b. correct the practice
c. perform an analysis of the cause of the mistake
d. monitor and audit this area
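The hypotheticals above say to audit the physician's billing and to monitor and audit the area, and the definitions that follow name the billing patterns an auditor looks for (Clustering, Upcoding, Benchmarking against peers), but the outline does not show how such a screen is run. The following is an added example written for this outline; it is not code from the outline, the OIG, CMS or any vendor tool. It takes a constructed set of office-visit claims (a hypothetical provider ID plus an evaluation-and-management level from 1 to 5; no real CPT codes, providers or claims), compares each provider's level mix with the pooled peer mix, and flags a clustering pattern and an upcoding pattern. The provider IDs, the level numbers and the thresholds (90% of visits in one or two middle levels; high-level share at least double the peers' and at least 30%) are assumptions chosen for illustration.

```python
"""Billing-pattern screen for a physician billing audit.

Added example for the CHC outline (not from the outline, OIG or CMS): for each
provider, compute the share of office visits billed at each E/M level, compare
it with the pooled peer share, and flag clustering and upcoding patterns.
"""
from collections import Counter, defaultdict

MIDDLE_LEVELS = (2, 3, 4)   # "middle levels" in the Clustering definition (assumed)
HIGH_LEVELS = (4, 5)        # levels an upcoding pattern inflates (assumed)


def _visits(provider, counts):
    """Expand {level: number_of_visits} into (provider, level) claim rows."""
    return [(provider, level) for level, n in counts.items() for _ in range(n)]


# Constructed sample claims: 25 visits per hypothetical provider.
SAMPLE_CLAIMS = (
    _visits("DR_A", {1: 2, 2: 6, 3: 10, 4: 6, 5: 1})   # ordinary spread of levels
    + _visits("DR_B", {3: 24, 4: 1})                    # nearly everything at level 3
    + _visits("DR_C", {3: 5, 4: 12, 5: 8})              # heavy at levels 4 and 5
    + _visits("DR_D", {2: 8, 3: 10, 4: 5, 5: 2})        # ordinary spread of levels
)


def level_shares(claims):
    """Return {provider: {level: share of that provider's visits}}."""
    counts = defaultdict(Counter)
    for provider, level in claims:
        counts[provider][level] += 1
    return {
        provider: {level: n / sum(c.values()) for level, n in c.items()}
        for provider, c in counts.items()
    }


def peer_high_level_share(claims, provider, high_levels=HIGH_LEVELS):
    """Share of visits at high levels across every provider except `provider`."""
    others = [level for p, level in claims if p != provider]
    if not others:
        return 0.0
    return sum(1 for level in others if level in high_levels) / len(others)


def is_clustering(shares, middle_levels=MIDDLE_LEVELS, threshold=0.90):
    """True when one or two middle levels account for >= threshold of visits."""
    top_two = sorted(shares.items(), key=lambda kv: kv[1], reverse=True)[:2]
    return (all(level in middle_levels for level, _ in top_two)
            and sum(share for _, share in top_two) >= threshold)


def is_upcoding(shares, peer_high_share, high_levels=HIGH_LEVELS,
                ratio=2.0, min_share=0.30):
    """True when the high-level share is large and well above the peer share."""
    own_high_share = sum(shares.get(level, 0.0) for level in high_levels)
    return own_high_share >= min_share and own_high_share >= ratio * peer_high_share


def screen_claims(claims):
    """Return {provider: [pattern names]}; an empty list means nothing flagged."""
    findings = {}
    for provider, shares in level_shares(claims).items():
        flags = []
        if is_clustering(shares):
            flags.append("clustering")
        if is_upcoding(shares, peer_high_level_share(claims, provider)):
            flags.append("upcoding")
        findings[provider] = flags
    return findings


if __name__ == "__main__":
    for provider, flags in screen_claims(SAMPLE_CLAIMS).items():
        print(f"{provider}: {', '.join(flags) or 'no pattern flagged'}")
```

A flag from this screen is a lead that selects claims for the documentation review (see the probe-sample sizes under Probe Sample), not a finding: whether a pattern is abuse or fraud turns on what the records support and on intent. The peer benchmark is built from the other providers in the same data set, so it only works when the providers are comparable, which is why the Benchmarking definition points to an external standard rather than the local average.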

DEFINITIONS (mainly from the Compliance 101 book; another source: AAPC)

 Abuse -Includes actions that may, directly or indirectly, result in: unnecessary costs to the Medicare Program, improper
payment, payment for services that fail to meet professionally recognized standards of care, or services that are medically
unnecessary. Abuse involves payment for items or services where there is no legal entitlement to that payment and the
provider has not knowingly and/or intentionally misrepresented facts to obtain payment. Abuse includes actions similar to
fraud but not proven to be criminal. A distinction from fraud is the lack of intent.
 Accountable Care Organizations (ACOs) are groups of doctors, hospitals, and other health care providers, who come
together voluntarily to give coordinated high-quality care to their Medicare patients.
 Advance beneficiary notice of non-coverage (ABN)—written notice to a beneficiary by a provider informing the
beneficiary that Medicare may deny payment for an item or service and that the beneficiary may be responsible for payment.
Allows the beneficiary to refuse that particular service or item to limit financial liability. If the patient refuses to sign, obtain the
signature of a witness on the ABN and bill the service to Medicare. Providers are prohibited from issuing these on a routine
basis.
 Anti-kickback Law –prohibits the solicitation, receiving, offering or paying of any remuneration, directly or indirectly, in
cash or in kind, in exchange for referrals.
 Attestation –affirmation by signature, usually on a printed form, that the action outlined has been accomplished by
the individual signing; agreeing to adhere to terms.
 Attorney-client privilege –accepted policy that communication between a client and attorney in the course of
the professional relationship is confidential and that such communication cannot be disclosed without the consent of the client.
 Auditing-- a formal retrospective review with a methodical approach and sampling of cases. It is performed periodically,
though less often than monitoring, e.g. every 6 months or annually. HCCA definition: a formal, systematic and disciplined
approach designed to evaluate and improve the effectiveness of processes and related controls. Auditing is governed by
professional standards, completed by individuals independent of the process being audited, and normally performed by
individuals with one of several acknowledged certifications. Objectivity in governance reporting is the benefit of
independence. On-site auditing is considered an essential element of an effective audit program.
 Audit, baseline— a systematic inspection of records, policies and procedures with the goal of establishing a set of benchmarks
for comparison in future inspections, e.g. when a compliance professional discovers non-compliance with a regulation (AAPC
definition). A baseline audit is typically the initial audit in a series of identical audits, and as such establishes the baseline
against which progress measured by future audits is compared (HCCA definition).
 Audit, concurrent –inspection of records, policies and procedures at a given point in time, in which identified problems are
audited as they arise.
 Audit, prospective— occurs before billing or reporting, allowing an organization to correct discovered errors before
submitting the bill.
 Audit, retrospective –audit of historical events (paid claims, executed contracts). How far back can be determined by statute
or milestones.
 Balanced Budget Act of 1997 –reform of Medicare/Medicaid programs in the areas of home health and patient transfers.
Mandated permanent exclusion from participation in federally funded health care programs of those convicted of three health
care related crimes.
 Benchmarking—the measurement of performance against best practice standards. In many instances, an appropriate
benchmark would be a provider that appears in the top 10% of all providers for more than a year.
 Best Practices –generally recognized superior performance by organizations in operational and financial processes.
 Business Associate –person or entity that performs certain functions or activities that involve the use or disclosure of PHI on
behalf of a covered entity. Example of services: claim processing, administration, data analysis, processing or administration,
utilization review, quality assurance, billing/benefit management, repricing. Example of BA: Legal, consulting, accounting,
actuarial, data integration, and financial services.
 Business Associate Agreement (BAA) –the HIPAA Privacy Rule requires that before PHI can be shared between a covered
entity and a business associate, the business associate must sign a written agreement that gives satisfactory assurances that it
will not disclose PHI in a manner that violates the Privacy Rule requirements. The BAA must define the function of the business
associate and the limits on its use and disclosure of PHI. It must also define what will happen to PHI held by the BA upon
termination of the agreement.
 Caremark International Derivative Litigation –civil settlement in which an imposed CIA precluded Caremark from
providing health care in certain forms for a period of five years. Also suggests that the failure of a corporate director to
attempt in good faith to institute a compliance and ethics program in certain situations may be a breach of the director's
fiduciary obligation. The duty of care principle is characterized as acting in good faith with the care of an ordinarily prudent
person under similar circumstances.
 Centers for Medicare and Medicaid Services (CMS)—a component of the HHS that administers the Medicare, Medicaid
and state children’s health insurance programs.
 Certificates of Compliance Agreements (CCA)— negotiated agreement with health care providers and other entities, in
lieu of a comprehensive Corporate Integrity Agreement (CIA), under appropriate circumstances. The terms of a CCA include
a requirement that the entity maintain its existing compliance program, as described in a Declaration that is attached to the
CCA.
 Certified Professional Coder (CPC)—A coder who has satisfied certification requirements as established by the American
Academy of Professional coders.
 Comprehensive Error Rate Testing (CERT)--The Centers for Medicare & Medicaid Services (CMS) calculates the
Medicare Fee-for-Service (FFS) improper payment rate through the Comprehensive Error Rate Testing (CERT) program. The
FY 2016 Medicare FFS program improper payment rate is 11.00 percent, representing $41.08 billion in improper payments,
compared to the FY 2015 improper payment rate of 12.09 percent or $43.33 billion in improper payments.
 Chain of Command—hierarchy of reporting structure within an organization, which assumes all issues will be presented
first to one’s immediate supervisor.
 Circumvention scheme— an arrangement or scheme (such as a cross-referral arrangement) that the physician or entity
knows or should know has a principal purpose of assuring referrals by the physician to a particular entity which, if the
physician directly made referrals to such entity.
 Civil Money Penalties—The Office of Inspector General (OIG) has the authority to seek civil monetary penalties (CMPs),
assessments, and exclusion against an individual or entity based on a wide variety of prohibited conduct. In each CMP case
resolved through a settlement agreement, the settling party has contested the OIG's allegations and denied any liability. No
CMP judgment or finding of liability has been made against the settling party.
 Civil Monetary Penalties Law (CMPL)—regulations which apply to any claim for an item or service that was not provided
as claimed or that was knowingly submitted as false, and which provide guidelines for the levying of fines for such offenses.
 clinically integrated network or "CIN"
 Cloning -copying and pasting notes from one medical record into another without regard to the individual medical diagnosis
 Clustering-the practice of coding/charging one or two middle levels of service codes exclusively, under the philosophy that
some will be higher, some lower, and the charges will average out over an extended period (in reality, this overcharges some
patients while undercharging others).
 Compliance –adherence to the laws and regulations passed by official regulating bodies as well as general principles of
ethical conduct.
 Conflict of Interest (COI)-The risk that an individual’s external financial interests or relationships may bias or compromise or
have the appearance of biasing or compromising an individual’s judgment, objectivity, or decision making in clinical,
research, and other activities.
 Corporate Integrity Agreement (CIA)—negotiated settlement between an organization and the OIG in which the provider
accepts no liability but must agree to implement a strict plan of OIG-supervised corrective action.
 Covered Entities –(1) health plan, (2) health care clearinghouse or (3) health care provider who transmits any health
information in electronic form in connection with a transaction covered by this subchapter.
 Culpability Score –a system that adds points for aggravating factors and subtracts points for mitigating factors in the
determination of fines imposed for fraud or abuse.
 Current Procedural Terminology (CPT)—a publication of the American Medical Association which lists and assigns
codes to procedures and services performed by physicians.
 De-identified information—information that does not identify an individual and for which there is no reasonable basis to
believe that the information can be used to identify an individual. Requires removal of all 18 identifiers.
 Dedicated Emergency Department- Licensed by the state as an emergency department; Held out to the public as a place
that provides care for emergency medical conditions on an urgent basis without an appointment; or Provided at least 1/3 of all
outpatient visits for the treatment of emergency medical conditions on an urgent basis without an appointment.
 Department of Labor –this federal agency administers and enforces laws and regulations that govern workplace activities,
including wages and OT pay, workers’ compensation, workplace safety and health, employee benefits, certain nonimmigrant
visa program.
 Designated Health Services (DHS)—physical therapy, occupational therapy, speech pathology, radiology, imaging,
radiation therapy and services, durable medical equipment and supplies, home health services, prosthetics, orthotics,
outpatient hospital services, inpatient and outpatient hospital services.
 DMEPOS-durable medical equipment, prosthetics, orthotics, and supplies. To be eligible for Medicare reimbursement, all
DMEPOS suppliers must enroll in the program and must comply with 26 supplier standards. These standards are designed to
ensure that suppliers are legitimate. Standards include but are not limited to the following: 1) The supplier must maintain a
physical facility, 2) The facility must be accessible during business hours, 3) The facility must have a visible sign, 4) The
supplier’s hours of operation must be posted, 5) The supplier must maintain a primary business telephone listed under the
name of the business.
 Designated Record Set – see above under EHR.
 Diagnosis related Groups (DRG) –classification of diagnosis determined by the average cost of treating a particular
condition, regardless of the number of services rendered or the length of patient stay; Medicare reimbursement is assigned by
DRG.
 Disclosure –release, transfer, provision of, access to or divulging in any other manner of information outside the entity
holding the information.
 Diversionary status- lacks staff or facilities to accept additional emergency patients.
 Electronic Health Record (EHR) is an electronic version of a patient's medical history that is maintained by the provider
over time, and may include all of the key administrative and clinical data relevant to that person's care under a particular provider,
including demographics, progress notes, problems, medications.
 Electronic medical record (EMR) is a digital version of a paper chart that contains all of a patient's medical history from
one practice.
 Employee Retirement Income Security Act (ERISA)—exempts self-insured health plans from state laws governing health
insurance and requires health plans to provide certain information to enrollees.
 Equal Employment Opportunity Commission (EEOC)—reviews and investigates charges of discrimination and if found
to be true, attempts to remedy through conciliation or legal means.

 Entity- (Stark definition) person or legal entity that furnishes DHS.
 Exclusion -OIG prevents an individual or entity from participating in Medicare or Medicaid.
 Fair Market Value—value in an arm's-length transaction, consistent with general market value, being the price an asset
would bring as the result of bona fide bargaining.
 False Claims Act (FCA)—prohibits anyone from knowingly submitting or causing to be submitted a false or fraudulent claim.
 Family and Medical Leave Act ("FMLA") entitles eligible employees of covered employers to take unpaid, job-protected
leave for certain family and medical reasons. These medical reasons include the "serious health condition" of an employee's
spouse, child, or parent, or the "serious health condition" of the employee that prevents him/her from performing the essential
functions of their job.
 Federal Sentencing guidelines (FSG)—developed by US Sentencing Commission, independent agency of the judicial
branch, governing the sentencing of individuals and organizations.
 Fiduciary/Fiscal Intermediary –a person or organization that, under agreement with HHS under Part A of Medicare,
processes claims, provides services and issues payments on behalf of private, federal and state health benefit programs.
 Fraud-Is knowingly and willfully executing or attempting to execute, a scheme or artifice to defraud any health care benefit
program or to obtain (by means of false or fraudulent pretenses, representations, or promises) any of the money or property
owned by, or under the custody or control of, any health care benefit program.
 General Services Administration (GSA)—federal agency that manages govt records, including the construction of
buildings.
 Health and Human Services (HHS)—executive branch of the US govt with health care accountabilities, including
responsibility for the Public Health Service, the CMS and SSA.
 Health Care –preventative, diagnostic, rehabilitative, maintenance, palliative care, counselling with respect to physical or
mental condition and sale or dispensing of a drug, device, equipment or other prescription.
 Health Care Clearing House –public or private entity including a billing service, repricing company, information
management system AND does either: 1. Processes HI received from another entity containing nonstandard data content into
standard data, 2. Receives a standard transaction from another entity
 Health Care Compliance Association—professional association dedicated to helping health care compliance professionals
through education.
 Health Care Operations
 Health Care Provider –a provider of medical or health services and any other org that furnishes, bills, or is paid for health care
services or supplies in the normal course of business.
 Hospital efficiency programs ("HEPs") or hospital quality & efficiency programs ("HQEPs")--trend toward expansion
of single service line co-management arrangements into more comprehensive hospital or system-wide arrangements, which
incorporate multiple service lines across one or more hospitals. HEP is a mechanism to create aligned incentives to help
hospitals reduce costs associated with the delivery of care while economically rewarding physicians for their role in reducing
those costs and improving quality delivered to patients.
 Health Information –any information, oral, written that is created or received by a health care provider, health plan, public
health authority, employer, life insurer, school or university or health care clearing house and related to past, present and
future provision of care and the payment thereof.
 Health Information Technology for Economic and Clinical Health (HITECH) / American Recovery and Reinvestment
Act - enacted as part of the American Recovery and Reinvestment Act of 2009, signed into law on February 17, 2009, to
promote the adoption and meaningful use of health information technology.
 Health Insurance Portability and Accountability Act of 1996 (HIPAA)—comprehensive legislation that ensures access to
health coverage for those who change jobs or are temporarily out of work. It also provides a mechanism for funding the DOJ and
FBI to investigate Medicare fraud. If access to a universe of records was provided for a discrete period of time, the Office for
Civil Rights (OCR) interprets this provision to permit the accounting to include the range of dates.
 Health Plan –(HCCA definition) individual or group plan that provides or pays the cost of medical care. Long/short term
disability; workers' compensation; automobile liability that includes coverage for medical payments are not health plans.
 Hospital efficiency programs ("HEPs") or hospital quality & efficiency programs ("HQEPs")—
o Coordinated focus on cost and quality across the health system with physicians taking on important leadership roles;
o Creation of an internally funded value-based payment program that only creates rewards IF the system saves
money; and
o Development of a program that challenges the health system and physicians to work effectively together before
entering into meaningful commercial contracts.

o Example 1: A CIN located in the Southeast recently concluded the third year of their Hospital Efficiency Program,
which was created to demonstrate improved quality and cost reduction capabilities to payers. The program achieved
over $1 million dollars of net savings (retained by the health system after payments were distributed each year) with
eligible physicians realizing on average $3,500 to $5,000 per year based on achieving the following performance
metrics: (1) Supply cost reduction; (2) Pharmacy cost reduction; and (3) Reduction in Employee health plan cost as
well as other administrative triggers such as ICD-10 training, CDI response rate and the achievement of Meaningful
Use reporting requirements. One lesson this system learned was the importance of incentivizing physician
engagement while also supporting strong IT adoption.
o Example 2: A hospital in the Midwest recently concluded the first year of their program which was created to
further align objectives and incentives between physicians and the hospital. The program has achieved savings to
the health system in excess of $2 million dollars while eligible physicians received an average of $5,000 in
incentive-based payments. Performance metrics included: (1) Per capita employee health plan costs; (2)
Standardized surgical/procedural supply cost for the health system; and (3) Achieving appropriate core measures at
99% of target. One lesson learned by this hospital is the importance of creating a focused set of first-year initiatives
to actively engage physicians.
o Example 3: A Clinically Integrated Network (CIN) located in the Great Lakes region recently concluded the first
year of their program, which was created to respond to healthcare challenges by focusing on cost and quality. The
program has improved quality across evidence-based guidelines for readmission rates, patient safety and patient
satisfaction scores. They have not yet made any financial distributions to physicians. One lesson they learned was
the importance early in the process of identifying and engaging a physician leader who could successfully lead other
physicians to achieve HEP objectives.
 Hotline, Helpline—common reporting system, administered in house or by outside consultants, giving anonymous telephone
access to employees seeking to report possible instances of wrongdoing.
 Hybrid Entity-a single entity that is a CE and that performs both covered and non-covered functions. For example: a
university clinic that offers services to students (FERPA) and to the public (HIPAA) (HCPH 2014, p. 6).
 ICD-10-CM –two-part classification system in current use for coding patient medical information: 1) a comprehensive list
of diseases and 2) procedure codes independent of the disease.
 Individually identifiable health information (IIHI)-subset of HI that is collected from an individual and is created or
received by a health care provider, health plan, employer or health care clearinghouse, relates to past, present or future
payment for the provision of health care, and identifies an individual or provides a reasonable basis to believe that the information
can be used to identify the individual.
 Inspector General (IG)—officer of a federal agency that oversees audits and investigations.
 IPRO-non-profit that provides health care audits for local, state and federal gov’t agencies to ensure integrity is maintained.
 Independent Review Organizations (IRO) can be a consulting, accounting, or law firm. The key to determining the type of
organization to select to be an IRO depends on the scope of work inclusive in the Corporate Integrity Agreement (CIA).
 Joint Commission –not-for-profit org that develops standards and performance measures, on-site surveys based on standards
and measures.
 Limited Data Set—a CE may use or disclose a limited data set if the CE enters into a data use agreement and the direct
identifiers of the individual or of relatives, employers or household members of the individual are removed. The health information that
may remain in the information disclosed includes: dates such as admission, discharge, service, DOB, DOD; city, state,
five-digit or longer ZIP code; and ages in years, months, days or hours.
 LOCAL COVERAGE DETERMINATION (LCD) is a decision by a fiscal intermediary or carrier whether to cover a
particular service on an intermediary-wide or carrier-wide basis in accordance with Section 1862(a)(1)(A) of the Social
Security Act (i.e., a determination as to whether the service is reasonable and necessary).
 Medicaid Fraud Control Units (MFCUs)-- investigate and prosecute Medicaid provider fraud as well as patient abuse or
neglect in health care facilities and board and care facilities. MFCUs operate in 49 States and the District of Columbia. The
MFCUs, usually a part of the State Attorney General's office, employ teams of investigators, attorneys, and auditors; are
constituted as single, identifiable entities; and must be separate and distinct from the State Medicaid agency. OIG, in
exercising oversight for the MFCUs, annually recertifies each MFCU.
 Medicare Improper Payments Report (Medicare FFS Error Rate) Medicare Improper Payments Report listing amount of
improper payments by contractor type.
 Medicaid Integrity Group –created under SSA as the first comprehensive federal strategy to prevent and reduce fraud.
Requires that CMS 1. hire contractors to review Medicaid providers' actions to determine potential fraud, 2. audit claims for
services; 3. identify overpayments; 4. educate providers and others on Medicaid program integrity and quality of care issues;
and 5. provide support and assistance to the states in their efforts to combat Medicaid provider fraud and abuse.
 Monitoring –an ongoing daily event which includes conducting analyses and tracking trends to correct issues "in real
time" at the lowest level of detection. HCCA definition: an ongoing process usually directed by management to ensure
processes are working as intended and to identify a need for an audit. Monitoring is an effective detective control within a
process.
 NATIONAL COVERAGE DETERMINATIONS (NCD) sets forth the extent to which Medicare will cover specific
services, procedures, or technologies on a national basis. Medicare contractors are required to follow NCDs. If an NCD does
not specifically exclude/limit an indication or circumstance, or if the item or service is not mentioned at all in an NCD or in a
Medicare manual, it is up to the Medicare contractor to make the coverage decision (see LMRP).
 National Correct Coding Initiative -- CMS uses an editing system to identify services that would normally not be reported
in conjunction with an associated service.
 Obligation-an established duty, whether or not fixed, arising from an express or implied contractual, grantor-grantee, or
licensor-licensee relationship, from a fee-based or similar relationship, from statute or regulation, or from the retention of any
overpayment.
 Occupational safety and health administration (OSHA)—component of DOL administers standards for workplace safety.
 Office of civil rights (OCR)—component of HHS that teaches workers about civil rights, health care privacy and
confidentiality. Helps to protect individuals from discrimination in certain health care and social service programs.
 Office of Inspector General (OIG)-main responsibility is to investigate healthcare fraud, waste, and abuse. They provide
guidance to the industry in the form of advisory opinions, special fraud alerts, special advisory bulletins, compliance program
guidelines and offer substantive assistance to program participants to promote ethical and lawful conduct in their
organization. OIG dedicates 80% of its resources to Medicare and Medicaid.
 OIG Compliance Program Guidance
 OIG work plan- The Office of Inspector General's (OIG) work planning process is dynamic, and adjustments are made
throughout the year to meet priorities and to anticipate and respond to emerging issues with the resources available. Providers
should examine the entire OIG Work Plan and review risk areas that may prompt OIG enforcement actions. It summarizes new
and ongoing reviews and activities that the OIG plans to pursue during the next fiscal year. Mission: prevent, detect and correct
FWA.
o Prioritization
 mandatory requirements for OIG reviews set forth in rules and regulations
 requests made by Congress and HHS
 top management and performance challenges facing HHS
 work performed by partner organizations
 management's actions to implement OIG recommendations from previous reviews; and
 timeliness
o The following areas are non-compliant with CMS compliance program requirements
 Risk Assessment
 Monitoring and Auditing Work Plans
 Companies should base work plan development on the risk assessment (pg. 16)
 Internal Audit Function
 FWA Data Analysis
 Organized Health Care Arrangement-a clinically integrated care setting in which individuals typically receive health care
from more than one health care provider.
 Overpayment –payment or reimbursement for DHS services caused by human or system error, fraudulent behavior or
otherwise.
 Payment –activities undertaken by
o a health plan to obtain premiums or to determine or fulfill its responsibility for coverage under the health plan, OR
 a health care provider / health plan to obtain reimbursement for the provision of health care, AND
o activities such as
 determination of eligibility or coverage
 risk adjusting amounts due based on enrollee status and demographic characteristics
 billing, claims management, collection activities, reinsurance, health care data processing
 review of services to determine necessity
 utilization review activities: precertification, preauthorization
 disclosure to consumer reporting agencies
 Payment Error Rate Measurement (PERM)—measures improper payments in the Medicaid program and CHIP.
 Personal health information (PHI), also referred to as protected health information, generally refers to individually
identifiable health information created by a CE or an employer, such as demographic information, medical history, test and
laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and
determine appropriate care, that is transmitted by electronic media or maintained in electronic media.
o Electronic Protected Health Information (ePHI)-means information that comes within the definition of protected
health information.
o Secure PHI-health information that has been rendered unusable, unreadable, or indecipherable to unauthorized persons
through the use of technology.
 Personal health records (PHRs) contain the same types of information as EHRs—diagnoses, medications, immunizations,
family medical histories, and provider contact information—but are designed to be set up, accessed, and managed by
patients.
 Physician incentive plan- compensation arrangement between an entity and a physician or physician group that may directly
or indirectly have the effect of reducing or limiting services provided with respect to individuals enrolled with the entity.
 Physician organization –(stark definition) physician, physician practice or group practice that complies with requirements
of stark law.
 Physician Quality reporting System (PQRS) Process of Care Measures
 Physician at Teaching Hospital (PATH) HHS/OIG nationwide review of compliance with rules governing physicians at
teaching hospitals.
 Probe Sample-a general rule of thumb to remember is that a sample of 30 (OIG) & 20 to 40 (CMS), is usually considered the
minimum size in assessments. HCCA says the sample must be 100 claims. These are performed to determine high risk areas
or pursuant to a CIA.
 Prospective Payment Systems (PPS)-the system of paying for services for Medicare patients whereby patients are classified
into categories for which prices are negotiated or determined in advance.
 Protected Health Information (PHI) individually identifiable health information transmitted/maintained in an electronic
medium by a covered entity. Except –1. educational records under FERPA/records described in 20 USC 1232g(a)(4)(B)(iv)
AND employment records held by an entity in its role as an employer.
 Quality Assurance and Performance Improvement (QAPI)--plan of correction protocol developed by CMS that is
required for certain CE.
 Qui Tam—whistleblower
 Referral—a request by a physician that includes DHS, for consultation with another physician and any test or procedure
ordered by or to be performed, excluding employees and contractors.
 Relator- under the qui tam provision of the False Claims Act, one who relates to the government the fraud being committed
against the government.
 Risk assessment --is typically a broad-based audit that may be used to identify opportunities for improvement either before
development of the compliance program or work plan or periodically thereafter. Used to identify areas of legal/regulatory
compliance attributed risk.
 Safe Harbors –regulatory exceptions to otherwise prohibited conduct.
 Security incident- is defined by the HIPAA Security Rule as an attempted or successful unauthorized access, use, disclosure,
modification, or destruction of information or interference with system operations in an information system. (See the
definition of security incident at 45 CFR 164.304.)
 Self-Disclosure Information-Health care providers, suppliers, or other individuals or entities subject to Civil Monetary
Penalties can use the Provider Self-Disclosure Protocol, which was created in 1998, to voluntarily disclose self-discovered
evidence of potential fraud.
 Self-Referral Statute; Stark Law –Omnibus Budget Reconciliation Act bans physicians from referring lab specimens to any
entity with which the physician has a financial relationship.
 Self-Reporting / Voluntary disclosure—the act of informing the government of the discovery of wrongdoing. Although it is not a
defense, it may mitigate the expected loss (fines).
 Seven elements – compliance program: 1) implementation of standards and procedures, 2) compliance oversight:
governance, organization and reporting, 3) Training and education, 4) developing effective lines of
communication/screening, 5) enforcing standards through well-publicized disciplinary guidelines, 6) conduct internal
monitoring and auditing to identify risk areas, 7) responding to non-compliance issues as they arise.
 Significant Financial Interest—includes “anything of monetary value including but not limited to salary or other payments
for services (e.g. consulting fees, or honoraria); equity interests (e.g. stocks, ownership interests); and intellectual property
rights (e.g. patents, copyrights, and royalties from such rights).”
 Snapshot –OIG guidelines suggest a review of operations at inception, in order to reduce or eliminate vulnerability.
 State Program Integrity Assessment (SPIA)—CMS's first national data collection on state Medicaid program integrity
activities, for the purpose of program evaluation and technical assistance.
 Titular ownership-ownership or investment interest excludes the ability or right to receive the financial benefits of
ownership.
 TPO—treatment, payment and health care operations; the areas in which PHI may be used.
 Treatment—the provision, coordination, or management of health care and related services by one or more health care
providers, or with a third party, or the referral of a patient from one health care provider to another.
 Upcoding—coding for a higher level than documentation warrants.
 Unified Program Integrity Contractors (UPIC)—a strategy that restructures and consolidates the current Medicare and
Medicaid program integrity audit and investigation work.
 Unbundling-The Office of Inspector General (OIG) has defined unbundling as occurring when a “billing entity uses separate
billing codes for services that have an aggregate billing code.”
 Use—with respect to individually identifiable HI, the sharing, employment, application, utilization, examination or analysis of such
information within an entity that maintains such information.
 Waste—the overutilization of services, or other practices that, directly or indirectly, result in unnecessary costs to the
Medicare program. Waste is generally not considered to be caused by criminally negligent actions, but rather by the misuse of
resources.
 Workforce –staff, contractors, volunteers