Lisa Hancock, RN, MHA

Chief Compliance Officer [email protected] 317-370-4268


Compliance Presentation for Zotec

Transcript of Lisa Hancock, RN, MHA

Page 1: Lisa Hancock, RN, MHA

Chief Compliance Officer [email protected]

317-370-4268

Page 2: Lisa Hancock, RN, MHA

The Compliance Officer’s key responsibilities should include:

Oversee and monitor the compliance program;

Report on a regular basis to the company’s governing body, CEO and compliance committee;

Periodically revise the Compliance program in light of changes in the needs and in the law;

Ensure that employees have received the Code of Conduct;

Develop educational and training programs that comply with Federal and State standards;

Coordinate personnel issues with human resources;

Assist in internal compliance review and monitoring activities; and

Disseminate new and upcoming laws and regulations.

Page 3: Lisa Hancock, RN, MHA

While at Zotec Partners have accomplished the following:

Established an officially named and documented Compliance Committee.

Established a formal, written Code of Conduct for all employees. This is now given to all new and existing employees.

Updated and formalized the written Compliance Plan for all of Zotec Partners.

Updated the HIPAA Policies and Procedures for the Company.

Reviewed the annual compliance risk assessment and recommended changes to internal processes.

Page 4: Lisa Hancock, RN, MHA

While at Zotec Partners have accomplished the following:

Education

Developed education for all medical billing employees on compliance, coding, HIPAA, and security.

Updated the Code of Conduct and included this in the required employee education.

Updated the Policy and Procedure Development

Teleradiology Policies and Procedures developed for clients spanning 10 states.

Compliance Intranet site developed

Page 5: Lisa Hancock, RN, MHA
Page 6: Lisa Hancock, RN, MHA

An example of initial educational announcement of Red Flag Rules:

Under the Red Flags Rules, physicians and other healthcare providers must develop a written program that identifies and detects the relevant warning signs — or “red flags” — of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. Since we are performing the billing and collections on our clients’ behalf, we are their partners in this process. Outlined below is our approach to responding to the Red Flags Rules requirements.

Our first step is to be proactive, limiting access to Social Security numbers, credit card information and other sensitive data. Our second step is for departments handling and coordinating patient data to secure that information and ensure others do the same. Therefore, as the third step, we have developed our own policy to assist our clients in the Red Flag Rules process. In addition to our policy, I have also attached education put together by AHIMA, procedures developed by MGMA for physician practices, and the AMA guidelines for Red Flag Rules. Please share this information with your staff and clients, as needed, to help educate them on Red Flags Rules.

When you see any of the following Red Flags please notify me:

A complaint or question from a patient based on the patient’s receipt of:

a. A bill for another individual; (Jane Doe receives a bill for Bob Smith at her address)

b. A bill for a product or service that the patient denies receiving; (Jane Doe calls to say that she never had a chest x-ray)

c. A bill from a health care provider that the patient never patronized; (Bob Smith calls to say that he has never seen Dr. Jones)

d. A notice of insurance benefits (or Explanation of Benefits) for health services never received; (Bob Smith says that he got an EOB for a mammogram that he did not have)

e. A collection notice for services that the patient never had. (Jane Doe calls to say that Dr. Jones sent her to collections for something that she never had.)

I would be more than happy to review this information with you, your employees, or clients if you would like, just let me know. If you have any questions, please contact me. Thank you.

Lisa Hancock, RN, MHA
Chief Compliance Officer
11460 N. Meridian Street
Carmel, IN [email protected]

Page 7: Lisa Hancock, RN, MHA

Policy Development Example

IDENTITY THEFT: RED FLAG RULES COMPLIANCE

PURPOSE

The purpose of this policy is to formalize Zotec Partners’s Red Flag Rules program and set forth guidelines to prevent, detect, investigate, and respond to patterns, practices, and specific activities that indicate the risk of or existence of identity theft.

SCOPE

This policy applies to all Zotec Partners covered accounts and all employees, temporary workers and other workers at the organization, including consultants and contractors, and other third parties who may work with Zotec Partners’s covered accounts.

EXCEPTIONS

Any exceptions to this policy must have the written approval of the General Counsel.

DEFINITIONS

Covered Accounts – an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions.

Page 8: Lisa Hancock, RN, MHA

Policy Change Management

An example of the type of educational information that was shared with our employees and clients:

The ABN-G and ABN-L will no longer be valid beginning March 1, 2009. CMS implemented use of the revised Advance Beneficiary Notice of Noncoverage (ABN) (CMS-R-131). This form replaces the General Use ABN (CMS-R-131-G), and the Lab ABN (CMS-R-131-L) for physician-ordered laboratory tests. The form (English and Spanish versions) and notice instructions are now posted on the Beneficiary Notice Initiative web page (www.cms.hhs.gov\bni). Detailed manual instructions, including the official implementation date will be posted on the BNI webpage in the near future.

Some key features of the new form are that it:

Has a new official title, the “Advance Beneficiary Notice of Noncoverage (ABN)”, in order to more clearly convey the purpose of the notice;

Replaces the ABN-G and ABN-L;

May also be used for voluntary notifications, in place of the Notice of Exclusion from Medicare Benefits (NEMB) (CMS Form 20007);

Has a mandatory field for cost estimates of the items/services at issue; and

Includes a new beneficiary option, under which an individual may choose to receive an item/service, and pay for it out-of-pocket, rather than have a claim submitted to Medicare.

Page 9: Lisa Hancock, RN, MHA

HITECH To Do List for Covered Entities and Business Associates

Revise existing privacy and security policies and procedures to ensure compliance within the timeframes listed below. Business Associates that do not currently have written policies and procedures must promptly take steps to draft and implement them.

Covered Entities & Business Associates

Breach Notification Rules - effective approximately September 2009

Prohibition on Sale of EHR or PHI, New Marketing Rules - effective approximately February 2011

Accounting of Disclosures of Electronic Health Records - effective between 2011-2014

Enforcement Provisions – effective immediately

Covered Entities

Disclosure Restrictions – effective February 17, 2010

Business Associates

Application of Security and Privacy Rules – effective February 17, 2010

Review existing Business Associate Agreements to ensure that the HITECH Act requirements are incorporated.

Conduct training for employees and other staff members, focusing specifically on time sensitive issues, such as breach notifications

Page 10: Lisa Hancock, RN, MHA

While at IU Medical Group Specialty Care

IU Medical Group – Specialty Care is the faculty practice plan for the IU School of Medicine. This includes 900 specialty physicians.

My position was primarily responsible for Compliance, Privacy and Quality for the specialty physicians of the IU School of Medicine.

This was inclusive of 26 individual practice plans, each with separate tax ids and covered entity status.

My position was closely integrated with our affiliated hospital systems, Clarian (Methodist, IU, Riley, West, and North), Wishard and the local VA.

If an OCR Privacy Complaint was received for our physicians I was the person primarily responsible for the investigation and response.

All patient complaints and investigations for our physicians, regardless of the location, were my responsibility.

The Compliance function also had to involve integration with Indiana University.

My position had to work closely with University Council when an issue involved physician employment or University policy.

Page 11: Lisa Hancock, RN, MHA

While at Clarian Health Partners

Was designated as Director of HIPAA Compliance and was responsible for Privacy and Security implementation for the following locations:

3 Acute Care Hospitals (Methodist, IU, Riley)

4 Surgery Centers

1 owned physician practice (MMG)

Health Net Clinic (free clinic)

Occupational Health

Home Care

Hospice

Research Institute

Fundraising Institution