This episode delves into the complex world of healthcare compliance, focusing on fraud, waste, and abuse, patient rights, and regulatory requirements. Experts break down crucial topics like the eight elements of an effective compliance program, red flags for patients, and the evolving landscape of healthcare regulations, including the impact of AI and cybersecurity.
Regulatory Pulse: Healthcare Compliance Today

Steve Melinosky
Steve Melinosky is the Chief Compliance and Privacy Officer.
Lisa Farren (Host): Hello everyone and welcome to Crushing Healthcare, where we explore diverse perspectives regarding the state of healthcare today, and gutsy visions for a more affordable, accessible, equitable, and sustainable healthcare model. My name is Lisa Farren. For those new to Crushing Healthcare, welcome, and for those returning back, welcome back.
Today we'll be exploring the complex world of healthcare compliance, with a focus on fraud, waste, and abuse, patient rights and regulatory requirements. Our guest today is Steve Melinosky, an expert in these areas, and he is going to help us understand these topics and break them down for us, including the eight elements of an Effective Compliance Program, some red flags for patients, and the evolving landscape of healthcare regulations, including the impact of artificial intelligence and cybersecurity.
So for our guest today, Steve Melinosky is the Chief Compliance and Privacy Officer at Southern New England Healthcare, which is commonly known as SoNE Health. Steve is certified in healthcare compliance and certified in healthcare privacy compliance. His career has included seven years of civil legal experience working in healthcare quality as a data analyst, and that is where he developed a passion for compliance and privacy.
Steve has served in a variety of compliance leadership positions in Connecticut health systems. He has been published in Compliance Today Magazine and is recognized as an industry leader in mitigating conflicts of interest. So with that, I can't think of a better person to guide us through these important topics today.
Welcome Steve, and thank you for joining us.
Steven Melinosky: Thanks for having me, Lisa.
Host: Awesome. So I have to be honest, these are some weighty topics; things that we should and need to be aware of, and so I'm glad you're here to help shed some light on it all and kind of sift through it all for us. Let's get started with some very basics. Can you explain to us, so what is healthcare compliance? How would you define it and how it relates to healthcare?
Steven Melinosky: Sure. So it's a very broad topic when people say compliance. It is an umbrella of compliance, but things like OSHA compliance, clinical quality compliance, cybersecurity compliance. My focus is generally on privacy compliance, and what we call fraud, waste and abuse.
That's your general healthcare compliance topics. When we talk about fraud, waste, and abuse, that includes things like reviewing relationships, ensuring that healthcare organizations aren't going to lie or cheat or bend the rules. Oftentimes we'll see that happen if they're trying to secure more compensation from payers.
When we look at what's known as an effective compliance program, we have eight elements. And that includes auditing and monitoring for fraud, waste, and abuse. A lot of different regulations that set guardrails for fraud. And many providers, many people in compliance are familiar with Stark Law.
It's a very complex regulation, but essentially it prevents physicians from referring patients to businesses they own. The other major one we work with is the anti-kickback statute, and that makes it illegal to offer or take remuneration or compensation or anything of value in exchange for referrals.
Those are important to focus on when you make decisions, when you want to put patient care over profits. The big one is called the False Claims Act, and actually that's a really old law. It goes back to the Civil War. Abraham Lincoln started the False Claims Act. The Union realized they were getting billed for weapons and ammunition that they never received.
So they said, we're going to make it illegal to charge the federal government with false bills. And that obviously includes Medicare, which is why it's so relevant to healthcare.
Host: Interesting. I didn't realize it went that far back. So obviously an effective compliance program is necessary both legally and ethically as well. So, what are the main elements of an effective program?
Steven Melinosky: Sure. So the OIG, the Department of Health and Human Services, Office of the Inspector General, I'll just call it the OIG; they set forth a program, back in the day, which started with seven elements. Many consider that there are eight elements now. I previously mentioned auditing and monitoring as an element. There are a lot of other equally important elements that make an effective compliance program. Any organization that receives federal funds needs to have policies and procedures, an enforceable code of conduct. They need to put out privacy and compliance education. They need to have oversight of the compliance program, with documentation of a leader of that compliance program.
There also has to be a risk assessment to identify compliance risks and create a work plan to address those throughout the year. A major element is also an anonymous reporting system for employees. Organizations should ensure that they have a way for employees to talk about fraud, waste, and abuse and that they respond to fraud, waste, and abuse complaints.
And OIG also has a lot of great compliance resources that can offer things for small practices, large organizations, anything like that. The OIG is a valuable resource to learn more about those elements of a program.
Host: Interesting. So, in any of the topics that we talk about here, I always like to think of just the average man on the street. Because not everybody is a healthcare provider or works for a healthcare organization, but we're all healthcare consumers. We're all patients, right? Or a loved one is.
So let's look at it a little bit through the patient lens, if that's okay. So what are things patients need to be aware of with regard to compliance?
Steven Melinosky: Yeah. There are a lot of red flags patients should look out for in healthcare compliance. Patients should feel more empowered to protect themselves. I think that's one thing that a lot of people don't understand is, as a patient you have rights and responsibilities. The healthcare organization you go to is required to notify you of those rights and responsibilities.
And a lot of that is you have to double check your bills, make sure that you're not getting billed for things that they didn't do. That's a huge part of the fraud program is a false claim. And, it's just, we don't call it a false claim when it goes to a private payer. It's just fraud.
But check your bills, right? That's a big part of it. Make sure that you're getting billed only for services you received. Make sure that the tests you're getting are medically necessary. You know, get a second opinion if you have to. Broadly, patients also have a right to privacy.
That's putting it very plainly. But you are required to receive from your medical provider a copy of their Notice of Privacy Practices. It's usually displayed at a practice or it's available online. Generally, patients will sign off on it, but those rights are important because they tell you as a patient how the organization is using your medical information.
It provides you information on how to opt out of certain things, make complaints either to the company or to the Office for Civil Rights, for privacy issues. Another red flag I would look out for as a patient is if there's a conflict of interest. So there's this act called the Sunshine Act, and that mandated that vendors like pharmaceutical companies, medical device companies, they have to publish information on anything they give to providers.
So whether that's direct compensation for, like, consulting, whether it's a meal, you know, travel and lodging. All is logged by the pharmaceutical and medical device company. So if you go to Open Payments, that's a website that is mandated under the Sunshine Act. You can just Google Open Payments.
It'll take you to the CMS website. You type your doctor's name and you can actually see all the money that they received from different companies and why they received it. And it goes back years. So for example, if your doctor's prescribing a medicine, it's helpful to understand if they received compensation from that company that owns that medicine, that pharmaceutical company.
Like I said earlier, there's also Stark Law and the Anti-Kickback Statute. Those are very complex laws, but patients should be aware they exist. A lot of people don't even know about them, but it basically, like I said, Stark puts guardrails on a physician referral. So if you're a provider, you go to your PCP. They own a laboratory and they refer you to it for blood work where there's a lab closer or more in your network or cheaper, what have you, that could be a violation of Stark Law because they own it and they're referring essentially to themselves. And then the other one, I said, the Anti-Kickback Statute, it makes it illegal for them to take money for referrals. So keep that in mind if you are going to a provider and they refer you to somebody.
They should be doing it in good faith, that it's because they believe that person has clinical excellence. So these are very broad overviews of complex regulations and Stark and anti-kickback, they both have exceptions. And those are extremely prescriptive. So I'm not going to go into that in too much detail.
But again, it all, sort of falls into that broad fraud concern, and we go back to false claims. Those are especially important because we look at that through the lens of the government. If a provider bills for services, they didn't complete, the OIG is going to bring the hammer down on them. The government takes them extremely seriously.
They can impose fines. Right now, the fines can be $14,000 to $20,000 for each instance. And when the government learns about one, you can bet they're going to try to find more. And generally you're not going to see these for that $14,000 to $20,000; you're going to see them for hundreds of thousands of dollars because the government does a major probe into that provider.
Now the thing about a false claim is that there's a whistleblower act involved with that. So a whistleblower, person on the inside who's aware of a false claim, who's made it known, and who was either ignored or terminated or what have you; if they tell the government about it, and the government imposes fines, that whistleblower can recuperate some of the money if the provider is found guilty of defrauding the government.
So they make it easy. They incentivize people to blow the whistle assuming that it was escalated internally first. If you're aware of it and you don't say anything, you just call the government, they're going to say, thank you, we'll look into it, and then you won't get anything. But if you have a good faith effort to try to fix it internally and they don't, then you're entitled to compensation for that as well if you bring it forward.
I think it's important to mention that both patients and providers should educate themselves on these laws. As I mentioned earlier, the OIG has some really great resources, CMS, the OCR, the Office for Civil Rights. But whether you're a patient or provider, the OIG has told us that a compliance program isn't just a good suggestion, right?
It's a regulatory requirement. You can't say you have one. You can't build one and not act on it. You have to have a compliance program as a provider. You have to be able to prove you have one, and you have to be able to prove that it's effective. You can't do the bare minimum. The OIG doesn't stand for that anymore.
Host: Wow, that was interesting. A lot there. And I love how you said like there's a sense of empowerment as a patient. I didn't realize, you know, we have, I always heard of patient rights and everyone thought of patient responsibility. So you're right. Like anytime before we're going to open our wallets and pay any bill, we always kind of check it.
So I think we should check our medical invoices when we're billed from our providers and that sort of thing. So good tips there. So now flipping back to as you wrapped up there from the provider or the medical practice side, they're required to have a compliance program. How do they have to prove it somehow? Are they what's involved in that from their perspective?
Steven Melinosky: Yeah, so like I said, you have to have a compliance program. You have to prove that you have it, and you have to prove that it's effective. Those are what the OIG would ask for if they came to you asking about it. So a lot of ways to prove you have an effective compliance program, but a lot of it mostly comes down to documenting what you're doing.
So a compliance program starts with what's called a risk assessment, and that's where you go through your compliance and privacy risks that you know of, and ones that you don't know of. They come up throughout the year based on changes in regulation. You have conversations with leadership, with employees, with board members.
You look back at what happened, you look at the future and you say, once you have all this documented, what are my risks for the year? Once your risk assessment is done, you have a document that's going to sort of guide what's called a work plan. So the risk assessment is what are the risks?
The work plan is how and when will I address these risks throughout the year. Now, these are living documents, right? They change monthly, quarterly, ad hoc. A lot of companies will use larger online compliance management tools to document their activities. Smaller companies, as long as you're documenting it, you can do a spreadsheet, file folder, stuff like that.
You don't have to make it so complex, and searchable as long as you document what you're doing. So if you just document on April 25th, I had a meeting with leadership and we discussed this, this, or that. As long as that's documented somewhere, that's a good start to a compliance program.
But you have to stay organized if you're going to do it that way. And most importantly, if it ever comes down to a regulatory agency imposing fines, having an active and effective compliance program can significantly reduce civil monetary penalties. So if they come after you for penalties and they say you have a compliance program and it is effective and it is active and you did a good job, a good faith effort, they'll reduce your fines for that. So important from that aspect as well.
Host: Okay, so there's a lot that can be done. It sounds like starting simply even at least to get started, essentially that's the point, is to prove that you're doing something at least at the start. But I'm curious, you've talked a lot about compliance and the programs from both the provider perspective through the patient lens.
What are some of the biggest compliance threats or, okay, opportunities even that are being faced in the healthcare sector today?
Steven Melinosky: It's going to be different for every organization depending on if you are a healthcare provider, if you are, for example, an ACO, if you're a pharmaceutical company. Anybody in healthcare needs to have a risk assessment and all those risks are going to be different from where you are, but broadly for me, I think there are four major risks this year in 2025 that should be addressed.
And the first, I've been pushing this for about a year and a half or two years, that this is going to be a major risk. And now everyone's finally listening to me. It's artificial intelligence and machine learning. It's everywhere. It's a multi-billion dollar industry. It's getting bigger by the day.
But without human oversight, AI has a dangerous bias. And we talk about the large language models like ChatGPT or Gemini or Grok or those, but there's also in-house homemade AI. There's vendor AI. A lot of vendors we use are using AI to process data at a lightning speed, which is great.
And it, helps with the majority of tasks, but when you lose that human touch, it's a dangerous path that you're walking down that can affect patient lives. AI can be biased. It's the same with any computer program. Garbage in, garbage out. If you put garbage data into AI, you're going to get garbage responses. I have a love-hate relationship with artificial intelligence. It's exciting. I love learning about it. I love talking about it, but I also see it as very dangerous, especially when it comes to healthcare.
The next obvious risk I see is the administrative change in federal government. We have seen significant changes occurring at the federal level at speeds we've never seen before. In the past, changes like the ones we've seen now in the past three months took years to occur, for better or worse. We're seeing both threats and opportunities with what's happening.
And I think it's important that every patient, provider, leader, anybody involved in healthcare keeps an eye on those changes because they're coming in fast. So when you look at your risk assessment, when you look at your organizational strategy, what works today might not work tomorrow based on the rapidity of how fast these changes are happening. So you have to be agile, you have to keep looking at it. And whenever a regulation is changed or proposed or what have you, make sure you're on top of that.
The third major risk always is privacy. The OCR, they've been on a rampage with what's called patient right of access. So when patients request their medical records, the provider or organization has a statutory amount of time to respond to those.
It can vary from state to state, but generally you're supposed to have it within 30 days, from the organization to the patient. Or within 30 days, you're supposed to notify them that you need an extension of 30 days. So at most there, I believe it's supposed to be 60 days to provide those. And if you don't get the records to the patient on time, you can face penalties.
And it's usually such an easy thing to do. Whether it's printing out records or emailing them or putting them on a disk or a USB or what have you. That is such a preventable error. And these companies that don't give these patients medical records on time are getting fined tens of thousands of dollars.
And for a large organization that doesn't seem like much, but we are looking at small private practices, one or two doctors who are getting fined tens of thousands of dollars because they simply didn't get the patient's medical records to them on time. With privacy, the OCR is also starting a huge cybersecurity campaign.
That's an entirely different beast. If you, as a company, are subject to a cybersecurity threat that compromises patient information, it affects patients, obviously, but your organization. Many people recall the Change Healthcare breach. It was February 2024. We're still dealing with the follow-up from it.
180 million patients, individuals were affected by a cybersecurity breach, and we're still seeing the follow-up 14 months later. That was anomalous. That was the biggest one that's ever occurred as far as cybersecurity patient breaches. But it happens, right? You get an email from somebody you don't know, and it says, click this link.
And you just click it and suddenly there's malware on your computer. It has access to patient information, and that patient information is sent to other people. So, cybersecurity is taken seriously. They're proposing a new addition to HIPAA, the Security Rule. There are a lot of requirements out there right now and they're looking to put out a lot more to make sure that this sort of thing doesn't happen.
The last risk I'm going to talk about was language services. So the OCR, the Office for Civil Rights, they not only oversee privacy, but they also oversee the enforcement of the Affordable Care Act, specifically what's known as Section 1557, and that's about language services. I've seen a lot of enforcement action recently for organizations that did not provide language translation and interpretation to their patients for free. Now, from what I can tell, they're ramping up a campaign to address this more this year. So it's a good idea to review your language services, make sure you have a policy, make sure you have a procedure for it. Make sure patients are made aware that they have a right to a translator for free. And be prepared to provide that to them. Any patient that requests it, it's not an option, like you have to do this. So that's going to be the big one I also see coming up this year.
Host: That's great. I really didn't realize that, providing translation services was required. That's very interesting. Now from a personal perspective, so you're a compliance and privacy officer. You're clearly well versed in all this. You're the expert. And so you probably look at things, I'm going to guess from a more critical eye, but, so when you go to your physician office, your PCP for example, what are you looking for?
Steven Melinosky: Interesting. Well, obviously I go for my health, right, when I do go. But as I'm waiting, I am very much attuned to privacy. For me, when you're physically at the office, the privacy of patients is just, it's tantamount only to your health, right? And it's easy to identify privacy issues.
I'll tell you, I'll be honest, I was a victim of the Change Healthcare cybersecurity incident. So I take it seriously and I imagine most people do. So when I'm there in the waiting room, first I read the Notice of Privacy Practices. It should be displayed on the wall. You should have a copy of it. You gotta make sure that you know what they're doing with your protected health information. I want to make sure also that people aren't hearing about my health issues, why I'm there, right? If somebody calls out my name and I'm in the waiting area and somebody says, Steve, you're here for your checkup.
I don't want people to know I'm here for a checkup because they could say something else like, Steve, you're here for somebody to check your hemorrhoids, right? I don't have hemorrhoids, but just an example of how that could be embarrassing for somebody and why that privacy is important. But when I'm in the room, it's the same thing, right?
You'll often hear the patient next door to you, you'll hear a muffled noise of them talking to the doctor, and that's okay, but if you can clearly hear it, that's more of an issue. And I mean, I've seen a lot of provider's offices use white noise machines in their waiting areas and in some of their rooms, which is a great idea to make sure that person is protected from verbal disclosures.
I also make sure nothing with my name is available to anybody walking by. Right. Most doctors' offices, they don't use whiteboards anymore, but some used to. Hospitals still use them. But they usually don't put the whole name on anymore. So that's not as much a concern these days. But making sure paper records with your name aren't out.
Some doctors still use sign-in sheets and that's not great, right? Because you're letting people know that these are the patients that were there today, and it's incidental to your visit, like you're going to hear some other people's information, but that's preventable. You shouldn't have paper sign-in sheets.
And honestly, I do look for new ways and new ideas to protect patient privacy. So there are some really innovative offices out there with some good ideas for us to pick up on. Like I said, those white noise machines, just a simple thing you put under a chair and it's like background noise, but it prevents you from hearing other things that you might not want to hear.
I've seen practices with boards in their exam rooms that change as you walk in, right? So you walk in and the screen changes with your name and your information on it. I'm attuned to that. I'm attuned to people sort of leaving their computers on, leaving themselves logged into medical records.
So that's, as a patient, really what I look out for is the privacy piece. And then, like I said, I check my bill at the end of the day, right? You get the bill. You gotta make sure that you're not being charged for more than what they did for you.
Host: Those are all really good tips. I have to say, definitely the next time I visit a doctor, I'm just going to look out for all of those things that, most of which never occurred to me to think about or keep an eye out for. So, good tips. Yeah, really good tips. So, wow. We've covered a lot in a relatively short time talking about compliance.
All really good information. I especially appreciate the multiple perspectives you gave particularly from the patient perspective as I mentioned, because we are all healthcare consumers, we're all patients. And our loved ones are. And it's nice to know that the sense of empowerment, that there are things that we can look out for, things we can do if we see a red flag to protect ourselves and our loved ones.
And we all interact with the healthcare system. So it's important for everyone to have some understanding around this topic of compliance.
The AI piece in particular, like you said, it's so interesting and it's so ubiquitous right now. Like everyone's talking about it, everyone's interested. I think it's come up in other episodes as well that we've done on Crushing Healthcare.
I'm thinking we might need to do a future podcast on AI and I predict you'll be returning.
Steven Melinosky: I would love to. I would love to. If I could make one plug for AI from a compliance perspective: do not put PHI, don't put patient information, in your artificial intelligence. That is forever.
Host: All right. Good tip. There you go. And for those who aren't aware of PHI as the acronym?
Steven Melinosky: Yeah, Protected Health Information. All right, thank you.
Host: Thanks again, Steve, for sharing all your expertise in a way that is really understandable, relatable, and accessible. And also thank you to all our listeners. So until next time, please remember we all have a role to play in healthcare transformation, so join us in Crushing Healthcare.