1. Highlights from ExL Pharma’s 4th Clinical Billing & Research Compliance March 1-2, 2010 New Orleans, LA

2. HOT TOPICS IN RESEARCH & HEALTHCARE COMPLIANCE

3. Healthcare Regulatory Environment

4. Research Misconduct: Scientific versus Regulatory Misconduct Regulatory Misconduct Conduct inconsistent with the regulations and standards that govern the process of research Scientific Misconduct Fabrication, falsification, plagiarism or other practices that seriously deviate from those that are commonly accepted within the scientific community for proposing , conducting or reporting research Research Compliance Professionals Handbook

5. Scientific Misconduct Means fabrication, falsification, or plagiarism in proposing, performing, or reviewing research, or in reporting results Fabrication is making up data or results and recording or reporting them. Falsification is manipulating research materials, equipment, or processes, or changing or omitting data or results such that the research is not accurately represented in the research record. Plagiarism is the appropriation of another person’s ideas, processes, results, or words without giving appropriate credit. Research Misconduct does not include honest error or differences of opinion. 42CFR93.103

6. Non-Compliance and Misconduct Non-Compliance / Regulatory Misconduct Failure to comply with laws, regulations, protocols May be intentional or unintentional Scientific Misconduct Fabrication Falsification Plagiarism Non-Compliance / Regulatory Misconduct Scientific Misconduct

7. Specific Legal Standards Professional Malpractice Fraud and Misrepresentation Fraud / False Statements Mail Fraud Wire Fraud Fraud, Waste and Abuse Anti-Kickback Law Anti-Self Referral Law False Claims Act - qui tam relators

8. Hot Topics in Research Compliance Investigator Responsibilities Privacy HIPAA / ARRA / HiTech GINA Clinical Research Billing Lagniappe

9. Protecting the Rights, Safety & Welfare of Study SubjectsFDA Guidance Published October 2009 Clarifies for investigators and sponsors FDA’s expectation regarding investigator responsibility regarding: ensuring that the study is conducted in accordance with the agreements, investigational plans, protocols and applicable regulations supervising the conduct of the investigations study staff delegated tasks protecting the rights, safety and welfare of study subjects controlling the test article – drugs, biological products, and devices

10. Protecting the Rights, Safety & Welfare of Study SubjectsFDA Guidance Published October 2009 Investigators commit themselves to conduct and supervise investigations and to protect the rights, safety and welfare of participants. The level of supervision should be appropriate to the staff, nature of the trial and the subject population. This includes the following: When tasks are delegated, the Investigator is responsible for ensuring that the individual to whom a task is delegated is qualified to perform the task. The Investigator should ensure that there is adequate training for all staff participating in the conduct of the study. The Investigator is accountable for regulatory violations resulting from failure to adequately supervise the conduct of a clinical study.

11. Protecting the Rights, Safety & Welfare of Study SubjectsFDA Guidance Published October 2009 Protecting the Rights, Safety and Welfare of Study Subjects includes the following: Providing reasonable medical care for study subjects for medical problems arising during participation in the trial that are, or could be, related to study intervention. Providing reasonable access to needed medical care, either by the investigator or by another identified, qualified individual. Adhering to the protocol so the study subjects are not exposed to unreasonable risks.

12. Health Information Privacy Health Insurance Portability and Accountability Act (HIPAA) American Recovery and Reinvestment Act of 2009 (ARRA) Health Information Technology for Economic and Clinical Health Act (HiTech) Genetic Information Nondiscrimination Act (GINA)

13. Health Insurance Portability and Accountability Act (HIPAA) Under HIPAA’s “Privacy Rule” a covered entity may not use or disclose an individual’s “protected health information” (PHI) unless the use or disclosure is authorized in writing by the individual (or their personal representative) or a specified regulatory exception applies: Privacy Board or IRB Waiver or alteration of authorization Preparatory to Research Information on Decedent Limited Data Sets De-identified Data Minimum Necessary Standard Business Associate Agreements Fines / Penalties

14. ARRA, HiTech & Privacy Changes to the HIPAA Privacy and Security Rules Mandatory reporting for “breaches” Applies directly tobusiness associates Caps on payment for PHI in research New civil and criminal penalties

15. HiTech - Mandatory Breach Notification Any Covered Entity (or Business Associate) that “accesses, maintains, retains, modifies, destroys, or otherwise holds, uses or discloses” unsecured PHI must notify individuals whose unsecured PHI has been (or reasonably believed to have been) accessed, acquired, or disclosed as a result of a breach Breach of Unsecured PHI = Notification to individuals Secured PHI = Encryption

16. HiTech - Mandatory Breach Notification Effective Now! (September 23, 2009) Exceptions Must notify each individual Method of Notice: Each individual by first class mail (or email if individual agrees) Alternative method if insufficient contact information (if for more than 10 individuals, then website posting or media notice) Notice to “prominent media outlets” if more than 500 residents of the state or jurisdiction are affected Concurrent Notice to HHS is more than 500 residents are affected; an annual report to HHS including every breach Timing of notice – without unreasonable delay / within 60 days Content of notice requirements

17. HiTech – No sale of PHI Current Rule: CE may receive payment for a disclosure of PHI where that disclosure is permitted by the regulations (such as for research) HiTech Rule: prohibits indirect and direct remuneration for a disclosure without the individual’s authorization; authorization must explain whether PHI can be further exchanged for remuneration by the downstream entity receiving the PHI – with exceptions HHS regulations required by 8/17/10; will apply to disclosures 6 months after regulations issued Exceptions apply

18. HiTech – No sale of PHI - Exceptions For public health activities For research, where the price charged reflects the costs of preparation and transmittal of the data For treatment For the sale, merger or transfer of the covered entity To a business associate to perform functions for the covered entity To an individual who wants copies of his or her PHI That fall within any future regulatory exceptions

19. HiTech Enforcement Clarifies / expands liability for criminal violations Increases civil penalties Harmed individuals to receive percentage of Civil Monetary Penalties State Attorneys General may bring civil actions Continuation of the Office of Civil Rights corrective action plans Audits

20. HiTech EnforcementState Attorney General State AG may bring civil action in federal court: To enjoin further violation To obtain damages on behalf of the victim Statutory damages: Up to $100 times the number of violations Not to exceed $25,000 for identical violations in a calendar year Defendant pays State’s attorney fees Effective NOW!

21. New Mandatory Civil Monetary Penalties (CMPs) Maximum CMPs for Identical Violations in a CY - $1,500,000

22. Genetic Info Nondiscrimination Act (GINA) New Federal law that generally prohibits health insurance companies, group health plans, and most employers to discriminate against subjects based on genetic information. This law generally protects research subjects as follows: Health insurance companies and group health plans may NOT: request genetic information from research studies use genetic information from research studies when making decisions regarding eligibility or premiums Employers with 15 or more employees may not use subjects’ genetic information obtained from research studies when making a decision to hire, promote, or fire individuals, or when setting the terms of employment GINA does not extend to life insurance, disability insurance, or long term care insurance. Informed Consent Implications http://www.hhs.gov/ohrp/humansubjects/guidance/gina.html

23. Medicare Billing and Clinical Research Medicare’s Clinical Trial Policy Extended Medicare coverage to “routine costs” of “qualifying clinical trials”, as well as “reasonable and necessary” items and services used to diagnose and treat complications from participating in clinical trials All other Medicare rules apply Device Trials – Requires Medicare contractor approval

24. Research News on the Horizon Clinical Research Billing Therapeutic Intent Off-Label Consistency among protocol, trial agreement and informed consent Medicare Secondary Payer Rule PhRMA and AdvaMed Codes of Ethics Prohibits entertainment, recreational items or branded promotional gifts Provides guidance for educational meetings Prohibits more “non-educational” freebies

25. Research News on the Horizon Conflict of Interest & Physician Payment Sunshine Act of 2009 Manufacturers would be required to report annually certain payments or other transfers to physicians or physician medical or group practices; and physician ownership interests in applicable manufacturing or group purchasing organizations Payments include gifts, honoraria, speaking fees, consulting fees, travel, services, dividends, profit distributions, stock or stock option grants and ownership or investment interests The aggregate amounts to initiate compliance would be $100 per calendar year. Failure to report could results in civil monetary penalties

26. Technology & Compliance Lessons Learned

27. Identifying a Solution Step 1 – Understand what you have and where you are Systems Business office Patient Records / Registration Current Research Systems IT Capacity Who owns what and who makes what decisions ?

28. Step 2 : What else to think about People and Processes Does the current process work and is it compliant ( how do you know that ? ) What’s done on the front end – what’s done on the back end - who is responsible / held accountable ? How are research patients identified in your system ? Do the people involved even talk to each other ? Do you have the requisite expertise to really understand what is involved ? What do your clinicians ( investigators) understand?

29. Step 3: What solution is right for you ? Knowing what you have to start with is really important Let me tell you a story !!!! What kind of IT support will you have internally - what will you need from your vendor How much modification are willing to / want to / should do ? How change ready / averse is your organization ? What do you need to right now – what can you do implement in a more phased approach

30. Budget + Contract + Protocol + Consent + MCA = Billing Compliance Standardize contract language to extent possible Master Agreements Pass through costs Standardize budget templates Standardize routine costs My experience ---- centralize key components / decisions ( may not work for everyone) Budget detail takes time – but pays off in the end - build budget / MCA to include investigational and conventional care items

31. Benefits of Web Based Systems This is the easy part ---- Access to information Investigators / coordinators can view status Where is your information currently ? Data security / back up Easier to manage across multiple organizations Build links to real time resource information through links and “help”

32. Conclusions -- Education is a key component in assuring success Create a taxonomy – How much integration can you accomplish across all of your systems ? In the end there is no Genie in the lamp -- our vision is to have all information related to research activity available with a single sign on

33. Still have any questions? For additional information on ExL Pharma’s Clinical Billing & Research Compliance Conferences, please visit www.exlpharma.com