
July 16, 2025
The Compliance4U newsletter offers insight into the day-to-day functions of the Health Plan’s Compliance Program and serves as a resource to help staff stay informed about key regulatory updates, reporting obligations, audit activities, and policy changes. Its goal is to promote awareness, accountability, and a culture of compliance across all departments.
Regulatory Affairs
The Compliance Regulatory Affairs department is responsible for analyzing and implementing regulatory changes, coordinating the timely filing of routine regulatory reports, overseeing regulatory audits, managing DMHC provider complaint resolution, and tracking member complaints submitted to state and federal regulators to ensure the Plan maintains ongoing compliance with all applicable requirements. Check out what has happened since we released our last newsletter.
The Department of Health Care Services (DHCS) has released Amendment 7 to our Medi-Cal contract. This amendment introduces several regulatory and operational changes that affect multiple areas of Plan activity. Many of these updates reflect recent guidance issued through All Plan Letters (APLs) and other DHCS communications.
The full text of the updated contract is available on the Compliance Team SharePoint > Regulatory Resources > Regulatory Contracts and Licenses > MediCal Contract.
Compliance is actively partnering with impacted departments to ensure implementation and alignment with all applicable requirements.
Key Changes Include:
1. Updated Terms and Definitions – Includes clarifications for CCS roles, new aid codes, and terminology updates.
2. Medical Loss Ratio (MLR) & Directed Payments – Enhanced language aligning with federal requirements for provider payments and reporting.
3. Physician-Administered Drugs – New requirements for prior authorization and benefit determination.
4. Contract Language for Network Providers and Subcontractors – Additional provisions must now be included to reflect updated responsibilities.
5. Minor Consent Services – Language is included in this amendment; however, DHCS has indicated that further revisions are expected in a future amendment to fully align with AB 665.

What’s going on at the State and Federal levels? To support you in your role and ensure timely awareness of changes to regulatory and contractual requirements, Regulatory Affairs staff attends regulatory calls (DHCS Managed Care Plan Call - MCPC) and other regulatory meetings/calls where key regulatory information is shared.
DMHC Fined Blue Shield for Denying and Mishandling 36 Claims
The California Department of Managed Health Care (DMHC) has taken enforcement action against Blue Shield of California, issuing a significant fine for mishandling several claims payments, delaying reimbursement payments to a plan member for approved medical care over a five-year period. DMHC levied a $300,000 fine. Blue Shield of California approved a member’s request for speech and occupational therapy from an out-of-network provider at the in-network rate and then denied or mishandled 36 claims connected to these services between 2020 and 2024. As a result, the member’s parent filed 10 Consumer Complaints with DMHC. Blue Shield paid the fine and “completed corrective actions to improve claims processing, including educating its staff on therapy authorizations and improving the documentation of claims.”
Important takeaways from these enforcement actions:
All
• This situation highlights the critical importance of ensuring that claims processing systems and procedures are aligned with prior authorization decisions. Failure to do so not only risks member dissatisfaction but can also result in regulatory scrutiny, potential enforcement actions, and reputational harm.
For more details, read the official press releases here.
Calls Held by Health Plan’s Regulators
Regulatory Affairs staff maintains materials from regulator calls. Check out previous meetings HERE.
All Plan Letters (APLs)
DHCS and DMHC issue All Plan Letters (APLs) to formally communicate updates to federal or state policy, regulatory requirements, or operational procedures. These directives are intended to guide Managed Care Plans (MCPs) on how to implement changes and ensure compliance with applicable laws and regulations.
Regulatory Affairs reviews and analyzes each APL to interpret its impact, coordinate internal implementation, and ensure timely compliance and required filings.
Draft APLs, often identified with placeholder codes such as “XXX,” are released by the regulators to solicit feedback from MCPs before finalization. During this comment period, MCPs can raise concerns or seek clarification, which may influence the final version of the policy.
Below is a list of recently released APLs for your awareness:
A. DHCS Regulatory Notices
APL 25-010 Adult and Youth Screening and Transition of Care Tools for Medi-Cal Mental Health Services
Issue Date: June 3, 2025
Summary: This APL provides guidance on standardized, statewide Adult and Youth Screening and Transition of Care Tools to guide referrals of adult and youth Members to the appropriate Medi-Cal mental health delivery system and guide timely care coordination for Members requiring transition between delivery systems.
APL 25-011 House Resolution 1 – Federal Payments to Prohibited Entities
Issue Date: July 3, 2025
Summary: This APL provides guidance on the handling of payments to Medi-Cal and Family Planning, Access, Care, and Treatment Program (Family PACT) Providers who may be impacted by House Resolution (H.R.) 1.
Retired APL Update: APL 22-009 COVID-19 Guidance for Medi-Cal Managed Care Health Plans
Retirement Date: July 2, 2025
Guidance: DHCS refers plans seeking guidance on COVID-19-related benefits and services to the Immunizations section of the Medi-Cal Provider Manual, relevant provider bulletins and updates, and APL 24-008: Immunization Requirements, which contains current immunization policy information.
B. DMHC Regulatory Notices
APL 25-010 Sections 1357.503 and 1357.505 MEWA Registration and Annual Compliance Requirements
Issue Date: May 20, 2025
Summary: This APL is not applicable to Health Plan, as it discusses the requirements on Plans and MEWAs for the initial MEWA registration pursuant to Section 1357.505.
APL 25-011 Health Plan Coverage of HIV Preexposure Prophylaxis (PrEP)
Issue Date: May 23, 2025
Summary: This APL reminds health plans of their obligations to cover Human Immunodeficiency Virus (HIV) antiretroviral drugs and preexposure prophylaxis (PrEP). This APL supplements the two prior DMHC APLs and gives further guidance to ensure health plans meet their obligations to cover PrEP with no prior authorization or cost-sharing.
APL 25-012 Closure of Rite Aid Pharmacies
Issue Date: June 9, 2025
Summary: This APL is not applicable to Health Plan, as it discusses filing requirements for plans that are contracted with Rite Aid Pharmacies.
Regulatory Reports
Under the terms of our contract with DHCS, and in alignment with our Knox-Keene license requirements regulated by DMHC, the Plan is required to routinely submit reports that demonstrate operational performance and regulatory compliance.
Regulatory Affairs tracks and coordinates these submissions to ensure timeliness and accuracy across all departments.
Below is a list of upcoming regulatory reports due in the next several weeks. The table includes:
• A hyperlink to each report,
• The accountable Director and Executive sponsor, and
• Departmental ownership for awareness and coordination.
Please review the list to determine which reports fall within your area. Click the report title for detailed information and submission guidance.
Report | Accountable Director | Executive Sponsor
CBAS Waiver Report 2025-05 | Pamela Lee | Lakshmi Dhanvanthari
Consolidated Billing 2025-05 | Clarence Rao | Victoria Worthy
Data Certification Report 2025-05 | Tamara Hayes | Betty Clark
Drug Utilization Review (DUR) FFY 2024 | Matthew Garrett | Lakshmi Dhanvanthari
Monthly Financial 2025-05 | Somatra Sourng | Michelle Tetreault
NMT-NEMT Report 2025-03 | Dale Standfill | Liz Le
Post Payment Recovery 2025-05 | Christopher Navarro | Michelle Tetreault
Provider Directory File and Use 2025-05 | Ana Aranda | Liz Le
Provider Incentives/VBP SDR | Christopher Navarro | Michelle Tetreault
Provider Information Network (PIN) 2025-05 | Ana Aranda | Liz Le
Restricted Provider Site Verification 2025-05 | Toni White | Betty Clark
Provider Complaints
Provider complaints come to the Health Plan in different forms (e.g., direct call to us or dispute submission to DMHC). While our Provider Services and Claims teams address those coming into us, Compliance is the point of contact for those coming through DMHC. In 2025, Health Plan received 20 requests (5 new Provider Complaints and 15 additional information requests), disputing 12 claims. In 2024, we received 67 requests (28 Provider Complaints and 39 additional information requests), disputing 56 claims. In addition, each complaint may contain multiple issues that require a response. In 2023, Health Plan received 20 requests (13 Provider Complaints and 7 additional information requests), disputing 28 claims.
Compliance coordinates a cross-functional group to review each complaint we receive. This group investigates the cases (from the original request to claim processing and dispute resolution) and prepares a comprehensive response to the DMHC about the provider’s concerns and the actions taken by us. These tables outline the status:
Compliance & Ethics Week: November 2–8, 2025
Compliance & Ethics Week is a nationwide initiative that highlights the importance of integrity, accountability, and ethical decision-making in the workplace. It’s a time to reflect on our shared responsibility to uphold the standards that protect our members, our organization, and each other.
Check out the monthly newsletter for reminders, tips, and mini-games to help reinforce everyone’s role in maintaining a culture of compliance across all departments.
Please see the answers below to our ‘Spot the Issue’ exercise:

Spot the Issue: There are 3 violations in the picture above. Locate and identify the violation.
1. PHI is written on the paper on the desktop
2. Password written on blue Post-It note on the monitor
3. Gift/Donation accepted
Stay tuned for more games in our next issue!
Do you have a question for Compliance? To submit an inquiry, go to Team Sites > Compliance > Requests > Submit an Inquiry on SharePoint or simply use this link: check it out here.
Program Integrity Unit (PIU)
The PIU investigates and reports all potential fraud, waste, or abuse (FWA) and HIPAA violations. We also conduct exclusion monitoring of our third parties, provide subject matter expertise for audits, manage members’ rights to access/limit their PHI, and plan and track annual compliance training.
Privacy & Security
Remember to report HIPAA privacy incidents at this link as soon as you suspect an incident has occurred. We may have to report the incident to our regulators.
Privacy Incident Reporting Requirements
Do you know the requirements to report privacy and security incidents to governmental regulatory agencies such as the Department of Health Care Services (DHCS) and Office of Civil Rights (OCR)? Just in case you do not know or need a refresher, take a moment to review the requirements below.
DHCS
Per our HPA07 Reporting and Mitigating Suspected Privacy & Security Incidents and Breaches policy, Health Plan is required by our DHCS contract to report breaches to them within 24 hours of discovery. We are also required to provide DHCS with an update within 72 hours of discovery and a final report within ten (10) working days of discovery.
We aren’t required to report every privacy or security incident we receive to DHCS. We are only required to report incidents that we believe are or might be breaches. Therefore, we report the incidents that are higher risk, such as those involving malicious intent, disclosed PHI that is still missing, or unauthorized disclosures involving a large number of Health Plan members. We also report incidents to DHCS that affect 500 or more individuals, or incidents that aren’t able to be instantly mitigated, such as a system issue that we still need to determine how to correct. We report incidents to DHCS through their DHCS Portal at this link.
OCR
Health Plan is also required by the Breach Notification Rule to report breaches affecting 500 or more individuals to OCR within 60 days of discovery. However, if the breaches affect fewer than 500 individuals, we are required to report them to OCR on an annual basis, within 60 days after the end of the calendar year. We report breaches to OCR through their website at this link.
For more information about reporting privacy and security incidents, please refer to HPA07 Reporting and Mitigating Suspected Privacy & Security Incidents and Breaches policy.
Privacy & Security Incidents
In the months of May and June, we had 55 HIPAA incidents reported to PIU; six (6) of these were reportable to DHCS.
Fraud, Waste, and Abuse (FWA) - Reporting Requirements
As part of our contract with the Department of Health Care Services (DHCS), we also have a responsibility to report any suspected fraud, waste, or abuse (FWA) within specific timelines. Below is a breakdown of these reporting requirements:
• Initial Reporting – Due in 10 Working Days of Discovery
o If we discover or are made aware of suspected FWA, whether through an internal or external source, we need to file an initial MC 609 to the DHCS and Department of Justice (DOJ).
• Completion of an Investigation – Due 10 Working Days After the Investigation is Complete
o Once we have completed an FWA investigation we have 10 working days to file a final MC 609 and provide the final investigative report to DHCS and DOJ. This report must explain what we found, what actions we took, and include all supporting documentation related to the case.
• Overpayment Reporting – Due in 10 Working Days of Identifying Overpayments
o When we identify an overpayment or recover an overpayment related to FWA, we must report it to DHCS’ Audits and Investigations Intake Unit and our Managed Care Operations Division (MCOD) Contract Manager within 10 working days from the date of identifying the overpayment.
• Quarterly Status Reports – Due Quarterly
o Every quarter, we must send DHCS a status report that includes all open and closed FWA cases. This report is due 10 working days after the end of each calendar quarter.
Reporting suspected FWA is not just a compliance requirement; it is an important part of protecting the integrity of the Medi-Cal program and the communities we serve. By understanding and meeting these deadlines and documentation standards, we uphold the trust placed in us by DHCS, our members, and our partners.
For more information about suspected FWA, please refer to CMP05 Fraud, Waste and Abuse policy.
Fraud, Waste and Abuse Cases
In May and June, the PIU opened three (3) cases and closed zero (0). Our team currently has 25 ongoing cases.
Your Role
If you notice a suspicious activity, don’t hesitate to report it. Stay vigilant. Stay committed.
Upcoming Compliance Trainings
Sexual Harassment Prevention – August
Diversity, Equity, and Inclusion (DEI) – November
Provider Exclusion Monitoring
PIU regularly monitors vendors and providers we contract with for exclusions, per 42 Code of Federal Regulations (C.F.R.) §438.610, which prohibits Medi-Cal Managed Care Plans (MCPs) from contracting or maintaining a contract with physicians or other health care providers who are excluded, suspended, or terminated from participating in the Medicare or Medi-Cal programs.
For more information about suspected FWA, please refer to CMP20 Exclusion and Ineligibility policy.
Exclusion Monitoring (LOA Providers)
Zero (0) provider exclusions were identified.
Audit & Oversight (A&O)
Types of Audits
One of the primary functions of the Audit & Oversight (A&O) Department is to ensure our internal stakeholders and delegated entities are in compliance with federal and state regulatory requirements. To fulfill this responsibility, A&O conducts various types of comprehensive audits, including Readiness Assessment, Baseline, Annual, and Focused audits. The table below provides the definitions, occurrence, and audit scope for each type.
Readiness Assessment
Definition: A formal and systematic approach to review, evaluate, and assess processes and related controls using a set of standards to determine the entity’s ability to perform the potential contracted services on behalf of Health Plan.
Occurrence: Conducted before establishing a contract with a new entity or expanding delegation activities.
Audit Scope:
• Review of policies and procedures*
• File review, as applicable
Focused Audit
Definition: A formal and systematic approach designed to review, evaluate, and improve the effectiveness of a process or remediation effort to ensure compliance with statutory, regulatory, accreditation, or contractual requirements.
Occurrence: Conducted as needed in response to instances of noncompliance, risk indicators, or regulatory changes.
Audit Scope:
• Review of policies and procedures*
• Universe validation & system walkthrough, as applicable
• File review, as applicable
Baseline Audit
Definition: A formal and systematic approach to review, evaluate, and assess processes and related controls using a set of standards for contracts that were established without conducting a Readiness Assessment.
Occurrence: Conducted when a readiness assessment was not performed prior to contract execution.
Audit Scope:
• Review of policies and procedures*
• Universe validation & system walkthrough, as applicable
• File review, as applicable
Annual Audit
Definition: A formal and systematic approach to review, evaluate, and improve the effectiveness of processes and related controls using a set of standards to assess compliance at least on an annual basis.
Occurrence: Conducted annually after the start of contracted services, and each year thereafter based on the date of the most recent audit, with consideration given to performance and inherent risk.
Audit Scope:
• Review of policies and procedures*
• Universe validation & system walkthrough, as applicable
• File review, as applicable
*Policy and procedure reviews take a program-focused approach for each delegated area and may include an evaluation of the entity’s Compliance Program, including Fraud, Waste, and Abuse (FWA); Information System Security (IS); and HIPAA Privacy.
Through this structured and comprehensive audit framework, the A&O team remains committed to fostering a culture of accountability and continuous improvement, ensuring that both internal stakeholders and delegated entities consistently meet regulatory requirements and remain in compliance.
This proactive and collaborative approach not only strengthens our Compliance Program but also supports the delivery of high-quality, efficient, and member-centered services across the organization.