May 22, 2025
Compliance4U newsletter provides you with insight into the day-to-day functions of the Health Plan’s Compliance Program.
Regulatory Affairs & Communication (RAC)
At Health Plan of San Joaquin and Mountain Valley Health Plan, every employee plays a critical role in supporting our Culture of Compliance. Noncompliance is defined as any failure to meet requirements outlined in the MediCal Managed Care Contract, federal or state regulations, or internal policies. Examples include untimely grievance resolution, inaccurate claims processing, or failure to oversee delegated entities. Recognizing and reporting these issues ensures we uphold our responsibilities to members and regulators while minimizing the risk of penalties under state and federal enforcement actions such as those outlined in DHCS APL 25-007 and the Knox-Keene Act.
All staff are expected to report any known or suspected compliance violations within one business day of discovery. Reports can be submitted directly to Compliance Regulatory Affairs through the Compliance Hotline. Upon receiving the report, the department will initiate a thorough investigation and, if necessary, coordinate with operational leaders to implement corrective actions. This shared commitment to early identification, root cause analysis, and resolution is vital to maintain operational integrity and regulatory readiness.
• If you observe or suspect any activity that may be inconsistent with regulatory requirements, company policies, or ethical standards, it is your responsibility to report it to the Compliance Department.
• Reports can be made confidentially, and anonymous reporting options are available.
• Your commitment to speaking up helps protect our organization, our members, and the integrity of our programs.
How to report a Non-Compliance issue (link)
Call Health Plan’s Ethics and Compliance Hotline at telephone number (855) 400-6002.
Go to Health Plan’s Home page > Select “Report an incident” from the left panel > select “Report a Non-Compliance Issue”
What’s going on at the State and Federal levels? To support you in your role and ensure timely awareness of changes to regulatory and contractual requirements, RAC attends regulatory calls (DHCS Managed Care Plan Call - MCPC) and other regulatory meetings/calls where key regulatory information is shared
DMHC Fined Kaiser for Failing to Quickly Handle Member Grievances
The California Department of Managed Health Care (DMHC) has taken enforcement action against Kaiser Permanente, issuing significant fines for compliance failures related to health plan member grievances/appeals. DMHC levied a $819,500 fine against Kaiser for failing to handle member grievances/appeals promptly. A review of 61 cases from 2021 - 2023 found:
14 late grievance acknowledgment letters
54 late resolution letters
Kaiser has acknowledged its failure to comply with its grievance/appeal requirements and agreed to pay the imposed fine.
Important takeaways from these enforcement actions:
• Grievances, Appeals, and Utilization Management procedures are critical health plan functions that must adhere to the DHCS and DMHC requirements. This work also impacts Customer Service, where most grievances are received. Health Plan must maintain administrative capacity and proper procedures/training to ensure our day-to-day operations are compliant with DHCS and DMHC requirements.
�
�
�
� For more details, read the official press releases here.
DMHC Fined Blue Cross for Delaying Medically Necessary Care
The California Department of Managed Health Care (DMHC) has taken enforcement action against Blue Cross of California Partnership Plan, issuing a significant fine for failing to implement an Independent Medical Review (IMR) determination timely, delaying medically necessary care. DMHC levied a $550,000 fine against Blue Cross. Through the IMR process, DMHC overturned the plan’s denial for a member to receive an in-home therapy evaluation and in-home therapy services. Blue Cross acknowledged the IMR determination and authorized the evaluation, but did not authorize the inhome therapy services “due to a processing error.” Blue Cross authorized the services 54 days late.
Important takeaways from these enforcement actions:
• Grievances, Appeals, and Utilization Management procedures are critical health plan functions that must adhere to the DHCS and DMHC requirements. Health Plan must maintain administrative capacity and proper procedures/training to ensure our day-to-day operations are compliant with DHCS and DMHC requirements. Determinations made as a result of State Fair Hearing, Independent Medical Review, and Consumer Complaint cases must be implemented timely to avoid enforcement actions and/or sanctions from our regulators.
�
� For more details, read the official press releases here.
�
�
Calls Held by Health Plan’s Regulators
RAC maintains materials from regulator calls. Check out previous meetings HERE.
All Plan Letters (APLs)
DHCS and DMHC release APLs to communicate changes in federal or state policy or procedure and instruct managed care plans (MCPs) on implementing these changes. RAC analyzes the APLs to ensure compliance with the requirements and to meet timely filing. Draft APLs (denoted by “XXX” indicating that both regulators have not assigned a policy number) are issued by both DHCS and DMHC regularly to solicit feedback from MCPs before they are officially published and become effective. During this period, MCPs can provide feedback or concerns to DHCS and DMHC on upcoming APLs. Here are the APLs that were recently released:
A. DHCS Regulatory Notices
APL
25-006 Timely Access Requirements
Issue Date: April 25, 2025
Summary: The APL requires Health Plan to guarantee timely access to medical, mental health, and dental services, including interpreter services without delays. It sets clear appointment and phone wait time standards, establishes performance thresholds (70% in 2025, increasing to 90% by 2028), and mandates participation in statewide Timely Access Surveys. Health Plan must ensure accurate provider information, arrange out-of-network care when timely access isn’t available, and update policies within 90 days. Failure to comply can result in corrective actions and monetary penalties.
APL 25-007 Enforcement Actions: Corrective Action Plans, Administrative and Monetary Sanctions
Issue Date: April 25, 2025
Summary: The APL, superseding APL 23-012, outlines DHCS’s authority and procedures for imposing corrective action plans (CAPs), administrative sanctions, and monetary penalties when Health Plan or their subcontractors fail to comply with contractual obligations or applicable state and federal laws. Key enforcement tools include:
• Corrective Action Plans (CAPs): Required for non-compliance issues, with strict timelines and oversight. Health Plan must submit detailed plans to address deficiencies and follow up with regular updates and documentation. CAPs may be used alone or alongside other sanctions, including monetary fines.
• Monetary Sanctions: Fines ranging from $15,000 to $100,000 per violation, with higher penalties for repeated or harmful violations.
• Administrative Sanctions: Includes suspension of enrollment or marketing, personnel or subcontractor restrictions, and temporary management.
• Contract Termination: DHCS may terminate contracts for serious or repeated non-compliance.
The APL also provides guidance on network adequacy, timely access to care, quality performance metrics, and outlines Health Plan’s appeal rights.
Redline APL 25-007 and Attachments:
• APL 25-007 Sanctions Compare to 23-012.pdf
• Attachment A-Network Adequacy Enforcement FINAL.pdf
• Attachment B- Timely Access Standards Enforcement FINAL.pdf
• Attachment C- MCAS FINAL.pdf
APL 25-008 Hospice Services and Medi-Cal Managed care
Issue Date: May 5, 2025
Summary: The APL, superseding APL 13-014, outlines Health Plan’s responsibilities in providing and coordinating hospice services for beneficiaries, in compliance with federal and state regulations.
• Eligibility: Beneficiaries must be certified as terminally ill (life expectancy of 6 months or less) and elect palliative (not curative) care.
• Required Services: Health Plan must cover a full scope of hospice services including nursing care, pain management, social work, counseling, and more.
• Care Settings: Services may be delivered at home, in skilled nursing facilities, or dedicated hospice facilities.
• Health Plan Duties: Ensure access to services, coordinate care, reimburse providers, and comply with continuity of care policies (up to 12 months if pre-enrolled).
• Provider Standards: Hospice providers must be state-licensed and Medicare-certified.
• Integration with LTSS: Services must be coordinated with other longterm supports like IHSS and CBAS.
• Reporting: Health Plan must maintain records and submit utilization data to DHCS.
Redline Comparison:
• APL 25-008 Hospice_Compare 13-014 to Final 25-008.pdf
B. DMHC Regulatory Notices
APL 25-008 - Provider Directory Annual Filing Requirements (2025)
Issue Date: April 8th, 2025
Summary: The Department of Managed Health Care (the Department) issues this All Plan Letter (APL) to remind health care service plans (plans) of the requirement to annually submit provider directory policies and procedures to the Department. The Department also reminds plans to submit the changes to their provider directory policies and procedures as instructed in APL 24-018 – Compliance with Senate Bill 923.
APL
25-009
– 2025 Health Plan Annual Assessments
Issue Date: April 15th, 2025
Summary: DMHC issued this APL to provide information to health care service plans (health plans) pertaining to the DMHC’s fiscal year (FY) 2025-26 annual assessment.
Reminder All Plan Letter (APL) Policy Filing Process
All policies must complete the policy workflow before submission to DHCS/DMHC. Policy owners must ensure their policies are approved by their department executive on the Policy Management Application (PMA). Upon receipt of the policies, the Compliance Policy team will review and then send the policies for CEO approval. Once all approvals have been obtained, Compliance will submit the policies to DHCS/DMHC.
RESPONSIBLE PERSON
Regulatory Reports
Under our contract with DHCS and in compliance with our Knox-Keene license (DMHC), we must routinely submit reports demonstrating compliance and performance. Below is a list of reports due for submission in the next few weeks. The table includes a hyperlink to the report and the accountable Director and Executive for the report. Check out the list to find out which ones are in your department Click on the report title for more information
Report Title
Provider Directory File & Use 2025-05
TGI Cultural Competency Retraining
Verification Report 2025-04
ECM/JSON 2025-04
CBAS Waiver 2024-04
274 File 2025-04
MCPDIP 2025-04
Data Certification 2025-04
Monthly Restricted Provider Site Verification 2025-04
Post Payment Recovery 2025-04
PIN 2025-04
Encounter Data 2025-04
Consolidated Billing 2025-04
NEMT/NMT 2025-02
DMHC Monthly Financials 2025-04
Annual Forecast Report FY25/26
DHCS Quarterly Financial Report Quarter Ending 3.31.2025
New Members Mailing Attestation 2025-05
Prop 56 Value Based Payment Report 2025-05
DMHC Claims Settlement Report 2025-Q2
DMHC Health Plan Annual Assessment
Community Health Worker Q1 2025
Accountable
Ana Aranda Liz Le
Jeffrey Miller Robert Ruiz
Clarence Rao Victoria Worthy
Pamela Lee Tracy Hitzeman
Clarence Rao Victoria Worthy
Clarence Rao Victoria Worthy
Tamara Hayes Betty Clark
Cambria Day Betty Clark
Christopher Navarro Michelle Tetreault
Ana Aranda Liz Le
Clarence Rao Victoria Worthy
Clarence Rao Victoria Worthy
Dale Standfill Liz Le
Somatra Sourng Michelle Tetreault
Christopher Navarro Michelle Tetreault
Somatra Sourng Michelle Tetreault
Vena Ford Evert Hendrix
Aimee Griffin Michelle Tetreault
Aimee Griffin Michelle Tetreault
Somatra Sourng Michelle Tetreault
Niyati Reddy Liz Le
ECM/CS Quarterly Implementation Q1 2025 Niyati Reddy Liz Le
LTC/SNF Quarterly Q1 2025 Johnathan Yeh Lakshmi Dhanvanthari
Written Summary QIHEC Q1 2025 Kathleen Dalziel Robert Ruiz
Provider Complaints
Provider complaints come to the Health Plan in different forms (e.g., direct call to us or dispute submission to DMHC). While our Provider Services and Claims teams address those coming into us, Compliance is the point of contact for those coming through DMHC. In 2025, Health Plan received 13 requests (2 new Provider Complaints and 11 additional information requests), disputing 2 claims. In 2024, we received 67 requests (28 Provider Complaints and 39 additional information requests), disputing 56 claims. In addition, each complaint may contain multiple issues that require a response. In 2023, Health Plan received 20 requests (13 Provider Complaints and 7 additional information requests), disputing 28 claims.
Compliance coordinates a cross-functional group to review each complaint we receive. This group investigates the cases (from the original request to claim processing and dispute resolution) and prepares a comprehensive response to the DMHC about the provider’s concerns and the actions taken by us. These tables outline the status:
Spot the Issue: There are 3 violations in the picture above. Locate and identify the violation.
Word Scramble
Instructions: Rearrange the letters to form the correct word in each of the lines below. Please see the answers from last month’s Word Scramble game.
1. ETTIRGYNI =INTERGRITY
2. TIAUD =AUDIT
3. GNTRIANI = TRAINING
4. DCEO OF CNUCTOD=CODE OF CONDUCT
5. ILEHATC =ETHICAL
6. TYULQAI = QUALITY
7. OSRBLSEIENP= RESPONSIBLE
8. CEOFFI FO NSOPRIECT GENEARL = OFFICE OF INSPECTOR GENERAL
9. AESFL SMLCIA CTA= FALSE CLAIMS ACT
10. AYIUNAOTILTCB =ACCOUNTABILITY
Do you have a question for Compliance? To submit an inquiry, go to Team Sites > Compliance > Requests > Submit an Inquiry on SharePoint or simply use this link: check it out here.
Program Integrity Unit (PIU)
The PIU investigates and reports all potential fraud, waste, or abuse (FWA) and HIPAA violations. We also conduct exclusion monitoring of our third parties, provide subject matter expertise for audits, manage members’ rights to access/limit their PHI and plan and track annual compliance training.
Privacy & Security
Remember to report HIPAA privacy incidents at this link as soon as you suspect an incident has occurred. We only have 24 hours to report it to DHCS from the date of discovery. Please report these incidents during Health Plan standard working hours, Monday through Friday 8:00 a.m. to 5:00 p.m., so that a PIU Analyst can immediately address the incident report. If you submit a HIPAA privacy incident after 5:00 p.m. on a Friday, the incident may not be addressed until Monday morning; therefore, missing our reporting obligation to report within 24 hours. It is important to not procrastinate and prioritize the submitting of privacy incident reports.
Investigating & Mitigating HIPAA Incidents
This month we are highlighting the steps to investigate and mitigate HIPAA privacy incidents. When conducting a HIPAA privacy incident investigation, the below questions need to be answered to determine the impact of the incident and create a mitigation plan for it:
• How can we stop the PHI from being further disclosed?
• What was the root cause of the incident?
• What kind of PHI was disclosed?
• To whom was the PHI disclosed to?
• How many members did the PHI disclosure impact?
• Was the disclosed PHI destroyed or retrieved?
• Can we prevent this incident from recurring again?
• Who disclosed the PHI, and how can we assure that the person(s) will not disclose it again?
• Should the privacy incident be reported to governmental regulatory agencies such as DHCS and OCR?
If the PIU Analyst investigating the incident, is not able to determine the answers to the above questions, then the PIU Analyst will reach out to appropriate individual(s) for answers to these questions. Once the PIU Analyst has obtained the answers to the above questions, they will implement the following mitigation steps:
• Stop the disclosure of PHI if it is continuing to be disclosed. For example, if an incident has resulted from a Health Plan system sending EOB statements to incorrect Providers, then that system is stopped from sending out further EOB statements to Providers, until the issue has been resolved.
• The receiver of the disclosed PHI is requested to destroy it if it is in paper, fax, or email form. If the location of the disclosed PHI is unknown, we will continue to track it down, until it can be destroyed or retrieved.
• The person who disclosed the PHI is coached by their direct supervisor and if applicable re-trained in their department processes and the Health Plan’s HIPAA policies and procedures. If their disclosure was intentional,
further disciplinary steps (including up to termination) may be taken. (The specific disciplinary steps taken will depend on the severity of the disclosure, refer to HPA09 Health Plan Workforce Disciplinary Action on Privacy and Security Rules Violations.)
• The root cause of the PHI disclosure is determined, and steps are taken to ensure it is fixed and does not reoccur.
• The privacy incident is reported to the appropriate governmental agency if it meets the requirements outlined in the HIPAA and breach notification rules, and the Health Plan’s contract with DHCS.
In our next newsletter, we will go over the privacy incident reporting requirements to DHCS and OCR in more detail.
Privacy & Security Incidents
We had 25 HIPAA incidents occur between April 1 – April 30, 2025. Two (2) of these were reportable to DHCS.
Fraud, Waste, and Abuse (FWA)
Medical record reviews play a crucial role in helping the PIU verify that providers are billing correctly and documenting what they bill. We start with identifying a problem billing pattern in the data, but the data only tells part of the story. By reviewing the medical records that correspond to what was billed, we can determine if the provider rendered the services as bill. Below are some of the things we look for when conducting a review of medical records.
• We verify the documentation is for the correct member date of service.
• We look for start and stop times and signatures.
• We compare what is stated in the record with the requirements to bill for a service.
• We look for who is listed as rendering the service and where the service was rendered to check for appropriate licensure for the services billed.
• We verify the diagnosis, place of service, service, modifiers, and number of units match what was billed in the claim form.
At the conclusion of a medical record review the PIU weighs the evidence of the identified problems and determines if we will educate the provider or educate and pursue overpayment recovery.
Recent Updates
In the last month, our team opened one (1) case and closed four (4). Our team investigated 24 active cases and monitored three (3) cases.
Your Role
If you notice a suspicious activity, don’t hesitate to report it. Stay vigilant. Stay committed.
Upcoming Compliance Trainings
Sexual Harassment Prevention – Jun 7, and due Jul 7
Diversity, Equity, and Inclusion (DEI) – Nov 3, and due Dec 3
Provider Exclusion Monitoring
PIU regularly monitors vendors and providers we contract with for exclusions, per 42 Code of Federal Regulations (C.F.R.) §438.610, which prohibits Medi-Cal Managed Care Plans (MCPs) from contracting or maintaining a contract with physicians or other health care providers who are excluded, suspended, or terminated from participating in the Medicare or Medi-Cal programs.
LOA
Exclusion Monitoring
Zero (0) provider exclusions were identified.
Audit & Oversight (A&O)
For healthcare organizations, maintaining compliance with state, federal, and contractual requirements is essential to ensuring the delivery of safe, high-quality care. Any gaps or deviations from these requirements can introduce significant compliance risks and potential impacts to member care, operations, and regulatory standing.
One of the most effective tools for identifying and addressing these risks are internal audits. At Health Plan, the Compliance Audit & Oversight (A&O) team is responsible for conducting these audit activities on a retrospective basis.
What is an Internal Audit?
An internal audit is conducted to assess whether Health Plan’s operational processes align with applicable regulatory and contractual requirements, particularly those set forth by the Department of Health Care Services (DHCS), and the Department of Managed Health Care (DMHC), and soon the Centers for Medicare and Medicaid Services (CMS). These audits help identify areas of opportunity and non-compliance, allowing functional areas to implement corrective actions, strengthen internal controls, and proactively mitigate potential risks.
Types of Internal Audits
Internal A&O audit activities fall into two primary categories: Annual Audits and Ad Hoc Audits.
• Annual Audits: Conducted on a yearly basis for functional areas that include review of policies and procedures, file review, interviews, and regulatory CAP validation, as applicable.
• Ad Hoc Audits: Conducted as needed in response to instances of noncompliance, risk indicators, or regulatory changes.
2025 Internal Audit Work Plan
The 2025 Internal Audit Work Plan was approved by the Audit & Oversight Committee (AOC) in February 2025. The prioritization of the internal functional areas were determined based on prior regulatory audit findings, as well as operational performance opportunities identified. Our goal is to perform 90% of Clinical and Non-Clinical audits by the end of the year.
The table below outlines the functional areas subject to internal audits this year, and engagement timeline:
Clinical Audits
Utilization Management (Medical)
Appeals
Utilization Management (Pharmacy-PDA)
Non-Emergency Medical Transportation (NEMT)
Potential Quality Issues (PQI)
Case Management
Population Health
Behavioral Health
Credentialing
Q2 2025
Q2 2025
Q3 2025
Q3 2025
Q3 2025
Q3 2025
Q4 2025
Q4 2025
Q4 2025
