
August 18, 2025
The Compliance4U newsletter offers insight into the day-to-day functions of the Health Plan’s Compliance Program and serves as a resource to help staff stay informed about key regulatory updates, reporting obligations, audit activities, and policy changes. Its goal is to promote awareness, accountability, and a culture of compliance across all departments.
Regulatory Affairs
The Compliance Regulatory Affairs department is responsible for analyzing and implementing regulatory changes, coordinating the timely filing of routine regulatory reports, overseeing regulatory audits, managing DMHC provider complaint resolution, and tracking member complaints submitted to state and federal regulators to ensure the Plan maintains ongoing compliance with all applicable requirements. Check out what has happened since we released our last newsletter.
Compliance’s Role in Third-Party Risk Assessments
The Third-Party Risk Assessment (TPRA) is a critical process to ensure that vendor and third-party relationships are evaluated for regulatory compliance, data privacy, and operational risk. The primary purpose of this assessment is to evaluate whether the contracted services require:
• Protected Health Information (PHI) Review: ensuring the vendor has the appropriate security and privacy protocols in place to safeguard member data.
• Delegation Review: determining whether the vendor is performing a delegated function.
• Regulatory Review by DMHC or DHCS: ensuring compliance with regulatory requirements for health care service plans, as mandated by the Knox-Keene Act and Health Plan’s DHCS contract.
This proactive review process ensures we remain compliant with all state and federal regulatory standards while protecting the interest of our members and the integrity of our operations.
How Requests Are Initiated:
The assessment process begins when Procurement submits a request through one of the following:
• Procurement Request Intake Form
• Contract Intake Form
• Review of contract activity within the CLM system
This ensures that any vendor or contract triggering compliance concerns is routed through an established intake process.
Compliance Review Process
Once the request is received, Regulatory Affairs & Compliance:
1. Reviews the submitted request and all historical contract documents.
2. Completes Step 1 and Step 2 of the Third-Party Risk Assessment tool, which evaluate:
a. Need for PHI Review – Whether the vendor has access to protected member data.
b. Need for Delegation Oversight – Whether the vendor is performing a delegated function that requires oversight.
c. Requirement for DMHC or DHCS Review – Ensuring compliance with the Knox-Keene Health Care Service Plan Act and related regulations.
Communication of Results and Triggered Actions
Upon completion:
Regulatory Affairs & Compliance sends an email to all relevant stakeholders with:
o The results of the risk assessment
o Supporting documentation
o Recommended next steps
This email and TPRA results automatically trigger:
o Audit & Oversight (A&O) to confirm Delegation Review and, if applicable, the Program Integrity Unit (PIU), Information System Security, and A&O team to conduct a Readiness Assessment
These downstream activities ensure all impacted departments act on the findings and apply additional oversight or security measures as necessary.
Why This Matters
This structured process:
• Protects member data and ensures PHI security.
• Supports robust oversight of delegated functions.
• Maintains compliance with DMHC and DHCS requirements, ensuring health plan operations meet all state regulatory obligations.

What’s going on at the State and Federal levels?
To support you in your role and ensure timely awareness of changes to regulatory and contractual requirements, Regulatory Affairs staff attends regulatory calls (DHCS Managed Care Plan Call - MCPC) and other regulatory meetings/calls where key regulatory information is shared.
DMHC Fined Blue Cross for Failing to Correct Deficiencies including Mishandling Member Complaints
The California Department of Managed Health Care (DMHC) has taken enforcement action against Blue Cross of California, issuing a significant fine for failing to correct deficiencies identified in a medical survey, or audit, of the plan’s operations. This included direct impacts to members, including failing to properly handle and resolve health plan member complaints, also called grievances or appeals. DMHC levied a $500,000 fine. At a follow-up medical survey from DMHC, Blue Cross of California did not correct deficiencies that were identified during its previous routine medical survey.
Important takeaways from these enforcement actions:
• This situation highlights the critical importance of ensuring that Health Plan adequately tracks and corrects any regulator audit findings.
For more details, read the official press releases here.
Calls Held by Health Plan’s Regulators
Regulatory Affairs staff maintains materials from regulator calls. Check out previous meetings HERE.
All Plan Letters (APLs)
DHCS and DMHC issue All Plan Letters (APLs) to formally communicate updates to federal or state policy, regulatory requirements, or operational procedures.
These directives are intended to guide Managed Care Plans (MCPs) on how to implement changes and ensure compliance with applicable laws and regulations.
Regulatory Affairs reviews and analyzes each APL to interpret its impact, coordinate internal implementation, and ensure timely compliance and required filings.
Draft APLs, often identified with placeholder codes such as “XXX”, are released by the regulators to solicit feedback from MCPs before finalization. During this comment period, MCPs can raise concerns or seek clarification, which may influence the final version of the policy.
Below is a list of recently released APLs for your awareness:
A. DHCS Regulatory Notices
APL 25-011 House Resolution 1 – Federal Payments to Prohibited Entities
Issue Date: July 3, 2025
REVISED: July 31, 2025
Summary: This APL provides guidance on the handling of payments to Medi-Cal and Family Planning, Access, Care, and Treatment Program (Family PACT) Providers who may be impacted by House Resolution (H.R.) 1.
B. DMHC Regulatory Notices
No new or revised notices were published this past month.
Regulatory Reports
Under the terms of our contract with DHCS and in alignment with our Knox-Keene license requirements regulated by DMHC, the Plan is required to routinely submit reports that demonstrate operational performance and regulatory compliance.
Regulatory Affairs tracks and coordinates these submissions to ensure timeliness and accuracy across all departments.
Below is a list of upcoming regulatory reports submitted last month. The table includes:
• A hyperlink to each report,
• The accountable Director and Executive sponsor, and
• Departmental ownership for awareness and coordination.
Please review the list to determine which reports fall within your area. Click the report title for detailed information and submission guidance.
Report Title | Accountable Director | Executive Sponsor
Pending & Unresolved Grievances 2025-Q2 | Ramanpreet Kaur | Robert Ruiz
NEMT/NMT Report 2025-04 | Dale Standfill | Liz Le
Provider Network Impact Report 2025Q2 | Ana Aranda | Liz Le
Quarterly Network Change Report 2025-Q2 | Ana Aranda | Liz Le
Interoperability API Utilization 2025-Q2 | Clarence Rao | Victoria Worthy
Community Support MOC | Jeanette Lucht | Lakshmi Dhanvanthari
FSR/MRR 2025-01 | Ramanpreet Kaur | Robert Ruiz
Adult Expansion Default Assignment Report 2025-01 | Ana Aranda | Liz Le
Provider Directory File and Use 2025-07 | Ana Aranda | Liz Le
LTC-SNF Quarterly Reporting Q2-2025 | Johnathan Yeh | Lakshmi Dhanvanthari
Monthly Financial 2025-06 | Somatra Sourng | Michelle Tetreault
MOU Status Report | Eric Cubillo | Michelle Tetreault
CBAS Report 2025-Q2 | Pamela Lee | Lakshmi Dhanvanthari
Consolidated Billing Report 2025-06 | Clarence Rao | Victoria Worthy
Provider Information Network (PIN) 2025-06 | Ana Aranda | Liz Le
Restricted Provider Site Verification 2025-07 | Toni White | Betty Clark
Post-Payment Recovery 2025-06 | Christopher Navarro | Michelle Tetreault
Quarterly Fraud, Waste and Abuse Status Report 2025-Q2 | Toni White | Betty Clark
CBAS Waiver Report 2025-06 | Pamela Lee | Lakshmi Dhanvanthari
Member Death Notification Report 2025-Q2 | Somatra Sourng | Michelle Tetreault
Provider Complaints
Provider complaints come to the Health Plan in different forms (e.g., direct call to us or dispute submission to DMHC). While our Provider Services and Claims teams address those coming into us, Compliance is the point of contact for those coming through DMHC. In 2025, Health Plan received 38 requests (20 new Provider Complaints and 18 additional information requests), disputing 27 claims. In 2024, we received 67 requests (28 Provider Complaints and 39 additional information requests), disputing 56 claims. In addition, each complaint may contain multiple issues that require a response. In 2023, Health Plan received 20 requests (13 Provider Complaints and 7 additional information requests), disputing 28 claims.
Compliance coordinates a cross-functional group to review each complaint we receive. This group investigates the cases (from the original request to claim processing and dispute resolution) and prepares a comprehensive response to the DMHC about the provider’s concerns and the actions taken by us. These tables outline the status:
DMHC Consumer Complaints and Independent Medical Review (IMR):
Effective immediately, Regulatory Affairs Compliance will manage the intake, tracking, and submission of all DMHC consumer complaints and Independent Medical Reviews (IMR) to ensure timely, compliant, and coordinated responses in collaboration with Grievance & Appeals. Please note, Tables 1-3 below show the Consumer Complaints and IMRs received and tracked beginning May 30, 2025, when Regulatory Affairs Compliance began formally monitoring and managing these complaints.
DMHC Consumer Complaints
Tables 1 and 2 reflect the number of Consumer Complaints received. Health Plan has received 15 requests (7 new Consumer Complaints and 8 additional information requests).
• Table 1 shows the reason for the consumer complaints for Standard Cases, Expedited Cases and Additional Information Requests.
• Table 2 shows the case outcomes for the consumer complaints for Standard Cases, Expedited Cases and Additional Information Requests.
Table 1: DMHC Consumer Complaints by Case Reason (May 30, 2025-July 23, 2025)
Table 2: DMHC Consumer Complaints by Case Outcome (May 30, 2025-July 23, 2025)
Table 3: DMHC Independent Medical Review (IMR) (May 30, 2025-July 23, 2025)
The below table reflects the number of IMR Cases received from the Department from May 30th, 2025-July 23rd, 2025. Health Plan received 1 Standard IMR during this time frame.
Regulatory Audits:
As part of our commitment to compliance and quality care, our health plan is regularly audited by the DHCS and the DMHC. These audits help ensure that we’re meeting all state and federal requirements, fulfilling our contractual obligations, and providing the highest level of service to our members.
Each audit focuses on key areas such as access to care, timely claims processing, grievance and appeals handling, and provider network adequacy. These reviews not only hold us accountable but also give us opportunities to strengthen our processes and improve outcomes. Your role in supporting these efforts, whether through documentation, timely responses, or following procedures, plays a critical part in our overall success.
Here is a look into how we have done with our most recent audits.
DHCS Full Scope Medical Survey – Opportunities for Improvement and Audit Readiness
On April 11, 2025, the DHCS Audit Monitoring Unit issued a corrective action plan (CAP) to the Health Plan following five findings in the final Full Scope Medical Survey report. In response, we submitted a detailed remediation plan with milestones, completion dates, and a commitment to provide regular progress updates until all actions are fully resolved.
Summary of Findings:
1. Improper application of prior authorization requirements to preventive services and cancer biomarker testing.
2. Failure to issue adverse benefit determination notices within required timeframes.
3. Failure to fully use the DHCS-issued template for prior authorization denials.
4. Non-compliance with Medi-Cal Provider Manual requirements in pharmacy coverage decisions.
5. Incorrect application of prior authorization to family planning services.
Progress to Date (as of August 1, 2025):
• Four consecutive monthly updates have been submitted to DHCS, documenting both completed and ongoing remediation efforts.
• Actions taken include policy and procedure revisions, workflow redesigns, staff training, and system configuration updates.
• Several findings have been fully resolved and accepted by DHCS; the remaining items are progressing according to the revised timelines.
Opportunities to Strengthen Our Operations:
This CAP process has highlighted key areas where we can strengthen compliance, streamline processes, and improve member and provider experience. Specific opportunities include but are not limited to the following:
• Reinforcing regulatory timelines and requirements through targeted training.
• Standardizing use of state-issued templates to ensure consistency.
• Enhancing system controls to reduce manual intervention and potential errors.
By addressing these findings thoroughly and embedding these improvements into our day-to-day operations, we will not only close out this CAP successfully but also strengthen our readiness for future DHCS and DMHC audits. Your continued collaboration and attention to these improvements are critical to sustaining compliance and operational excellence.
DMHC Financial Examination – Findings and Next Steps for Audit Readiness
The DMHC conducted the Health Plan’s virtual onsite financial examination from June 9, 2025, through July 21, 2025, concluding with an exit conference on July 21. During the conference, auditors provided a preliminary review of their findings.
Preliminary Results:
• Non-Compliance Finding: Failure to file Key Personnel changes within the required timeframes.
• Items of Concern (not currently regulatory findings but may be scrutinized in future exams):
o Accuracy of claims payment processes.
o Completeness and clarity of responses to provider disputes.
o Appropriateness of the deductible amount for fidelity bonds.
Proactive Opportunities for Improvement:
While only one issue rose to the level of non-compliance, the items of concern highlight areas where we can strengthen controls and documentation ahead of future DMHC examinations:
• Implementing tighter monitoring and cross-department coordination for Key Personnel change filings.
• Enhancing claims payment accuracy through quality checks and automated validations.
• Standardizing provider dispute response templates and review processes for clarity and completeness.
By addressing these areas now, we will not only resolve the current noncompliance finding but also demonstrate proactive compliance management to regulators.
Regulatory and contractual compliance is everyone’s responsibility. Supporting the Plan’s strategic goal of Continuous Compliance means demonstrating audit readiness at all times and fostering a sustained culture of compliance across all departments. In our next issue we will update you on the DHCS Network Adequacy Validation Audit.
Compliance & Ethics Week: November 2–8, 2025
Compliance & Ethics Week is a nationwide initiative that highlights the importance of integrity, accountability, and ethical decision-making in the workplace. It’s a time to reflect on our shared responsibility to uphold the standards that protect our members, our organization, and each other. Let’s continue to test your knowledge with three trivia questions*.
Q: What is the best way to report a suspected compliance or ethics concern at work?
A. Post about it on social media
B. Tell your favorite coworker during lunch
C. Report it confidentially through the compliance hotline or designated reporting channels
D. Wait to see if it fixes itself
Q: Which of the following is an example of a potential conflict of interest?
A. Using company time to volunteer at a charity
B. Accepting a holiday gift from a vendor you oversee
C. Asking a coworker to join your fantasy football league
D. Bringing donuts to a meeting
Level 3: Q: Under the federal False Claims Act, which of the following is not true?
A. It allows whistleblowers to file lawsuits on behalf of the government
B. Violations can lead to penalties of over $10,000 per false claim
C. It only applies to government employees
D. It’s one of the key laws used to combat healthcare fraud
*Answers are at the end of the newsletter
Do you have a question for Compliance? To submit an inquiry, go to Team Sites > Compliance > Requests > Submit an Inquiry on SharePoint or simply use this link: check it out here.
Program Integrity Unit (PIU)
The PIU investigates and reports all potential fraud, waste, or abuse (FWA) and HIPAA violations. We also conduct exclusion monitoring of our third parties, provide subject matter expertise for audits, manage members’ rights to access/limit their PHI, and plan and track annual compliance training.
Privacy & Security
Remember to report HIPAA privacy incidents at this link as soon as you suspect an incident has occurred. We may have to report the incident to our regulators.
Privacy Incident Reporting Requirements
Do you know the requirements to report privacy and security incidents to governmental regulatory agencies such as the Department of Health Care Services (DHCS) and Office for Civil Rights (OCR)? Just in case you do not know or need a refresher, take a moment to review the requirements below.
Reporting to DHCS
Health Plan is required by our DHCS contract to report breaches to them within 24 hours of discovery. We are also required to provide DHCS with a final report within ten (10) working days of discovery.
We aren’t required to report every privacy or security incident we receive to DHCS. We are only required to report incidents that we believe are or might be breaches. Therefore, we report the incidents that are higher risk, such as incidents involving malicious intent, incidents where the disclosed PHI is still missing, or unauthorized disclosures involving a large number of Health Plan members. We also report incidents to DHCS that affect 500 or more individuals, or incidents that aren’t able to be instantly mitigated, such as a system issue that we still need to determine how to correct. We report incidents to DHCS through their DHCS Portal at this link.
Reporting to OCR
Health Plan is also required by the Breach Notification Rule to report breaches affecting 500 or more individuals to OCR within 60 days of discovery. However, if the breaches affect fewer than 500 individuals, we are required to report them to OCR on an annual basis, within 60 days after the end of the calendar year. We report breaches to OCR through their website at this link. For more information about reporting privacy and security incidents, please refer to HPA07 Reporting and Mitigating Suspected Privacy & Security Incidents and Breaches policy.
Privacy & Security Incidents
In the month of July we had 73 HIPAA incidents reported to PIU; four (4) of these were reportable to DHCS.
Five Common Types of Fraud, Waste, and Abuse in Healthcare
Fraud, waste, and abuse (FWA) in healthcare impacts everyone – from patients and providers to health plans and taxpayers. Understanding how FWA occurs helps us all play a role in prevention. Here are five common types:
1. Billing for Services Not Rendered
Submitting claims for services, procedures, or supplies that were never provided is a common form of fraud. This includes entire fake claims or adding items to legitimate claims.
2. Upcoding
This occurs when a provider bills for a more expensive service than what was actually performed. For example, billing for a comprehensive office visit when only a brief consultation occurred.
3. Unbundling
Some procedures are supposed to be billed together under a single code. Unbundling is the practice of billing services separately to receive higher reimbursement.
4. Medically Unnecessary Services
Performing and billing for services that are not medically necessary can be a form of waste or abuse. This includes ordering tests or procedures that do not align with the patient’s diagnosis.
5. Kickbacks and Referral Schemes
Offering or receiving anything of value in exchange for patient referrals or the use of specific services, tests, or equipment is illegal and a form of fraud.
Why It Matters
FWA drives up costs, reduces the quality of care, and undermines trust in the healthcare system. By staying alert and reporting suspicious activities, we help protect both our members and the integrity of our organization.
Fraud, Waste, and Abuse Cases
In July, the PIU opened three (3) cases and closed seven (7). Our team currently has 21 ongoing cases.
Upcoming Compliance Trainings
Sexual Harassment Prevention – September
Provider Exclusion Monitoring
PIU regularly monitors vendors and providers we contract with for exclusions, per 42 Code of Federal Regulations (C.F.R.) §438.610, which prohibits Medi-Cal Managed Care Plans (MCPs) from contracting or maintaining a contract with physicians or other health care providers who are excluded, suspended, or terminated from participating in the Medicare or Medi-Cal programs.
For more information about suspected FWA, please refer to CMP20 Exclusion and Ineligibility policy.
Exclusion Monitoring (LOA Providers)
Zero (0) provider exclusions were identified.