UK HealthCare Corporate Compliance Overview

Message from Leadership

Robert DiPaola, MD, and Eric Monday, PhD, Co-Executive Vice Presidents for Health Affairs, standing in a UK HealthCare corridor.

A Word from the Co-EVPHAs for UK HealthCare

Our work at UK HealthCare is built upon a foundation of trust and transparency. We must earn the trust of our patients, our people, and our community by fulfilling our mission — clinical care, research, and education for Kentucky — with integrity.

Our Corporate Compliance Program allows us to meet this mission within the bounds of policy, regulation, and law. It encourages transparency in our decisions and the ethical use of our resources.

Our corporate compliance policies show we expect ethical conduct of each other — doing what is right in all cases — and strive to manage and reduce risks to our patients and our organization. Ethical conduct is demonstrated. Trust is earned. Through both, we deliver on our commitment to our patients, the Commonwealth and each other.

Robert DiPaola, MD, Co-Executive VP for Health Affairs
Eric Monday, PhD, Co-Executive VP for Health Affairs

R. Brett Short, Chief Compliance Officer, University of Kentucky / UK HealthCare.

A Word from the Chief Compliance Officer

The University's high standards extend to those we hire — we are well aware that even the best corporate compliance infrastructure relies upon committed team members to understand it, live it and make it real.

We know that to be the kind of high-quality, highly reputable organization required, every employee must be prepared to speak up when they see a problem or a concern.

As you read this overview of Corporate Compliance at UK HealthCare, you will find a variety of programs that are here to support you in complying with the many rules and regulations that govern the provision of health care. By working together, we ensure UK HealthCare holds itself to the highest standards of conduct and integrity.

R. Brett Short, CHC, CHPC, CHRC
Chief Compliance Officer
University of Kentucky / UK HealthCare

Supporting UK HealthCare's Mission

UK HealthCare is committed to the pillars of academic health care — research, education, and clinical care — with dedication to improving the health of the people of Kentucky by providing advanced health care, serving as an information resource, and strengthening local health care by partnering with community hospitals and physicians.

The Office of Corporate Compliance for UK HealthCare supports the University's mission and strategic plan by helping to navigate the highly regulated environment in which UK HealthCare operates.

UK HealthCare 2025 Strategic Plan: Vision — One community committed to creating a healthier Kentucky. Five strategic pillars: Build Our Culture, Create a Healthier Kentucky, Invest in Our People, Advance Care Strategically, Provide More Value.

Working with the Best

 

UK HealthCare prides itself on working with great people and great businesses. UK HealthCare and the Office of Corporate Compliance value the integrity of our relationships and maintain a process for reviewing our relationships. This process includes:

  • Regularly screening our employees and vendors against exclusion lists, including those of the HHS Office of Inspector General and the General Services Administration System for Award Management;
  • Annually reviewing conflict of interest disclosures for designated employees; and
  • Supporting our downstream entities' compliance with CMS requirements.

Our Team Is Everyone

The Office of Corporate Compliance considers every UK HealthCare staff member and faculty member to be a part of the Corporate Compliance team because, at the University of Kentucky, compliance is everyone's responsibility.

Corporate Compliance Overview

The Office of Corporate Compliance works within a wide array of areas, categorized into three specialized teams: Compliance, Auditing, and Privacy.

Compliance

  • Fraud, Waste, and Abuse
  • Controlled Substances Act
  • Stark Law
  • Contractual Arrangements
  • Outreach
  • 340B Drug Discount Program
  • Telehealth
  • EMTALA
  • Gifting
  • Anti-Kickback Statute
  • KASPER
  • FDR Compliance
  • Conflicts of Interest
  • False Claims Act
  • Provider-Based Requirements
  • OIG Work Plan
  • Surprise Billing
  • Price Transparency

Auditing

  • Documentation Guidelines
  • RAC Audits
  • Post-Payment Review
  • Physician and Coder Education
  • Overpayments
  • Professional Fee Claims
  • Procedure (CPT) Codes
  • Modifier Usage
  • General Billing Requirements
  • Payer Rules and Regulations
  • Underpayments
  • Code Assignments
  • Teaching Physician Rules

Privacy

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Business Associate Agreements
  • Treatment, Payment, Operations
  • Patient Access to Records
  • Amendment of Records
  • Accounting of Disclosures
  • Disposal of Paper
  • Breach Notification
  • Breach Analysis
  • Law Enforcement Requests for Patient Information
  • Patient Privacy Rights
  • Information Blocking
  • Covered Entity Determination

Corporate Compliance Essentials

The Office of Corporate Compliance's purpose is to:

  • Promote a culture of ethics and compliance that is central to all of UK HealthCare's operations and activities;
  • Understand the nature of the risks and potential risks of UK HealthCare's operations and activities; and
  • Manage risks that may lead to financial, legal, and/or reputational loss.

In simple terms, the Office of Corporate Compliance engages a three-step process to evaluate activity and operations at UK HealthCare:

  1. Assess Activity
  2. Identify Obligations
  3. Develop Work Plans
Three-step compliance evaluation process: (1) Assess Activity, (2) Identify Obligations, (3) Develop Work Plans.
 

The OIG's 7 Elements to an Effective Compliance Program

UK HealthCare's complete Corporate Compliance Program Manual is available on the Office of Corporate Compliance's website.

1. Standards, Policies, and Procedures

The Office of Corporate Compliance assists with the development, modification, issuance, distribution, and review of the Code of Conduct and compliance policies. UK HealthCare employees are provided with online access to our policies and Code of Conduct.

2. Compliance Administration

Compliance is an integrated part of UK HealthCare. The Chief Compliance Officer leads our Corporate Compliance team and program. The Office of Corporate Compliance regularly reports to a Compliance Committee and the HealthCare Committee of the University of Kentucky Board of Trustees.

3. Communication

UK HealthCare emphasizes the importance of communicating all compliance concerns and offers several methods of reporting, including a 24-hour anonymous hotline and online reporting.

4. Training and Education

UK HealthCare promotes compliance through training our staff and faculty members. Designated UK HealthCare employees are required to complete compliance, privacy, and IT security training within 90 days of hire and annually thereafter. UK HealthCare retains compliance training documentation.

5. Monitoring and Auditing

The Office of Corporate Compliance proactively audits, monitors, and surveys our activities to verify adherence to the Code of Conduct, policies, and applicable regulatory requirements.

6. Disciplinary Guidelines

UK HealthCare publicizes disciplinary standards to our employees through multiple methods, including our policies and procedures, Corporate Compliance Manual, and staff training.

7. Prompt Investigation and Remedial Measures

The Office of Corporate Compliance investigates, or oversees the investigation of, reports of violations of the Code of Conduct, policies, and legal requirements, and provides recommendations for remedial measures as needed.

Risk Assessment Overview

The Office of Corporate Compliance continuously monitors and assesses potential risks to the health care enterprise. After completing an annual risk assessment, area-specific work plans are implemented. However, due to the evolving nature of health care regulations and risks, work plans are modified as needed throughout the year.

The risk assessment process moves through four continuous stages:

  1. Identify Risk — Review trending issues, integrity agreements, and enforcement actions affecting the health care industry; partner with key stakeholders to identify issues.
  2. Assess Risk — Conduct risk assessment; audit relevant data.
  3. Mitigate Risk — Develop standards, procedures, or policies; educate and train staff.
  4. Monitor Risk — Develop a plan to audit or monitor implemented risk controls; re-assess risk as needed.
The four-stage risk assessment cycle: Identify Risk → Assess Risk → Mitigate Risk → Monitor Risk (continuous loop).

Privacy Essentials

UK HealthCare is committed to protecting the privacy rights of its patients. The Office of Corporate Compliance's privacy program:

  • Regularly monitors activity involving, and access to, patient information to verify that it is used for authorized purposes;
  • Investigates reports of privacy violations to safeguard patient rights;
  • Serves as a resource for patients and staff regarding patient privacy rights under HIPAA; and
  • Provides staff education and information on protecting patient privacy rights as an organization.

Patient Privacy and Social Media

The UK HealthCare Privacy team works to ensure that patient information is not inappropriately posted on social media platforms. UK HealthCare has established guidelines for use of social media by staff to ensure that educational uses of social media platforms do not include identifying information about patients. UK HealthCare's Privacy team discusses the social media guidelines in regular privacy training activities with staff and investigates possible social media incidents as they are reported.

Elevating Your Concerns

All UK HealthCare employees are required to report any activity believed, in good faith, to be illegal, unethical, abusive, or in violation of the intent of UK HealthCare's Corporate Compliance Program within 24 hours of discovery of the activity. Methods of reporting include:

  1. Reporting directly to your supervisor or other departmental authority.
  2. Contacting the Office of Corporate Compliance at 859-323-8002.
  3. Contacting the University of Kentucky Comply-Line at 1-877-898-6072 or reporting online at ukhealthcare.uky.edu/staff/corporate-compliance.

No matter the reporting method, employees maintain responsibility for ensuring privacy concerns are reported to the Compliance Office. The Comply-Line is available 24 hours a day, seven days a week, and both the hotline and online reporting allow for anonymous, good-faith reporting.

Comply-Line

1-877-898-6072

Non-Retaliation Policy: UK HealthCare prohibits retaliation against any employee who makes a good faith report or who refuses to carry out any activity that is the subject of a good faith report. However, any employee who fails to make a report or makes a malicious report may be subject to discipline, up to and including termination, depending on the nature and severity of the issue. The Office of Corporate Compliance regularly collaborates with Employee Relations, as appropriate. Employee Relations may be contacted at 859-257-8758.

Compliance Resources