CONTRA COSTA COUNTY - File #: 25-5395

Date	Ver.	Action By	Action	Result	Tally	Action Details	Meeting Details	Video
No records to display.

Advisory Board: Contra Costa Health Plan Joint Conference Committee

Subject: Compliance Activities Report

To: Joint Conference Committee (JCC) Members

From: Sunny T. Cooper, Senior Director of Compliance and Regulatory Affairs (Interim)

Compliance Department

Date: December 19, 2025

Subject: Q4 2025 Compliance Activity Report

Purpose

This compliance report is being submitted to provide the Joint Conference Committee (JCC) with required oversight information on the effectiveness of the Plan’s Compliance Program, the status of key compliance activities, and any significant risks or issues that warrant JCC attention, in accordance with Department of Health Care Services (DHCS), Centers for Medicare and Medicaid Services (CMS) contractual obligations and Knox Keene Act of 1975 for Medi-Cal, Commercial and Medicare D-SNP managed care regulations.

I. Executive Summary

During this reporting period, the Compliance Department continued to strengthen the organization’s overall compliance posture across our Medi-Cal and Commercial lines of business while preparing for the D-SNP go live date of 01/01/2026. Our efforts focused on maintaining regulatory readiness, improving coordination between operational teams, and ensuring timely identification and remediation of compliance risks.

Regulatory monitoring remains stable. All required Medi-Cal and Medicare submissions were completed on time, and no critical findings were identified in ongoing state or federal monitoring activities. Preparations for the upcoming Department of Managed Health Care (DMHC) Financial audit are on track, with targeted workgroups addressing documentation, reporting, and operational control enhancements. The design and implementation of various compliance programs to strengthen regulatory compliance and audit readiness are also underway, prioritizing high-risk areas such as fraud prevention, privacy safeguards, and timely regulatory filings and responses.

CalAIM oversight activities are progressing as planned. All annual audits of Enhanced Care Management (ECM) and Community Support Services (CSS) entities are on schedule, and corrective action plans for identified issues are in progress. Enhanced monitoring of high-risk delegates, such as Pharmacy Benefit Manager (PBM), continues to reduce operational and regulatory exposure.

Fraud, Waste, and Abuse (FWA) monitoring shows no emerging risks; investigations are being completed within required timeframes in this past quarter, and overpayment recovery processes remain compliant. Privacy and security events remain low in volume, with no reportable breaches this period. Ongoing staff training and updated technical safeguards continue to strengthen our overall security posture.

Overall, the organization’s compliance health is stable and trending positively. While there were several compliance gaps identified, a concerted effort, a.k.a., Compliance Performance Improvement Workgroup, has been put in place to tackle these gaps. The Compliance Department will continue to work collaboratively across the organization to maintain regulatory readiness, promote a culture of compliance, and ensure timely escalation of any emerging risks to the JCC members and to the Board of Supervisors (BOS) as needed.

II. Compliance Dashboard

In an effort to monitor the health of our Compliance Program Performance Dashboard (CPPD), we plan to design and implement a comprehensive Compliance Dashboard to monitor critical Key Performance Indicators (KPIs) in the next few years.

• A typical Compliance Program Performance Dashboard could include the following categories:

o Compliance Program Performance Dashboard: Examples - compliance training completion rates, policies & procedures review status, etc.

o Delegation Oversight Dashboard: Examples - number and types of delegated entities, annual audit statuses, compliance training rates, etc.

o Member Grievances & Appeals Dashboard: Examples - total grievances and appeals by category, timeliness of resolution, D-SNP integrated grievance/appeal metrics, etc.

o Access & Network Adequacy Dashboard: Examples - network adequacy, appointment availability test results, call center access metrics, etc.

o Fraud, Waste & Abuse (FWA) Dashboard: Examples - FWA referrals and investigations, timely regulatory reporting, case aging and resolution timeliness, etc.

o Privacy & Security Dashboard: Examples - HIPAA breach incidents & risk levels, Breach investigation timeliness, timely regulatory reporting, etc.

o Audit & Regulatory Oversight Dashboard: Examples - regulatory audits status & findings, submission, etc.

o Clinical Quality & Performance Dashboard: Examples - HEDIS performance and outliers, care coordination metrics (IHSS, LTSS, CS referrals, transitions of care), D-SNP health risk assessment (HRA) completion timeliness, etc.

o Claims, Encounters & Payment Integrity Dashboard: Examples - claims payment timeliness, encounter data submission timeliness and acceptance rates, overpayment identification and return compliance, etc.

Due to competing priorities, we plan to design and implement these dashboards in a phased approach. We will highlight each dashboard as they become available in our upcoming reports. Below is a highlight of our current mandatory Compliance Training Dashboard.

• Mandatory Compliance Training

Mandatory Compliance Trainings are defined as those trainings that are specifically required by regulatory agencies via contractual requirements or codified in relevant laws governing the Plan. The chart below provides a summary of what we currently track and monitor on an ongoing basis.

Trainings (Due Dates)	CCHP
2025 Transgender, Gender Diverse or Intersex (TGI) Inclusive Care Act (01/31/25)	88%
2025 Diversity Equity & Inclusion (DEI) (10/31/25)	84%
2025 D-SNP Model of Care (MOC) (11/10/25)	68%
2025 General Compliance & FWA (12/31/25)	98%
2025 HIPAA Privacy & Security (12/31/25)	76%

The targeted threshold for attainment is >95%. A discussion topic on how to increase the training attainment rate is planned for our next Compliance Committee meeting which is scheduled to be held on 12/15/25.

III. Program Integrity & Fraud, Waste and Abuse Prevention Program

Our Fraud, Waste, and Abuse (FWA) Prevention Program is designed to prevent, detect, and correct improper activities that could harm members, providers, or program integrity. The program includes clear policies, mandatory training, data monitoring, auditing, and processes for reporting and investigating suspected FWA. We partner with internal teams, delegated entities, and regulators to ensure timely identification of risks and implementation of corrective actions. This program helps safeguard financial resources, uphold regulatory requirements, and protect the integrity of our health care services. As such, we perform regular FWA prevention analyses and FWA investigations for irregular billing practices observed and complaints received.

Between January 1, 2025, and October 22, 2025, a total of 35 FWA incidents were received and investigated. Ten (10) cases were closed during the same period. Per contractual requirements, CCHP is required to file these FWA cases with DHCS within 10 business days. During the same period of time, 33 credible FWA cases were filed with DHCS. Untimely filing was noted in 10% (3) cases. Below tables outline the FWA incidents in more detail.

Table 1: Cases Received and Closed by Month for Reporting Period 1/1/25 - 10/22/25
	Jan	Feb	Mar	Apr	May	Jun	July	Aug	Sept	Oct	Nov	Dec	Tot
# Rec.	1	0	1	1	4	5	7	7	5	4	-	-	35
# Closed.	0	0	0	2	1	1	2	1	2	1	--		10

Per DHCS contractual requirements, preliminary reports must be filed with DHCS’ Program Integrity Unit (PIU) detailing any suspected FWA identified by or reported to us and our third-party entities including contracted providers within 10 working days. We monitor and track the timely filing of our FWA incidents as well as the types of cases in question. Based on the monitoring results, we remediate our processes for any deficiencies. Tables 2 and 3 summarize FWA statuses and results for Calendar Year 2025 to date.

Table 2: Timely Regulatory Reporting of FWA Incident for Reporting Period 1/1/25 - 10/22/25
Filing Status	Count	% of Total
Timely Filing (within 10 working days of incident)	27	90%
Untimely*	3	10%
N/A (Reported by DHCS)	3	N/A
Total	33	100%

Table 3: FWA Case Type (Closed Cases) for Reporting Period 1/1/25 - 10/22/25
Filing Status	Count	% of Total
Services Not Rendered	3	30%
Medically Unnecessary Services	1	10%
Other	1	10%
Not FWA	5	50%
Total	10	100%

IV. Privacy, Security & HIPAA Compliance

Our HIPAA Privacy Program is designed to protect member information, ensure compliance with federal and state regulations, and safeguard the member’s Protected Health Information (PHI), Personally Identifiable Information (PII), and other confidential information relevant to privacy laws. The Program establishes clear policies, workforce training, ongoing monitoring, incident response procedures, and risk-based security controls to prevent unauthorized access, use, or disclosure of protected information. It also ensures we continuously evaluate risks, strengthen safeguards, and maintain transparency with regulators and stakeholders. Together, these efforts help maintain member trust and support the organization’s commitment to ethical and compliant operations.

Between January 2025 and November 2025, we received and investigated a total of 38 cases. Of the 38 cases investigated, 25 (83%) cases were reported timely within 24 hours of discovery while 5 (17%) were reported untimely. One of the primary reasons for untimely reporting was the delay in reporting to Compliance (16%). This may indicate the need to generate awareness within the organization to ensure that any observed HIPAA violation is reported immediately to Compliance without delay. Compliance is currently working on developing a Compliance Awareness training series to educate and remind CCHP Workforce to report non-compliance incidents timely.

To date, 97% of the HIPAA incidents reported did not result in any reportable breach. The only incident that required additional remediation effort took place with our Pharmacy Benefit Manager (PBM) which impacted 244 Commercial members. The incident involved a data processing error which resulted in our members’ PHI being sent to another health plan client. The file containing our members’ PHI was deleted by the receiving plan and the PBM confirmed that the deficiency was remediated on July 22, 2025. Tables below summarize the HIPAA investigation monitoring activities between January 2025 and November 2025.

Table 5: Timely Regulatory Reporting of HIPAA Incident for Reporting Period 1/1/25 - 11/30/25
Report within 24 Hours	Jan	Feb	Mar	Apr	May	Jun	July	Aug	Sept	Oct	Nov	Dec	Tot
Not Timely	1		1		2	1		1					6
Timely	7	5	2	1	4	1	4		1	3	4		32
Grand Total	8	5	3	1		2	4	1	1	3	4		38

Table 6: HIPAA Incident by Breach of No Breach Categories
Internal Reporting Delays	Jan	Feb	Mar	Apr	May	Jun	July	Aug	Sept	Oct	Nov	Dec	Tot
Breach					1								1
No Breach	8	5	3	1	5	2	4	1	1	3	4		37
Grand Total	8	5	3	1	6	2	4	1	1	3	4		38

V. Compliance Investigations & Internal Audits

We plan to design and implement an Internal Audit Program between Q4 2026 and Q2 2027.

VI. Policies & Culture of Compliance

We plan to develop & implement a Policy Management Program (PMP) including the establishment of a Policy Review Committee between Q1 2026 and Q3 2026. This effort also includes establishing a Compliance Awareness training series within CCHP and the participation of the nationwide Compliance Week celebration in the first week of November in 2026 to instill a culture of compliance within the organization.

VII. Risk Assessment & CAP Tracking

• 2024 Medical Survey CAP Status Update

There was a total of 19 deficiencies identified from the 2024 DHCS Medical Survey. Of the 19 deficiencies identified, one remaining deficiency is being remediated along with our ECM providers. The status of this deficiency is included below:

• 2025 DHCS Medical Survey (closing conference held on 8/26/25)

Pending final DHCS audit report.

• 2022 Financial Audit CAP

The Department of Managed Health Care (DMHC) conducts financial auditing of Medi-Cal Managed Care Plans (MCPs) every 3 years. Our last financial audit was conducted in 2022. We are currently gathering evidence of remediations in preparation for the upcoming 2026 Financial Audit which is in progress currently. The table below outlines the deficiencies identified in 2022.

VIII. Compliance Performance Improvement Workgroup Update

To ensure sustainability and operational excellence amid various pressures, CCHP established a structured framework of Performance Improvement Workgroups (PIWs). These cross-functional teams will identify and implement opportunities for improvement across departments and functions - enhancing efficiency, accountability, and alignment within the integrated system. Identified as one of the workgroups supporting these goals, Compliance Performance Improvement Workgroup (CPIW) is put in place with the following team members.

Compliance PIW will leverage the 7 Elements of an Effective Compliance Program, published in the US Sentencing Guidelines, as our guiding principles to establish an effective compliance and ethics program. In addition, per DHCS Contract Section 1.3.1, 42 CFR §§ 422.503(b)(4)(vi) and 423.504(b)(4)(vi), CCHP must have a Compliance Program in place which adopts these 7 elements.

• Written Policies and Procedures: Establish clear, written guidelines for conduct (Code of Conduct) and compliance across the organization.

• Compliance Leadership & Governance: Designate a compliance officer and a Compliance Committee with authority and oversight to manage the Program involving the highest levels of leadership.

• Training and Education: Provide regular, effective training and educational programs to all employees to ensure they understand their compliance obligations.

• Effective Communication: Develop clear and accessible channels for employees to report concerns and ask questions without fear of retaliation.

• Monitoring and Auditing: Conduct regular internal/delegate monitoring and auditing to assess the Program's effectiveness and identify potential areas of non-compliance.

• Enforcement & Discipline: Implement and publicly communicate disciplinary standards and consequences for non-compliance to ensure accountability across the organization.

• Response to Offenses: Establish a system for promptly responding to detected offenses, including investigating issues and taking appropriate corrective action to prevent recurrence.

In this report, we are highlighting our Plan related to the second element - “Compliance Leadership & Governance”. The governance structure planned includes:

• JCC Oversight via regular Compliance Officer updates.

• A Compliance Committee, chaired by the Compliance Officer, consists of CCHP leadership team members with the authority and oversight to manage the Compliance Program.

• Sub-committees consist of members from both Compliance and business Subject Matter Experts (SMEs) within the organization to resolve escalated non-compliance risks and propose and/or implement remediation steps.

• Compliance programs monitor day-to-day operational tasks and mitigate non-compliance incidents in real time or via structured audit workplan.

The plan to structure CCHP’s Compliance Governance is depicted below.