Compliance program plan & code of conduct

I. Introduction

Path CCM, Inc. d/b/a Rula Health ("Rula") provides management and administrative support services to SUD Specialty Group -- CA; Mental Health Specialty Group, P.A.; Mental Health Specialty Group NJ, PC; and Mental Health Specialty Group KS, P.A. (collectively, the "Group"). This plan applies to Rula CCM, Inc. and its medical group affiliates listed above. The Plan applies to all employees, Board members, providers, contractors, interns, and others doing business with the Group.  Each employee or contractor is responsible for their own conduct in complying with the Plan’s content. 

The Group is committed to the highest standards of ethics, honesty, and integrity in pursuit of its mission: to make mental health work for everyone. The Compliance Program at the Group demonstrates our commitment to ethical conduct and compliance by setting forth guidelines for conduct designed to prevent and detect violations of law and by encouraging compliance through support, training, and educational resources. This Compliance Program Plan assists the Group in fulfilling its compliance responsibilities by creating an operational structure that outlines and documents the Group’s compliance efforts.

The Plan is intended as a guide to help implement compliance with all applicable standards. The laws, regulations and ethical rules that govern behavioral health care are too numerous to list in the Plan.  Fundamentally, all parties of the Group are expected to conduct all business activities honestly and fairly.  Any form of lying, cheating, or misrepresentation is forbidden.  

II. Written Standards of Conduct

The Compliance and Privacy Program at the Group consists of this Compliance Program Plan (“Plan”), a Code of Conduct (see Appendix A), and Compliance and HIPAA Policies and Procedures that apply to all employees, the Board of Directors, interns, and contractors when they are doing business with or for Group. The Plan, Code of Conduct, and Policies and Procedures provide the guiding standards of conduct for the Group and set forth our commitment to our patients in following federal and state contractual and regulatory requirements. Each leader is responsible for ensuring that the Plan, Code of Conduct, and Policies and Procedures are observed by all for whom this Plan applies. All employees, Board of Directors, and contractors of the Group are responsible for reading and understanding these standards of conduct. 

Any employee, Director, intern or contractor who is in doubt as to the appropriateness of a course of action or concerned about the application of a policy must promptly communicate with his or her supervisor, the Compliance Officer, or the Compliance hotline, before taking action.

III. Compliance Program Governance

Board of Directors: The Board of Directors has overall responsibility for oversight of the Compliance Program with the Group. The Compliance Officer has direct access to the Board of Directors and has the authority to report any compliance concerns if s/he believes an issue is not being adequately addressed by the Group CEO. 

Compliance Committee: The Group has a Compliance Committee which has direct oversight responsibility for the compliance activities of the Group and which assists the Group in fulfilling its legal and contractual compliance obligations. The Compliance Committee provides oversight and support for the Group’s functions and company-wide activities. The Compliance Committee is chaired by the Compliance Officer and consists of representatives from Revenue Cycle Management, Credentialing, Quality, Finance, Engineering, the Medical Director, as well as the Head of Clinical Care, and the HIPAA Security and Privacy Officer. Legal counsel will be engaged as needed.  This committee meets quarterly.

The Committee members oversee the following areas of compliance activity:

  • Informing, training, and educating Group employees, Directors and contractors about the Code of Conduct and ethical obligations under this Code;
  • Monitoring compliance activities, including provider auditing, implementing policies and procedures, and training and education programs;
  • Serving as a resource to the Group on matters of compliance and legal and regulatory changes, and assessing and identifying areas of risk;
  • Assisting People Operations and functional leaders in developing corrective action plans;
  • Recommending and reviewing disciplinary action for violations of the Code of Conduct; and
  • Reporting on compliance activities to the Group CEO and when necessary, to the Board of Directors through the Compliance Officer.

Compliance Officer: The Compliance Officer supports and assists the Compliance Committee in its oversight responsibilities. The Compliance Officer is responsible for the day-to-day operations of the Compliance Program and works in partnership with the Group’s Privacy & Security Officer. Responsibilities include:

  • Training employees, Directors and contractors on the Code of Conduct and Compliance and Privacy Policies;
  • Monitoring compliance activities;
  • Assisting with corrective action plan development, review, and monitoring;
  • Monitoring emerging issues in the field of compliance;
  • Coordinating cross-functional compliance efforts;
  • Maintaining a reporting hotline for compliance matters;
  • Providing support for the Committee’s operational activities; and
  • Submitting quarterly reports to the Group CEO and Board of Directors on the activities of the Compliance Program.

Outside Counsel: The Compliance Officer and/or the HIPAA Privacy & Security Officer consult with outside Counsel as may be necessary or appropriate to monitor and enforce the Plan.

IV. Education and Training

New Employee Orientation Training (or Onboarding for contractors): All new Group employees, Directors, interns, and contractors are required to complete new employee orientation (or onboarding for contractors) and training on the Code of Conduct, conflicts of interest, HIPAA security and privacy, and must sign off on receipt and understanding of the Compliance Plan. Prior to having access to any Group systems containing Electronic Protected Health Information, new Group employees, Directors and contractors must complete HIPAA Privacy training.

Employees and Other Representatives: All Group employees, Directors, interns, and contractors are expected to carry out their duties for the Group in accordance with this Plan. Group Leadership is responsible for ensuring that all employees, Directors and contractors observe the Plan, Code of Conduct, and Policies and Procedures. Supervisors are responsible to see that employees under their supervision and contractors follow these documents.

Compliance Program Training: Each employee and contractor at the Group is required to complete annual compliance and privacy training as a condition of employment. Annual training is required to maintain good standing as a Group employee or contractor. Supervisors are responsible for collaborating with People Operations and the Compliance team in monitoring completion of all required training.

The Group reviews and updates, as necessary, the compliance training annually or when there are material changes in regulations, policy, or guidance.

Ongoing Training: The Compliance Officer, in conjunction with Group Leadership, will also hold subject-matter specific training and educational programs. Further training may also be required as a result of an investigation or corrective action. 

V. Reporting

An open line of communication between the Compliance Officer and employees or others associated with the Group is critical to the successful operation of the Compliance Program. Specific questions about whether any action complies with Group policies or applicable law shall be directed to the Compliance Officer via phone call, Zoom, email, or the anonymous Compliance hotline.

Reportable Compliance Concerns:

  • Criminal conduct and safety concerns: All employees and persons associated with the Group have a duty to report to the Compliance Officer any suspected or actual violation of the Plan, Code of Conduct, or policies that relate to the Group, to the Group’s assets, or to regulatory contracts. Such individuals are encouraged to seek clarification regarding any ethical or legal concerns and will cooperate fully with the Compliance Officer and his or her investigations. 
  • Violations of law or policy: All Group employees and contractors are encouraged to report any concerns that there are violations of law or policy.
  • False Claims Act: It is a violation of the False Claims Acts (FCA) for anyone to knowingly submit, or cause another to submit, false claims for payment of government funds. Examples of FCA violations include filing a claim for services that were not rendered; filing a claim for services that were not medically necessary; “upcoding” or inflating of services; unbundling of services; or submitting a claim containing information known to be false. Anyone who suspects a violation of the FCA, this Plan, the Code of Conduct, or other Policies or Procedures is required to promptly report the situation. False accusations made with the intent of harming or retaliating against another person can subject the accuser to disciplinary action. 
    • Special FCA whistleblower provisions: The FCA contains provisions that allow citizens with evidence of fraud against the government to sue on behalf of the government, in order to recover stolen funds.
    • No retaliation: Any threat of retaliation or harassment against an individual, who makes a report in good faith, is against Group policy. Retaliation or harassment, if found to be substantiated, is subject to appropriate discipline up to and including termination of employment. In addition to the Group’s internal policy against retaliation, state and federal law provide protection to those who make a good faith report. 
    • For more information regarding the Group’s compliance with the False Claims Act, please refer to the following policies: Conflict of Interest and Non-Retaliation. 

How to Report a Compliance Concern:

  • An individual may seek guidance or report a violation to his or her supervisor, the Compliance Officer directly, or by calling the anonymous Compliance hotline at (833) 613-2443.. Compliance reports may also be filed via to Report Online. 
  • The Group compliance officer is: 

Trevor Purifoy


  • Hotline Procedures: The Compliance Officer will keep all reports confidential when possible; however, during investigation the individual who reported the violation may become known or may have to be reported to government authorities.

VI. Monitoring and Auditing

In order to detect noncompliance and improve the quality of operations, an ongoing assessment and evaluation is integral to the success of the Group’s Compliance Program. The Compliance Officer participates in periodic internal and external audits of the Group’s compliance with regulatory contracts, the Code of Conduct, and Group Policies and Procedures.  

The audit process will focus on areas targeted by state and federal agencies, external audit review with payors, results, contractual obligations, and industry guidance. The Compliance Officer will create an annual audit plan based on completed risk assessments. The Compliance Officer receives and reviews all internal audits and apprises the Group CEO, Compliance Committee, and the Board of Directors of audit results, as appropriate.

Risk Assessments: The Group conducts periodic risk assessments to evaluate and prioritize the compliance-related risks facing the company. Each risk assessment shall measure the magnitude of applicable events of noncompliance in light of the likelihood of occurrence for each such event under existing Group Policies and Procedures. The Compliance Committee shall address the results of these risk assessments and oversee the development and implementation of appropriate corrective action plans.

Effectiveness Evaluations: The Compliance Officer will periodically conduct evaluations of the effectiveness of the Code of Conduct, training, and the Compliance Program in general. These evaluations may include comparisons with other compliance programs at other similar companies.

Debarment Reviews and Background Checks: The Group and its subcontractors conduct regular monthly checks of the U.S. Department of Health and Human Services Office of Inspector General (OIG) List of Excluded Individuals/Entities and the System for Award Management (SAM) database. If any names on these lists match Group employees or contractors, they are forwarded to the Credentialing Committee and the Compliance Officer for verification and review. If the Credentialing Committee or Compliance Officer verifies that a debarred individual or contractor is working or proposes to work for the Group, the Group will take appropriate action to ensure that the debarred party is not hired or is terminated immediately. 

Provider Monitoring and Auditing: To ensure that all Group providers comply with Group, state and federal laws and regulations, and to detect fraud, waste, and abuse, the Group has developed a provider audit program. Provider audits are conducted: 

  • On a random basis as part of continuous quality improvement and/or compliance monitoring activities;
  • As part of routine quality and/or billing audits;
  • As may be required by patient, provider, and/or government, regulatory or payor contracts;
  • As part of periodic reviews conducted pursuant to accreditation requirements to which the Group is or may be subject;
  • In response to an identified or alleged specific quality of care, professional competency or professional conduct issue or concern;
  • As required by state and/or federal laws, rules, and/or regulations;
  • In the course of claims reviews and/or audits;
  • As part of the review of delivery of services; or
  • As may be necessary to verify compliance with regulatory or payor contracts.

All providers are contractually required to comply with all aspects of the Group’s audit program, which may include, but are not limited to: virtual site reviews, desk audits, medical record reviews, and claim reviews and/or data mining. Additionally, these audits will ensure that Providers’ billing accurately reflects the level of services provided to patients so that there is no intentional or unintentional upcoding or miscoding of services. 

The Compliance Officer may initiate immediate disciplinary action and when appropriate, in cooperation with the Head of People Operations, up to and including corrective action plans or suspension of payments against a provider who fails to comply with medical record documentation requirements or coding and billing requirements. 

The Group will notify any necessary entities (including payors) when it takes adverse action against a provider for program integrity related reasons as required by contract or state and federal laws and regulations. 


As part of the comprehensive Compliance and Privacy Program, the Group has established an internal investigation and corrective action process to ensure that timely, complete, and objective investigations are conducted in response to allegations. The exact nature and level of thoroughness of the internal investigation will vary according to the circumstances.  The Compliance Officer or a designee will be responsible for completion of timely, complete, objective investigations. 

In most cases, a Compliance Investigation template will be used to document the investigation.  Compliance Investigations will be maintained by the Compliance Officer and when necessary, will be included in employee or contractor personnel files.

Upon conclusion of an internal investigation, corrective action and preventative measures are determined and implemented as appropriate. If the identity of the complainant is known, the Compliance Officer (or designee) shall report to the complainant that an investigation has been completed, and, if appropriate, that corrective action has been taken.


Disciplinary Action: The Group will take appropriate disciplinary action, up to and including termination of employment or termination of a contractor’s engagement against parties who fail to comply with state and federal laws and regulations or Group Policies and Procedures. Disciplinary action may also apply to a supervisor who knowingly directs or approves an employee or contractor’s improper actions, or is aware of those improper actions but does not act appropriately and within the supervisor's scope of authority to correct them.

The Compliance Officer or designee will investigate, evaluate, and make recommendations consistent with Group Policies and Procedures to the supervisor and People Operations. Any disciplinary action shall be determined and enforced by the supervisor pursuant to existing disciplinary standards, policies, and procedures set forth in the Employee Handbook or contractor contract.

Severity of Action: The disciplinary action taken shall correspond to the severity of the violation considering, among other factors, whether the violation was intentional or unintentional, and whether the violation created a safety or security risk. Disciplinary action taken may include oral or written warning, disciplinary probation, suspension, or termination from employment.

Notification to Others: Violations may also result in notification to the U.S. Department of Health and Human Services, Office of Civil Rights, law enforcement officials, regulatory bodies, and licensure organizations as appropriate.

For more information related to discipline for compliance and/or privacy violations, please refer to the Rula Employee Handbook. 



Fiscal Year 2022 Group Compliance Program Plan

Documentation of approval and recommendations

Review Date Reviewer Action
3/8/22 Compliance Officer Written
3/19/22 Josh Bruno, Group CEO

Reviewed and Revised 

(or Approved as written)

3/28/22 Compliance Committee

Reviewed and Revised 

(or Approved as written)

TBD Board of Directors Adopted



Appendix A:  Code of Conduct

RULA Logo Grayscale.png

Code of Conduct

  1. It is expected that all employees and contractors providing clinical and/or administrative services at the Group will maintain the highest level of professionalism, accountability and ethical behavior.
  2. Employees and contractors will follow all the Group’s policies and procedures.
  3. Employees and contractors will adhere to the Group’s Compliance Plan.
  4. Employees will adhere to all elements of the employee handbook. Contractors will adhere to all elements of their contract. 
  5. All employees and contractors are expected to behave in a manner consistent with Group’s Mission and Values statements
  6. The Group does not discriminate on the basis of race, color, national origin, religion, age, sex, gender, sexual orientation, or disability. 
  7. All employees and contractors are strictly prohibited to engage in any type of intimate relationship, flirting, or sexual activity with patients and/or former patients.
  8. It is strictly prohibited to condone or promote any type of sexual harassment of employees, contractors and/or patients.
  9. Any misrepresentation of clinical skills, knowledge, education or licensure is strictly prohibited.
  10. It is strictly prohibited to falsify documents, including clinical documentation.  
  11. It is expected that all clinical and non-clinical employees and contractors will complete assigned and required paperwork on a timely basis.
  12. It is expected that licensed employees and contractors will keep current applicable licenses and training and will adhere to the ethical code for their profession.
  13. It is expected that all employees and contractors will treat patients, community partners, and peers courteously and respectfully at all times.
  14. It is expected that all employees and contractors comply with all governing rules and regulations authorized through regulatory agencies and contracted commercial insurance payors. 
  15. It is expected that all employees and contractors of the Group will adhere to all federal and/or state confidentiality requirements related to Personal Health information (PHI) and personally identifiable information (PII) at all times.
  16. All employees and contractors who are mandatory reporters are required by law to report suspected child abuse, exploitation, and neglect. All employees and contractors who are mandatory reporters are required by law to report suspected risk for mistreatment (abuse, caretaker neglect or exploitation) of at-risk elder adults or at-risk adults with intellectual and developmental disabilities.  
  17. All employees and contractors are required to be aware of and respect patient rights. 


I understand this Code of Conduct and that violation of the Code of Conduct may be grounds for dismissal or termination of employment with the Group.  

I agree I will report any suspected or known violation of the Code of Conduct. 


Note: A signature is not required at this time.  Please maintain a copy of the Compliance Plan & Code of Conduct for your records. 

Was this article helpful?

4 out of 4 found this helpful