Anti-Fraud & Compliance Program

Effective Date: February 2026

Document Version: 1.0

1. Purpose

Rymeda, Inc. ("Rymeda," "we," "us," or "our") is committed to the highest standards of ethical conduct and compliance with all applicable federal and state healthcare laws and regulations. This Anti-Fraud and Compliance Program ("Program") establishes the framework by which Rymeda prevents, detects, and remediates healthcare fraud, waste, and abuse across all operations of the Rymeda healthcare platform.

Healthcare fraud costs the United States healthcare system an estimated $100 billion annually. As a healthcare technology platform facilitating clinical documentation, billing, claims processing, and provider-patient interactions, Rymeda recognizes its critical role in preventing fraud throughout the healthcare lifecycle.

This Program is designed to ensure compliance with, among other laws:

  • Federal False Claims Act (31 U.S.C. §3729–3733)
  • Federal Anti-Kickback Statute (42 U.S.C. §1320a-7b(b))
  • Physician Self-Referral Law (Stark Law) (42 U.S.C. §1395nn)
  • Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. §1320d et seq.
  • OIG Compliance Program Guidance for the healthcare industry
  • California Insurance Fraud Prevention Act (Cal. Ins. Code §1871 et seq.)
  • California False Claims Act (Cal. Gov. Code §12650 et seq.)

2. Compliance Officer & Committee

2.1 Chief Compliance Officer

Rymeda, Inc. designates a Chief Compliance Officer ("CCO") who is responsible for the development, implementation, and day-to-day management of this Program. The CCO reports directly to the Board of Directors and has authority to:

  • Oversee all compliance activities and investigations
  • Develop and revise compliance policies and procedures
  • Coordinate with external regulatory authorities, including the OIG and CMS
  • Report compliance matters directly to the Board without interference
  • Recommend disciplinary action for compliance violations
  • Engage outside legal counsel for compliance investigations

2.2 Compliance Committee

The Compliance Committee consists of senior leadership from the following departments: Legal, Engineering, Product, Clinical Operations, Billing, Human Resources, and Information Security. The Committee meets quarterly to review compliance metrics, audit findings, training completion rates, incident reports, and regulatory developments. Meeting minutes are retained for a minimum of six (6) years.

3. Code of Conduct

All Rymeda workforce members, contractors, agents, and platform users are expected to adhere to the following seven principles:

Principle 1: Integrity in All Interactions

Conduct all business activities with honesty, transparency, and integrity. Never misrepresent the capabilities of the Rymeda platform, the nature of services rendered, or the qualifications of healthcare providers.

Principle 2: Compliance with Laws and Regulations

Comply with all applicable federal, state, and local laws, including healthcare fraud and abuse statutes, HIPAA, and licensing requirements. When in doubt, seek guidance from the Compliance Office before acting.

Principle 3: Accurate Documentation and Billing

Ensure that all clinical documentation, coding, and billing accurately reflect the services actually provided. Never submit or facilitate the submission of false, fraudulent, or misleading claims to any payer.

Principle 4: Protection of Patient Information

Safeguard all Protected Health Information (PHI) and personal data in accordance with HIPAA, the California Confidentiality of Medical Information Act (CMIA), and Rymeda's Privacy Policy.

Principle 5: Prohibition on Kickbacks and Self-Referrals

Never offer, pay, solicit, or receive anything of value in exchange for referrals of patients or healthcare business. Avoid financial relationships that could constitute prohibited self-referrals under the Stark Law.

Principle 6: Duty to Report

Report any suspected violations of law, this Program, or Rymeda's policies through the channels described in Section 9. No retaliation will be taken against any individual who makes a good-faith report.

Principle 7: Cooperation with Investigations

Cooperate fully with all compliance investigations, audits, and regulatory inquiries. Never destroy, alter, or conceal documents or records relevant to any investigation.

4. Anti-Kickback Statute Compliance

The federal Anti-Kickback Statute (42 U.S.C. §1320a-7b(b)) makes it a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration (including kickbacks, bribes, or rebates) directly or indirectly, overtly or covertly, in cash or in kind, in exchange for referring, ordering, or recommending any good, facility, service, or item for which payment may be made in whole or in part under a federal healthcare program.

4.1 Prohibited Conduct

Rymeda and its workforce, agents, and platform users shall not engage in any of the following:

  • Offering or providing anything of value to induce referrals of patients or healthcare business to or through the Rymeda platform
  • Soliciting or receiving anything of value in return for referrals of patients or healthcare business
  • Structuring compensation arrangements based on the volume or value of referrals
  • Providing free or below-market-rate services or technology in exchange for referrals
  • Offering or providing marketing support, discounts, or other incentives conditioned on referral volume

4.2 Safe Harbor Compliance

Where applicable, Rymeda structures its business arrangements to qualify for one or more safe harbors under 42 C.F.R. §1001.952, including:

| Safe Harbor | Citation | Application |
|---|---|---|
| Personal Services and Management Contracts | 42 C.F.R. §1001.952(d) | Provider and contractor agreements with fair market value compensation set in advance, not determined by referral volume |
| Electronic Health Records | 42 C.F.R. §1001.952(y) | Platform technology provided at fair market value without conditioning on referrals |
| Discount Safe Harbor | 42 C.F.R. §1001.952(h) | Volume discounts that comply with reporting and documentation requirements |

4.3 Penalties

Severe Penalties Apply

Violations of the Anti-Kickback Statute can result in criminal penalties of up to $100,000 in fines and 10 years of imprisonment per violation, civil monetary penalties of up to $100,000 per violation, treble damages under the False Claims Act, and exclusion from all federal healthcare programs. Under 42 U.S.C. §1320a-7b(g), a claim resulting from a kickback violation automatically constitutes a false claim.

5. False Claims Act Compliance

The federal False Claims Act (31 U.S.C. §3729–3733) imposes civil liability on any person who knowingly presents, or causes to be presented, a false or fraudulent claim for payment to the United States government, or who knowingly makes, uses, or causes to be made or used a false record or statement material to a false or fraudulent claim.

5.1 "Knowingly" Standard

Under the FCA, "knowingly" means that the person: (1) has actual knowledge of the information; (2) acts in deliberate ignorance of the truth or falsity of the information; or (3) acts in reckless disregard of the truth or falsity of the information. No proof of specific intent to defraud is required. This low scienter standard underscores the importance of Rymeda's billing compliance controls.

5.2 Qui Tam (Whistleblower) Provisions

The FCA includes qui tam provisions (31 U.S.C. §3730) that allow private individuals ("relators") to file lawsuits on behalf of the government against entities that have defrauded the government. Relators may receive between 15% and 30% of any recovery. Rymeda takes all qui tam obligations seriously and maintains robust whistleblower protections as described in Section 10.

5.3 Penalties

Civil Monetary Penalties

FCA violations can result in civil penalties of $13,946 to $27,894 per false claim (adjusted annually for inflation), plus treble damages (three times the amount of damages the government sustains). Given the volume of claims processed through healthcare platforms, liability exposure can be substantial even for unintentional billing errors.

5.4 California False Claims Act

The California False Claims Act (Cal. Gov. Code §12650 et seq.) mirrors the federal FCA and applies to false claims submitted to the State of California, including Medi-Cal claims. It also includes qui tam provisions and anti-retaliation protections.

6. Stark Law (Physician Self-Referral) Compliance

The Physician Self-Referral Law, commonly known as the Stark Law (42 U.S.C. §1395nn), prohibits a physician from making referrals for certain "designated health services" (DHS) payable by Medicare or Medicaid to an entity with which the physician (or an immediate family member) has a financial relationship, unless an exception applies.

6.1 Designated Health Services

The following are designated health services under the Stark Law:

  • Clinical laboratory services
  • Physical therapy, occupational therapy, and outpatient speech-language pathology services
  • Radiology and certain other imaging services
  • Radiation therapy services and supplies
  • Durable medical equipment and supplies
  • Parenteral and enteral nutrients, equipment, and supplies
  • Prosthetics, orthotics, and prosthetic devices and supplies
  • Home health services
  • Outpatient prescription drugs
  • Inpatient and outpatient hospital services

6.2 Rymeda Platform Implications

Platform Provider Responsibility

While Rymeda, Inc. is a technology platform and not itself a referring physician, providers using the Rymeda platform to document referrals, place orders, or generate claims involving designated health services must ensure their own compliance with the Stark Law. Rymeda's referral tracking and claims management features are designed to provide transparency, but it is the responsibility of the referring provider and the receiving entity to ensure compliance with applicable exceptions.

6.3 Strict Liability

Unlike the Anti-Kickback Statute, the Stark Law is a strict liability statute — no proof of intent to violate the law is required. If a financial relationship exists and no exception applies, any referral is prohibited regardless of the parties' intent. Claims submitted in violation of the Stark Law are considered false claims under the FCA.

7. Billing Compliance

Accurate billing is a cornerstone of healthcare compliance. Rymeda's billing infrastructure is designed to promote accuracy and prevent common billing fraud schemes.

7.1 CPT and ICD-10 Code Accuracy

The Rymeda platform uses structured data models to enforce proper medical coding:

| Platform Entity | Code Type | Validation |
|---|---|---|
| Invoice → LineItem | CPT codes | Each line item requires a valid CPT code corresponding to the service rendered, with description matching the documented procedure |
| Claim → Diagnosis | ICD-10 codes | Claims require valid ICD-10 diagnosis codes supported by clinical documentation in the patient chart |
| Claim → Procedure | CPT codes | Procedure codes must match the services documented in the clinical encounter, with appropriate modifiers where applicable |

7.2 Upcoding Prevention

Upcoding — the practice of assigning a billing code that yields a higher reimbursement than the code that accurately reflects the service provided — is a form of healthcare fraud. Rymeda implements the following safeguards:

  • Documentation-Code Correlation: The platform cross-references CPT codes on invoices with the clinical documentation in the corresponding encounter, flagging potential mismatches for provider review
  • AI-Assisted Code Suggestions: When AI generates suggested ICD-10 codes, each code includes a confidence score and the supporting clinical evidence. Codes are marked as "AI_DRAFT" and require provider review and attestation before use in claims
  • Statistical Outlier Detection: Billing patterns are monitored for statistical anomalies, including unusual frequency of high-level E/M codes, atypical modifier usage, and service patterns inconsistent with specialty norms
  • Immutable Audit Trail: All billing actions are recorded in the immutable audit trail, including who created, modified, or submitted each invoice and claim, enabling forensic review

7.3 Additional Prohibited Billing Practices

  • Unbundling: Billing separately for services that should be reported under a single bundled code
  • Phantom Billing: Billing for services not actually rendered
  • Duplicate Billing: Submitting multiple claims for the same service
  • Misrepresentation of Service Date: Altering the date of service on a claim
  • Misrepresentation of Provider: Billing under a provider's NPI for services performed by an unlicensed or unauthorized individual

8. Credential Verification

Rymeda implements a multi-stage credential verification system to prevent unauthorized individuals from delivering care, documenting encounters, or submitting claims through the platform.

8.1 NPI/NPPES Validation

All healthcare providers registering on the Rymeda platform undergo National Provider Identifier (NPI) validation against the CMS National Plan and Provider Enumeration System (NPPES) registry. The system verifies:

  • NPI number validity and active status
  • Provider name match against NPPES records
  • Provider taxonomy code and specialty classification
  • Practice location and state of licensure
  • Enumeration date and entity type (individual vs. organizational)

8.2 Verification State Machine

Provider accounts progress through the following verification states:

| State | Description | Platform Access |
|---|---|---|
| Unverified | Initial registration; NPI not yet submitted or validated | Limited — no clinical features, no billing |
| Pending | NPI submitted; NPPES lookup initiated | Limited — read-only access to non-clinical features |
| NPI Validated | NPPES registry confirms NPI; automated confidence scoring complete | Expanded — clinical documentation enabled; billing pending manual review |
| Verified | Manual administrative review complete; all credentials confirmed | Full access — all clinical, billing, and prescribing features enabled |

8.3 Ongoing Monitoring

Rymeda performs periodic re-verification against the NPPES registry, OIG exclusion lists (LEIE), and the SAM.gov exclusion database to ensure that no excluded or debarred provider maintains active access to the platform. Providers found on exclusion lists are immediately suspended and reported.

9. Incident Reporting

Rymeda, Inc. maintains five (5) reporting channels for suspected compliance violations, fraud, waste, and abuse:

Channel 1: Compliance Email

legal@rymeda.com — Monitored by the Compliance Office. Response within two (2) business days.

Channel 2: Anonymous Compliance Hotline

Confidential, third-party-operated hotline available 24/7. Reports can be made anonymously. Callers receive a unique tracking number for follow-up without disclosing identity.

Channel 3: Direct Report to Compliance Officer

Any workforce member may report directly to the Chief Compliance Officer verbally or in writing. If the concern involves the CCO, reports may be directed to the General Counsel or Board of Directors.

Channel 4: Supervisor Reporting

Workforce members may report compliance concerns to their direct supervisor, who is then obligated to escalate the report to the Compliance Office within twenty-four (24) hours.

Channel 5: Platform Reporting

The Rymeda platform includes an in-app compliance reporting feature available to all users. Reports are routed directly to the Compliance Office and tracked in the compliance management system.

All reports are triaged within forty-eight (48) hours of receipt. The Compliance Office maintains a log of all reports, investigations, and outcomes, retained for a minimum of six (6) years.

10. Whistleblower Protection

Rymeda, Inc. is committed to protecting individuals who report suspected compliance violations in good faith. No individual shall be subjected to retaliation for reporting suspected fraud, waste, abuse, or other compliance violations.

10.1 Federal Protections

  • False Claims Act Anti-Retaliation (31 U.S.C. §3730(h)): Protects employees, contractors, and agents from being discharged, demoted, suspended, threatened, harassed, or discriminated against for lawful acts done in furtherance of an FCA action.
  • Sarbanes-Oxley Act (SOX) §806 (18 U.S.C. §1514A): Protects employees of publicly traded companies or their subsidiaries from retaliation for reporting securities fraud or other violations. While Rymeda is currently a private company, we adopt SOX whistleblower standards as a best practice.
  • Section 1558 of the ACA: Protects employees who report violations of any consumer protection provision of the Affordable Care Act.

10.2 State Protections

  • California Labor Code §1102.5: Protects employees who report suspected violations of state or federal law to a government or law enforcement agency, person with authority over the employee, or another employee with authority to investigate.
  • California False Claims Act (Cal. Gov. Code §12653): Anti-retaliation provisions mirroring the federal FCA.
  • California Health & Safety Code §1278.5: Protects healthcare workers who report unsafe patient care conditions.

10.3 Rymeda Policy

Any individual who retaliates against a person who has made a good-faith compliance report will be subject to disciplinary action, up to and including immediate termination. Retaliation includes but is not limited to: termination, demotion, suspension, reduction in hours or compensation, failure to promote, threats, intimidation, or any other adverse action.

11. Training and Education

Effective compliance requires ongoing education. Rymeda maintains a multi-tier training program:

| Training Type | Audience | Frequency | Topics |
|---|---|---|---|
| General Compliance | All workforce members | Annually | FCA, AKS, Stark Law, Code of Conduct, HIPAA, reporting obligations, anti-retaliation |
| Billing Compliance | Billing staff, clinical team, product engineering | Quarterly | CPT/ICD-10 coding accuracy, upcoding/unbundling prevention, claims lifecycle, documentation standards |
| New Hire Onboarding | All new workforce members | Within 30 days of hire | Complete Program overview, Code of Conduct acknowledgment, reporting channels, role-specific compliance requirements |
| Specialized Training | Role-specific (engineering, sales, BD) | As needed | AKS safe harbors for business development, HIPAA security for engineers, AI ethics for ML team |
| Board Training | Board of Directors | Annually | Compliance program effectiveness, regulatory updates, risk landscape, enforcement trends |

Training completion is tracked in the compliance management system. Failure to complete required training within the specified timeframe may result in suspension of platform access or other disciplinary action.

12. Monitoring & Auditing

Rymeda, Inc. maintains a comprehensive monitoring and auditing program to detect and prevent compliance violations:

12.1 AI Moderation and Trust Scoring

The Rymeda platform employs AI-powered moderation systems that assign trust scores to user activity and content. The moderation system monitors for:

  • Anomalous billing patterns that may indicate fraud (statistical outlier detection)
  • Documentation patterns inconsistent with clinical coding (documentation-code mismatch)
  • Unusual access patterns that may indicate privacy violations
  • Content that violates the Acceptable Use Policy
  • Credential anomalies or identity discrepancies

12.2 Audit Trails

The platform maintains immutable, append-only audit trails that record all user actions, data access events, and system operations. Audit records include: entity type, entity ID, user ID, clinical role, action performed, timestamp, IP address, and relevant metadata. Audit logs are retained for a minimum of six (6) years in compliance with HIPAA requirements at 45 CFR §164.530(j).

12.3 Periodic Audits

  • Internal Audits: The Compliance Office conducts quarterly internal audits of billing accuracy, documentation completeness, access control compliance, and credential verification status.
  • External Audits: Rymeda engages independent third-party auditors annually to assess the effectiveness of the compliance program, including SOC 2 Type II audits.
  • Claims Audits: Random sampling of claims submitted through the platform to verify accuracy of coding, medical necessity documentation, and payer compliance.
  • Exclusion Screening: Monthly screening of all active providers against the OIG List of Excluded Individuals/Entities (LEIE) and SAM.gov.

13. Enforcement and Discipline

13.1 Progressive Discipline

Compliance violations are addressed through a progressive discipline framework:

| Level | Response | Examples |
|---|---|---|
| Level 1 | Verbal counseling and additional training | Minor documentation errors, late training completion, inadvertent policy deviations |
| Level 2 | Written warning with corrective action plan | Repeated minor violations, failure to follow established procedures, incomplete audit responses |
| Level 3 | Suspension and investigation | Significant compliance failures, patterns of non-compliance, failure to report known violations |
| Level 4 | Termination | See Section 13.2 for immediate termination triggers |

13.2 Immediate Termination Triggers

Zero-Tolerance Violations

The following violations result in immediate termination without progressive discipline:

  • Intentional submission of false claims to any payer
  • Soliciting or receiving kickbacks or bribes
  • Intentional unauthorized access to or disclosure of PHI
  • Destruction or falsification of compliance records or audit evidence
  • Retaliation against a compliance whistleblower
  • Practicing medicine or providing clinical services without proper licensure
  • Identity fraud or credential misrepresentation
  • Conviction of a healthcare fraud offense

14. Annual Review

This Program is reviewed and updated annually by the Compliance Committee. The annual review includes:

  • Assessment of Program effectiveness based on audit findings, incident reports, and investigation outcomes
  • Review of changes to applicable federal and state laws and regulations
  • Evaluation of enforcement trends and OIG Work Plan priorities
  • Review of training completion rates and comprehension assessments
  • Assessment of new compliance risks arising from platform features, market expansion, or business changes
  • Benchmarking against OIG Compliance Program Guidance and industry best practices
  • Recommendations for Program modifications approved by the Board of Directors

Material amendments to this Program are communicated to all workforce members within thirty (30) days of adoption and may trigger supplemental training requirements.

15. Contact Information

For questions regarding this Program, to report a compliance concern, or to request additional information:

Compliance Office

legal@rymeda.com

Compliance inquiries, incident reports, training requests

Legal Department

legal@rymeda.com

Legal questions, regulatory inquiries, enforcement matters

Privacy Officer

legal@rymeda.com

HIPAA concerns, PHI-related compliance matters

Anonymous Hotline

Available 24/7

Confidential reporting, anonymous tips, whistleblower reports

Related Policies

This Program should be read in conjunction with the following documents: