NYU LANGONE MEDICAL CENTER CORPORATE COMPLIANCE PROGRAM

Transcription

1 NYU LANGONE MEDICAL CENTER CORPORATE COMPLIANCE PROGRAM Originally Approved by the Boards of Trustees on May 25, 2004 Updated 2007 Updated 2009 Updated 2010 Updated 2011

2 NYU LANGONE MEDICAL CENTER CORPORATE COMPLIANCE PROGRAM Table of Contents Page INTRODUCTION 1 Expected Conduct The Eight Elements of a Compliance Program Purpose of this Document Disclaimer I. WRITTEN POLICIES AND PROCEDURES 5 Periodic Review Communication Compliance Policies and Procedures II. OVERSIGHT AND MANAGEMENT OF THE PROGRAM 7 Audit and Compliance Committee Chief Compliance and Privacy Officer Duties Authority Reports The Office of Compliance, Privacy & Internal Audit Office of Compliance, Privacy & Internal Audit Staff Hospital Compliance

3 Physician Billing Compliance Research Compliance School of Medicine Compliance Conflicts of Interest Management Compliance Education and Communication Compliance & Privacy Investigations Privacy and Security Enterprise Risk Management & Internal Audit Compliance Committees Compliance Oversight Committees Operational Compliance Committees Medical Center Departmental Directors and Managers III. TRAINING AND EDUCATION 18 Requirement Content Initial Education On-going Training Additional Training On-going Regulatory Training Types of Training Training Documentation Failure to Comply with Training Requirements Training Program Evaluation IV. COMMUNICATION 24 Requirement Reporting Compliance Concerns Helplines Compliance Helpline HIPAA/HITECH Helpline

4 Feedback Confidentiality Non-Retaliation Documentation Annual Compliance Report V. ENFORCEMENT THROUGH DISCIPLINE 28 VI. AUDITING and MONITORING 29 Reimbursement Related Reviews Access Action Documents Hospital Compliance Auditing and Monitoring Program Faculty Group Practice Billing Auditing and Monitoring Program HIPAA/HITECH Auditing and Monitoring Program Screening For Excluded Persons New Employees and Applicants Providers Referring Providers Vendors and Contractors Prohibition Screening Process VII. RESPONDING TO OFFENSES AND DEVELOPING CORRECTIVE ACTIONS 35 Investigations Investigation by Managers and Directors Compliance Investigation Process Documentation Responses

5 Possible Fraud, Waste and Abuse Possible HITECH Breaches Other Non-Compliance Relationship of Investigations to New York University Disciplinary Regulation Voluntary Disclosures Reports by Compliance Officer Response to Governmental Inquiries Process Documents VIII. Risk Assessment 40 Conclusion 41

6 NYU LANGONE MEDICAL CENTER CORPORATE COMPLIANCE PROGRAM Introduction Agencies and departments of the federal and state government including but not limited to the Office of the Inspector General ( OIG ), Centers for Medicare and Medicaid Services ( CMS ), and the New York State Office of the Medicaid Inspector General ( NYS OMIG or OMIG ) have identified a number of instances of fraud, waste, and abuse in federally funded health care programs including Medicare and Medicaid and have required the adoption and implementation of compliance programs. The Board of Trustees of NYU Hospitals Center ( NYUHC ) and the New York University School of Medicine Foundation ( NYUSoM ), together the Medical Center or ( NYULMC ), as well as Medical Center administration and management, recognize the seriousness of the issues raised by the Government and recognize that failure to comply with applicable laws and regulations could threaten the Medical Center s continuing participation in these health care programs. The Board, therefore, has directed that the Medical Center undertake an integrity program in order to maintain the Medical Center s commitment to high standards of conduct, honesty, and reliability in its business practices. This integrity program is called a Compliance Program (the Program ). The primary purpose of the Program is to make a sincere effort to prevent, detect, and correct any fraud, waste, and abuse in the Medical Center in connection with federally funded health care programs and private health plans. In order to accomplish this goal, the Program strives to create a culture that promotes understanding of and adherence to applicable federal, state, and local laws and regulations. To be effective the Compliance Program should be a continuously evolving effort to meet the changing regulatory landscape. 1

7 Expected Conduct The Program describes the expected conduct of all NYULMC Members ( Members ) who include: Trustees: individuals appointed to serve as a member of the NYULMC Board of Trustees, including Associate Trustees and Life Trustees Employees Medical Staff : the executives, managers, and staff as well as any other person or individual hired on a full or part-time basis by and in the paid service of the Medical Center, including per diem and casual employees Faculty Volunteers: : all individuals credentialed through the Medical Staff Services Office : those individuals as defined in the New York University Faculty Handbook under Bylaw 64 as it applies to NYUSoM Medical Students: Contractors those individuals working in the NYULMC on an unpaid basis individuals in pursuit of a degree conferred by NYUSoM : an entity with whom NYULMC has a written agreement to provide items or services, perform billing or coding functions, or monitor health care provided by NYULMC There are several parts to the Program, each outlined below, and each of which is important to achieving a responsive and effective Compliance Program. The essential policies, procedures, and initiatives that define an effective, robust Program are discussed herein and constitute the NYULMC Compliance Program. The Eight Elements of a Compliance Program The U.S. Sentencing Commission Guidelines have outlined eight (8) elements that comprise an effective Compliance Program. These elements include: 1. Written policies and procedures 2. A designated compliance officer and a compliance committee 3. Effective training and education 4. Effective lines of communication 5. Standards enforced through well-publicized disciplinary guidelines 2

8 6. Auditing and monitoring 7. Response to detected offences and corrective action plans and 8. Ongoing risk assessment New York State law (NYS Social Services Law 363-d) and regulations (18 NYCRR Part 521) require all providers participating in the New York State Medicaid Program to have a mandatory compliance program. Title 18 Part 521 of the Codes, Rules and Regulations of the State of New York outlines seven requirements of a compliance program that New York State providers must incorporate into their compliance program. In addition, all providers are required to certify on an annual basis that they have the required compliance program in place. Providers are subject to Office of Medicaid Inspector General (OMIG) Compliance Effectiveness Reviews to ensure that the compliance program that is in place is effective and achieving the requirements outlined in the statute and regulations. Purpose of this Document This document describes the elements of effective compliance programs outlined by both the U.S. Sentencing Guidelines and the NYS OMIG as they fit within NYULMC and details the fundamental principles, values, and operational framework for compliance within the Medical Center. This document articulates the Medical Center s commitment to compliance and the goals to which the Medical Center strives. Throughout the document, words and phrases such as shall, should, and strive to are used to describe the organizational framework of the NYULMC compliance program and the basic responsibilities of Members. This Program description is designed to be accompanied by more specific policies that detail expected behavior and plans that detail compliance goals and objectives. Policies can be found at or on the Compliance website at Disclaimer Nothing in this document shall (i) constitute a contract of or agreement for employment; (ii) modify or alter in any manner any employee s at-will employment status; or (iii) modify any 3

9 rights of faculty members of the School of Medicine as provided in the New York University Faculty Handbook. Any part of this Program may be changed or amended at any time without notice to any employee. 4

10 I WRITTEN POLICIES AND PROCEDURES An effective Compliance Program should define the expected conduct of its Members through the establishment of written, dynamic policies and procedures. Within the Medical Center, these policies and procedures begin with the mission statement and values, which provide a framework. This conduct is more specifically defined in the Code of Conduct, the Medical Staff Bylaws, the Faculty Handbook, and the Employee Handbook, as well as in policies and procedures that address the specific risk areas of the Medical Center. Policies and procedures pertaining to each business unit or department are the responsibility of those departments. Periodic Review To manage known risks effectively, adherence to policies and procedures should be reviewed on a periodic basis. In addition, newly identified risks should result in the promulgation of new policies and procedures or revisions to old ones as well as Corrective Action Plans ( CAPs ), where necessary, to address those risks. Communication Policies and procedures, to be effective, should be clearly communicated to Members such that they are capable of integrating them into their daily operations. Methods for accomplishing this might include administrative notification via , presentation at appropriate meetings, posting of policies and procedures on the Intranet, inclusion in documents such as Member handbooks, position descriptions, performance evaluations, newsletters, and via the provision of training. Compliance Policies and Procedures Detailed policies outlining important compliance activities shall be maintained in the Office of Compliance, Privacy & Internal Audit. The Compliance Program shall have policies including but not limited to Health Insurance Portability and Accountability Act ( HIPAA )/Health 5

11 Information Technology for Economic and Clinical Health Act ( HITECH ) privacy, conducting excluded persons monitoring, conducting investigations, responding to external investigations, providing conflicts of interest management, identity theft, whistleblower protections, nonretaliation, and reporting compliance concerns. Copies of these policies are available at and on the Compliance website at 6

12 II OVERSIGHT AND MANAGEMENT OF THE PROGRAM Audit and Compliance Committee The Audit and Compliance Committee of the Board of Trustees (the A & C Committee ) is established, in part, for the purpose of assisting the Board in the oversight of the Medical Center s regulatory compliance and business ethics. The purpose, authority, composition, duties, and responsibilities of the A & C Committee are fully described in the A & C Committee Charter. Chief Compliance and Privacy Officer The A & C Committee, working in consultation with the Dean and CEO of the Medical Center, shall appoint a Vice President for Compliance, Privacy & Internal Audit (the Chief Compliance and Privacy Officer or CCO ) as the executive in charge of the continued development, implementation, and operation of the Program. The performance of the duties and responsibilities of the CCO shall be reviewed at least annually by the A & C Committee. Duties The CCO and the Compliance Oversight Committees (as described below) shall prepare, and revise as necessary, a job description for the CCO. The CCO s primary responsibilities set out in the job description shall include: Overseeing and monitoring the implementation of the Compliance Program Reporting on a regular basis to the Board of Trustees, the A & C Committee, the CEO/Dean, and the Oversight Committees on the progress of implementation Assisting the Board, the A & C Committee, the CEO/Dean, and the Oversight Committees in establishing methods to improve the Medical Center s efficiency and quality of services, and to reduce the Medical Center s vulnerability to fraud, waste, and abuse Periodically revising the Compliance Program as required by changes in federal and state laws and regulations as well as policies and procedures of government and private payor health plans 7

13 Developing, coordinating, and participating in an education and training program that focuses on the elements of the Compliance Program, and seeks to ensure that all individuals to whom this Program is extended are knowledgeable of, and comply with, applicable federal and state requirements Working with the Medical Center Information Technology ( MCIT ) Department and the MCIT Security Officer to ensure the privacy and security of all Protected Health Information ( PHI ) Ensure all Members are aware of the Medical Center s obligations under federal and state laws and regulations regarding maintaining PHI confidentially and securely Ensuring that independent contractors and agents who furnish services to the Medical Center are aware of the requirements of the Medical Center s Compliance Program with respect to coding, billing, marketing, and PHI privacy and security, among other things Coordinating personnel issues with the Senior Vice President and Vice Dean of Human Resources and the Medical Staff Office to ensure that the National Practitioner Data Bank and Cumulative Sanction Report have been checked with respect to all employees, medical staff, and independent contractors, as applicable Ensure monitoring for excluded persons in federal and state programs occurs on a monthly basis and that such monitoring shall cover all employees, faculty, medical staff, vendors, contractors, and referring physicians Coordinating regulatory issues of a clinical nature with the Chief Regulatory Officer Coordinating internal compliance reviews and monitoring activities including annual or periodic reviews of departments Oversee physician billing audits to ensure Faculty Group Practice ( FGP ) compliance with federal and state billing laws and regulations as well as third party insurance requirements After consultation with Legal Counsel, investigating and acting on matters related to compliance, including the flexibility to design and coordinate internal investigations (e.g., responding to reports of problems or suspected violations) and any resulting corrective action with all Medical Center departments, providers, sub-providers, agents and, if appropriate, independent contractors 8

14 Developing policies and programs that encourage all employees to report suspected fraud and other improprieties without fear of retaliation Ensure that the Medical Center completes all required NYS OMIG certifications consistent with regulatory requirements Authority The CCO shall have direct access to both the CEO/Dean and the Chairman of the Audit & Compliance Committee of the Board of Trustees. The CCO shall have access to all documents and information relevant to compliance activities, including but not limited to all computer applications utilized by the Medical Center for patient records, billing records, financial records, contracts, computer systems, written arrangements, agreements with others, and all other Medical Center files and documents The CCO shall seek the advice of the General Counsel and other legal counsel as may be retained by the General Counsel, and may retain necessary consultants or experts. Reports The CCO shall make written and/or oral reports on compliance activities including reports on complaints received from employees, investigations, audits, and monitoring to the A & C Committee, CEO/Dean, and members of the Oversight Committees on a regular basis. Reports to the Board of Trustees shall be at least annually or more often as necessary or advisable. The Office of Compliance, Privacy & Internal Audit Compliance Program management is executed through the Office of Compliance, Privacy and Internal Audit under guidance of the CCO. The Compliance Program s financial support is the joint responsibility of the Hospitals Center and the School of Medicine. Office of Compliance, Privacy & Internal Audit Staff The Office of Compliance, Privacy and Internal Audit staffing consists of various Directors and Managers as well as auditing and support staff who serve as the focal point for compliance activities, in the following areas: i. Hospital Compliance 9

15 ii. Physician Billing Compliance iii. Research Compliance iv. School of Medicine Compliance v. Conflicts of Interest Management vi. Compliance Education and Communication vii. Compliance & Privacy Investigations viii. Privacy and Security ix. Enterprise Risk Management & Internal Audit The Compliance staff work closely with the CCO, Compliance Committees, General Counsel, clinical and non-clinical departments, faculty practices, billing personnel, research personnel, and all levels of staff and administration within the Medical Center to foster and enhance compliance with applicable legal and Medical Center requirements. Hospital Compliance Hospital compliance efforts are designed to promote accurate billing including billing for services that are actually provided, documented appropriately, correctly coded and medically necessary. Hospital Compliance staff conducts billing and documentation audits at each of the three NYULMC facilities: Tisch Hospital, Rusk Institute for Rehabilitation, and Hospital for Joint Diseases. Hospital compliance is also responsible for Stark and Anti-Kickback statute compliance including physician/hospital contracting reviews. Physician Billing Compliance Physician Billing Compliance staff is responsible for auditing FGP physician billing, coding, and documentation. Physician Billing Compliance staff provide group and individual training and education, pre-billing consultations, and ongoing assessments of compliance risks in the physician billing area. Physician Billing Compliance staff work with individual faculty group practices to respond to governmental and third party payor inquiries and audits. 10

16 Research Compliance Research Compliance staff provide support and education for Members in conducting scientific research in compliance with regulatory requirements and ethical standards. Research Compliance staff support all research related institutional oversight functions including: Human Subjects Protection, Animal Subjects Protection, Scientific Misconduct and Responsible Conduct of Research, Financial Administration of Research, Environmental Health and Safety, Radiation Safety, and Office of Industrial Liaison. The Research Compliance team assists in the development of research related policies and procedures, auditing and monitoring of compliance with federal and state laws and regulations involving the conduct of research, grant reporting, and clinical trials. School of Medicine Compliance School of Medicine compliance is involved in ensuring that all Medical School staff is informed of all federal and state laws and regulations related to providing patient care, conducting research, and maintaining Protected Health Information ( PHI ) confidentially and securely. School of Medicine compliance staff ensures that all necessary education and training is provided to School of Medicine faculty and staff. Conflicts of Interest Management The role of the Conflicts of Interest Management Unit ( CIMU ) is to coordinate the disclosure of potential conflicts of interest matters, monitor, and verify compliance with the Medical Center s conflicts of interest policies, and to educate the Members of the Medical Center regarding those conflicts of interest policies. The Conflicts of Interest Management Unit staff obtain and maintain financial interest disclosures from all relevant Medical Center Members through an annual disclosure process and on a per project basis with regard to research, maintains records of all disclosures, reviews and evaluates disclosures to determine if a potential conflict exists, monitors compliance with conflict management plans created by the Research Conflict of Interest and Business Conflict of Interest Committees, provides ongoing training and updates to promote awareness of federal and state laws and regulations as well as Medical Center policies regarding conflict of interest, and serves as the liaison between the Research Conflict of 11

17 Interest Committee and/or Business Conflict of Interest Committee and among the NYULMC community, other research related entities, and the A & C Committee. Compliance Education and Communication The Compliance Education and Communication staff creates and conducts various training programs for Members throughout the Medical Center and coordinates all Compliance Communication efforts with Medical Center Members. Compliance Education and Communication staff conducts a training assessment to determine the compliance courses that are needed within the Medical Center. This assessment includes providing the education required in this Program, reviewing new and changing federal and state laws and regulations and working with Medical Center management to determine what compliance education is required. Compliance Education and Communication staff conducts the compliance module of the New Beginnings Orientation Program for new employees and New Beginnings for Managers Program. The Compliance Education and Communication staff is also responsible for maintaining the compliance training computer system and maintaining accurate training attendance records. The Compliance Education and Communication team is responsible for designing and maintaining the Compliance website, coordinating Compliance Week activities, and coordinating all compliance outreach activities. Compliance & Privacy Investigations The Director of Compliance & Privacy Investigations is responsible for monitoring both Medical Center Helplines and investigating any issues raised via Helpline reports or communicated to the Office of Compliance, Privacy & Internal Audit. The Office of Compliance & Privacy Investigations is also responsible for review of all incidents identified via use of the Data Loss Prevention software. All Break the Glass reports related to electronic access of sensitive electronic health information generated in the Epic electronic health record are reviewed by the Office of Compliance & Privacy Investigations. In addition to handling HIPAA/HITECH investigations, the Director of Compliance & Privacy Investigations is responsible for all HIPAA/HITECH related matters including policy and procedure development, form development, and Notice of Privacy Practices maintenance. All HIPAA audits and reviews for both physical security compliance as well as electronic access audits are conducted by the 12

18 Director of Compliance & Privacy Investigations. The Office of Compliance & Privacy Investigations is also responsible for all monthly excluded persons checks required by federal and state law. Privacy and Security The CCO serves as the Privacy Officer for the Medical Center with responsibility for overseeing compliance with all federal and state privacy laws and regulations, including HIPAA/HITECH. The CCO works with the Director of Compliance & Privacy Investigations reviewing HIPAA/HITECH Helpline reports, investigating possible privacy breaches, working with the federal Office of Civil Rights ( OCR ) on potential HIPAA/HITECH matters, reviewing and revising Medical Center policies and procedures to comply with federal and state privacy requirements, conducting privacy and security audits to ensure compliance with HIPAA/HITECH requirements, working with the MCIT department to ensure HIPAA/HITECH security requirements are implemented throughout the Medical Center, providing education and training on privacy and security matters, and working with the electronic medical record implementation team to assure HIPAA/HITECH compliance and to ensure that appropriate security features are in place. Enterprise Risk Management & Internal Audit The enterprise risk management activities provide a Medical Center-wide coordinated risk assessment program designated as Enterprise Risk Management (ERM). The Office Enterprise Risk Management & Internal Audit shall on at least an annual basis conduct an enterprise-wide risk assessment to determine the key risks facing the Medical Center, the probability of those risks occurring, and the impact those risks could have on the Medical Center. The risk list will be based on input from key management personnel and/or key risk owners through workshop forums, survey tools, etc. The risk list will be presented at the Audit & Compliance Committee on an annual basis and include the top risk list, as well as the activities being undertaken to mitigate risk exposures. In coordination with ERM activities, The Office of Compliance, Privacy & Internal Audit shall conduct additional risk assessments including interviews with key management personnel on perceived risks including those departmental staff dealing with operational and billing issues, privacy matters, IT systems, and major, new Medical Center 13

19 initiatives. As input to the risk assessments, the Office of Compliance, Privacy & Internal Audit staff shall review OIG and NYS OMIG Annual Work Plans, CMS Bulletins, LCDs, NCDs, Recovery Audit Contractor ( RAC ) audit plans, new federal and state laws and regulations, changes to federal and state laws and regulations, as well as the occurrence of actual compliance breaches and sanctions in the health care sector to determine those items that present a greater risk to the Medical Center. In alignment with these risk assessments, the Office of Enterprise Risk Management & Internal Audit shall develop Heat Maps to quantify the risks and shall develop Annual Work plans that identify those areas that the Office of Compliance, Privacy & Internal Audit shall audit, monitor or review and the timeframe for accomplishing these activities. The status and results of the reviews identified in the Annual Work Plans shall be reviewed with the A & C Committee at its regular meetings. Internal Audit provides independent, objective assurance designed to add value and improve Medical Center operations. Internal Audit helps to accomplish this goal by providing audits and reviews of the organization s operations including testing systems of internal controls including the soundness, accuracy, and application of the accounting, financial, and operating controls to ascertain the extent of compliance with established policies and procedures and applicable laws and regulations, determining the extent to which the Medical Center s assets are accounted for and safeguarded from losses of any kind, reviewing the adequacy of information technology security and controls, ascertaining the reliability of management data developed and reported within the Medical Center, and appraising the effectiveness and timeliness of management s Corrective Action Plans ( CAPs ). Compliance Committees To assist the CCO in promoting the effectiveness of the Compliance Program and striving to create a culture that promotes understanding of and adherence to applicable federal, state, and local laws and regulations, the Medical Center has established the following Compliance Committees: 14

20 Compliance Oversight Committees ( Oversight Committees ) Medical Center Compliance Research Compliance Operational Compliance Committees ( Operational Committees ) Hospital For Joint Diseases Tisch Hospital/Rusk Institute for Rehabilitation School of Medicine/Faculty Group Practice HIPAA Compliance Compliance Oversight Committees Membership and Duties The Oversight Committees, which include members of Medical Center senior leadership, shall promote the effectiveness of the Compliance Program by performing the leadership functions identified below: Understand the legal/compliance requirements of the Medical Center in order to identify and assess risks to prioritize Program initiatives Recommend, develop, and help to implement policies, procedures, and controls that reflect preferred practices to address identified risks Identify and promote training relevant to general compliance as well as training responsive to specific risk areas Evaluate the performance of the Compliance Program including the systems for communicating, evaluating, and responding to complaints and other compliance matters Help identify potential instances of non-compliance and possible fraud, waste, and abuse at the Medical Center Assist in adjudicating identified compliance issues and implementation of CAPs 15

21 Ensure the ongoing enforcement of compliance policies and procedures and, if required, provide direction regarding disciplinary actions for repeated violations Encourage a culture of compliance throughout the Medical Center Operational Compliance Committees Membership and Duties The Operational Compliance Committees, which include members of Medical Center management, shall promote the effectiveness of the Compliance Program by performing the functions identified below: Collaborate with the CCO and attend monthly meetings Assist in identifying and resolving compliance risks within the various Medical Center departments Communicate and encourage a culture of compliance within the various Medical Center departments Raise and maintain compliance awareness Assist in drafting departmental billing and compliance guidelines Address compliance issues and bring them to the attention of the CCO Communicate Compliance Program updates to Medical Center departments Participate in planning department education and training sessions and facilitating the completion of mandatory training within the Medical Center departments Medical Center Departmental Directors and Managers In order to create a culture supportive of compliance and ethics, the directors, managers, chairs, and/or administrators of all departments shall be responsible for: Participating in the identification of risks in each department 16

22 Developing and maintaining departmental compliance policies and procedures that support applicable laws and regulations in consultation with the CCO Ensuring that each new employee receives initial compliance training within sixty (60) days of hire and that all employees within the department complete required training as it is assigned Providing or arranging for training for all departmental employees to implement these policies and procedures in consultation with the CCO Responding to audits performed by Compliance and Internal Audit staff including development and monitoring of CAPS and verifying that any claims requiring rebilling or refunding has occurred Taking all measures reasonably necessary to ensure compliance with the Code of Conduct, Medical Center policies and procedures, and applicable laws and regulations by: Monitoring employee adherence to established policies and procedures Reporting and encouraging departmental staff to report suspected violations to the Office of Compliance, Privacy & Internal Audit or the anonymous Compliance Helplines Investigating suspected violations in conjunction with the CCO Initiating appropriate disciplinary action in the event of a confirmed violation Implementing post-audit CAPs Within each department there should be assigned responsibility for updating the compliance standards, the departmental compliance policies and procedures, training and education records, and post-audit work plans as requested by the CCO. The department compliance activities can serve as a resource for the employees of each department to enhance their ability to perform their jobs in compliance with this Program and applicable laws and regulations. 17

23 III TRAINING AND EDUCATION Requirement Rules and regulations relating to delivery of healthcare and the conduct of research are complex. The consequences of failure to comply with these requirements, particularly in the areas of coding and billing of federal healthcare claims and federal research grant claims, can be severe. Sometimes conduct undertaken with good intentions, but with inadequate knowledge, may violate applicable laws and regulations. Training is required by the federal and state governments and considered a necessity at the Medical Center in order to provide Members with the knowledge and skills to carry out their responsibilities in compliance with all requirements. Proper and continuing training and education of Members at all levels is, therefore, a significant element of the Medical Center s Compliance Program. Adherence to and promotion of this Program shall be a factor in evaluating the performance of employees, including supervisory, managerial, and administrative personnel. Content The Office of Compliance, Privacy & Internal Audit strives to ensure that training and education for all Medical Center employees, faculty, contractors, and agents includes the dissemination of written policies and procedures regarding: The Federal False Claims Act The Deficit Reduction Act The New York State False Claims Act Specific statutory and regulatory provisions named in section 1902(a)(68)(A) of the Social Security Act Applicable state civil or criminal laws State and federal whistleblower protections Detecting and preventing fraud, waste, and abuse HIPAA/HITECH Privacy & Security Non-Retaliation State insurance fraud laws and regulations 18

24 Initial Education The CCO strives to ensure that all new employees participate in New Beginnings Orientation where they receive training introducing them to the purpose of compliance, the Compliance Helplines, conflicts of interest, documentation and coding, healthcare fraud and abuse, and HIPAA/HITECH privacy and security. All new employees also receive the Employee Handbook and the Code of Conduct. In combination, they provide the new employee with an introduction to the Compliance Program, giving them a sense of its importance in the Medical Center s culture. The Employee Handbook includes a specific discussion of the laws described in the Medical Center s written policies, the rights of employees to be protected as whistleblowers, and a specific discussion of the Medical Center s policies and procedures for detecting and preventing fraud, waste, and abuse. In addition to the introduction to compliance provided to all new employees during the New Beginnings Orientation program, all new employees are required to complete Code of Conduct and HIPAA/HITECH Awareness training within sixty (60) days of commencing employment. Each new employee is required to read and sign a confidentiality agreement upon completion of HIPAA/HITECH Awareness training acknowledging the requirement to keep Medical Center sensitive information and documents and PHI confidential and secure. The CCO strives to ensure that all employees and selected Members complete basic compliance education. This training, available in a variety of formats, provides education about the Code of Conduct; quality of care and Emergency Medical Treatment and Active Labor Act ( EMTALA ); fraud, waste, and abuse laws; conflicts of interest; the importance of proper documentation, coding, and billing; as well as an overview of HIPAA/HITECH privacy and security. The training also provides detailed information on the complaint reporting process, highlighting non-retaliation and other important policies, and demonstrates the Medical Center s commitment to integrity in its business operations and compliance with applicable laws and regulations. 19

25 On-going Training Periodically, but not less than biennially, employees shall be retrained on the Medical Center s Compliance Program including the fraud, waste, and abuse laws; relevant federal and state law requirements; how to identify and report potential violations of policy or law; and the consequences both to the Medical Center and to individuals for failing to comply with applicable laws and regulations. The purpose of this training is to emphasize the importance of the Compliance Program and the Medical Center s commitment to honesty and integrity in its business dealings. Through the development of a Compliance Course Catalog, Members will be required to take Compliance courses based on their role within the Medical Center. Courses will include billing, coding and documentation for physicians and hospital employees, privacy and security laws and regulations, research compliance, conflicts of interest, federal and state laws and regulations related to fraud, waste, and abuse including the Anti-kickback Statute, STARK Law and regulations, False Claims Act, Civil Monetary Penalty Act and others. Each department director or manager should consult with the Office of Compliance, Privacy & Internal Audit to identify training and education necessary or advisable for any employees of his/her department. By way of example: Patient Access personnel should receive training and education in such areas as HIPAA/HITECH Privacy & Security, EMTALA, obtaining the necessary demographic, insurance, and other information to support proper application of the discharge appeal process, advanced beneficiary notification, Medicare as secondary payor, and the three (3) day rule. Personnel should also receive training on research procedures vs. standard of care considerations and other claim submission requirements. Providers of Patient Care (physicians, nurses, social workers, etc.) should receive training that includes clinical documentation requirements, medical necessity considerations, HIPAA/HITECH Privacy & Security, Physician at Teaching Hospital ( PATH ) rules, discharge in lieu of transfer documentation, EMTALA, and other activities affecting the claim submission process. 20

26 Ancillary department personnel training should focus on their role in compliance with applicable Local Coverage Determinations ( LCDs ), National Coverage Determinations ( NCDs ), bundling/unbundling of services, accuracy of procedure documentation, charge capture, and HIPAA/HITECH Privacy & Security. Hospital Health Information Management and FGP coding personnel training should include correct coding initiatives, risks of upcoding and Diagnosis Related Group ( DRG ) creep, Ambulatory Payment Classification System ( APCs ), PATH requirements, discharge in lieu of transfer considerations, confidentiality of patient information, records retention, present on admission requirements, adverse events, and hospital acquired conditions. Patient Financial Services personnel should receive training that includes many of the subjects identified above, plus additional training regarding specific requirements such as claim composition, credit balance reporting and disposition, billing only for items and services actually rendered, and avoiding duplicate billing. In addition to basic compliance training, research personnel should receive training applicable to the type of research they perform. Such training may include information on animal welfare, human-subjects protections, scientific misconduct, and specific fiscal requirements related to grant funded projects and/or commercially funded clinical trials. This training would include an overview of governing regulations including cost principles, administrative requirements and the audit requirements of receiving federal funds; pre-award institutional processes, including roles and responsibilities, form and content of a proposal, budgeting, and pre-acceptance review of receiving federal funds; post award financial and program management as well as reporting requirements; and Medicare and other third-party coverage rules and avoidance of double billing for clinical research procedures. Financial and other administrative management personnel should receive training in areas including submission of cost reports, disposition of credit balances, charity and bad debt policies and requirements, graduate medical education requirements, and tax-exempt status. 21

27 Other management training should include courses related to prohibited provider relationships such as anti-kickback, self-referral laws, hospital/physician relationships, joint ventures, and antitrust laws. New Managers are provided additional compliance training during the New Beginnings for Managers Program that is offered quarterly by the Medical Center for all newly hired employees at the supervisory/managerial level and for those employees recently promoted to supervisory/managerial positions. Not all Members need to have the identical amount of training and education, nor should the focus of training and educational efforts be the same for all Members. Targeted training and education should be provided to Members whose actions may affect the accuracy of claims submitted to the government. The actual amount of training should reflect necessity, an analysis of risk areas, or areas of concern identified by the Medical Center or the OIG, NYS OMIG, the Medical Center s compliance experience, and the results of periodic audits or monitoring. Additional Training The Office of Compliance, Privacy & Internal Audit may establish the need for additional training if issues are discovered in response to identified problems, as part of a CAP, or if requested by a department to address concerns identified by that department. In this case, the monitoring team, having identified a problem, will alert the education team who will develop and provide specific training for the identified department. As part of the regularly scheduled Risk Assessment process, risk areas will be identified. Training for these risk areas will be specific to the departments and employees involved. On-going Regulatory Training As new federal and state laws and regulations are implemented, the Office of Compliance, Privacy & Internal Audit will develop appropriate training programs and are available to assist departments in interpreting regulations, implementing training, and the development of policies and procedures in response to regulatory requirements. 22

28 Types of Training Training and education may occur in sessions with individual employees, in mandatory inservice meetings, incorporated into special or regular departmental meetings, at leadership meetings throughout the Medical Center or in other effective venues. Training and education may consist of live presentations, videos, question-and-answer sessions, written material, and/or web-based/online sessions. Training includes participation in both in-house or external workshops and seminars. Training Documentation Documentation of training activities including copies of all training materials, sign-in/attendance sheets, and individual certificates of training completion are integral to an effective training and education program. The Office of Compliance, Privacy & Internal Audit shall ensure that all training participants receive credit for having attended all training programs. Training documentation should be retained on file for a minimum of seven (7) years. Failure to Comply With Training Requirements Failure to comply with training requirements or to attend scheduled training sessions of the Medical Center or of each department may result in disciplinary action. Training Program Evaluation There shall be periodic evaluations of training and education programs to determine, and if necessary improve, the value, effectiveness, and appropriateness of any such program. Training course materials shall be reviewed periodically to reflect changes in laws, regulations, and Medical Center policies. 23

29 IV COMMUNICATION Requirement In compliance with federal laws and regulations, OIG Guidances, NYS OMIG laws and regulations, and the U.S. Sentencing Commission Guidelines among others and through a variety of methods, the Office of Compliance, Privacy & Internal Audit shall communicate to Members on Medical Center policies, the Code of Conduct, regulatory guidelines, and/or changes in the law. Communication methods can include one-on-one conversations, broadcast s, mailings to individual members, education sessions, small-and large-group meetings, periodic newsletters, [email protected] an online help and question resource, and an internet website ( NYULMC strives to ensure that open, two-way communication lines to the CCO are accessible to all employees, persons associated with the institution, executives, and governing body members to allow compliance issues to be reported, discussed, and reviewed. This open communication is essential to maintaining an effective Compliance Program. Communication increases the Medical Center s ability to identify and respond to compliance problems and reduces the potential for fraud, waste, and abuse. Without help from employees, it may be difficult to learn of possible compliance issues and make necessary corrections. At any time, Members should be free to request information or education. Members should be able to seek clarification or advice from the Office of Compliance, Privacy & Internal Audit in the event of any confusion or question regarding any element of this Program, any Medical Center policy or procedure related to this Program, billing and documentation rules, and state and federal laws and regulations. Reporting Compliance Concerns Members who are aware of or suspect possible fraud, waste, or abuse, violations of Medical Center policy, or violations of the standards of conduct have a duty to notify the Medical Center 24

30 of such activities, including giving the Medical Center reasonable time to investigate and respond to such allegations. Having knowledge of inappropriate conduct and choosing not to report it is, in itself, a violation of the Code of Conduct. The Medical Center strives to establish and maintain several independent reporting paths for a Member to report fraud, waste, or abuse including: Members who suspect a violation of federal or state laws or regulations or Medical Center policies are expected to notify the Medical Center via their supervisors or other managers in the chain of command (to the extent they are not involved) Individuals who feel that management is not responding (or that management may be involved), may express their concerns to a staff person from the Office of Compliance, Privacy & Internal Audit or anonymously to the Compliance Helplines Individuals who feel that the Office of Compliance, Privacy & Internal Audit, or the Helplines are not responding may address their concern directly with the CCO The Medical Center will investigate all allegations individuals bring forward and will attempt to correct those found to be true and initiate CAPs to prevent future occurrences Individuals who feel that nothing is being done to address their concerns have the right to report their suspicions to the appropriate government agency Helplines The Medical Center contracts with an independent company to operate two (2) 24-hour, 365-day hotlines known as the Compliance Helpline (1-866-NYU-1212) and the HIPAA/HITECH Helpline (1-877-PHI-LOSS). Compliance Helpline Members may use this line anonymously at any time, day or night. The phone number of the Helpline is published in various places throughout the Medical Center and Members are reminded of the number and of their duty to report actual or suspected wrongdoing through training, badge buddies, posters, the intranet, and other methods. Members are encouraged to use the Helpline. This Helpline has been established to give Members of the Medical Center community an opportunity to voice concerns and raise questions about such issues as Code of 25

31 Conduct violations, billing and coding problems, conflicts of interest, financial reporting, retaliation, documentation, kickbacks, and research-related issues among other issues. HIPAA/HITECH Helpline The HIPAA/HITECH Helpline has been established for Members of the Medical Center community to report potential breaches of PHI. Members are required to report issues such as finding unsecured patient information, losing or misplacing patient information, accidently releasing patient information to someone who should not have it, having a laptop, portable data assistant ( PDA ), or portable media device lost or stolen, or sending a fax or containing patient information to the wrong number or address or sending or receiving a fax not meant for them. Members may also call the hotline of the Office of Inspector General of the Department of Health and Human Services ( DHHS ) at HHS-TIPS ( ) or the New York State Office of the Medicaid Inspector General at Feedback The Office of Compliance, Privacy & Internal Audit strives to provide appropriate feedback regarding resolution of reported issues. Such feedback may include reports through the anonymous Helpline system, confidential meetings, and a variety of confidential communications. Confidentiality The CCO will strive to treat all reports confidentially, to the extent possible under applicable law. However, there may be a time when an individual s identity may become known or have to be revealed if governmental authorities become involved or in response to a subpoena or other legal proceedings. Non-Retaliation The Office of Compliance, Privacy & Internal Audit strives to ensure that there will be no intimidation of or retaliation against any employee who in good faith reports acts or suspected 26

32 acts of fraud, waste, or abuse; violations or suspected violations of the standards of conduct; violations or suspected violations of Medical Center policy; or other wrongdoing or misconduct. However, an employee who makes an intentionally false report or a report not in good faith may be subject to disciplinary action. Documentation The CCO will maintain a record of reports received, detailing violations of this Program, the standards of conduct, or relevant laws or regulations. The CCO will periodically furnish a summary of such reports to the CEO/Dean, the Compliance Committees, and the A & C Committee. Annual Compliance Report The Office of Compliance, Privacy & Internal Audit will annually compile a report summarizing all of the activities, training, investigations, Helpline issues, audits, and other compliance activities undertaken during the prior year. This report will be distributed to the A & C Committee, the Compliance Committees, members of senior leadership, and posted on the Compliance website. The Annual Compliance Report will serve as a communications tool informing the Members of the Medical Center of the various compliance activities undertaken. 27

33 V ENFORCEMENT THROUGH DISCIPLINE In addition to possible disciplinary action mentioned elsewhere in this Program, Medical Center policies shall encourage good faith participation in the Compliance Program by all Members, including policies that articulate expectations for reporting compliance issues and assisting in their resolution. These Medical Center policies include sanctions for: Failing to report suspected problems Participating in non-compliant behavior Encouraging, directing, facilitating, or permitting non-compliant behavior Failing to perform any obligation or duty required of employees relating to compliance with this Program or applicable laws or regulations Failure of supervisory or management personnel to detect non-compliance with applicable policies and legal requirements and this Program, where reasonable diligence on the part of the manager or supervisor would have led to the discovery of any violations or problems The Office of Compliance, Privacy and Internal Audit strives to ensure that any disciplinary action follows the Medical Center s existing disciplinary policies and procedures, including Human Resources policies and procedures, provisions of applicable labor contracts, Hospital Medical Staff Bylaws and for faculty of the School of Medicine, the policies and procedures set forth in the New York University Faculty Handbook. Discipline should be fairly, firmly, and consistently enforced. 28

34 VI AUDITING AND MONITORING NYULMC strives to ensure that the Medical Center s Compliance Program is effective. An important element of this effort is identifying and correcting any deficiencies in the Medical Center s business processes. Identification efforts include built-in monitoring systems, and periodic reviews conducted by members of the Compliance team, as well as larger, more formal reviews and/or audits conducted by the Internal Audit Department. The Office of Compliance, Privacy & Internal Audit strives to encourage the design of monitoring systems that are incorporated into day-to-day processing systems in each department. Built-in departmental monitoring systems can include the evaluation of a small sample of orders and/or claims at the end of each month to ensure proper documentation, coding, billing, and reimbursement. In keeping with this goal, the Medical Center shall devote such resources as are reasonably necessary to ensure that persons with appropriate knowledge and experience perform reviews. Reviews include both reimbursement related reviews such as billing, coding and documentation as well as required screenings for excluded persons. If these reviews identify an issue that calls for further assessment, either a concurrent or a retroactive assessment may be employed by either a member of the Compliance team or the Internal Audit Department. Reimbursement Related Reviews The Medical Center, under the direction of the CCO, strives to conduct periodic reimbursement related reviews and audits. By way of example, these reviews might include claims submitted to Medicare, Medicaid, and other federal healthcare payors and third-party payors. Reviews will also include the claims development and submission process. Reviews may include the work of coders, billers, and admitting or registration representatives; patient care providers (including physicians); ancillary departments such as laboratory and diagnostic imaging; as well as risk areas identified by the OIG, NYS OMIG, or Medicare Administrative Contractors ( MACs ). Reviews and audits may also cover the Medical Center s relationship with third party 29

35 contractors, including physicians on its medical staff, and compliance with laws governing kickback arrangements and the self-referral laws. The Office of Compliance, Privacy & Internal Audit may request that the departmental director or manager prepare and submit testing, audit, and monitoring plans for his or her department to address various reimbursement related issues. Access Auditors and reviewers shall have access to all necessary documents and computer applications utilized in the claim development and submission process, patient records, and the contents of computers and electronic storage devices. Auditors and reviewers shall maintain confidentiality as appropriate. Action The CCO will be notified of the results of all audits performed by department personnel, consultants, or government auditors that identify potential compliance issues. Further action, if any, by the CCO with respect to any deviation or discrepancy revealed by an audit will be taken under the provisions of Section VII. Documents All audits shall be thoroughly documented. Such documents shall be maintained in the permanent files of the Office of Compliance, Privacy & Internal Audit and adequately secured. Hospital Compliance Auditing & Monitoring Program Hospital documentation and coding shall be monitored periodically for both inpatient and outpatient services. Random samples of records shall be reviewed to determine the accuracy of the code assignment, sequencing of codes, and identification of all reportable diagnoses and procedures. Hospital bills shall also be reviewed to ensure that all hospital charges are accurately reflected. Specific areas to be audited are selected based upon risks associated with claims submission including but not limited to: 30

36 Incorrect coding Upcoding & undercoding Unbundling of services Billing medically unnecessary services Duplicate billing Lack of documentation to support the reported diagnoses and procedure codes billed Reporting of the incorrect discharge status code In addition, as new risk areas are identified by the various government payers and auditing agencies, these shall be incorporated into the Hospital Compliance Work Plan. All audit findings shall be discussed with the respective department and CAPs shall be developed. Corrective Actions Plans can include revision of existing policies, changes in staffing, rebilling of claims, and/or educational sessions, as well as other identified activities. Faculty Group Practice Auditing and Monitoring Program In order to assess the accuracy and appropriateness of physician coding and documentation the Office of Compliance, Privacy & Internal Audit conducts audits of FGP physician billing records and patient charts. It is the goal of the Office of Compliance, Privacy & Internal Audit to conduct a provider audit for each FGP physician at least biennially. A random sample of twenty (20) encounters representing those services most frequently rendered by that provider are reviewed for accuracy of coding, documentation to support medical necessity, and documentation to support the billed Evaluation & Management Code. Providers who do not meet the standards required in the chart audit will receive focused training on their specific errors and/or deficiencies and will be re-audited within one (1) to six (6) months. The Office of Compliance, Privacy & Internal Audit also assists the FGP with external reviews and inquires from government agencies such as CMS, OIG, and NYS OMIG and other third party payors, in order to ensure a timely and appropriate response. 31

37 HIPAA/HITECH Auditing and Monitoring Program The Office of Compliance, Privacy & Internal Audit shall conduct various audits in compliance with the federal HIPAA/HITECH laws and regulations including verifying distribution and receipt of acknowledgment of the Notice of Privacy Practices, proper use of HIPAA Authorization forms for disclosure of PHI to certain outside entities, access to computer applications containing PHI, destruction methods used for disposing of paper PHI, and working with the MCIT Department conducting appropriate security audits. Compliance staff shall monitor and investigate all issues identified by Data Loss Prevention software and Break the Glass reports generated by the Epic electronic health record to ensure the confidentiality and security of PHI. Screening For Excluded Persons The Medical Center strives to conduct the required level of screening to ensure that it does not employ, receive referrals from, or contract with ineligible persons. New Employees and Applicants The Medical Center shall conduct a reasonable background investigation of all new employees, or applicants for employment. This investigation is of primary importance for those employees who will have discretionary authority to make decisions that may materially affect the Medicare/Medicaid claim development and submission process or the Medical Center s relationship with physicians on its medical staff. The purpose of the background investigation is to determine whether any such employee or applicant has been (i) convicted of a criminal offense related to healthcare or (ii) listed by a federal agency as debarred, excluded, or otherwise ineligible for federal program participation. Providers A similar reasonable background investigation to that conducted for new employees and applicants shall be undertaken for all healthcare providers who do or will possess an individual Medicare or Medicaid provider number. Such providers are also periodically screened. 32

38 Referring Providers All providers that refer patients to the Medical Center for any health care services, in accordance with federal and state law, will be screened to determine whether they have been disbarred or excluded by a federal agency. Vendors and Contractors Vendors and contractors shall be periodically screened to determine whether they have been disbarred or excluded by a federal agency. Prohibition It is the goal of the Medical Center not to hire or retain an employee in a position which has or will have discretionary authority to make decisions or whose job functions may materially impact the Medicare/Medicaid claim development and submission process or the Medical Center s relations with its staff physicians if such prospect or employee has been convicted of a crime related to healthcare or has been excluded or debarred. The Medical Center also strives to not contract with any person or entity that has been so convicted, excluded, or debarred, and will attempt to terminate its contractual arrangements with any such person or entity, subject to legal constraints such as damages for breach of contract. The Medical Center strives to make reasonable and prudent efforts not to submit any claims for services ordered or furnished by any person or entity, including physicians, excluded from participation. Screening Process The Department of Compliance & Privacy Investigations, with the assistance of an outside contractor, shall conduct a monthly review of the exclusion, disbarment, and disqualified status of all Medical Center employees, providers, referring physicians, and vendors, against relevant exclusion lists provided by the following federal and state government monitoring agencies: U.S. Department of Health and Human Services - Office of the Inspector General U.S. General Services Administration ( GSA ) U.S. Treasury Department Office of Foreign Asset Control ( OFAC ) U.S. Food and Drug Administration ( FDA ) New York State Office of the Medicaid Inspector General 33

39 State Exclusion Mandates [all other relevant mandates for all fifty (50) states] The Department of Compliance & Privacy Investigations shall follow-up and report all confirmed exceptions noted during its review to the appropriate governmental oversight entity and shall advise senior leadership of steps mandated by government oversight entities to comply with their reporting requirements. The Department of Compliance & Privacy Investigations shall provide management with recommendations to remove confirmed violations and how to maintain prospective compliance with exclusion mandates. 34

40 VII RESPONDING TO OFFENSES AND DEVELOPING CORRECTIVE ACTIONS Violations of the Medical Center s Compliance Program, failures to comply with applicable federal and state law, and other types of misconduct threaten the Medical Center s status as a reliable, honest, and trustworthy provider, capable of participating in federal healthcare programs. The Medical Center strives to ensure that all allegations of failure to comply are promptly and thoroughly investigated and that there is a prompt and appropriate response to all government inquiries. Investigations The Medical Center strives to ensure that all issues reported to managers and supervisors, the Office of Compliance, Privacy & Internal Audit, and the Helplines are promptly and thoroughly investigated under the guidance of the Office of Compliance, Privacy & Internal Audit. The goals of an internal investigation include: Discovering facts and circumstances related to allegations of legal or regulatory noncompliance Discovering all relevant facts, including those that are both incriminating and nonincriminating Assessing the significance of the facts discovered to determine whether the conduct was illegal, a violation of the HITECH Act, or legal but in violation of the Medical Center s Code of Conduct or policies Collaborating with Human Resources and Medical Center administration to recommend both disciplinary actions and corrective actions Investigation by Managers and Directors Managers or directors who receive a report of a suspected violation are expected to initiate a prompt investigation of the allegations. Reports of violations might include any reasonable indication of violations of this Program, the Code of Conduct, departmental policies and procedures, or applicable law or regulation by employees or others within their supervision. If the report involves reasonable suspicion of a violation of law or regulations, managers and 35

41 directors are expected to report the allegations to the CCO or the Chief Regulatory Officer, as appropriate, and to conduct the investigation as guided. Compliance Investigation When there is reasonable indication of a violation of applicable laws or regulations or a privacy breach, the Office of Compliance, Privacy & Internal Audit strives to ensure that it maintains primary responsibility for conducting the investigation. If the potential for uncovering illegal conduct or significant liability exposure exists, the internal investigation should be conducted at the direction of the Office of General Counsel, and should be protected pursuant to attorneyclient privilege. In undertaking investigations, the CCO may consult with the respective manager, director, or administrator who has responsibility for the department. The CCO may also utilize other Medical Center employees (consistent with appropriate confidentiality), outside attorneys selected by the General Counsel, outside accountants and auditors, or other consultants or experts for assistance or advice. Process The CCO, or his or her designee, may conduct interviews with any Medical Center employee and with other persons; may review any Medical Center document including but not limited to those related to the claim development and submission process, patient records, s, and the contents of computers and electronic storage devices; and may undertake other processes and methods as the CCO deems necessary. Documentation At the direction of the General Counsel, the CCO may prepare a report which (i) defines the nature of the situation or problem (ii) summarizes the investigation process (iii) identifies any person(s) whom the investigator believes to have acted deliberately or with reckless disregard or intentional indifference, particularly toward the Medicare/Medicaid laws, regulations, and policies, and (iv) if possible, estimates the nature and extent of any resulting overpayment by the government or another entity. 36

42 Responses The Medical Center strives to respond promptly and appropriately to the discovery of possible fraud, waste, abuse, or privacy breaches. Possible Fraud, Waste, and Abuse In the event an investigation reveals or uncovers what appears to be fraud, waste, or abuse on the part of any employee or department, the following actions shall be taken: All billing involved in the situation or problem shall be discontinued until appropriate corrections are made A summary of the results of the investigation shall be sent for appropriate disciplinary action to the direct supervisor of the implicated employee, as well as the Human Resources Department. Pending disciplinary action, any such employee may be removed from any position with oversight of or impact upon the claims development and submission process. Federal, state, and/or local agencies shall be notified as deemed appropriate by Legal Counsel, the administrator, and/or the CCO Possible HITECH Breaches In the event an investigation determines that a privacy breach has occurred as a result of the loss or disclosure of PHI, the Medical Center shall follow the requirements outline by the federal HITECH regulations that include reporting and notification within sixty (60) days of the Medical Center s discovery of the breach. Other Non-Compliance In the event the investigation reveals claims development and submission problems, which does not appear to be the result of criminal activity on the part of any employee or department, the following action shall be taken: A CAP will be developed to ensure that all policies, procedures and practices that contributed to the problem are corrected 37

43 If any monies were received by the Medical Center in error, these amounts will be quantified and returned to the affected payor within sixty (60) days of determination that an overpayment exists An education and training program will be developed for the employee and/or department to ensure that the staff are knowledgeable of the federal and state laws and regulations, Medical Center policies and procedures, and applicable billing and documentation rules to ensure that problems do not occur in the future A summary of the results of the investigation shall be sent for appropriate disciplinary action, if any, to the department director or manager, and to Human Resources as deemed appropriate Relationship of Investigations to New York University Disciplinary Regulations An investigation by the CCO shall be preliminary to the initiation of disciplinary proceedings under New York University general disciplinary regulations that are applicable to faculty members and students. If there is reasonable cause to believe a violation exists, the CCO or respective manager or director, shall initiate a formal complaint against the faculty member or student. The adjudication of such complaint shall proceed in accordance with the applicable policies and procedures of New York University. Voluntary Disclosures Voluntary self-disclosures will be guided by the OIG s Provider Self-Disclosure Protocol 63 Fed.Reg (October 21, 1998) and Section 6402(a) of H.R. 3590, the Patient Protection and Affordable Care Act of 2010 ( PPACA ), in conjunction with legal counsel. Reports by Compliance Officer The CCO periodically shall furnish information with appropriate confidentiality protections about such investigations to the CEO/Dean, the Compliance Committees, and the Audit and Compliance Committee of the Board of Trustees. 38

44 Response to Governmental Inquiries Federal agencies have available a number of investigation tools including search warrants, subpoenas, and civil investigation demands. Actions also may be brought against the Medical Center to exclude it from participating in Medicare/Medicaid if the Medical Center fails to grant immediate access to agencies conducting surveys or reviews. It is, therefore, the policy of the Medical Center to cooperate with and properly respond to all governmental inquiries and investigations. Process Employees who receive a search warrant, subpoena, or other demand or request for investigation, or who are approached by a federal agency, should attempt to identify the investigator, if any. They should also immediately notify their supervisor, the CCO, or in the CCO's absence, the General Counsel or other member of the legal or compliance staff. Employees should request the government representative to wait until the CCO or his or her designee arrives before conducting any interview or reviewing documents. The CCO, in consultation with General Counsel and, as necessary, outside legal counsel, is responsible for coordinating the Medical Center s response to warrants, subpoenas, inquiries, and investigations by federal agencies. If appropriate, the Medical Center may provide legal counsel to employees. Documents The Medical Center s response to any warrant, subpoena, investigation, or inquiry must be complete and accurate. No employee shall alter, destroy, or mutilate any document or record or alter, delete, or download any material from any computer, word processor, disk, or tape, except in accordance with the Medical Center s Records Retention policies. If a document is required to be retained, it must be preserved in its original form. 39

45 VIII RISK ASSESSMENT The Office of Compliance, Privacy & Internal Audit shall conduct on-going risk assessments to determine the types of risks facing the Medical Center, the probability of those risks occurring, and the impact those risks would have on the Medical Center. Through its ERM Program the Office of Compliance, Privacy & Internal Audit shall conduct interviews with key management personnel to get feedback on the perceived risks facing the Medical Center including interviews with departmental staff dealing with operational and billing issues. Office of Compliance, Privacy & Internal Audit staff shall also review OIG and NYS OMIG Annual Work Plans, CMS Bulletins, LCDs, NCDs, Recovery Audit Contractor ( RAC ) audit plans, new federal and state laws and regulations, and changes to federal and state laws and regulations to determine those items that present a greater risk to the Medical Center. Assessments will also be conducted of the regulatory landscape and internal landscape considering major new projects that the Medical Center is engaging in. In response to these risk assessments, the Office of Compliance, Privacy & Internal Audit shall develop Heat Maps to quantify the risks and shall develop Annual Work plans that identify those areas that the Office of Compliance, Privacy & Internal Audit shall audit, monitor or review and the timeframe for accomplishing these reviews. The status of the reviews identified in the Annual Work Plans shall be reviewed with the A & C Committee at its regular meetings. Results of the reviews shall also be presented to the A & C Committee. 40

46 Conclusion The Compliance Program plays an integral part in assisting the Medical Center in achieving its commitment to the highest standards of conduct, honesty, integrity, and reliability in its business practices. The Compliance Program assists the Medical Center in preventing, detecting, and correcting any fraud, waste, or abuse in Medical Center practices. The Compliance Program promotes understanding and adherence to applicable federal and state laws and regulations related to federally funded healthcare programs as well as third party payors. The Compliance Program is a constantly evolving Program responding to changes in federal and state laws and regulations, billing, coding and documentation rules, and the results of external audits. This Compliance Program document represents the current state of the Compliance Program. This document will be updated as required but not less than biennially. All changes to the Compliance Program shall be reviewed and approved by the A & C Committee of the Board of Trustees. 41