NYU LANGONE MEDICAL CENTER CORPORATE COMPLIANCE PROGRAM

Transcription

1 NYU LANGONE MEDICAL CENTER CORPORATE COMPLIANCE PROGRAM Originally Approved by the Boards of Trustees on May 25, 2004 Updated 2007 Updated 2009 Updated 2010 Updated 2011

2 NYU LANGONE MEDICAL CENTER CORPORATE COMPLIANCE PROGRAM Table of Contents Page INTRODUCTION 1 Expected Conduct The Eight Elements of a Compliance Program Purpose of this Document Disclaimer I. WRITTEN POLICIES AND PROCEDURES 5 Periodic Review Communication Compliance Policies and Procedures II. OVERSIGHT AND MANAGEMENT OF THE PROGRAM 7 Audit and Compliance Committee Chief Compliance and Privacy Officer Duties Authority Reports The Office of Compliance, Privacy & Internal Audit Office of Compliance, Privacy & Internal Audit Staff Hospital Compliance

3 Physician Billing Compliance Research Compliance School of Medicine Compliance Conflicts of Interest Management Compliance Education and Communication Compliance & Privacy Investigations Privacy and Security Enterprise Risk Management & Internal Audit Compliance Committees Compliance Oversight Committees Operational Compliance Committees Medical Center Departmental Directors and Managers III. TRAINING AND EDUCATION 18 Requirement Content Initial Education On-going Training Additional Training On-going Regulatory Training Types of Training Training Documentation Failure to Comply with Training Requirements Training Program Evaluation IV. COMMUNICATION 24 Requirement Reporting Compliance Concerns Helplines Compliance Helpline HIPAA/HITECH Helpline

4 Feedback Confidentiality Non-Retaliation Documentation Annual Compliance Report V. ENFORCEMENT THROUGH DISCIPLINE 28 VI. AUDITING and MONITORING 29 Reimbursement Related Reviews Access Action Documents Hospital Compliance Auditing and Monitoring Program Faculty Group Practice Billing Auditing and Monitoring Program HIPAA/HITECH Auditing and Monitoring Program Screening For Excluded Persons New Employees and Applicants Providers Referring Providers Vendors and Contractors Prohibition Screening Process VII. RESPONDING TO OFFENSES AND DEVELOPING CORRECTIVE ACTIONS 35 Investigations Investigation by Managers and Directors Compliance Investigation Process Documentation Responses

5 Possible Fraud, Waste and Abuse Possible HITECH Breaches Other Non-Compliance Relationship of Investigations to New York University Disciplinary Regulation Voluntary Disclosures Reports by Compliance Officer Response to Governmental Inquiries Process Documents VIII. Risk Assessment 40 Conclusion 41

6 NYU LANGONE MEDICAL CENTER CORPORATE COMPLIANCE PROGRAM Introduction Agencies and departments of the federal and state government including but not limited to the Office of the Inspector General ( OIG ), Centers for Medicare and Medicaid Services ( CMS ), and the New York State Office of the Medicaid Inspector General ( NYS OMIG or OMIG ) have identified a number of instances of fraud, waste, and abuse in federally funded health care programs including Medicare and Medicaid and have required the adoption and implementation of compliance programs. The Board of Trustees of NYU Hospitals Center ( NYUHC ) and the New York University School of Medicine Foundation ( NYUSoM ), together the Medical Center or ( NYULMC ), as well as Medical Center administration and management, recognize the seriousness of the issues raised by the Government and recognize that failure to comply with applicable laws and regulations could threaten the Medical Center s continuing participation in these health care programs. The Board, therefore, has directed that the Medical Center undertake an integrity program in order to maintain the Medical Center s commitment to high standards of conduct, honesty, and reliability in its business practices. This integrity program is called a Compliance Program (the Program ). The primary purpose of the Program is to make a sincere effort to prevent, detect, and correct any fraud, waste, and abuse in the Medical Center in connection with federally funded health care programs and private health plans. In order to accomplish this goal, the Program strives to create a culture that promotes understanding of and adherence to applicable federal, state, and local laws and regulations. To be effective the Compliance Program should be a continuously evolving effort to meet the changing regulatory landscape. 1

7 Expected Conduct The Program describes the expected conduct of all NYULMC Members ( Members ) who include: Trustees: individuals appointed to serve as a member of the NYULMC Board of Trustees, including Associate Trustees and Life Trustees Employees Medical Staff : the executives, managers, and staff as well as any other person or individual hired on a full or part-time basis by and in the paid service of the Medical Center, including per diem and casual employees Faculty Volunteers: : all individuals credentialed through the Medical Staff Services Office : those individuals as defined in the New York University Faculty Handbook under Bylaw 64 as it applies to NYUSoM Medical Students: Contractors those individuals working in the NYULMC on an unpaid basis individuals in pursuit of a degree conferred by NYUSoM : an entity with whom NYULMC has a written agreement to provide items or services, perform billing or coding functions, or monitor health care provided by NYULMC There are several parts to the Program, each outlined below, and each of which is important to achieving a responsive and effective Compliance Program. The essential policies, procedures, and initiatives that define an effective, robust Program are discussed herein and constitute the NYULMC Compliance Program. The Eight Elements of a Compliance Program The U.S. Sentencing Commission Guidelines have outlined eight (8) elements that comprise an effective Compliance Program. These elements include: 1. Written policies and procedures 2. A designated compliance officer and a compliance committee 3. Effective training and education 4. Effective lines of communication 5. Standards enforced through well-publicized disciplinary guidelines 2

8 6. Auditing and monitoring 7. Response to detected offences and corrective action plans and 8. Ongoing risk assessment New York State law (NYS Social Services Law 363-d) and regulations (18 NYCRR Part 521) require all providers participating in the New York State Medicaid Program to have a mandatory compliance program. Title 18 Part 521 of the Codes, Rules and Regulations of the State of New York outlines seven requirements of a compliance program that New York State providers must incorporate into their compliance program. In addition, all providers are required to certify on an annual basis that they have the required compliance program in place. Providers are subject to Office of Medicaid Inspector General (OMIG) Compliance Effectiveness Reviews to ensure that the compliance program that is in place is effective and achieving the requirements outlined in the statute and regulations. Purpose of this Document This document describes the elements of effective compliance programs outlined by both the U.S. Sentencing Guidelines and the NYS OMIG as they fit within NYULMC and details the fundamental principles, values, and operational framework for compliance within the Medical Center. This document articulates the Medical Center s commitment to compliance and the goals to which the Medical Center strives. Throughout the document, words and phrases such as shall, should, and strive to are used to describe the organizational framework of the NYULMC compliance program and the basic responsibilities of Members. This Program description is designed to be accompanied by more specific policies that detail expected behavior and plans that detail compliance goals and objectives. Policies can be found at or on the Compliance website at Disclaimer Nothing in this document shall (i) constitute a contract of or agreement for employment; (ii) modify or alter in any manner any employee s at-will employment status; or (iii) modify any 3

9 rights of faculty members of the School of Medicine as provided in the New York University Faculty Handbook. Any part of this Program may be changed or amended at any time without notice to any employee. 4

10 I WRITTEN POLICIES AND PROCEDURES An effective Compliance Program should define the expected conduct of its Members through the establishment of written, dynamic policies and procedures. Within the Medical Center, these policies and procedures begin with the mission statement and values, which provide a framework. This conduct is more specifically defined in the Code of Conduct, the Medical Staff Bylaws, the Faculty Handbook, and the Employee Handbook, as well as in policies and procedures that address the specific risk areas of the Medical Center. Policies and procedures pertaining to each business unit or department are the responsibility of those departments. Periodic Review To manage known risks effectively, adherence to policies and procedures should be reviewed on a periodic basis. In addition, newly identified risks should result in the promulgation of new policies and procedures or revisions to old ones as well as Corrective Action Plans ( CAPs ), where necessary, to address those risks. Communication Policies and procedures, to be effective, should be clearly communicated to Members such that they are capable of integrating them into their daily operations. Methods for accomplishing this might include administrative notification via , presentation at appropriate meetings, posting of policies and procedures on the Intranet, inclusion in documents such as Member handbooks, position descriptions, performance evaluations, newsletters, and via the provision of training. Compliance Policies and Procedures Detailed policies outlining important compliance activities shall be maintained in the Office of Compliance, Privacy & Internal Audit. The Compliance Program shall have policies including but not limited to Health Insurance Portability and Accountability Act ( HIPAA )/Health 5

11 Information Technology for Economic and Clinical Health Act ( HITECH ) privacy, conducting excluded persons monitoring, conducting investigations, responding to external investigations, providing conflicts of interest management, identity theft, whistleblower protections, nonretaliation, and reporting compliance concerns. Copies of these policies are available at and on the Compliance website at 6

12 II OVERSIGHT AND MANAGEMENT OF THE PROGRAM Audit and Compliance Committee The Audit and Compliance Committee of the Board of Trustees (the A & C Committee ) is established, in part, for the purpose of assisting the Board in the oversight of the Medical Center s regulatory compliance and business ethics. The purpose, authority, composition, duties, and responsibilities of the A & C Committee are fully described in the A & C Committee Charter. Chief Compliance and Privacy Officer The A & C Committee, working in consultation with the Dean and CEO of the Medical Center, shall appoint a Vice President for Compliance, Privacy & Internal Audit (the Chief Compliance and Privacy Officer or CCO ) as the executive in charge of the continued development, implementation, and operation of the Program. The performance of the duties and responsibilities of the CCO shall be reviewed at least annually by the A & C Committee. Duties The CCO and the Compliance Oversight Committees (as described below) shall prepare, and revise as necessary, a job description for the CCO. The CCO s primary responsibilities set out in the job description shall include: Overseeing and monitoring the implementation of the Compliance Program Reporting on a regular basis to the Board of Trustees, the A & C Committee, the CEO/Dean, and the Oversight Committees on the progress of implementation Assisting the Board, the A & C Committee, the CEO/Dean, and the Oversight Committees in establishing methods to improve the Medical Center s efficiency and quality of services, and to reduce the Medical Center s vulnerability to fraud, waste, and abuse Periodically revising the Compliance Program as required by changes in federal and state laws and regulations as well as policies and procedures of government and private payor health plans 7

13 Developing, coordinating, and participating in an education and training program that focuses on the elements of the Compliance Program, and seeks to ensure that all individuals to whom this Program is extended are knowledgeable of, and comply with, applicable federal and state requirements Working with the Medical Center Information Technology ( MCIT ) Department and the MCIT Security Officer to ensure the privacy and security of all Protected Health Information ( PHI ) Ensure all Members are aware of the Medical Center s obligations under federal and state laws and regulations regarding maintaining PHI confidentially and securely Ensuring that independent contractors and agents who furnish services to the Medical Center are aware of the requirements of the Medical Center s Compliance Program with respect to coding, billing, marketing, and PHI privacy and security, among other things Coordinating personnel issues with the Senior Vice President and Vice Dean of Human Resources and the Medical Staff Office to ensure that the National Practitioner Data Bank and Cumulative Sanction Report have been checked with respect to all employees, medical staff, and independent contractors, as applicable Ensure monitoring for excluded persons in federal and state programs occurs on a monthly basis and that such monitoring shall cover all employees, faculty, medical staff, vendors, contractors, and referring physicians Coordinating regulatory issues of a clinical nature with the Chief Regulatory Officer Coordinating internal compliance reviews and monitoring activities including annual or periodic reviews of departments Oversee physician billing audits to ensure Faculty Group Practice ( FGP ) compliance with federal and state billing laws and regulations as well as third party insurance requirements After consultation with Legal Counsel, investigating and acting on matters related to compliance, including the flexibility to design and coordinate internal investigations (e.g., responding to reports of problems or suspected violations) and any resulting corrective action with all Medical Center departments, providers, sub-providers, agents and, if appropriate, independent contractors 8

14 Developing policies and programs that encourage all employees to report suspected fraud and other improprieties without fear of retaliation Ensure that the Medical Center completes all required NYS OMIG certifications consistent with regulatory requirements Authority The CCO shall have direct access to both the CEO/Dean and the Chairman of the Audit & Compliance Committee of the Board of Trustees. The CCO shall have access to all documents and information relevant to compliance activities, including but not limited to all computer applications utilized by the Medical Center for patient records, billing records, financial records, contracts, computer systems, written arrangements, agreements with others, and all other Medical Center files and documents The CCO shall seek the advice of the General Counsel and other legal counsel as may be retained by the General Counsel, and may retain necessary consultants or experts. Reports The CCO shall make written and/or oral reports on compliance activities including reports on complaints received from employees, investigations, audits, and monitoring to the A & C Committee, CEO/Dean, and members of the Oversight Committees on a regular basis. Reports to the Board of Trustees shall be at least annually or more often as necessary or advisable. The Office of Compliance, Privacy & Internal Audit Compliance Program management is executed through the Office of Compliance, Privacy and Internal Audit under guidance of the CCO. The Compliance Program s financial support is the joint responsibility of the Hospitals Center and the School of Medicine. Office of Compliance, Privacy & Internal Audit Staff The Office of Compliance, Privacy and Internal Audit staffing consists of various Directors and Managers as well as auditing and support staff who serve as the focal point for compliance activities, in the following areas: i. Hospital Compliance 9

15 ii. Physician Billing Compliance iii. Research Compliance iv. School of Medicine Compliance v. Conflicts of Interest Management vi. Compliance Education and Communication vii. Compliance & Privacy Investigations viii. Privacy and Security ix. Enterprise Risk Management & Internal Audit The Compliance staff work closely with the CCO, Compliance Committees, General Counsel, clinical and non-clinical departments, faculty practices, billing personnel, research personnel, and all levels of staff and administration within the Medical Center to foster and enhance compliance with applicable legal and Medical Center requirements. Hospital Compliance Hospital compliance efforts are designed to promote accurate billing including billing for services that are actually provided, documented appropriately, correctly coded and medically necessary. Hospital Compliance staff conducts billing and documentation audits at each of the three NYULMC facilities: Tisch Hospital, Rusk Institute for Rehabilitation, and Hospital for Joint Diseases. Hospital compliance is also responsible for Stark and Anti-Kickback statute compliance including physician/hospital contracting reviews. Physician Billing Compliance Physician Billing Compliance staff is responsible for auditing FGP physician billing, coding, and documentation. Physician Billing Compliance staff provide group and individual training and education, pre-billing consultations, and ongoing assessments of compliance risks in the physician billing area. Physician Billing Compliance staff work with individual faculty group practices to respond to governmental and third party payor inquiries and audits. 10

16 Research Compliance Research Compliance staff provide support and education for Members in conducting scientific research in compliance with regulatory requirements and ethical standards. Research Compliance staff support all research related institutional oversight functions including: Human Subjects Protection, Animal Subjects Protection, Scientific Misconduct and Responsible Conduct of Research, Financial Administration of Research, Environmental Health and Safety, Radiation Safety, and Office of Industrial Liaison. The Research Compliance team assists in the development of research related policies and procedures, auditing and monitoring of compliance with federal and state laws and regulations involving the conduct of research, grant reporting, and clinical trials. School of Medicine Compliance School of Medicine compliance is involved in ensuring that all Medical School staff is informed of all federal and state laws and regulations related to providing patient care, conducting research, and maintaining Protected Health Information ( PHI ) confidentially and securely. School of Medicine compliance staff ensures that all necessary education and training is provided to School of Medicine faculty and staff. Conflicts of Interest Management The role of the Conflicts of Interest Management Unit ( CIMU ) is to coordinate the disclosure of potential conflicts of interest matters, monitor, and verify compliance with the Medical Center s conflicts of interest policies, and to educate the Members of the Medical Center regarding those conflicts of interest policies. The Conflicts of Interest Management Unit staff obtain and maintain financial interest disclosures from all relevant Medical Center Members through an annual disclosure process and on a per project basis with regard to research, maintains records of all disclosures, reviews and evaluates disclosures to determine if a potential conflict exists, monitors compliance with conflict management plans created by the Research Conflict of Interest and Business Conflict of Interest Committees, provides ongoing training and updates to promote awareness of federal and state laws and regulations as well as Medical Center policies regarding conflict of interest, and serves as the liaison between the Research Conflict of 11

17 Interest Committee and/or Business Conflict of Interest Committee and among the NYULMC community, other research related entities, and the A & C Committee. Compliance Education and Communication The Compliance Education and Communication staff creates and conducts various training programs for Members throughout the Medical Center and coordinates all Compliance Communication efforts with Medical Center Members. Compliance Education and Communication staff conducts a training assessment to determine the compliance courses that are needed within the Medical Center. This assessment includes providing the education required in this Program, reviewing new and changing federal and state laws and regulations and working with Medical Center management to determine what compliance education is required. Compliance Education and Communication staff conducts the compliance module of the New Beginnings Orientation Program for new employees and New Beginnings for Managers Program. The Compliance Education and Communication staff is also responsible for maintaining the compliance training computer system and maintaining accurate training attendance records. The Compliance Education and Communication team is responsible for designing and maintaining the Compliance website, coordinating Compliance Week activities, and coordinating all compliance outreach activities. Compliance & Privacy Investigations The Director of Compliance & Privacy Investigations is responsible for monitoring both Medical Center Helplines and investigating any issues raised via Helpline reports or communicated to the Office of Compliance, Privacy & Internal Audit. The Office of Compliance & Privacy Investigations is also responsible for review of all incidents identified via use of the Data Loss Prevention software. All Break the Glass reports related to electronic access of sensitive electronic health information generated in the Epic electronic health record are reviewed by the Office of Compliance & Privacy Investigations. In addition to handling HIPAA/HITECH investigations, the Director of Compliance & Privacy Investigations is responsible for all HIPAA/HITECH related matters including policy and procedure development, form development, and Notice of Privacy Practices maintenance. All HIPAA audits and reviews for both physical security compliance as well as electronic access audits are conducted by the 12

18 Director of Compliance & Privacy Investigations. The Office of Compliance & Privacy Investigations is also responsible for all monthly excluded persons checks required by federal and state law. Privacy and Security The CCO serves as the Privacy Officer for the Medical Center with responsibility for overseeing compliance with all federal and state privacy laws and regulations, including HIPAA/HITECH. The CCO works with the Director of Compliance & Privacy Investigations reviewing HIPAA/HITECH Helpline reports, investigating possible privacy breaches, working with the federal Office of Civil Rights ( OCR ) on potential HIPAA/HITECH matters, reviewing and revising Medical Center policies and procedures to comply with federal and state privacy requirements, conducting privacy and security audits to ensure compliance with HIPAA/HITECH requirements, working with the MCIT department to ensure HIPAA/HITECH security requirements are implemented throughout the Medical Center, providing education and training on privacy and security matters, and working with the electronic medical record implementation team to assure HIPAA/HITECH compliance and to ensure that appropriate security features are in place. Enterprise Risk Management & Internal Audit The enterprise risk management activities provide a Medical Center-wide coordinated risk assessment program designated as Enterprise Risk Management (ERM). The Office Enterprise Risk Management & Internal Audit shall on at least an annual basis conduct an enterprise-wide risk assessment to determine the key risks facing the Medical Center, the probability of those risks occurring, and the impact those risks could have on the Medical Center. The risk list will be based on input from key management personnel and/or key risk owners through workshop forums, survey tools, etc. The risk list will be presented at the Audit & Compliance Committee on an annual basis and include the top risk list, as well as the activities being undertaken to mitigate risk exposures. In coordination with ERM activities, The Office of Compliance, Privacy & Internal Audit shall conduct additional risk assessments including interviews with key management personnel on perceived risks including those departmental staff dealing with operational and billing issues, privacy matters, IT systems, and major, new Medical Center 13

19 initiatives. As input to the risk assessments, the Office of Compliance, Privacy & Internal Audit staff shall review OIG and NYS OMIG Annual Work Plans, CMS Bulletins, LCDs, NCDs, Recovery Audit Contractor ( RAC ) audit plans, new federal and state laws and regulations, changes to federal and state laws and regulations, as well as the occurrence of actual compliance breaches and sanctions in the health care sector to determine those items that present a greater risk to the Medical Center. In alignment with these risk assessments, the Office of Enterprise Risk Management & Internal Audit shall develop Heat Maps to quantify the risks and shall develop Annual Work plans that identify those areas that the Office of Compliance, Privacy & Internal Audit shall audit, monitor or review and the timeframe for accomplishing these activities. The status and results of the reviews identified in the Annual Work Plans shall be reviewed with the A & C Committee at its regular meetings. Internal Audit provides independent, objective assurance designed to add value and improve Medical Center operations. Internal Audit helps to accomplish this goal by providing audits and reviews of the organization s operations including testing systems of internal controls including the soundness, accuracy, and application of the accounting, financial, and operating controls to ascertain the extent of compliance with established policies and procedures and applicable laws and regulations, determining the extent to which the Medical Center s assets are accounted for and safeguarded from losses of any kind, reviewing the adequacy of information technology security and controls, ascertaining the reliability of management data developed and reported within the Medical Center, and appraising the effectiveness and timeliness of management s Corrective Action Plans ( CAPs ). Compliance Committees To assist the CCO in promoting the effectiveness of the Compliance Program and striving to create a culture that promotes understanding of and adherence to applicable federal, state, and local laws and regulations, the Medical Center has established the following Compliance Committees: 14

20 Compliance Oversight Committees ( Oversight Committees ) Medical Center Compliance Research Compliance Operational Compliance Committees ( Operational Committees ) Hospital For Joint Diseases Tisch Hospital/Rusk Institute for Rehabilitation School of Medicine/Faculty Group Practice HIPAA Compliance Compliance Oversight Committees Membership and Duties The Oversight Committees, which include members of Medical Center senior leadership, shall promote the effectiveness of the Compliance Program by performing the leadership functions identified below: Understand the legal/compliance requirements of the Medical Center in order to identify and assess risks to prioritize Program initiatives Recommend, develop, and help to implement policies, procedures, and controls that reflect preferred practices to address identified risks Identify and promote training relevant to general compliance as well as training responsive to specific risk areas Evaluate the performance of the Compliance Program including the systems for communicating, evaluating, and responding to complaints and other compliance matters Help identify potential instances of non-compliance and possible fraud, waste, and abuse at the Medical Center Assist in adjudicating identified compliance issues and implementation of CAPs 15

21 Ensure the ongoing enforcement of compliance policies and procedures and, if required, provide direction regarding disciplinary actions for repeated violations Encourage a culture of compliance throughout the Medical Center Operational Compliance Committees Membership and Duties The Operational Compliance Committees, which include members of Medical Center management, shall promote the effectiveness of the Compliance Program by performing the functions identified below: Collaborate with the CCO and attend monthly meetings Assist in identifying and resolving compliance risks within the various Medical Center departments Communicate and encourage a culture of compliance within the various Medical Center departments Raise and maintain compliance awareness Assist in drafting departmental billing and compliance guidelines Address compliance issues and bring them to the attention of the CCO Communicate Compliance Program updates to Medical Center departments Participate in planning department education and training sessions and facilitating the completion of mandatory training within the Medical Center departments Medical Center Departmental Directors and Managers In order to create a culture supportive of compliance and ethics, the directors, managers, chairs, and/or administrators of all departments shall be responsible for: Participating in the identification of risks in each department 16

22 Developing and maintaining departmental compliance policies and procedures that support applicable laws and regulations in consultation with the CCO Ensuring that each new employee receives initial compliance training within sixty (60) days of hire and that all employees within the department complete required training as it is assigned Providing or arranging for training for all departmental employees to implement these policies and procedures in consultation with the CCO Responding to audits performed by Compliance and Internal Audit staff including development and monitoring of CAPS and verifying that any claims requiring rebilling or refunding has occurred Taking all measures reasonably necessary to ensure compliance with the Code of Conduct, Medical Center policies and procedures, and applicable laws and regulations by: Monitoring employee adherence to established policies and procedures Reporting and encouraging departmental staff to report suspected violations to the Office of Compliance, Privacy & Internal Audit or the anonymous Compliance Helplines Investigating suspected violations in conjunction with the CCO Initiating appropriate disciplinary action in the event of a confirmed violation Implementing post-audit CAPs Within each department there should be assigned responsibility for updating the compliance standards, the departmental compliance policies and procedures, training and education records, and post-audit work plans as requested by the CCO. The department compliance activities can serve as a resource for the employees of each department to enhance their ability to perform their jobs in compliance with this Program and applicable laws and regulations. 17

23 III TRAINING AND EDUCATION Requirement Rules and regulations relating to delivery of healthcare and the conduct of research are complex. The consequences of failure to comply with these requirements, particularly in the areas of coding and billing of federal healthcare claims and federal research grant claims, can be severe. Sometimes conduct undertaken with good intentions, but with inadequate knowledge, may violate applicable laws and regulations. Training is required by the federal and state governments and considered a necessity at the Medical Center in order to provide Members with the knowledge and skills to carry out their responsibilities in compliance with all requirements. Proper and continuing training and education of Members at all levels is, therefore, a significant element of the Medical Center s Compliance Program. Adherence to and promotion of this Program shall be a factor in evaluating the performance of employees, including supervisory, managerial, and administrative personnel. Content The Office of Compliance, Privacy & Internal Audit strives to ensure that training and education for all Medical Center employees, faculty, contractors, and agents includes the dissemination of written policies and procedures regarding: The Federal False Claims Act The Deficit Reduction Act The New York State False Claims Act Specific statutory and regulatory provisions named in section 1902(a)(68)(A) of the Social Security Act Applicable state civil or criminal laws State and federal whistleblower protections Detecting and preventing fraud, waste, and abuse HIPAA/HITECH Privacy & Security Non-Retaliation State insurance fraud laws and regulations 18

24 Initial Education The CCO strives to ensure that all new employees participate in New Beginnings Orientation where they receive training introducing them to the purpose of compliance, the Compliance Helplines, conflicts of interest, documentation and coding, healthcare fraud and abuse, and HIPAA/HITECH privacy and security. All new employees also receive the Employee Handbook and the Code of Conduct. In combination, they provide the new employee with an introduction to the Compliance Program, giving them a sense of its importance in the Medical Center s culture. The Employee Handbook includes a specific discussion of the laws described in the Medical Center s written policies, the rights of employees to be protected as whistleblowers, and a specific discussion of the Medical Center s policies and procedures for detecting and preventing fraud, waste, and abuse. In addition to the introduction to compliance provided to all new employees during the New Beginnings Orientation program, all new employees are required to complete Code of Conduct and HIPAA/HITECH Awareness training within sixty (60) days of commencing employment. Each new employee is required to read and sign a confidentiality agreement upon completion of HIPAA/HITECH Awareness training acknowledging the requirement to keep Medical Center sensitive information and documents and PHI confidential and secure. The CCO strives to ensure that all employees and selected Members complete basic compliance education. This training, available in a variety of formats, provides education about the Code of Conduct; quality of care and Emergency Medical Treatment and Active Labor Act ( EMTALA ); fraud, waste, and abuse laws; conflicts of interest; the importance of proper documentation, coding, and billing; as well as an overview of HIPAA/HITECH privacy and security. The training also provides detailed information on the complaint reporting process, highlighting non-retaliation and other important policies, and demonstrates the Medical Center s commitment to integrity in its business operations and compliance with applicable laws and regulations. 19

25 On-going Training Periodically, but not less than biennially, employees shall be retrained on the Medical Center s Compliance Program including the fraud, waste, and abuse laws; relevant federal and state law requirements; how to identify and report potential violations of policy or law; and the consequences both to the Medical Center and to individuals for failing to comply with applicable laws and regulations. The purpose of this training is to emphasize the importance of the Compliance Program and the Medical Center s commitment to honesty and integrity in its business dealings. Through the development of a Compliance Course Catalog, Members will be required to take Compliance courses based on their role within the Medical Center. Courses will include billing, coding and documentation for physicians and hospital employees, privacy and security laws and regulations, research compliance, conflicts of interest, federal and state laws and regulations related to fraud, waste, and abuse including the Anti-kickback Statute, STARK Law and regulations, False Claims Act, Civil Monetary Penalty Act and others. Each department director or manager should consult with the Office of Compliance, Privacy & Internal Audit to identify training and education necessary or advisable for any employees of his/her department. By way of example: Patient Access personnel should receive training and education in such areas as HIPAA/HITECH Privacy & Security, EMTALA, obtaining the necessary demographic, insurance, and other information to support proper application of the discharge appeal process, advanced beneficiary notification, Medicare as secondary payor, and the three (3) day rule. Personnel should also receive training on research procedures vs. standard of care considerations and other claim submission requirements. Providers of Patient Care (physicians, nurses, social workers, etc.) should receive training that includes clinical documentation requirements, medical necessity considerations, HIPAA/HITECH Privacy & Security, Physician at Teaching Hospital ( PATH ) rules, discharge in lieu of transfer documentation, EMTALA, and other activities affecting the claim submission process. 20

26 Ancillary department personnel training should focus on their role in compliance with applicable Local Coverage Determinations ( LCDs ), National Coverage Determinations ( NCDs ), bundling/unbundling of services, accuracy of procedure documentation, charge capture, and HIPAA/HITECH Privacy & Security. Hospital Health Information Management and FGP coding personnel training should include correct coding initiatives, risks of upcoding and Diagnosis Related Group ( DRG ) creep, Ambulatory Payment Classification System ( APCs ), PATH requirements, discharge in lieu of transfer considerations, confidentiality of patient information, records retention, present on admission requirements, adverse events, and hospital acquired conditions. Patient Financial Services personnel should receive training that includes many of the subjects identified above, plus additional training regarding specific requirements such as claim composition, credit balance reporting and disposition, billing only for items and services actually rendered, and avoiding duplicate billing. In addition to basic compliance training, research personnel should receive training applicable to the type of research they perform. Such training may include information on animal welfare, human-subjects protections, scientific misconduct, and specific fiscal requirements related to grant funded projects and/or commercially funded clinical trials. This training would include an overview of governing regulations including cost principles, administrative requirements and the audit requirements of receiving federal funds; pre-award institutional processes, including roles and responsibilities, form and content of a proposal, budgeting, and pre-acceptance review of receiving federal funds; post award financial and program management as well as reporting requirements; and Medicare and other third-party coverage rules and avoidance of double billing for clinical research procedures. Financial and other administrative management personnel should receive training in areas including submission of cost reports, disposition of credit balances, charity and bad debt policies and requirements, graduate medical education requirements, and tax-exempt status. 21

27 Other management training should include courses related to prohibited provider relationships such as anti-kickback, self-referral laws, hospital/physician relationships, joint ventures, and antitrust laws. New Managers are provided additional compliance training during the New Beginnings for Managers Program that is offered quarterly by the Medical Center for all newly hired employees at the supervisory/managerial level and for those employees recently promoted to supervisory/managerial positions. Not all Members need to have the identical amount of training and education, nor should the focus of training and educational efforts be the same for all Members. Targeted training and education should be provided to Members whose actions may affect the accuracy of claims submitted to the government. The actual amount of training should reflect necessity, an analysis of risk areas, or areas of concern identified by the Medical Center or the OIG, NYS OMIG, the Medical Center s compliance experience, and the results of periodic audits or monitoring. Additional Training The Office of Compliance, Privacy & Internal Audit may establish the need for additional training if issues are discovered in response to identified problems, as part of a CAP, or if requested by a department to address concerns identified by that department. In this case, the monitoring team, having identified a problem, will alert the education team who will develop and provide specific training for the identified department. As part of the regularly scheduled Risk Assessment process, risk areas will be identified. Training for these risk areas will be specific to the departments and employees involved. On-going Regulatory Training As new federal and state laws and regulations are implemented, the Office of Compliance, Privacy & Internal Audit will develop appropriate training programs and are available to assist departments in interpreting regulations, implementing training, and the development of policies and procedures in response to regulatory requirements. 22

28 Types of Training Training and education may occur in sessions with individual employees, in mandatory inservice meetings, incorporated into special or regular departmental meetings, at leadership meetings throughout the Medical Center or in other effective venues. Training and education may consist of live presentations, videos, question-and-answer sessions, written material, and/or web-based/online sessions. Training includes participation in both in-house or external workshops and seminars. Training Documentation Documentation of training activities including copies of all training materials, sign-in/attendance sheets, and individual certificates of training completion are integral to an effective training and education program. The Office of Compliance, Privacy & Internal Audit shall ensure that all training participants receive credit for having attended all training programs. Training documentation should be retained on file for a minimum of seven (7) years. Failure to Comply With Training Requirements Failure to comply with training requirements or to attend scheduled training sessions of the Medical Center or of each department may result in disciplinary action. Training Program Evaluation There shall be periodic evaluations of training and education programs to determine, and if necessary improve, the value, effectiveness, and appropriateness of any such program. Training course materials shall be reviewed periodically to reflect changes in laws, regulations, and Medical Center policies. 23

29 IV COMMUNICATION Requirement In compliance with federal laws and regulations, OIG Guidances, NYS OMIG laws and regulations, and the U.S. Sentencing Commission Guidelines among others and through a variety of methods, the Office of Compliance, Privacy & Internal Audit shall communicate to Members on Medical Center policies, the Code of Conduct, regulatory guidelines, and/or changes in the law. Communication methods can include one-on-one conversations, broadcast s, mailings to individual members, education sessions, small-and large-group meetings, periodic newsletters, Compliance.Help@nyumc.org an online help and question resource, and an internet website ( NYULMC strives to ensure that open, two-way communication lines to the CCO are accessible to all employees, persons associated with the institution, executives, and governing body members to allow compliance issues to be reported, discussed, and reviewed. This open communication is essential to maintaining an effective Compliance Program. Communication increases the Medical Center s ability to identify and respond to compliance problems and reduces the potential for fraud, waste, and abuse. Without help from employees, it may be difficult to learn of possible compliance issues and make necessary corrections. At any time, Members should be free to request information or education. Members should be able to seek clarification or advice from the Office of Compliance, Privacy & Internal Audit in the event of any confusion or question regarding any element of this Program, any Medical Center policy or procedure related to this Program, billing and documentation rules, and state and federal laws and regulations. Reporting Compliance Concerns Members who are aware of or suspect possible fraud, waste, or abuse, violations of Medical Center policy, or violations of the standards of conduct have a duty to notify the Medical Center 24

30 of such activities, including giving the Medical Center reasonable time to investigate and respond to such allegations. Having knowledge of inappropriate conduct and choosing not to report it is, in itself, a violation of the Code of Conduct. The Medical Center strives to establish and maintain several independent reporting paths for a Member to report fraud, waste, or abuse including: Members who suspect a violation of federal or state laws or regulations or Medical Center policies are expected to notify the Medical Center via their supervisors or other managers in the chain of command (to the extent they are not involved) Individuals who feel that management is not responding (or that management may be involved), may express their concerns to a staff person from the Office of Compliance, Privacy & Internal Audit or anonymously to the Compliance Helplines Individuals who feel that the Office of Compliance, Privacy & Internal Audit, or the Helplines are not responding may address their concern directly with the CCO The Medical Center will investigate all allegations individuals bring forward and will attempt to correct those found to be true and initiate CAPs to prevent future occurrences Individuals who feel that nothing is being done to address their concerns have the right to report their suspicions to the appropriate government agency Helplines The Medical Center contracts with an independent company to operate two (2) 24-hour, 365-day hotlines known as the Compliance Helpline (1-866-NYU-1212) and the HIPAA/HITECH Helpline (1-877-PHI-LOSS). Compliance Helpline Members may use this line anonymously at any time, day or night. The phone number of the Helpline is published in various places throughout the Medical Center and Members are reminded of the number and of their duty to report actual or suspected wrongdoing through training, badge buddies, posters, the intranet, and other methods. Members are encouraged to use the Helpline. This Helpline has been established to give Members of the Medical Center community an opportunity to voice concerns and raise questions about such issues as Code of 25

31 Conduct violations, billing and coding problems, conflicts of interest, financial reporting, retaliation, documentation, kickbacks, and research-related issues among other issues. HIPAA/HITECH Helpline The HIPAA/HITECH Helpline has been established for Members of the Medical Center community to report potential breaches of PHI. Members are required to report issues such as finding unsecured patient information, losing or misplacing patient information, accidently releasing patient information to someone who should not have it, having a laptop, portable data assistant ( PDA ), or portable media device lost or stolen, or sending a fax or containing patient information to the wrong number or address or sending or receiving a fax not meant for them. Members may also call the hotline of the Office of Inspector General of the Department of Health and Human Services ( DHHS ) at HHS-TIPS ( ) or the New York State Office of the Medicaid Inspector General at Feedback The Office of Compliance, Privacy & Internal Audit strives to provide appropriate feedback regarding resolution of reported issues. Such feedback may include reports through the anonymous Helpline system, confidential meetings, and a variety of confidential communications. Confidentiality The CCO will strive to treat all reports confidentially, to the extent possible under applicable law. However, there may be a time when an individual s identity may become known or have to be revealed if governmental authorities become involved or in response to a subpoena or other legal proceedings. Non-Retaliation The Office of Compliance, Privacy & Internal Audit strives to ensure that there will be no intimidation of or retaliation against any employee who in good faith reports acts or suspected 26

32 acts of fraud, waste, or abuse; violations or suspected violations of the standards of conduct; violations or suspected violations of Medical Center policy; or other wrongdoing or misconduct. However, an employee who makes an intentionally false report or a report not in good faith may be subject to disciplinary action. Documentation The CCO will maintain a record of reports received, detailing violations of this Program, the standards of conduct, or relevant laws or regulations. The CCO will periodically furnish a summary of such reports to the CEO/Dean, the Compliance Committees, and the A & C Committee. Annual Compliance Report The Office of Compliance, Privacy & Internal Audit will annually compile a report summarizing all of the activities, training, investigations, Helpline issues, audits, and other compliance activities undertaken during the prior year. This report will be distributed to the A & C Committee, the Compliance Committees, members of senior leadership, and posted on the Compliance website. The Annual Compliance Report will serve as a communications tool informing the Members of the Medical Center of the various compliance activities undertaken. 27