Compliance for Beginners: What Every Healthcare Worker Needs to Know About Compliance Activities

Transcription

1 Compliance for Beginners: What Every Healthcare Worker Needs to Know About Compliance Activities

2 What is Corporate Compliance? Corporate compliance refers to a program designed to ensure an organization s compliance with federal, state, and local laws regulations and billing regulations as well as organizational policies and ethical standards. Includes Medicare, Medicaid, Blue Cross and Commercial Insurance Companies. 2

3 Why should I care about corporate compliance? Our compliance program carries the following benefits: Creates a culture that promotes doing the right thing and increases sensitivity to ethics Provides a way for employees to report potential problems Formalizes education concerning regulatory risk areas Prevents errors before they occur Leads to enhanced communication between administrators and clinicians Limits the amount our organization will pay in a potential settlement regarding a billing or coding error 3

4 Enforcement overview Who is policing corporate compliance and what are they looking for? Department of Health and Human Services Office of Inspector General (OIG) Internal Revenue Service Centers for Medicare & Medicaid Services U.S. Department of Justice Federal Bureau of Investigation State Medicaid Fraud Units Office of Civil Rights 4

5 Ingredients for a Successful Compliance Program Support from top management Clearly-identified responsibilities and expected behavior Education for all workforce members (employees, volunteers and physicians) An environment where all employees feel safe in reporting suspected violations Fair and consistent administration of disciplinary action for failure to follow policies and procedures 5

6 7 Elements of a Compliance Program According to the Office of Inspector General (OIG) 1. Written Standards 2. Education and Training 3. Designation of a Compliance Officer 4. Effective Communication 5. Discipline and Enforcement 6. Auditing and Monitoring 7. Response and Prevention 6

7 Written Standards Policies and Procedures CC Corporate Director of Compliance Duties and Responsibilities CC Corporate Compliance Committee Duties and Responsibilities CC Compliance Office Reporting Procedures CC Responding to Government Official Visits - Search Warrants and Subpoenas CC Auditing and Monitoring CC Technology Resources CC Nonmonetary Compensation for Referral Sources CC Audit/Investigation Response, Follow-Up, and Resolution Policy CC Conflict of Interest Disclosures and Business Integrity CC Record Retention and Destruction Policy and Retention Schedule CC Prevention Fraud-Abuse-FCA CC Non Retaliation CC Disclosure of Misconduct CC Identity Theft Prevention Policy CC MHC Standards of Conduct CC User Access Termination Policy CC Use Policy CC EMTALA CC HIPAA Uses and Disclosures of PHI-General CC HIPAA PHI Disclosures Not Requiring Authorizations CC HIPAA OHCA Board Resolution CC HIPAA Notice of Privacy Practices CC HIPAA Administrative Policy CC HIPAA Business Associate CC HIPAA Limited-Deidentified Data Sets CC HIPAA Patient Rights 7

8 Standards of Conduct Purpose So all MHC Board members, employees, physicians, volunteers, contractors follow the same guidelines Governing board support Leadership must support and lead by example Standards are the public sign of our compliance to legal and ethical behavior 8

9 Standards of Conduct A Commitment to Providing Patient Care Document all care and services given If it s not documented, it s not done Effective communication using plain language, making eye contact, using proper phone etiquette, smiling and greeting patients and family members, environmental awareness Goal is to exceed the expectations of patients, patient family members, and co-workers ties in with McLaren Excellence initiatives. 9

10 Standards of Conduct A Commitment to Our Community You are identified with McLaren Bay Region when in public 10

11 Standards of Conduct A Commitment to Ongoing Monitoring Every department is asked to perform a periodic risk assessment to determine whether there is any potential for fraud or abuse, any violation of hospital policy, or any violation of state or federal laws and regulations. Any potential risk areas identified are analyzed, necessary changes are made and monitoring is performed to assure the risk has been removed. Monitoring activities are reported to the Compliance Officer. 11

12 Standards of Conduct A Commitment to Environmental Health and Safety Follow all governing rules and regulations, i.e. OSHA, FDA, CDC, etc. Wear appropriately-displayed name badge at all times and be familiar with others that work in your area Report suspicious persons or situations immediately Appropriately respond to difficult situations by remaining calm, listening, and attempting to diffuse verbally hostile situations. Call for help if needed. 12

13 Standards of Conduct A Commitment to Proper Employment Practices McLaren takes reasonable precautions to ensure the work environment is free of discrimination or harassment Employees may not solicit or accept anything of monetary value, including a loan, reward, gift or property, from a patient or a patient s family, visitor, contractor, vendor, supplier or competitor. Employees may not use their employment, or any information received through McLaren, to obtain financial gain (direct or indirect) for themselves, a member of their family or a business with which they or a member of their family, is associated. 13

14 Standards of Conduct A Commitment to Ethical Business Conduct Outside employment or business activities must be limited to off-work time Report any situation that may be considered a conflict of interest 14

15 Standards of Conduct A Commitment to Assets and Financial Transactions Honest, accurate, and complete reporting of financial transactions Appropriately representing productivity Accurately recording travel expenses and mileage Securing money, equipment, or supplies from theft 15

16 Standards of Conduct A Commitment to Accurate Coding and Billing Transactions Providing and billing only for services that are reasonable and necessary and are supported by medical record documentation Waiving of co-pays or deductibles only in accordance with policy and procedure Attempting to collect outstanding balances from a Medicare or Medicaid patients only when Advance Beneficiary Notices were provided prior to service Prevention of duplicate billing Ensuring coding accuracy through periodic audits and ongoing education 16

17 Standards of Conduct A Commitment to Confidentiality and Electronic Security Patients have rights: to confidential communication of PHI to receive a notice of uses/disclosures of their PHI when they request it to access or receive a copy of their medical records to request a restriction to how their PHI is used to request changes (amendments) to their medical record to receive a listing, or accounting of disclosures, if requested The same safeguards used to protect confidential patient information should be used to protect our business and financial information. 17

18 Standards of Conduct A Commitment to Laws and Regulations Anti-Kickback Stark Laws (Physician Self-Referral Law) Federal False Claims Act State False Claims Act EMTALA (Emergency Medical Treatment and Active Labor Act) 18

19 2. Education and Training Key component to a successful program is educating all workforce members Must educate all workforce members on current compliance trends and information and expected behaviors All employees MUST receive a minimum of one hour compliance education each year. High risk employees (billers, coders, registrars) are required to receive a minimum of 3 hours of compliance education each year 19

20 3. Designate a Compliance Officer High-level official with direct access to the governing body, the CEO, all other senior management and legal counsel. Has the appropriate authority to oversee and facilitate the compliance program and all compliance activities The Compliance Officer is Heather McAllister. 20

21 Department Compliance Representatives Appointed by the department director Conducts compliance education for employees of their department Responsible for completion of department monitors Works with compliance officer to resolve complaints or concerns 21

22 Workforce Members Includes all employees, volunteers and physicians Attend all compliance training programs Read all material distributed by your Compliance Representative Report any real or suspected violations to your Supervisor, to the Compliance Representative or to the Compliance Officer 22

23 4. Effective Communication Reporting Investigating Compliance Hotline Non-retaliation Education 23

24 5. Discipline and Enforcement Fair, equitable, and consistent Obligation to report Sanctions for non-compliance 24

25 6. Auditing and Monitoring An important component of the compliance program is the use of audits and/or other evaluation techniques to monitor compliance and assist in the reduction of identified problem areas. Internal audits External audits Surveys Risk assessments for proactive identification of potential problem areas 25

26 7. Response and Prevention Evaluate, analyze, address, educate Employment practices Sanction screening Conflict of Interest Survey Compliance Surveys Risk Assessments resulting in action plans developed to address identified risk areas 26

27 Reporting Violations Open communication helps your organization respond to compliance problems. If you see something that you feel violates the law or hospital policy: Report the issue to your Supervisor, to your Compliance Representative, or to your Compliance Officer, Heather McAllister They already got themselves in trouble. You are just doing what we have asked you to do. 27

28 Compliance Hotline Most organizations have an established, confidential compliance reporting line to report any and all suspected violations. The following are some examples of when you might use this reporting mechanism: When you suspect than any employee, physician, or vendor is engaged in wrongdoing When you suspect that your supervisor is committing or ignoring wrongdoing When you notice suspected wrongdoing outside of your supervisor s scope of authority When you are more comfortable remaining anonymous 28

29 Compliance Hotline MBR Compliance Officer (989) MBR Hot Line (989) If you should report a problem, know that your organization and the law prohibit retaliation. You can leave an anonymous message on the hotline, but remember to leave enough information for us to deal with the issue. 29

30 Questions? 30

31 Privacy for Beginners: What Every Healthcare Worker Needs to Know About HIPAA and Privacy

32 What is HIPAA? Health Insurance Portability and Accountability Act (HIPAA) is broad federal legislation that includes rules to protect the privacy and confidentiality of patient information. Does not replace existing confidentiality laws Establishes a minimum requirement 32

33 Protected Health Information (PHI) HIPAA regulates the use and disclosure of what is known as Protected Health Information or PHI. PHI is any information that can be used to identify the past, present, or future healthcare of an individual or the payment for that care. 33

34 PHI This is virtually all information about a patient, whether on paper, saved on a computer, or spoken aloud. This includes their: Name Address Age Social Security number Other personal information License plate numbers Fax machine numbers 34

35 HIPAA confidentiality HIPAA rules also protect the following: The reason the patient is sick or in the hospital The treatments and medication he or she receives Caregivers notes Information about past health conditions 35

36 Use of PHI A healthcare provider can access and use PHI without specific patient authorization if it is to be used for treatment, payment, or healthcare operations (TPO). Before looking at a patient s health information, ask yourself, Do I need to see/know this to do my job? 36

37 Use of PHI A healthcare provider can disclose PHI without patient authorization: Required by law Public Health Activities Law Enforcement Other national priorities - funeral directors, organ donation, research, prevent a disaster, special government functions, worker s compensation 37

38 Use of PHI Minimum Necessary Standard - Always use or disclose only the minimum amount of information necessary to honor the request. If you are not sure whether you should disclose any form of PHI, ASK your Supervisor, your Compliance Representative or the call the Compliance Officer. Once the disclosure is made it s too late to get it back. If you disclose information in error, report it immediately to your Supervisor, to your Compliance Representative or to the Compliance Officer. 38

39 Security for Beginners: What Every Healthcare Worker Needs to Know About HIPAA Security

40 Use of electronic Protected Health Information (ephi) HIPAA security rules apply only to ephi stored, maintained or transmitted in an electronic format ephi is the same information as PHI; anything that could identify the patient, their medical condition or method of payment Security rules require additional compliance 40

41 Use of ephi Appropriately use computers and other technology. Workforce members cannot use their computers or access to review personal or family PHI. If you use a laptop or other portable device, or removable storage media, it is your responsibility to: Obtain approval before transferring ephi to a portable device. Protect ALL ephi from theft both electronic and physical. Assure ephi is encrypted. 41

42 Use ephi Monitor the use of cell phones. Information and images (ephi) sent over the Internet are not encrypted. Do not send unencrypted ephi outside of our e- mail system. Use and Internet access appropriately Workforce members should remember that s sent to or from MBR computers are not considered private. MBR can and does audit and Internet usage. 42

43 Use of ephi Password control is key. Log off an application or computer when you are finished. You are your password. Protect it! Never share it! If you believe your password has been compromised, call the service desk immediately. Tell them your concern and ask for a new password. 43

44 What Does HIPAA Mean To Me? Our patients have a right to expect we will keep their information confidential. This information includes anything that could identify or be used to find out the identity of the patient or their medical condition. As employees, volunteers and physicians, we come in contact with many forms of patient information, including a patient census list. We need to understand what are acceptable uses of this information. Always discard paper containing patient information in a shredding bin. Never throw it in a regular trash receptacle. Follow the need to know rule. Ask yourself, Do I need to see patient information to perform my job?. If the answer is yes, you have nothing to worry about. If the answer is no, STOP. 44

45 What Does This All Mean To Me? The cafeteria, elevator or any of the social media sites are not the place to discuss the medical condition or other aspects of a patient s care. Information you have access to must not be the subject of conversation with family, friends or neighbors. Most disclosures of PHI do not need an authorization by the patient. PHI can be disclosed without an authorization for reasons of TPO and any of the 12 permitted uses under the Privacy Rules. Any other disclosure requires an authorization by the patient. The minimum necessary standard needs to be applied to all disclosures except for treatment purposes, disclosures to the patient or as required by law. 45

46 What Does This All Mean To Me? Never send ephi to anyone unless you have verified who will receive the information and how the information will be used. If it doesn t seem right to you, it probably isn t. Protect yourself and the hospital by verifying the information. Use the callback method. This gives you a few minutes to think about the validity of the request and to verify that the caller and location you are sending the information to is indeed correct. Use and internet services in the proper manner. 46

47 What Does This All Mean To Me? Violations can also result in personal civil penalties of up to $25,000 per person and criminal penalties of up to $250,000 and/or 10 years in prison. Violations of confidentiality and privacy policies can result in disciplinary action up to and including discharge. If you know of any violation of our existing confidentiality policies or the Privacy Policy, it is your obligation to bring the violation to the attention of your supervisor, compliance representative, Privacy Officer or Compliance Officer. Treat patient information as you would your own! Compliance is the responsibility of every employee! 47

48 Questions? 48

49 Questions? Heather McAllister, Compliance Officer Direct Line (989) Hot Line (989)