GENERAL INTEGRITY, COMPLIANCE, PRIVACY AND SECURITY EDUCATION. For staff of Providence Clinical Service Joint Ventures

Transcription

1 GENERAL INTEGRITY, COMPLIANCE, PRIVACY AND SECURITY EDUCATION For staff of Providence Clinical Service Joint Ventures

2

3 INTEGRITY AND COMPLIANCE Section 1

4 The services provided are governed by a variety of federal and state laws and regulations that aim to prevent fraud (being dishonest in order to be paid money or to get other benefits), waste (using health care resources when they are not necessary) and abuse (adopting bad business practices that result in being paid undue money). Violations of fraud, waste and abuse laws and regulations can be prosecuted criminally and/or enforced civilly.

5 The FCA covers fraudulent claims paid by a government program such as Medicare or Medicaid. Submitting a claim for payment that contains false or fraudulent information could trigger the FCA. Our organization should only bill for services that were provided and documented in the medical record. To avoid violating the FCA, you should not: Change a diagnosis for the purpose of getting a claim reimbursed without supporting documentation, Falsify statements in the medical record to receive payment, or Bill for services not provided. FCA Key Points Documentation must be clear and legible Documentation must be present in the medical record Documentation must identify who requested and provided the services performed Documentation must support all services billed, including laboratory tests, medications and therapy sessions

6 The AKS prohibits giving or receiving anything of value in exchange for or to induce patient referrals for services or items payable by Medicare or Medicaid, unless an exception (known as Safe Harbor ) is met. The AKS is a federal statute that applies to physicians, facilities and others who are in a position to make or influence referrals and covers activities such as: Discounts or Rebates Kickbacks Bribes Examples of AKS Violations Payments to physicians or facilities for referrals Reimbursing the cost of a physician s travel and expenses for a conference in exchange for referrals Use of free or significantly discounted office space or equipment in exchange for referrals

7 The Stark Law prohibits physicians from making referrals for specific types of services (called designated health services ) to entities with which the physician or his/her immediate family has a financial interest such as an ownership or compensation arrangement. Under the law, referrals are prohibited unless an exception is met; the intent of the parties is irrelevant. Designated Health Services Laboratory Physical, speech & occupational therapy Radiology & imaging Radiation therapy & supplies Durable medical equipment & supplies Prosthetics/devices Orthotics & supplies Home health services & supplies Outpatient prescription drugs Outpatient/inpatient hospital services

8 Conflicts of Interest (COI) occur when personal interests or activities influence or appear to influence a caregiver s actions and decisions. They also occur when we allow another interest to be more important to our decisions than the interests of our organization and those who provide services on behalf of our organization. As caregivers, we should avoid activities and relationships that may impair our independent judgment and unbiased decision-making. Recuse yourself from all decisions in which you have a COI. We do not use our position for personal gain or advantage, or to assist others, including family members, from profiting in any way at the expense of our organization. A COI happens when the impartiality of our organization caregiver is called into question because of the person s actions. These actions can include accepting gifts from patients or their family members, vendors and others; and having a close relationship with someone in a position to influence your behavior at work. CONFLICTS OF INTEREST COI

9 Caregivers should keep relationships with patients and their family members, vendors, non-employed physicians and their offices and other third parties impartial, and avoid accepting gifts or other items of value. Accepting gifts and offers of entertainment creates a risk that our judgment and decisions can be influenced. In some cases, acceptance of gifts and entertainment may be considered a violation of federal and/or state laws. Any gift, regardless or value, may not be accepted if the circumstances surrounding the giving and receipt of the gift indicate the intent to influence your behavior or decision making. GIFTS AND ENTERTAINMENT G&E

10 DISRUPTIVE BEHAVIOR Disruptive behavior is a style of interaction. It can involve staff, physicians, patients, family members and others. Disruptive behavior could interfere with patient care and our operations. We do not tolerate disruptive behavior. Our behavior should always be appropriate and promote a positive workplace environment. Examples of such behaviors include, but are not limited to: Treat everyone in a respectful manner Speak in a respectful tone Handle conflicts or disagreements in an appropriate manner and setting Provide constructive feedback

11 EFFECTIVE COMMUNICATION IS IMPORTANT Healthcare organizations are required to provide effective means of communication for patients, family members or companions and visitors wherever and whenever they are interacting with caregivers. It is the law: Americans with Disabilities Act (ADA), Title VI, Section 504 of the Rehabilitation Act of 1973: 45 CFE Part 84 It is a regulatory requirement; CMS, TJC, DNV

12 WHAT SHOULD YOU DO? Assess each patient s communication needs: At first contact When setting up an appointment Ask each patient: Do you or your family member or other companion have any hearing, vision or language communication needs? What help do you or your companion need to communicate? Ensure each patient, family member or other companion knows about and how to access services.

13 All services, assistive devices & interpretation are provided to patients and/or family members or other companions free of charge. Some examples of services are: Exchanging written notes or using a computer key board & screen to type our brief and simple conversations Helping a person with vision loss fill out paperwork, reading the patient materials out loud to the person, or taking notes for the person Providing written, large print, braille or tape recorded information Using Sign Language or oral interpreter for patients/visitors with sensory loss (deaf, deaf-blind, hard of hearing) Using Communication Boards or use of materials with graphics Using auxiliary/assistive devices for the patient/companion/visitor, such as TTYs, video remote interpreting services or telephone handset amplifiers. Always ask each person their preferred method of communication and make every effort to accommodate their request. Document in the patients chart the expressed preference and the accommodation provided to the patient, family member or other companion.

14 To comply with important regulatory and legal requirements, our organizations expects caregivers to prepare and maintain accurate records. Records include financial records, claims for payment, patient records, caregiver records, student records, and expense records. Caregivers are prohibited from altering and destroying records or information that can be relevant to a government investigation. Our organization is committed to an effective records management system that preserves records essential to documenting the business transactions and legal obligations of our organization. RECORDS Accuracy and Retention

15 Federal law protects caregivers from retaliation even if the claim turns out to be unfounded, as long as it was made in good faith. Retaliation is any negative action that adversely impacts a caregiver because of the caregiver s good faith report of concerns about misconduct or for assisting in the investigation of a concern. NON RETALIATION Reporting a Concern

16 If contacted by a government investigator, you should respond appropriately to the request and use caution to ensure you do not interfere with a government inquiry. If you are contacted for information, you should take the following actions: 1) Identify and document the investigator s information: I. In person contact- Request to view identification and note the name, title, and office location of the investigator II. Other contact All the above and return phone number of the caller 2) Contact your supervisor immediately. You are not required to follow this procedure before participating in a government investigation concerning the terms and conditions of your employment consistent with state and federal laws. If you are asked to participate in a government interview, you are free to do so, but are not required to without a subpoena. If you choose to grant an interview, you should be aware that what you say could be used against you, even if you have not been provided your Miranda warnings. If you would like to grant the interview but would like to have legal counsel present, contact your supervisor for assistance. GOVERNMENT INVESTIGATORS Use Caution **Our organization is committed to investigating all alleged violations of laws, policies, standards or procedures. Any corrective action will be based on the facts and circumstances of the violation. Violations may result in disciplinary action up to and including termination of employment and could result in fines, civil and/or criminal penalties.

17 PRIVACY AND SECURITY Section 2

18 PRIVACY VS INFORMATION SECURITY To get started, we must first understand the difference between privacy and information security. Keeping a patient record confidential? Limiting access to human resource records? Think Privacy. Privacy restricts the use and disclosure of confidential patient, client, caregiver and business information with which we work each day. Traveling with a laptop? Worried about a phishing ? Think Information Security. Security practices and technology protect confidential information and keep our computer system secure.

19 Privacy and security requirements must be enforced for Protected Health Information (PHI), Personally Identifiable Information (PII), and Confidential Information (CI), which include internal documents, patient medical records or data which, if lost or stolen, could compromise the privacy of our patients and caregivers, or seriously damage our business or our reputation. Protecting this information through strong privacy and security practices is everyone s responsibility. PHI: Any information, including demographic information, that is created or received by the covered entity and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes information concerning persons living or deceased (less than 50 years) and may be written, oral or electronic. PII: Information that uniquely identifies an individual (e.g., name plus one of the following: social security number, driver s license or ID card number, date of birth, financial information such as credit card number). Most states have laws requiring that individuals be notified in certain circumstances if their PII has been compromised. CI: Any information, regardless of format, about patients, caregivers, students, residents, or business operations that the organization deems should not be available without specific authorization. Loss or inappropriate access to this kind of data could harm patients and the organization s ability to do business. Confidential information includes but is not limited to PHI, ephi, PII, card holder data (PCI), caregiver information, and financial information.

20 UNAUTHORIZED ACCESS No one has a right to access or use patient information for reasons other than the performance of his or her duties. This protects the privacy of the patient. Remember to access and use only the information you need to do your job. Do not look up your spouse s, children s or family members medical records Do not look up medical records of a fellow employee Do not look up the records of a celebrity or VIP Do not share information about patient care with anyone who doesn t have a need to know

21 PRACTICES THAT PROTECT INFORMATION To protect information, all of the organization s caregivers have a responsibility to keep computers, network systems, laptops and other mobile devices secure. Here is a list of actions you can take to secure such information: Protect your unique IDs and passwords Use only your own ID and password to access systems Use different passwords for work and personal accounts Access only the minimum necessary to perform your job duties Lock your screen or close your application when you are away from your workstation Do not open any links or attachments in s from people you do not know

22 When traveling, there are additional steps you should take to protect information on mobile devices: Keep any mobile device in a secure location when it is not in use (e.g., behind locked doors and drawers) or keep it in your possession Do not leave mobile devices or confidential information in an unattended vehicle without taking additional security measures Turn your laptop off if you must travel between sites to ensure any encryption is enabled Rather than bringing confidential information off-site, if possible use a secure remote connection to access your work. Refer to local policies for more information. PRACTICES THAT PROTECT INFORMATION Traveling

23 CI, Confidential Information, (including Protected Health Information and Personally Identifiable Information) can only be transmitted via text in an emergency. Prior to texting CI you must first attempt to relay the information over the telephone. If no other option exists the following guidelines must be followed when texting: Only provide the minimum amount of information needed to convey the message. Never text financial information. Direct messages only to individuals authorized to view the data. Update addresses in your device regularly to ensure messages are received by those intended. Do not store confidential information on the device. Messages should not be stored on the device and must be promptly deleted from the in-box and the deleted items. Do not use the auto forwarding feature. Texting is NOT encrypted! TEXTING AND PATIENT PRIVACY CI, PHI, PII

24 PHOTOGRAPHY Photos may be required as part of a medical record. If the photograph is necessary as part of the medical record or for treatment of the patient follow all approved processes. Approved processes should also be followed to securely transmit and store the photo within the medical record. If the picture is being taken where other patient s are present, take care not to include any other patient in the phone that is not intended to be in the photo.

25 SOCIAL MEDIA Social media use should be approached in ways that are compliant with laws and regulations. As a caregiver, you cannot share patient confidential, or proprietary information, photographs or videos about Providence on personal sites. This restriction does not apply to pictures or videos of Providence s name, logo or premises taken while engaged in concerted activities.

26 Unfortunately, cybercriminals use social media to trick people into performing actions or sharing confidential information (CI) they would not ordinarily share. You should always be cautious about whom you befriend via social media and limit any personal information you share. Rule #1 is NEVER provide CI or information about the organization s patients or caregivers in any social media environments. You can avoid the traps created by cybercriminals by adhering to the following tips: If something sounds too good to be true, assume that it is not true Do not automatically trust a message or post on a social networking site just because it looks authentic or professional Be suspicious of links provided within social media sites and be sure to check the URL in the address bar to ensure the link goes to the legitimate location Be careful when accepting friend requests and consider an off-line verification process (e.g., follow-up phone call)

27 To protect the privacy of the people we serve, never send CI unencrypted. When CI is sent to an address outside the network, send the using the approved encryption process. CI leaks from our system when: You transmit information to be posted to 3 rd party applications such as Evernote, icloud, Google Docs, etc.; You automatically forward messages to non-organization accounts; and You send CI or sensitive business information to your personal accounts. SENDING INFORMATION SECURELY Confidential Information (CI)

28 In 2014 the number of phishing attacks increased dramatically. Phishing is an attack that allows cybercriminals to access a private computer network. Through phishing cybercriminals can overcome these protections by gaining the cooperation of people to share their credentials. Once they have these credentials, they get inside our network. Phishing attacks are plentiful because they are easy for criminals to execute and the payoff can be substantial. your mailbox is almost full Phishing can often look legitimate, which increases the chances of a caregiver responding to it. When a caregiver clicks on the link it takes them to a fraudulent website, where malicious software harvests their information (e.g., username, password and credentials used to log on to the network). Do not open attachments or click on any links provided in a suspicious . Our organization will never ask for your user I.D. or password via . If you receive a suspicious in your account, delete it. PHISHING ATTACKS

29 HIPAA/HITECH FINAL RULES In 2013 the Department of Health and Human Services (HHS) released final rules which amend provisions of the Health Insurance Portability and Accountability Act (HIPAA). The new rules require covered entities to notify affected patients and the Office for Civil Rights (OCR) of breaches of protected health information (PHI). The final rules define breach as an unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information. PLUS

30 BREACH REPORTING For HIPAA covered entities, an impermissible acquisition, access, use, or disclosure of PHI is now presumed to be a reportable breach unless you can demonstrate that there is a low probability that the PHI has been compromised. To demonstrate a low probability that PHI was compromised, a risk assessment must be performed by the covered entity s Privacy Officer. A breach is treated as discovered by the covered entity on the first day the breach is known to the covered entity, or by exercising reasonable due diligence, should have been known to the covered entity. It is important to remember that breach discovery is not related to when management or compliance becomes aware. In the event of a breach, our organization has the burden of proof to demonstrate that an unauthorized disclosure is not a breach. This means that if no action is taken to show that an unauthorized disclosure is not a breach, then the covered entity must notify the patient and OCR.

31 With the changes to the definition of breach, it is more important than ever for caregivers to follow the Minimum Necessary Requirement when using or disclosing PHI. The Minimum Necessary Requirement means only accessing or disclosing PHI needed to do your job. Caregivers should ask themselves these questions to determine if access is needed: Do I need to access this information for a work-related task I am assigned to do? What is the minimum amount of information I need to get the job done?

32 YOU HAVE COMPLETED THE ICPS POWER POINT EDUCATION The End

33