Corporate Compliance and HIPAA Security for New Hires

Transcription

1 Corporate Compliance and HIPAA Security for New Hires

2 GOALS OF SESSION Review Northside s Compliance Program and Code of Conduct Emphasize the importance of Northside s Compliance Program Review the role of the Compliance Department

3 Goals of Session Help you to Understand: The standards described in the Compliance Program The application of those standards to you Your role in compliance The importance of complying with the Compliance Program The Compliance Department s commitment to helping you understand the Compliance Program and answering your compliance related questions

4 NORTHSIDE S COMPLIANCE PROGRAM Northside remains committed to compliance and strives to conduct its operations in compliance with applicable laws and regulations. Northside s comprehensive Compliance Program assists the organization in those efforts.

5 Who must comply with the Compliance Program? Everyone!!! Employees Management Administration Board members Medical staff Contractors and vendors Volunteers

6 Elements of Northside s Compliance Program 1. Compliance Committee and Chief Compliance Officer 2. Written Policies and Procedures 3. Compliance Training and Education 4. Open Lines of Communication 5. Compliance Monitoring and Auditing 6. Corrective Action Process

7 No. 1 Compliance Committee and Chief Compliance Officer Northside s Chief Compliance Officer Jorge Hernandez Northside s Compliance Committee: Jorge Hernandez, Chair (Vice President of Administrative Services and Chief Compliance Officer) Catherine Butler (Director, Legal Services) David Converse (Director, Information Systems) Bridget Green (Director, Human Resources) Debbie Mitcham (Vice President of Finance and Chief Financial Officer) Robert Skip Putnam (Vice President of Administration and Northside Forsyth CEO) Susan Sommers (Vice President, Legal, Risk Management and Ancillary Services)

8 No. 2 Written Policies and Procedures Compliance Manual Contains Northside s Code of Conduct Compliance Program Policies and Procedures Available on Lucidoc All employees are responsible for being familiar with and complying with the Code of Conduct and these Policies and Procedures

9 CODE OF CONDUCT Northside s Code of Conduct is a summary of the most important ethical and legal standards that guide our behavior. Please Read Code Now Please click the link below to read Northside s Code of Conduct (opens in new window) This step is mandatory and will take minutes to review Code of Conduct If you would like to print a copy of the Code of Conduct for further review click on the print icon when the file is opened.

10 PATIENT CARE IS PARAMOUNT Northside s No. 1 priority is to provide the highest level of care to our patients and our community while maintaining the highest level of integrity. We pledge compassionate support, personal guidance and uncompromising standards to our patients in their journeys toward health of body and mind. We provide care without discrimination based on gender, race, color, age, religion, national origin, sexual orientation or disability.

11 LEGAL AND REGULATORY COMPLIANCE We know our legal and ethical obligations and we create policies to help us comply with these responsibilities. We work throughout the Northside system to understand how ethical, moral and legal standards apply to our operations. We require you to understand the basic legal obligations that pertain to your job function or the services that you provide to Northside.

12 Relationships with Other Providers Northside monitors its business dealings to structure relationships with physicians and other healthcare providers consistent with relevant federal and state laws in furtherance of Northside s mission. Northside trains appropriate personnel on the restrictions governing the manner in which Northside transacts business and its relationships with physicians and other healthcare providers.

13 Avoidance of Conflicts of Interest Northside understands that any private activities or interests that influence (or could appear to influence) an individual s ability to objectively perform his or her work must be avoided. Northside employees and agents should disclose to their supervisor, the Chief Compliance Officer or the Legal Services Department any situation that could be a conflict of interest with Northside as well as any financial interest or other position with a Northside vendor, supplier, competitor or other business relation that could create a conflict of interest with Northside.

14 Government Contractors Northside is committed to conducting business with all Government agencies Federal, State, local and foreign. Northside has developed a Code of Business Conduct and Ethics for Government Contracts Click here to view the document Specialized training will be provided to employees and contractors who will be working on and supervising those who work on a Government contract or subcontract. Employees who are not working directly on a Government contract should take special note of the sections concerning employment of former government employees, restrictions on gifts and gratuities, and the procurement integrity policy.

15 Strong Relationship with Payors Northside strives to accurately bill all payors, including public and commercial insurance payors. Northside monitors its practices to prevent inaccurate claim submissions and to promote accurate cost report practices.

16 Lobbying and Political Activity Northside refrains from lobbying and engaging in political activity that may jeopardize its federal and state tax exempt status. Northside resources and funds shall not be used to contribute to political campaigns or in furtherance of political activity. Officers and employees may personally participate in or contribute to political organizations or campaigns but must do so as individuals, and not as representatives of Northside.

17 Gifts of Cash or Cash Equivalents Northside employees are not permitted to accept or solicit, or to pay or provide, gifts of cash (or cash equivalents) based on the individual s position or association with Northside or related to any Government contract or subcontract, or the prospect of such contract.

18 Ineligible Persons Northside has mechanisms in place to detect and prevent the employment or engagement of any individual or entity excluded or discharged from participation in Federal healthcare programs. Prospective and current employees and contractors shall disclose any debarment, exclusion or other suspension from participation in Federal healthcare programs or any conviction of a criminal offense related to the provision of healthcare items or services.

19 Responding to Government Investigations In the unlikely event a government investigation is conducted: Immediately notify the Chief Compliance Officer or the Legal Services Department. Do not attempt to interfere with the government s investigation. Do not destroy, delete, hide, alter, or otherwise dispose of any documents, e- mails, or other information relating to the subject of the investigation. Any attempt to hide or destroy documents sought in an investigation is a serious violation of law and Northside s Compliance Program. Do not discuss the investigation or the events under investigation except at the direction of the Chief Compliance Officer or Legal Services Department.

20 Responding to Government Investigations (cont.) If a government agent or investigator contacts you or requests an interview (either at Northside or your home), you should immediately notify the Chief Compliance Officer or the Legal Services Department. You should also contact your own personal counsel (if you have counsel), before answering any questions or submitting to an interview. Always keep in mind, however, that you have no obligation to consent to an interview. You should obtain the following information from the investigators: the name, agency affiliation, business telephone number, and business address of all investigators, and the reason for the visit.

21 Confidential Information Northside has developed systems to maintain the integrity and privacy of documents, records, images and other information. Northside employees are required to safeguard and not disseminate all such information. If you are unsure of the protections that apply to a document or record, please ask your supervisor or the Chief Compliance Officer. Northside also maintains policies that apply specifically to financial information and patient information. Northside also maintains policies that apply to third party information that Northside has obtained under an obligations of confidentiality and Government contractor bid and proposal and government source selection information.

22 Safeguarding Patient Information Northside is committed to maintaining the integrity and security of patient health information and has developed policies and procedures governing the use and disclosure of this information. Northside strongly encourages you to report any issues or concerns you have about the security or integrity of patient information. If you observe or suspect any inappropriate or suspicious activity, it is your responsibility to report it to your supervisor, the Privacy Officer , the Security Officer or the HIPAA Hotline

23 HIPAA Federal and state laws contain privacy and security rules that govern the use and disclosure of patient health information. For example, a federal law, the Health Insurance Portability and Accountability Act ( HIPAA ), has standards to protect the use and disclosure of protected health information ( PHI ).

24 What is PHI? PHI consists of patient identifiable information delivered via paper, verbal communications or electronic means. Examples include: Patient name Date of birth Medical record # Address SS# address PHI may be shared among caregivers for the purposes of: Treatment, Payment or Healthcare Operations ( TPO ). Healthcare Operations include: QA/QI, Utilization Review, Disease Management, Credentialing, Auditing, etc. Requests for uses or disclosure of PHI for non-tpo purposes should be submitted to the Privacy Officer,

25 Using PHI Use or disclosure of PHI should be on a need to know basis. Access to a system does not imply that it is appropriate to search any patient information at will. In other words, never look at patient information unless it is necessary to do your job. Only use the absolute minimum necessary patient information. Employees must read and sign a Confidentiality of Information & Computer Access Code Agreement, which explains your responsibility to keep information confidential and secure.

26 PHI Security Do not leave any PHI data displayed on your monitor or unprotected at your workstation when you are away. Always log out of an application before leaving your workstation. Lock your computer and secure PHI when you leave your workstation. Always place monitors in a location that prevents others from viewing information on the screen. Use screen savers to help ensure confidentiality. Make sure laptops and PCs are monitored and secure. Never send PHI via or the Internet without using encryption that is approved by the IS department. Call the IS Help Desk at if you suspect a PC is infected with a virus or under any other sort of electronic attack.

27 Usernames and Passwords Never share your username or password with anyone. Memorize your password, do not write it down. Do not use family members or pets names, phone numbers, birth dates or other easily guessed information as your password. Change your password periodically (at least every 90 days). If you suspect your password has been compromised, change your password immediately.

28 New Breach Notification Requirement The HITECH Act may require Northside to notify patients if their PHI has been breached and the breach present a significant risk to the patient. A Breach is an unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI. Breaches do not include inadvertent disclosures of PHI made during the scope of your employment. If you are aware of, or suspect, any unauthorized acquisition, access, use or disclosure of PHI, including loss or theft of computer equipment or storage device, you must immediately contact the HIPAA Hotline. Northside will investigate the suspected breach and take the necessary corrective action, including notifying the affected individuals and other applicable entities if so required.

29 RED FLAGS Potential red flags that indicate attempted patient identity theft should be reported immediately to: Patient Access Operations Coordinator, if identified during a stay or service Customer Service Supervisor of the Business Office, if identified after discharge Examples of potential red flags include: Patient presents documents for identification that appear to be altered or forged Patient's photo, identifying characteristics (e.g. ethnicity, sex, age) or signature does not appear to match what is on file Social Security number or other identifier (e.g. insurance policy number or date of birth) is inconsistent with external information sources Address/phone number or other demographic information is inconsistent with other sources of information Medical records show treatment inconsistent with current presentation Patient complains about receiving bill for service patient did not receive

30 HITECH Act Increases Liability The HITECH Act increased caps on civil monetary penalties for violation of HIPAA

31 Be Aware of Criminal Liability tied to HIPAA Knowingly obtaining or disclosing PHI in violation of HIPAA Up to $50,000 fine; Imprisonment up to one year. Offenses committed under false pretenses Up to a $100,000 fine, Imprisonment up to five years. Offenses committed with the intent to sell, transfer, or use health information for commercial advantage, personal gain or malicious harm Up to $250,000 fine imprisonment for up to ten years.

32 Recent Enforcement Actions Civil Liability UCLA paid $865,500 after it was discovered that unauthorized employees repeatedly looked at PHI of numerous patients. Mass General paid $1,000,000 after an employee left documents on a subway train containing PHI of 192 patients (including AIDS information). Criminal Liability Woman who stole paper surgery schedule containing information of 400 patients to commit identity theft sentenced to 39 months in prison for violating HIPAA. Former employee looked up patient records of celebrities and co-workers on at least four separate occasions and was sentenced to four months in prison, a $2,000 fine, and a $100 special assessment. Vermont ultrasound technologist improperly accessed the electronic medical records of her husband s former wife and children. She was given a suspended sentence, fined $2,000, and made to perform 160 hours of community service.

33 Element No. 3 Compliance Training Northside maintains an active compliance training program. All employees are required to participate in this compliance training. In addition to this compliance training, Northside employs other methods to train you on relevant compliance matters.

34 No. 4 Open Lines of Communication Northside has established a toll-free hotline for all individuals to anonymously report suspected violations of the Compliance Program Northside Hotline No: Northside will not take disciplinary action against anyone because they submit a compliance concern.

35 No. 4 - Open Lines of Communication Northside encourages you to ask questions. All employees have an affirmative obligation to report even suspected misconduct. You may make a report through the anonymous hotline, your supervisor or the Chief Compliance Officer. Failure to communicate a known compliance concern through an established reporting mechanism will be considered a violation of the Compliance Program.

36 No. 5 Compliance Monitoring Northside takes steps to maintain compliance with its standards and procedures by utilizing monitoring and auditing systems. Northside s Internal Audit Department works closely with the Compliance Department to conduct audits of potential risk areas.

37 No. 6 Corrective Action If a violation of Northside s Compliance Program occurs the Chief Compliance Officer, working with the Compliance Committee, will determine the appropriate corrective action to take. Appropriate corrective action may include, but is not limited to: (a) training; (b) rebilling claims; (c) fixing system errors; and/or (d) disciplinary action (up to and including termination).

38 Expectations Click here if you are an employee Click here if you are a manager Managers are employees with oversight responsibility, including executive management, administrators, directors, managers and supervisory personnel Click here if you are a medical staff member Click here if you are a contractor, agent, vendor or volunteer

39 Employee Expectations Think about how the Compliance Program applies to your work and rely on the Code of Conduct and the other policies and procedures to guide your decisions. If you have a question or concern: Speak with your supervisor; Speak with the Chief Compliance Officer, ; or Call the anonymous hotline,

40 Employee Expectations Receive compliance training Read the Compliance Program Manual and Code of Conduct Sign an affirmation statement stating that you understand and agree to abide by Northside s Code of Conduct and the Compliance Program Policies and Procedures. Be familiar with compliance risk areas Report suspected misconduct If you are not sure - ASK

41 Manager Expectations Maintain Northside s culture of compliance Lead by example Encourage employees to ask questions and voice concerns Work with the Chief Compliance Officer and Compliance Committee Consider compliance when evaluating and rewarding employees Prevent compliance issues Identify risk areas and propose appropriate policies and procedures Educate your employees of relevant policies and procedures Respond to potential compliance problems Notify the Chief Compliance Officer Pursue appropriate, prompt corrective action Take appropriate disciplinary action when necessary

42 Manager Expectations (cont d) If you have questions about the Compliance Program, policies or procedures, or need guidance in responding to a question: Speak with your supervisor; Call the Chief Compliance Officer, ; or Call the anonymous hotline,

43 Medical Staff Expectations Participate in compliance activities Raise potential compliance issues and assist in possible solutions Raise questions and issues: Call the Chief Compliance Officer: Call the anonymous hotline:

44 Expectations of Contractors Contractors, agents, vendors, and volunteers should: Read and understand the Code of Conduct and policies and procedures Participate in compliance activities Raise questions or concerns by: Speaking with a Northside manager Speaking with the Chief Compliance Officer, Through the anonymous hotline,

45 COMPLIANCE WITH THE PROGRAM AND CODE OF CONDUCT Compliance with the Compliance Program and Code of Conduct is very important and will be considered in your performance evaluation Failure to follow the Code may lead to discipline as outlined by Northside s Disciplinary and Non-Retaliation Policy

46 SUMMARY OF EXPECTATIONS Understand the Compliance Program and Code of Conduct Seek assistance and ask questions Raise concerns promptly Cooperate with the Compliance Department

47 The End - Thank you! Thank you for your participation and your continued dedication to the Northside Compliance Program! * Please read & sign the Confidentiality/Security Agreement