Developed by the Centers for Medicare & Medicaid Services* *Health plan specific information added with permission from CMS.


1 Medicare Parts C & D General Compliance Training Developed by the Centers for Medicare & Medicaid Services* *Health plan specific information added with permission from CMS.

2 Important Notice The Health Plan is a Medicare Part C & D Sponsor. All contractors of Part C & D Sponsors who provide health or administrative services to Medicare enrollees must satisfy general compliance training requirements in accordance with Compliance Program regulations at 42 C.F.R (b)(4)(vi) and (b)(4)(vi) and in Section 50.3 of the Compliance Program Guidelines found in Chapter 9 of the Medicare Prescription Drug Benefit Manual and Chapter 21 of the Medicare Managed Care Manual. Completion of this training module satisfies the 2013 annual requirement for Medicare Parts C & D General Compliance Training.

3 Why Do I Need Training? Compliance is EVERYONE'S responsibility! As an individual who provides health or administrative services for Medicare enrollees, every action you take potentially affects Medicare enrollees, the Medicare program, or the Medicare trust fund.

4 Where Do I Fit In? Health or administrative services to a Part C or Part D enrollee are provided by either a: Part C or D Sponsor Employee; First Tier Entity (examples: PBM, a Claims Processing Company, contracted Sales Agent); Downstream Entity (example: Pharmacy); Related Entity (example: entity that has a common ownership or control of a Part C/D Sponsor). The Health Plan is a Part C & D Sponsor.

5 Training Objectives To understand the organization's commitment to ethical business behavior; to understand how a compliance program operates; to gain awareness of how compliance violations should be reported.

6 Background CMS requires Medicare Advantage, Medicare Advantage Prescription Drug, and Prescription Drug Plan Sponsors ("Sponsors") to implement an effective compliance program. An effective compliance program should: provide guidance on how to handle compliance questions and concerns; provide guidance on how to identify and report compliance violations; articulate and demonstrate an organization's commitment to legal and ethical conduct.

7 Compliance A culture of compliance within an organization: prevents noncompliance; detects noncompliance; corrects noncompliance.

8 Compliance Program Requirements At a minimum, a compliance program must include the 7 core requirements: 1. Written Policies, Procedures and Standards of Conduct; 2. Compliance Officer, Compliance Committee and High Level Oversight; 3. Effective Training and Education; 4. Effective Lines of Communication; 5. Well Publicized Disciplinary Standards; 6. Effective System for Routine Monitoring and Identification of Compliance Risks; and 7. Procedures and System for Prompt Response to Compliance Issues 42 C.F.R (b)(4)(vi) and (b)(4)(vi); Internet Only Manual ( IOM ), Pub , Medicare Managed Care Manual Chapter 21; IOM, Pub , Medicare Prescription Drug Benefit Manual Chapter 9

9 Compliance Officer As Requirement Two states, Plans must have a Medicare Compliance Officer. The Medicare Compliance Officer is Jill Salerno. Jill can be reached at: 165 Court St. Rochester, NY (585) or via the Ethics & Compliance Hotline (800) Jill Salerno

10 Compliance Training CMS expects that all Sponsors will apply their training requirements and effective lines of communication to the entities with which they partner. Having effective lines of communication means that employees of the organization and the partnering entities have several avenues through which to report compliance concerns.

11 Ethics Do the Right Thing! Act Fairly and Honestly. Comply with the letter and spirit of the law. As a part of the Medicare program, it is important that you conduct yourself in an ethical and legal manner. It's about doing the right thing! Adhere to high ethical standards in all that you do. Report suspected violations.

12 How Do I Know What is Expected of Me? Know the Code! The Code of Business Conduct states compliance expectations and the principles and values by which the organization operates. Everyone is required to report violations of our Code of Conduct and suspected noncompliance. The Code of Conduct and Policies and Procedures identify this obligation and tell you how to report.

13 What Is Noncompliance? Noncompliance is conduct that does not conform to the law, and Federal health care program requirements, or to our ethical and business policies. Medicare Parts C & D High Risk Areas*: Credentialing; Ethics; Appeals and Grievance Review; HIPAA; Claims Processing; Marketing and Enrollment; Conflicts of Interest; Beneficiary Notices; Agent / Broker; Documentation Requirements; Quality of Care; Formulary Administration. *For more information, see the Medicare Managed Care Manual and the Medicare Prescription Drug Benefit Manual at

14 Noncompliance Harms Enrollees Without programs to prevent, detect and correct noncompliance there are: delayed services; denial of benefits; difficulty in using providers of choice; hurdles to care.

15 Noncompliance Costs Money Non-Compliance affects EVERYBODY! Without programs to prevent, detect and correct noncompliance we risk: higher premiums; higher insurance copayments; exclusion from Federal Health Care programs; lower benefits for individuals and employers; lower Star ratings.

16 I'm Afraid to Report Noncompliance There can be NO retaliation against you for reporting suspected noncompliance in good faith. The Plan offers reporting methods that are: Confidential; Anonymous; Non-Retaliatory.

17 How Can I Report Potential Noncompliance? Contact the Medicare Compliance Officer; call the Ethics & Compliance Hot Line 800 ASK 0170; send a message to the Ethics & Compliance box in Lotus Notes; call the Special Investigations Unit to report Fraud, Waste and Abuse; talk to your Manager or Supervisor. First tier, downstream, and related entities (FDR) can call the Ethics & Compliance Hot Line, speak to a Manager or Supervisor or contact the sponsor (Health Plan). Beneficiaries of all lines of business can call the Ethics & Compliance Hot Line. Medicare beneficiaries can also call 800 Medicare.

18 What Happens Next? After noncompliance has been detected, it must be investigated immediately, and any noncompliance must then be promptly corrected. Correcting noncompliance: avoids the recurrence of the same noncompliance; promotes efficiency and effective internal controls; protects enrollees; ensures ongoing compliance with CMS requirements.

19 How Do I Know the Noncompliance Won't Happen Again? Once noncompliance is detected and corrected, an ongoing evaluation process is critical to ensure the noncompliance does not recur. Monitoring activities are regular reviews which confirm ongoing compliance and ensure that corrective actions are undertaken and effective. Auditing is a formal review of compliance with a particular set of standards (e.g., policies and procedures, laws and regulations) used as base measures. [Diagram labels: Monitor/Audit, Correct, Prevent, Report, Detect]

20 Know the Consequences of Noncompliance Plans are required to have disciplinary standards in place for non-compliant behavior. Those who engage in non-compliant behavior may be subject to any of the following: Mandatory Training or Re-Training; Disciplinary Action; Termination.

21 Compliance is EVERYONE'S Responsibility!! PREVENT: Operate within our organization's ethical expectations to PREVENT noncompliance! DETECT & REPORT: If you DETECT potential noncompliance, REPORT it! CORRECT: CORRECT noncompliance to protect beneficiaries and to save money!

22 What Governs Compliance? Social Security Act: Title 18. Code of Federal Regulations*: 42 CFR Parts 422 (Part C) and 423 (Part D). CMS Guidance: Manuals; HPMS Memos. CMS Contracts: Private entities apply and contracts are renewed/non-renewed each year. Other Sources: OIG/DOJ (fraud, waste and abuse (FWA)); HHS (HIPAA privacy). State Laws: Licensure; Financial Solvency; Sales Agents. * 42 C.F.R (b)(4)(vi) and (b)(4)(vi)

23 Additional Resources For more information on laws governing the Medicare program and Medicare noncompliance, or for additional healthcare compliance resources please see: Title XVIII of the Social Security Act; Medicare Regulations governing Parts C and D (42 C.F.R. 422 and 423); Civil False Claims Act (31 U.S.C ); Criminal False Claims Statute (18 U.S.C. 287, 1001); Anti-Kickback Statute (42 U.S.C. 1320a-7b(b)); Stark Statute (Physician Self-Referral Law) (42 U.S.C. 1395nn); Exclusion entities instruction (42 U.S.C. 1395w-27(g)(1)(G)); The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law ) (45 CFR Part 160 and Part 164, Subparts A and E); OIG Compliance Program Guidance for the Healthcare Industry: guidance/index.asp

24 Remember! Compliance is EVERYONE'S responsibility. There can be NO retaliation against you for reporting suspected noncompliance in good faith. To report, call the Hotline at (800) ASK 0170.

25 Contractor Medicare General Compliance Training Test Questions
1. What is conduct that does not conform to the law, and Federal health care program requirements, or to our ethical and business policies? a. Noncompliance b. Compliance c. Ethics d. None of these
2. What are the benefits of a culture of compliance within an organization? a. To prevent noncompliance b. To detect noncompliance c. To correct noncompliance d. All of the above
3. Without programs to prevent, detect and correct noncompliance we risk? a. Higher Star Ratings b. Lower Premiums c. Lower Insurance Copayments d. Exclusion from Federal Health Care programs
4. True or false: We offer reporting methods that are confidential, anonymous and non-retaliatory? a. True b. False

26
5. At a minimum, a compliance program must include 7 core requirements. Which of the following are core requirements? a. Effective Training and Education b. Procedures and System for Prompt Response to Compliance Issues c. Well Publicized Disciplinary Standards d. Effective System for Routine Monitoring and Identification of Compliance Risks e. All of the above
6. You have discovered an unattended email address or fax machine in your office which receives beneficiary appeals requests. You suspect that no one is processing the appeals. What should you do? a. Contact Law Enforcement b. Contact your Compliance Department c. Wait to confirm someone is processing the appeals before taking further action d. Contact your supervisor
7. A sales agent, employed by one of our first tier or downstream entities, has submitted an application for processing and has requested the enrollment date be back dated by one month and all monthly premiums for the beneficiary be waived. What should you do? a. Refuse to change the date or waive the premiums, but decide not to mention the request to a supervisor or the compliance department. b. Make the requested changes because the sales agent is responsible for determining the beneficiary's start date and monthly premiums. c. Tell the sales agent you will take care of it, but then process the application properly (without the requested revisions). You will not file a report because you don't want the sales agent to retaliate against you. d. Process the application properly (without the requested revisions). Inform your supervisor and the compliance officer about the sales agent's request.

27
8. Last month, while reviewing a monthly report from CMS, you identified multiple enrollees for which we are being paid, who are not enrolled in our plan. You spoke to your supervisor, Tom, who said not to worry about it. This month, you have identified the same enrollees on the report again. What do you do? a. Decide not to worry about it as your supervisor, Tom, had instructed. You notified him last month and now it's his responsibility. b. Although you have seen notices about our non-retaliation policy, you are still nervous about reporting. To be safe, you submit a report through your Compliance Department's anonymous tip line so that you cannot be identified. c. Contact law enforcement and CMS to report the discrepancy. d. Ask Tom about the discrepancies again.
9. True or false: As a Part C & D Sponsor, we are required to have a compliance committee to oversee our compliance program; however, the hiring or appointment of a compliance officer is optional. a. True b. False
10. TRUE OR FALSE: If we subcontract with downstream entities for the performance of services, the downstream entity is ultimately responsible for complying with all CMS requirements. a. True b. False

28 Fraud, Waste and Abuse Training Developed by the Centers for Medicare & Medicaid Services* *Health plan specific information added with permission from CMS.

29 Important Notice The Health Plan is a Medicare Part C & D Sponsor. All Part C & D Sponsors' employees must satisfy Fraud, Waste and Abuse training requirements. Completion of this training module satisfies the 2013 annual requirement for Fraud, Waste and Abuse Training.

30 Why Do I Need Training? Every year millions of dollars are improperly spent because of fraud, waste and abuse. It affects everyone. Including YOU. This training will help you detect, correct and prevent fraud, waste and abuse. YOU are part of the solution.

31 Objectives Meet the regulatory requirement for training and education; provide information on the scope of fraud, waste and abuse; explain everyone's obligation to detect, prevent and correct fraud, waste and abuse; provide information on how to report fraud, waste and abuse; provide information on laws pertaining to fraud, waste and abuse.

32 Requirements The Social Security Act and CMS regulations and guidance govern the Medicare program, including Parts C and D. Part C and Part D sponsors must have an effective compliance program which includes measures to prevent, detect and correct Medicare non-compliance as well as measures to prevent, detect and correct fraud, waste and abuse. Sponsors must have effective training for employees, managers and directors, as well as their first tier, downstream and related entities (FDRs). 42 C.F.R and 42 C.F.R

33 Where Do I Fit In? Health or administrative services to a Part C or Part D enrollee are provided by either a: Part C or D Sponsor Employee; First Tier Entity (examples: PBM, a Claims Processing Company, contracted Sales Agent); Downstream Entity (example: Pharmacy); Related Entity (example: entity that has a common ownership or control of a Part C/D Sponsor).

34 What are my responsibilities? You are a vital part of the effort to prevent, detect and report Medicare non-compliance as well as possible fraud, waste and abuse. FIRST, you are required to comply with all applicable statutory, regulatory and other Part C or Part D requirements, including adopting and implementing an effective compliance program. SECOND, you have a duty to the Medicare Program to report any violations of laws that you may be aware of. THIRD, you have a duty to follow our organization's Code of Conduct that articulates your and our organization's commitment to standards of conduct and ethical rules of behavior.

35 An Effective Compliance Program Is essential to prevent, detect and correct Medicare non-compliance as well as fraud, waste and abuse. Must, at a minimum, include the 7 core compliance program requirements. 42 C.F.R and 42 C.F.R

37 How Do I Prevent Fraud, Waste and Abuse? Make sure you are up to date with laws, regulations, policies; ensure you coordinate with other payers; ensure data/billing is both accurate and timely; verify information provided to you; be on the lookout for suspicious activity.

38 Policies and Procedures Every sponsor, first tier, downstream and related entity must have policies and procedures in place to address fraud, waste and abuse. These procedures should assist you in detecting, correcting, and preventing fraud, waste and abuse. Make sure you are familiar with the policies and procedures (P&Ps).

39 Our Policies and Procedures P&Ps are housed in and are available on Compliance homepage on the Intranet. Medicare P&Ps are available on the Medicare Compliance homepage on the Intranet. To the right is a screen shot of some of the Medicare Compliance P&Ps.

41 Understanding Fraud, Waste and Abuse In order to detect fraud, waste and abuse you need to know the Law

42 Criminal FRAUD Knowingly and willfully executing, or attempting to execute, a scheme or artifice to defraud any health care benefit program; or to obtain, by means of false or fraudulent pretenses, representations, or promises, any of the money or property owned by, or under the custody or control of, any health care benefit program. 18 United States Code 1347

43 What Does That Mean? Intentionally submitting false information to the government or a government contractor in order to get money or a benefit.

44 Waste and Abuse Waste: overutilization of services, or other practices that, directly or indirectly, result in unnecessary costs to the Medicare Program. Waste is generally not considered to be caused by criminally negligent actions but rather the misuse of resources. Abuse: includes actions that may, directly or indirectly, result in unnecessary costs to the Medicare Program. Abuse involves payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment.

45 Differences Between Fraud, Waste and Abuse There are differences between fraud, waste and abuse. One of the primary differences is intent and knowledge. Fraud requires the person to have an intent to obtain payment and the knowledge that their actions are wrong. Waste and abuse may involve obtaining an improper payment, but do not require the same intent and knowledge.

46 Report Fraud, Waste and Abuse Do not be concerned about whether it is fraud, waste or abuse. Just report any concerns to our Special Investigations Unit (SIU). The SIU will investigate and make the proper determination.

47 Indicators of Potential Fraud, Waste and Abuse Now that you know what fraud, waste and abuse are, you need to be able to recognize the signs of someone committing fraud, waste or abuse. The following slides demonstrate prescription drug issues to present examples of potential fraud, waste or abuse. Each slide provides areas to keep an eye on, depending on your role in our organization.

48 Key Indicators: Potential Provider Issues Does the provider write for diverse drugs or primarily only for controlled substances? Are the provider's prescriptions appropriate for the member's health condition (medically necessary)? Is the provider writing for a higher quantity than medically necessary for the condition? Is the provider performing unnecessary services for the member?

49 Key Indicators: Potential Beneficiary Issues Does the prescription look altered or possibly forged? Have you filled numerous identical prescriptions for this beneficiary, possibly from different doctors? Is the person receiving the service/picking up the prescription the actual beneficiary (identity theft)? Is the prescription appropriate based on beneficiary's other prescriptions? Does the beneficiary's medical history support the services being requested?

50 Key Indicators: Potential Pharmacy Issues Are we being billed for prescriptions that are not filled or picked up? Are drugs being diverted (drugs meant for nursing homes, hospice, etc. being sent elsewhere)?

51 Key Indicators: Potential Sponsor Issues Does the sponsor offer cash inducements for beneficiaries to join the plan? Does the sponsor lead the beneficiary to believe that the cost of benefits is one price, only for the beneficiary to find out that the actual costs are higher? Does the sponsor use unlicensed agents? Does the sponsor encourage/support inappropriate risk adjustment submissions?

52 How Do I Report Fraud, Waste or Abuse?

53 Reporting Fraud, Waste and Abuse Everyone is required to report suspected instances of fraud, waste and abuse. The Code of Conduct clearly states this obligation. The organization will not tolerate any form of retaliation against anyone who makes a good faith report in accordance with the Code.

54 Reporting Fraud, Waste and Abuse Every Part C & D Sponsor is required to have a mechanism in place in which potential fraud, waste or abuse may be reported by employees, first tier, downstream and related entities. You may report anonymously and you are protected from retaliation! When in doubt, call the Fraud Hotline ( ) or the Ethics & Compliance Hotline (800 ASK 0170).

55 Reporting Fraud, Waste and Abuse You may contact the Special Investigations Unit at the following location and numbers: 165 Court St. Rochester, NY Fraud Hotline: SIU Regional offices are as follows: Univera Rochester CNY Utica You may also report electronically by clicking on the Fraud & Abuse link at the bottom of the Excellusbcbs.com Home Page

56 Reporting Fraud, Waste and Abuse Additionally, you may contact the Chief Compliance Officer and/or the Medicare Compliance Officer at the following location and number: 165 Court St. Rochester, NY Ethics & Compliance Hotline: 800 ASK 0170 Employees may also submit e-mails to the Corporate Compliance Officer at Ethics and Compliance through Lotus Notes. You may also contact the Corporate Legal Department via e-tracker on Fingertips.

58 Correction Once fraud, waste or abuse has been detected it must be promptly corrected. Correcting the problem saves the government money and ensures we are in compliance with CMS requirements.

59 How Do I Correct Issues? Once issues have been identified, a plan to correct the issue needs to be developed. Consult the Medicare Compliance Officer to learn about the process for the corrective action plan development. The actual plan is going to vary, depending on the specific circumstances.

61 Laws The following slides provide very high level information about specific laws. For details about the specific laws, such as safe harbor provisions, consult the applicable statute and regulations concerning the law.

62 Civil Fraud Civil False Claims Act Prohibits: Presenting a false claim for payment or approval; Making or using a false record or statement in support of a false claim; Conspiring to violate the False Claims Act; Falsely certifying the type/amount of property to be used by the Government; Certifying receipt of property without knowing if it's true; Buying property from an unauthorized Government officer; and Knowingly concealing or knowingly and improperly avoiding or decreasing an obligation to pay the Government. 31 United States Code

63 New York State False Claims Act The New York State False Claims Act only applies to false claims submitted to the Medicaid program, and is very similar to the Federal False Claims Act. The New York State False Claims Act applies to persons who: 1. Knowingly submit a false or fraudulent claim to an employee, officer, or agent of the government; 2. Knowingly make a false record or statement to get a false claim paid by the state or local government; 3. Knowingly retain money owed to the government; 4. Knowingly make a false record or statement to conceal, avoid or decrease an obligation to pay money to the government; or 5. Conspire to get a false claim paid.

64 Medicare and Medicaid Program Integrity Statute In addition to potential liability under the State and Federal False Claims Acts for retaining an overpayment, health plans and providers can also be held liable for a failure to report, explain and return an overpayment to the government within 60 days of identifying it. This requirement was added as part of the federal health reform initiative. The requirement to timely report, explain and return an overpayment applies regardless of the reason for the overpayment. Even overpayments resulting from simple billing mistakes must be returned within 60 days.

65 False Claims Act Damages and Penalties Violations of the NY State False Claims Act can result in fines ranging from $6,000 to $12,000 per claim, plus three times the amount of damages sustained by the government. Violations of the Federal False Claims Act can result in civil penalties ranging from $5,500 to $11,000 per claim and up to triple the amount of damages sustained by the government. In both cases, exclusion from the Medicare and Medicaid program can also result.

66 Criminal Fraud Penalties If convicted, the individual shall be fined, imprisoned, or both. If the violations resulted in death, the individual may be imprisoned for any term of years or for life, or both. 18 United States Code 1347

67 Qui Tam The False Claims Act includes something called a Qui Tam provision. The Qui Tam provision allows people, also known as "whistleblowers," to hire a lawyer at their own expense and sue anyone they believe has defrauded the government. The government has the option of joining the suit as a party, which usually only occurs if they conclude the whistleblower has a good case. If the case is won, the whistleblower is entitled to a portion of the money recovered.

68 Protections under the FCA Just as we discuss in our own Code of Business Conduct, the Qui Tam provision prohibits retaliation against anyone who reports a False Claims Act violation. The Whistleblower Employee Protection Act prohibits an organization from discharging, demoting, suspending, threatening, harassing or discriminating against any employee because of lawful acts done by the employee, on behalf of the employer, or because the employee testifies or assists in an investigation of the employer. In addition, the False Claims Act provides a number of possible remedies to employees who are discharged, demoted, harassed, or otherwise discriminated against, because of lawful actions taken under the Act.

69 Anti-Kickback Statute Prohibits: Knowingly and willfully soliciting, receiving, offering or paying remuneration (including any kickback, bribe, or rebate) for referrals for services that are paid in whole or in part under a federal health care program (which includes the Medicare program). Penalties: Fine of up to $25,000, imprisonment up to five (5) years, or both fine and imprisonment. 42 United States Code 1320a-7b(b)

70 Stark Statute (Physician Self-Referral Law) Prohibits: A physician from making a referral for certain designated health services to an entity in which the physician (or a member of his or her family) has an ownership/investment interest or with which he or she has a compensation arrangement (exceptions apply). Penalties: Medicare claims tainted by an arrangement that does not comply with Stark are not payable. Up to a $15,000 fine for each service provided. Up to a $100,000 fine for entering into an arrangement or scheme. 42 United States Code 1395nn

71 Exclusion The Office of the Inspector General, the Office of the Medicaid Inspector General and the General Services Administration publish lists of individuals and companies who are excluded from doing business with the government. As a Health Plan with Medicare and Medicaid members, we may not employ or contract with individuals or companies that are excluded by these offices. This also applies to our first tier, downstream and related entities. We have a duty to verify, initially and monthly thereafter, that the individuals we hire, and the companies with which we contract, are not on the exclusion lists. Should an organization do business with an individual or company that it knew, or should have known, was excluded, the organization may face a civil monetary penalty of $10,000 for each claim submitted for any services or items that were furnished during the individual or company's exclusion, plus triple damages. 42 U.S.C. 1395(e)(1) 42 C.F.R

72 Health Insurance Portability and Accountability Act of 1996 (P.L ) Created greater access to health care insurance, protection of privacy of health care data, and promoted standardization and efficiency in the health care industry. Safeguards to prevent unauthorized access to protected health care information. As an individual who has access to protected health care information, you are responsible for adhering to HIPAA. Penalties: HIPAA civil penalties range from $100 per violation ($25,000 per year maximum) if the person did not know he/she was violating HIPAA to $50,000 per violation ($1,500,000 per year maximum) for violations due to willful neglect. HIPAA criminal penalties may be up to $50,000, with up to one year in prison. Add false pretenses to that and the penalties increase up to $100,000, and up to five years in prison. Adding intent to sell increases the penalties up to $250,000, with up to 10 years in prison.

73 Beneficiary Inducement Law Under the Beneficiary Inducement Law, it is illegal to offer items of value (cash, gift cards, goods and services, etc.) that a person knows (or should know) are likely to influence a potential customer/patient to select a particular provider, pharmacy or supplier. Violating the Beneficiary Inducement Law may result in fines of up to $10,000 per item or service, plus three times the damages incurred by the government. Violators also face potential exclusion from participation in government programs.

75 Consequences of Committing Fraud, Waste or Abuse The following are potential penalties. The actual consequence depends on the violation. Civil Money Penalties; Criminal Conviction/Fines; Civil Prosecution; Imprisonment; Loss of Provider License; Exclusion from Federal Health Care programs.

76 Remember! You are a vital part of the effort to prevent, detect and report Medicare non-compliance as well as possible fraud, waste and abuse. YOU are part of the solution.

77 Contractor FWA Training Test Questions
1. True or false: there are no differences between fraud, waste and abuse. a. True b. False
2. True or false: Every Part C & D sponsor is required to have a mechanism in place in which fraud, waste and abuse may be reported. a. True b. False
3. True or false: CMS may not impose civil penalties for violations of fraud and abuse laws and regulations. a. True b. False
4. True or false: Sponsors may not allow employees to report FWA activities anonymously. a. True b. False
5. True or false: Fraud, waste and abuse affects you. a. True b. False

78
6. Which of the following involves payment for items or services where there was intent to deceive or misrepresent? a. Remuneration b. Abuse c. Fraud
7. Payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment is an example of ______. a. Fraud b. Abuse c. Waste d. Remuneration
8. As a Health Plan employee, you are a: a. Part C or D Sponsor Employee b. First Tier Entity c. Downstream Entity d. Related Entity
9. How can you prevent fraud, waste and abuse? a. Make sure you are up to date with laws, regulations, policies b. Verify information provided to you c. Be on the lookout for suspicious activity d. All of the above

79
10. Which of the following is generally not considered to be caused by criminally negligent actions but rather the misuse of resources? a. Fraud b. Abuse c. Waste d. Underutilization
11. Your job is to submit risk diagnosis to CMS for purposes of payment. As part of this job you are to verify, through a certain process, that the data is accurate. Your immediate supervisor tells you to ignore the sponsor's process and to adjust/add risk diagnosis codes for certain individuals. What do you do? A. Do what is asked of your immediate supervisor B. Report the incident to the compliance department (via Compliance Hotline or other mechanism) C. Discuss concerns with immediate supervisor D. Contact law enforcement
12. Which of the following could prohibit a physician from referring a Medicare patient to a pharmacy with which the physician has a financial relationship? a. False Claims Act b. Stark Law c. Beneficiary Inducement Law d. Anti-Kickback Statute

80
13. You are in charge of payment of claims submitted from providers. You notice a certain diagnostic provider ("Doe Diagnostics") has requested a substantial payment for a large number of members. Many of these claims are for a certain procedure. You review the same type of procedure for other diagnostic providers and realize that Doe Diagnostics' claims far exceed those of any other provider that you reviewed. What do you do?
A. Call Doe Diagnostics and request additional information for the claims
B. Reject the claims
C. Pay the claims
D. Consult with your immediate supervisor for next steps or contact the compliance department
14. Which law prohibits knowingly and willfully soliciting, receiving, offering or paying remuneration for referrals for services that are paid in whole or in part under a federal health care program (which includes the Medicare and Medicaid programs)?
a. Anti Kickback Statute
b. Stark Law
c. HIPAA
d. False Claims Act
15. Dr. Smith has a contract with the local hospital to deliver healthcare services. He refers a lot of his Medicare patients there. If Dr. Smith accepts free office space from county hospital, what law is he potentially violating?
a. Balanced Budget Act
b. Stark Law
c. False Claims Act
d. Anti Kickback Statute

81
16. True or false: You can find Medicare Policies and Procedures on the Medicare Compliance homepage on the Intranet.
a. True
b. False
17. Which of the following is an indicator of potential fraud, waste and abuse?
a. Are we being billed for prescriptions that are not filled or picked up?
b. Does the sponsor offer cash inducements for beneficiaries to join the plan?
c. Does the provider bill us for services not provided?
d. All of the above
18. Which answer below best answers the question: Who is required to report suspected instances of fraud, waste and abuse?
a. Special Investigations Unit team members
b. The Medicare Compliance Officer
c. Compliance team members
d. Everyone
19. Which of the following are consequences of committing fraud, waste or abuse?
a. Civil Money Penalties
b. Criminal Conviction/Fines
c. Imprisonment
d. Exclusion from Federal Health Care programs
e. All of the above

82
20. Which law provides safeguards to prevent unauthorized access to protected health care information?
a. HIPAA
b. Stark Law
c. Anti Kickback Statute
d. False Claims Act

83 Privacy and Confidentiality Training Presented by Corporate Privacy Office Office of Corporate Ethics & Compliance

84 Introduction
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to establish a national set of standards or rules for:
- Privacy
- Transactions and Code Sets
- Identifiers
- Security
This training program describes the HIPAA Privacy Rule and the Plan's corporate policies that ensure compliance with the Rule and other related state and federal regulations.

85 HIPAA Privacy Rule
The HIPAA Privacy Rule, issued by the United States Department of Health and Human Services (HHS), became effective on April 14, This Rule established a national set of standards for the protection of health information. The intent of the Rule is to protect the privacy of individuals' health information without impeding the flow of health information necessary for the provision of quality care.
On January 25, 2013, HHS published the HIPAA Omnibus Final Rule which includes modifications to HIPAA Privacy, Security and Enforcement rules. These include requirements for Protected Health Information (PHI) security, breach notification and penalties for non-compliance.

86 HIPAA Privacy Rule
The Privacy Rule applies to all organizations for which the collection, use or disclosure of health information is essential to business operations. These organizations are considered covered entities and include health plans, healthcare clearinghouses and healthcare providers such as physician offices, clinics and hospitals. Business Associates of covered entities are also subject to the Privacy Rule.
There are other state and federal laws and regulations that address privacy and confidentiality that are incorporated into our privacy practices.
The Plan's Notice of Privacy Practices outlines the policies and procedures related to the HIPAA Privacy Rule and member rights. It is distributed at enrollment and upon request.
(Corporate Policies related to the topics in this course are indicated in parentheses and can be found on Fingertips under Policies and Procedures. Be sure to reference Corporate Policies on a regular basis to ensure you have the most recent information.)

87 Protected Health Information
All individually identifiable health information is protected under the HIPAA Privacy Rule. Protected Health Information, or PHI, includes any data that may be used to identify the individual associated with health information.
PHI includes personally identifiable information (PII). PII refers to information used to uniquely identify an individual, either alone or combined with other sources.
Examples of PHI include, but are not limited to:
- An individual's name, address, date of birth
- Social Security Number, patient/insurance ID, driver's license number, financial account or credit/debit card number
- Personal characteristics, including photographic image, fingerprints, handwriting, or biometric image (e.g., retina scans, voice signature)
- Medical records or treatment information such as service rendered, diagnosis, treatment notes
Claims, enrollment applications, medical/patient records, etc. all include PHI.

88 Workforce Use, Access and Disclosure (CP1340)
A covered entity must make reasonable efforts to use, disclose or request of another covered entity only a limited data set, or, if needed by the requesting entity, the minimum necessary information to accomplish the purpose of the use or disclosure.
PHI should not be used or disclosed when it is not necessary to satisfy a particular business purpose or carry out a business function. Use or disclosure of information is restricted to a need to know basis, including the access of our contractors. Contractor access to an individual's PHI must be limited to the minimum necessary for the sole purpose of fulfilling job accountabilities.
Additionally, NYS has added protections around the use of information related to protected diagnoses, e.g., HIV/AIDS.
Related Corporate Policies:
- Minimum Necessary Disclosure of Information (CP1110)
- Disclosure to Business Associates (CP1090)
- Intra-entity Privacy Agreements (CP1210)
- Use, Disclosure and Safeguard of PHI (CP1320)
- Workforce Use, Access and Disclosure of Personal Information (CP1340)

89 Workforce Use, Access and Disclosure (cont'd)
Any intentional access to information other than for job-related purposes is a violation of the minimum necessary rule and Corporate Policy. For example, accessing your own information or that of a family member or friend is not permissible under any circumstance.
Knowingly accessing information for reasons other than job-related accountabilities can result in disciplinary action up to, and including, termination of employment. In some cases, criminal and civil penalties may be applied.
In addition to accessing information, reasonable efforts must be taken to ensure the confidentiality of conversations when speaking with or conferring about an individual. Avoid discussing PHI in locations where there is risk that a conversation may be overheard such as in an elevator or break room.
Never leave messages containing PHI on answering machines. Telephone messages should be limited to the name of the company, contact name and phone number.
Related Corporate Policies:
- Workforce Compliance and Mitigation PHI Disclosure (CP1180)
- Corporate Confidentiality and Non-Disclosure Statement (CP2050)
- Disclosure of PHI by Phone (CP1300)
- Disclosure of PHI by Fax (CP1290)

90 De-identified Data (CP1100)
De-identified health information has been stripped of PHI and cannot be used to identify a specific person or to link an individual to the health data.
De-identified data must be used whenever possible. This includes internal training purposes, reports, communication with groups, etc. Exceptions to this must be approved by the Data Review Committee and/or the Corporate Privacy Office.
CP1100 provides a list of elements that must be removed in order to consider the information de-identified. The list also serves as a good reference for identifying what is considered to be PHI.

91 The following demonstrates de-identified data: [figure with "Before" and "After" panels not reproduced]

92 Disclosure of PHI
Now that you understand what PHI is, and that the Plan will disclose a limited data set or minimum necessary to accomplish a specific task, the question remains: To whom can the Plan disclose PHI?
The Plan will disclose PHI:
- To the individual who is the subject of the PHI
- To an individual's Personal Representative (with proper documentation on file)
- To a third party named in an Authorization to Disclose PHI form that is signed by the individual or personal representative
- Without authorization for purposes of payment, treatment or healthcare operations. Examples of this are to providers, facilities or regulatory agencies
- Business Associates (with proper documentation on file. This will be addressed in more detail in a coming slide)
Examples of situations where an authorization is required include:
- Sharing of PHI with anyone other than the individual, including spouse, family members, children age 18 or older and group leaders (very limited exceptions)
- Use of PHI for the purpose of marketing and research
- Psychotherapy notes

93 Disclosure of PHI
In conjunction with Federal Privacy laws, many states protect certain medical conditions even further including:
- HIV / AIDS
- Substance Abuse
- Mental Health conditions
- Genetic Testing
- Abortion
- Sexually Transmitted Diseases
Disclosure related to HIV/AIDS requires a specific state-approved authorization form. For disclosure related to the other protected health diagnoses, it must be specifically identified in our authorization form.
Due to the heightened protection around these conditions, internal documentation and disclosure must be limited to the minimum amount necessary to accomplish the task. Be sure to always check the Authorization Database prior to disclosing information to a third party.
Related Corporate Policies:
- Authorization to Disclose PHI (CP1080)
- Personal Representative (CP1230)
- Disclosure to Business Associates (CP1090)
- Intra-entity Privacy Agreements (CP1210)
- Identity Verification (CP1220)
- Use, Disclosure and Safeguard of PHI (CP1320)
- Disclosure of PHI for Research Purposes (CP1250)
- Marketing and Fundraising Use of PHI (CP1260)

94 Business Associates (CP1090)
Business Associates are people or organizations that are contracted to carry out activities on behalf of the organization that require the use or disclosure of PHI. Examples of business associates include external auditors, First Tier, Downstream and Related Entities (FDRs) and vendors.
Since business associates may be required to use or disclose PHI, the covered entity and the business associate must enter into a Business Associate Agreement (BAA). This agreement specifies the terms and conditions for the use and disclosure of PHI and dictates the business associate's responsibilities for maintaining the safety and security of the information.
Disclosure to the business associate must adhere to the limited data set/minimum necessary standard. BAAs must be in place before PHI can be shared with the business associate.
The Health Plan BAAs are maintained by the Contracts Office. For information regarding subsidiary BAAs, contact the Privacy Office.

95 Identity Verification
Who are you?
In all situations, and before disclosing information, it is important to verify the identity of the person to whom you are disclosing PHI and, when applicable, ensure that the Plan has a valid PHI authorization on file*.
Verifying identity, aka authentication, occurs when you ask an individual a series of questions to ensure that he/she is who he/she claims to be. For example, you might ask a caller to verify his/her name, address and date of birth before disclosing PHI. If the individual presents in person, you could ask the same questions or ask for a picture ID.
Especially tricky are situations where individuals share the same name and same date of birth. If you come across unusual situations such as this, contact the Privacy Office; there are additional steps the Plan can take to safeguard PHI.
* If you do not know how to verify identity, or confirm that a current, valid authorization is on file, consult with your management.
Related Corporate Policies:
- Authorization to Disclose PHI (CP1080)
- Personal Representative (CP1230)
- Identity Verification (CP1220)
- Use, Disclosure and Safeguard of PHI (CP1320)

96 Disposal of PHI (CP1310)
Most of us use PHI on a daily basis. All paper documents must be disposed of in the proper bins.
Documents containing protected or confidential proprietary information must be placed in locked recycle bins for shredding in order to safeguard against unauthorized access. PHI should never be placed in recycle bins that are not locked.
Computer media (disks, tapes, hard drives, microfilm, copy machines, etc.) containing protected or confidential data must be wiped clean of data or physically destroyed.

97 Unauthorized Disclosures
A breach is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security and/or privacy of the PHI.
Examples of potential breaches may include, but are not limited to, PHI that:
- is stolen, lost or misrouted
- includes social security number or other identifying number
- is disclosed to an unintended/unauthorized recipient such as enrollment information, test results, or explanation of benefits
- was improperly disposed of
- was e-mailed without being secured ("zixit" at the end of the subject line) or sent to the incorrect address
- was accessed without a job-related need-to-know
Related Corporate Policies:
- Breach Notification (CP1330)
- Workforce Use, Access and Disclosure of PHI (CP1340)

98 Unauthorized Disclosures
Along with civil and criminal penalties that could be imposed, a breach can damage the Corporation's public image and trust.
If an unauthorized disclosure occurs, it must be reported to the Privacy Office immediately upon discovery. It is imperative that known or suspected breaches be reported immediately in order to comply with required notification timelines that may apply.
The Privacy Office will investigate the unauthorized disclosure, including the completion of a risk assessment, to determine the proper course of action. The Privacy Office will provide guidance related to the necessary and compliant action to mitigate a known or suspected breach.

99 Reporting Unauthorized Disclosures
An unauthorized disclosure can be reported to the Corporate Privacy Office using the Accounting of Disclosure form on Fingertips, or for urgent situations, by calling the Privacy Office Hotline ( ) or by contacting the Divisional or Corporate Privacy Officer (listed in the next slide).
When reporting to the Privacy Office, it is important to have as much information as possible, but do not delay in reporting if you do not have it. To aid in the investigation, it is helpful to know:
- What was disclosed (specific data elements)
- Why information was disclosed (e.g. human error, system issue, misrouted)
- How you discovered the issue
- Where the information is now (returned, destroyed, etc.)
- When the disclosure occurred
If you have taken any corrective action, that also should be included.

100 Contacting Privacy Officers
The Corporate and Division Privacy Officers are listed below. For the most up-to-date listing, consult your supervisor or the Corporate Compliance home page on Fingertips.
Name | Region | Contact
Kelly Wheeless | Lifetime Healthcare Companies, Excellus Health Plan | Phone: (315)
Robyn Shaffer | Lifetime Care | Phone: (585)
Susan Fenimore | SSA | Phone: (800) , x214
Angela Hoteling-Rodriguez | MedAmerica LTC | Phone: (585)
Elaine Vanderland | Lifetime Health Medical Group | Phone: (716)
Suzanne Budd | EBS-RMSCO | Phone: (315)
You can also e-mail the Corporate Privacy Officer at:

101 Individual Rights
The Privacy Rule provides for a number of individual rights including, but not limited to:
Right to Access (CP1030): An individual has the right to access the health information used to make a decision about that individual. This is referred to as a Designated Record Set (DRS).
If an individual wishes to access his/her complete DRS, a request must be submitted in writing and is reviewed by the Privacy Office or designee. Partial requests, such as demographic information or medical notes, are handled by the applicable business area.
As part of the recently published Omnibus Final Rule, additional provisions will be implemented related to electronic health records.
For information on how to request a full or partial DRS, refer to departmental procedures. Denial of a full DRS must be approved by the Privacy Office.

102 Individual Rights
Right to Amend (CP1060): Individuals have the right to request an amendment or corrections to their DRS if the information is incomplete or inaccurate. Under certain circumstances, the Corporation may deny the amendment. In most situations, the amendment is handled as standard operating procedure.
Right to Request a Restriction (CP1160): Individuals may request restrictions on how their information is used, shared or disclosed for treatment, payment or healthcare operations. However, because a restriction on further use or disclosure may prevent the Plan from conducting business related to treatment, payment or healthcare operations, the Plan is not required to honor an individual's request.
Examples of when the plan may honor a restriction on further use or disclosure involve a patient's right to request that a provider of care not disclose information regarding a particular treatment to a health insurance carrier. In this situation, the patient must pay in full for services rendered.

103 Individual Rights
Right to an Accounting of Disclosures (CP1040): Individuals may request information related to how their health information was used and shared (other than disclosures made for treatment, payment and healthcare operations or to someone the Plan has been authorized to disclose). The request for an Accounting of Disclosure must be submitted in writing and is handled by the Privacy Office or designee.
In order for the Plan to track disclosures, it is important that you report unauthorized or certain permissible disclosures (such as fraud investigations or court-ordered disclosures) to the Privacy Office. This is done by completing an Accounting of Disclosure form that can be found on the Corporate Compliance Intranet page or by contacting the Privacy Office. More information on what must be reported and instruction on how to complete the form can be found on the Corporate Compliance/Privacy & Confidentiality webpage of Fingertips.
Disclosures containing PHI that must be reported to the Privacy Office include, but are not limited to, mail/e-mail sent to an incorrect recipient, document loss or theft, subpoenas or court orders, special investigations and disclosures to individuals without a valid authorization form on file.

104 Individual Rights
Right to Confidential Communication (CP1050): This allows an individual to request that the Plan communicate with him/her through alternative locations when the individual believes it would be harmful to communicate with him/her using the normal means.
The Plan may request the individual complete a confidential communication request form that includes a clear statement that disclosure of all or part of the PHI could endanger the individual if not communicated by an alternative means.
The Plan may see these requests with the mailing of Explanation of Benefits, calls for appointment reminders, etc.

105 Workforce Compliance and Mitigation (CP1180)
Anyone who violates the privacy policies and procedures is subject to disciplinary action up to and including termination of employment.
Anyone who suspects a violation of the privacy policies or procedures must report the suspicion to the Corporate Privacy Office.
With the enactment of HITECH, civil and criminal action can be pursued by the Department of Health and Human Services, as well as State Attorneys General.
Violations of privacy laws and regulations could result in civil and criminal fines and penalties.

106 Thank you!!!! You have completed this course.

107 Contractor Privacy Training Test Questions
1. E-mail messages containing PHI must be manually encrypted using zixit when:
A. Sent from the copy machine
B. Sending an e-mail to a group
C. Sending an e-mail to a provider
D. All of the above
2. Complete the statement so that it is true. Identity Verification
A. is not required when the caller is the subscriber
B. is the same as checking for an authorization
C. is a process to confirm that the caller is who they say they are
D. must only be done when a group leader calls
3. True or false: All business relationships that require the access to, use or disclosure of our member PHI must have a Business Associate Agreement, or in some cases a confidentiality agreement, in place.
True
False
4. Identify the violation in this scenario. I am an employee and recently attended a training session to learn a new software program on the computer system. After training, I went into my own file so that I could practice. While in there, I noticed my address was incorrect so I changed it. I wanted to make sure that all of my medical information was going to be sent to the correct address, so I checked my medical records and claims to make sure they had the correct address, which they did.

108
A. Using your own file for practice
B. Changing the address
C. Viewing medical records and claims
D. All of the above
5. Identify the best course of action in the following scenario. A call is received indicating that a regulatory agency has received the incorrect medical records for a case they are reviewing. It is discovered that the employee that fulfilled the request sent medical records for a different individual. You would:
A. Apologize, send the correct records and document the call
B. Advise the agency that the correct records will be faxed and then notify the member whose information was disclosed in error
C. Send the correct records, ask for the return of the incorrect records, and then notify the Privacy Office
D. Ask the regulatory agency to return the records and once received, the correct records will be sent
6. An individual contacts us and asks for a copy of their medical records. You:
A. Tell them that the records are confidential and we cannot send them
B. Copy the records; have the content reviewed and approved, then send them
C. Obtain a copy of the records but white out most information because it is confidential, protected health information
D. Send them a copy of the medical records and everything else we have on file
7. Identify the best course of action in the following scenario. An individual calls and indicates they have not received any correspondence from us at all and is wondering why. Part of the process is to verify the individual's address, at which time you realize that the address is incorrect. What would you do?

109
A. Change the address
B. Ask the individual to submit an address change request
C. Change the address, resend correspondence mailed during the time period in question and submit an Accounting of Disclosure form to the Privacy Office
D. None of the above
8. Mary is an employee that runs reports to monitor usage and services. Mary shares the reports with other employees. She received a specific request to include individuals with HIV related services. Can Mary provide that report to the requestor?
No. Mary must remove all HIV related information before she can share the report with other employees.
Yes. Mary may share the HIV related information with others if the need to know protocols authorize them to access HIV related information and they reasonably need that information in order to perform their job related duties.
9. True or false: As long as we are meeting all of the requirements set by the HIPAA Privacy Regulations, there is nothing else we need to be concerned with regarding privacy and confidentiality.
True
False
10. You are asked for a document that explains our procedures on how we protect member/patient privacy. What is the best response?
A. Advise the inquirer to contact the Privacy Office and give them the telephone number
B. Send a letter explaining how we authenticate individuals asking for information, require authorizations and limit access to our processing systems
C. Send a copy of the Notice of Privacy Practices
D. Refer the caller to our web site

110 Information Security Training Presented by Corporate Data Security and Office of Corporate Ethics & Compliance

111 Introduction
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to establish a national set of standards or rules for:
- Privacy
- Transactions and Code Sets
- Identifiers
- Security
This training program incorporates many other state and federal laws and regulations that address privacy and security in addition to HIPAA. This training:
- Provides an overview of Transactions and Code Sets
- Explains Identifiers
- Provides important information regarding the Final Security Rule and Corporate Data Security

112 Transactions & Code Sets

113 Transactions
National standards for electronic healthcare transactions are required under HIPAA. The term "transaction" refers to the electronic exchange of information for the purpose of carrying out financial or administrative activities related to healthcare. The intent for this standard is to simplify the process, reduce administrative costs and improve efficiency. All healthcare providers who engage in any of the identified electronic transactions must comply with the standard.
Examples of electronic healthcare transactions include:
- Submission of healthcare claims or encounter information
- Healthcare payment and remittance advice by a health plan
- Coordination of benefits to include the transmission of payment information between payers with different payment responsibilities
- Referral certification and authorization
- Exchange of information regarding eligibility, coverage and benefits under a subscriber's policy

114 Code Sets
Medical data code sets are required for diagnoses, procedures and drugs. Specific code sets have been adopted under HIPAA standards including the ICD-9/ICD-10 and CPT-4 codes. Other code sets that have been adopted include those associated with claims for medical supplies, dental care and drugs.
For personnel whose positions require more detailed information related to this topic, additional training materials are available through your manager.

115 Identifiers

116 Identifiers
The final rule for a standard unique employer identifier was published in the Federal Register. This rule requires specified entities to have standard national numbers that identify them on standard transactions. The Employer Identification Number (EIN), issued by the Internal Revenue Service (IRS), was selected as the identifier for employers. Health plans, healthcare clearinghouses and healthcare providers must use this identifier in connection with certain electronic transactions.
The use of this identifier will improve the effectiveness and efficiency of the healthcare industry in general by simplifying the administration of the system and enabling the efficient electronic transmission of certain health information.
For personnel whose positions require more detailed information related to this topic, additional training materials are available through your manager.

117 Information Security

118 Information Security
Information Security is the protection of information from unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional and whether in storage, processing or transit.
Information resources include data, processes, equipment, technology and the people involved in making the best use of the information.
Every end user is responsible for securing protected and/or sensitive information and data.

119 Information Security
Information assets include, but are not limited to:
- Desktop PCs
- Laptops
- Mobile Devices
  - Smart phones
  - Cell phones
  - PDAs
  - etc.
- Media & Storage devices
  - CDs
  - Diskettes
  - USB (thumb) drives
  - printed output
  - electronic data

120 Information Security
Notify the Corporate IT Help Desk and your supervisor immediately upon:
- The loss, suspected loss or theft of a portable computing device, including, but not limited to, laptops, PDAs, smart phones, cell phones, USB storage devices and other external drives.
Notify Corporate Data Security when you experience:
- The loss, suspected loss or disclosure of sensitive company information to unauthorized parties.
- The occurrence or suspected occurrence of unauthorized access or use of corporate information systems.
- The loss, suspected loss, theft or disclosure of passwords or other system access control mechanisms.
- The occurrence or suspected occurrence of copies being made without the appropriate license or approval by the copyright holder/software manufacturer.

121 Mobile Device Security
A mobile device can be defined as a hand-held computing device, typically having a display screen with touch input and/or a miniature keyboard.
Mobile devices include but are not limited to:
- Laptops
- Smart phones (e.g., iPhone, BlackBerry, Palm, etc.)
- Cell phones
- Personal Digital Assistants (PDAs)
- Tablet PCs (e.g., iPad)
- Removable media, any other portable device capable of storing data

122 Mobile Device Security
These devices are used for electronic communications. Electronic communications shall be defined as the transmission of information via e-mail, blog, wiki, instant messaging and text messaging.
As defined in the Acceptable Computer Usage policy, users must also comply with all security and privacy measures defined by the Corporation. Users must refrain from disclosing internal and confidential information in their possession without first obtaining permission from the Data Owner.
As defined in the Corporate Mobile Device Standard:
- All mobile devices containing internal or confidential corporate data must use an approved method of encryption to protect the data
- The use of SMS / Texting to send internal or confidential data is prohibited
- Storing corporate data on non-corporate smart phones is expressly prohibited

123 Laptop Security
Laptops, Netbooks and PDAs are easily lost or stolen. This puts the information stored on them at an increased risk of being compromised. These devices are a primary target for thieves, who steal them for resale or to obtain the information stored on them.
If your mobile device is lost or stolen, sensitive business information could be exposed. The average business laptop is thought to contain information worth over $500,000. Therefore, as the users of these devices, you are the first line of defense when it comes to ensuring they are properly protected.
If your laptop is stolen, it must be reported to the Help Desk immediately. Although all electronic devices are required to be encrypted, they must be disabled if stolen and the incident researched by Corporate Data Security and/or the Corporate Privacy Office.

124 Laptop Security: In the Office
Lock it Up
If you are using a docking station, use the lock if you must leave a laptop unattended. Laptops are frequently stolen within office environments. When leaving your laptop unattended, be sure to use the password lock by pressing the CTRL, ALT, DELETE keys simultaneously. When leaving the office, lock up the device in a secure location.
Backup
Ensure all critical information stored on laptops or mobile devices is backed up to a corporate network share drive, guaranteeing information recovery in the event of device loss, theft or hardware failure. Only store information that is needed.
Bag and No Tag
Bags should not display visible markings or labeling, such as business cards or company logos, as this provides clues to the value of the contents or information inside. Do not leave written-down usernames or passwords, or your business VPN access token, in the same bag as your laptop, as this could provide unauthorized access to information. Ensure all zippers and pockets are closed, and consider using small padlocks or cable ties to secure them. This will help ensure no one can take anything out, or put anything in, without you noticing.

125 Laptop Security: When Traveling or Working Remotely

Public Places: Avoid working on sensitive information, or sit with your back to a wall and/or use a laptop privacy screen. This will prevent shoulder surfing, ensuring no one can view sensitive information displayed on screen. Avoid conducting sensitive phone calls in crowded public areas where everyone will be able to hear your conversation. Look out for your devices in distracting situations, such as checking out of a hotel or buying a coffee with your credit card. Try not to lose contact with your laptop bag during these times and never leave your laptop or mobile devices unattended, even for a short while.

Car Travel: Never leave your laptop or other mobile devices in full view on the seat of a car, as this makes them a tempting target for thieves. Always lock them out of sight, in the trunk. For extra security, remove the laptop when leaving your car. If you are leaving your laptop or mobile devices in your car, place them in the trunk before reaching your destination, so that no one sees you doing it when you park.

126 Laptop Security: When Traveling or Working Remotely (cont.)

Hotel Accommodations: Do not leave your laptop or mobile devices unsecured in your hotel room, as hotel rooms are not safe places at all. Remember you are not the only person with a key to your room. If you must leave them unattended in your room, always store them inside the room safe. If there is no room safe, lock your laptop out of sight using a cable lock if possible. Never leave laptops or other mobile devices with hotel personnel or the concierge.

Airplane Travel: Never check laptops or mobile devices with your luggage, as they will likely get damaged and may be stolen. Always ensure they remain in your carry-on baggage. While at the airport, keep an eye on your devices. Avoid putting your laptop bag on the floor and, if you do, hold it between or rest it against your legs to remain consciously aware of it at all times. When on a plane, avoid placing laptops or mobile devices in the overhead bin, where there is the potential for them to be damaged or stolen, especially when the aircraft is full. Instead, keep them under the seat in front of you.

127 Acceptable Usage (IT1060)

Know What is Acceptable: Familiarize yourself with the corporate Acceptable Computer Usage policy. This policy provides governance regarding the appropriate and acceptable use of corporate computing resources. This includes, but is not limited to, the use of email, blogs, forums and other social media types, Internet, workstations (desktop or laptop computers), smartphones, cellphones, Personal Digital Assistants (PDAs), etc. This policy is designed to protect both you and the corporation.

128 Acceptable Usage: Email

You may not use the corporate system to share personal photos, movies, or other sizeable information. Occasional personal use of emails is permitted, as noted in Corporate Policy IT1060-Acceptable Computer Usage. Occasional and incidental personal use of email is permitted, if it does not interfere with an individual's work and company operations and does not violate any company policies, practices, or other directives.

129 Acceptable Usage: Encryption

An email sent without encryption is like sending a postcard; it can be read by anyone along the way to its destination. An email sent with encryption is like sending a letter inside a sealed envelope; it can only be opened and read by the recipient. Internal and confidential data sent outside of the corporate network must be encrypted.

Important Note: Subject Line contents cannot be encrypted; therefore Internal and Confidential Data must be limited to the body of the email. Refer to Encryption Policy (IT1070) for further details.

In some circumstances, there is no sender interaction to encrypt email; this process is completely automated. However, to ensure the security of email, you should always manually encrypt email that contains PHI, including in attachments. If you want to initiate encryption, regardless of content, you can use a special keyword at the end of the subject line of your email, and it will be automatically encrypted. The Keyword is: ZIXIT

To learn more about secure messaging visit:

130 Computer User Access

Computer users typically have access to a variety of systems and applications based on their job responsibilities. This access will need to be suspended or removed upon change in status notification. Currently, in accordance with our Corporate Standard, when a user has a status change resulting in new job responsibilities, all access will be removed on the effective date of the status change, with the exception of Lotus Notes and the Network Logon for this person. Managers will need to prepare in advance to ensure that adequate transition has occurred. If additional security access is required for the new job responsibilities, the manager will need to request the applicable access.

131 Corporate Security Policies and Standards

To assist you in understanding and carrying out your role in protecting Lifetime Healthcare Companies' information, the Plan has developed security policies, procedures and standards. By following these guidelines, you will contribute to the protection and integrity of data within our business systems, network and computing facilities.

One policy to be familiar with is Data Security (IT1010). This policy defines the basic principles of The Lifetime Healthcare Companies' data security program and associated security policies that provide reasonable and effective controls for protecting corporate resources including, but not limited to, data and systems. The policy will assist you in understanding the policies, standards and controls that: serve to safeguard corporate assets approved by the Corporation; comply with statutory and regulatory mandates; support the corporate objectives; and protect the confidentiality, integrity and availability of corporate data.

132 Corporate Security Policies

The following is a list of all approved Corporate Data Security Policies:

IT1010 Data Security
IT1020 Computing Equipment Re-use and Disposal
IT1030 Data Backup
IT1050 Disaster Recovery & Business Continuity
IT1060 Acceptable Computer Usage
IT1070 Encryption
IT1100 Remote Access
IT1110 Security Monitoring
IT1130 Computer Virus Control
IT1140 Wireless Communications
IT1160 Security Breach
IT1170 Data Classification
IT1180 Software Licensing
IT2010 Change Management
IT2020 Electronic PHI Risk Assessment

To view these policies visit:

133 Corporate Security Standards

The following is a list of all approved Corporate Data Security Standards.

Viewable to All: Access to Data Application Security Blackberry Copier & Printer Data Backup Data Encryption Disaster Recovery Exercises Mobile Device Remote Access Remote Requirements Risk Management Secure File Transfer User & Service Accounts Virus Control Vulnerability/Patch Management

Restricted View: AIX DB2 / IMS DMZ Equipment High Powered System Authority IBM HTTP Server (IHS) Internet Information Services (IIS) Lotus Notes Network Devices Oracle Database pcAnywhere Solaris/Solaris10 Terminal Services UNIX / Linux VOIP Windows XP/7 Desktop Windows 2000/2003/2008 Server WebSphere Application Server (WAS) Wireless Configuration

To view these policies visit:

134 Violation of Security Policy

Any suspected or confirmed violations of Corporate Policy must be reported to the Corporate Data Security Officer or to the Corporate Data Security department. You may also choose to place an anonymous report to the Security hotline. All suspected violations will be investigated. Any violation of the Corporate Data Security policies will be met with disciplinary action. Possible penalties include termination of employment or business relationship with the Lifetime Healthcare Companies and/or criminal prosecution.

135 Corporate Data Security Contact Information

The Corporate Security contact information is listed below. For the most up-to-date listing, consult your supervisor or the departmental web pages on Fingertips.

Corporate Security Officer: Patrick Celeste, Telephone: (800)
Security Questions or Concerns, Telephone: (315)
Anonymous Security Hotline: (800)

De-Centralized Security Officers
Patrick Celeste - Excellus Health Plan, Phone: (585)
Brenda Rogers - Lifetime Health Medical Group, Phone: (716)
John Cauvel - Lifetime Care, Phone: (585)
Patrick Leone - MedAmerica, Phone: (585)
Greg Cohen - EBS-RMSCO, Phone: (315)

136 Thank you!!!! You have completed this course.

137 Contractor Information Security Training Test Questions

1. True or false: Information security only involves protecting computers.
True / False

2. You are in the office. You have your laptop in a conference room for a meeting and it is time for lunch. You should:
A. You are in the office, so the laptop will be okay until you come back
B. Take your laptop back to your desk and secure it
C. Make sure you password lock your laptop, turn off the lights and close the door

3. True or false: Any suspected or confirmed violations of Corporate Security Policy must be reported to the Corporate Data Security Officer or to the Corporate Data Security department.
True / False

4. You pull into your driveway from a long day's work and your laptop is in the case in the back seat. What is the best practice?
A. Place it in the trunk so it is not visible
B. It is in the laptop bag, so it can stay in the back seat until morning
C. Remove the laptop from the car and take it inside with you

5. To: [email protected] Cc: [email protected] From: [email protected] Subject: John Smith ID#

138 John claims for account # for services rendered by Oncology Unit at the have been processed.

What should be done before sending this email?
A. Remove the identifying number from Subject Line
B. Remove John Smith from Subject Line
C. Add the words ZIXIT at the end of the Subject Line
D. All of the above

6. You have recently started selling cooking products in the evenings for additional income. You really want individuals to be aware of your new business and plan on using your company account and telephone to organize parties and communicate with party hosts regarding supplies needed, orders, and other related details. These actions are:
A. Acceptable as long as I don't include people that don't like junk
B. A violation of the corporate policy
C. Okay as long as I get management approval

7. Today is January 1st and John Smith is transferring from Claims to Customer Service on February 1st. What are the appropriate next steps?
A. New access should be given to John now, so he can learn his new job and finish working on his current job
B. Access request should be submitted by the new manager to have new access granted on February 1st
C. Nothing, everything can be sorted out after John transfers

139 8. May employees use the corporate system to share personal photos, movies, or other sizeable information?
Yes / No

9. True or false: Medical data code sets are required for diagnoses, procedures and drugs. Specific code sets have been adopted under HIPAA standards including the ICD-9/ICD-10 and CPT-4 codes.
True / False

10. Which of the following is NOT correct?
A. All mobile devices containing internal or confidential corporate data must use an approved method of encryption to protect the data
B. Storing corporate data on non-corporate smart phones is expressly prohibited
C. The use of SMS / Texting to send internal or confidential data is prohibited
D. These are all correct


More information

A summary of administrative remedies found in the Program Fraud Civil Remedies Act

A summary of administrative remedies found in the Program Fraud Civil Remedies Act BLACK HILLS SPECIAL SERVICES COOPERATIVE'S POLICY TO PROVIDE EDUCATION CONCERNING FALSE CLAIMS LIABILITY, ANTI-RETALIATION PROTECTIONS FOR REPORTING WRONGDOING AND DETECTING AND PREVENTING FRAUD, WASTE

More information

What is a Compliance Program?

What is a Compliance Program? Course Objectives Learn about the most important elements of the compliance program; Increase awareness and effectiveness of our compliance program; Learn about the important laws and what the government

More information

SOUTH NASSAU COMMUNITIES HOSPITAL One Healthy Way, Oceanside, NY 11572

SOUTH NASSAU COMMUNITIES HOSPITAL One Healthy Way, Oceanside, NY 11572 SOUTH NASSAU COMMUNITIES HOSPITAL One Healthy Way, Oceanside, NY 11572 POLICY TITLE: Compliance with Applicable Federal and State False Claims Acts POLICY NUMBER: OF-ADM-232 DEPARTMENT: Hospital-wide CROSS-REFERENCE:

More information

I. Policy Purpose. II. Policy Statement. III. Policy Definitions: RESPONSIBILITY:

I. Policy Purpose. II. Policy Statement. III. Policy Definitions: RESPONSIBILITY: POLICY NAME: POLICY SPONSOR: FRAUD, WASTE AND ABUSE COMPLIANCE OFFICER RESPONSIBILITY: EFFECTIVE DATE: REVIEW/ REVISED DATE: I. Policy Purpose The purpose of this policy is to outline the requirements

More information

NewYork-Presbyterian Hospital Sites: All Centers Hospital Policy and Procedure Manual Number: D160 Page 1 of 9

NewYork-Presbyterian Hospital Sites: All Centers Hospital Policy and Procedure Manual Number: D160 Page 1 of 9 Page 1 of 9 TITLE: FEDERAL DEFICIT REDUCTION ACT OF 2005 FRAUD AND ABUSE PROVISIONS POLICY: NewYork- Presbyterian Hospital (NYP or the Hospital) is committed to preventing and detecting any fraud, waste,

More information

Metropolitan Jewish Health System and its Participating Agencies and Programs [MJHS]

Metropolitan Jewish Health System and its Participating Agencies and Programs [MJHS] Metropolitan Jewish Health System and its Participating Agencies and Programs [MJHS] POLICY PURSUANT TO THE FEDERAL DEFICIT REDUCTION ACT OF 2005: Detection and Prevention of Fraud, Waste, and Abuse and

More information

Avoiding Medicaid Fraud. Odyssey House of Utah Questions? Contact your Program Director or Emily Capito, Director of Operations

Avoiding Medicaid Fraud. Odyssey House of Utah Questions? Contact your Program Director or Emily Capito, Director of Operations Avoiding Medicaid Fraud Odyssey House of Utah Questions? Contact your Program Director or Emily Capito, Director of Operations MEDICAID FRAUD OVERVIEW Medicaid Fraud The Medicaid Program provides medical

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

Title: Preventing and Reporting Fraud, Waste and Abuse in Federal Health Care Programs. Area Manual: Corporate Compliance Page: Page 1 of 10

Title: Preventing and Reporting Fraud, Waste and Abuse in Federal Health Care Programs. Area Manual: Corporate Compliance Page: Page 1 of 10 Title: Preventing and Reporting Fraud, Waste and Abuse in Federal Health Care Programs Area Manual: Corporate Compliance Page: Page 1 of 10 Reference Number: I-70 Effective Date: 10/02 Contact Person:

More information

Prime Staffing-Fraud, Waste and Abuse Prevention Training Guide Designed for First-tier, Downstream and Related Entities

Prime Staffing-Fraud, Waste and Abuse Prevention Training Guide Designed for First-tier, Downstream and Related Entities Prime Staffing-Fraud, Waste and Abuse Prevention Training Guide Designed for First-tier, Downstream and Related Entities Prime Staffing is providing this Fraud, Waste and Abuse Prevention Training Guide

More information

Charging, Coding and Billing Compliance 9510-04-10

Charging, Coding and Billing Compliance 9510-04-10 GWINNETT HOSPITAL SYSTEM CORPORATE COMPLIANCE Charging, Coding and Billing Compliance 9510-04-10 Original Date Review Dates Revision Dates 01/2007 05/2009 POLICY Gwinnett Health System, Inc. (GHS), and

More information

Combating Medicare Parts C and D Fraud, Waste, and Abuse

Combating Medicare Parts C and D Fraud, Waste, and Abuse Combating Medicare Parts C and D Fraud, Waste, and Abuse Why Do I Need Training? Every year billions of dollars are improperly spent because of FWA. It affects everyone including you. This training will

More information

VNSNY CORPORATE. DRA Policy

VNSNY CORPORATE. DRA Policy VNSNY CORPORATE DRA Policy TITLE: FEDERAL DEFICIT REDUCTION ACT OF 2005: POLICY REGARDING THE DETECTION & PREVENTION OF FRAUD, WASTE AND ABUSE AND APPLICABLE FEDERAL AND STATE LAWS APPLIES TO: VNSNY ENTITIES

More information

B. Prevent, detect, and respond to unacceptable legal risk and its financial implications. C. Route non-compliance issues to appropriate areas.

B. Prevent, detect, and respond to unacceptable legal risk and its financial implications. C. Route non-compliance issues to appropriate areas. Policy Ashe Memorial Hospital (AMH) is committed to effective and efficient operations, reliable financial reporting and compliance with all applicable laws and regulations. It is the policy of AMH to

More information

CORPORATE COMPLIANCE POLICY AND PROCEDURE

CORPORATE COMPLIANCE POLICY AND PROCEDURE Title: Fraud Waste and Abuse Laws in Health Care Policy # 1011 Sponsor: Corporate Approved by: Carleen Dunne, Director, Corporate and Privacy Officer Issued: Page: 1 of 7 June 25, 2007 Last Reviewed/Updated

More information

CHAMPAIGN COUNTY NURSING HOME SUMMARY OF ANTI-FRAUD AND ABUSE POLICIES

CHAMPAIGN COUNTY NURSING HOME SUMMARY OF ANTI-FRAUD AND ABUSE POLICIES 1. PURPOSE CHAMPAIGN COUNTY NURSING HOME SUMMARY OF ANTI-FRAUD AND ABUSE POLICIES Champaign County Nursing Home ( CCNH ) has established anti-fraud and abuse policies to prevent fraud, waste, and abuse

More information

SECTION 18 1 FRAUD, WASTE AND ABUSE

SECTION 18 1 FRAUD, WASTE AND ABUSE SECTION 18 1 FRAUD, WASTE AND ABUSE Annual FW&A Training Required for Providers and Office Staff 1 Examples of Fraud, Waste and Abuse 2 Fraud, Waste and Abuse Program Policy 3 Suspected Non-Compliance

More information

Reports of Compliance Concerns and Violations

Reports of Compliance Concerns and Violations The University of Chicago Medical Center Compliance Manual (UCHHS;BSD;UCPP) Reports of Compliance Concerns and Violations Issued: November 1, 1999 Reports of Compliance Concerns and Violations Revised:

More information

Compliance with False Claims Act

Compliance with False Claims Act MH Policy and Procedure Document Number: MH-COMPLY-001 Document Owner: Corporate Compliance Officer Date Last Author: Corporate Compliance Officer General Description Purpose: To establish written guidelines

More information

Federal False Claims Act (31 USC 3729 through 3733)

Federal False Claims Act (31 USC 3729 through 3733) I. INTRODUCTION The False Claims Act (FCA) is a federal law that was created to discourage and punish profiteers from providing sub-standard supplies to the Union Army during the Civil War. The FCA was

More information

ADMINISTRATION POLICY MEMORANDUM

ADMINISTRATION POLICY MEMORANDUM ADMINISTRATION POLICY MEMORANDUM POLICY TITLE: FRAUD AND ABUSE POLICY NUMBER: JCAHO FUNCTION AREA: POLICY APPLICABLE TO: POLICY EFFECTIVE DATE: POLICY REVIEWED: MCH-1083 Leadership All Employees January

More information

CMS Mandated Training for Providers, First Tier, Downstream and Related Entities

CMS Mandated Training for Providers, First Tier, Downstream and Related Entities CMS Mandated Training for Providers, First Tier, Downstream and Related Entities I. INTRODUCTION It is the practice of Midwest Health Plan (MHP) to conduct its business with the highest degree of ethics

More information