General Compliance Training

General Compliance Training
The University of Texas Medical Branch at Galveston

Course Overview

General Compliance
The intent of the Compliance Program is to:
- Promote compliance with all applicable laws and regulations
- Encourage and help ensure ethical conduct
- Provide education and training
- Prevent non-compliance with laws and regulations
- Detect non-compliance if it occurs
- Discipline those involved in non-compliant behavior
- Prevent future non-compliance

General Compliance: What does it mean to be in Compliance?
To be in compliance means to adhere to all laws, rules and policies that apply to your job functions. Although you are not required to know all the laws and policies for UTMB and the UT System, you are responsible for knowing and following all the laws and policies that apply to you and your job functions at UTMB. The Standards of Conduct should be used as a guide to those policies and procedures and applied to how you operate on a day-to-day basis.

General Compliance: The Standards of Conduct Guide applies to:
- UTMB Employees
- Faculty
- Fellows
- Residents
- Students
- Consultants
- Volunteers
- Sub-contractors
- Independent Contractors
- Vendors

General Compliance: How can you avoid trouble?
Follow UTMB's Guiding Principle: Do what's right. When faced with a decision or situation that causes you to question your ethical judgment, ask yourself some of the following questions:
- Does the action comply with UTMB policies and procedures?
- Is the action legal?
- How would it look to your family, friends, our patients, and the general public if it was published on the front page of the newspaper or showed up on the 6 o'clock news?
If you know it's wrong and you have to ask yourself this list of questions, don't do it!!

Progress: General Compliance; Fraud and Abuse; Confidentiality and Integrity; Business Information and Information Systems; Ethical Conduct in the Workplace and Employment Practices; Health and Safety

Fraud and Abuse: Fraud: What is it?
Fraud is defined as knowingly and willfully attempting to receive financial gain by making false statements or developing a scheme to receive anything of value. A few examples of Fraud are:
- Accepting free items in exchange for purchasing goods or services or patient referrals
- Falsifying any type of record: medical, scientific research

Fraud and Abuse: Abuse: What is it?
Abuse is defined as activities that result in excessive or unreasonable cost to UTMB or other State or Federal agencies. An example of Abuse is:
- Taking products or supplies belonging to UTMB

Fraud and Abuse: Where do I go with Compliance Issues?
If you suspect any type of wrongdoing, including fraud, waste, abuse, or violation of federal and state laws, you can report it by contacting:
- Your instructor/professor/program coordinator
- UTMB Institutional Compliance Office: (409) 747-8700
- UTMB Fraud, Abuse and Privacy Hotline: (800) 898-7679

Fraud and Abuse: Fraud, Abuse and Privacy Hotline (800) 898-7679
What is the Fraud, Abuse and Privacy Hotline? The hotline was created to allow anyone from any phone to report any suspected non-compliance issues that they are unable to discuss through regular administrative channels. Some advantages of the Fraud, Abuse and Privacy Hotline are:
- It's available 24/7, 365 days a year
- You can remain completely anonymous
- Calls are answered by an off-campus contracted company

Fraud and Abuse: What type of violations should be reported to the hotline?
The hotline should be used for violations in the following areas:
- Substantial violations of laws, policies, regulations
- Specific danger to health or safety
- Conflicts of Interest
- Abuse of authority
- Theft or abuse of property
- Gross waste of funds
- Unethical conduct
- Contract or procurement irregularities
- Bribery and acceptance of gratuities

Fraud and Abuse: Accepting Gifts, Gratuities, and Kickbacks
What you cannot accept:
- Any amount of money
- Cash currency or coin in any amounts
- Personal checks, cashier checks, money orders
- Gift certificates or gift cards
- Any gift, favor, service, or loan that might reasonably appear to influence the employee or student in the performance of duties
- Tickets to athletic or other special events are expressly prohibited by Texas law

Confidentiality and Integrity
All information at UTMB is considered confidential. As employees, students, contractors, or volunteers you may have access to some confidential information and should ensure that it is handled with the appropriate discretion. Some examples of confidential data are:
- Personnel data (UTMB employee)
- Student information
- Patient information
- Financial data
- Supplier and subcontractor information
- Employee lists and data
- Proprietary computer software

Notification of Breach of Personal Information
New federal and state laws are aimed at protecting an individual's personal information. This includes electronic, verbal and paper information. Sensitive personal information includes, but is not limited to:
- Social Security Number
- Driver's License Number
- Credit Card Number
- Protected Health Information (PHI)
A breach is an unauthorized acquisition, access, use or disclosure of data that compromises the security, privacy, or integrity of sensitive personal information.
UTMB employees and students must notify the Office of Institutional Compliance or the Office of Information Security immediately if you suspect that there has been a breach of an individual's privacy.

Confidentiality and Integrity: What can you say and to whom? Media Contact
If you are approached by a news reporter for information about UTMB, you should contact the department of Public Affairs. Public Affairs acts as the official spokesperson for UTMB and can be contacted 24 hours a day. Public Affairs: (409) 772-2618

Confidentiality and Integrity: What can you say and to whom? Government and Outside Investigators
If you receive a subpoena, inquiry, or other legal document from any government agency regarding UTMB business, immediately notify the UTMB Legal Affairs department. Legal Affairs: (409) 747-8738. Although you are not prohibited from speaking to a government agent or investigator, to protect yourself and UTMB, it is best to have them contact you at work if it is regarding any type of UTMB business.

Business Information and Information Systems: What are some examples of state owned property?
Some examples of state owned property are:
- UTMB vehicles
- Computers
- Office supplies
- Proprietary software
- Furniture
- Copiers

Business Information and Information Systems: Use of State Owned Property
UTMB Policy: UTMB assets must be used for state purposes only. Personal use of UTMB resources and the use of UTMB resources for personal financial gain is prohibited.
Policy Exceptions: The following items can be used on an occasional basis as long as there is no additional cost to UTMB:
- Email
- Internet
- Telephones (local calls only)

Business Information and Information Systems: What are some examples of misusing state owned property?
- Taking extra office supplies home for personal use
- Taking unused or broken furniture home for personal use
- Copying flyers advertising your catering business on a UTMB copier

Health and Safety: Workplace Health and Safety
All UTMB employees should perform their duties in compliance with all applicable institutional policies; federal, state, and local laws; and standards relating to the environment and protection of worker health and safety. It is each employee's duty to report any workplace injury or situation that may present itself as a danger to their immediate supervisor or the UTMB Safety Officer so that corrective action may be taken. Supervisors must report unsafe practices or conditions to the General Safety Committee or to UTMB Health and Safety Services at (409) 772-4191.

Health and Safety: Drug and Weapon Free Workplace
UTMB is committed to a drug-free and weapon-free environment. Employees reporting to work with a weapon, under the influence of an illegal drug or alcohol, or using, possessing, or selling alcohol or illegal drugs during work hours or on UTMB property may be terminated. The use of alcoholic beverages is prohibited in and on UTMB facilities. However, the President may waive this prohibition with respect to any event sponsored by UTMB.

Health and Safety: Workplace Violence
UTMB strives to assure that employees are provided a safe working environment. Violence in the workplace is not tolerated at UTMB. Employees who observe or experience any form of harassment or violence should report the incident immediately. Examples of behavior that may be considered workplace violence include but are not limited to:
- Physical interference with or restriction of an individual's movement;
- Physical fighting with anyone on UTMB property; and
- Making verbal or written threats against another employee.

Questions and Answers: Let's hear from you!

General HIPAA Awareness: What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, was passed to simplify claims processing and payment in the health care industry. Congress delegated to the Department of Health and Human Services (DHHS) the responsibility of establishing mandatory privacy and security standards to comply with the requirements of the federal law. In response, DHHS has issued federal regulations for:
1. simplifying of payment transactions, known as Electronic Data Interchange (EDI);
2. security; and
3. privacy.

HIPAA Background
The HIPAA Privacy Regulations were written in response to patient concerns that their medical information was not being protected. The following factors led to the creation of HIPAA Privacy Regulations:
- The increased use of electronic information technology.
- Advances in genetic research and availability of individuals' genetic information.
- Increased efforts to market health care products to consumers.

Understanding PHI
Regardless of where you work in healthcare, it's important to understand what privacy and confidentiality mean when protecting patient information. Protected Health Information (PHI) is identifiable health information transmitted or maintained in any form or medium, including: verbal discussions; written communications; or electronic communications with or about patients. PHI is private and limited to those who need the information for treatment, payment, and healthcare operations (TPO). Only those people who are authorized to use and disclose PHI should have access to PHI.

What Objectives Do the Privacy Regulations Accomplish?
There are 5 basic objectives the Privacy Regulations try to accomplish.
1. They give patients more control over their health information.
2. They set boundaries on the use and disclosure of health records.
3. They establish appropriate safeguards that all people who participate in or are associated with the provision of healthcare must achieve to protect the privacy of health information.
4. They hold violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
5. They strike a balance when public responsibility requires disclosure of some forms of data, for example, to protect public health.

How Does HIPAA Achieve These Objectives?
The HIPAA objectives are met through the new Privacy Regulations. The Privacy Regulations prohibit UTMB and its employees from using or disclosing an individual's PHI without an authorization from the individual, unless the use or disclosure of PHI is for Treatment, Payment, or Healthcare Operations (TPO), or in other specialized and limited situations. Additionally, UTMB must investigate violations, sanction wrongful conduct, and make process changes when required.

Penalties for Failure to Comply
UTMB Penalties for Violations: In addition to HIPAA's civil and criminal penalties, violations of HIPAA may lead to UTMB disciplinary action including:
- verbal warnings
- written warnings
- suspension or termination
Federal Penalties for Violations: There are large civil and criminal penalties for failure to comply with HIPAA. These penalties apply to individual employees, as well as UTMB as an institution.

Patient Rights Granted Under HIPAA
HIPAA grants patients several unique and special rights regarding their medical records. Under HIPAA, patients have more control over their medical information. Below are seven basic rights patients are entitled to under HIPAA.
1. Receive a Notice of Privacy Practices
2. Revoke an authorization for the use and disclosure of PHI
3. Restrict uses & disclosures of PHI
4. Access and receive a copy of their PHI
5. Request an amendment to their medical record
6. Receive an accounting of disclosures
7. File a Privacy Complaint

Storage of PHI
Would it surprise you to learn that an average of 150 people have access to your medical records during the course of a typical hospitalization? (Predictive Systems, 2002) When you add poor storage procedures and uncontrolled access to that number, the realities of potential misuse become even more vivid. The following are some examples of the kind of breaches that led to new Federal regulations governing the privacy of health information.
- Inappropriate PHI access: A Little Rock, Arkansas physician and two former employees accessed the medical records of a local television anchor just because they were curious about his medical history. Each employee was suspended and/or terminated. They were also criminally charged, and each individual faces a maximum penalty of one year in prison and/or a fine of up to $50,000.
- Inappropriate dumping of PHI: In 2006, CVS pharmacies were found to be dumping trash into open dumpsters that included pill bottles with patient names, addresses and physician names. As a result, CVS had to pay $2.25 million in penalties.
- A banker who also sat on a county health board gained access to patients' medical records and identified several people with cancer and called in their mortgages.
- Patient Info on the Internet: A Michigan-based health system accidentally posted the medical records of thousands of patients on the internet.
These examples of deliberate and accidental disclosures of information underscore the importance of establishing and maintaining effective processes for handling and storing patient information. Source: Pew Internet & American Life Project 2002

Departmental Responsibilities for Storing PHI
PHI includes any paper or electronic file which contains personally identifiable patient contact information. One of the largest issues at UTMB is the amount of stored paper PHI we produce and maintain. The HIPAA team has initiated several security measures, working closely with department supervisors, to safeguard stored PHI in files, documents, letters, invoices, etc. Some of these measures include:
- Ensuring that the doors to medical record storage rooms are locked.
- Ensuring patient charts are kept face down.
- Adding physical security measures such as doors, locks, etc., to ensure PHI is safeguarded.
- Assisting departments in establishing procedures to control access to rooms or file cabinets where PHI is stored.
The following are ways you can ensure proper storage and the security of PHI in your possession:
- Outside of regular working hours, keep your desk and work area clean and be sure to keep any PHI locked in a filing cabinet, unless the immediate area can be secured from any unauthorized access.
- PHI stored on medical equipment (e.g., EKG, Ultrasound, etc.) must be kept secure and disposed of correctly.
- If PHI is to be stored on a computer hard drive or PDA, it must be protected by either a password or encryption. If away from your computer, it must be password protected.
- If PHI is stored on diskettes, CD-ROM or other removable data storage media, it cannot be combined with other electronic information. Stored PHI must be stored separately from non-PHI data.

Photos or Images of Patients or PHI
According to UTMB IHOP Policy 9.3.2, Consent to Photograph, Video/Audio Record and/or Televise Patients, the following guidelines must be followed:
- No pictures or images of patients may be taken at UTMB unless they comply with the above IHOP Policy 9.3.2.
- No uploading of patient images to the internet, social network sites, emails or for personal use is allowed, even if patient identifiers have been removed.
- Images can only be taken for UTMB business operations that include treatment, payment, education, research or disclosures for media or advancement purposes. These require certain forms and permissions to be in place prior to taking the images.

Photos or Images of Patients or PHI
Examples of misuse that will lead to formal disciplinary action, which may include expulsion, are:
- A UTMB employee or student taking a photo of a patient and posting it on their Facebook page
- Using a cell phone to take a picture of a patient without the proper consent listed in IHOP Policy 9.3.2
- Forwarding a picture of a patient or PHI for personal use via cell phone, email or internet

Requirements for Printing & Copying PHI
1. Printers and copiers used for printing of PHI should be in secure, non-public locations.
2. If the equipment is in a public location, the information being printed or copied is required to be strictly monitored.
3. Printed versions of PHI must be promptly removed.
4. PHI printed to a shared printer must be promptly removed.
Remember: PHI is very personal information and should be treated as such.

Disposal of Paper PHI
All personnel must strictly observe the following standards relating to disposal of PHI.
- Paper or hardcopy PHI MUST NOT be discarded in the trash bins. Instead this information must be personally shredded or placed in a secured recycle bag.
- Printed material containing PHI shall be disposed of in a manner that ensures confidentiality.
- If paper records containing PHI are in your possession, it is your responsibility to make sure they are discarded properly.

Fax Machines in Your Department
Manage PHI received via fax as confidential. Fax machines used for patient care or patient related services shall not be located in areas accessible to the general public but rather must be in secure areas, and the department director or designee is responsible for limiting access to them. Each department is responsible for ensuring that incoming faxes are properly handled. Immediately remove the fax transmission from the fax machine and deliver it to the recipient. When sending PHI, use the new UTMB Fax Cover Sheet.

Reporting Privacy Breaches
If you witness activity that you believe is improper regarding patient privacy, you should report such activity to the UTMB Institutional Privacy Office. You may contact the Institutional Privacy Office by either calling the direct number or by anonymously reporting the activity through the Fraud/Abuse and Privacy Hotline.
Institutional Privacy Office, 301 University Boulevard, Galveston, Texas 77555-0198
Institutional Privacy Office: (409) 747-8700
Fraud, Abuse & Privacy Hotline: (800) 898-7679

Questions
Questions????