Compliance Program and HIPAA Training For First Tier, Downstream and Related Entities

Compliance Program and HIPAA Training For First Tier, Downstream and Related Entities 09/2011

Training Goals In this training you will gain an understanding of: Our Compliance Program elements Pertinent Federal and State laws and regulations How to report any suspected Compliance program and HIPAA violations Your responsibilities for preventing and reporting violations of any laws and regulations including reporting mechanisms 2

What Does Compliance Mean? In general, Compliance means adhering to rules, such as specifications, policies, standards or laws. Regulatory Compliance is the state of being in accordance with the relevant Federal and/or regional authorities and their requirements. 3

Annual Training Provided Federal and state laws require that contracted Medicare and Medicaid plans provide thorough and effective training to each employee and all first tier, downstream, related entities(fdrs) on an annual basis. Our company can not be fully compliant unless each person adheres to all regulations and compliance policies and procedures. We all have responsibilities for reporting any suspected noncompliant activities of members, providers, employees, sales agents/brokers and other first tier, downstream, related entities (FDRs). 4

Your Training Responsibilities If your organization has contracted with other entities to provide health and/or administrative services on behalf of our plan members, you must also provide this training material to your subcontractor for training. The subcontractor and any other entity they have contracted with to provide service, must also receive this training, and should maintain P&P s, materials, sign-in sheets and dates of training. 5

First Tier, Downstream and Related Entities (FDR s) Defined... First Tier Entity means any party that enters into a written arrangement acceptable to CMS with a sponsor or applicant to provide administrative or healthcare services for a Medicare eligible individual under Part D. (hospital, provider, PBM) Downstream Entity means any party that enters into a written arrangement, acceptable to CMS, below the level of a First Tier arrangement. (pharmacy, claim or billing company) Related Entity means any entity that is related to the Sponsor by common ownership or control and: Performs some of the sponsor s management functions under contract or delegation; Furnishes services to Medicare enrollees under an oral or written agreement; or Leases real property or sells materials to the sponsor at a cost of more than $2,500 during a contract period. 42 CFR 422.2 & 423.4 6

Primary Regulatory Agencies The Centers for Medicare and Medicaid Services (CMS) is a federal entity within the U.S. Department of Health and Human Services. CMS is responsible for oversight of the Medicare and Medicaid programs. The Department of Health & Human Services Office of the Inspector General. The Agency For Health Care Administration (AHCA) is responsible for the administration of the Florida Medicaid program, for the licensure and regulation of health facilities and for providing information to Floridians about the quality of health care they receive in Florida. 7

Our Compliance Plan & Program Elements Our Compliance Plan promotes the detection, resolution and prevention of incidents and instances of individual and organizational conduct that do not conform to Federal and State laws and/or company policy. 8

Our Process for Regulatory Quality Assess Compliance Monitor Effectiveness Perform Gap Analysis Implement Action Plan Develop Action Plan 9

Compliance Responsibility Compliance with all applicable Federal and State laws and regulations as well as all organizational policies and procedures is everyone s responsibility! 10

Compliance Program Elements I. Written Policies & Procedures and Standards of Conduct that articulate the organization s commitment to comply with all applicable Federal and state standards II. Designated Compliance Officers and Compliance Committee III. Effective Training and Education programs for employees IV. Effective Lines of Communication throughout the organization V. Enforcement through well-publicized disciplinary guidelines VI. Procedures for internal monitoring and auditing VII. Provisions for ensuring prompt response to detected offenses and development of corrective action initiatives VIII. A Comprehensive Fraud, Waste and Abuse Plan 11

Written Standards of Conduct The Health Plan expects all Health Plan employees and FDRs to conduct all activities with the utmost ethical integrity and in compliance with all applicable laws and regulations. Our Standards of Conduct include a code of ethics and are designed to guide Health Plan employees in their daily business and workplace operations. All employees of the Health Plan must adhere to the laws, rules, regulations and policies of applicable governmental authorities and these Standards of Conduct. Failure to do so may be grounds for disciplinary action, up to and including termination of employment or contract termination. 12

Our Standards of Conduct Include: All records, medical, operational or financial should be maintained in accordance with applicable laws and policies. Making any false statement in a medical record used to support billing of medical services is considered fraud. Employees must follow all legal and regulatory guidelines for claims reimbursement for services provided by contract providers. 13

Our Standards of Conduct Include: The Health Plan is committed to: Complying with all applicable civil rights, human rights and labor laws. Providing equal employment opportunity to all employees, and job applicants. Maintaining a workplace free from illegal discrimination, harassment, intimidation and retaliation. All hiring and promotion decisions are based on the qualifications of individual applicants or employees. 14

Our Standards of Conduct Include: No one is permitted to sign any document on behalf of the Health Plan or in any other way represent or exercise authority on behalf of the Health plan unless specifically authorized to do so. If any Health Plan employee receives a subpoena, any legal correspondence or verbal inquiry from a governmental agency regarding the Health Plan s business, wherever received, the employee must immediately notify the Compliance Officer. 15

Our Standards of Conduct Include: The Health Plan strives to provide a work environment free of sexual harassment or discrimination based on age, color, race, national origin, veteran status, religion, sex, sexual orientation, ethnicity, marital or family status, disability or any other legally protected category. Even harassing conduct that does not rise to the level of unlawful harassment may violate Health Plan policy and be grounds for discipline, up to and including termination. The Health Plan will not tolerate harassment in any form - conduct, speech, written notes, photos, cartoons or electronic mail. Violations should be reported to the Health Plan Compliance Officer. 16

Our Standards of Conduct Include: Any Health Plan employee reporting to work under the influence of alcohol or an illegal or controlled substance will be prohibited in the workplace and on any property under the control of the Health Plan and will be subject to disciplinary action, up to and including termination. Health Plan employees who are involved in workplace violence against other individuals or verbal or written threats directed at individuals will be subject to disciplinary action, up to and including termination. 17

Health Plan Code of Ethics 1. No employee of the Health Plan shall accept or solicit any gift, favor, or service that might reasonably tend to influence their discharge of official duties or that he or she knows or should know is being offered with the intent to influence his or her official conduct. 2. No employee of the Health Plan shall intentionally or knowingly solicit, accept, or agree to accept any benefit for having exercised his or her official powers or performing his or her official duties in favor of another. 3. No employee of the Health Plan shall accept employment or engage in any business or professional activity that he or she might reasonably expect would require or induce him or her to disclose confidential information acquired by reason of his or her official position. 4. No employee of the Health Plan shall disclose confidential information gained by reason of his or her official position or otherwise use such information for his or her personal gain or benefit. 18

Health Plan Code of Ethics (con t.) 5. No employee of the Health Plan shall disclose any protected health information of any member of the organization, unless such information is otherwise required by law or authorized. 6. No employee of the Health Plan shall transact any business in his or her official capacity with any business entity that is of like competing interest of the Health Plan, including entities in which he or she owns a substantial interest. 7. No employee of the Health Plan shall make personal investments that could reasonably be expected to create a substantial conflict between his or her private interest and the interests of the Health Plan. 8. No employee of the Health Plan shall accept other outside or dual employment or compensation that could reasonably be expected to impair his or her independence of judgment in the performance of his or her professional duties. 19

Health Plan Conflict of Interest: A Conflict of Interest exists any time an employee s loyalty to the Health Plan is, or appears to be influenced by an outside interest. Employees are required to avoid financial or other outside relationships that might be adverse to the interests of the Health Plan, produce conflicting loyalties, interfere with effective job performance or involve even the appearance of such adverse interests, conflict or interference. Employees are prohibited from: Having a direct or indirect interest, financial or otherwise, in a corporation or business, Engage in professional activity, or Incur an obligation of any nature that is in substantial conflict with or might reasonably tend to influence the discharge of their official duties. 20

FDR Conflict of Interest FDRs are expected to ensure there is no conflict of interest, financial or otherwise that may be seen as a conflict with servicing beneficiaries of the Plan. If any situation should arise in the future that the FDR believes may involve a conflict of interest, it should be disclosed to the Health Plan. 21

FDR Conflict of Interest FDRs are expected to ensure that their managers, officers, and directors that are responsible for the administrative or delivery of Part D benefits to sign a conflict of interest statement, attestation, or certification at the time of hire and annually thereafter certifying that the manager, officer, or director is free from any conflict of interest in administering or delivering Part D benefits. 22

Written Policies & Procedures Each department has written Policies and Procedures that provide guidance for routine and required operational processes and outcomes. They comply with all applicable federal and state statutory, regulatory and other requirements related to Medicare and Medicaid programs. Revised periodically as necessary to stay in compliance. For Health Plan employees, Policies & Procedures may be viewed on our company Intranet and upon request for FDRs. 23

Compliance Officer The Compliance Officer is responsible for high level oversight of the plan with all applicable Federal and State regulatory and other requirements related to Medicare and/or Medicaid programs. Compliance Officer Hotline: (888) 548 0094 Fax a Suspected Compliance Violation Form to: (888) 548 0092 Submit an Email to: ComplianceReporting@americas1stchoice.com Submit a Suspected Compliance Violation Form using the Compliance Drop box. Submit a Suspected Compliance Violation Form using the Compliance P.O. Box: Compliance Department P.O. Box 152137 Tampa, FL 33684 The Compliance Officer serves as a resource to the entire organization. 24

The Compliance Committee Monitors and audits regulatory environment and specific risk areas within the company Review and assist in development of Compliance Policies & Procedures and Standards of Conduct Facilitates communication throughout the organization Recommends and Monitors internal systems and controls to reduce the incidence of compliance violations Determine strategies to promote compliance and detection of potential violations Monitors internal and external audits and investigations Provide appropriate approvals, guidance and oversight for the implementation and effectiveness of the compliance program 25

Training & Education Types of Training Provided: Employee New Hire & Annual Compliance, FWA & HIPAA Departmental & Organizational Updates or newly enacted legislation and/or guidelines in response to Audits Specialized Subject Matter Department or job specific Changes to Plan specifics Corrective Actions Sales Agent and/or Broker 26

Training & Education Delivery Methods: Classroom presentations Web-Based modules Newsletters E-mails Effective Feedback and Monitoring: Testing Feedback forms Audits Training Results: Protecting Medicare & Medicaid funds that are relied upon by millions Raising awareness and involvement of employees and all other business associates 27

Effective Lines of Communication The Compliance Department maintains effective communications with all employees via various mechanisms, such as: Training sessions and feedback E-mail communications Meetings scheduled or unscheduled Displayed notices and signs Intranet postings of newsletters and other information Systems to receive, record and respond to compliance questions or reports of suspected non-compliance that include the Compliance Hotline, Compliance Violation Forms and Drop Boxes Policies and Procedures to respond and initiate corrective action including a timely and reasonable inquiry 28

Disciplinary Guidelines The Compliance Officer is responsible for investigating suspected compliance violations. Each action will be considered on a case-by-case basis and will be imposed in accordance with our disciplinary actions policies and procedures subject to internal corrective action measures. The Compliance Officer reserves the right to impose disciplinary actions to employees or First Tier, Downstream and Related Entities (FDR) for committing a non-compliant act or omission 29 of knowledge of a non-compliant act.

Disciplinary Guidelines Employees Step 1: Counseling/Training Session Step 2: Written Warning (Performance Improvement Plan) Step 3: Extension of Written Warning or Termination Delegates/FDR s Step 1: Verbal Warning (Counseling/Training) Step 2: Corrective Action Plan (CAP) Step 3: Extension of CAP or Termination of Contract or Agreement. The Compliance Officer reserves the right to skip Step 1 and Step 2 and go directly to termination of employment or contract depending on the nature of the compliance violation and the potential harm to Plan enrollees. 30

Monitoring and Auditing The Compliance Department regularly reviews standard reports and logs in order to ensure consistent adherence to policies, procedures and protocols developed by each department. Monitoring may uncover areas that may need further audit or investigation or just minor revisions. Internal and external Audits may be performed to ensure compliance of all departments, employees, processes and procedures with all regulatory requirements. Corrective Action plans are developed for areas of noncompliance. Audits are structured in a detailed manner and provide documentation required by regulatory agencies. 31

What May be Monitored or Audited? Marketing materials and activities Enrollments and/or Dis-enrollments Claims payments Reporting accuracy Training Appeals and Grievances Beneficiary notices and communications Member Services phone activity CAP ongoing performance Pharmacy Operations 32

Ensuring Prompt Response and Corrective Action Our Compliance Plan includes procedures for promptly responding to compliance issues as they are raised, as a result of: Internal audits conducted by Compliance Member or provider raised issues Employee and/or departmental self evaluations As a result, the plan is able to correct any problems quickly and thoroughly: to reduce the potential for recurrence and ensure ongoing compliance with CMS and AHCA requirements 33

Our Inquiry and Investigation Process The inquiry includes an investigation by the Compliance Officer that includes; Recording in the Compliance Log Collecting facts Review of regulations and guidance Collecting of information from involved parties and internal staff A written summary of the findings All research, inquiries, information and activities are kept totally confidential. The Compliance Officer will request a Corrective Action Plan for violations that are supported by evidence. 34

Corrective Action Plans (CAP) A Corrective Action Plan is a series of actions taken to eliminate the causes of a noncompliant or other undesirable situation. The goal of the CAP is improved performance. CAP s include: Changes to be made to bring expected future performance of a department, operational unit or individual in line with the plan or to correct the cause. Timing commitments of these changes to be met. Criteria on which performance improvements will be measured. Compliance reviews the CAP for approval and monitors for ongoing performance. 35

What You Should Do If You Suspect Compliance Issues or Fraud, Waste & Abuse... Contact the Company s Compliance Hotline: (888) 548-0094 Submit an Email to: ComplianceReporting@americas1stchoice.com Also Contact: State Attorney General: 1-866-966-7226 Agency for Health Care Administration Medicaid Program Integrity: 1-888-419-3456 Dept. of Financial Services, Div. of Insurance Fraud: 36 1-800-378-8445

Federal Health Insurance Portability and Accountability Act (HIPAA) 37

What is HIPAA? HIPAA contains provisions and rules to protect privacy and control fraud and abuse within the health care system. The HIPAA Privacy Rule outlines specific protections for the use and disclosure of Protected Health Information (PHI.) It also grants specific rights to members. The HIPAA Security Rule outlines specific protections and safeguards for electronic PHI. The HITECH Act (Health Information Technology for Economic and Clinical Health, 2010) amends certain sections of HIPAA creating new requirements for covered entities and their business associates regarding health records, Breach notifications, increased enforcement and penalties. 38

Basic HIPAA Privacy Rule The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) provides the first national standards for protecting the privacy of health information. The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called Protected Health Information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records. 39

What Is Considered PHI? Names, Addresses All elements of dates directly related to an individual, including birth date, admission date discharge date, date of death Telephone or Fax number E-Mail Address Medical Record Number Health Plan Beneficiary Number Account Numbers Certificate/License Number Vehicle Identifier and Serial Numbers (License plates) Device Identifiers & Serial Numbers URL, IP Addresses Biometric Identifiers (finger and voice prints) Full-Face Photos and Comparable Images Any other unique identifying 40 number, characteristic or code

PHI Use & Disclosure Use = Information shared within our organization Disclosure = Information provided to individuals or entities outside our organization HIPAA prohibits use or disclosure of PHI unless: It is used to provide treatment, payment or health care operations; or It s use is authorized by our member; or Not sharing the information would present a risk to public health or safety, for example reporting disease as required by statute. 41

Federal Beneficiary Inducement Statute This law is part of HIPAA and makes it illegal to offer an exchange of remuneration that a person knows or should know is likely to influence a beneficiary to select a particular provider, practitioner or supplier. Inexpensive gifts, items or services with a retail value of no more than $10.00 individually and no more than $50.00 annually per patient are acceptable practices. Prohibited remuneration does not apply to waivers of financial debt if the waiver is based on individual financial need or an inability to collect for non-routine and unadvertised waivers. 42

Reporting HIPAA Violations If you suspect any violation regarding PHI information, you should contact the Company s Compliance Hotline: 1 (888) 548 0094 Submit an Email to: ComplianceReporting@americas1stchoice.com Contact the Attorney General at: 1 (866) 966-7226 43

Additional Resources CMS Prescription Drug Manual Chapter 9: http://www.cms.gov/manuals/downloads/pub100_18.pdf Code of Federal Register: (see 42 CFR 422.503 and 42 CFR 422.504) Office of the Inspector General: http://www.oig.hhs.gov/fraud.asp and http://www.oig.hhs.gov/fraud/physicianeducation/roadmap Medicaid Fraud: http://ahca.myflorida.com/executive/inspector_general/com plaints.shtml HIPAA: http://www.hhs.gov/ocr/privacy/ 44