COMPLIANCE TRAINING 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T

Transcription

1 COMPLIANCE TRAINING 2015 QUALITY MANAGEMENT COMPLIANCE DEPARTMENT 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T

2 Compliance Program why? Ensure ongoing education & monitoring related to all aspects of the compliance program - ANNUALLY Oversee and monitor the implementation of the compliance program. Develop policies and programs that encourage managers and employees to report suspected fraud and other improprieties without fear of retaliation. Investigate and act on matters related to compliance, including the coordination of internal investigations and any resulting corrective action with all departments, and providers where applicable.

3 Compliance Program Elements & Training Requirements Compliance Department Compliance Plan Compliance Program Training & Education Audit & Monitor Code of Conduct HIPAA Fraud, Waste, and Abuse Medi-Cal & Medicare Regulatory Requirements

4 Compliance Program Promote an environment that encourages employees to report potential problems. Increase likelihood of identification and prevention of unlawful and unethical conduct. Develop procedures that allow prompt, thorough investigation of possible misconduct Develop disciplinary mechanisms to consistently enforce standards Early detection and reporting, and thereby reducing employee and organizational exposure to civil damages and penalties, criminal sanctions, and administrative remedies, such as program exclusion.

5 Training and Education All employees are required to attend compliance training. Each employee is required to sign an attestation that reflects the employee s knowledge of, and commitment to, PPMC s Code of Conduct, FWA & HIPAA Compliance. Documentation and data submission requirements

6 Code of Conduct What is it? Overarching principles & values by which PPMC operates; defines underlying framework for compliance P&Ps Expected performance in each area of operations As such, each member of the PPMC staff is responsible for compliance with the Code of Conduct. Applies to all employees, managers, directors, administrators, Medical Directors and officers of PPMC Responsible and accountable for compliance with state and federal laws and regulations, including laws governing Medi- Cal and Medicare

7 Code of Conduct Expectations? Support the mission, vision and values of PPMC as articulated in PPMC s Mission, Vision and Values Statement. Comply with state, federal and organization policies as applicable to their respective role and job responsibilities. Conduct business in a professional and ethical manner. Attend applicable educational sessions related to compliance and fraud and abuse.

8 Code of Conduct Know PPMC policies and procedures as they relate to compliance, including notification of suspected noncompliance or fraud and abuse. Participate in compliance monitoring and auditing activities as appropriate and identify potential non-compliance issues within their respective work environment. Report suspected or potential non-compliance or fraud and abuse to their respective supervisor or the QM/Compliance Dept. in a timely fashion.

9 Code of Conduct Cooperate and assist, as appropriate, with investigations and corrective actions. Maintain confidentiality as relates to members, practitioners, organizational business, and communications. Confidentiality Agreement Keep licensure and certification current as applicable.

10 What is - HIPAA? HIPAA applies to the protection of individual s health information Protected Health Information (PHI) means individually identifiable health information names, addresses, phone numbers, medical record numbers, photos, drivers license numbers, etc. It gives patients the right to their records and the right to know who's seen their records. Notice of Privacy

11 Privacy and Security Rule what is required..? Security Standards Administrative Safeguards Risk Management Sanction Policy Information Systems Activity Reviews Physical safeguards Facility access controls Contingency operations Facility security plan Access control & validation procedures Maintenance records Workstation use & security Data backup and storage

12 Privacy and Security Rule PHI - Examples Direct Individual Identifiers name date of birth postal address, zip code telephone number fax number electronic mail address social security number medical record number health plan beneficiary number account number certificate/license number vehicle identifiers and serial numbers, including license plate numbers device identifiers and serial numbers web universal resource locators internet protocol address numbers biometric identifiers including finger and voice prints full face photographic image and any comparable images

13 Breach Notification Rule Health Information Technology for Economic and Clinical Health Act (HITECH Act) Under HITECH, "business associates," or third parties such as a billing company, now must follow the HIPAA privacy laws by protecting patient information and reporting data breaches, The Act provides for substantial penalties for failures to certify or comply with the new standards and operating rules. Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information

14 Breach Notification Rule Definition of a Breach A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

15 Breach Notification Rule Breach Notification Requirements Following a breach of unsecured protected health information covered entities must provide notification of the breach to affected individuals, the Health Plan, Secretary of Health and Human Services, and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred.

16 Breach Notification Rule Individual Notice Must provide this individual notice in written form by firstclass mail, or alternatively, by if the affected individual has agreed to receive such notices electronically. Must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include: A description of the breach, a description of the types of information that were involved in the breach, The steps affected individuals should take to protect themselves from potential harm, A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity.

17 Breach Notification Rule Notice to Health Plan & State - TAT Report to Health Plans per their policies Will notify the State by visiting the HHS web site and filling out and electronically submitting a breach report form, if a breach affects 500 or more individuals without unreasonable delay and in no case later than 60 days following a breach. Reports of breaches affecting fewer than 500 individuals are due to the State no later than 60 days after the end of the calendar year in which the breaches occurred.

18 Breach Notification Rule Burden of Proof The IPA and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.

19 IPA/MSO Breach PREVENTION Examples of PHI Safeguards to Prevent a Breach Securing of Lap Top and mobile devices with PHI, to prevent loss or stolen Not giving unauthorized personnel access to PHI Not giving employee access codes Not using unsecure s when sending PHI(gmail, aol, yahoo.) Not using unsecure s when sending PHI (not encrypted or password protected) Not sending faxes without the disclosure statement Not leaving documents with PHI in unsecured areas Not having open discussions outside of work about members

20 Fraud, Waste & Abuse Defined Fraud: The intentional misrepresentation of data for financial gain. Fraud occurs when an individual knows or should know that something is false and makes a knowing deception that could result in some unauthorized benefit to themselves or another person.¹ Waste: Is overutilization: the extravagant, careless or needless expenditure of healthcare benefits or services that results from deficient practices or decisions.¹ Abuse: Involves payment for items or services where there was no intent to deceive or misrepresent but the outcome of poor insufficient methods results in unnecessary costs to the Medicare program. 2 Source: 1.CMS Glossary; CMS Medicare Learning Network (MLN) 2. Medicare Physician Guide: A Resource for Residents, Practicing Physicians, & Other Health Care Professionals, Tenth Edition (October 2008)

21 Physician Self Referral Law / Stark Law Purpose: Prohibit improper referral relationships that can harm the Federal health care programs and program beneficiaries. Improper referral relationships can lead to overutilization can lead to increased costs, & corruption of the medical decision making process Starks Law accomplishes this by prohibiting physician from submitting referrals for Medicare patients to entities where the physician s immediate family member has a financial relationship example?

22 Anti-Kickback Key Things Every Health Care Provider Should Know About the Anti-Kickback Statute 1. Anti-kickback statute prohibits asking for or receiving anything of value to induce or reward referrals involving federal health care programs.

23 Federal Anti-Kickback Statute 2. Know the penalties under the law Criminal = Felony = JAILTIME. Conviction can result in fines up to $25,000 per violation or up to a five year prison term or both Civil & Administrative Penalties: Can lead to False Claims Act Liability Program exclusion from Medicare & Medicaid Can lead to penalties under the civil monetary penalties law up to a $50,000 penalty per violation and an assessment of up to three times the total amount of the kickback payment (even if some part of the payment was for a legitimate purpose).

24 Conflict of Interest An employee must disclose any possible conflicts so that PPMC may assess and prevent potential conflicts of interest from arising. A potential or actual conflict of interest occurs when an employee is in a position to influence a decision that may result in a personal gain for the employee/family member as a result of the Company s business dealings. An employee/family member may not own or hold any significant interest in a supplier, customer or competitor of the company Employee must disclose actual/potential conflicts of interest in writing to supervisor / human resources.

25 Gifts & Gratuities PPMC employees will not solicit or accept gifts of significant value (i.e., in excess of $25.00), lavish entertainment or other benefits from potential and actual customers, suppliers or competitors. This policy is provided to all employees upon hire in the Employee Handbook.

26 Disciplinary Standards Disciplinary action may result where a responsible employee s failure to detect a violation is attributable to his or her negligence or reckless conduct. Possible disciplinary actions for improper conduct, including oral and written warnings, suspension, and termination. PPMC makes reasonable best efforts to see that disciplinary actions are applied consistently to all staff and managers. No employee is exempt.

27 Auditing and Monitoring Department / Company The level of compliance within each functional area is assessed on an ongoing basis. Periodic audits to determine the level of compliance with federal and state statutes, regulations and program requirements.

28 Auditing and Monitoring Prohibition of the employment of or contracting with persons known to have a propensity to engage in inappropriate or improper conduct. Efforts to ensure that individuals who have been recently convicted of a criminal offense related to heath care or who are listed as debarred, excluded or otherwise ineligible for participation in Federal health care programs are not hired. - OIG Established sanction verification processes for all potential employees and contracted providers.

29 Reporting Employees are responsible for reporting a concern or potential misconduct to their supervisor or manager. The Compliance Dept. has an open door policy to receive employee reports or concerns regarding potential violations. Employees, enrollees and providers may also use the COMPLIANCE HOTLINE to report any potential misconduct or concerns. If an investigation ultimately reveals criminal, civil, or administrative violations have occurred, the appropriate federal and state officials will be notified immediately.

30 Required Reporting Violations of the code of conduct, ethics or any fraud, waste or abuse must be reported. Not reporting fraud or suspected fraud can make you a party to a case by allowing the fraud to continue.. Fraud or suspected fraud may also be reported anonymously Everyone has the right and responsibility to report possible fraud, waste, or abuse. Remember: You may report anonymously Employees may report any suspected compliance issue (HIPAA, FWA, Clinical, etc.) anonymously, without fear of intimidation and retaliation as this is prohibited when reporting a concern in good faith.

31 PPMC Hotline Information Suspected Fraud and Abuse Suspected HIPAA / Confidentiality violations Suspected Compliance violations (951)