Cape Fear Valley Health System Corporate Compliance, HIPAA, and ACO Module Annual Required Education

Transcription

1 Cape Fear Valley Health System Corporate Compliance, HIPAA, and ACO Module Annual Required Education If you have any questions, please contact: Iris Murphy Corporate Compliance Officer (910) Sherri Roberts Privacy Officer (910) Last Updated:

2 Introduction This self-guided training will provide education on the: I. Corporate Compliance Program and Code of Conduct Policy; II. Health Insurance Portability and Accountability Act (HIPAA) Program; and III. Accountable Care Organization. There is a certification statement at the end of this training that you will be required to answer. By agreeing with this statement, you are giving your word that you have read, understand, and agree to abide by all of the information included in this training.

3 Part I: Corporate Compliance Program, Code of Conduct, and Related Policies

4 Objectives The objectives for Part I are to: Provide an overview of the Corporate Compliance Program; and Identify core compliance policies.

5 What is the Corporate Compliance Program? The Corporate Compliance Program ( Compliance Program ) was established in 1997 by a resolution of the Board of Trustees to show Cape Fear Valley Health System s ( Cape Fear Valley ) commitment to honest and responsible corporate conduct. The Compliance Program provides education related to the Code of Conduct and other compliance related policies, conducts investigations into alleged wrongdoing, and performs monitoring activities (such as audits and reviews) to assess areas of risk within the organization.

6 What does compliance mean? In the healthcare setting, compliance means following the rules, regulations, policies, and laws created by the government, insurance programs, and payers. It also means following the Health System s policies and procedures.

7 What department administers the Corporate Compliance Program? The Corporate Compliance, Internal Audit, and HIPAA department administers the Corporate Compliance Program. Under the direction of Iris Murphy, the department carries out the tasks required under an effective compliance program such as: Education and training Audits Investigations of wrong-doing

8 Who is the Corporate Compliance Officer? Iris Murphy, Corporate Director of Compliance, Internal Audit, and HIPAA, has been designated the Corporate Compliance Officer. Ms. Murphy reports directly to the Chief Executive Officer and to the Ethics and Compliance Committee of the Board of Trustees.

9 Compliance Program Basics Cape Fear Valley s Compliance Program includes seven fundamental elements as defined by the U.S. Federal Sentencing Guidelines: 1. Written standards of conduct and policies and procedures. 2. Designation of a Chief Compliance Officer with direct access to the Board of Trustees. 3. Education and training for all new hires, with annual training for all staff. 4. Processes to receive anonymous complaints without fear of retaliation. 5. Processes and procedures to respond to allegations of wrongdoing. 6. Audits to identify potential problem areas. 7. Effective means to take corrective action to remedy any weaknesses.

10 Core Compliance Policies Cape Fear Valley has two core policies that make up the Compliance Program 1. Corporate Compliance Policy: This policy explains the structure of the Compliance Program. 2. Code of Conduct Policy: The code defines work rules and behaviors for those who work at Cape Fear Valley Health System.

11 Corporate Compliance Policy The general principles of the Corporate Compliance Policy are that: It is the policy of Cape Fear Valley to comply with applicable Federal, State, and local laws and regulations - both civil and criminal; Cape Fear Valley s workforce has a duty to obey all laws and regulations that govern the Health System; and Cape Fear Valley, in turn, has a duty to follow-up on any questions that have been asked in a confidential manner without any retaliation towards the workforce member. Corporate Compliance Policy

12 How does Cape Fear Valley inform its workforce of its commitment to ethical and legal conduct? Cape Fear Valley s Code of Conduct ( Code ) provides guidance to workforce members. The Code is available in Policytech. New employees receive a copy of the Code during New Employee Orientation. Vendors, medical staff members, and the Board of Trustees also receive a copy of the Code. The Code defines the standards of behavior at Cape Fear Valley. Code of Conduct Policy

13 Who is responsible for compliance? All workforce members are required to follow the Code of Conduct, Corporate Compliance Policy, Health System policies, and laws and regulations that govern Cape Fear Valley. Employees are obligated to report violations of the Code of Conduct and other policies. Every member of Cape Fear Valley s workforce is required to promptly report any suspected violation.

14 What is Fraud, Waste, and Abuse? Fraud includes obtaining something of value through intentional misrepresentation or concealment of material facts. Waste includes incurring unnecessary costs as a result of deficient management, practices, or controls. Abuse includes excessively or improperly using government resources.

15 Examples of Healthcare Fraud and Abuse Examples of healthcare fraud and/or abuse include, but are not limited to, Billing for services or supplies that were not provided; Billing for services that are not medically necessary; Providing false information on records; Offering incentives, bribes, or payment in exchange for healthcare referrals; Billing Medicare as primary when it is secondary; Charging excessively for supplies or services; Providing services that do not meet professional standards.

16 Fraud and Abuse Laws There are numerous laws and regulations that apply to healthcare organizations. The five Federal fraud and abuse laws that are most relevant to physicians and other workforce members are: 1. The False Claims Act 2. The Anti-Kickback Statute 3. The Physician Self-Referral Statute 4. The Exclusion Authorities 5. The Civil Monetary Penalties Law

17 What is the False Claims Act? The False Claims Act makes it illegal to submit false or fraudulent claims for payment to Medicare or Medicaid. Claims may be false if the service is: Not actually rendered to the patient; Provided, but already covered under another claim; Miscoded; Not supported by documentation in the medical record.

18 How does Cape Fear Valley Avoid Violations of the False Claims Act? Cape Fear Valley has policies and procedures that reinforce its commitment to the highest ethical standards when submitting claims for payment. These policies and procedures are located in PolicyTech and are summarized in the Code of Conduct and Corporate Compliance policies. Workforce members are obligated to report improper conduct. Cape Fear Valley has a no retaliation policy for good faith reporting.

19 How Can Fraud and Abuse Be Prevented? Fraud and abuse can be prevented by ensuring that the workforce is appropriately trained. All departments are responsible for having processes and procedures in place to help ensure that staff is appropriately trained. The Financial Standard Operating Procedures (Charging) Policy, establishes guidelines to be used by each department entering orders or charges to include Charge Description Master ( CDM ) maintenance, training, and verification of patient orders, charges, and billing. Financial Standard Operating Procedures (Charging) Policy

20 What is the Anti-Kickback Statute? The Anti-Kickback Statute prohibits asking for or receiving anything of value in exchange for referrals of Federal health care program business. Kickbacks are illegal because they can lead to overutilization of items or services, Increased costs, corruption of medical decision making, patient steering, and unfair competition. Prohibited kickbacks include: Cash for referrals Free rent for medical offices Excessive compensation for medical directorships

21 What is the Physician Self-Referral Statute? The Physician Self-Referral Statute (aka Stark law) prohibits physicians from referring Medicare or Medicaid patients for designated health services (i.e. labs, physical therapy, home health) to entities with which they have a financial relationship, unless an exception applies. Consequences of violating the Physician Self-Referral Statute are: Payment denial Monetary penalties Exclusion from participation in the Federal health care programs

22 Exclusion Authorities Under the Exclusion Authorities, the Office of Inspector General (OIG) may exclude providers from participation in Medicare and Medicaid. Excluded providers may not bill for treating Medicare and Medicaid patients. Cape Fear Valley screens employees, vendors, and others to help ensure that they have not been excluded from participation in a Federal health care program. Those who have been excluded are Ineligible Persons. Cape Fear Valley does not hire or do business with Ineligible Persons.

23 Civil Monetary Penalties Law The Office of Inspector General has the authority to seek civil monetary penalties for a wide variety of abusive conduct, including: Presenting a claim that is false or fraudulent because it is for a medically unnecessary procedure; Overcharging or double billing Medicare patients.

24 Under no circumstance is a supervisor, manager, director, or any other member of management or Cape Fear Valley s workforce to instruct any workforce member not to report information to or to withhold information from the Corporate Compliance Officer. Who can help with difficult decisions? There are many resources available to the workforce at Cape Fear Valley to help decide if there is a policy, law, regulation, or standard that applies to a specific circumstance. Options include: Asking one s manager for guidance; Contacting Legal Services; Contacting the Compliance Department; Calling the Confidential Message Line.

25 What is the Confidential Message Line? The Confidential Message Line is another way to report suspected violations. It is the right of all individuals when faced with a compliance issue that they do not wish to report to their supervisor or others in the chain of command, to report the concern by calling the Confidential Message Line at (910) A Confidential Message Line flyer is displayed in a prominent location in each department throughout the Health System, including all locations not on the main campus. Individuals will not be retaliated against by Cape Fear Valley for good faith reporting of compliance concerns.

26 What is a Conflict of Interest? A conflict of interest exists when a workforce member s judgment could be affected because of a personal interest in the outcome of a decision over which he/she has influence or control. Examples of a conflict of interest include, but are not limited to: Employees requisitioning or approving items or services from a vendor to whom they are related (e.g., parents, siblings, spouse, in-laws); Accepting dinner invitations, tickets to sporting events, and lavish gifts of items or services from vendors; Influencing the selection of vendors who are household members.

27 Declaration of Potential Conflicts All employees are expected to complete a Conflict of Interest Questionnaire declaring any potential conflicts and any outside employment. A new questionnaire is to be completed each year or when a change occurs (e.g., department transfer). Anytime during the year if a potential or perceived conflict arises, the employee is expected to immediately contact his/her manager for an interpretation of policy prior to making any commitment.

28 Declaration of Potential Conflicts The Conflict of Interest Policy is located in PolicyTech and the Questionnaire is located on the Human Resources web page. Conflict of Interest Policy

29 Can Workforce Members Accept Gifts or Charitable Contributions from Vendors? All offers for charitable contributions must go directly to the Cape Fear Valley Health Foundation for the benefit of a Cape Fear Valley entity. Workforce members are prohibited from soliciting or accepting gifts, favors, invitations, etc., from persons or entities who are seeking to retain or obtain business from Cape Fear Valley.

30 Can Workforce Members Accept Gifts or Charitable Contributions from Vendors? The Gifts or Other Items of Value from Vendors, Contractors, or Suppliers policy explains the limits on the acceptance of gifts or other items of value. Gifts or Other Items of Value from Vendors, Contractors, or Suppliers Policy

31 Deficit Reduction Act (DRA) The DRA includes provisions that target Medicaid program integrity and fraud and abuse, including: Entities that receive/make payments to the State Medicaid Program of at least $5,000,000 annually must provide Federal False Claims Act education to their employees. The CMS Medicaid Integrity Program was established to provide more resources for CMS to fight Medicaid fraud, waste, and abuse. The CFV Compliance Program includes written policies and procedures addressing the False Claims Act, whistleblower protections, and the detection and prevention of fraud and abuse, as well as training and education regarding the Act for its employees.

32 Responsibilities CFVHS views participation in Federal and State medical assistance programs to be an integral part of its mission of the promotion of health to the community. Employees are expected to participate in education classes to ensure correct billing of patient claims, as well as to report any known or suspected violations of Medicare/Medicaid billing rules or regulations to the Corporate Compliance Officer. CFVHS protects the confidentiality of any employee who makes such a report, and no employee should experience retribution by the Health System for good-faith reporting.

33 Duty to Report Violations It is the duty of each CFVHS employee/agent to report any suspected violation of these standards to the Corporate Compliance Officer. Employees may raise concerns and report actual or suspected compliance violations through the CFVHS Confidential Message Line at (910) Callers are assured that their anonymity will be protected and they will not suffer retaliation as a result of the disclosure. Alternatively, suspected violations of these standards may be reported to CFVHS s Chief Executive Officer ( CEO ) or Chief Financial Officer ( CFO ).

34 Corporate Compliance is Everyone s Responsibility It is everyone s responsibility to do the right thing by: Asking questions Requesting additional education when needed Reporting concerns and suspected or known violations The Compliance Department is here to assist you - please report any violations.

35 Part II: Health Insurance Portability and Accountability Act of 1996 (HIPAA), HITECH Breach Reporting, and Identity Theft Prevention Program If you have any questions, please contact: Sherri Roberts Privacy Officer (910)

36 Objectives The objectives for Part II are to: Provide an overview of HIPAA Privacy and Security Rules. Explain HITECH Breach Reporting requirements. Provide an overview of Cape Fear Valley s Identity Theft Prevention Program and Policy.

37 What is HIPAA? Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) regulations are Federal laws that require covered entities to keep patient information private and secure. Covered entities - such as hospitals, physician and dental offices, pharmacies, and health plans - may not use or disclose protected health information ( PHI ) except as permitted or required by HIPAA.

38 Accessing Patient Information Covered entities must make reasonable efforts to limit the use or disclosure of, and requests for, protected health information ( PHI ) to the minimum amount necessary to accomplish the intended purpose. Access to patient information is based on a Need To Know. This need to know must be for job related duties to carry out essential health care functions - e.g., treatment, payment, and health care operations. The need to know includes the patient s personal information. There are serious consequences for looking at someone s PHI without a need to know.

39 What is the Purpose of the Confidentiality and Information Access Policy? The purpose of the Confidentiality and Information Access policy is to safeguard the integrity and reasonable access of CFVHS data and information and to protect and safeguard confidential and proprietary information pertaining to patients, caregivers, employees, and CFVHS operations. CFVHS has the right to audit any aspect of the computer system - including employee - to monitor compliance with this policy. Employees do not have the expectation of privacy in anything they create, send, or receive on the computer. Confidentiality and Information Access Policy

40 Confidentiality Agreement Employees and other workforce members sign the Confidentiality and Information Access Agreement ( Agreement ) before receiving access, and annually thereafter. Physicians and Allied Health Practitioners sign the Agreement as part of the credentialing process and each time they are re-credentialed.

41 Confidentiality Agreement Contractors who have a Business Associate Agreement and who access computer systems from outside CFVHS may be waived from signing the Agreement. Entities who need access to the computer system, but with whom CFVHS does not have a contractual agreement, sign a Non-Disclosure Statement and other documents requested by Information Services and Technology ( IST ).

42 Users are to utilize the same care in drafting and other electronic documents as they would for any other written communication. Anything created on the computer may be reviewed by others. that is sent to a non-cape Fear Valley account may be scanned for PHI that is not encrypted or password protected.

43 s containing patient information or other sensitive information that are sent outside of Cape Fear Valley are to be sent secure, with the tag [SendSecure] at the beginning of the Subject line. When sending Group s (e.g., to all Department Managers) it is important to ensure that all individuals included in the group have a need to know the information that is being sent to them.

44 The person visiting may be someone the patient does not want to know his or her personal business. Discussing Patient Information Before discussing PHI, make sure you are in an area where others cannot overhear your conversation. Dad won t tell me anything. What s wrong with him? I understand your concern, but I can t discuss his health care without his consent. HIPAA tells us we may discuss a patient s care with people who are involved in their care if the patient does not object. Before discussing the care of a patient in front of visitors, ask the patient if he or she wants the visitors to be involved in the discussion.

45 Disclosure of Patient s Location in the Health System If the patient is asked for by name, then the patient s location and general condition may be given without the patient s permission. However, there is a patient Opt Out exception to the rule that a patient s location and general condition may be disclosed. When a patient makes the opt-out election, the patient s location and condition status is protected and confidential, and may not be disclosed. If you do not know the Opt Out status of a patient, contact the Operator to determine the Opt Out status.

46 Faxing Misdirected faxes are the most common HIPAA Breach. To prevent errors, verify that you have selected the correct provider when entering orders. Verify all fax numbers before faxing. If a document is misdirected, ask the recipient to return the document. You can arrange to pick up the document or ask that the document be shredded if it cannot be returned. Report misdirected faxes to the Privacy Officer.

47 Computer Infrastructure Security Cape Fear Valley depends on its workforce to use the computer system as a tool in caring for patients and in daily business activities. Cape Fear Valley s security policies address various areas to include social networking, cell phone usage, , passwords, virus protection, downloading, and audits.

48 Computer Infrastructure Security Access to information on the computer system is continually audited. Audit trails record information such as the workforce member, the information accessed, and the date and time of the access. These audit trails are used to verify that workforce members have accessed information based on the need to know criterion.

49 Passwords Workforce members with access to Cape Fear Valley s computer system are to use their own user ID and password. The use of another person s User ID and password is prohibited.

50 Social Networking Information about Cape Fear Valley s patients (even if they are not mentioned by name) or business matters are not to be discussed on social networking sites such as Facebook, MySpace, Twitter, Instagram, etc. Any information that may point to a particular patient is considered a violation of the HIPAA Privacy laws.

51 Investigation of Breaches of Privacy Policy Cape Fear Valley Health System takes reasonable action to investigate reported breaches and mitigate alleged harmful effects resulting from the unauthorized use or disclosure of PHI by CFVHS or its business associates. In the event of an identified threat of harm (e.g., the potential for identity theft), CFVHS shall undertake appropriate mitigation measures. The purpose of this policy is to assist CFVHS to comply with the HIPAA Privacy and Security Rules and to minimize harm to the individual as a result of unauthorized use or disclosure of PHI by CFVHS or its business associates. Investigation of Breaches of Privacy Policies and Procedures Policy

52 Office for Civil Rights The Office for Civil Rights ( OCR ) enforces the HIPAA Privacy Rule and the HIPAA Security Rule. The HIPAA Privacy Rule protects the privacy of individually identifiable health information. The HIPAA Security Rule sets national standards for the security of electronic protected health information.

53 Definitions Breach: The unauthorized access, disclosure, or use of PHI in any form, to include electronic and hardcopy. This may be internal or external, and may or may not have a harmful effect. Privacy breaches: Incidents deemed as breaches of patient privacy include, but are not limited to, discussing patient information in public areas, accessing patient information without a need to know, and misuse of PHI. Accessing PHI belonging to one s family members or friends or others is classified as a privacy breach.

54 Definitions Security breaches: Incidents deemed security-related include, but are not limited to, misuse of passwords, unauthorized individuals in an area, failure to lock screens when leaving workstations, ing patient information outside CFVHS that is not password-protected or encrypted, and mis-faxing documents.

55 Definitions Initial Reporting: Members of the workforce have individual responsibility to report suspected privacy and security breaches. Reports may be made by or phone. Initial reporting may be made to: The Health System Privacy Officer The Privacy Hot Line The Confidential Message Line The IST Security Administrator Corporate Risk Management Human Resources

56 Definitions Investigation: Once a suspected breach is reported, an investigation is performed to ascertain the validity of the report. The investigation determines: Whether a breach did in fact occur. How the breach happened (e.g., used wrong fax number, staff member did not sign off of the computer) including an interview of staff members as necessary. What corrective actions need to be implemented to prevent the recurrence (e.g., number pre-programmed into fax machine). HIPAA Assessment Team: Depending upon the nature and level of the breach, a HIPAA Assessment Team (HAT) may be assembled to assist with the investigation.

57 Investigation of Breaches of Privacy and Security Reporting Guidelines Documentation: The Privacy Officer keeps a log of reported breaches, corrective actions, and sanctions. Allegations of breaches of confidentiality that are reported as a patient complaint are forwarded to Patient Relations for follow-up and tracking. Physician/Allied Health Professionals: Report breaches to the Privacy Officer. The Privacy Officer communicates the information to Medical Staff Services.

58 Investigation of Breaches of Privacy and Security Reporting Guidelines Physician and allied health professional breaches are handled by the Privacy Officer in collaboration with Medical Staff Services. Business Associates are required to report, in writing, to the Privacy Officer any use or disclosure of PHI or other sensitive information that is not permitted or required under the terms of the Business Associate Addendum.

59 What is a Level 1 Breach? LEVEL 1 Carelessness, Self-examination of records This occurs when a workforce member unintentionally or carelessly accesses, reviews, or reveals PHI or other sensitive information to himself/herself, or others, without a legitimate need to know the information. Examples include, but are not limited to: Discussing PHI or other sensitive information in a public area. Leaving documentation containing PHI in a public area. Leaving a computer unattended and unlocked in an accessible area. Faxing PHI to a wrong number.

60 What is a Level 2 Breach? LEVEL 2 Curiosity, Concern, or Willful Disregard of Policy (not for personal gain) This occurs when a workforce member intentionally accesses or discusses PHI or other sensitive information for purposes other than for the care of the patient or other authorized purposes. Examples include, but are not limited to: Workforce member intentionally looks up PHI that is not related to his/her job duties. Workforce member shares his/her system password. Workforce member accesses and reviews a record of a patient out of concern or curiosity (this includes family members, friends, and exspouses).

61 What is a Level 3 Breach? LEVEL 3 Personal Gain or Malice This occurs when a workforce member accesses, reviews, or discusses PHI or other sensitive information for personal gain or with malicious intent. Examples include, but are not limited to: A workforce member reviews a patient record for personal use, such as obtaining an address or phone number in order to contact a patient or family member for reasons not related to Health Systems business. A workforce member compiles a mailing list for personal use or commercial use. A workforce member provides PHI to the media for monetary reparation and /or to embarrass the patient or Health System.

62 Disciplinary Action Disciplinary Sanctions are outlined in the Administrative Policy, Investigation of Breaches of Privacy Policies and Procedures. Investigation of Breaches of Privacy Policies and Procedures Policy

63 What is the HITECH Act? The Health Information Technology for Economic and Clinical Health ( HITECH ) Act requires under certain circumstances that patients be informed when their PHI has been breached. Breach notification requirements are triggered when someone gains access to unsecured PHI. PHI is unsecured when it has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of an approved technology or methodology such as encryption.

64 What is the HITECH Act? Breach notification standards require the provision of notice to affected individuals and in some cases the media. The HITECH Act establishes the methods, content, and time period for providing such notice.

65 HITECH Act Requirements All suspected Breaches are to be reported to the Privacy Officer. Some breaches are required to be reported to the Secretary of Health and Human Services and to the North Carolina Attorney General. HITECH establishes penalties and sanctions for workforce members who violate HIPAA regulations.

66 Identity Theft Prevention Program

67 Medical Identity Theft Medical identity theft occurs when someone steals another person s personal information (e.g. name, Social Security number, Medicare number) to obtain medical care, buy drugs, or submit fake billings to Medicare. Medical identity theft disrupts lives, damages credit ratings, and can be life-threatening to patients if the wrong information ends up in their medical records. Medical identity theft is a significant and growing problem in the U.S. health-care industry. It has been estimated that medical identity theft alone costs tens of billions of dollars a year.

68 Identity Theft Prevention Policy CFVHS takes reasonable measures to identify, detect, and mitigate risks of identity theft of patients and employees of the Health System. The purpose of the Identity Theft Prevention policy is to assist CFVHS with compliance with the N.C. Identity Theft Protection Act of 2005 (NCGS et al.) and the Federal Trade Commission s Identity Theft Prevention Red Flags Rule of 2008 (16 C.F.R. Section 681.2)

69 Identity Theft Prevention Policy Report potential identity theft involving CFVH to the Privacy Officer. The Privacy Officer has the primary responsibility to investigate potential identity theft. Identity Theft Prevention Policy

70 Part III: Accountable Care Organization ( ACO ) Compliance Requirements If you have any questions, please contact: Bart Fiser ACO, Executive Director (910)

71 Objectives The objectives are to: Provide an overview of the Accountable Care Organization ( ACO ) Explain the ACO compliance obligations Describe the duty and protocol for ACO compliance investigation and reporting

72 Accountable Care Organization What is an Accountable Care Organization? An organization of healthcare providers and professionals working together to coordinate care for the Medicare fee-for-service patients that they serve. Cape Fear Valley ACO Mission: To improve the engagement, health, and wellness of community members, enhance the quality of care through clinical and service excellence, and decrease the cost of care using a collaborative team-based approach to care delivery. Cape Fear Valley ACO Vision: To become a nationally recognized leader in population health by providing our community members the best care for the best value.

73 ACO Makeup ACO Participants: Cape Fear Valley Health System, including Cape Fear Valley Medical Center, Highsmith Rainey Specialty Hospital, and physician practices and subsidiaries. Hoke Healthcare Bladen Healthcare ACO Provider/Supplier: Physicians and other practitioners that bill Medicare under an ACO Participant.

74 ACO Compliance Officer Iris Murphy is the Compliance Officer for the Cape Fear Valley ACO. She is responsible for administering the ACO Compliance Program, including: Developing compliance education; Promoting open and anonymous communication regarding any possible compliance violations; and Overseeing the investigation of any reports of suspected non-compliance or improper or illegal behavior.

75 ACO Compliance Plan Cape Fear Valley ACO Compliance Plan covers the key compliance requirements for participation in an ACO. The Compliance Plan utilizes and incorporates Cape Fear Valley s existing policies and procedures where appropriate. You should assume all of the Cape Fear Valley Health System rules, policies and procedures addressed in our compliance training also apply to Cape Fear Valley ACO. In addition, the Compliance Plan also addresses specific ACO regulations. Additional written ACO Policies and Procedures will be developed as appropriate to ensure compliance with all federal requirements. The ACO Compliance Plan, and relevant Policies and Procedures will be located on the InfoWeb and/or in department manuals.

76 Reporting Suspected Compliance Problems Cape Fear provides a Confidential Message Line to report any suspected problems to the compliance officer, including ACO compliance issues. Individuals have a duty to report suspected compliance violations. The Confidential Message Line number is: (910) Individuals will not be retaliated against by Cape Fear Valley for good faith reporting of compliance concerns.

77 Compliance With Laws Participation with an ACO requires strict compliance with applicable federal and state laws, regulations and rules, and CMS guidance, including: Federal criminal law The False Claims Act The Anti-Kickback Statute The Civil Monetary Penalties Law The Physician Self-Referral Law ( Stark Law )

78 False Claims Act Documentation provided by Cape Fear Valley ACO may be used to determine payments to be made by Medicare to Cape Fear Valley ACO. Cape Fear Valley ACO will provide accurate information and data to the government. Employees and contractors are prohibited from making false or fraudulent statements to the government in connection with the ACO.

79 Beneficiary Choice Medicare beneficiaries are assigned to different ACOs based on where they obtain their primary care services. Generally, if a Medicare patient receives the majority of primary care services from a primary care physician affiliated with the Cape Fear Valley ACO, that patient is attributed to the Cape Fear Valley ACO. But ACOs are not closed managed care networks. Patients are free to continue seeing any Medicare provider or supplier. Cape Fear Valley ACO will ensure that such beneficiary choice is maintained.

80 Regulation of Referrals ACO providers/suppliers remain free to refer beneficiaries to non-aco providers/suppliers anytime when: A beneficiary has expressed a preference for a different provider/ practitioner/ supplier. The beneficiary's insurer has made a determination of the provider/ supplier. A referral to an ACO provider/supplier is not in the beneficiary's best medical interests in the judgment of the referring party.

81 Beneficiary Inducements ACO participants, providers and suppliers may not provide any gifts, cash, or other forms of remuneration to beneficiaries for choosing to receive services as part of the ACO network or with an ACO provider. Examples: no baseball tickets, jewelry, household items, or gift certificates.

82 Permitted Beneficiary Inducements: Exception for Certain In-Kind Items/Services There is a limited exception for certain in-kind items and services that are provided to encourage care coordination and beneficiary health awareness. However, any such items and services must meet the following requirement: There is a reasonable connection between the items and services and the medical care of the beneficiary; and The items/ services are preventive care items or services that advance a clinical goal for the beneficiary, including for example adherence to a treatment regimen, adherence to a drug regimen, adherence to a followup care plan, or management of a chronic disease or condition.

83 Notice to Beneficiaries Cape Fear Valley ACO will notify beneficiaries at the point of care that their ACO providers/suppliers are participating in the Medicare Shared Savings Program. Cape Fear Valley ACO will also take the following steps to provide notice: Signs will be posted to notify beneficiaries that their ACO providers/suppliers are participating in the Medicare Shared Savings Program. Standardized written notices regarding participation in an ACO will be provided in settings in which beneficiaries receive primary care services.

84 Marketing Materials and Activities Any ACO marketing materials must be developed in collaboration with the ACO and approved by CMS. This includes any materials used to educate, solicit, notify, or contact Medicare beneficiaries or providers and suppliers regarding the Medicare Shared Savings Program: Marketing materials must not be developed or disseminated without express approval from both the President of Cape Fear Valley ACO and the Cape Fear Valley Legal Department. CMS has clarified that social media can be used as a marketing tool and therefore marketing materials and activities that must be approved include social media, such as Twitter or Facebook.

85 CMS Audits Cape Fear Valley ACO must cooperate with any CMS monitoring or evaluation activities connected to the ACO. Such cooperation includes, but is not limited to: Responding to documentation requests; Collection of any data required to measure performance regarding utilization management and clinical quality; Compliance with recommendations to improve utilization or quality performance or patient satisfaction; Record maintenance.

86 Record Maintenance Cape Fear Valley ACO, and its Participants, are obligated to maintain books, contracts, records, documents, and other evidence for a period of 10 years (or longer in some instances) from the final date of the agreement period or from the date of completion of any audit, evaluation, or inspection, whichever is later. Do not destroy ACO records without written approval from the President of Cape Fear Valley ACO and the Cape Fear Valley Legal Department that such destruction is permitted.

87 ACO Compliance is Everyone s Responsibility It is everyone s responsibility to do the right thing by: Asking questions. Requesting additional education when needed. Reporting concerns and suspected or known violations. The Compliance Department is here to assist you - please report any violations.

88 Questions? If you have any questions or concerns, please contact a member of the Compliance Department. Corporate Compliance Officer ismurphy@capefearvalley.com Privacy Officer sherriroberts@capefearvalley.com Internal Auditor egarcia2@capefearvalley.com Medical Reimbursement Auditor tcassanova@capefearvalley.com Medical Reimbursement Auditor

89 Almost Done Close this window and wait for your Assigned Items list to refresh. When the system is done recording that you have finished the presentation, you can click on the item again to see the option to take the test. Read and indicate agreement with the attestation statement: By agreeing with this statement, you are giving your word that you have read, understand, and agree to abide by all of the information included in this training.