Cape Fear Valley Health System s Corporate Compliance Program

Transcription

1 Cape Fear Valley Health System s Corporate Compliance Program If you have any questions, contact: Iris Murphy Corporate Compliance Officer (910) Tricia Urquhart-Jones Privacy Officer (910) Last Updated:

2 Part I: Corporate Compliance Program, Code of Conduct, and Related Policies If you have any questions, contact: Iris Murphy Corporate Compliance Officer (910)

3 Benefits of a Good Compliance Program A well-composed compliance program can: Avoid the potential for fraud, waste, and abuse; Increase the potential of proper submission and payment of claims; Improve the results of reviews conducted on Medicare claims; and Promote patient safety and ensure delivery of high quality patient care.

4 Introduction This self-guided training will educate you on Cape Fear Valley s Corporate Compliance Program and Code of Conduct, the Health Insurance Portability and Accountability Act (HIPAA) Program, and the Accountable Care Organization. There is a certification statement at the end of this training that you will be required to answer. By agreeing with this statement, you are giving your word that you have read, understand, and agree to abide by all of the information included in this training.

5 Introduction If you have any questions about this training, a member of the Corporate Compliance / Internal Audit / HIPAA department ( Compliance Department ) will assist you so that you are able to complete this training and are able to truthfully answer the certification statements.

6 Corporate Compliance Program The Corporate Compliance Program was established in 1997 by a resolution of the Board of Directors to demonstrate Cape Fear Valley Health System s ( Cape Fear Valley ) commitment to honest and responsible corporate conduct. The primary purpose of the Corporate Compliance Program ( Compliance Program ) is to promote an atmosphere of prevention, detection, and resolution of conduct that conforms with the requirements set forth in state and federal law; federal, state, and private payor programs; and the hospital s own ethical and business policies. Corporate Compliance means doing the right thing. Doing the right thing also means reporting known or suspected violations.

7 Objectives The objectives for Part I are to: Provide an overview of the Corporate Compliance Program; and Identify the elements of the Corporate Compliance Program and related policies.

8 Compliance Program Requirements Cape Fear Valley is committed to maintaining a Compliance Program that includes the following elements: Compliance Officer and Committee Written Standards Training and Education Review Procedures Disclosure Program Ineligible Persons Screening Reporting

9 Compliance Officer and Committee Iris Murphy is the Corporate Compliance Officer and the Administrative Chair of the Ethics and Compliance Committee of the Board of Trustees. The Ethics and Compliance Committee is responsible for providing assistance to the Board of Trustees in monitoring: Any conflicts of interest that might benefit the private interest of an officer or trustee of the Corporation; and The operation and performance of the Corporation s Corporate Compliance Program.

10 Written Standards Cape Fear Valley has established and distributed a Code of Conduct and a comprehensive set of written policies and procedures to establish clear rules to assist individuals in their job functions and to help them remain compliant with Federal and State healthcare programs. Policies and Procedures are located on the InfoWeb and/or in department manuals: Human Resources ( HR ) policies are specific to employee behavior. Administrative polices apply to the entire organization. Departmental policies address procedures unique to a given department. Many departmental policies further explain how the department complies with Administrative policies.

11 Training and Education Effective compliance training and education involves the development and implementation of regular, effective education and training programs for all affected employees. Cape Fear Valley tracks the time, attendance, topic, and results of their employee compliance training; and will conduct ongoing evaluations of training effectiveness.

12 The Administrative Policy, Financial Standard Operating Procedures (Charging), establishes guidelines to be used by each department entering orders or charges to include Charge Description Master ( CDM ) maintenance, training, and verification of patient orders, charges, and billing. Review Procedures Each department within Cape Fear Valley is responsible for having processes and procedures in place to help ensure that staff is appropriately trained. Auditing and monitoring is performed to review the charging and billing processes. These audits help to identify that checks and balances are in place to help ensure that transactions are accurately recorded.

13 Disclosure Program Cape Fear Valley maintains a Disclosure Program that includes a dedicated phone line, the Confidential Message Line, to enable individuals to disclose to the Compliance Officer or some other person who is not in the disclosing individual s chain of command, any identified issues or questions about Cape Fear Valley s policies, conduct, practices, or procedures with respect to a Federal or state health care program. Every member of Cape Fear Valley s workforce is required to promptly report any suspected violation.

14 Disclosure Program The Confidential Message Line number is: (910) The Confidential Message Line flyer should be on display in each department in an area accessible to all staff (e.g. the break room). Individuals will not be retaliated against by Cape Fear Valley for good faith reporting of compliance concerns.

15 Disclosure Program Responses to disclosures: Investigate the problem: The Compliance Department investigates allegations to determine the degree and complexity of identified problems. Correct the problem: Action plans are developed by the applicable areas to correct the problems. Follow-up reviews are often conducted. Refund overpayments: When identified, overpayments are promptly refunded. Educate: Staff involved are educated as to the correct processes and procedures.

16 Disclosure Program The Compliance Department maintains a disclosure log with the status of internal reviews and any corrective action taken in response to the internal reviews. Cape Fear Valley s Disciplinary Standards are modeled after Just Culture, which means that disciplinary actions are intended to be appropriate to the severity of the misconduct. Cape Fear Valley s disciplinary standards can be reviewed in the Code of Conduct policy and Human Resources policies located on the Cape Fear Valley Health System ( CFVHS ) InfoWeb.

17 Ineligible Persons Cape Fear Valley screens employees, vendors, and others to help ensure that they have not been excluded from participation in a Federal health care program. Those who have been excluded are Ineligible Persons. Cape Fear Valley does not hire or do business with Ineligible Persons. Employees, vendors, physicians, allied health professionals, and others are required to disclose to Cape Fear Valley if any exclusion or other event occurs that makes that person an Ineligible Person.

18 Core Compliance Policies Cape Fear Valley Health System has two core policies that make up the Compliance Program Corporate Compliance Policy: This explains the structure of the Compliance Program. Code of Conduct Policy: This defines work rules and behaviors for those who work at Cape Fear Valley Health System.

19 Corporate Compliance Policy The general principles of the Corporate Compliance Policy are that: It is the policy of CFVHS to comply with applicable Federal, State, and local laws and regulations - both civil and criminal; CFVHS employees have a duty to act in a manner consistent with the law, and are responsible for reporting any Health System activities that they feel may violate the law or ethical business practices; and CFVHS, in turn, has a duty to follow-up on any questions that have been raised in a confidential manner without any reprisal towards the employee. Corporate Compliance Policy

20 Corporate Compliance Policy Cape Fear Valley is committed: To the promotion of the public's health. CFVHS is committed to the implementation and maintenance of employment practices that comply with applicable Federal and State laws, providing appropriate quality of care and maintenance of its accreditation by The Joint Commission. To the Health System s patients. CFVHS is committed to providing an appropriate quality of care, consistent with the Health System s facilities and resources, that is responsive to patient needs and complies with State and Federal laws and regulations that govern the operation of a taxexempt hospital. To both public and private third-party payers. CFVHS is committed to providing accurate billing of charges and to using a competitive bidding process.

21 Responsibilities CFVHS views participation in Federal and State medical assistance programs to be an integral part of its mission of the promotion of health to the community. Employees are expected to participate in education classes to promote correct billing of patient claims, as well as to report any known or suspected violations of Medicare/Medicaid billing rules or regulations to the Corporate Compliance Officer. CFVHS protects the confidentiality of any employee who makes such a report, and no employee should experience retribution by the Health System for good-faith reporting.

22 Federal and State False Claims Laws Both Federal and North Carolina law prohibit healthcare providers from submitting false or fraudulent claims for reimbursement for healthcare services. These laws also provide employees protection from discrimination by their employer when employees take lawful acts in bringing or participating in a lawsuit to enforce these laws.

23 False Claims Act The False Claims Act prohibits persons or entities from, among other actions, knowingly: Presenting or causing to be presented to the federal government a false or fraudulent claim for payment or approval. Making, using, or causing to be made or used a false record or statement material to a false or fraudulent claim to get the claim paid or approved by the federal government. Penalties for False Claims Act violations are $5,500 to $11,000 per false claim, plus up to three times the amount of damages sustained by the government as a result of the false claims. The False Claims Act allows private citizens to bring Qui Tam (Whistleblower) civil actions on behalf of the Government.

24 General Definitions Healthcare Fraud is an intentional misrepresentation, deception, or intentional act of deceit for the purpose of receiving greater reimbursement for services. Healthcare Abuse is reckless disregard or conduct that goes against, and is inconsistent with, acceptable business and/or medical practices resulting in greater reimbursement for services.

25 Deficit Reduction Act (DRA) 2005 The DRA included provisions that target Medicaid program integrity and fraud and abuse including: Entities that receive/make payments to the State Medicaid Program of at least $5,000,000 annually must provide Federal False Claims Act education to their employees. The CMS Medicaid Integrity Program was established and provides more resources for CMS to fight Medicaid fraud, waste, and abuse. The CFV Compliance Program includes written policies and procedures addressing the False Claims Act, whistleblower protections, and the detection and prevention of fraud and abuse, as well as training and education regarding the Act for its employees.

26 Federal Health Programs Federal Health programs include Medicare, Medicaid, and TRICARE. Each of these programs has procedures in place to monitor claims. The programs also perform special audits to make sure that beneficiaries are receiving the services that have been billed by providers.

27 Examples of Provider Fraud and Abuse Examples of Provider Fraud and Abuse include: Submitting claims for services not rendered; Submitting claims for services that are not medically necessary; Misrepresentation of services, dates of service, and charges to include providing false or misleading information regarding services to manipulate payment benefits; Upcoding e.g., billing for a higher level of services or supplies than were actually provided, or submitting a code that represents a more extensive procedure or service than was actually performed. Unbundling - separate billing of services covered under one billing code or billing each component of a procedure as if it is a separate procedure; Billing for services rendered by non-licensed staff members.

28 Patient Care Practices CFVHS responds promptly and courteously to patient inquiries and requests, accurately represents the services that are available, and treats patient information with confidentiality.

29 Bidding, Negotiation, and Performance of Contracts CFVHS observes the laws, rules, and regulations which govern the acquisition of goods and services that are paid for in whole or in part by the State or Federal government or by private third-party payers. Employees or agents may not directly or indirectly solicit or receive remuneration from vendors who may be or may appear to be attempting to induce business from Cape Fear Valley that is reimbursed by Medicare, Medicaid, or by any other third-party payer. All purchasing decisions must be free of actual or apparent conflicts of interest.

30 Bidding, Negotiation, and Performance of Contracts CFVHS requires its employees to submit cost or pricing data that the employee feels is current, accurate, and complete. Supervisors are not to place pressure on subordinates that could cause them to deviate from acceptable norms of conduct.

31 Conflicts of Interest CFVHS Board of Trustees and employees have a duty to avoid financial, business, or other relationships that might be against the interests of CFVHS or might cause a conflict with the performance of their duties.

32 Reasonableness of Compensation The Board has delegated to CFVHS s Chief Executive Officer ( CEO ) the authority to hire, fire, and establish salaries of CFVHS employees and agents. CFVHS pays fair market value to individuals providing goods or services in adherence to the Internal Revenue Service ( IRS ) and Office of Inspector General ( OIG ) requirements governing physician and other compensation arrangements.

33 Contracting with Excluded Individuals CFVHS does not employ or contract with any individual in any capacity who the Health System knows is excluded from participation in the Medicare or Medicaid programs. CFVHS makes a good faith attempt to determine whether a potential employee is or was ever excluded from participation in the Medicare or Medicaid program.

34 Time Card Reporting CFVHS employees and independent contractors report only the true and actual number of hours worked. Shifting of costs to inaccurate departments is prohibited.

35 Relations with Government Employees CFVHS employees may not give, or offer to give, entertainment, meals, or gifts that the employee knows are in violation of governmental regulations and/or Health System policy, whichever may apply.

36 Complete and Accurate Books, Records, and Communications CFVHS s financial statements, cost reports, and books and records on which they are based must reflect the transaction in an accurate fashion. Disbursements of funds and receipts must be properly and promptly recorded. Undisclosed or unrecorded funds are not established for any purpose. Claims for payment are prepared according to procedure and are based on documentation CFVHS determines is reasonably necessary to substantiate the claim.

37 Consultants and Agents Where legally required, independent contractors execute a written agreement that requires the consultants or agents to be obligated to comply with CFVHS s policies and procedures.

38 Compliance with Antitrust Laws The antitrust laws of the United States prohibit agreements that unlawfully restrain trade in interstate commerce, as well as certain monopolistic practices. It is imperative that legal advice be sought when questions arise regarding this subject.

39 Federal and State Tax-Exempt Status CFVHS is a not-for-profit entity that is exempt from Federal taxation pursuant to Section 501(c)(3) of the Internal Revenue Code. Political contributions and activities may jeopardize CFVHS s Federal tax-exempt status. CFVHS is also exempt from certain State and local taxes.

40 Health System Resources CFVHS employees are not to make improper use of CFVHS resources - or permit others to do so - nor to seek any payment, gift, or other thing of value from any subcontractor, vendor, or supplier for the purpose of obtaining/acknowledging favorable treatment. Each CFVHS employee is responsible for guarding CFVHS s confidential information against unauthorized disclosure.

41 Security and Privacy of Confidential Information Each CFVHS employee is responsible for maintaining the security of the Health System s confidential and proprietary information, regardless of whether the employee works directly with such information.

42 Corporate Compliance Officer When the Corporate Compliance Officer is made aware of a potential violation of standards, the Corporate Compliance Officer contacts CFVHS s Chief Executive Officer (CEO) and, when necessary, secures the opinions of outside legal counsel, consultants, or experts in compliance issues. The Corporate Compliance Officer also monitors CFVHS s continued compliance with the terms and conditions set forth in any settlement agreement that may be executed by CFVHS with the Federal or State government.

43 Duty to Report Violations It is the duty of each CFVHS employee/agent to report any suspected violation of these standards to the Corporate Compliance Officer. Employees may raise concerns and report actual or suspected compliance violations through the CFVHS Confidential Message Line at (910) Callers are assured that their anonymity will be protected and they will not suffer retaliation as a result of the disclosure. Alternatively, suspected violations of these standards may be reported to CFVHS s Chief Executive Officer ( CEO ) or Chief Financial Officer ( CFO ).

44 Code of Conduct Policy The Compliance Program and related policies apply to everyone doing business with Cape Fear Valley physicians, staff, vendors, contractors, Board members. The Code of Conduct policy defines the standards of behavior at Cape Fear Valley. Code of Conduct Policy

45 Code of Conduct Policy Definitions Covered Persons are defined to include employees, officers, and trustees of Cape Fear Valley; and all contractors, subcontractors, agents, and other persons who provide patient care items or services (including ambulance transportation services) or who perform billing or coding functions on behalf of Cape Fear Valley. Ineligible Person refers to a Covered Person who has been suspended, debarred, excluded, or otherwise deemed ineligible to participate in Federal or State health care programs.

46 Code of Conduct Policy All Covered Persons are required to certify in writing or in electronic form, as applicable, that they have received, read, understood, and agree to abide by this Code of Conduct. Newly affiliated Covered Persons shall receive the Code of Conduct and complete the certification within 30 days after becoming a Covered Person. Employees are required to complete compliance training and recertification of that training and the Conflict of Interest Questionnaire, annually.

47 Code of Conduct Policy Guidelines Prohibited behaviors include: Knowingly authorizing payments or activities that violate provisions of Federal and State health care program requirements or the Internal Revenue Code. Making political contributions or other illegal or improper payments with the funds of Cape Fear Valley. Appropriating, using, or permitting others to appropriate or use any funds, property, equipment, or time compensated by Cape Fear Valley for unlawful purposes or personal gain.

48 Code of Conduct Policy Guidelines Prohibited behaviors also include: Soliciting or accepting gifts, premiums, favors, invitations, or services from suppliers, service providers, financial institutions, or other persons or entities who are seeking to retain or obtain business from Cape Fear Valley. The Gifts or Other Items of Value from Vendors, Contractors, or Suppliers policy describes the parameters regarding the acceptance of gifts or other items of value. Gifts or Other Items of Value from Vendors, Contractors, or Suppliers Policy

49 Code of Conduct Policy Guidelines Prohibited behaviors also include: Knowingly providing false or inaccurate information to other employees, management, auditors, legal counsel, the authorities, government agencies, accreditation organizations, consultants of the organization, or others who rely on the receipt of accurate information to perform some act or make decisions for Cape Fear Valley. Making or initiating any transaction involving Cape Fear Valley funds for a purpose other than as described by the documentation that supports payment or authorizing a transaction that knowingly circumvents an internal policy or procedure.

50 Code of Conduct Policy Guidelines Prohibited behaviors also include: Discrimination in the selection, hiring, retention, promotion, or transfer of qualified individuals on the basis of race, gender, religion, national origin, age, or persons with disabilities. Modifying computer software, inserting code, or otherwise affecting any computer system, its data and/or the information in a willful or intentional manner to the employee's benefit or to the detriment of the organization. Establishing, in the name of Cape Fear Valley or one of its related entities, a bank account using its tax identification number; referencing its taxexempt status; using its stationery or letterhead; or undertaking, in the name of Cape Fear Valley, its member organizations, and/or its joint ventures, any activity without prior approval, or for an unauthorized purpose.

51 Code of Conduct Policy Guidelines Prohibited behaviors also include: Disclosing, or permitting others to disclose, confidential information including non-public business information, personnel records, patient records, computer access codes and system information, peer review data, and other information protected by law without prior legal authorization. Participating in any other activity or omission that could reasonably have an effect on a Covered Person s independence of judgment as it relates to Cape Fear Valley business matters.

52 Code of Conduct Policy Guidelines Prohibited behaviors also include: Participating in outside activities that could reasonably be expected to significantly interfere with work time commitments to Cape Fear Valley. Such outside activities include, but are not limited to, receiving a fee for performing tasks (or speaking engagements for another organization) during normal work hours while simultaneously being paid as a CFVHS employee. Engaging in any activity that creates an actual conflict of interest or the appearance of a conflict between personal interests and the interests of Cape Fear Valley. Conflict of Interest Policy

53 Declaration of Potential Conflicts All employees are expected to complete a Conflict of Interest Questionnaire declaring any potential conflicts and any outside employment. A new questionnaire is to be completed each year or when a change occurs (e.g., department transfer). Anytime during the year if a potential or perceived conflict arises, the employee is expected to immediately contact his/her manager for an interpretation of policy prior to making any commitment.

54 Declaration of Potential Conflicts The Conflict of Interest Policy and Questionnaire are located on the InfoWeb on the Human Resources Web Page. Failure to declare actual or potential conflicts of interest is grounds for disciplinary action up to and including termination of employment.

55 Examples of Conflicts of Interest Some examples of a Conflict of Interest include: Employees requisitioning or approving items or services from a vendor to whom they are related (e.g., parents, siblings, spouse, in-laws). Accepting dinner invitations, tickets to sporting events, and lavish gifts of items or services from vendors. Influencing the selection of vendors who are household members or relatives.

56 Code of Conduct Policy Guidelines It is the right of all individuals when faced with a compliance issue that they do not wish to report to their supervisor or others in their chain of command, to report the concern by calling the Confidential Message Line at (910) If the individual chooses to remain anonymous, the information that is provided should be detailed enough to allow an inquiry into the matter to be initiated and to provide for a resolution.

57 Code of Conduct Policy Guidelines Additional supporting documentation may be mailed anonymously to: Corporate Compliance Officer Cape Fear Valley Health System P. O. Box 2000 Fayetteville, NC

58 Part II: Health Insurance Portability and Accountability Act of 1996 (HIPAA), HITECH Breach Reporting, and Identity Theft Prevention Program If you have any questions, please contact: Tricia Urquhart-Jones Privacy Officer (910)

59 Objectives The objectives for Part II are to: Provide an overview of HIPAA Privacy and Security Rules. Explain HITECH Breach Reporting requirements. Provide an overview of Cape Fear Valley s Identity Theft Prevention Program and Policy.

60 HIPAA Compliance Requirements Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) regulations are Federal laws that require covered entities to keep patient information private and secure. Covered entities - such as hospitals, physician and dental offices, pharmacies, and health plans - may not use or disclose protected health information ( PHI ) except as permitted or required by HIPAA.

61 Confidentiality and Information Access Policy CFVHS workforce members are expected to access data and information needed to carry out their job duties quickly, efficiently, and effectively. Reasonable access is defined as access broad enough to allow individuals to make legitimate use of information in carrying out their duties and, at the same time, restrictive enough to guard against inappropriate access. Access to information must be based upon the need to know.

62 Confidentiality and Information Access Policy The purpose of the Confidentiality and Information Access policy is to safeguard the integrity and reasonable access of CFVHS data and information and to protect and safeguard confidential and proprietary information pertaining to patients, caregivers, employees, and CFVHS operations.

63 Confidentiality and Information Access Policy CFVHS has the right to audit any aspect of the computer system - including employee - to monitor compliance with this policy. Employees do not have the expectation of privacy in anything they create, send, or receive on the computer. The computer and telecommunication systems belong to CFVHS and are used for CFVHS business. Confidentiality and Information Access Policy

64 Confidentiality Agreement Employees and other workforce members sign the Confidentiality and Information Access Agreement ( Agreement ) before receiving access, and annually thereafter. Physicians and Allied Health Practitioners sign the Agreement as part of the credentialing process and each time they are re-credentialed.

65 Confidentiality Agreement Contractors who have a Business Associate Agreement and who access computer systems from outside CFVHS may be waived from signing the Agreement. Entities who need access to the computer system, but with whom CFVHS does not have a contractual agreement, sign a Non-Disclosure Statement and other documents requested by Information Services and Technology ( IST ).

66 Users are to use the same care in drafting and other electronic documents as they would for any other written communication. Anything created on the computer may be reviewed by others. When sending Group s (e.g., to all Department Managers) it is important to ensure that all individuals included in the group have a need to know the information that is being sent to them.

67 that is sent to a non-cape Fear Valley account may be scanned for PHI that is not encrypted or password protected. s containing patient information or other sensitive information that are sent outside of Cape Fear Valley are to be sent secure, with the tag [SendSecure] at the beginning of the Subject line.

68 Accessing Patient Information Covered entities must make reasonable efforts to limit the use or disclosure of, and requests for, protected health information ( PHI ) to the minimum amount necessary to accomplish the intended purpose. Access to patient information is based on a Need To Know. This need to know must be for job related duties to carry out essential health care functions - e.g., treatment, payment, and health care operations. The need to know includes the patient s personal information.

69 Accessing Patient Information This means, do not look-up, browse, peruse, peek, checkout, peep, sneak a look, research, or look at anyone s medical or financial information unless it is part of your job. This includes records belonging to you and your spouse, children, ex-spouse, mother, father, aunt, uncle, or any other person you may know. If you need a copy of your record or the results of a test, you must go through the same process as any other patient. There are serious consequences for looking at someone s PHI without a need to know.

70 Discussing Patient Information Before discussing PHI, make sure you are in an area where others cannot overhear your conversation. Dad won t tell me anything. What s wrong with him? I understand your concern, but I can t discuss his health care without his consent. HIPAA tells us we may discuss a patient s care with people who are involved in their care if the patient does not object. Before discussing the care of a patient in front of visitors, ask the patient if he or she wants the visitors to be involved in the discussion. The person visiting may be someone the patient does not want to know his or her personal business.

71 Disclosure of the Patient s Location in the Health System If the patient is asked for by name, then the patient s location and general condition may be given without the patient s permission. However, there is a patient Opt Out exception to the rule that a patient s location and general condition may be disclosed. When a patient makes the opt-out election, the patient s location and condition status is protected and confidential, and may not be disclosed. If you do not know the Opt Out status of a patient, contact the Operator to determine the Opt Out status.

72 Faxing Misdirected faxes are the most common HIPAA Breach. To prevent errors, verify that you have selected the correct provider when entering orders. Verify all fax numbers before faxing. If a document is misdirected, ask the recipient to return the document. You can arrange to pick up the document or ask that the document be shredded if it cannot be returned. Report misdirected faxes to the Privacy Officer.

73 Computer Infrastructure Security Cape Fear Valley depends on its workforce to use the computer system as a tool in caring for patients and in daily business activities. Cape Fear Valley s security policies address various areas to include social networking, cell phone usage, , passwords, virus protection, downloading, and audits.

74 Computer Infrastructure Security Access to information on the computer system is continually audited. Audit trails record information such as the workforce member, the information accessed, and the date and time of the access. These audit trails are used to verify that workforce members have accessed information based on the need to know criterion.

75 Passwords Workforce members with access to Cape Fear Valley s computer system are to use their own user ID and password. The use of another person s User ID and password is prohibited. Passwords are not to be shared with anyone.

76 Social Networking Information about Cape Fear Valley s patients (even if they are not mentioned by name) or business matters are not to be discussed on social networking sites such as Facebook, MySpace, Twitter, Instagram, etc. Any information that may point to a particular patient is considered a violation of the HIPAA Privacy laws.

77 Investigation of Breaches of Privacy Policy CFVHS takes reasonable action to investigate reported breaches and mitigate alleged harmful effects resulting from the unauthorized use or disclosure of PHI by CFVHS or its business associates. In the event of an identified threat of harm (e.g., the potential for identity theft), CFVHS shall undertake appropriate mitigation measures. The purpose of this policy is to assist CFVHS to comply with the HIPAA Privacy and Security Rules and to minimize harm to the individual as a result of unauthorized use or disclosure of PHI by CFVHS or its business associates. Investigation of Breaches of Privacy Policies and Procedures Policy

78 Definitions Breach: The unauthorized access, disclosure, or use of PHI in any form, to include electronic and hardcopy. This may be internal or external, and may or may not have a harmful effect. Privacy breaches: Incidents deemed as breaches of patient privacy include, but are not limited to, discussing patient information in public areas, accessing patient information without a need to know, and misuse of PHI. Accessing PHI belonging to one s family members or friends or others is classified as a privacy breach.

79 Definitions Security breaches: Incidents deemed security-related include, but are not limited to, misuse of passwords, unauthorized individuals in an area, failure to lock screens when leaving workstations, ing patient information outside CFVHS that is not password-protected or encrypted, and mis-faxing documents.

80 Definitions Initial Reporting: Members of the workforce have individual responsibility to report suspected privacy and security breaches. Reports may be made by or phone. Initial reporting may be made to: The Health System Privacy Officer The Privacy Hot Line The Confidential Message Line The IST Security Administrator Corporate Risk Management Human Resources

81 Definitions Investigation: Once a suspected breach is reported, an investigation is performed to ascertain the validity of the report. The investigation determines: Whether a breach did in fact occur. How the breach happened (e.g., used wrong fax number, staff member did not sign off of the computer) including an interview of staff members as necessary. What corrective actions need to be implemented to prevent the recurrence (e.g., number pre-programmed into fax machine). HIPAA Assessment Team: Depending upon the nature and level of the breach, a HIPAA Assessment Team (HAT) may be assembled to assist with the investigation.

82 Investigation of Breaches of Privacy and Security Reporting Guidelines Documentation: The Privacy Officer keeps a log of reported breaches, corrective actions, and sanctions. Reports of breaches of confidentiality that are reported as a patient complaint are forwarded to Patient Relations for follow-up and tracking. Physician/Allied Health Professionals: Report breaches to the Privacy Officer. The Privacy Officer communicates the information to Medical Staff Services.

83 Investigation of Breaches of Privacy and Security Reporting Guidelines Physician and allied health professional breaches are handled by the Privacy Officer in collaboration with Medical Staff Services. Business Associates are required to report, in writing, to the Privacy Officer any use or disclosure of PHI or other sensitive information that is not permitted or required under the terms of the Business Associate Addendum.

84 Levels of Breaches and Sanctions LEVEL 1 Carelessness, Self-examination of records This occurs when a workforce member unintentionally or carelessly accesses, reviews, or reveals PHI or other sensitive information to himself/herself, or others, without a legitimate need to know the information. Examples include, but are not limited to: Discussing PHI or other sensitive information in a public area. Leaving documentation containing PHI in a public area. Leaving a computer unattended and unlocked in an accessible area. Faxing PHI to a wrong number. Certain instances of self-examination rise to a Level 2 breach.

85 Levels of Breaches and Sanctions If a workforce member attempts to access personal medical records (or those of a minor child) that are motivated by certain circumstances (and unrelated to the patient s care or other authorized basis), it may amount to a Level 2 breach when: Accessing the records of minor children for the purpose of learning information valuable in litigation matter such as a custody dispute. Accessing mental health records or records documenting services related to reproductive issues may fall within the breach standard. Requests for a copy of laboratory results, x-ray results, or other parts of your medical records should be directed to Health Information Management.

86 Levels of Breaches and Sanctions LEVEL 2 Curiosity, Concern, or Willful Disregard of Policy (not for personal gain) This occurs when a workforce member intentionally accesses or discusses PHI or other sensitive information for purposes other than for the care of the patient or other authorized purposes. Examples include, but are not limited to: Workforce member intentionally looks up PHI that is not related to his/her job duties. Workforce member shares his/her system password. Workforce member accesses and reviews a record of a patient out of concern or curiosity (this includes family members, friends, and exspouses).

87 Levels of Breaches and Sanctions LEVEL 3 Personal Gain or Malice This occurs when a workforce member accesses, reviews, or discusses PHI or other sensitive information for personal gain or with malicious intent. Examples include, but are not limited to: A workforce member reviews a patient record for personal use, such as obtaining an address or phone number in order to contact a patient or family member for reasons not related to Health Systems business. A workforce member compiles a mailing list for personal use or commercial use. A workforce member provides PHI to the media for monetary reparation and /or to embarrass the patient or Health System.

88 Levels of Breaches and Sanctions Disciplinary Sanctions are outlined in the Administrative Policy, Investigation of Breaches of Privacy Policies and Procedures.

89 HITECH Act Requirements The Health Information Technology for Economic and Clinical Health ( HITECH ) Act requires under certain circumstances that patients be informed when their PHI has been breached. Breach notification requirements are triggered when someone gains access to unsecured PHI. PHI is unsecured when it has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of an approved technology or methodology such as encryption.

90 HITECH Act Requirements Breach notification standards require the provision of notice to affected individuals and in some cases the media. The HITECH Act establishes the methods, content, and time period for providing such notice. All suspected Breaches are to be reported to the Privacy Officer. Some breaches are required to be reported to the Secretary of Health and Human Services and to the North Carolina Attorney General. HITECH establishes penalties and sanctions for workforce members who violate HIPAA regulations.

91 Office for Civil Rights The Office for Civil Rights ( OCR ) enforces the HIPAA Privacy Rule and the HIPAA Security Rule. The HIPAA Privacy Rule protects the privacy of individually identifiable health information. The HIPAA Security Rule sets national standards for the security of electronic protected health information.

92 HIPAA Compliance Audits by the OCR The OCR has contracted with an independent organization to audit compliance with the Privacy and Security Rules. Cape Fear Valley continues to assess its readiness for an audit. It is important for you to know what Cape Fear Valley s Privacy and Security Policies are and to report any breach of these policies.

93 Identity Theft Prevention Program

94 Medical Identity Theft Medical identity theft occurs when someone steals another person s personal information (e.g. name, Social Security number, Medicare number) to obtain medical care, buy drugs, or submit fake billings to Medicare. Medical identity theft disrupts lives, damages credit ratings, and can be life-threatening to patients if the wrong information ends up in their medical records. Medical identity theft is a significant and growing problem in the U.S. health-care industry. It has been estimated that medical identity theft alone costs tens of billions of dollars a year.

95 Identity Theft Prevention Policy CFVHS takes reasonable measures to identify, detect, and mitigate risks of identity theft of patients and employees of the Health System. The purpose of the Identity Theft Prevention policy is to assist CFVHS with compliance with the N.C. Identity Theft Protection Act of 2005 (NCGS et al.) and the Federal Trade Commission s Identity Theft Prevention Red Flags Rule of 2008 (16 C.F.R. Section 681.2)

96 Identity Theft Prevention Policy Report potential identity theft involving CFVHS to the Privacy Officer. The Privacy Officer has the primary responsibility to investigate potential identity theft. Identity Theft Prevention Policy

97 Corporate Compliance is Everyone s Responsibility It is everyone s responsibility to do the right thing by: Asking questions Requesting additional education when needed Reporting concerns and suspected or known violations The Compliance Department is here to assist you - please report any violations.

98 Part III: Accountable Care Organization ( ACO ) Compliance Requirements If you have any questions, please contact: Bart Fiser ACO, Executive Director (910)

99 Objectives The objectives are to: Provide an overview of the Accountable Care Organization ( ACO ), Explain the ACO compliance obligations, and Describe the duty and protocol for ACO compliance investigation and reporting.

100 Accountable Care Organization An Accountable Care Organization is an organization of healthcare providers and professionals working together to coordinate care for the Medicare fee-for-service patients that they serve. Cape Fear Valley ACO Mission: To improve the engagement, health, and wellness of community members; enhance the quality of care through clinical and service excellence; and decrease the cost of care using a collaborative team-based approach to care delivery. Cape Fear Valley ACO Vision: To become a nationally recognized leader in population health by providing our community members the best care for the best value.

101 ACO Makeup ACO Participants: Cape Fear Valley Health System, including Cape Fear Valley Medical Center, Highsmith-Rainey Specialty Hospital, and physician practices and subsidiaries Hoke Healthcare Bladen Healthcare ACO Provider/Supplier: Physicians and other practitioners that bill Medicare under an ACO Participant.

102 ACO Compliance Officer Iris Murphy is the Compliance Officer for the Cape Fear Valley ACO. She is responsible for administering the ACO Compliance Program, including: Developing compliance education; Promoting open and anonymous communication regarding any possible compliance violations; and Overseeing the investigation of any reports of suspected non-compliance or improper or illegal behavior.

103 ACO Compliance Plan Cape Fear Valley ACO Compliance Plan covers the key compliance requirements for participation in an ACO. The Compliance Plan utilizes and incorporates Cape Fear Valley s existing policies and procedures where appropriate. You should assume all of the Cape Fear Valley Health System rules, policies, and procedures addressed in our compliance training also apply to Cape Fear Valley ACO.

104 ACO Compliance Plan In addition, the Compliance Plan also addresses specific ACO regulations. Additional written ACO Policies and Procedures will be developed as appropriate to ensure compliance with all federal requirements. The ACO Compliance Plan, and relevant Policies and Procedures will be located on the InfoWeb and/or in department manuals.

105 Reporting Suspected Compliance Problems Cape Fear provides a Confidential Message Line to report any suspected problems to the compliance officer, including ACO compliance issues. Individuals have a duty to report suspected compliance violations. The Confidential Message Line number is (910) Individuals will not be retaliated against by Cape Fear Valley for good faith reporting of compliance concerns.

106 Compliance With Laws Participation with an ACO requires strict compliance with applicable federal and state laws, regulations and rules, and CMS guidance, including: Federal criminal law The False Claims Act The Anti-Kickback Statute The Civil Monetary Penalties Law The Physician Self-Referral Law ( Stark Law )

107 False Claims Act Documentation provided by Cape Fear Valley ACO may be used to determine payments to be made by Medicare to Cape Fear Valley ACO. Cape Fear Valley ACO will provide accurate information and data to the government. Employees and contractors are prohibited from making false or fraudulent statements to the government in connection with the ACO.

108 Beneficiary Choice Medicare beneficiaries are assigned to different ACOs based on where they obtain their primary care services. Generally, if a Medicare patient receives the majority of primary care services from a primary care physician affiliated with the Cape Fear Valley ACO, that patient is attributed to the Cape Fear Valley ACO. But ACOs are not closed managed care networks - patients are free to continue seeing any Medicare provider or supplier. Cape Fear Valley ACO will ensure that such beneficiary choice is maintained.

109 Regulation of Referrals ACO providers/suppliers remain free to refer beneficiaries to non-aco providers/suppliers anytime when: A beneficiary has expressed a preference for a different provider/ practitioner/ supplier; The beneficiary's insurer has made a determination of the provider/ supplier; and/or A referral to an ACO provider/supplier is not in the beneficiary's best medical interests in the judgment of the referring party.

110 Beneficiary Inducements ACO participants, providers, and suppliers may not provide any gifts, cash, or other forms of remuneration to beneficiaries for choosing to receive services as part of the ACO network or with an ACO provider. Some examples include: no baseball tickets, jewelry, household items, or gift certificates.

111 Permitted Beneficiary Inducements: Exception for Certain In-Kind Items/Services There is a limited exception for certain in-kind items and services that are provided to encourage care coordination and beneficiary health awareness. However, any such items and services must meet the following requirement: There is a reasonable connection between the items and services and the medical care of the beneficiary; and The items/ services are preventive care items or services that advance a clinical goal for the beneficiary, including for example adherence to a treatment regimen, adherence to a drug regimen, adherence to a followup care plan, or management of a chronic disease or condition.

112 Notice to Beneficiaries Cape Fear Valley ACO will notify beneficiaries at the point of care that their ACO providers/suppliers are participating in the Medicare Shared Savings Program. Cape Fear Valley ACO will also take the following steps to provide notice: Signs will be posted to notify beneficiaries that their ACO providers/suppliers are participating in the Medicare Shared Savings Program; and Standardized written notices regarding participation in an ACO will be provided in settings in which beneficiaries receive primary care services.

113 Marketing Materials and Activities Any ACO marketing materials must be developed in collaboration with the ACO and approved by CMS. This includes any materials used to educate, solicit, notify, or contact Medicare beneficiaries or providers and suppliers regarding the Medicare Shared Savings Program. Marketing materials must not be developed or disseminated without express approval from both the President of Cape Fear Valley ACO and the Cape Fear Valley Legal Department. CMS has clarified that social media can be used as a marketing tool and therefore marketing materials and activities that must be approved include social media, such as Twitter or Facebook.

114 CMS Audits Cape Fear Valley ACO must cooperate with any CMS monitoring or evaluation activities connected to the ACO. Such cooperation includes, but is not limited to: Responding to documentation requests; Collection of any data required to measure performance regarding utilization management and clinical quality; Compliance with recommendations to improve utilization or quality performance or patient satisfaction; and Record maintenance.

115 Record Maintenance Cape Fear Valley ACO, and its Participants, are obligated to maintain books, contracts, records, documents, and other evidence for a period of 10 years (or longer in some instances) from the final date of the agreement period or from the date of completion of any audit, evaluation, or inspection - whichever is later. Do not destroy ACO records without written approval from the President of Cape Fear Valley ACO and the Cape Fear Valley Legal Department that such destruction is permitted.

116 ACO Compliance is Everyone s Responsibility It is everyone s responsibility to do the right thing by: Asking questions Requesting additional education when needed Reporting concerns and suspected or known violations The Compliance Department is here to assist you - please report any violations.