Comprehensive Orthopaedic and Musculoskeletal Care, LLC
Healthcare Compliance Staff Training
Healthcare Compliance Training
Comprehensive Orthopaedic and Musculoskeletal Care, LLC has an active Compliance Program to ensure:
• the highest ethical practices,
• quality care to all of our patients, and
• adherence to all applicable Federal and State laws and guidelines.
Healthcare Compliance Program
The COMC Compliance program consists of:
• A Compliance Committee
• Compliance Policies and Procedures
• Periodic medical record and billing audits
• A Compliance Hotline
• Staff training and education
Staff Education and Training
This training session will cover the following key issues:
1) COMC Code of Conduct
2) Compliance Hotline
3) HIPAA
4) Red Flags Rule
Code of Conduct
The underpinnings of ethical business practices at Comprehensive Orthopaedic and Musculoskeletal Care, LLC are the following:
• We are committed to quality care and patient safety.
• We shall obey the law.
• We shall communicate openly and effectively with our patients and co-workers.
• We shall always seek to build trust, show respect, and perform our jobs with integrity.
Code of Conduct Policy
The COMC Compliance Code of Conduct incorporates commitment to the following:
• Quality care
• Ethical business practices
• Adherence to HIPAA and Red Flags requirements
• Adherence to federal and state laws and guidelines regarding documentation and billing practices
• An employee’s right to confidentially disclose a compliance violation
• Protection of workplace safety and an environment free of harassment.
Each COMC employee is required to read and sign an acknowledgement of the Code of Conduct.
COMPLIANCE HOTLINE
Comprehensive Orthopaedic and Musculoskeletal Care, LLC is committed to providing compassionate care with the highest ethical standards.
If you witness any activity which may be a violation of a federal or state law, particularly in the areas of fraud, abuse or waste, you may report the violation on the Compliance Hotline: 1 (800) 511-4396.
You may remain anonymous if you wish.
Question
The Compliance Program at Comprehensive Orthopaedic and Musculoskeletal Care, LLC includes:
A) A Code of Conduct
B) A Compliance Committee
C) A Compliance Hotline
D) Every COMC employee
E) All of the Above
HIPAA
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• The HIPAA Privacy Rule provides federal protections for personal health information (PHI) and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule permits the disclosure of personal health information needed for patient care and other important purposes.
• The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for healthcare practices to use to assure the confidentiality, integrity, and availability of electronic protected health information.
HIPAA
• Comprehensive Orthopaedic and Musculoskeletal Care, LLC expects that, as per HIPAA requirements, staff will not use, disclose or discuss patient health information with others unless it is necessary to perform his or her job or is required by law. Patient health information will be released only to persons authorized by law or by the patient's written authorization. Only the minimum necessary PHI will be released when authorized.
HIPAA: Protected Health Information (PHI)
Protected health information is any individually identifiable information contained in the patient’s medical record or files. This includes the patient’s name, address, diagnosis, chart notes, lab or x-ray results, treatment plan, insurance or financial information.
Disclosure of PHI
COMC is permitted to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
1) To the Individual or persons that he or she designates in writing
2) Treatment, Payment, and Health Care Operations
3) Judicial request, law enforcement, public health activities and national security
4) Disclosures about abuse, neglect or violence.
Notice of Privacy Practices
COMC is required by law to:
• Provide patients with a notice in plain language of its privacy practices, including the uses or disclosures COMC may make of the individual’s information and the individual’s rights with respect to that information.
• Make its notice available to any person who asks for it.
• Provide the notice to the individual no later than the date of first service.
• Prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits.
Accessing HIPAA Forms
• A copy of the Notice of Privacy Practices (NPP) is posted in the waiting area.
• HIPAA policies and guidelines are available in the Compliance Manual and can be accessed by asking any member of the Compliance Committee (Joe-Annis Iodice, Ray Ryan, Tracey Zotta, Felicia Cirigliano).
• HIPAA forms are available at each desk and through “Master Forms” in the Comprehensive Orthopaedics Directory.
Required Forms
COMC is required by HIPAA law to use the following forms as presented in the next four slides:
1. Notice of Privacy Practices
2. A form which each patient must sign acknowledging their awareness of COMC’s privacy practices and use of PHI.
3. A Release of Information authorization form.
4. A Business Associate Agreement assuring that any entity doing business with COMC will follow HIPAA law and protect PHI.
Notice of Privacy Practices
Comprehensive Orthopaedics and Musculoskeletal Care
203-265-3280
Health Insurance Portability and Accountability Act of 1996
Notice of Privacy Practices
Prepared by Total Compliance Solutions, Inc.
These procedures are prepared with the understanding that Total Compliance Solutions and its agents are not engaged in rendering legal, accounting, or other professional services. This information is advisory only. Final interpretation is the responsibility of the regulatory or accrediting body administering the standard or regulation referenced.
HIPAA Security Rule
• The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for healthcare practices to use to assure the confidentiality, integrity, and availability of electronic protected health information.
• COMC must, by law, take reasonable measures to secure all protected health records created, stored, accessed, and transmitted electronically.
HIPAA Security Rule
Three Components:
• Administrative: Creation of Policies and Procedures, management of passwords and access rights, conduct risk analysis, and develop business continuity plan.
• Technical: The technology that makes safeguards possible (access controls, antivirus protection, encryption, firewall, etc.).
• Physical: Protection of the physical things (computers and facilities where records are stored).
Together they cover the policies, procedures, processes, and systems you need to protect PHI.
HIPAA Security Rule
Why talk about security?
• Breaches in electronic security typically result in unauthorized access or release of protected health information.
• Everybody needs to think about security, not just the tech guys.
• Most breaches in security occur from inside the building.
Security Walkthrough
You need to think security just as you think safety and privacy.
• Don’t give anyone your password.
• Log off or lock computer screen before walking away.
• Don’t open an email attachment unless you know who sent it.
• Don’t download or install software without approval from the IT department.
• Don’t leave laptops or PDAs in an unattended vehicle.
Patient Complaints re: HIPAA
If a patient feels that there has been a violation of the HIPAA privacy policies, then he or she may contact the Compliance Officer of COMC (203-265-3280), the Compliance Hotline (800-511-4396) or the secretary of the U.S. Department of Health and Human Services (800-447-8477).
Question
Which of the following statements is false:
A) HIPAA is a federal law mandating the protection of patient health information.
B) HIPAA includes both a Privacy rule and a Security rule.
C) HIPAA was enacted by legislators to add more paperwork for medical offices.
D) PHI includes any patient identifier linked with that patient’s health information.
Identity Theft Prevention and Detection and Red Flags Rule
The Federal Trade Commission defines identity theft as “a fraud committed or attempted using the identifying information of another person without authority.” Identifying information is “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person.” Medical identity theft occurs when a person seeks healthcare using another person’s name or insurance information.
Identity Theft Prevention and Red Flags Rule
• It is the policy of Comprehensive Orthopaedic and Musculoskeletal Care, LLC to follow all federal and state laws and reporting requirements regarding identity theft.
• This presentation outlines how COMC employees will (1) identify, (2) detect and (3) respond to “red flags.” A “red flag” includes a pattern, practice or specific account or record of activity that indicates possible identity theft.
Identify Red Flags
In the course of caring for patients, COMC employees may encounter inconsistent or suspicious documents, information or activity that may signal identity theft. COMC identifies the following as potential red flags:
• A complaint or question from a patient based on the patient’s receipt of a bill for another individual; a bill for a product or service that the patient denies receiving; a bill from a health care provider that the patient never patronized; or a notice of insurance benefits (or explanation of benefits) for health care services never received.
• A patient or health insurer report that coverage for legitimate medical services has been denied because insurance benefits have been depleted or a lifetime cap has been reached.
• A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
• A notice or inquiry regarding identity theft from an insurance fraud investigator.
• A breach of data from outside sources, for example, theft of a patient’s chart, either paper or electronic.
Detect Red Flags
COMC staff will be alert for discrepancies in documents and patient information that suggest risk of identity theft or fraud. COMC staff will verify patient identity, address and insurance coverage at the time of patient registration/check-in.
When a patient calls to request an appointment, the patient will be asked to bring the following at the time of the appointment:
• Driver’s license or other photo ID;
• Current health insurance card; and
• If the photo ID does not show the patient’s current address, the patient must present a utility bill or other correspondence showing current residence. If the patient is a minor, the patient’s parent or guardian should bring the information listed above.
Detect Red Flags continued
Staff should be alert for the possibility of identity theft in the following situations:
• The photograph on a driver’s license or other photo ID submitted by the patient does not resemble the patient.
• The patient submits a driver’s license, insurance card, or other identifying information that appears to be altered or forged.
• Information on one form of identification the patient submitted is inconsistent with information on another form of identification or with information already in the practice’s records.
• An address or telephone number is discovered to be incorrect, non-existent or fictitious.
• The patient fails to provide identifying information or documents.
• The patient’s signature does not match a signature in the practice’s records.
Respond to Red Flags
If a red flag is detected by an employee of COMC:
1. The employee should gather all documentation and report the incident to his or her immediate supervisor or Joe-Annis Iodice, the COMC Compliance Officer.
2. The employee’s supervisor will report the details of the incident to the Compliance Officer.
3. The Compliance Officer and/or Compliance Committee will determine whether the activity is fraudulent or authentic.
4. If the activity is determined to be fraudulent, then COMC will take immediate action. Actions may include:
   • Cancel the transaction;
   • Notify appropriate law enforcement;
   • Notify the affected patient;
   • Notify affected physician(s); and assess impact to practice.
Respond to Red Flags
If a patient claims to be a victim of identity theft:
• The patient should be encouraged to file a police report for identity theft if he/she has not done so already.
• The patient should be encouraged to complete the ID Theft Affidavit developed by the FTC, along with supporting documentation.
• Comprehensive Orthopaedic and Musculoskeletal Care, LLC will compare the patient’s documentation with personal information in the practice’s records.
Red Flags Rule Disclaimer
TO OUR PATIENTS:
In accordance with the rules and guidelines established by the federal government under the Fair and Accurate Credit Transactions Act of 2003, Comprehensive Orthopaedic and Musculoskeletal Care, LLC (COMC) is required to develop and implement a written Identity Theft Prevention Program.
As part of that program, all patients are therefore required to provide COMC a copy of their driver’s license (or other government-issued photo ID) along with their health insurance card. Parents must provide a copy of their driver’s license and insurance card for any of their children should the child become a patient of this office.
If you decline to provide the photo identification, you will be required to sign this form indicating that you are declining to provide the required identification and will hold COMC harmless for any breach of their identity that could have been prevented if the required identification had been provided in the form that was required.
Should you have any questions, please ask one of our staff to put you in contact with our Compliance Officer.
I decline to provide the required photo identification and to have my picture entered into the EMR:
Signature: _____________________________________
Date: ______________
Question
Why is it important for medical professionals to be concerned about identity theft?