Corporate Responsibility Program FY 2013 Corporate Responsibility Program Ascension Health, its local health ministries, associates, and agents are committed to carrying out their health care ministry in a manner consistent with the Ascension Health Mission, Vision, and Values. Integrity is one of Ascension Health’s Core Values. The essence of integrity is a workplace in which we follow ethical and legal business practices. In support of these commitments, the Board of Trustees of Ascension Health has formally established a Corporate Responsibility Program. Corporate Responsibility Program • Associates of St. Mary’s receive detailed information regarding the Corporate Responsibility Program at the beginning of their employment during Organizational (General) Orientation. • This module is your ongoing review and recommitment to the program. Corporate Responsibility Program After completing this module, you will be able to: • Review the Corporate Responsibility Program Standards of Conduct. • Recall the action to take to report suspected violations. • Be familiar with the False Claims Act. • Identify your Corporate Responsibility Officer and HIPAA Privacy & Security Officer. • Pledge your recommitment to the Corporate Responsibility Program. The Corporate Responsibility Program is the: Shared accountability among all Associates of Ascension Health and St. Mary’s Health System to perform work ethically, responsibly, and legally. Standards of Conduct The following five Standards of Conduct (SOC) describe the behavior and conduct expected of all Health Ministry associates, medical staff members, Board and Board Committee members, and contractors. Standards of Conduct • • • • • Standards of Conduct (SOC): Follow Ethical and Religious Directives Deliver Clinically Excellent and Safe Patient Care Foster a Model Community of Inspired Associates Be Honest and Fair in our Business Conduct Comply with Laws and Regulations Standards of Conduct To make sure you understand the Standards of Conduct, let’s look a little more in depth at each standard. Standards of Conduct SOC: Follow Ethical and Religious Directives The Ethical and Religious Directives express the Catholic Church’s teaching on the dignity of the human person and the common good. They are made up of principles that guide our response to ethical issues in health care. Standards of Conduct • • • • SOC: Ethical and Religious Directives These principles include: Promoting the dignity of all, care for persons who are poor, and contribute to the good of the community Respect for the sacredness of human life from conception to death Providing compassionate care and relief of pain and suffering for the dying Treating our patients with respect, trust, honesty, and confidentiality Standards of Conduct • • • • Ethical and Religious Directives What is expected of me? To be familiar with and follow the Ethical and Religious Directives To be familiar with and participate in ethics education programs offered, as appropriate To talk with someone if you have a question about the Ethical and Religious Directives To respect the Health Ministry’s religious identity and promote its commitment to the Catholic Church’s moral teaching. Standards of Conduct SOC: Deliver Clinically Excellent and Safe Patient Care Clinically excellent and safe care requires an organization that is highly reliable and dependent on each associate’s and medical staff member’s participation in a culture of High Reliability. A High Reliability Organization is one that delivers on what it intends to do, putting in place systems, processes and behaviors to build strong teams that will prevent errors and improve all areas of safety and experience for patients and associates. Standards of Conduct Delivering Clinically Excellent and Safe Patient Care What is expected of me? • To follow the behaviors of a High Reliability Organization that provides our patients, visitors, and associates with a safe environment that is free of preventable injury. • To follow policies and procedures that promote a safe environment for patients, visitors, and associates. • To deliver services with compassion and respect for the dignity of every patient. • To encourage patients to participate in decisions about their care in a manner that they can understand and will enable them to make free and informed decisions. Standards of Conduct Delivering Clinically Excellent and Safe Patient Care Associates are expected to: • Not disclose confidential information about patients or their care to any unauthorized person or organization. • Not access confidential information about patients unless you have a need to know the information in order to perform your job. • Have a positive, courteous and customer-service-oriented attitude and approach to all persons you meet. • Maintain complete, timely and accurate medical records. • Maintain current professional licenses, certifications and other credentials in accordance with professional standards and regulations that apply to your position. Standards of Conduct SOC: Foster a Model Community of Inspired Associates Associates are at the core of our service as a Catholic health ministry Model community is our mutual commitment: Ascension Health’s organizational commitment to Associates for their full flourishing – personally and professionally – and Associates’ personal commitment to the Ministry and one another, all in service of our Mission. Standards of Conduct SOC: Foster a Model Community of Inspired Associates Model Community is rooted in the belief that associates deserve a respectful workplace in which their voice is heard and a clear view of how their work supports the mission. Safe, effective and reverent care can only be provided by inspired people who: • Have the required skills, knowledge and equipment to do their jobs, • Are focused on our Mission, and • Feel that they are safe, cared about, recognized and appreciated. Standards of Conduct SOC: Foster a Model Community of Inspired Associates What is expected of me? • To treat others fairly, honestly and with dignity. • To treat others respectfully, without regard to race, religion, national origin, color, age, disability, marital status, sexual orientation, gender, genetic information, amnesty, status as a covered veteran or any other legally protected status in accordance with applicable federal, state, and local laws. Standards of Conduct SOC: Foster a Model Community of Inspired Associates What is expected of me? • To communicate with others openly, honestly and respectfully • To be supportive of others and work as a team. • To be committed to ongoing learning, including training or educational opportunities. Standards of Conduct SOC: Be Honest and Fair in our Business Conduct We are committed to ethical business conduct and integrity. We act in the best interest of the Health Ministry, protect the confidentiality of information and represent the Health Ministry honestly and accurately. Standards of Conduct SOC: Be Honest and Fair in our Business Conduct What is expected of me? • Do not engage in any activity, practice or act that conflicts with the interests of the Health Ministry. • Seek guidance before accepting gifts from vendors, patients or others. • Do not accept employment or consulting arrangements outside of the Health Ministry, or make personal investments if they interfere with your job or unduly influence the decisions you are required to make on behalf of the Health Ministry. Standards of Conduct SOC: Be Honest and Fair in our Business Conduct What is expected of me? • Do not access information in patient medical records, except when you have a legitimate need to know the information to perform your job. • Do not disclose confidential information related to the Health Ministry to any outside unauthorized person or organization, or use such information for your personal benefit. • Share confidential information about the operations of the Health Ministry with associates only when they have a legitimate need to know the information in order to perform their job. Standards of Conduct • • • • SOC: Be Honest and Fair in our Business Conduct What is expected of me? Prepare all documents accurately and timely, including expense reports, time and attendance records, financial statements, and accounting records. Follow Health Ministry policies and procedures to keep internal financial controls. Deal with regulatory agencies, insurance companies and accrediting agencies honestly and accurately. Do not violate patents, trademarks, copyright and software licenses. Standards of Conduct SOC: Comply with Laws and Regulations What is expected of me? Follow all laws and regulations that apply to your work and ask for assistance if you have questions about how they affect you. False Claims Act The False Claims Act is a federal law that makes it a crime for any person or organization to knowingly make a false record or file a false claim with the government for payment. “Knowingly” includes having actual knowledge that a claim is false, or acting in “deliberate ignorance” or “reckless disregard” as to whether a claim is false. Examples of possible false claims include billing Medicare for services that were not provided, billing for a higher-level service than the service actually furnished (upcoding), or billing for services that were not ordered by a physician. False Claims Act • The False Claims Act contains provisions that allow individuals with original information (i.e., information not already the subject of legal proceedings or activities that have already been publicly disclosed) concerning fraud involving government programs to file a lawsuit on behalf of the government and, if the lawsuit is successful, to receive a portion of recoveries received by the government. • The Federal False Claims Act protects employees from being fired, demoted, threatened, or harassed by his or her employer for providing information in good faith relative to a False Claims Act investigation or lawsuit. False Claims Act • The Program Fraud Civil Remedies Act ("PFCRA") provides federal agencies, including the agencies responsible for federally funded health care programs, with administrative remedies against individuals and organizations that knowingly submit a false claim for payment, or knowingly make or use a false record or statement to get a false claim paid • The PFCRA is limited to situations where a false claim, or a group of related false claims, does not exceed $150,000. The PFCRA provides civil penalties up to $6,000 per false claim, plus an assessment equal to twice the amount of the false claim. False Claims Act • The Indiana False Claims Act (IC 12-15-23-1 et seq) mirrors many of the provisions of the Federal False Claims Act. • The actions that trigger civil penalties are substantially similar to those of the federal False Claims Act. • The Indiana False Claims Act provides civil penalties up to $500 per false claim, plus an assessment equal to three times the amount of the false claim and the repayment of reasonable costs of the attorney general’s investigation and enforcement actions. • The Indiana False Claims Act also has a whistleblower provision. Like the federal False Claims Act, the Indiana law includes provisions to prevent employers from retaliating against employees who report their employer’s false claims. False Claims Act Our Corporate Responsibility Program supports compliance with these federal and state laws by: • Monitoring and auditing to prevent or detect errors in coding or billing. • Educating our associates that they are responsible to report any concern about a possible false claim. • Investigating all reported concerns and correcting any billing errors discovered. • Protecting our associates who report concerns in good faith. Excluded Providers It is the policy of the Hospital that it will not knowingly employ, with or without pay, an individual or entity that is listed by a federal agency as excluded, suspended, or otherwise ineligible for participation in federal programs. If you are notified by a Federal agency that you have been EXCLUDED FROM PARTICIPATION IN THE FEDERAL HEALTH PROGRAMS, you must contact the St. Mary’s Health System CRO immediately. Corporate Responsibility Program As a responsible associate, it is your right and duty to find help and report situations that you believe may potentially violate laws, the Standards of Conduct or applicable policies. Corporate Responsibility Program There are several ways in which you can ask a question or share a concern: • Your Supervisor • Higher-Level Manager • Human Resources • Corporate Responsibility Officer – Michael Klueh, VP of Regulatory Compliance, Risk and Accreditation/CRO If you are not comfortable contacting any of these associates or if these associates have not fully resolved your concern, you can call the Values Line phone number or use the Values Line Web site. Values Line . What is the Values Line? The Values Line is an additional means of communication available to all Ascension Health associates. You can call this toll-free telephone service or access the website 24 hours a day, seven days a week, to report information you may have regarding a possible violation of laws or our Standards of Conduct. Values Line • Values Line phone number (1-800-707-2198) and Values Line website (www.AscensionHealthValuesLine.org) have been established to report any questionable improper conduct. • Your call is received by an independent organization (Ethics Point) that will maintain strict confidentiality. The calls are not recorded and the line is not caller ID capable. • Your information may lead to a confidential investigation and follow-up of the matter you raise. They will assign you an identification number, and you can check back with them regarding the matter. Health Insurance Portability and Accountability Act (HIPAA) The primary purpose of HIPAA was to ensure an individual could continue to maintain their health insurance benefits when they changed employers. HIPAA also included rules to reduce healthcare fraud and abuse, to improve the efficiency and effectiveness of the health care system, and to protect the privacy and security of all health information. HIPAA Privacy and Security Rules HIPAA Privacy and Security Rules work together to ensure the protection of health information. The Privacy rule covers what is protected and who is permitted to use, disclose, or access information. The Security rule refers to how health information is protected, including controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss. HIPAA Reminders • All activities on St. Mary’s information systems are subject to monitoring. Associates are responsible for activities occurring on their system IDs. • To maintain the integrity of our information systems, associates should refrain from opening files attached to an email from an unknown sender, suspicious, or untrustworthy source, which may contain viruses. • Passwords are the front line of protection for our computer systems. A poorly chosen password may result in the compromise of St. Mary’s corporate network. All associates are responsible for taking the appropriate steps to select and secure their passwords. HIPAA Reminders E-mails containing protected health information (PHI) or having attachments containing PHI must have -PHI- or -Secure- in the subject line (no spaces between the hyphens and the word -PHIor -Secure-). -PHI- and -Secure- in the subject line will “trigger” encryption for e-mails being sent outside St. Mary’s e-mail domain. Using this process for all e-mails containing PHI will help ensure the security of all confidential information. HITECH Act The Health Information Technology for Economic and Clinical Health (HITECH) act was signed into law in 2009. One of HITECH’s goals was to strengthen Federal privacy and security laws to protect individuals’ health information from misuse as the health care sector increases use of Health Information Technology. HITECH Act HITECH Improves and Expands Existing HIPAA Privacy and Security Rules by: • Establishing a breach notification requirement for health information that is not encrypted or otherwise made unreadable. It requires that we notify patients if there is an unauthorized disclosure or use of their health information. • Strengthening the requirement that providers obtain patient’s authorization before using their health information for marketing and fundraising activities. • Increasing the penalties for violations and providing greater resources for enforcement and oversight activities. • Ensuring Business Associates, entities that work on providers’ behalf, are subject to the same privacy and security rules as providers. HITECH Act HITECH’s requirements re-emphasize the importance of employees reporting all actual and potential breaches in a timely manner. Examples of possible breaches include: • Faxing PHI to the incorrect number; • Mailing statements or a medical report to the incorrect patient; • An associate who is not authorized to access PHI looks through patient files in order to learn of a friend’s treatment. What can you do? • Speak in low tones and be aware of people in your surroundings. Do not discuss patients in elevators, hallways, or the cafeteria. • Do not share patient information on personal internet sites (Facebook, MySpace, Twitter, etc.). • Select strong passwords. • Log off computers when not in use and do not leave computers displaying PHI unattended. • Verify publicity indicators. • Verify fax numbers. • Only access information that you need to know in order to perform your job duties. Points to Remember • Each associate has a personal responsibility to understand and adhere to SMMC policies and procedures to maintain confidentiality. • HIPAA regulations require that we minimize the risk that protected health information (PHI) will be disclosed to individuals who do not have a need to know. • All activities on SMMC information systems are subject to monitoring. Users are responsible for all activities occurring on their user ids. • Report possible/actual breaches such as faxing to the incorrect number, co-workers inappropriately accessing patient information, improper disposal of PHI. • HIPAA Privacy & Security Officer, Michael S. Klueh at (812) 485-6550, privacyofficer@stmarys.org Let’s review some of the key ideas of the Corporate Responsibility Program. Confidential Patient Information HIPAA’s “Minimum Necessary Standard” • This means you may only access confidential patient information that you need to know to perform your job duties. You are subject to disciplinary action, up to and including termination, if you violate this standard. Conflicts of Interest Associates may not use their positions to profit personally or to assist others in profiting at the expense of the organization. Violating the Conflict of Interest Guidelines would be grounds for dismissal. Conflicts of Interest We need to ensure that our actions represent the best interest of our patients and our organizations. If you believe that you may have a conflict of interest, please contact the Corporate Responsibility Officer at 812-485-6550 upon completion of this program to discuss the specifics of the activity in question. Responsibility to Report and Protections Associates are obligated to report in good faith all alleged violations of: – The Standards of Conduct – Policies and procedures – Federal and State laws Any such violations have the potential to impair St. Mary’s Health System’s status as a reliable, honest, and trustworthy healthcare provider. Responsibility to Report and Protections If associates believe that they will be subject to retaliation, retribution, or harassment for reporting their concern(s), they may not report them; therefore, guidelines have been established. These guidelines serve to reassure associates who wish to report concerns through the VALUES LINE, directly to the Corporate Compliance & Risk Management Services (ext. 6500), or to Human Resources and Development (ext. 4386) that a nonharassment/non-retaliation/non-retribution policy has been established. Responsibility to Report and Protections Anyone who is involved in any act of harassment, retaliation, or retribution against an associate who has reported suspected misconduct in good faith, will be subject to disciplinary action, including dismissal, on the first offense. Corporate Responsibility Officer HIPAA Privacy & Security Officer If you have questions and/or concerns about improper conduct, contact: Michael S. Klueh, PhD, EJD, CPA Vice President, Regulatory Compliance, Risk, and Accreditation/Corporate Responsibility Officer HIPAA Privacy & Security Officer 812-485-6550 msklueh@stmarys.org Receipt and Acknowledgement As an associate or agent employed by or associated with St. Mary’s Health System, I am committed to upholding the highest standard of individual ethical and legal business practices. I will not tolerate illegal or questionable activity and promise to take whatever steps are required by the Corporate Responsibility Program to identify, report, and prevent such activity. I acknowledge that I have reviewed the Standards of Conduct Booklet below and agree to follow them. I understand that compliance with the Standards of Conduct and the Corporate Responsibility Program is a condition of my continued employment or association with St. Mary’s Health System. Click here to review the Standards of Conduct Booklet: http://www.stmarys.org/body.cfm?ID=2172 The Standards of Conduct are also available on the St. Mary’s Intranet for your reference.