Comprehensive Orthopaedic and Musculoskeletal Care, LLC
Healthcare Compliance Staff Training

Healthcare Compliance Training
Comprehensive Orthopaedic and Musculoskeletal Care, LLC has an active Compliance Program to ensure the highest ethical practices, quality care to all of our patients, and adherence to all applicable Federal and State laws and guidelines.

Healthcare Compliance Program
The COMC Compliance program consists of:
- A Compliance Committee
- Compliance Policies and Procedures
- Periodic medical record and billing audits
- A Compliance Hotline
- Staff training and education

Staff Education and Training
This training session will cover the following key issues:
1) COMC Code of Conduct
2) Compliance Hotline
3) HIPAA
4) Red Flags Rule

Code of Conduct
The underpinnings of ethical business practices at Comprehensive Orthopaedic and Musculoskeletal Care, LLC are the following:
- We are committed to quality care and patient safety.
- We shall obey the law.
- We shall communicate openly and effectively with our patients and co-workers.
- We shall always seek to build trust, show respect, and perform our jobs with integrity.

Code of Conduct Policy
The COMC Compliance Code of Conduct incorporates commitment to the following:
- Quality care
- Ethical business practices
- Adherence to HIPAA and Red Flags requirements
- Adherence to federal and state laws and guidelines regarding documentation and billing practices
- An employee’s right to confidentially disclose a compliance violation
- Protection of workplace safety and an environment free of harassment.
Each COMC employee is required to read and sign an acknowledgement of the Code of Conduct.

COMPLIANCE HOTLINE
Comprehensive Orthopaedic and Musculoskeletal Care, LLC is committed to providing compassionate care with the highest ethical standards.
If you witness any activity which may be a violation of a federal or state law, particularly in the areas of fraud, abuse or waste, you may report the violation on the Compliance Hotline: 1 (800) 511-4396
You may remain anonymous if you wish.

Question
The Compliance Program at Comprehensive Orthopaedic and Musculoskeletal Care, LLC includes:
A) A Code of Conduct
B) A Compliance Committee
C) A Compliance Hotline
D) Every COMC employee
E) All of the Above

HIPAA
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The HIPAA Privacy Rule provides federal protections for personal health information (PHI) and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule permits the disclosure of personal health information needed for patient care and other important purposes.
The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for healthcare practices to use to assure the confidentiality, integrity, and availability of electronic protected health information.

HIPAA
Comprehensive Orthopaedic and Musculoskeletal Care, LLC expects that, as per HIPAA requirements, staff will not use, disclose or discuss patient health information with others unless it is necessary to perform his or her job or is required by law.
Patient health information will be released only to persons authorized by law or by the patient's written authorization.
Only the minimum, necessary PHI will be released when authorized.

HIPAA: Protected Health Information (PHI)
Protected health information is any individually identifiable information contained in the patient’s medical record or files. This includes the patient’s name, address, diagnosis, chart notes, lab or x-ray results, treatment plan, insurance or financial information.

Disclosure of PHI
COMC is permitted to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
1) To the Individual or persons that he or she designates in writing
2) Treatment, Payment, and Health Care Operations
3) Judicial request, law enforcement, public health activities and national security
4) Disclosures about abuse, neglect or violence.

Notice of Privacy Practices
COMC is required by law:
- To provide patients with a notice in plain language of its privacy practices, including the uses or disclosures COMC may make of the individual’s information and the individual’s rights with respect to that information.
- To make its notice available to any person who asks for it.
- To provide the notice to the individual no later than the date of first service.
- To prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits.

Accessing HIPAA Forms
- A copy of the Notice of Privacy Practices (NPP) is posted in the waiting area.
- HIPAA policies and guidelines are available in the Compliance Manual and can be accessed by asking any member of the Compliance Committee (Joe-Annis Iodice, Ray Ryan, Tracey Zotta, Felicia Cirigliano).
- HIPAA forms are available at each desk and through “Master Forms” in the Comprehensive Orthopaedics Directory.

Required Forms
COMC is required by HIPAA law to use the following forms as presented in the next four slides:
1. Notice of Privacy Practices
2. A form which each patient must sign acknowledging their awareness of COMC’s privacy practices and use of PHI.
3. A Release of Information authorization form.
4. A Business Associate Agreement assuring that any entity doing business with COMC will follow HIPAA law and protect PHI.

Notice of Privacy Practices
Comprehensive Orthopaedics and Musculoskeletal Care
203 265-3280
Health Insurance Portability and Accountability Act of 1996
Notice of Privacy Practices
Prepared by Total Compliance Solutions, Inc.
These procedures are prepared with the understanding that Total Compliance Solutions and its agents are not engaged in rendering legal, accounting, or other professional services. This information is advisory only. Final interpretation is the responsibility of the regulatory or accrediting body administering the standard or regulation referenced.

HIPAA Security Rule
The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for healthcare practices to use to assure the confidentiality, integrity, and availability of electronic protected health information.
COMC must, by law, take reasonable measures to secure all protected health records created, stored, accessed, and transmitted electronically.

HIPAA Security Rule
Three Components:
- Administrative: Creation of Policies and Procedures, management of passwords and access rights, conduct risk analysis, and develop business continuity plan.
- Technical: The technology that makes safeguards possible (access controls, antivirus protection, encryption, firewall, etc.).
- Physical: Protection of the physical things (computers and facilities where records are stored).
Together they cover the policies, procedures, processes, and systems you need to protect PHI.

HIPAA Security Rule
Why talk about security?
- Breaches in electronic security typically result in unauthorized access or release of protected health information.
- Everybody needs to think about security, not just the tech guys.
- Most breaches in security occur from inside the building.

Security Walkthrough
You need to think security just as you think safety and privacy.
- Don’t give anyone your password.
- Log off or lock computer screen before walking away.
- Don’t open an email attachment unless you know who sent it.
- Don’t download or install software without approval from the IT department.
- Don’t leave laptops or PDAs in an unattended vehicle.

Patient Complaints re: HIPAA
If a patient feels that there has been a violation of the HIPAA privacy policies, then he or she may contact the Compliance Officer of COMC (203-265-3280), the Compliance Hotline (800-511-4396) or the secretary of the U.S. Department of Health and Human Services (800-447-8477).

Question
Which of the following statements is false:
A) HIPAA is a federal law mandating the protection of patient health information.
B) HIPAA includes both a Privacy rule and a Security rule.
C) HIPAA was enacted by legislators to add more paperwork for medical offices.
D) PHI includes any patient identifier linked with that patient’s health information.

Identity Theft Prevention and Detection and Red Flags Rule
The Federal Trade Commission defines identity theft as “a fraud committed or attempted using the identifying information of another person without authority.”
Identifying information is “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person.”
Medical identity theft occurs when a person seeks healthcare using another person’s name or insurance information.

Identity Theft Prevention and Red Flags Rule
It is the policy of Comprehensive Orthopaedic and Musculoskeletal Care, LLC to follow all federal and state laws and reporting requirements regarding identity theft.
This presentation outlines how COMC employees will (1) identify, (2) detect and (3) respond to “red flags.”
A “red flag” includes a pattern, practice or specific account or record of activity that indicates possible identity theft.

Identify Red Flags
In the course of caring for patients, COMC employees may encounter inconsistent or suspicious documents, information or activity that may signal identity theft.
COMC identifies the following as potential red flags:
- A complaint or question from a patient based on the patient’s receipt of a bill for another individual; a bill for a product or service that the patient denies receiving; a bill from a health care provider that the patient never patronized; or a notice of insurance benefits (or explanation of benefits) for health care services never received.
- A patient or health insurer report that coverage for legitimate medical services has been denied because insurance benefits have been depleted or a lifetime cap has been reached.
- A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
- A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
- A notice or inquiry regarding identity theft from an insurance fraud investigator.
- A breach of data from outside sources, for example, theft of a patient’s chart, either paper or electronic.

Detect Red Flags
COMC staff will be alert for discrepancies in documents and patient information that suggest risk of identity theft or fraud.
COMC staff will verify patient identity, address and insurance coverage at the time of patient registration/check-in.
When a patient calls to request an appointment, the patient will be asked to bring the following at the time of the appointment:
- Driver’s license or other photo ID;
- Current health insurance card; and
- If the photo ID does not show the patient’s current address, the patient must present a utility bill or other correspondence showing current residence.
If the patient is a minor, the patient’s parent or guardian should bring the information listed above.

Detect Red Flags continued
Staff should be alert for the possibility of identity theft in the following situations:
- The photograph on a driver’s license or other photo ID submitted by the patient does not resemble the patient.
- The patient submits a driver’s license, insurance card, or other identifying information that appears to be altered or forged.
- Information on one form of identification the patient submitted is inconsistent with information on another form of identification or with information already in the practice’s records.
- An address or telephone number is discovered to be incorrect, non-existent or fictitious.
- The patient fails to provide identifying information or documents.
- The patient’s signature does not match a signature in the practice’s records.

Respond to Red Flags
If a red flag is detected by an employee of COMC:
1. The employee should gather all documentation and report the incident to his or her immediate supervisor or Joe-Annis Iodice, the COMC Compliance Officer.
2. The employee’s supervisor will report the details of the incident to the Compliance Officer.
3. The Compliance Officer and/or Compliance Committee will determine whether the activity is fraudulent or authentic.
4. If the activity is determined to be fraudulent, then COMC will take immediate action. Actions may include:
   - Cancel the transaction;
   - Notify appropriate law enforcement;
   - Notify the affected patient;
   - Notify affected physician(s); and
   - Assess impact to practice.

Respond to Red Flags
If a patient claims to be a victim of identity theft:
- The patient should be encouraged to file a police report for identity theft if he/she has not done so already.
- The patient should be encouraged to complete the ID Theft Affidavit developed by the FTC, along with supporting documentation.
- Comprehensive Orthopaedic and Musculoskeletal Care, LLC will compare the patient’s documentation with personal information in the practice’s records.

Red Flags Rule Disclaimer
TO OUR PATIENTS:
In accordance with the rules and guidelines established by the federal government under the Fair and Accurate Credit Transactions Act of 2003, Comprehensive Orthopaedic and Musculoskeletal Care, LLC (COMC) is required to develop and implement a written Identity Theft Prevention Program. As part of that program, all patients are therefore required to provide COMC a copy of their driver’s license (or other governmental issued photo ID) along with their health insurance card. Parents must provide a copy of their driver’s license and insurance card for any of their children should the child become a patient of this office.
If you decline to provide the photo identification you will be required to sign this form indicating that you are declining to provide the required identification and will hold COMC harmless for any breach of their identity that could have been prevented if the required identification had been provided in the form that was required.
Should you have any questions, please ask one of our staff to put you in contact with our Compliance Officer.

I decline to provide the required photo identification and to have my picture entered into the EMR:
_____________________________________ ______________
Signature Date

Question
Why is it important for medical professionals to be concerned about identity theft?