Compliance Services New Employee Orientation 2009

Learning objectives
• Understand the basics of compliance efforts at VCUHS
• Be aware of reporting obligations & mechanisms
• HIPAA overview & application at VCUHS
• Next Steps

What is Compliance?
• To comply with rules and regulations
• Oversight function ensuring proper conduct
• Outlines our goals and responsibilities in relation to our organization
• The Plan and The Program

Compliance Services
• Internal Investigations
• Audits and Reviews
• Advise all departments within the Healthsystem
• HIPAA Privacy and Security Issues
• Helpline Maintenance 1-800-620-1438
• Educational Efforts
  – New Employee Orientation
  – New Provider Education / Annual Provider Updates
  – Audio Conferences throughout the year for CEUs

But “WHY?”
• It is the right way to do business
• And because…
• Organizations receiving more than $5 million in federal funds a year must have a Compliance Program in place

7 Elements required by the OIG
• Standards and Procedures
• Oversight
• Education and Training
• Monitoring and Auditing
• Reporting
• Enforcement and Discipline
• Response to Prevention

VCUHS Code of Ethics
• Respect:
  – We will respect individuals, diversity, and the rights of others
• Honesty:
  – We will act and communicate honestly and candidly
  – We will not mislead others
• Excellence:
  – We will strive for excellence in all that we do
• Stewardship:
  – We will be good stewards of the resources entrusted to the Health System
• Compliance:
  – We will understand and comply with the codes, laws, regulations, and policies & procedures that govern our Health System activities

Standards of Professional Conduct
• All Standards reflect these 4 Foundation Principles
  1. Dignified Patient Care
  2. Compliance with Laws & Regulations
  3. Responsibility for Actions & Behaviors
  4. Accuracy & Accountability
• 9 Standards cover:
  1) Patient Care
  2) Workplace Responsibilities
  3) Business Information & Records
  4) Conflicts of Interest
  5) Competitive Behavior
  6) Coding and Billing of Patient Services & Cost Reporting
  7) Cost Reporting to the Gov’t & Third Party Payors
  8) Contact with External Entities
  9) Compliance

Online Activities
• Bill is a VCUHS employee and has had a MySpace page for years. His personal page is complete with his own daily blog. Recently, Bill has been commenting on his work activities and what he thinks are his interesting patients and co-workers. He is careful to never mention VCUHS by name or name any of his patients.
• Are these online activities ok?
• Do they violate the Code of Ethics or Standards of Professional Conduct?

New Challenges in these Modern Times
– Internet and personal websites, blogs and chat rooms
  • Placing photos of patients on these sources is a HIPAA violation and a VCUHS policy violation
  • Communicating in any way over the Internet about patients can easily lead to violations
– Remember: The best practice for compliance is to “keep your work stuff at work and your home stuff at home.”

What to report?
• VIOLATIONS of any kind
  – Violations of The Code of Ethics
  – Violations of The Standards of Professional Conduct
  – Violations of Policies or Procedures
• FRAUD of any kind

VCUHS has a ZERO TOLERANCE POLICY for any retaliation

The Federal FALSE CLAIMS ACT
• A federal act making it a crime, with heavy financial penalties, to submit any fraudulent claim to a federal payor or to participate in fraudulent activity
  – For example:
    • Knowingly using a false record to get a claim paid by the federal government
    • Billing for work or tests not performed
    • Double-Billing
    • Kickbacks or bribes
    • Fraudulent cost reports
• Built-in protection for all whistleblowers

A Sticky Situation
Your manager asks you to change his sister’s record so that she can get an operation covered by her insurance company that otherwise would not be covered. He explains that this will be between the two of you and that no one else will be able to find out. As an employee, what are your concerns? What should you do?

How do I report?
• Call us: 828-0500
• Email us: info@complianceservices.com
  – Link located via Intranet Compliance Services page
• Visit us in Old City Hall
  – 1001 E. Broad St.
  – Suite 205, 2nd Floor
• Use the Helpline: Confidential Reporting, 24 hours a day / 7 days a week, 1-800-620-1438

If it concerns you, it concerns us!
Helpline web-based reporting: https://www.compliancehelpline.com/welcomePageVCUHS.jsp

HIPAA
The Health Information Portability & Accountability Act

Health Information Portability and Accountability Act: HIPAA
• We focus on the Administration Simplification section
• Establishes a single national standard for the format of electronic health care claims to facilitate data interchange
• Concerns with confidentiality and security of individuals’ health care information
• Must protect the privacy and security of individually identifiable health information

Two Important Acronyms
• PHI: Protected Health Information
  – Names
  – Telephone & Fax #s
  – Medical Records Numbers
  – Device/Serial Numbers
  – Email Addresses
  – SSN #s
  – Health Plan #s
  – Web URL Addresses
  – Certificate/License Numbers
  – All Dates
  – Photos
  – IP Addresses
  – Vehicle ID #s
  – Biometric Identifiers
  – Geographic Identifiers
  – Account #s
  – Any Other Identifying Number, Characteristic, or Code
• TPO: Treatment, Payment, Other Health Care Operations

Fact or Fiction?
• One doctor’s office can send medical records of a patient to another doctor’s office without the patient’s consent?

FACT! Allowable because this is considered “treatment” within permitted TPO uses and disclosures.

Some Privacy Considerations
• CONVERSATIONS:
  – Use The Minimum Necessary Rule
  – A private, semi-private, out-of-the-way area, or low traffic area
  – “Inside Voices” are best for addressing sensitive information
  – NOT in the cafeteria
  – NOT in elevators
  – Be mindful of roommates or visitors
  – Always be aware of where you are and be discreet

The Media
• HIPAA does prohibit releasing anything more than directory information without the patient’s authorization
• Here, we refer all media inquiries to University News Services at 828-6057

Viewing Medical Records
Do you have the right to look at your own medical record?
• Alicia is a VCUHS employee and saw her 14 year old daughter leaving a clinic building this morning. On her lunch break, Alicia decides to look up her daughter in Cerner to see who she saw here and why. Alicia figures she has a right to see her minor child’s medical record.
• Any issues with this?

Other Privacy Considerations
• Do you know how to respond to an “investigator”?
• Do you know where the shredders are?
• Phone messages left on patients’ answering machines
• Are verification questions being used when patients call for their results? (Ex: D.O.B. and address)
• Are calls being made to confirm faxes to new recipients?

Some Security Considerations
• WHAT IS “IN VIEW”?
  – What does your screen face?
  – What do you do with your screen when you leave, just for a minute?
• Have you implemented “Lock Down”?
  – Set your screen saver to lock after a short idle period and to require a password to unlock
  – Where do you keep charts?
  – How do you carry files throughout the environment?
  – What is written on whiteboards?
  – Physical locks on equipment
  – Encryption of files and folders when saving PHI

Two most important rules
• Only email PHI from your mcvh-vcu.edu email account to another mcvh-vcu.edu email account!
• Confidentiality of your password!

**Abuses result in disciplinary action**

VCUHS Chief Compliance & Privacy Officer
• Cynthia H. Earnhardt, CC&PO
• Contact her by
  – Visiting our office (Old City Hall Suite 205)
  – Calling our office 828-0500
  – Email info@complianceservices.com

Are you obligated to report unethical or improper conduct?

Your Next Steps
1. Read, Sign & Return your Employee Integrity Agreement [Located in the NEO Manual, page 26]
2. Complete the online HIPAA Training [Located on VCU’s Blackboard site] [https://blackboard.vcu.edu/]
   Complete this within 30 days of start date

HIPAA Training: blackboard.vcu.edu