2016 Compliance Training (meded.ucsd.edu)

Standards of Business Conduct - Fraud, Waste and Abuse - Conflict of Interest - HIPAA - Information Security - Ethical Conduct

Medical Student Orientation

Revision: July 24, 2016

Page 2: Introduction

• Members of the University of California community share a commitment to the highest ethical, legal, and professional standards in furtherance of our mission of patient care, teaching, research and public service.

• We recognize that we hold the University in trust for the people of the State of California.

Page 3: Standards of Business Conduct – Ethical Values and Conduct

Page 4: Applicability

• The UC Code of Conduct (“Code”) applies to everyone who is a “member” of the UC Health Sciences workforce, including faculty, house staff, medical students, health professional trainees, employees, and volunteers.

• http://healthsciences.ucsd.edu/compliance

• This Code is intended to be complementary to the specific policies, procedures, Bylaws and rules enacted by the UC San Diego Health System and to the University of California’s Statement of Ethical Values:

• http://www.ucop.edu/ethics-compliance-audit-services/

• A summary of the Code’s 12 standards follows.

Page 5: Code of Conduct: 12 Standards

1. Ethical Principles

2. Individual Responsibility & Accountability

3. Respect for Rights & Dignity of Others

4. Respect for Privacy

5. High Standards of Patient Care

6. Medical Necessity

7. Accurate Billing / Financial Records

8. Avoidance of Conflict of Interest or Commitment

9. Ethical Conduct of Clinical Trials & Research

10. Maintenance & Preservation of Accurate Records

11. Comply with Laws & Prevent Improper Referrals, Kickbacks and Influences on Clinical Decisions

12. Government Investigations

Page 6: Reporting Violations

• Any suspected violations of the Code or Standards of Ethical Conduct should be reported.

• How to Report: You may make a report to a supervisor, the Compliance Officer, or anonymously to the UC confidential hotline.

• The University will, if requested, make every reasonable effort to keep confidential the identity of anyone reporting a suspected violation, except if doing so would effectively prevent the University from conducting a full and fair investigation of the allegations.

Who to report concerns to:

• Supervisor

• Chief Compliance Officer

• Human Resources (HR)

• Internal Audit

• UC Legal Counsel

• UC Whistleblower Hotline: 1-800-403-4744 (24 hours), http://www.ucop.edu/uc-whistleblower

Page 7: Non-Retaliation Policy

• University employees are prohibited from retaliating against an employee who has made a good-faith report or refused to obey an illegal order, even if the allegation ultimately proves to be without merit.

• UC will, however, pursue disciplinary actions against any member who is shown to have knowingly filed a false report.

For further reading: University of California policies and FAQs regarding reporting and investigation of suspected improper governmental activities.

• Whistleblower Policy

• Whistleblower Protection Policy

• http://www.ucop.edu/uc-whistleblower/policies-training/

Page 8: Enforcement

• The UC Code of Conduct will be enforced!

• Corrective and disciplinary actions will be taken in response to violations.

• Everyone is expected to cooperate fully with any internal investigation undertaken.

• Disciplinary actions will be determined in accordance with applicable University policies and procedures.

• UC may make appropriate disclosures to governmental agencies.

Page 9: Fraud, Waste and Abuse Training (annual training is required)

Page 10: Objectives

• Provide information on UC’s whistleblower and non-retaliation policies

• Explain how to report a concern and your role in bringing forth concerns

• Explain the scope of fraud, waste, and abuse

• Provide information on laws pertaining to fraud, waste, and abuse

Page 11: University of California – Whistleblower Policy

• UC faculty and staff are encouraged to bring forward concerns about possible improper governmental activity directly to their supervisor, department head, locally designated official or any university administrator. In order to provide employees with multiple avenues for bringing forth concerns of possible wrongdoing, the UC Whistleblower Hotline was established.

• The hotline is independently operated to allow for calls or web-based reporting from faculty, staff and students on an anonymous basis. The hotline relays the reported concerns to appropriate university officials for processing. This hotline is staffed seven days a week, 24 hours per day and is capable of receiving reports in a number of different languages.

• The university-wide toll-free number is 1-800-403-4744. Web-based reports can be made by accessing: http://universityofcalifornia.edu/hotline

• Concerns may also be reported to:

• State Auditor Whistleblower Hotline: 1-800-952-5665

• California Attorney General Hotline: 1-800-952-5225

Page 12: Why does UC need whistleblower policies?

• UC values ethical and lawful conduct.

• Policies are designed to:

• Encourage timely, safe and honest reporting of alleged wrongs without fear of retaliation

• Ensure a consistent and timely institutional response

Page 13: What happens next?

• Once fraud, waste, or abuse is detected and reported, the concern will be investigated and non-compliant behavior corrected.

• Where investigation confirms the existence of non-compliant behavior, a corrective action plan will be developed. Corrective action plans will vary depending on the facts and circumstances.

• Non-compliant behavior may be subject to any of the following: training, re-training, disciplinary action, termination, or other appropriate action under the circumstances.

Page 14: What types of activities should be reported?

• Here are examples of potential fraud, waste and abuse:

• Medical record documentation does not support the billed service

• Billing for a service that is not medically necessary

• Billing for a service that was not performed – either at all, or in the manner documented

• Billing for a health service that did not meet standards of quality care

• Service violates other Federal Regulations, such as Stark or the Anti-Kickback Statute

• Knowingly concealing or knowingly and improperly avoiding the return of an overpayment in a timely manner

• Research misconduct or the misuse of University funds / resources

Page 15: Laws – Federal and State Laws related to False Claims & Whistleblower Protection

Page 16: California Whistleblower Protection Act

• California Government Code requires every state agency (including the UC) to annually distribute to its employees a message from the California State Auditor that provides an explanation of the California Whistleblower Protection Act.

• The UC distributes this information to all employees electronically. Refer to the UC Whistleblower web-site for information about the California State Auditor’s program.

Page 17: False Claims Act (FCA)

• It is illegal to submit claims for payment to Medicare or Medicaid or any other government payer that you know, or should know, are false or fraudulent.

• FCA imposes civil and/or criminal penalties for anyone who knowingly submits or causes the submission of a false claim to the government for payment.

• Penalties

• Civil Liability:

• Possible treble damages – 3x the amount of the false claim – and a mandatory civil penalty of $5,500 to $11,000 per false claim (the amounts stated in this 2016 revision; the statutory penalty range is adjusted for inflation).

• Can also be liable for the costs of bringing the FCA action

• Criminal Liability:

• If convicted, an individual may be fined, imprisoned, or both.

Page 18: Anti-Kickback Statute

The Anti-Kickback Statute:

• Provides civil and criminal penalties for individuals and entities that knowingly and willfully offer, pay, solicit, or receive remuneration in order to induce business reimbursed (whole or in part) under a federal health care program.

• Prohibited conduct includes remuneration intended to induce:

• Referrals, or

• The purchasing, leasing, ordering or arranging for any good, facility, service, or item paid for by a federally-funded health care program.

Penalties:

• Fine of up to $25,000, imprisonment up to five (5) years, or both.

Page 19: The Stark Law (Physician Self-Referral Law)

The Stark Law:

• Prohibits a physician from making a referral for certain designated health services to an entity in which the physician (or a member of his or her family) has an ownership / investment interest or with which he or she has a compensation arrangement.

Penalties:

• Non-payment of Medicare claims; obligation to refund

• Civil monetary penalties (CMPs) of up to $15,000 per violation

• CMPs of up to $100,000 for entering into a circumvention scheme

Page 20: Exclusion Statute

• OIG may exclude providers from participation in Federal health care programs for: Medicare or Medicaid fraud; patient abuse or neglect; felony convictions for other health care related fraud, theft, or financial misconduct; felony convictions for unlawful manufacture, distribution, prescription, or dispensing of controlled substances.

• No Federal health care program payment may be made for any item or service that:

• Has been furnished by an individual or entity excluded from participation in a federal health care program, or

• Has been furnished at the medical direction or prescription of a physician (or other authorized person) who is excluded from participation in a federal health care program.

• Employers are responsible for screening professionals and staff for exclusion status

Page 21: HIPAA

Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191), “HIPAA”:

• Created greater access to health care insurance, protection of privacy of health care data, and promoted standardization and efficiency in the health care industry.

• Describes safeguards to prevent unauthorized access to protected health care information.

• As an individual who has access to protected health care information, you are responsible for adhering to HIPAA.

• HIPAA contains other enforcement provisions. Under HIPAA, health care fraud is a criminal offense.

Page 22: Consequences

There are potential penalties and consequences of committing Fraud, Waste or Abuse. Actual consequences depend on the violation.

• Civil Money Penalties

• Criminal Conviction / Fines

• Civil Prosecution

• Imprisonment

• Loss of provider’s medical license

• Exclusion from Federal and State health care programs

UC consequences:

• Disciplinary action up to and including termination of employment.

Page 23: In Summary: Promote an Ethical Culture

Personal accountability:

• Do the right thing for the right reasons – even if it is more difficult to do.

• Ask questions!

• Report concerns – with confidence that issues will be investigated and actions taken.

UC Policy (G-39) provides whistleblower protection for reporting false claims and other acts of misconduct.

• Retaliation is prohibited against any employee who reports wrongdoing in good faith (“reasonable belief”), even if it is ultimately proven to be without merit.

Page 24: Conflict of Interest

Page 25: Purpose

• Educate employees to recognize a conflict of interest, to understand the University of California’s conflict of interest policies, and to be aware of the related Federal / State laws and regulations.

• Inform employees about the risks associated with interactions with drug and medical device representatives.

• Protect physicians, staff and the University from potential civil and criminal investigations.

UCSD Health and its physicians and staff have a unique opportunity to advance patient care through collaboration with health care companies.

There is nothing unethical about having a relationship with industry. To safeguard objectivity in patient care, research and teaching, financial interests and vendor activities need to be carefully managed to avoid improper inducements, whether real or perceived.

Page 26: What is a “Conflict of Interest” (COI)?

A Conflict of Interest is a situation in which financial or other personal considerations may compromise, or have the appearance of compromising, an employee’s professional judgment in administration, management, teaching, research or any other professional activities.

• In health care, it often arises in the context of purchasing, prescribing, research, and investments.

As a University of California employee you have a Conflict of Interest if you (or a family member) have a financial interest in a decision you make or participate in making on behalf of the University.

Conflicts of interest involve the abuse, actual or potential, of the trust people have in others.

Page 27: What are the risks of a potential Conflict of Interest?

• Appearance of impropriety – influence on clinical decisions and drug / device prescribing, on teaching, research, patient care / trust, and purchasing decisions

• Compromised integrity – scientific studies & publications

• Conflict of time commitment and effort

• Failure to recognize UC intellectual property & interests

• Improper channeling of funds (research and other funds)

• Misuse of UC facilities, resources, funds and personnel

• Violations can be costly:

• Civil monetary penalties (up to $5,000 per violation), misdemeanor criminal penalties, exclusion from federal health care programs, loss of job, license, career impact, adverse publicity…

• University policy does not permit indemnification and defense where an employee engages in intentional illegal activity.

Page 28: How do conflicts arise?

1. You have a material financial interest (personal or private);

2. You participate in, influence, or make the decision in your official duties / responsibilities as a UC employee; and

3. The decision is going to materially affect your financial interest.

• All three components are required to have a conflict under the California PRA laws.

PRA = California Political Reform Act

Page 29: Examples of Potential Conflicts

• Anti-Kickback Statute – You admit or refer patients to an entity in exchange for money, discounts or other referrals to you.

• Stark Law – You refer patients to an outside entity in which you have a financial interest.

• False Claims Act – You submit a professional fee claim for payment for services which were not provided.

• California PRA – You recommend a product and are on the company’s board of directors.

• University Policy – You fail to disclose financial interests in a research project.

• UC Policy for Sponsored Research, “Disclosure of Financial Interests & Management of Conflict of Interest Related to Sponsored Projects”, stipulates that an Investigator (any UC employee responsible for the design, conduct, or reporting of a sponsored project at UC) may be required to disclose significant personal financial interests related to that project.

Page 30: What types of decisions are exempt from PRA Conflict of Interest Rules?

These activities are not violations of PRA (PRA = California Political Reform Act):

Teaching decisions
  Example: selecting texts or other educational materials.

Patient care decisions
  Example: a doctor’s decisions with respect to a specific patient’s course of treatment.
  Disclose financial interests to the patient (consent form); see UCSD Health policy MCP 750.2, Clinical COI.

Personal study / research
  Example: a personal decision to pursue a course of study or research.
  Other UC rules apply to disclosure of financial interests for research.

UCSD Health policy site, http://mcpolicy.ucsd.edu

Consent for Surgery or Special Procedure, http://forms.ucsd.edu

Page 31: What are ways to mitigate a Conflict of Interest?

Disclose & Recuse

• Disclose the conflict: Failure to do so may be considered a crime in some circumstances.

• Recuse: Abstain from purchasing & formulary decisions; and avoid making, participating in, or influencing business decisions.

Remove the Financial Interest

- Sell stock on the public market

- Promptly return unused gift

- Donate unused gift to the University (e.g., put fruit basket in public area for enjoyment of staff & public)

Page 32: How to Disclose COI & Other Financial Interests

• Disclosure Forms:

• Research grants and clinical trials: 700-U form

• Clinical service agreements: 700-U form

• Annual disclosure of outside professional activities (APM 025 / APM 671)

• Prior Approval for Category I activities (Academic Faculty)

• Disclosure to Others:

• Conflict of Interest Office

• Health System Pharmacy & Therapeutics (P&T) committee

• Patients – via the consent form for anesthesia, surgery and other procedures

• Purchasing and Procurement Offices

• Intellectual Property & Technology Transfer

• CME event learners (disclose partial support from industry)

• Publications (disclose partial support from industry or other grants)

Page 33: Health Care Vendor Relationships – University of California Policy which supplements UC’s Conflict of Interest Policies; Physician Payments Sunshine Act

Page 34: University of California – Policy on Health Care Vendor Relationships

Purpose:

• Avoid appearance of undue influence on health care decisions

• Avoid perception of product endorsement

• Protect patient privacy

• Ensure that vendors are aware of and follow UC San Diego Health System policies and procedures that relate to vendor activities

Policy highlights:

• Prohibits vendor gifts provided to individuals

• Prohibits branded items with company logos in all UC San Diego Health System sites.

• Vendors may provide: Branded patient education materials if necessary for unique patient education purposes, but materials should be free of all product bias.

Page 35: UC Health Care Vendor Relations Policy (HCVR)

• Vendors may provide:

• Honoraria & related expenses (FMV) for legitimate services

• Refreshments & materials at sponsored CME seminars

• Items at a discount or free as part of a University contract or a research project

• Samples for UC’s free clinics

• Limited product for evaluation / education purposes

• Patient assistance programs through UCSD Health Pharmacy

• Product education to professional staff (marketing)

Page 36: UC Health Care Vendor Relations Policy – Privacy Considerations

Vendors must:

• Register with RepTrax for vendor credentialing, http://www.reptrax.com

• Review UCSD Health’s policies for vendors

• Submit immunization credentials

• Review training requirements for clinical support vendors

• Wear the facility-specific RepTrax vendor ID badge

• Have scheduled appointments

• Only be in non-clinical areas

Vendors may enter patient care areas if:

• Pre-registered and requested by a UC representative

• Providing a specific health support service, e.g., servicing equipment

Vendors are subject to patient confidentiality provisions:

• Certain activities require a HIPAA Business Associate Agreement (BAA) prior to sharing data with the vendor.

Page 37: Examples of Risks with Industry Relationships

1. Gifts: Vendor provides free food, free drug samples, other patient-use products, entertainment, even small items such as pens & notepads – directly to individuals.

2. Vendor sponsored CME & Speakers Bureau: Potential for bias, preferentially promoting the vendor’s products, “off-label” marketing; or receiving excessive payments for education / CME activities

3. Vendor paid consulting fees: Risk of sham agreements

4. Ghostwriting: Risk of biased presentations, publications

5. Research funding and grants: Potential for study bias

6. Preceptorships: Potential for disguised marketing opportunity

7. Kickbacks: Money, fees, commissions, credits, gifts or gratuities

Be aware that payments and other transfers of value from industry to teaching physicians and teaching hospitals must be reported by industry to CMS under the federal “Open Payments Law”.

Page 38: Federal Open Payments Law (“Physician Payments Sunshine Act”)

Government is enforcing the Open Payments Law:

• Physician Payments Sunshine Act: (1) Creates transparency around financial relationships of manufacturers, physicians and teaching hospitals; (2) Requires annual reports of payments or other transfers of value made from industry to physicians and teaching hospitals to CMS; (3) Increases public awareness of financial transactions with industry.

• Payment data is available to the public, http://www.cms.gov/openpayments/index.html

What should Teaching Physicians do?

• Become familiar with the information that will be reported by industry

• Keep records of all agreements, payments and other transfers of value received from applicable manufacturers.

• Register to review reported information before it becomes publicly available. Ensure that information submitted about you is correct, and dispute information which is not accurate. You can register online at https://www.cms.gov/OpenPayments/Program-Participants/Physicians-and-Teaching-Hospitals/Registration.html

• Review the AMA and CMS fact sheets for physicians

Page 39: Resources

• UCSD Health – Medical Staff Bylaws & Health System Policies (MCPs)

• Intra-net: http://mcpolicies.ucsd.edu

• UCSD Health Sciences Compliance Program

• Code of Conduct, Billing Guidance, Research Compliance, Privacy

• http://healthsciences.ucsd.edu/compliance

• UCSD Conflict of Interest

• Policy (PPM 200-13, COI) and Disclosure Requirements

• http://blink.ucsd.edu/sponsor/coi/index.html

• UCSD Human Research Protection Program (HRPP)

• http://irb.ucsd.edu/

• University of California – Ethics, Compliance & Audit Services

• http://www.ucop.edu/ethics-compliance-audit-services

Page 40: Resources

• UCSD Gift Processing, http://blink.ucsd.edu/sponsor/gift-processing/

• UCSD COI Office, http://coi.ucsd.edu

• UCSD OCGA – Contract & Grant Administration, http://blink.ucsd.edu/sponsor/ocga/

• UCSD Health Sciences Business Contracting, http://healthsciences.ucsd.edu

• UCSD General Counsel Office – to seek legal advice prospectively, http://www.ucop.edu/general-counsel/

• UCSD Continuing Medical Education, http://cme.ucsd.edu

• UCSD Campus Procurement & Contracts, http://procurement.ucsd.edu

Page 41: University Policies Related to Vendors

• University of California:

• PP031208, Policy on Health Care Vendor Relationships & FAQs

• http://healthsciences.ucsd.edu/compliance/vendors

• UC Policy & Guidelines Regarding Acceptance of Gifts and Gratuities by Employees

• UCSD Health Policies, http://mcpolicy.ucsd.edu

• 14, Business Associate Agreements

• 410.1, Renting or leasing of equipment from outside vendors

• 428.1, Loaned Equipment

• 550.1, Vendor Policy and Guidelines

• 750.2, Clinical Conflict of Interest

• UCSD Campus

• PPM 523-9, Vendor – Employee Relationships http://adminrecords.ucsd.edu/ppm/docs/523-9.html

• Office of Continuing Medical Education (OCME): FAQs – Commercial Support, ACCME Standards, https://cme.ucsd.edu/faq_accreditation.html

Page 42: Privacy & Information Security Training

Page 43: Objectives

• Understand what information must be protected under state and federal privacy laws

• Understand your role in maintaining privacy and security of protected health information (PHI)

• Understand patient rights regarding access, use and disclosure of medical information

• Understand your role in adhering to data security standards and your responsibility for reporting incidents

• Understand the consequences for non-compliance

This training module satisfies Federal laws which mandate workforce privacy / security training at the time of hire and UC policy for annual privacy training.

Page 44: Who must complete privacy / security training at UCSD?

Anyone who works with or may see health, financial, or confidential information with personal identifiers, and anyone who uses a computer or electronic device to store and/or transmit personal or health information. Examples:

• Medical Center / Medical Group / Health Science employees

• Schools of Medicine / Pharmacy employees

• Health professions students and trainees

• Campus staff who work in clinical areas

• Volunteers (including Volunteer Clinical Faculty)

• Students who work in patient care areas

• Research staff and investigators

• Accounting, Payroll and Benefits staff

• Other independent contractors with access to UC’s personal / health information who assist UCSD employees with their job

Page 45

Privacy & Security Laws: Federal and State laws

The following list is not inclusive of all federal and state privacy laws.

Page 46

Federal Privacy Laws

Law: Description

• HIPAA: Health Insurance Portability and Accountability Act of 1996, enacted to make health insurance more efficient and portable; establishes privacy rights and standards to protect privacy and information security. HIPAA’s laws also address Code Sets and Transaction Standards.

• HITECH: Health Information Technology for Economic and Clinical Health (HITECH, 2013) implements enforcement and oversight of HIPAA and privacy enhancements, and added false claims provisions and penalties.

• GINA: Genetic Information Nondiscrimination Act of 2008 (GINA) protects job applicants, current and former employees and trainees from discrimination based on their genetic information.

• PCI: Payment Card Industry Standards address credit card data security.

• FERPA: Family Educational Rights & Privacy Act protects the privacy of student education records.

Page 47

California Privacy Laws

Law: Description

• Confidentiality of Medical Information Act (CMIA): CMIA prohibits disclosure of “medical information” without prior authorization unless permitted by law. “Medical Information” means any individually identifiable information in the possession of or derived from a provider of health care regarding a patient’s medical history, mental or physical condition, or treatment. [Cal. Civil Code 56.05(g), 56.10]

• Personally Identifiable Information (PII) (AB1298, SB541): Data Protection / Breach Notification. Prevent unlawful or unauthorized access to protected information, and provide breach notification to individuals upon any reasonable suspicion of a compromise of that protection. [Cal. Civil Code 1798.29]

• Information Practices Act (IPA): Limits the collection, maintenance, and distribution of personal information by state agencies. Right to review your personal information in state agency records. [Cal. Civil Code 1798-1798.78]

Page 48

Personally Identifiable Information (PII): Definition

PII is a category of sensitive personal information that includes an individual’s name (first name or initial and last name) in combination with any one or more of the following:

• Social Security number (SSN)

• Driver’s license number or State-issued Identification Card number

• Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account.

• Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional)

• Health insurance information (an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records)

If this information is stored electronically, it must be protected from unauthorized access. Best practice: Encrypt PII data.

Page 49

Protected Health Information (PHI): Definition

PHI is any personal or health information UCSD creates or maintains in the course of providing treatment, obtaining payment for services, or while engaged in health care operations including teaching and research activities.

Examples of PHI include:

• Name, address, social security number, date of birth/death, dates of service

• Medical records, test results, treatment plans, appointment reminders

• Billing records, referral authorizations, health insurance information

• After visit summaries

• Photographs and images, e-mail and web-addresses

To view a complete list of HIPAA’s 18 PHI identifiers, visit http://healthsciences.ucsd.edu/compliance/

Page 50

To the patient: All Information is Confidential!

• Patient Personal Information

• Patient Financial Information

• Patient Medical Information

• Written, Spoken, Electronic PHI

• Patient Information may be accessed, used, viewed or disclosed only to do your job.

Page 51

Requirements before PHI is Used or Disclosed

In order for UCSD to use or disclose PHI:

• The University must give each patient a “Notice of Privacy Practices” that:

• Describes how the University may use and disclose the patient’s protected health information (PHI) and

• Advises the patient of his/her privacy rights

• The University must attempt to obtain a patient’s signature acknowledging receipt of the Notice, except in emergency situations. If a signature is not obtained, the University must document the reason.

• The University must provide privacy / security training to its workforce.

• To view UC San Diego Health’s “Notice of Privacy Practices”, http://health.ucsd.edu/hipaa.html

Page 52

Access to Protected Health Information (PHI)

• Patient information is confidential and shall not be accessed or viewed other than for the sole purpose of performing employment duties and responsibilities

• Accessing a medical record, including your own or that of a family member or friend, without a work purpose is a violation of UCSD policy

• UCSD monitors electronic access to PHI to assure compliance

• Violations are subject to disciplinary action up to and including termination as well as individual fines.

• Patients may request access to their medical record via MyUCSDChart or by contacting Health Information Management (Medical Records) for a copy of their record.

• http://health.ucsd.edu/patients/Pages/medical-records

Page 53

You may…

• Look at a patient’s PHI only if you need to do so for your job

• Use a patient’s PHI only if you need to do so for your job

• Disclose a patient’s PHI to others only when it is necessary for others to do their job

You must…

• Limit your access, use and disclosure of PHI to the minimum necessary information needed to perform your job.

Page 54

PHI may be Used and Disclosed for “T.P.O.”

Treatment

• We may use and disclose medical information about a patient to health system doctors, nurses, technicians, students or providers who are involved in the patient’s care

Payment

• We may use and disclose medical information about the patient so that treatment and services received may be billed and payment may be collected – subject to the minimum necessary standard

Operations

• We may use and disclose medical information for teaching, medical staff peer review, legal purposes, internal auditing, to conduct customer service surveys, and general business management – subject to the minimum necessary standard

Page 55

Other Permitted Uses and Disclosures

• To avert serious threat to health and safety

• For organ and tissue procurement, reimplantation, or banking purposes

• To military command authorities about armed forces patients

• To workers’ compensation programs

• For public health disclosures

• For government oversight activities

• To law enforcement, for certain activities

• To coroners, medical examiners and funeral directors

• For national security and intelligence activities

• To correctional institutions about inmates

• For certain legal proceedings, lawsuits and other legal activities

• To business associates with a written business associate agreement (BAA)

Page 56

Other Permitted Uses & Disclosures of PHI

• Appointment reminders – but take care to avoid leaving messages on voice-mail or answering machines which disclose sensitive information.

• To provide treatment alternatives

• To provide limited information about named patients (inpatient directory)

• To assist other individuals involved in the patient’s care (e.g., family, friends, etc.), if determined to be in the patient’s best interest.

• For disaster relief efforts

• For research – with UCSD HRPP / IRB study approval and subject’s signed consent & signed HIPAA Authorization to use PHI for Research (or IRB waiver)

• For fundraising – with opt-out notices and limited to certain demographic information. Honor patient requests to “opt-out” of donation solicitations.

• To business associates (third parties) – who provide a service involving access to PHI data with a signed UC Business Associate Agreement

Page 57

Business Associate Agreements (BAA): How to obtain a BAA…

• Notify UCSD Health Purchasing or the UCSD Contracting Office if a third-party provides a service to UCSD involving access to UCSD’s PHI

• Generally, UC’s approved BAA template must be used.

• BAA contracts may only be executed (signed) by individuals with signature authority, e.g., Purchasing, Contracting.

• BAA agreements are typically signed as a separate agreement to the purchase order, MOU, or other contractual agreements.

• Prior to the release of PHI to a third party, ensure that:

• BAA has been fully executed (signed) by authorized signers:

• View the list of signed BAAs on UCSD Health Purchasing’s site, http://supplychain.ucsd.edu/purchasing

• HIPAA Security “risk assessment” is documented and any issues addressed.

Page 58

Marketing: The Sale of PHI is Prohibited!

• “Sale of PHI” is prohibited by law unless it meets an exception or there is a valid prior patient written authorization.

• “Sale of PHI” means a disclosure of PHI where the covered entity (UCSD Health) or business associate directly or indirectly receives remuneration from (or on behalf of) the recipient of the PHI in exchange for the PHI.

• HIPAA exempts certain disclosures for:

• Public health purposes

• Research - where the remuneration received is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI

• Treatment and payment purposes

• Merger or change of control purposes

• UCSD Health (UCSDH) providers may recommend treatment or describe services provided by UCSDH or UCSDH’s provider network. These communications are not considered marketing under the HIPAA Privacy Rule.

Policy: MCP 12.2, Uses and Disclosures of PHI for Marketing, http://mcpolicy.ucsd.edu

Page 59

All Other Uses of PHI Require the Patient’s Written Authorization

HIPAA has very specific requirements for the written authorization. It must:

• Describe the PHI to be released

• Identify who may release the PHI

• Identify who may receive the PHI

• Describe the purposes of the disclosure

• Identify when the authorization expires (date)

• Be signed and dated by the patient / patient representative

Generally a HIPAA authorization expires one year from the signature date – unless indicated otherwise.

Page 60

Examples of Circumstances when Patient Authorization is Required

• Medical Records:

• For the use and disclosure of medical information or records when that information is being provided / sent to someone other than the patient.

• Disclosure of PHI to the employer, lawyer, or accountant requires the patient’s written authorization.

• Fundraising:

• For the use and disclosure of a patient’s PHI, other than limited demographic information and name of treating department / doctor.

• Media Communications:

• For the use and disclosure of PHI to the media or news releases

• Marketing and Other Products:

• For the use and disclosure of a patient’s PHI to pharmaceutical or medical device companies, non-profit organizations, etc.

Page 61

Authorization Form for Release of PHI

Available from: http://forms.ucsd.edu (form D818)

Page 62

HIPAA: Patient Specific Privacy Rights (Notice of Privacy Practices)

• Right to request restriction of PHI uses and disclosures. Restrictions should not be granted by faculty or staff without consulting the Privacy Officer.

• Right to request confidential forms of communications (e.g., mail to the P.O. Box not street address, no messages on answering machines, etc.).

• Right to access and receive a copy of their medical record.

• Right to receive an accounting of the disclosures of their PHI.

• Right to request amendments to their medical record.

• Right to request NO disclosure to payers regarding services paid-in-full at the time of service, with written notice.

• Right to avoid unwanted fundraising solicitations.

• Right to receive a Notice of Privacy Practices, http://health.ucsd.edu

Page 63

Information Security: Good Computing & Data Practices

Page 64

Federal / State Privacy & Security Laws

Providers of health care are required to implement administrative, physical and technical safeguards to:

• Ensure the confidentiality, integrity, and availability of protected health information the covered entity creates, receives, maintains or transmits

• Protect against reasonably anticipated threats or hazards to the security or integrity of such information (45 CFR 164.306)

• Safeguard patient medical information from unauthorized or unlawful access, use or disclosure

• Implement policies and procedures to prevent, detect, contain, and correct security violations (45 CFR 164.308)

Page 65

Privacy / Security: Safeguards & Reminders

• Keep office(s) secured

• Encrypt (AES-256) and password protect your computer and portable media. Use strong, complex passwords or a passphrase.

• Backup your electronic information

• Run anti-virus, anti-spam, anti-spyware software

• Keep laptops, disks, back-up tapes, USBs secure: encrypted & locked up!

• Lock your computer session: Windows key + L

• Report privacy complaints & security incidents promptly!

• Do not leave computers or patient documents or research records in your car (even if it is locked) to avoid the risk of theft and breach notifications!

Page 66

E-Mail: Good Computing Practices to Protect the Privacy/Security of Identified Data

UCSD personnel / students are expected to adhere to these email computing practices:

• Send Secure: Identify messages containing restricted information by adding Secure: at the beginning of the email’s subject line, and encrypt any attachments containing HIPAA information or personally identifiable information. To learn more about email encryption, refer to: http://Blink.ucsd.edu

• Monitoring: UCSDH has the right to scan UCSD emails for unencrypted sensitive information in outbound emails and email attachments. To avoid potential email transmission delay, send secure.

• Adhere to HIPAA’s minimum necessary standard (least necessary). Avoid sending sensitive information via email.

• Use UCSDH’s secure email portal, MyUCSDChart, to email our patients.

• Register mobile devices in UCSDH’s managed device program, e.g., smart-phones, personal laptop/computer. Go to: http://hsmdm.ucsd.edu from the mobile device.

• Only use UCSDH provided email accounts when conducting UCSD business.

• Auto-forwarding or redirecting your UCSD email to a personal email account is not permitted.

• When you leave UCSD, be aware that your current email account will be closed upon separation, transfer out of UCSDH, retirement, or other change in status.

Page 67

E-Mail: Good Computing Practices to Protect the Privacy/Security of Identified Data

• Footer: Include a privacy footer to notify email recipients of confidential information. Refer to MCP 18.1, Email, for sample wording.

• Privacy breach?: Report misdirected or misaddressed emails containing HIPAA information to the UCSDH Privacy Office via: [email protected]

• Phishing: Report suspected phishing or “phony” emails to [email protected] and delete the email. Do not click on suspicious links or respond to requests to send your password, reset your password, or transmit an SSN or credit card number via email. Reputable businesses will never ask for this information by email! Call the UCSDH Help Desk (T: 619.543.7474) for assistance if you suspect a compromised computer.

• Record retention: Email is considered a temporary record and should only be retained until the administrative use ceases, typically one year (or less), unless notified by UC legal counsel to retain email records, e.g., a litigation request to preserve e-records.

• Use strong/complex passwords. Do not share user passwords or tamper with the emails of others.

Page 68

Good Computing Practices:

Passwords

Use cryptic passwords that can’t be easily guessed

Avoid using a dictionary word or a person’s name

Use long passwords (more than 8 characters), mixed upper and lower case, symbols and numbers – or a passphrase.

Protect your passwords – don’t write them down

Never share your passwords

Page 69

Good Computing Practices:

Workstation Security

Physically secure your area and data when unattended

Secure your files and portable equipment – including memory / USB flash drive (USB stick)

Secure laptop computers with a lockdown cable

Never share your access code, card or key

Lock your screen or log-off from restricted systems promptly

Page 70

Good Computing Practices:

Portable Device Security

• Don’t collect electronic information that you do not need

• Don’t keep confidential data on portable devices, unless it is absolutely necessary

• Encrypt laptops and other portable media containing restricted information

• Back-up portable device data to a secure UCSD Health server

• Erase (sanitize) devices before disposal or recycling

• Password protect smart-phones

• Activate function “find my device”, if available

• Encryption is a process that renders electronic information unusable, unreadable or indecipherable. HITECH law advises using AES-256 FIPS approved encryption methods.

To learn more: http://blink.ucsd.edu and HHS.gov’s “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

Page 71

Other Good Practices:

Data Management & Paper Records

• Don’t collect information that you do not need

• Reduce the number of places where you retain restricted data

• Redact (delete) unneeded personal identifiers & other sensitive data

• Lock-up paper records with restricted, sensitive information

• Do not leave restricted information in your car – even if it is locked!

• Check conference rooms after meetings; remove sensitive information

• Purge data responsibly once the need for it has expired

• Cross-shred (confetti pieces) or use secure locked shred-bins

• Use fax cover sheets, verify the fax number and documents to be faxed prior to sending. Promptly report misdirected faxes to the Privacy Office.

• Avoid leaving sensitive information on voice-mail or answering machines where other individuals may hear the message.

Page 72

Breaches

Definition and examples

Timely reporting & notification

Sanctions and penalties

Policies


Page 73

What is a Breach? General Definition & Examples

Breach - The unauthorized acquisition of, access to, viewing of, use or disclosure of personally identifiable information or HIPAA protected health information (PHI) that violates state or federal privacy laws.

Regardless of the information format, e.g., electronic, paper, verbal, web

Regardless of the reason, e.g., deliberate, unintentional, or accidental

Exceptions exist for secured data meeting certain criteria, such as encryption or confetti shredded materials

Examples:

Hacked or compromised computer or network

Misdirected fax; misaddressed email; or misaddressed U.S. mail

Misdirected documents (e.g., released in error to someone else)

Snooping (unauthorized access to or viewing of restricted information)

Web-posting of restricted information (YouTube, PDFs, PPTs, XLS files)

Lost or stolen devices, e.g., laptops, USB drives, other storage media

Page 74

Report Privacy & Security Breaches Promptly!

UC policy states that any unauthorized access, use (including viewing) or disclosure of a patient’s personal or health information is a violation of law and a violation of UC policy, and must be reported immediately.

UC Business & Financial Bulletin, IS-3 Policy

http://policy.ucop.edu/

Page 75

Reporting Procedures and Breach Notifications

In the event of a breach, notify the UCSD Health Privacy Office promptly!

Preferably the same day that you become aware of an incident

The Privacy Office will provide assistance with incident investigation, risk assessment and breach notification procedures to the affected individuals and other regulatory agencies.

State & Federal laws require that affected individuals be notified of a breach involving personally identifiable information

Privacy Office

Tel: 858-657-7487

Page 76

Penalties & Sanctions

Corrective Actions

• If an incident represents a violation of policy or of state / federal laws, the University will apply corrective and disciplinary actions and other sanctions in accordance with UC policy up to and including dismissal -- termination of employment.

State / Federal Privacy Penalties

• Office for Civil Rights (OCR) and the State may assess fines and civil penalties against health care providers, business associates and individuals

• Penalties range from $2,500 - $250,000 per occurrence (or higher), depending on the circumstances. Repeat violations and violations for financial gain are assessed higher penalties.

• Violations may also be reported to an individual’s medical licensing board

• California law permits civil suits against the individual

Page 77

Privacy & Information Security Policies: UC San Diego Health’s policies

• Policy (MCP) web-site (intra-net), http://mcpolicy.ucsd.edu

• Privacy & Information Security: MCP 1-25, MCP 210.1

• Notice of Privacy Practices, http://health.ucsd.edu/hipaa/Pages/hipaa.aspx

• Privacy forms, http://forms.ucsd.edu (intra-net)

• Authorization for Release of PHI, Designation of Personal Representative, Request for Record Amendment / Addendum, Fax Cover Sheet, Email Consent Form, …

• UCSD Campus

• PPM 135-3, Electronic Communication Policy (ECP)

• Blink: Network Security: Minimum Standards

• UC HIPAA Policies & Business Finance Policy IS-3, http://policy.ucop.edu

Page 78

Summary

• State and Federal privacy laws require that personally identifiable information including protected health information (PHI) must be protected.

• As a University of California workforce member, you are responsible to protect the privacy and security of information entrusted to you. Follow safeguards to prevent unauthorized viewing of PHI, or the loss or theft of information.

• Understand and respect patient privacy rights. Call the Privacy Office if you have questions.

• Understand your responsibility to promptly report incidents.

• There are consequences for violations and non-compliance.

Page 79

Questions? Who to call for help or more information…

Information Security 619-543-7474 (or internally: 3-HELP)

Privacy Office 858-657-7487

University of California Hot Line 800-403-4744

Callers may be confidential or ask to remain anonymous. Hot Line is staffed 24/7.

Page 80

General Compliance Briefing - Ethical Values & Conduct

For University of California employees and workforce members

Page 81

Objectives

By the end of this briefing, you will have learned:

• About expectations and obligations with respect to your University employment

• How the University’s ethical values and standards of ethical conduct apply to your work life

• How to report potential instances of non-compliance and fraud

• About the UC Whistleblower Protection Policy

This briefing includes fictional scenarios which demonstrate the value of ethical awareness and compliance while helping you evaluate appropriate responses to situations similar to those you may experience while working at the University.

Page 82

Statement of Ethical Values

Adopted by The Regents of the University of California, May, 2005

Members of the University of California community are committed to the highest ethical standards in furtherance of our mission of teaching, research and public service. We recognize that we hold the University in trust for the people of the State of California. Our policies, procedures, and standards provide guidance for application of the ethical values stated below in our daily life and work as members of this community.

• We are committed to:

• Integrity. We will conduct ourselves with integrity in our dealings with and on behalf of the University.

• Excellence. We will conscientiously strive for excellence in our work.

• Accountability. We will be accountable as individuals and as members of this community for our ethical conduct and for compliance with applicable laws and University policies and directives.

• Respect. We will respect the rights and dignity of others.

Additional Reading: Statement of Ethical Values (213k PDF), http://www.ucop.edu/ethics-compliance-audit-services/_files/stmt-stds-ethics.pdf

Page 83

Standards of Ethical Conduct

Adopted by The Regents of the University of California, May 2005

All members of the University community, including The Regents, Officers of The Regents, faculty and other academic personnel, staff, students, volunteers, contractors, agents and others associated with the University are expected to abide by these Standards of Ethical Conduct:

1. Fair Dealing

2. Individual Responsibility and Accountability

3. Respect for Others

4. Compliance with Applicable Laws and Regulations

5. Compliance with Applicable University Policies, Procedures and Other Forms of Guidance

6. Conflicts of Interest or Commitment

7. Ethical Conduct of Research

8. Records: Confidentiality/Privacy and Access

9. Internal Controls

10. Use of University Resources

11. Financial Reporting

12. Reporting Violations and Protection from Retaliation

Pursuit of the University of California mission of teaching, research and public service requires a commitment to ethical conduct by all. The Standards of Ethical Conduct reflect our belief in ethical, legal and professional behavior in all of our dealings inside and outside the University.

Page 84

Your Employment Obligations

As an employee of the University of California, it is important that you:

• Know the applicable laws, regulations and policies that affect your employment responsibilities

• Understand the Statement of Ethical Values and Standards of Ethical Conduct and University policies and procedures related to your employment responsibilities

• Ensure your actions are consistent with the Statement of Ethical Values and Standards of Ethical Conduct

• Report potential instances of non-compliance and fraud

• Understand your rights and responsibilities under the UC Whistleblower Protection Policy

Page 85

Ethics and Compliance at the University: Principles & Practices

Ethics and compliance are not new to the University of California. Many University locations, divisions and the faculty already have longstanding ethical codes of their own, as well as "Principles of Community" addressing our shared commitment to respect each other’s roles, diverse backgrounds and personal responsibilities. Ethical and compliant practices are core to the University and its mission of teaching, research and public service.

The purpose of this briefing is to raise continued awareness of the University’s Statement of Ethical Values and Standards of Ethical Conduct and to convey University employment obligations with respect to ethical and compliant behavior. The purpose is not to teach University policy but to familiarize University employees with important ethics and compliance information, issues and resources.

Page 86

University of California’s Fraud Risk Management Program

Being an employee of the University of California invests us as stewards of the public trust. We have a unique mission of research, education and public service to the citizens of California, and during these difficult financial times we must be vigilant to assure that resources are protected and used wisely.

Fraud can be defined as any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

Understanding what fraud is and what types of programs are in place at UC to prevent or detect fraud is a key element of everyone’s job description. Proactively, UC leadership has decided to establish fraud risk management programs at each location. Typically the program includes policies, procedures, increased education and training, awareness campaigns, and audit and monitoring activities, and may be integrated within the campus or laboratory’s internal audit, ethics and compliance risk, or risk services programs. However, oversight of the program should remain at the highest level, typically at the campus or laboratory’s ethics and compliance risk committee.

The following scenarios provide an insight into fraud awareness and establish a foundation for fraud management. Utilizing the confidential and anonymous Whistleblower Hotline to report potential instances of fraud, waste and abuse is a key step in preserving UC’s resources.

Page 87

Scenario: Andrei’s Print Problem

Andrei is a manager in a newly established unit and is responsible for selecting and purchasing all the office equipment for the unit. After narrowing his selection to two vendors with similar products and pricing, he learns that one of the vendors offers a free printer for bulk purchases. Feeling inspired by the prospect of a free printer, he focuses his efforts on this company and ends up negotiating a large discount. Given the discount he negotiated, as well as all his extra efforts on this project, Andrei feels justified in accepting the printer for his home office. However, he isn’t sure if it would be appropriate to do so per UC policy.

Page 88

Should Andrei accept the free printer for his home office? (You may select more than one option.)

A. No. There are laws and University policies that prevent acceptance of a significant gift from a vendor and participating in decisions to award business to that vendor.

B. Yes. Since the University has not increased his compensation in two years, he should be able to keep the printer as compensation.

C. Yes. It would be inappropriate to turn down such a gift.

D. No. Accepting the printer is a conflict of interest.

Feedback Text

The best answers are A and D. Proceed to next page to read a discussion of this scenario.

Page 89

Discussion: Andrei’s Printer Problem

The following Standards of Ethical Conduct apply:

4. Compliance with Applicable Laws and Regulations

5. Compliance with Applicable University Policies, Procedures and Other Forms of Guidance

6. Conflicts of Interest or Commitment

Andrei may not accept the printer because it is a violation of conflict of interest laws and the University’s gift policy. If you have questions about whether or not a gift may be accepted, you should ask your supervisor or your location’s COI Coordinator, or call 1-800-403-4744.

Page 90

Scenario: Favor for Frank

Associate Director of Facilities Teresa retired last year and Director of Facilities Dave needed the position filled quickly. Rather than publicly posting the position, Dave contracted with Frank, his former co-worker from a previous job. Dave knew that Frank had the basic qualifications for the position and wanted to work for the UC system. Meanwhile, several employees in the department were hoping to be considered for the position and planned to apply when it was posted. The position was not posted until twelve months later and by that time Frank had acquired the experience to fulfill the job requirements. Frank was hired from a limited pool of applicants that included two long-term staff members.

Page 91

Which of the following are true statements? (You may select more than one option.)

A. It is unfair for Director Dave to bypass the appropriate channels to fill an open position by contracting with a former colleague.

B. Hiring for University jobs must follow relevant laws and University policies regarding open recruitment.

C. It was appropriate for Dave to contract with Frank because Dave wanted the position filled quickly and did not want to go through the normal recruitment process.

D. University values encourage fair dealing and honest interaction between management and staff in the recruitment and promotion process.

Feedback Text

The best answers are A, B, and D. Proceed to next page to read a discussion of this scenario.

Page 92

Discussion: Favor for Frank

The following Standards of Ethical Conduct apply:

• 1. Fair Dealing

• 2. Individual Responsibility and Accountability

• 4. Compliance with Applicable Laws and Regulations

• 5. Compliance with Applicable University Policies, Procedures and Other Forms of Guidance

• 10. Use of University Resources

Bypassing the normal recruitment procedures is unfair to both internal staff seeking promotional opportunities and to external candidates interested in working for the University. Failing to go through the formal application process violates University policies that require open recruitment in most cases, and may also violate federal regulations. Furthermore, a University position is a resource and should be allocated to the best qualified candidate in a pool of qualified candidates.

If you have questions about whether or not human resources policies are being violated, you should ask your supervisor or the Human Resources department at your location.

Page 93

Scenario: Ingrid’s Interests

Ingrid is a budget officer in the School of Engineering. She would like to serve on a committee that will select a company to provide consulting services to the School of Engineering. Ingrid’s husband works for one of the companies bidding on the work. However, he won't be working on the proposal, and if his company wins the bid, he wouldn't be part of the consulting job.

Page 94

Which of the following statements are true?

A. Ingrid's participation in a decision that involves her husband’s company violates University policy and state law.

B. Because Ingrid’s husband’s company could benefit as a result of the decision, Ingrid’s interests could be compromised in a number of ways.

C. Even if the bidding process means that the lowest bidder gets the consulting job, Ingrid's involvement in the decision could be regarded as unfair by the participants, creating the appearance of a conflict of interest.

D. All of the above

Feedback Text

The best answer is D. Proceed to next page to read a discussion of this scenario.

Page 95

Discussion: Ingrid’s Interests

The following Standards of Ethical Conduct apply:

1. Fair Dealing

5. Compliance with Applicable University Policies, Procedures and Other Forms of Guidance

6. Conflicts of Interest or Commitment

• Even though the process requires selection of the lowest bid, and Ingrid’s husband will not personally gain if his company were selected, Ingrid has a financial interest in the University’s decision to select a consulting vendor and may not participate in any way in the decision. While she receives no direct income from her husband’s company, Ingrid’s community property interest in her husband’s salary is enough to constitute a conflict. She would also have a conflict of interest if the other individual in this scenario were a registered domestic partner, rather than her husband.

• As long as Ingrid has an interest in the decision, she has a conflict of interest and may not participate. Even if the result of the process is that the lowest bidder gets the contract, Ingrid could be liable for civil and criminal penalties, because she would have violated the conflict of interest provisions of the Political Reform Act, which applies to all University employees.

Page 96

Scenario: Cliff’s Consulting

Cliff is a junior faculty member in the History department who was recently hired to teach multiple sections of his specialty, Greek history. Cliff is also a talented web designer, and to make extra money, he recently entered into an outside consulting agreement with a company to design its website. The extra work is keeping him up very late at night, and to meet the company deadlines, he also uses many of his office hours to work on the website. Cliff is so tired that he is barely able to stay focused when lecturing. His students have been complaining that he is falling behind with grading, and his colleagues have also expressed concern about his lack of participation in department meetings.

Page 97

Should Cliff continue with his consulting arrangement while still a full-time employee of the University? (You may select more than one option.)

A. No. Cliff should make sure his outside interests do not interfere with his University responsibilities.

B. No. Cliff is not being respectful to his students and colleagues.

C. Yes. Cliff is probably just tired from having to teach so many sections of Greek history.

D. No. Cliff is misusing University resources to work on outside activities for personal gain.

Feedback Text

The best answers are A, B, and D. Proceed to next page to read a discussion of this scenario.

Page 98

Discussion: Cliff’s Consulting

The following Standards of Ethical Conduct apply:

• 3. Respect for Others

• 6. Conflicts of Interest or Commitment

• 10. Use of University Resources

While University employees may be able to hold outside jobs and enter into outside consulting agreements, Cliff’s primary problem in this scenario is that his outside interests are affecting his duties as a University employee. Because he is not fully participating in teaching/learning opportunities, either as a lecturer or as a colleague, he is not demonstrating respect for his colleagues and students. He is also misusing University time and resources for personal gain.

If you have questions about whether or not an outside professional activity is appropriate, you should ask your supervisor or the Academic Personnel office.

Page 99

Scenario: Grant Shell Games

Jessie is a researcher paid 100% on a grant fund in a small laboratory that is struggling to stay funded. Meredith, the principal investigator of the lab, asks Jessie to stop working on the project in order to work on a proposal which will help keep the lab afloat financially. Hayden, the departmental manager, notices that Jessie has been assisting with developing the proposal materials and inquires about the situation. Jessie confides that he is concerned that the workload associated with generating the proposal for the new project is preventing him from completing the work on the grant from which he is actually being paid.

Page 100

Which of the following statements related to this scenario are true?

A. As long as Jessie is getting the work done on the project he is paid from, it is OK to work on the new grant proposal.

B. If Jessie’s time is charged 100% to the current grant and he is also working on a grant proposal, he and his supervisor Meredith are causing the grant to be falsely reported to the federal government.

C. Internal controls may need to be strengthened to prevent or detect inaccurate charges in a timely manner.

D. The situation involves an allegation of wrongdoing so Hayden should contact the Locally Designated Official (LDO).

Feedback Text

The best answers are B, C, and D. Proceed to next page to read a discussion of this scenario.

Page 101

Discussion: Grant Shell Games

The following Standards of Ethical Conduct apply:

2. Individual Responsibility and Accountability

4. Compliance with Applicable Laws and Regulations

9. Internal Controls

11. Financial Reporting

12. Reporting Violations and Protection from Retaliation

With the acceptance of research grants by the University comes a responsibility to use the research funds for the purpose for which they were intended. Research grants are critical to the University’s mission and should not be misused or abused. Each employee in this scenario must exercise responsibility and accountability to assure that grants are charged only for time actually worked and within the approved program for that grant.

In this scenario, Hayden has detected possible improper salary charges to a grant fund. She should discuss the situation with Meredith, the principal investigator, and make sure the salary charges are corrected while the proposal work is underway. She should also ask that, going forward, Meredith tell her in advance when she is redirecting her staff’s work assignments so that she may allocate salary charges appropriately. If improper salary charges were found and Meredith is not willing to correct the error, Hayden has the responsibility to consult with her location’s Locally Designated Official (LDO), the person who administers the Whistleblower Policy. Such reports are treated confidentially by the University, and those who make them are protected from retaliation.

Page 102

Scenario: Surly Sue

Gretchen and Sue work together in the financial aid office. When Gretchen is forced to reschedule a meeting, Sue gets upset and yells at Gretchen for not giving her more notice. This is not the first time that this has happened. Sue has a well-known temper and has yelled at Gretchen before. Gretchen is uncomfortable around Sue and nervous about not doing anything to upset Sue. Gretchen has asked Sue not to yell but it still happens. Gretchen reported the situation to their supervisor, who brushed her off and told her to get a thicker skin. Gretchen avoids Sue and their work product suffers for it.

Page 103

What should Gretchen do? (You may select more than one option.)

A. Confront Sue in an angry manner.

B. Report Sue through the UC Whistleblower Hotline.

C. Be more accommodating to Sue and avoid interaction with her when possible.

D. Report her concerns to HR and/or Labor Relations.

Feedback Text

The best answers are B and D. Proceed to next page to read a discussion of this case study.

Page 104

Discussion: Surly Sue

The following Standards of Ethical Conduct apply:

• 1. Fair Dealing

• 2. Individual Responsibility and Accountability

• 3. Respect for Others

• 5. Compliance with Applicable University Policies, Procedures and Other Forms of Guidance

• 12. Reporting Violations and Protection from Retaliation

UC employees are expected to act in a respectful manner in all dealings with co-workers and the public at large. Sue’s outbursts are unacceptable and Gretchen was right to talk to their supervisor about it. The supervisor had a responsibility to do something about the complaint and failed. In this situation, Gretchen should use alternate means of reporting Sue, including, but not limited to, calling the UC Whistleblower Hotline, reporting Sue to Human Resources, Labor Relations, their supervisor’s supervisor, and/or her Locally Designated Official (LDO).

Page 105

The “Wall Street Journal Test”

While the previous case studies demonstrate specific violations of the Standards of Ethical Conduct, not all situations are as clear-cut. There are some activities that, while legal and not explicitly prohibited by University policy, may not pass what is known as the “Wall Street Journal Test”. That is, if what you are doing were to appear on the front page of the newspaper, would you feel proud of your actions?

The easiest way to stay out of a trouble spot is to ask yourself in these situations, "Would I want to read about this in the newspaper or online?"

Other questions you might ask include:

• How would I explain what I'm doing to my family?

• What would my supervisor or colleagues think about what I’m doing?

• Would talking about this at a non-University social event make me feel embarrassed or uncomfortable?

• Am I uneasy when I hear about colleagues doing this?

Page 106

Reporting Improper Activities

• Illegal activities and significant policy violations should always be reported in accordance with applicable laws and policies.

• The University is committed to responsible evaluation of all reports of violations of the Standards of Ethical Conduct and/or alleged improper activities on the part of members of the University community.

• The University has established processes for reporting and investigating any suspected wrongdoing, including an anonymous hotline people are encouraged to use if they don't feel comfortable bringing the matter forward openly.

• An individual who is made aware of an improper act should consult with someone at a higher level of authority or with the Locally Designated Official (LDO) to determine how to handle the matter.

UC Whistleblower Hotline (anonymous/confidential): (800) 403-4744 or http://universityofcalifornia.edu/hotline

Page 107

Decision-Tree for Reporting Compliance Concerns

Page 108

Reporting Contact Information

Locally Designated Officials (LDO): http://www.ucop.edu/uc-whistleblower/campus-resources/index.html

Campus Ethics and Compliance Officers (CECO): http://www.ucop.edu/ethics-compliance-audit-services/compliance/campus-ethics-and-compliance-officers.html

Campus Counsel: http://www.ucop.edu/ogc/campuscounsel.html

Chief Compliance and Audit Officer Sheryl Vacca: 510-987-9090 or [email protected]

UC Whistleblower Hotline (anonymous/confidential): 800-403-4744 or http://universityofcalifornia.edu/hotline

UC Campus Climate Reporting: https://ucsystems.ethicspointvp.com/custom/ucs_ccc/default.asp

Page 109

Reminder: Your Employment Obligations

As this briefing has shown, it is critical that all members of the University community:

• Know the applicable laws, regulations and policies that affect your employment responsibilities

• Understand the Statement of Ethical Values and Standards of Ethical Conduct and University policies and procedures related to your employment responsibilities

• Ensure your actions are consistent with the University Statement of Ethical Values and Standards of Ethical Conduct

• Report potential instances of non-compliance and fraud

• Understand your rights and responsibilities under the UC Whistleblower Protection Policy

Page 110

UC San Diego Health Compliance Program

T: 858.657.6488

http://Healthsciences.ucsd.edu/compliance

Julie Colasacco, Interim Chief Compliance / Privacy Officer

[email protected]

Mark Neu, Director, Compliance/Privacy Program

[email protected]

Ken Wottge, Chief Information Security Officer

[email protected]

Page 111

Confidentiality Statement

Print & Sign Form. Return to the UCSD Medical Student Affairs Office.

• The protection of health and other confidential information is a right protected by law and enforced by fines, criminal penalties as well as UCSD policy. Safeguarding confidential information is a fundamental obligation for all employees, clinical faculty, house staff, students and volunteers.

• I understand and acknowledge that:

1. I shall protect the privacy and security of confidential information at all times, both during and after my employment/training with the University of California has terminated.

2. I agree to (a) access, use, or view confidential information to the minimum extent necessary for my assigned duties; and (b) disclose such information only to persons authorized to receive it.

3. I understand that UCSDH tracks user activity in electronic health records. Inappropriate access to restricted patient, employee or student records is a violation of UC policy and law, subject to sanctions.

4. Inappropriate access and/or unauthorized release of protected information will result in disciplinary action, up to and including termination of employment, and will result in a report to authorities charged with professional licensing, enforcement of privacy laws and prosecution of criminal acts. Federal and State authorities may levy penalties to individuals or providers of healthcare of $2,500 - $25,000 per violation.

5. User IDs and passwords must not be shared. Inappropriate use of my ID (whether by me or anyone else) is my responsibility and exposes me to severe consequences.

• Print Name: _______________________ / Sign: _________________ / Date: ____________

Page 112

Training Certificate

Print & Sign Form. Return to the UCSD Medical Student Affairs Office.

I have read UCSD Health’s Privacy and Information Security training materials and confidentiality statement and agree to abide by UCSD Health policy, UCSD/UC policy, and Federal / State privacy and information security laws.

• Print name: _______________________________

• Department name: ____________________ / UCSD

• UCSD Employee ID number: ___________________ <if known>

• UCSD Student ID number: ___________________

• Non-UCSD workforce member ID: ______________

• Indicate the 2-digit birth month (MM) and last 4 letters of your last name.

Page 113

UC San Diego Health - Compliance Training

Although no single course can adequately address all potential ethical and compliance dilemmas you might face as an important member of the University community, we hope that the information provided in this briefing will better equip you to make the right decisions and to act in an ethical and compliant manner. Thank you for your participation.

You may now close the course window.