compliance & privacy education · osf corp 2014 compliance education laptops! • no protected...

Post on 25-Sep-2020

Compliance & Privacy Education

Together we can support our Mission,

protect our Values and achieve our Vision.

all together better

OSF CORP 2014 Compliance Education

Who is Compliance?

JOHN EVANCHO
Senior VP, Chief Compliance Officer

Ministry Compliance and Risk Division consists of:
- Audit Team
- Compliance Officers
- Privacy Officers
- Conflicts of Interest Team

*Each facility has a Compliance and Privacy Officer that works on‐site.

What is Compliance?

• Doing the RIGHT thing, the RIGHT way – the first time and every time

• Following the RULES

The Rules include…

• Policies and procedures,

• Accreditation standards, and

• Government health care regulations.

The focus of this training session is on the government regulations.

Why Should I Care about Compliance?

Goals:

• Reduce the risk of exclusion

• Reduce financial penalties and

• Ensure public trust

OSF Compliance Program Elements

Elements of an Effective Compliance Program

• Policies and Procedures
• Compliance Officer and Committee
• Training and Education
• Lines of Communication
• Disciplinary Guidelines
• Auditing & Monitoring
• Responding to Offenses
• Risk Assessment

The OSF Compliance Program

• Help employees follow government regulations so we prevent Fraud and Abuse.

• If errors occur, we want to respond immediately to resolve any problems.

• OSF Compliance Plan provides guidance: http://www.osfhealthcare.org/compliance/

Government Regulators

CMS = Centers for Medicare & Medicaid Services

OIG = Office of the Inspector General

Government (Federal and State) agencies that audit and monitor us to make sure we’re following the rules.

False Claims Act (FCA)

• Government tool to fight Medicare and Medicaid fraud and abuse

• Fraud – charging Medicare or Medicaid for services that were not provided

• Abuse – charging Medicare or Medicaid for unnecessary costs, such as tests or exams that were not really needed

Penalties for Violating FCA (Committing Fraud and Abuse)

Potential penalties include: 

• monetary damage$,

• exclusion from Medicare/Medicaid programs, and

• misdemeanor & felony convictions

Fraud and Abuse: Clinical Documentation

Lack of medical necessity is a leading area of healthcare fraud and abuse in the Medicare system. 

Poor medical record documentation can lead to allegations of false claims. 

Real Example: Clinical Documentation

Facts: OIG audit of NJ Urologist ‐ overpaid by $14,734

Problem: 90% of claims lacked sufficient documentation:
– to determine if services were actually provided (fraud)
– to determine if services were medically necessary (abuse)

Result: Doctor owed Medicare $350,000 (24 x amount paid to him) after all fines and penalties were assessed.

Anti‐Kickback Statute

Paying for patient referrals

• Includes anything of value, not just money

Anti‐Kickback Statute: Penalties

• Criminal and civil penalties:

– fines, jail terms, and exclusion from participation in the Federal health care programs

– up to $50,000 per kickback plus three times the amount of the payment for the referral

Anti‐Kickback Statute: Example

Facts: A California doctor received $100 from a home health facility for each patient she referred to them.

Problem: She received about $30,000 from the home health facility for referring patients to them, and this is illegal under the Anti‐Kickback Statute.

Result: This physician was sentenced to one year in federal prison and was ordered to pay $1.088 million in restitution to Medicare.

*Anybody can be guilty of violating AKS, not just doctors.

Conflicts of Interest

• Conflicts of Interest = any relationship which is or appears to be not in the best interest of OSF.

• Examples of Potential Conflicts of Interest:
– Having a financial interest in a vendor’s company or business
– Receiving discounts or personal gifts from actual or potential suppliers

• If you have any questions, you may talk to your supervisor, refer to OSF’s Ministry Compliance Conflict of Interest Policies, and/or speak with someone in the Ministry Compliance and Risk Division.

HIPAA Privacy Rule

• The Health Insurance Portability & Accountability Act (HIPAA) ‐ Federal law requiring healthcare providers to protect the privacy and security of patients’ protected health information (PHI).

HIPAA Privacy Rule

• Protected Health Information (PHI) ‐ any information that could reasonably identify an individual

• Ministry Privacy Officer ‐ Mary Anne Nieukirk

Laptops!

• No Protected Health Information (PHI) on hard drive— save to OSF network

• If need to take laptop away from work, always lock it in the trunk of your car until you arrive at your destination.
– It is your responsibility to keep your computer secure
– Most privacy breaches reported in the news involve laptops lost or stolen from an employee’s car or home.

• If a laptop or smart phone contains any PHI, it must be encrypted.  Contact the OSF IT Service Center for information on encryption.

Real Example

American researcher visiting South Korea (2010)
– Backpack with unencrypted laptop left in public place and stolen
– PHI for about 3,500 patients & research subjects

Result:
– $1.5 million settlement with US government

Email Attachments

• Email and Internet only for work‐related business

• Don’t click on links from unknown senders or inappropriate websites
– Could infect computer with malware, spyware, or viruses

• Never open an executable file (.exe suffix, such as “doefile.exe”) unless you know and trust the sender and are expecting the file.  Delete upon receipt and don’t open attachment.

• Please exercise extreme caution and if you discover that you have opened a malicious file, contact the OSF Service Center immediately to report it. 

Minimum Necessary

• Minimum Necessary standard:

– when you need to use or disclose PHI, you must limit the information to the smallest amount necessary to accomplish the intended purpose.

Minimum Necessary

• Only access PHI if you need the information to perform your job.

• “Do I really need access to this information to do my job?”

• Share PHI with as few individuals as needed to ensure patient care – and then only to the extent required by their roles.

Snooping

• Snooping = Inappropriately accessing PHI not needed to perform your job (it’s illegal!)

• Disciplinary action if you access PHI – including your own or that of a family member or a fellow employee – that you do not need to know to do your job.

Snooping

• OSF audits & monitors PHI accessed by employees

• OSF must report serious violations to patients involved and to the federal government.

Snooping Example

• Employee’s neighbor was in a car accident and is in surgery.

• The employee is concerned about his neighbor’s condition and accesses the neighbor’s electronic medical record.

• Is this a violation of HIPAA?

Snooping Example

YES:

Even if the employee doesn’t tell anyone else what he has learned, he has violated HIPAA by accessing his neighbor’s protected health information (PHI).

Social Networking

• Do NOT post anything about your patients – even if you do not use their name.

• Could accidentally disclose patient’s PHI.

• PHI includes any information that could be used to identify a patient – such as a diagnosis, a procedure or a room number.

Social Networking Example

Facts: Hospital employee commented on Twitter about her ex‐husband’s new girlfriend.

Problem: The information came from girlfriend’s medical record. The girlfriend called the hospital’s compliance hotline after seeing this.

Result: Investigation = employee did access the girlfriend’s records inappropriately. The employee was disciplined accordingly.

Social Networking Example

Facts: Physician posted emergency room experiences

Problem: No patient names and no intent to disclose PHI, but others still figured out the identity of one of the patients

Result: The physician was fined for violating HIPAA, was cited for unprofessional conduct, lost hospital privileges.

Penalties for Employees

• Employees are OSF’s biggest HIPAA violation offenders.

• Employees who inappropriately access, use or disclose PHI may personally be subject to penalties of up to $1.5 million and up to 10 years in federal prison.

• Disciplinary action taken up to and including terminating employment – as specified in the OSF Positive Discipline Policy HR 601

Report Suspected Compliance Violations

You have a duty to report suspected compliance violations (e.g. improper billing, unlawful disclosure of PHI, fraud or abuse)

• Contact your supervisor,

• Contact your local Compliance or Privacy Officer, or 

• Contact the OSF Integrity Line by calling 1‐800‐547‐2822 or by logging on to https://OSFIntegrityLine.alertline.com

OSF Integrity Line

The OSF Integrity Line is a confidential method to report serious compliance concerns such as –

• HIPAA Violations
• Billing Fraud and Abuse
• Illegal Conduct
• Conflicts of Interest
• Theft of OSF Property
• Workplace Violence
• Violations of Laws and OSF Policies
• Harassment or Discrimination

OSF Integrity Line

• Call or log on: you’ll get ID # and contact date

• Investigation and a response that you can access on your contact date

• Not a substitute for communication with your supervisor

Employee Protection

A “whistleblower” = an employee who tells someone in authority about alleged dishonest or illegal activities.

The FALSE CLAIMS ACT and OSF policies protect whistleblowers from being fired, demoted, threatened or harassed by their employer for speaking up.

We’re All Together Better When We…

• Continue to treat those we serve with the greatest care and love, each and every time

• Reduce risk of exclusion 

• Help ensure that OSF complies with all the rules and avoids fines and other penalties
