
Medicare General Compliance, FWA and HIPAA Training Packet


Medicare Parts C & D General Compliance Training

Developed by the Centers for Medicare & Medicaid Services*

*Health plan specific information added with permission from CMS.

Important Notice

The Health Plan is a Medicare Part C & D Sponsor.

All contractors of Part C & D Sponsors who provide health or administrative services to Medicare enrollees must satisfy general compliance training requirements in accordance with Compliance Program regulations at 42 C.F.R. §§ 422.503(b)(4)(vi) and 423.504(b)(4)(vi) and in Section 50.3 of the Compliance Program Guidelines found in Chapter 9 of the Medicare Prescription Drug Benefit Manual and Chapter 21 of the Medicare Managed Care Manual.

Completion of this training module satisfies the 2013 annual requirement for Medicare Parts C & D General Compliance Training.

Why Do I Need Training?

Compliance is EVERYONE’S responsibility!

As an individual who provides health or administrative services for Medicare enrollees, every action you take potentially affects Medicare enrollees, the Medicare program, or the Medicare trust fund.

Where Do I Fit In?

Health or administrative services to a Part C or Part D enrollee are provided by either a:

• Part C or D Sponsor Employee

• First Tier Entity

– Examples: PBM, a Claims Processing Company, contracted Sales Agent

• Downstream Entity

– Example: Pharmacy

• Related Entity

– Example: Entity that has a common ownership or control of a Part C/D Sponsor

The Health Plan is a Part C & D Sponsor.

Training Objectives

• To understand the organization’s commitment to ethical business behavior

• To understand how a compliance program operates

• To gain awareness of how compliance violations should be reported

Background

• CMS requires Medicare Advantage, Medicare Advantage‐Prescription Drug, and Prescription Drug Plan Sponsors (“Sponsors”) to implement an effective compliance program.

• An effective compliance program should:

– Articulate and demonstrate an organization’s commitment to legal and ethical conduct

– Provide guidance on how to handle compliance questions and concerns

– Provide guidance on how to identify and report compliance violations

Compliance

A culture of compliance within an organization:

• Prevents noncompliance

• Detects noncompliance

• Corrects noncompliance

Compliance Program Requirements

At a minimum, a compliance program must include the 7 core requirements:

1. Written Policies, Procedures and Standards of Conduct;

2. Compliance Officer, Compliance Committee and High Level Oversight;

3. Effective Training and Education;

4. Effective Lines of Communication;

5. Well Publicized Disciplinary Standards;

6. Effective System for Routine Monitoring and Identification of Compliance Risks; and

7. Procedures and System for Prompt Response to Compliance Issues

42 C.F.R. §§ 422.503(b)(4)(vi) and 423.504(b)(4)(vi); Internet‐Only Manual (“IOM”), Pub. 100‐16, Medicare Managed Care Manual Chapter 21; IOM, Pub. 100‐18, Medicare Prescription Drug Benefit Manual Chapter 9

Compliance Officer

As Requirement Two states, Plans must have a Medicare Compliance Officer.

The Medicare Compliance Officer is Jill Salerno.

Jill can be reached at:

165 Court St., Rochester, NY 14647

(585) 399‐6645

or via the Ethics & Compliance Hotline

(800) 275‐0170

Compliance Training

• CMS expects that all Sponsors will apply their training requirements and “effective lines of communication” to the entities with which they partner. 

• Having “effective lines of communication” means that employees of the organization and the partnering entities have several avenues through which to report compliance concerns. 

Ethics – Do the Right Thing!

• Act Fairly and Honestly

• Comply with the letter and spirit of the law

• Adhere to high ethical standards in all that you do

• Report suspected violations

As a part of the Medicare program, it is important that you conduct yourself in an ethical and legal manner. It’s about doing the right thing!

How Do I Know What is Expected of Me?

Know the Code!

The Code of Business Conduct states compliance expectations and the principles and values by which the organization operates.

Everyone is required to report violations of our Code of Conduct and suspected noncompliance. 

The Code of Conduct and Policies and Procedures identify this obligation and tell you how to report.

What Is Noncompliance?

Noncompliance is conduct that does not conform to the law, and Federal health care program requirements, or to our ethical and business policies.

Medicare Parts C & D High Risk Areas *

• Appeals and Grievance Review

• Claims Processing

• Marketing and Enrollment

• Agent / Broker

• Formulary Administration

• Quality of Care

• Beneficiary Notices

• Documentation Requirements

• Credentialing

• Ethics

• HIPAA

• Conflicts of Interest

*For more information, see the Medicare Managed Care Manual and the Medicare Prescription Drug Benefit Manual at www.cms.gov.

Noncompliance Harms Enrollees

Without programs to prevent, detect and correct noncompliance there are:

• Delayed services

• Difficulty in using providers of choice

• Hurdles to care

• Denial of Benefits

Noncompliance Costs Money

Noncompliance affects EVERYBODY! Without programs to prevent, detect and correct noncompliance we risk:

• Higher Premiums

• Lower benefits for individuals and employers

• Higher Insurance Copayments

• Lower Star ratings

• Exclusion from Federal Health Care programs

I’m Afraid to Report Noncompliance

There can be NO retaliation against you for reporting suspected noncompliance in good faith.

The Plan offers reporting methods that are:

• Anonymous

• Confidential

• Non‐Retaliatory

How Can I Report Potential Noncompliance?

• Contact the Medicare Compliance Officer

• Call the Ethics & Compliance Hot Line 800‐ASK‐0170

• Send a message to the Ethics & Compliance email box in Lotus Notes 

• Call the Special Investigations Unit to report Fraud, Waste and Abuse

• Talk to your Manager or Supervisor

• First tier, downstream, and related entities (FDR) can call the Ethics & Compliance Hot Line, speak to a Manager or Supervisor or contact the sponsor (Health Plan)

• Beneficiaries of all lines of business can call the Ethics & Compliance Hot Line 

• Medicare beneficiaries can also call 800‐Medicare

What Happens Next?

After noncompliance has been detected, it must be investigated immediately, and then any noncompliance must be promptly corrected.

Correcting noncompliance:

• Avoids the recurrence of the same noncompliance

• Promotes efficiency and effective internal controls

• Protects enrollees

• Ensures ongoing compliance with CMS requirements

How Do I Know the Noncompliance Won’t Happen Again?

• Once noncompliance is detected and corrected, an ongoing evaluation process is critical to ensure the noncompliance does not recur.

• Monitoring activities are regular reviews which confirm ongoing compliance and ensure that corrective actions are undertaken and effective.

• Auditing is a formal review of compliance with a particular set of standards (e.g., policies and procedures, laws and regulations) used as base measures.

Compliance cycle (diagram): Prevent → Detect → Report → Correct → Monitor/Audit

Know the Consequences of Noncompliance

Plans are required to have disciplinary standards in place for non‐compliant behavior. Those who engage in non‐compliant behavior may be subject to any of the following:

• Mandatory Training or Re‐Training

• Disciplinary Action

• Termination

Compliance is EVERYONE’S Responsibility!!

PREVENT

• Operate within our organization’s ethical expectations to PREVENT noncompliance!

DETECT & REPORT

• If you DETECT potential noncompliance, REPORT it!

CORRECT

• CORRECT noncompliance to protect beneficiaries and to save money!

What Governs Compliance?

• Social Security Act:

– Title 18

• Code of Federal Regulations*:

– 42 CFR Parts 422 (Part C) and 423 (Part D)

• CMS Guidance:

– Manuals

– HPMS Memos

• CMS Contracts:

– Private entities apply and contracts are renewed/non‐renewed each year

• Other Sources:

– OIG/DOJ (fraud, waste and abuse (FWA))

– HHS (HIPAA privacy)

• State Laws:

– Licensure

– Financial Solvency

– Sales Agents

* 42 C.F.R. §§ 422.503(b)(4)(vi) and 423.504(b)(4)(vi)

Additional Resources

For more information on laws governing the Medicare program and Medicare noncompliance, or for additional healthcare compliance resources, please see:

• Title XVIII of the Social Security Act

• Medicare Regulations governing Parts C and D (42 C.F.R. §§ 422 and 423)

• Civil False Claims Act (31 U.S.C. §§ 3729‐3733)

• Criminal False Claims Statute (18 U.S.C. §§ 287, 1001)

• Anti‐Kickback Statute (42 U.S.C. § 1320a‐7b(b))

• Stark Statute (Physician Self‐Referral Law) (42 U.S.C. § 1395nn)

• Exclusion entities instruction (42 U.S.C. § 1395w‐27(g)(1)(G))

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104‐191) (45 CFR Part 160 and Part 164, Subparts A and E)

• OIG Compliance Program Guidance for the Healthcare Industry: http://oig.hhs.gov/compliance/compliance‐guidance/index.asp

Remember!

Compliance is EVERYONE’S responsibility

There can be NO retaliation against you for reporting suspected noncompliance in good faith.

To report, call the Hotline at (800) ASK‐0170

 

Contractor Medicare General Compliance Training Test Questions

 

1. What is conduct that does not conform to the law, and Federal health care program requirements, or to our ethical and business policies? 

a. Noncompliance 

b. Compliance 

c. Ethics 

d. None of these 

 

2. What are the benefits of a culture of compliance within an organization? 

a. To prevent noncompliance 

b. To detect noncompliance 

c. To correct noncompliance 

d. All of the above 

 

3. Without programs to prevent, detect and correct noncompliance we risk? 

a. Higher Star Ratings 

b. Lower Premiums 

c. Lower Insurance Copayments 

d. Exclusion from Federal Health Care programs 

 

4. True or false – We offer reporting methods that are confidential, anonymous and non‐retaliatory? 

a. True 

b. False 

 

5. At a minimum, a compliance program must include 7 core requirements.  Which of the following are core requirements? 

a. Effective Training and Education 

b. Procedures and System for Prompt Response to Compliance Issues 

c. Well Publicized Disciplinary Standards 

d. Effective System for Routine Monitoring and Identification of Compliance Risks 

e. All of the above 

 

6. You have discovered an unattended email address or fax machine in your office which receives beneficiary appeals requests.   You suspect that no one is processing the appeals. What should you do? 

a. Contact Law Enforcement 

b. Contact your Compliance Department 

c. Wait to confirm someone is processing the appeals before taking further action 

d. Contact your supervisor 

 

7. A sales agent, employed by one of our first‐tier or downstream entities, has submitted an application for processing and has requested that the enrollment date be back‐dated by one month and all monthly premiums for the beneficiary be waived.

What should you do?

a. Refuse to change the date or waive the premiums, but decide not to mention the request to a supervisor or the compliance department. 

b. Make the requested changes because the sales agent is responsible for determining the beneficiary's start date and monthly premiums. 

c. Tell the sales agent you will take care of it, but then process the application properly (without the requested revisions).  You will not file a report because you don't want the sales agent to retaliate against you. 

d. Process the application properly (without the requested revisions).  Inform your supervisor and the compliance officer about the sales agent's request.  

 

8. Last month, while reviewing a monthly report from CMS, you identified multiple enrollees for which we are being paid, who are not enrolled in our plan.  You spoke to your supervisor, Tom, who said not to worry about it.  This month, you have identified the same enrollees on the report again.  What do you do? 

a. Decide not to worry about it as your supervisor, Tom, had instructed.  You notified him last month and now it’s his responsibility. 

b. Although you have seen notices about our non‐retaliation policy, you are still nervous about reporting.  To be safe, you submit a report through your Compliance Department’s anonymous tip line so that you cannot be identified. 

c. Contact law enforcement and CMS to report the discrepancy. 

d. Ask Tom about the discrepancies again. 

 

9. True or false – As a Part C & D Sponsor, we are required to have a compliance committee to oversee our compliance program; however, the hiring or appointment of a compliance officer is optional. 

a. True 

b. False 

 

10. TRUE OR FALSE: If we subcontract with downstream entities for the performance of services, the downstream entity is ultimately responsible for complying with all CMS requirements. 

a. True 

b. False 

 

Fraud, Waste and Abuse Training

Developed by the Centers for Medicare & Medicaid Services* 

*Health plan specific information added with permission from CMS.

Important Notice

The Health Plan is a Medicare Part C & D Sponsor.

All Part C & D Sponsors' employees must satisfy Fraud, Waste and Abuse training requirements.

Completion of this training module satisfies the 2013 annual requirement for Fraud, Waste and Abuse Training.

Why Do I Need Training?

Every year millions of dollars are improperly spent because of fraud, waste and abuse. It affects everyone.

Including YOU.

This training will help you detect, correct and prevent fraud, waste and abuse.

YOU are part of the solution.

Objectives

• Meet the regulatory requirement for training and education

• Provide information on the scope of fraud, waste and abuse

• Explain everyone’s obligation to detect, prevent and correct fraud, waste and abuse

• Provide information on how to report fraud, waste and abuse

• Provide information on laws pertaining to fraud, waste and abuse

Requirements

The Social Security Act and CMS regulations and guidance govern the Medicare program, including parts C and D.

• Part C and Part D sponsors must have an effective compliance program which includes measures to prevent, detect and correct Medicare non‐compliance as well as measures to prevent, detect and correct fraud, waste and abuse.

• Sponsors must have effective training for employees, managers and directors, as well as their first tier, downstream and related entities (FDRs).

42 C.F.R. §422.503 and 42 C.F.R. §423.504

Where Do I Fit In?

Health or administrative services to a Part C or Part D enrollee are provided by either a:

• Part C or D Sponsor Employee

• First Tier Entity

– Examples: PBM, a Claims Processing Company, contracted Sales Agent

• Downstream Entity

– Example: Pharmacy

• Related Entity

– Example: Entity that has a common ownership or control of a Part C/D Sponsor

What are my responsibilities?

You are a vital part of the effort to prevent, detect and report Medicare non‐compliance as well as possible fraud, waste and abuse.  

• FIRST you are required to comply with all applicable statutory, regulatory and other Part C or Part D requirements, including adopting and implementing an effective compliance program.

• SECOND you have a duty to the Medicare Program to report any violations of laws that you may be aware of. 

• THIRD you have a duty to follow our organization’s Code of Conduct that articulates your and our organization’s commitment to standards of conduct and ethical rules of behavior.  

An Effective Compliance Program

• Is essential to prevent, detect and correct Medicare non‐compliance as well as fraud, waste and abuse.

• Must, at a minimum, include the 7 core compliance program requirements. 

42 C.F.R. §422.503 and 42 C.F.R. §423.504

How Do I Prevent Fraud, Waste and Abuse?

• Make sure you are up to date with laws, regulations, policies

• Ensure you coordinate with other payers

• Ensure data/billing is both accurate and timely

• Verify information provided to you

• Be on the lookout for suspicious activity

Policies and Procedures

Every sponsor, first tier, downstream and related entity must have policies and procedures in place to address fraud, waste and abuse.  These procedures should assist you in detecting, correcting, and preventing fraud, waste and abuse.  

Make sure you are familiar with the policies and procedures (P&Ps).  

Our Policies and Procedures

P&Ps are housed in ______ and are available on the Compliance homepage on the Intranet.

Medicare P&Ps are available on the Medicare Compliance homepage on the Intranet.

To the right is a screen shot of some of the Medicare Compliance P&Ps.

Understanding Fraud, Waste and Abuse

In order to detect fraud, waste and abuse you need to know the Law.

Criminal FRAUD

Knowingly and willfully executing, or attempting to execute, a scheme or artifice to defraud any health care benefit program; or to obtain, by means of false or fraudulent pretenses, representations, or promises, any of the money or property owned by, or under the custody or control of, any health care benefit program.

18 United States Code §1347

What Does That Mean?

Intentionally submitting false information to the government or a government contractor in order to get money or a benefit.

Waste and Abuse

Waste: overutilization of services, or other practices that, directly or indirectly, result in unnecessary costs to the Medicare Program. Waste is generally not considered to be caused by criminally negligent actions but rather the misuse of resources.

Abuse: includes actions that may, directly or indirectly, result in unnecessary costs to the Medicare Program. Abuse involves payment for items or services when there is not legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment.

Differences Between Fraud, Waste and Abuse

There are differences between fraud, waste and abuse.  

One of the primary differences is intent and knowledge.  

Fraud requires the person to have an intent to obtain payment and the knowledge that their actions are wrong.  

Waste and abuse may involve obtaining an improper payment, but do not require the same intent and knowledge.

Report Fraud, Waste and Abuse

Do not be concerned about whether it is fraud, waste or abuse.  Just report any concerns to our Special Investigations Unit (SIU).

The SIU will investigate and make the proper determination.

Indicators of Potential Fraud, Waste and Abuse

Now that you know what fraud, waste and abuse are, you need to be able to recognize the signs of someone committing fraud, waste or abuse.

The following slides demonstrate prescription drug issues to present examples of potential fraud, waste or abuse.

Each slide provides areas to keep an eye on, depending on your role in our organization.

Key Indicators: Potential Provider Issues

• Does the provider write for diverse drugs or primarily only for controlled substances?

• Are the provider’s prescriptions  appropriate for the member’s health condition (medically necessary)?

• Is the provider writing for a higher quantity than medically necessary for the condition?

• Is the provider performing unnecessary services for the member?

Key Indicators: Potential Beneficiary Issues

• Does the prescription look altered or possibly forged?

• Have you filled numerous identical prescriptions for this beneficiary, possibly from different doctors?

• Is the person receiving the service/picking up the prescription the actual beneficiary(identity theft)? 

• Is the prescription appropriate based on beneficiary’s other prescriptions?

• Does the beneficiary’s medical history support the services being requested?

Key Indicators: Potential Pharmacy Issues

• Are we being billed for prescriptions that are not filled or picked up?

• Are drugs being diverted (drugs meant for nursing homes, hospice, etc. being sent elsewhere)?

Key Indicators: Potential Sponsor Issues

• Does the sponsor offer cash inducements for beneficiaries to join the plan?

• Does the sponsor lead the beneficiary to believe that the cost of benefits are one price, only for the beneficiary to find out that the actual costs are higher?

• Does the sponsor use unlicensed agents?

• Does the sponsor encourage/support inappropriate risk adjustment submissions?

How Do I Report Fraud, Waste or Abuse?

Reporting Fraud, Waste and Abuse

Everyone is required to report suspected instances of fraud, waste and abuse.  

The Code of Conduct clearly states this obligation.  

The organization will not tolerate any form of retaliation against anyone who makes a good faith report in accordance with the Code.

Reporting Fraud, Waste and Abuse

Every Part C & D Sponsor is required to have a mechanism in place in which potential fraud, waste or abuse may be reported by employees, first tier, downstream and related entities.  

You may report anonymously and you are protected from retaliation!

When in doubt, call the Fraud Hotline (800‐378‐8024) or the Ethics & Compliance Hotline (800‐ASK‐0170).

Reporting Fraud, Waste and Abuse

You may contact the Special Investigations Unit at the following location and numbers:

165 Court St., Rochester, NY 14647

Fraud Hotline: 800‐378‐8024

SIU Regional offices are as follows:

• Univera: 877‐800‐0910

• Rochester: 800‐378‐8024

• CNY: 800‐219‐8943

• Utica: 800‐925‐9154

You may also report electronically by clicking on the Fraud & Abuse link at the bottom of the Excellusbcbs.com Home Page

Reporting Fraud, Waste and Abuse

Additionally, you may contact the Chief Compliance Officer and/or the Medicare Compliance Officer at the following location and number:

165 Court St., Rochester, NY 14647

Ethics & Compliance Hotline: 800‐ASK‐0170

Employees may also submit emails to the Corporate Compliance Officer at “Ethics and Compliance” through Lotus Notes.

You may also contact the Corporate Legal Department via e‐tracker on Fingertips. 

Correction

Once fraud, waste or abuse has been detected it must be promptly corrected. Correcting the problem saves the government money and ensures we are in compliance with CMS’ requirements.

How Do I Correct Issues?

Once issues have been identified, a plan to correct the issue needs to be developed. 

Consult the Medicare Compliance Officer to learn about the process for the corrective action plan development.

The actual plan is going to vary, depending on the specific circumstances.  

Laws

The following slides provide very high level information about specific laws.  For details about the specific laws, such as safe harbor provisions, consult the applicable statute and regulations concerning the law.

Civil Fraud: Civil False Claims Act

Prohibits:

• Presenting a false claim for payment or approval;

• Making or using a false record or statement in support of a false claim;

• Conspiring to violate the False Claims Act;

• Falsely certifying the type/amount of property to be used by the Government;

• Certifying receipt of property without knowing if it’s true;

• Buying property from an unauthorized Government officer; and

• Knowingly concealing or knowingly and improperly avoiding or decreasing an obligation to pay the Government.

31 United States Code §§ 3729‐3733

New York State False Claims Act

The New York State False Claims Act only applies to false claims submitted to the Medicaid program, and is very similar to the Federal False Claims Act.  

The New York State False Claims Act applies to persons who:

1. Knowingly submit a false or fraudulent claim to an employee, officer, or agent of the government;

2. Knowingly make a false record or statement to get a false claim paid by the state or local government;

3. Knowingly retain money owed to the government;

4. Knowingly make a false record or statement to conceal, avoid or decrease an obligation to pay money to the government; or

5. Conspire to get a false claim paid.

Medicare and Medicaid Program Integrity Statute

In addition to potential liability under the State and Federal False Claims Acts for retaining an overpayment, health plans and providers can also be held liable for a failure to report, explain and return an overpayment to the government within 60 days of identifying it.  

This requirement was added as part of the federal health reform initiative.  

The requirement to timely report, explain and return an overpayment applies regardless of the reason for the overpayment.  Even overpayments resulting from simple billing mistakes must be returned within 60 days.

False Claims Act Damages and Penalties

Violations of the NY State False Claims Act can result in fines ranging from $6,000 to $12,000 per claim, plus three times the amount of damages sustained by the government.  

Violations of the Federal False Claims Act can result in civil penalties ranging from $5,500 to $11,000 per claim and up to triple the amount of damages sustained by the government.  

In both cases, exclusion from the Medicare and Medicaid program can also result.  

Criminal Fraud Penalties

If convicted, the individual shall be fined, imprisoned, or both.  If the violations resulted in death, the individual may be imprisoned for any term of years or for life, or both.

18 United States Code §1347

Qui Tam

The False Claims Act includes something called a Qui Tam provision. The Qui Tam provision allows people, also known as "whistleblowers," to hire a lawyer at their own expense and sue anyone they believe has defrauded the government.

The government has the option of joining the suit as a party, which usually only occurs if they conclude the whistleblower has a good case.  If the case is won, the “whistleblower” is entitled to a portion of the money recovered.

Protections under the FCA

Just as we discuss in our own Code of Business Conduct, the Qui Tam provision prohibits retaliation against anyone who reports a False Claims Act violation.  

The Whistleblower Employee Protection Act prohibits an organization from discharging, demoting, suspending, threatening, harassing or discriminating against any employee because of lawful acts done by the employee, on behalf of the employer, or because the employee testifies or assists in an investigation of the employer.

In addition, the False Claims Act provides a number of possible remedies to employees who are discharged, demoted, harassed, or otherwise discriminated against, because of lawful actions taken under the Act.

Anti‐Kickback Statute

Prohibits:

Knowingly and willfully soliciting, receiving, offering or paying remuneration (including any kickback, bribe, or rebate) for referrals for services that are paid in whole or in part under a federal health care program (which includes the Medicare program).

42 United States Code §1320a‐7b(b)

Penalties:

Fine of up to $25,000, imprisonment up to five (5) years, or both fine and imprisonment.

Stark Statute (Physician Self‐Referral Law)

Prohibits: 

A physician from making a referral for certain designated health services to an entity in which the physician (or a member of his or her family) has an ownership/investment interest or with which he or she has a compensation arrangement (exceptions apply).

42 United States Code §1395nn

Penalties:

Medicare claims tainted by an arrangement that does not comply with Stark are not payable.  Up to a $15,000 fine for each service provided.  Up to a $100,000 fine for entering into an arrangement or scheme.

Exclusion

The Office of the Inspector General, the Office of the Medicaid Inspector General and the General Services Administration publish lists of individuals and companies who are excluded from doing business with the government.  

As a Health Plan with Medicare and Medicaid members, we may not employ or contract with individuals or companies that are excluded by these offices.  This also applies to our first tier, downstream and related entities.  We have a duty to verify, initially and monthly thereafter, that the individuals we hire, and the companies with which we contract, are not on the exclusion lists.

Should an organization do business with an individual or company that it knew, or should have known, was excluded, the organization may face a civil monetary penalty of $10,000 for each claim submitted for any services or items that were furnished during the individual or company’s exclusion, plus triple damages. 

42 U.S.C. §1395(e)(1); 42 C.F.R. §1001.1901

Health Insurance Portability and Accountability Act of 1996 (P.L. 104‐191)

Created greater access to health care insurance, protection of privacy of health care data, and promoted standardization and efficiency in the health care industry.

Safeguards to prevent unauthorized access to protected health care information.  

As an individual who has access to protected health care information, you are responsible for adhering to HIPAA.

Penalties:

HIPAA civil penalties range from $100 per violation ($25,000 per year maximum) if the person did not know he/she was violating HIPAA to $50,000 per violation ($1,500,000 per year maximum) for violations due to willful neglect.  HIPAA criminal penalties may be up to $50,000, with up to one year in prison.  Add ‘false pretenses’ to that and the penalties increase up to $100,000, and up to five years in prison.  Adding ‘intent to sell’ increases the penalties up to $250,000, with up to 10 years in prison.

Beneficiary Inducement Law

Under the Beneficiary Inducement Law, it is illegal to offer items of value (cash, gift cards, goods and services, etc…), that a person knows (or should know), is likely to influence a potential customer/patient to select a particular provider, pharmacy or supplier.

Violating the Beneficiary Inducement Law may result in fines of up to $10,000 per item or service, plus three times the damages incurred by the government.  Violators also face potential exclusion from participation in government programs.

Consequences of Committing Fraud, Waste or Abuse

The following are potential penalties.  The actual consequence depends on the violation.

• Civil Money Penalties
• Criminal Conviction/Fines
• Civil Prosecution
• Imprisonment
• Loss of Provider License
• Exclusion from Federal Health Care programs

Remember!

You are a vital part of the effort to prevent, detect and report Medicare non‐compliance as well as possible fraud, waste and abuse.  

YOU are part of the solution.

 

Contractor FWA Training Test Questions

1. True or false ‐ there are no differences between fraud, waste and abuse. 

a. True 

b. False 

 

2. True or false ‐ Every Part C & D sponsor is required to have a mechanism in place in which fraud, waste and abuse may be reported. 

a. True 

b. False 

 

3. True or false – CMS may not impose civil penalties for violations of fraud and abuse laws and regulations. 

a. True 

b. False 

 

4. True or false ‐ Sponsors may not allow employees to report FWA activities anonymously. 

a. True 

b. False 

 

5. True or false – Fraud, waste and abuse affects you. 

a. True 

b. False

6. Which of the following involves payment for items or services where there was intent to deceive or misrepresent? 

a. Remuneration 

b. Abuse 

c. Fraud 

 

7. Payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment is an example of _____. 

a. Fraud 

b. Abuse 

c. Waste 

d. Remuneration 

 

8. As a Health Plan employee, you are a: 

a. Part C or D Sponsor Employee 

b. First Tier Entity 

c. Downstream Entity 

d. Related Entity 

 

9. How can you prevent fraud, waste and abuse? 

a. Make sure you are up to date with laws, regulations, policies 

b. Verify information provided to you 

c. Be on the lookout for suspicious activity 

d. All of the above 

 

 

10. Which of the following is generally not considered to be caused by criminally negligent actions but rather the misuse of resources? 

a. Fraud 

b. Abuse 

c. Waste 

d. Underutilization 

 

11. Your job is to submit risk diagnosis to CMS for purposes of payment.  As part of this job you are to verify, through a certain process, that the data is accurate.  Your immediate supervisor tells you to ignore the sponsor’s process and to adjust/add risk diagnosis codes for certain individuals. 

What do you do? 

A. Do what is asked of your immediate supervisor 

B. Report the incident to the compliance department (via Compliance Hotline or other mechanism) 

C. Discuss concerns with immediate supervisor 

D. Contact law enforcement 

 

12. Which of the following could prohibit a physician from referring a Medicare patient to a pharmacy with which the physician has a financial relationship? 

a. False Claims Act 

b. Stark Law 

c. Beneficiary Inducement Law 

d. Anti‐Kickback Statute

13. You are in charge of payment of claims submitted from providers.  You notice a certain diagnostic provider (“Doe Diagnostics”) has requested a substantial payment for a large number of members.  Many of these claims are for a certain procedure.  You review the same type of procedure for other diagnostic providers and realize that Doe Diagnostics’ claims far exceed any other provider that you reviewed. 

What do you do? 

A. Call Doe Diagnostics and request additional information for the claims 

B. Reject the claims 

C. Pay the claims 

D. Consult with your immediate supervisor for next steps or contact the compliance department 

 

14. Which law prohibits knowingly and willfully soliciting, receiving, offering or paying remuneration for referrals for services that are paid in whole or in part under a federal health care program (which includes the Medicare and Medicaid programs)? 

a. Anti‐Kickback Statute  

b. Stark Law 

c. HIPAA 

d. False Claims Act 

 

15. Dr. Smith has a contract with the local hospital to deliver healthcare services. He refers a lot of his Medicare patients there. If Dr. Smith accepts free office space from county hospital, what law is he potentially violating? 

a. Balanced Budget Act 

b. Stark Law 

c. False Claims Act 

d. Anti‐Kickback Statute

16. True or false – You can find Medicare Policies and Procedures on the Medicare Compliance homepage on the Intranet.   

a. True 

b. False 

 

17. Which of the following is an indicator of potential fraud, waste and abuse? 

a. Are we being billed for prescriptions that are not filled or picked up? 

b. Does the sponsor offer cash inducements for beneficiaries to join the plan? 

c. Does the provider bill us for services not provided? 

d. All of the above 

 

18. Which answer below best answers the question:  Who is required to report suspected instances of fraud, waste and abuse? 

a. Special Investigations Unit team members 

b. The Medicare Compliance Officer 

c. Compliance team members 

d. Everyone 

 

19. Which of the following are consequences of committing fraud, waste or abuse? 

a. Civil Money Penalties 

b. Criminal Conviction/Fines 

c. Imprisonment 

d. Exclusion from Federal Health Care programs 

e. All of the above

20. Which law provides safeguards to prevent unauthorized access to protected health care information?   

a. HIPAA 

b. Stark Law 

c. Anti‐Kickback Statute 

d. False Claims Act 

 

Privacy and Confidentiality Training

Presented by Corporate Privacy Office

Office of Corporate Ethics & Compliance

Introduction

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to establish a national set of standards or rules for:

• Privacy
• Transactions and Code Sets
• Identifiers
• Security

This training program describes the HIPAA Privacy Rule and the Plan’s corporate policies that ensure compliance with the Rule and other related state and federal regulations.


HIPAA Privacy Rule

The HIPAA Privacy Rule, issued by the United States Department of Health and Human Services (HHS), became effective on April 14, 2003. This Rule established a national set of standards for the protection of health information. The intent of the Rule is to protect the privacy of individuals’ health information without impeding the flow of health information necessary for the provision of quality care.

On January 25, 2013, HHS published the HIPAA Omnibus Final Rule which includes modifications to HIPAA Privacy, Security and Enforcement rules. These include requirements for Protected Health Information (PHI) security, breach notification and penalties for non-compliance.


HIPAA Privacy Rule

The Privacy Rule applies to all organizations for which the collection, use or disclosure of health information is essential to business operations. These organizations are considered “covered entities” and include health plans, healthcare clearinghouses and healthcare providers such as physician offices, clinics and hospitals. Business Associates of covered entities are also subject to the Privacy Rule.

(Corporate Policies related to the topics in this course are indicated in parenthesis and can be found on Fingertips under Policies and Procedures. Be sure to reference Corporate Policies on a regular basis to ensure you have the most recent information.)

There are other state and federal laws and regulations that address privacy and confidentiality that are incorporated into our privacy practices.


The Plan’s Notice of Privacy Practices outlines the policies and procedures related to the HIPAA Privacy Rule and member rights. It is distributed at enrollment and upon request.

Protected Health Information

All “individually identifiable health information” is protected under the HIPAA Privacy Rule. Protected Health Information, or PHI, includes any data that may be used to identify the individual associated with health information. PHI includes “personally identifiable information” (PII). PII refers to information used to uniquely identify an individual, either alone or combined with other sources.

Examples of PHI include, but are not limited to:
• An individual’s name, address, date of birth
• Social Security Number, patient/insurance ID, driver’s license number, financial account or credit/debit card number
• Personal characteristics, including photographic image, fingerprints, handwriting, or biometric image (e.g., retina scans, voice signature)
• Medical records or treatment information such as service rendered, diagnosis, treatment notes

Claims, enrollment applications, medical/patient records, etc. all include PHI.


A covered entity must make reasonable efforts to use, disclose or request of another covered entity only a limited data set, or, if needed by the requesting entity, the minimum necessary information to accomplish the purpose of the use or disclosure.

PHI should not be used or disclosed when it is not necessary to satisfy a particular business purpose or carry out a business function. Use or disclosure of information is restricted to a “need to know” basis, including the access of our contractors. Contractor access to an individual’s PHI must be limited to the minimum necessary for the sole purpose of fulfilling job accountabilities.

Workforce Use, Access and Disclosure (CP1340)


Related Corporate Policies:
• Minimum Necessary – Disclosure of Information (CP1110)
• Disclosure to Business Associates (CP1090)
• Intra-entity Privacy Agreements (CP1210)
• Use, Disclosure and Safeguard of PHI (CP1320)
• Workforce Use, Access and Disclosure of Personal Information (CP1340)

Additionally, NYS has added protections around the use of information related to protected diagnoses, e.g., HIV/AIDS.

Any intentional access to information other than for job-related purposes is a violation of the minimum necessary rule and Corporate Policy. For example, accessing your own information or that of a family member or friend is not permissible under any circumstance.

Knowingly accessing information for reasons other than job-related accountabilities can result in disciplinary action up to, and including, termination of employment. In some cases, criminal and civil penalties may be applied.

In addition to accessing information, reasonable efforts must be taken to ensure the confidentiality of conversations when speaking with or conferring about an individual. Avoid discussing PHI in locations where there is risk that a conversation may be overheard such as in an elevator or break room.

Never leave messages containing PHI on answering machines. Telephone messages should be limited to the name of the company, contact name and phone number.


Workforce Use, Access and Disclosure (cont’d)

Related Corporate Policies:
• Workforce Compliance and Mitigation – PHI Disclosure (CP1180)
• Corporate Confidentiality and Non-Disclosure Statement (CP2050)
• Disclosure of PHI by Phone (CP1300)
• Disclosure of PHI by Fax (CP1290)

De-identified Data (CP1100)

De-identified health information has been stripped of PHI and cannot be used to identify a specific person or to link an individual to the health data.

De-identified data must be used whenever possible. This includes internal training purposes, reports, communication with groups, etc. Exceptions to this must be approved by the Data Review Committee and/or the Corporate Privacy Office.

CP1100 provides a list of elements that must be removed in order to consider the information de-identified. The list also serves as a good reference for identifying what is considered to be PHI.

The following slide demonstrates de-identified data with a before-and-after comparison (presented as an image in the original training slides).

Disclosure of PHI


Now that you understand what PHI is, and that the Plan will disclose a limited data set or minimum necessary to accomplish a specific task, the question remains: To whom can the Plan disclose PHI?

The Plan will disclose PHI:
• To the individual who is the subject of the PHI
• To an individual’s Personal Representative (with proper documentation on file)
• To a third party named in an Authorization to Disclose PHI form that is signed by the individual or personal representative
• Without authorization for purposes of payment, treatment or healthcare operations. Examples of this are to providers, facilities or regulatory agencies
• To Business Associates (with proper documentation on file. This will be addressed in more detail in a coming slide)

Examples of situations where an authorization is required include:
• Sharing of PHI with anyone other than the individual, including spouse, family members, children age 18 or older and group leaders (very limited exceptions)
• Use of PHI for the purpose of marketing and research
• Psychotherapy notes

Disclosure of PHI

In conjunction with Federal Privacy laws, many states protect certain medical conditions even further including:

• HIV / AIDS
• Substance Abuse
• Mental Health conditions
• Genetic Testing
• Abortion
• Sexually Transmitted Diseases


Due to the heightened protection around these conditions, internal documentation and disclosure must be limited to the minimum amount necessary to accomplish the task.

Be sure to always check the Authorization Database prior to disclosing information to a third party.

Related Corporate Policies:
• Authorization to Disclose PHI (CP1080)
• Personal Representative (CP1230)
• Disclosure to Business Associates (CP1090)
• Intra-entity Privacy Agreements (CP1210)
• Identity Verification (CP1220)
• Use, Disclosure and Safeguard of PHI (CP1320)
• Disclosure of PHI for Research Purposes (CP1250)
• Marketing and Fundraising – Use of PHI (CP1260)

Disclosure related to HIV/AIDS requires a specific state-approved authorization form. For disclosure related to the other protected health diagnoses, it must be specifically identified in our authorization form.

Business Associates (CP1090)


Business Associates are people or organizations that are contracted to carry out activities on behalf of the organization that require the use or disclosure of PHI. Examples of business associates include external auditors, First Tier, Downstream and Related Entities (FDRs) and vendors.

Since business associates may be required to use or disclose PHI, the covered entity and the business associate must enter into a “Business Associate Agreement (BAA).” This agreement specifies the terms and conditions for the use and disclosure of PHI and dictates the business associates’ responsibilities for maintaining the safety and security of the information.

Disclosure to the business associate must adhere to the limited data set/minimum necessary standard.

BAAs must be in place before PHI can be shared with the business associate. The Health Plan BAAs are maintained by the Contracts Office. For information regarding subsidiary BAAs, contact the Privacy Office.

Identity Verification


In all situations, and before disclosing information, it is important to verify the identity of the person to whom you are disclosing PHI and when applicable, ensure that the Plan has a valid PHI authorization on file*.

* If you do not know how to verify identity, or confirm that a current, valid authorization is on file, consult with your management.

Related Corporate Policies:
• Authorization to Disclose PHI (CP1080)
• Personal Representative (CP1230)
• Identity Verification (CP1220)
• Use, Disclosure and Safeguard of PHI (CP1320)

Verifying identity, also known as authentication, occurs when you ask an individual a series of questions to ensure that he/she is who he/she claims to be. For example, you might ask a caller to verify his/her name, address and date of birth before disclosing PHI. If the individual presents in person, you could ask the same questions or ask for a picture ID.

Especially tricky are situations where individuals share the same name and same date of birth. If you come across unusual situations such as this, contact the Privacy Office; there are additional steps the Plan can take to safeguard PHI.


Disposal of PHI (CP1310)

Most of us use PHI on a daily basis. All paper documents must be disposed of in the proper bins. Documents containing protected or confidential proprietary information must be placed in locked recycle bins for shredding in order to safeguard against unauthorized access.

PHI should never be placed in recycle bins that are not locked.

Computer media (disks, tapes, hard drives, microfilm, copy machines, etc.) containing protected or confidential data must be wiped clean of data or physically destroyed.


Unauthorized Disclosures

A breach is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security and/or privacy of the PHI. Examples of potential breaches may include, but are not limited to, PHI that:

• is stolen, lost or misrouted
• includes social security number or other identifying number
• is disclosed to an unintended/unauthorized recipient such as enrollment information, test results, or explanation of benefits
• was improperly disposed of
• was emailed without being secured (“zixit” at the end of the subject line) or sent to the incorrect email address
• was accessed without a job-related “need-to-know”


Related Corporate Policies:
• Breach Notification (CP1330)
• Workforce Use, Access and Disclosure of PHI (CP1340)

Along with civil and criminal penalties that could be imposed, a breach can damage the Corporation’s public image and trust. If an unauthorized disclosure occurs, it must be reported to the Privacy Office immediately upon discovery.

It is imperative that known or suspected breaches be reported immediately in order to comply with required notification timelines that may apply. The Privacy Office will investigate the unauthorized disclosure, including the completion of a risk assessment, to determine the proper course of action. The Privacy Office will provide guidance related to the necessary and compliant action to mitigate a known or suspected breach.


Unauthorized Disclosures


An unauthorized disclosure can be reported to the Corporate Privacy Office using the Accounting of Disclosure form on Fingertips, or for urgent situations, by email ([email protected]), by calling the Privacy Office Hotline (1-866-584-2313) or by contacting the Divisional or Corporate Privacy Officer (listed in the next slide).

Reporting Unauthorized Disclosures

When reporting to the Privacy Office, it is important to have as much information as possible, but do not delay in reporting if you do not have it. To aid in the investigation, it is helpful to know:

• What was disclosed (specific data elements)
• Why information was disclosed (e.g. human error, system issue, misrouted)
• How you discovered the issue
• Where the information is now (returned, destroyed, etc.)
• When the disclosure occurred

If you have taken any corrective action, that also should be included.

Contacting Privacy Officers

The Corporate and Division Privacy Officers are listed below. For the most up-to-date listing, consult your supervisor or the Corporate Compliance home page on Fingertips.

Name | Region | Contact
Kelly Wheeless | Lifetime Healthcare Companies, Excellus Health Plan | Phone: (315) 671-7064
Robyn Shaffer | Lifetime Care | Phone: (585) 214-1567
Susan Fenimore | SSA | Phone: (800) 322-3920, x214
Angela Hoteling-Rodriguez | MedAmerica LTC | Phone: (585) 327-6537
Elaine Vanderland | Lifetime Health Medical Group | Phone: (716) 453-7176
Suzanne Budd | EBS-RMSCO | Phone: (315) 448-9260


You can also email the Corporate Privacy Officer at:

[email protected]

Individual Rights

The Privacy Rule provides for a number of individual rights including, but not limited to:

Right to Access (CP1030):

An individual has the right to access the health information used to make a decision about that individual. This is referred to as a “Designated Record Set” (DRS). If an individual wishes to access his/her complete DRS, a request must be submitted in writing and is reviewed by the Privacy Office or designee. Partial requests, such as demographic information or medical notes, are handled by the applicable business area.

As part of the recently published Omnibus Final Rule, additional provisions will be implemented related to electronic health records.

For information on how to request a full or partial DRS, refer to departmental procedures. Denial of a full DRS must be approved by the Privacy Office.


Individual Rights

Right to Amend (CP1060):

Individuals have the right to request an amendment or corrections to their DRS if the information is incomplete or inaccurate. Under certain circumstances, the Corporation may deny the amendment. In most situations, the amendment is handled as standard operating procedure.

Right to Request a Restriction (CP1160):

Individuals may request restrictions on how their information is used, shared or disclosed for treatment, payment or healthcare operations. However, because a restriction on further use or disclosure may prevent the Plan from conducting business related to treatment, payment or healthcare operations, the Plan is not required to honor an individual’s request.

Examples of when the plan may honor a restriction on further use or disclosure involve a patient’s right to request that a provider of care not disclose information regarding a particular treatment to a health insurance carrier. In this situation, the patient must pay in full for services rendered.


Individual Rights

Right to an Accounting of Disclosures (CP1040):

Individuals may request information related to how their health information was used and shared (other than disclosures made for treatment, payment and healthcare operations or to someone the Plan has been authorized to disclose). The request for an Accounting of Disclosure must be submitted in writing and is handled by the Privacy Office or designee.

In order for the Plan to track disclosures, it is important that you report unauthorized or certain permissible disclosures (such as fraud investigations or court-ordered disclosures) to the Privacy Office. This is done by completing an Accounting of Disclosure form that can be found on the Corporate Compliance Intranet page or by contacting the Privacy Office. More information on what must be reported and instruction on how to complete the form can be found on the Corporate Compliance/Privacy & Confidentiality webpage of Fingertips.

Disclosures containing PHI that must be reported to the Privacy Office include, but are not limited to, mail/email sent to an incorrect recipient, document loss or theft, subpoenas or court-orders, special investigations and disclosures to individuals without a valid authorization form on file.


Individual Rights

Right to Confidential Communication (CP1050):

This allows an individual to request that the Plan communicate with him/her through alternative locations when the individual believes it would be harmful to communicate with him/her using the normal means. The Plan may request the individual complete a confidential communication request form that includes a clear statement that disclosure of all or part of the PHI could endanger the individual if not communicated by an alternative means.

The Plan may see these requests with the mailing of Explanation of Benefits, calls for appointment reminders, etc.


Workforce Compliance and Mitigation (CP1180)

Anyone who violates the privacy policies and procedures is subject to disciplinary action up to and including termination of employment. Anyone who suspects a violation of the privacy policies or procedures must report the suspicion to the Corporate Privacy Office.

With the enactment of HITECH, civil and criminal action can be pursued by the Department of Health and Human Services, as well as State Attorneys General. Violations of privacy laws and regulations could result in civil and criminal fines and penalties.


Thank you!!!!

You have completed this course.

 

Contractor Privacy Training Test Questions

1. Email messages containing PHI must be manually encrypted using “zixit” when: 

A. Sent from the copy machine 

B. Sending an email to a group 

C. Sending an email to a provider 

D. All of the above 

 

2. Complete the statement so that it is true. 

Identity Verification______________ 

A. is not required when the caller is the subscriber 

B. is the same as checking for an authorization 

C. is a process to confirm that the caller is who they say they are 

D. must only be done when a group leader calls 

 

3. True or false ‐ All business relationships that require the access to, use or disclosure of our member PHI must have a Business Associate Agreement, or in some cases a confidentiality agreement, in place.   

True 

False 

 

4. Identify the violation in this scenario.   

I am an employee and recently attended a training session to learn a new software program on the computer system.  After training, I went into my own file so that I could practice.  While in there, I noticed my address was incorrect so I changed it.  I wanted to make sure that all of my medical information was going to be sent to the correct address, so I checked my medical records and claims to make sure they had the correct address, which they did.    

 

A. Using your own file for practice 

B. Changing the address 

C. Viewing medical records and claims 

D. All of the above 

 

5. Identify the best course of action in the following scenario. 

A call is received indicating that a regulatory agency has received the incorrect medical records for a case they are reviewing.  It is discovered that the employee that fulfilled the request sent medical records for a different individual.  You would: 

A. Apologize, send the correct records and document the call 

B. Advise the agency that the correct records will be faxed and then notify the member whose information was disclosed in error 

C. Send the correct records, ask for the return of the incorrect records, and then notify the Privacy Office 

D. Ask the regulatory agency to return the records and once received, the correct records will be sent 

 

6. An individual contacts us and asks for a copy of their medical records.  You: 

A. Tell them that the records are confidential and we cannot send them 

B. Copy the records; have the content reviewed and approved, then send them 

C. Obtain a copy of the records but white out most information because it is confidential, protected health information  

D. Send them a copy of the medical records and everything else we have on file 

 

7. Identify the best course of action in the following scenario. 

An individual calls and indicates they have not received any correspondence from us at all and is wondering why.  Part of the process is to verify the individual’s address, at which time you realize that the address is incorrect.  What would you do? 

 

A. Change the address   

B. Ask the individual to submit an address change request  

C. Change the address, resend correspondence mailed during the time period in question and submit an Accounting of Disclosure form to the Privacy Office 

D. None of the above 

 

8. Mary is an employee that runs reports to monitor usage and services.  Mary shares the reports with other employees.  She received a specific request to include individuals with HIV‐related services.   Can Mary provide that report to the requestor? 

No.  Mary must remove all HIV‐related information before she can share the report with other employees. 

Yes.  Mary may share the HIV‐related information with others if the need‐to‐know protocols authorize them to access HIV‐related information and they reasonably need that information in order to perform their job‐related duties. 

 

9. True or false ‐ As long as we are meeting all of the requirements set by the HIPAA Privacy Regulations, there is nothing else we need to be concerned with regarding privacy and confidentiality. 

True 

False 

 

10. You are asked for a document that explains our procedures on how we protect member/patient privacy.  What is the best response? 

A. Advise the inquirer to contact the Privacy Office and give them the telephone number 

B. Send a letter explaining how we authenticate individuals asking for information, require authorizations and limit access to our processing systems 

C. Send a copy of the Notice of Privacy Practices 

D. Refer the caller to our web site 

 

Information Security Training

Presented by Corporate Data Security and

Office of Corporate Ethics & Compliance

Introduction

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to establish a national set of standards or rules for:

• Privacy
• Transactions and Code Sets
• Identifiers
• Security

This training program incorporates many other state and federal laws and regulations that address privacy and security in addition to HIPAA.

This training:
• Provides an overview of Transactions and Code Sets
• Explains Identifiers
• Provides important information regarding the Final Security Rule and Corporate Data Security


Transactions & Code Sets


Transactions

National standards for electronic healthcare transactions are required under HIPAA.

The term “transaction” refers to the electronic exchange of information for the purpose of carrying out financial or administrative activities related to healthcare. The intent for this standard is to simplify the process, reduce administrative costs and improve efficiency. All healthcare providers who engage in any of the identified electronic transactions must comply with the standard.

Examples of electronic healthcare “transactions” include:
• Submission of healthcare claims or encounter information
• Healthcare payment and remittance advice by a health plan
• Coordination of benefits, including the transmission of payment information between payers with different payment responsibilities
• Referral certification and authorization
• Exchange of information regarding eligibility, coverage and benefits under a subscriber’s policy


Code Sets

Medical data code sets are required for diagnoses, procedures and drugs. Specific code sets have been adopted under HIPAA standards including the ICD-9/ICD-10 and CPT-4 codes. Other code sets that have been adopted include those associated with claims for medical supplies, dental care and drugs.

For personnel whose positions require more detailed information related to this topic, additional training materials are available through your manager.


Identifiers


Identifiers

The final rule for a standard unique employer identifier was published in the Federal Register. This rule requires specified entities to have standard national numbers that identify them on standard transactions. The Employer Identification Number (EIN), issued by the Internal Revenue Service (IRS), was selected as the identifier for employers.

Health plans, healthcare clearinghouses and healthcare providers must use this identifier in connection with certain electronic transactions. The use of this identifier will improve the effectiveness and efficiency of the healthcare industry in general by simplifying the administration of the system and enabling the efficient electronic transmission of certain health information.

For personnel whose positions require more detailed information related to this topic, additional training materials are available through your manager.


Information Security


Information Security

Information Security is the protection of information from unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional and whether in storage, processing or transit.

Information resources include data, processes, equipment, technology and the people involved in making the best use of the information. Every end user is responsible for securing protected and/or sensitive information and data.


Information Security

Information assets include, but are not limited to:

• Desktop PCs
• Laptops
• Mobile Devices
– Smart phones
– Cell phones
– PDAs
– etc.
• Media & Storage devices
– CDs
– Diskettes
– USB (thumb) drives
– Printed output
– Electronic data

Information Security

Notify the Corporate IT Help Desk and your supervisor immediately upon:
• The loss, suspected loss or theft of a portable computing device, including, but not limited to, laptops, PDAs, smart phones, cell phones, USB storage devices and other external drives.

Notify Corporate Data Security when you experience:
• The loss, suspected loss or disclosure of sensitive company information to unauthorized parties.
• The occurrence or suspected occurrence of unauthorized access or use of corporate information systems.
• The loss, suspected loss, theft or disclosure of passwords or other system access control mechanisms.
• The occurrence or suspected occurrence of copies being made without the appropriate license or approval by the copyright holder/software manufacturer.

Mobile Device Security

A mobile device can be defined as a hand-held computing device, typically having a display screen with touch input and/or a miniature keyboard. Mobile devices include, but are not limited to:

• Laptops
• Smart phones (e.g. iPhone, Blackberry, Palm)
• Cell phones
• Personal Digital Assistants (PDAs)
• Tablet PCs (e.g. iPad)
• Removable media
• Any other portable device capable of storing data

Mobile Device Security

These devices are used for electronic communications. Electronic communications shall be defined as the transmission of information via e-mail, blog, wiki, instant messaging and text messaging.

As defined in the Acceptable Computer Usage policy, users must also comply with all security and privacy measures defined by the Corporation. Users must refrain from disclosing internal and confidential information in their possession without first obtaining permission from the Data Owner.

As defined in the Corporate Mobile Device Standard:
• All mobile devices containing internal or confidential corporate data must use an approved method of encryption to protect the data
• The use of SMS / “Texting” to send internal or confidential data is prohibited
• Storing corporate data on non-corporate smart phones is expressly prohibited

Laptop Security

Laptops, Netbooks and PDAs are easily lost or stolen. This puts the information stored on them at an increased risk of being compromised. These devices are a primary target for thieves, who steal them for resale or to obtain the information stored on them. If your mobile device is lost or stolen, sensitive business information could be exposed.

The average business laptop is thought to contain information worth over $500,000. Therefore, as the users of these devices, you are the first line of defense when it comes to ensuring they are properly protected.

If your laptop is stolen, it must be reported to the Help Desk immediately. Although all electronic devices are required to be encrypted, they must be disabled if stolen and the incident researched by Corporate Data Security and/or the Corporate Privacy Office.


Laptop Security: In the Office

Lock it Up
• If you are using a docking station, use the lock if you must leave a laptop unattended. Laptops are frequently stolen within office environments.
• When leaving your laptop unattended, be sure to use the password lock by pressing the CTRL, ALT and DELETE keys simultaneously.
• When leaving the office, lock up the device in a secure location.

Backup
• Ensure all critical information stored on laptops or mobile devices is backed up to a corporate network share drive, guaranteeing information recovery in the event of device loss, theft or hardware failure.
• Only store information that is needed.

Bag and No Tag
• Bags should not display visible markings or labeling, such as business cards or company logos, as this provides clues to the value of the contents or information inside.
• Do not leave written-down usernames or passwords, or your business VPN access token, in the same bag as your laptop, as this could provide unauthorized access to information.
• Ensure all zippers and pockets are closed, and consider using small padlocks or cable ties to secure them. This will help ensure no one can take anything out, or put anything in, without you noticing.

Laptop Security: When Traveling or Working Remotely

Public Places
• Avoid working on sensitive information in public, or sit with your back to a wall and/or use a laptop privacy screen. This prevents ‘shoulder surfing’, ensuring no one can view sensitive information displayed on screen.
• Avoid conducting sensitive phone calls in crowded public areas where everyone can hear your conversation.
• Look out for your devices in distracting situations, such as checking out of a hotel or buying a coffee with your credit card. Try not to lose contact with your laptop bag during these times and never leave your laptop or mobile devices unattended, even for a short while.

Car Travel
• Never leave your laptop or other mobile devices in full view on the seat of a car, as this makes them a tempting target for thieves.
• Always lock them out of sight, in the trunk. For extra security, remove the laptop when leaving your car.
• If you are leaving your laptop or mobile devices in your car, place them in the trunk before reaching your destination, so that no one sees you doing it when you park.

Laptop Security: When Traveling or Working Remotely (cont.)

Hotel Accommodations
• Do not leave your laptop or mobile devices unsecured in your hotel room, as hotel rooms are not safe places at all. Remember you are not the only person with a key to your room.
• If you must leave them unattended in your room, always store them inside the room safe. If there is no room safe, lock your laptop out of sight using a cable lock if possible.
• Never leave laptops or other mobile devices with hotel personnel or the concierge.

Airplane Travel
• Never check laptops or mobile devices with your luggage, as they will likely get damaged and may be stolen. Always ensure they remain in your carry-on baggage.
• While at the airport, keep an eye on your devices. Avoid putting your laptop bag on the floor and, if you do, hold it between or rest it against your legs to remain consciously aware of it at all times.
• When on a plane, avoid placing laptops or mobile devices in the overhead bin, where there is the potential for them to be damaged or stolen, especially when the aircraft is full. Instead, keep them under the seat in front of you.

Acceptable Usage (IT1060)

Know What is Acceptable

Familiarize yourself with the corporate “Acceptable Computer Usage” policy. This policy provides governance regarding the appropriate and acceptable use of corporate computing resources. This includes, but is not limited to, the use of email, blogs, forums and other social media, the Internet, workstations (desktop or laptop computers), smartphones, cellphones, Personal Digital Assistants (PDAs), etc. This policy is designed to protect both you and the corporation.

Acceptable Usage: Email

You may not use the corporate email system to share personal photos, movies, or other sizeable information. Occasional and incidental personal use of email is permitted, as noted in Corporate Policy IT1060 (Acceptable Computer Usage), provided it does not interfere with an individual’s work or company operations and does not violate any company policies, practices, or other directives.

Acceptable Usage: Email Encryption

An email sent without encryption is like sending a postcard; it can be read by anyone along the way to its destination. An email sent with encryption is like sending a letter inside a sealed envelope; it can only be opened and read by the recipient. Internal and confidential data sent outside of the corporate network must be encrypted.

Important Note: Email Subject Line contents cannot be encrypted; therefore Internal and Confidential Data must be limited to the body of the email. Refer to Encryption Policy (IT1070) for further details.

In some circumstances, there is no sender interaction to encrypt email; this process is completely automated. However, to ensure the security of email, you should always manually encrypt email that contains PHI, including in attachments. If you want to initiate encryption, regardless of content, you can use a special keyword at the end of the subject line of your email, and it will be automatically encrypted. The Keyword is: ZIXIT

To learn more about secure messaging visit: http://userawareness.zixcorp.com/excellus/securemessaging.php
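The two rules on this slide (nothing confidential in the subject line, since it is never encrypted; the ZIXIT keyword at the end of the subject forces encryption of an outbound message) can be turned into a pre-send check. The Python below is an added example and not the Plan's or ZixCorp's code; the corporate domain, the identifier patterns and the PHI indicator words are constructed assumptions for illustration.

```python
import re

# Added example, not the Plan's or ZixCorp's code. The domain is a placeholder.
CORP_DOMAIN = "example-plan.test"
ENCRYPT_KEYWORD = "ZIXIT"  # training keyword, placed at the END of the subject

# Constructed identifier patterns. The hyphen class also accepts U+2010, the
# hyphen that appears in subjects copied from documents.
SSN_RE = re.compile(r"\b\d{3}[-\u2010]\d{2}[-\u2010]\d{4}\b")
ACCOUNT_RE = re.compile(r"#\s?\d{6,}\b")
# Constructed indicator words; a body containing any of them is treated as PHI.
PHI_WORDS = ("claim", "account", "member", "diagnosis", "oncology")


def has_identifier(text: str) -> bool:
    """True if the text carries an SSN-style or account-style identifier."""
    return bool(SSN_RE.search(text) or ACCOUNT_RE.search(text))


def body_has_phi(body: str) -> bool:
    low = body.lower()
    return has_identifier(body) or any(w in low for w in PHI_WORDS)


def keyword_at_end(subject: str) -> bool:
    """The training places the keyword at the end of the subject line."""
    return subject.rstrip().upper().endswith(ENCRYPT_KEYWORD)


def is_external(recipients) -> bool:
    """Any recipient outside the corporate domain makes the message external."""
    return any(not r.lower().endswith("@" + CORP_DOMAIN) for r in recipients)


def audit_message(subject: str, body: str, recipients) -> list:
    """Return policy findings for one outbound message; an empty list passes."""
    findings = []
    if has_identifier(subject):
        # Subject lines are never encrypted, so an identifier there leaks
        # regardless of how the body is handled.
        findings.append("identifier_in_subject")
    if body_has_phi(body) and is_external(recipients) and not keyword_at_end(subject):
        findings.append("phi_body_without_encryption_keyword")
    return findings


def remediate_subject(subject: str) -> str:
    """Redact identifier patterns from the subject and append the keyword (names still need review)."""
    cleaned = ACCOUNT_RE.sub("#[REDACTED]", SSN_RE.sub("[REDACTED]", subject))
    if not keyword_at_end(cleaned):
        cleaned = cleaned.rstrip() + " " + ENCRYPT_KEYWORD
    return cleaned
```

Run against the message in test question 5, the audit reports both the identifier in the subject and the missing keyword; after remediation only the member name remains for a human to remove.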

Computer User Access

Computer users typically have access to a variety of systems and applications based on their job responsibilities. This access will need to be suspended or removed upon change in status notification.

Currently, in accordance with our Corporate Standard, when a user has a status change resulting in new job responsibilities, all of that person’s access except Lotus Notes and the Network Logon is removed on the effective date of the status change.

Managers will need to prepare in advance to ensure that adequate transition has occurred. If additional security access is required for the new job responsibilities, the manager will need to request the applicable access.


Corporate Security Policies and Standards

To assist you in understanding and carrying out your role in protecting Lifetime Healthcare Companies’ information, the Plan has developed security policies, procedures and standards. By following these guidelines, you will contribute to the protection and integrity of data within our business systems, network and computing facilities.

One policy to be familiar with is Data Security (IT1010). This policy defines the basic principles of The Lifetime Healthcare Companies’ data security program and associated security policies that provide reasonable and effective controls for protecting corporate resources including, but not limited to, data and systems. The policy will assist you in understanding the policies, standards and controls that:

• Serve to safeguard corporate assets approved by the Corporation
• Comply with statutory and regulatory mandates
• Support the corporate objectives
• Protect the confidentiality, integrity and availability of corporate data

Corporate Security Policies

The following is a list of all approved Corporate Data Security Policies:

• IT1010 Data Security
• IT1020 Computing Equipment Re-use and Disposal
• IT1030 Data Backup
• IT1050 Disaster Recovery & Business Continuity
• IT1060 Acceptable Computer Usage
• IT1070 Encryption
• IT1100 Remote Access
• IT1110 Security Monitoring
• IT1130 Computer Virus Control
• IT1140 Wireless Communications
• IT1160 Security Breach
• IT1170 Data Classification
• IT1180 Software Licensing
• IT2010 Change Management
• IT2020 Electronic PHI Risk Assessment

To view these policies visit: http://fingertips/corporate_policies/corporate_policies.shtml

Corporate Security Standards

The following is a list of all approved Corporate Data Security Standards:

Viewable to All
• Access to Data
• Application Security
• Blackberry
• Copier & Printer
• Data Backup
• Data Encryption
• Disaster Recovery Exercises
• Mobile Device
• Remote Access
• Remote Requirements
• Risk Management
• Secure File Transfer
• User & Service Accounts
• Virus Control
• Vulnerability/Patch Management

To view these standards visit: http://fingertips/it2/data_security/security_standards.html

Restricted View
• AIX
• DB2 / IMS
• DMZ Equipment
• High Powered System Authority
• IBM HTTP Server (IHS)
• Internet Information Services (IIS)
• Lotus Notes
• Network Devices
• Oracle Database
• pcAnywhere
• Solaris/Solaris10
• Terminal Services
• UNIX / Linux
• VOIP
• Windows XP/7 Desktop
• Windows 2000/2003/2008 Server
• Websphere Application Server (WAS)
• Wireless Configuration

Violation of Security Policy

Any suspected or confirmed violations of Corporate Policy must be reported to the Corporate Data Security Officer or to the Corporate Data Security department. You may also choose to place an anonymous report to the Security hotline. All suspected violations will be investigated.

Any violation of the Corporate Data Security policies will be met with disciplinary action. Possible penalties include termination of employment or business relationship with the Lifetime Healthcare Companies and/or criminal prosecution.


Corporate Data Security Contact Information

The Corporate Security contact information is listed below. For the most up-to-date listing, consult your supervisor or the departmental web pages on Fingertips.

Corporate Security Officer: Patrick Celeste
Telephone: (800) 840-5113
Email: [email protected]

Security Questions or Concerns
Telephone: (315) 671-6842
Email: [email protected]
Security Hotline: (800) 840-5113

De-Centralized Security Officers
Patrick Celeste, Excellus Health Plan: (585) 339-7978
Brenda Rogers, Lifetime Health Medical Group: (716) 656-4014
John Cauvel, Lifetime Care: (585) 339-5588
Patrick Leone, MedAmerica: (585) 238-4383
Greg Cohen, EBS-RMSCO: (315) 671-9870

Thank you!!!!

You have completed this course.

Contractor Information Security Training Test Questions

1. True or false ‐ Information security only involves protecting computers. 

True 

False 

2. You are in the office. You have your laptop in a conference room for a meeting and it is time for lunch. You should:   

A. You are in the office, so the laptop will be okay until you come back 

B. Take your laptop back to your desk and secure it 

C. Make sure you password-lock your laptop, turn off the lights and close the door

3. True or false ‐ Any suspected or confirmed violations of Corporate Security Policy must be reported to the Corporate Data Security Officer or to the Corporate Data Security department. 

True 

False 


4. You pull into your driveway after a long day’s work and your laptop is in its case on the back seat. What is the best practice?

A. Place it in the trunk so it is not visible 

B. It is in the laptop bag, so it can stay in the back seat until morning 

C. Remove the laptop from the car and take it inside with you 


5. To: [email protected] Cc: [email protected] From: [email protected] Subject: John Smith‐ ID#123‐45‐6789  

John’s claims for account #123456789 for services rendered by the Oncology Unit at the have been processed. What should be done before sending this email?

A. Remove the identifying number from Subject Line 

B. Remove John Smith from Subject Line 

C. Add the words “ZIXIT” at the end of the Subject Line 

D. All of the above 


6. You have recently started selling cooking products in the evenings for additional income. You really want individuals to be aware of your new business and plan on using your company email account and telephone to organize parties and communicate with party hosts regarding supplies needed, orders, and other related details.   These actions are: 

A. Acceptable as long as I don’t include people that don’t like junk email 

B. A violation of the corporate policy 

C. Okay as long as I get management approval 


7. Today is January 1st and John Smith is transferring from Claims to Customer Service on February 1st.    What are the appropriate next steps? 

A. New access should be given to John now, so he can learn his new job and finish working on his current job 

B. Access request should be submitted by the new manager to have new access granted on February 1st 

C. Nothing, everything can be sorted out after John transfers 


8. May employees use the corporate email system to share personal photos, movies, or other sizeable information?   

Yes 

No 


9. True or false ‐ Medical data code sets are required for diagnoses, procedures and drugs. Specific code sets have been adopted under HIPAA standards including the ICD‐9/ICD‐10 and CPT‐4 codes.   

True 

False 


10. Which of the following is NOT correct? 

A. All mobile devices containing internal or confidential corporate data must use an approved method of encryption to protect the data 

B. Storing corporate data on non‐corporate smart phones is expressly prohibited 

C. The use of SMS / “Texting” to send internal or confidential data is prohibited 

D. These are all correct