Medicare Parts C & D General Compliance Training
Developed by the Centers for Medicare & Medicaid Services*
*Health plan specific information added with permission from CMS.
Important Notice
The Health Plan is a Medicare Part C & D Sponsor.
All contractors of Part C & D Sponsors who provide health or administrative services to Medicare enrollees must satisfy general compliance training requirements in accordance with Compliance Program regulations at 42 C.F.R. §§ 422.503(b)(4)(vi) and 423.504(b)(4)(vi) and in Section 50.3 of the Compliance Program Guidelines found in Chapter 9 of the Medicare Prescription Drug Benefit Manual and Chapter 21 of the Medicare Managed Care Manual.
Completion of this training module satisfies the 2013 annual requirement for Medicare Parts C & D General Compliance Training.
Why Do I Need Training?
Compliance is EVERYONE’S responsibility!
As an individual who provides health or administrative services for Medicare enrollees, every action you take potentially affects Medicare enrollees, the Medicare program, or the Medicare trust fund.
Where Do I Fit In?
Health or administrative services to a Part C or Part D enrollee are provided by either a:
• Part C or D Sponsor Employee
• First Tier Entity
– Examples: PBM, a Claims Processing Company, contracted Sales Agent
• Downstream Entity
– Example: Pharmacy
• Related Entity
– Example: Entity that has a common ownership or control of a Part C/D Sponsor
The Health Plan is a Part C & D Sponsor.
Training Objectives
• To understand the organization’s commitment to ethical business behavior
• To understand how a compliance program operates
• To gain awareness of how compliance violations should be reported
Background
• CMS requires Medicare Advantage, Medicare Advantage‐Prescription Drug, and Prescription Drug Plan Sponsors (“Sponsors”) to implement an effective compliance program.
• An effective compliance program should:
– Articulate and demonstrate an organization’s commitment to legal and ethical conduct
– Provide guidance on how to handle compliance questions and concerns
– Provide guidance on how to identify and report compliance violations
Compliance
A culture of compliance within an organization:
• Prevents noncompliance
• Detects noncompliance
• Corrects noncompliance
Compliance Program Requirements
At a minimum, a compliance program must include the 7 core requirements:
1. Written Policies, Procedures and Standards of Conduct;
2. Compliance Officer, Compliance Committee and High Level Oversight;
3. Effective Training and Education;
4. Effective Lines of Communication;
5. Well Publicized Disciplinary Standards;
6. Effective System for Routine Monitoring and Identification of Compliance Risks; and
7. Procedures and System for Prompt Response to Compliance Issues
42 C.F.R. §§ 422.503(b)(4)(vi) and 423.504(b)(4)(vi); Internet‐Only Manual (“IOM”), Pub. 100‐16, Medicare Managed Care Manual Chapter 21; IOM, Pub. 100‐18, Medicare Prescription Drug Benefit Manual Chapter 9
Compliance Officer
As Requirement Two states, Plans must have a Medicare Compliance Officer.
The Medicare Compliance Officer is Jill Salerno.
Jill can be reached at:
165 Court St., Rochester, NY 14647
(585) 399‐6645
or via the Ethics & Compliance Hotline
(800) 275‐0170
Compliance Training
• CMS expects that all Sponsors will apply their training requirements and “effective lines of communication” to the entities with which they partner.
• Having “effective lines of communication” means that employees of the organization and the partnering entities have several avenues through which to report compliance concerns.
Ethics – Do the Right Thing!
• Act Fairly and Honestly
• Comply with the letter and spirit of the law
• Adhere to high ethical standards in all that you do
• Report suspected violations
As a part of the Medicare program, it is important that you conduct yourself in an ethical and legal manner. It’s about doing the right thing!
How Do I Know What is Expected of Me?
Know the Code!
The Code of Business Conduct states compliance expectations and the principles and values by which the organization operates.
Everyone is required to report violations of our Code of Conduct and suspected noncompliance.
The Code of Conduct and Policies and Procedures identify this obligation and tell you how to report.
What Is Noncompliance?
Noncompliance is conduct that does not conform to the law, and Federal health care program requirements, or to our ethical and business policies.
Medicare Parts C & D High Risk Areas*
• Appeals and Grievance Review
• Claims Processing
• Marketing and Enrollment
• Agent / Broker
• Formulary Administration
• Quality of Care
• Beneficiary Notices
• Documentation Requirements
• Credentialing
• Ethics
• HIPAA
• Conflicts of Interest
*For more information, see the Medicare Managed Care Manual and the Medicare Prescription Drug Benefit Manual at www.cms.gov.
Noncompliance Harms Enrollees
Without programs to prevent, detect and correct noncompliance there are:
• Delayed services
• Difficulty in using providers of choice
• Hurdles to care
• Denial of Benefits
Noncompliance Costs Money
Non Compliance affects EVERYBODY!
Without programs to prevent, detect and correct noncompliance we risk:
• Higher Premiums
• Lower benefits for individuals and employers
• Higher Insurance Copayments
• Lower Star ratings
• Exclusion from Federal Health Care programs
I’m Afraid to Report Noncompliance
There can be NO retaliation against you for reporting suspected noncompliance in good faith.
The Plan offers reporting methods that are:
• Anonymous
• Non‐Retaliatory
• Confidential
How Can I Report Potential Noncompliance?
• Contact the Medicare Compliance Officer
• Call the Ethics & Compliance Hot Line 800‐ASK‐0170
• Send a message to the Ethics & Compliance email box in Lotus Notes
• Call the Special Investigations Unit to report Fraud, Waste and Abuse
• Talk to your Manager or Supervisor
• First tier, downstream, and related entities (FDR) can call the Ethics & Compliance Hot Line, speak to a Manager or Supervisor or contact the sponsor (Health Plan)
• Beneficiaries of all lines of business can call the Ethics & Compliance Hot Line
• Medicare beneficiaries can also call 800‐Medicare
Correcting Noncompliance
• Avoids the recurrence of the same noncompliance
• Promotes efficiency and effective internal controls
• Protects enrollees
• Ensures ongoing compliance with CMS requirements
What Happens Next?
After noncompliance has been detected…
It must be investigated immediately…
And then promptly correct any noncompliance.
How Do I Know the Noncompliance Won’t Happen Again?
• Once noncompliance is detected and corrected, an ongoing evaluation process is critical to ensure the noncompliance does not recur.
• Monitoring activities are regular reviews which confirm ongoing compliance and ensure that corrective actions are undertaken and effective.
• Auditing is a formal review of compliance with a particular set of standards (e.g., policies and procedures, laws and regulations) used as base measures.
(Cycle diagram: Prevent, Detect, Report, Correct, Monitor/Audit)
Know the Consequences of Noncompliance
Plans are required to have disciplinary standards in place for non‐compliant behavior. Those who engage in non‐compliant behavior may be subject to any of the following:
• Mandatory Training or Re‐Training
• Disciplinary Action
• Termination
Compliance is EVERYONE’S Responsibility!!
PREVENT
• Operate within our organization’s ethical expectations to PREVENT noncompliance!
DETECT & REPORT
• If you DETECT potential noncompliance, REPORT it!
CORRECT
• CORRECT noncompliance to protect beneficiaries and to save money!
What Governs Compliance?
• Social Security Act:
– Title 18
• Code of Federal Regulations*:
– 42 CFR Parts 422 (Part C) and 423 (Part D)
• CMS Guidance:
– Manuals
– HPMS Memos
• CMS Contracts:
– Private entities apply and contracts are renewed/non‐renewed each year
• Other Sources:
– OIG/DOJ (fraud, waste and abuse (FWA))
– HHS (HIPAA privacy)
• State Laws:
– Licensure
– Financial Solvency
– Sales Agents
* 42 C.F.R. §§ 422.503(b)(4)(vi) and 423.504(b)(4)(vi)
Additional Resources
• For more information on laws governing the Medicare program and Medicare noncompliance, or for additional healthcare compliance resources please see:
– Title XVIII of the Social Security Act
– Medicare Regulations governing Parts C and D (42 C.F.R. §§ 422 and 423)
– Civil False Claims Act (31 U.S.C. §§ 3729‐3733)
– Criminal False Claims Statute (18 U.S.C. §§ 287, 1001)
– Anti‐Kickback Statute (42 U.S.C. § 1320a‐7b(b))
– Stark Statute (Physician Self‐Referral Law) (42 U.S.C. § 1395nn)
– Exclusion entities instruction (42 U.S.C. § 1395w‐27(g)(1)(G))
– The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104‐191) (45 CFR Part 160 and Part 164, Subparts A and E)
– OIG Compliance Program Guidance for the Healthcare Industry: http://oig.hhs.gov/compliance/compliance‐guidance/index.asp
Remember!
Compliance is EVERYONE’S responsibility
There can be NO retaliation against you for reporting suspected noncompliance in good faith.
To report, call the Hotline at (800) ASK‐0170
Contractor Medicare General Compliance Training Test Questions
1. What is conduct that does not conform to the law, and Federal health care program requirements, or to our ethical and business policies?
a. Noncompliance
b. Compliance
c. Ethics
d. None of these
2. What are the benefits of a culture of compliance within an organization?
a. To prevent noncompliance
b. To detect noncompliance
c. To correct noncompliance
d. All of the above
3. Without programs to prevent, detect and correct noncompliance we risk?
a. Higher Star Ratings
b. Lower Premiums
c. Lower Insurance Copayments
d. Exclusion from Federal Health Care programs
4. True or false – We offer reporting methods that are confidential, anonymous and non‐retaliatory?
a. True
b. False
5. At a minimum, a compliance program must include 7 core requirements. Which of the following are core requirements?
a. Effective Training and Education
b. Procedures and System for Prompt Response to Compliance Issues
c. Well Publicized Disciplinary Standards
d. Effective System for Routine Monitoring and Identification of Compliance Risks
e. All of the above
6. You have discovered an unattended email address or fax machine in your office which receives beneficiary appeals requests. You suspect that no one is processing the appeals. What should you do?
a. Contact Law Enforcement
b. Contact your Compliance Department
c. Wait to confirm someone is processing the appeals before taking further action
d. Contact your supervisor
7. A sales agent, employed by one of our first‐tier or downstream entities, has submitted an application for processing and has requested the enrollment date be back‐dated by one month and all monthly premiums for the beneficiary be waived. What should you do?
a. Refuse to change the date or waive the premiums, but decide not to mention the request to a supervisor or the compliance department.
b. Make the requested changes because the sales agent is responsible for determining the beneficiary's start date and monthly premiums.
c. Tell the sales agent you will take care of it, but then process the application properly (without the requested revisions). You will not file a report because you don't want the sales agent to retaliate against you.
d. Process the application properly (without the requested revisions). Inform your supervisor and the compliance officer about the sales agent's request.
8. Last month, while reviewing a monthly report from CMS, you identified multiple enrollees for which we are being paid, who are not enrolled in our plan. You spoke to your supervisor, Tom, who said not to worry about it. This month, you have identified the same enrollees on the report again. What do you do?
a. Decide not to worry about it as your supervisor, Tom, had instructed. You notified him last month and now it’s his responsibility.
b. Although you have seen notices about our non‐retaliation policy, you are still nervous about reporting. To be safe, you submit a report through your Compliance Department’s anonymous tip line so that you cannot be identified.
c. Contact law enforcement and CMS to report the discrepancy.
d. Ask Tom about the discrepancies again.
9. True or false – As a Part C & D Sponsor, we are required to have a compliance committee to oversee our compliance program; however, the hiring or appointment of a compliance officer is optional.
a. True
b. False
10. TRUE OR FALSE: If we subcontract with downstream entities for the performance of services, the downstream entity is ultimately responsible for complying with all CMS requirements.
a. True
b. False
Fraud, Waste and Abuse Training
Developed by the Centers for Medicare & Medicaid Services*
*Health plan specific information added with permission from CMS.
Important Notice
The Health Plan is a Medicare Part C & D Sponsor.
All Part C & D Sponsor employees must satisfy Fraud, Waste and Abuse training requirements.
Completion of this training module satisfies the 2013 annual requirement for Fraud, Waste and Abuse Training.
Why Do I Need Training?
Every year millions of dollars are improperly spent because of fraud, waste and abuse. It affects everyone.
Including YOU.
This training will help you detect, correct and prevent fraud, waste and abuse.
YOU are part of the solution.
Objectives
• Meet the regulatory requirement for training and education
• Provide information on the scope of fraud, waste and abuse
• Explain everyone’s obligation to detect, prevent and correct fraud, waste and abuse
• Provide information on how to report fraud, waste and abuse
• Provide information on laws pertaining to fraud, waste and abuse
Requirements
The Social Security Act and CMS regulations and guidance govern the Medicare program, including parts C and D.
• Part C and Part D sponsors must have an effective compliance program which includes measures to prevent, detect and correct Medicare non‐compliance as well as measures to prevent, detect and correct fraud, waste and abuse.
• Sponsors must have effective training for employees, managers and directors, as well as their first tier, downstream and related entities (FDRs).
42 C.F.R. §422.503 and 42 C.F.R. §423.504
Where Do I Fit In?
Health or administrative services to a Part C or Part D enrollee are provided by either a:
• Part C or D Sponsor Employee
• First Tier Entity
– Examples: PBM, a Claims Processing Company, contracted Sales Agent
• Downstream Entity
– Example: Pharmacy
• Related Entity
– Example: Entity that has a common ownership or control of a Part C/D Sponsor
What are my responsibilities?
You are a vital part of the effort to prevent, detect and report Medicare non‐compliance as well as possible fraud, waste and abuse.
• FIRST you are required to comply with all applicable statutory, regulatory and other Part C or Part D requirements, including adopting and implementing an effective compliance program.
• SECOND you have a duty to the Medicare Program to report any violations of laws that you may be aware of.
• THIRD you have a duty to follow our organization’s Code of Conduct that articulates your and our organization’s commitment to standards of conduct and ethical rules of behavior.
An Effective Compliance Program
• Is essential to prevent, detect and correct Medicare non‐compliance as well as fraud, waste and abuse.
• Must, at a minimum, include the 7 core compliance program requirements.
42 C.F.R. §422.503 and 42 C.F.R. §423.504
How Do I Prevent Fraud, Waste and Abuse?
• Make sure you are up to date with laws, regulations, policies
• Ensure you coordinate with other payers
• Ensure data/billing is both accurate and timely
• Verify information provided to you
• Be on the lookout for suspicious activity
Policies and Procedures
Every sponsor, first tier, downstream and related entity must have policies and procedures in place to address fraud, waste and abuse. These procedures should assist you in detecting, correcting, and preventing fraud, waste and abuse.
Make sure you are familiar with the policies and procedures (P&Ps).
Our Policies and Procedures
P&Ps are housed in and are available on Compliance homepage on the Intranet.
Medicare P&Ps are available on the Medicare Compliance homepage on the Intranet.
To the right is a screen shot of some of the Medicare Compliance P&Ps.
Understanding Fraud, Waste and Abuse
In order to detect fraud, waste and abuse you need to know the Law.
Criminal FRAUD
Knowingly and willfully executing, or attempting to execute, a scheme or artifice to defraud any health care benefit program; or to obtain, by means of false or fraudulent pretenses, representations, or promises, any of the money or property owned by, or under the custody or control of, any health care benefit program.
18 United States Code §1347
What Does That Mean?
Intentionally submitting false information to the government or a government contractor in order to get money or a benefit.
Waste and Abuse
Waste: overutilization of services, or other practices that, directly or indirectly, result in unnecessary costs to the Medicare Program. Waste is generally not considered to be caused by criminally negligent actions but rather the misuse of resources.
Abuse: includes actions that may, directly or indirectly, result in unnecessary costs to the Medicare Program. Abuse involves payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment.
Differences Between Fraud, Waste and Abuse
There are differences between fraud, waste and abuse.
One of the primary differences is intent and knowledge.
Fraud requires the person to have an intent to obtain payment and the knowledge that their actions are wrong.
Waste and abuse may involve obtaining an improper payment, but does not require the same intent and knowledge.
Report Fraud, Waste and Abuse
Do not be concerned about whether it is fraud, waste or abuse. Just report any concerns to our Special Investigations Unit (SIU).
The SIU will investigate and make the proper determination.
Indicators of Potential Fraud, Waste and Abuse
Now that you know what fraud, waste and abuse are, you need to be able to recognize the signs of someone committing fraud, waste or abuse.
The following slides demonstrate prescription drug issues to present examples of potential fraud, waste or abuse.
Each slide provides areas to keep an eye on, depending on your role in our organization.
Key Indicators: Potential Provider Issues
• Does the provider write for diverse drugs or primarily only for controlled substances?
• Are the provider’s prescriptions appropriate for the member’s health condition (medically necessary)?
• Is the provider writing for a higher quantity than medically necessary for the condition?
• Is the provider performing unnecessary services for the member?
Key Indicators: Potential Beneficiary Issues
• Does the prescription look altered or possibly forged?
• Have you filled numerous identical prescriptions for this beneficiary, possibly from different doctors?
• Is the person receiving the service/picking up the prescription the actual beneficiary (identity theft)?
• Is the prescription appropriate based on beneficiary’s other prescriptions?
• Does the beneficiary’s medical history support the services being requested?
Key Indicators: Potential Pharmacy Issues
• Are we being billed for prescriptions that are not filled or picked up?
• Are drugs being diverted (drugs meant for nursing homes, hospice, etc. being sent elsewhere)?
Key Indicators: Potential Sponsor Issues
• Does the sponsor offer cash inducements for beneficiaries to join the plan?
• Does the sponsor lead the beneficiary to believe that the cost of benefits is one price, only for the beneficiary to find out that the actual costs are higher?
• Does the sponsor use unlicensed agents?
• Does the sponsor encourage/support inappropriate risk adjustment submissions?
Reporting Fraud, Waste and Abuse
Everyone is required to report suspected instances of fraud, waste and abuse.
The Code of Conduct clearly states this obligation.
The organization will not tolerate any form of retaliation against anyone who makes a good faith report in accordance with the Code.
Reporting Fraud, Waste and Abuse
Every Part C & D Sponsor is required to have a mechanism in place in which potential fraud, waste or abuse may be reported by employees, first tier, downstream and related entities.
You may report anonymously and you are protected from retaliation!
When in doubt, call the Fraud Hotline (800‐378‐8024) or the Ethics & Compliance Hotline (800‐ASK‐0170).
Reporting Fraud, Waste and Abuse
You may contact the Special Investigations Unit at the following location and numbers:
165 Court St., Rochester, NY 14647
Fraud Hotline: 800‐378‐8024
SIU Regional offices are as follows:
• Univera 877‐800‐0910
• Rochester 800‐378‐8024
• CNY 800‐219‐8943
• Utica 800‐925‐9154
You may also report electronically by clicking on the Fraud & Abuse link at the bottom of the Excellusbcbs.com Home Page
Reporting Fraud, Waste and Abuse
Additionally, you may contact the Chief Compliance Officer and/or the Medicare Compliance Officer at the following location and number:
165 Court St., Rochester, NY 14647
Ethics & Compliance Hotline: 800‐ASK‐0170
Employees may also submit emails to the Corporate Compliance Officer at “Ethics and Compliance” through Lotus Notes.
You may also contact the Corporate Legal Department via e‐tracker on Fingertips.
Correction
Once fraud, waste or abuse has been detected it must be promptly corrected. Correcting the problem saves the government money and ensures we are in compliance with CMS’ requirements.
How Do I Correct Issues?
Once issues have been identified, a plan to correct the issue needs to be developed.
Consult the Medicare Compliance Officer to learn about the process for the corrective action plan development.
The actual plan is going to vary, depending on the specific circumstances.
Laws
The following slides provide very high level information about specific laws. For details about the specific laws, such as safe harbor provisions, consult the applicable statute and regulations concerning the law.
Civil Fraud: Civil False Claims Act
Prohibits:
• Presenting a false claim for payment or approval;
• Making or using a false record or statement in support of a false claim;
• Conspiring to violate the False Claims Act;
• Falsely certifying the type/amount of property to be used by the Government;
• Certifying receipt of property without knowing if it’s true;
• Buying property from an unauthorized Government officer; and
• Knowingly concealing or knowingly and improperly avoiding or decreasing an obligation to pay the Government.
31 United States Code § 3729‐3733
New York State False Claims Act
The New York State False Claims Act only applies to false claims submitted to the Medicaid program, and is very similar to the Federal False Claims Act.
The New York State False Claims Act applies to persons who:
1. Knowingly submit a false or fraudulent claim to an employee, officer, or agent of the government;
2. Knowingly make a false record or statement to get a false claim paid by the state or local government;
3. Knowingly retain money owed to the government;
4. Knowingly make a false record or statement to conceal, avoid or decrease an obligation to pay money to the government; or
5. Conspire to get a false claim paid.
Medicare and Medicaid Program Integrity Statute
In addition to potential liability under the State and Federal False Claims Acts for retaining an overpayment, health plans and providers can also be held liable for a failure to report, explain and return an overpayment to the government within 60 days of identifying it.
This requirement was added as part of the federal health reform initiative.
The requirement to timely report, explain and return an overpayment applies regardless of the reason for the overpayment. Even overpayments resulting from simple billing mistakes must be returned within 60 days.
False Claims Act Damages and Penalties
Violations of the NY State False Claims Act can result in fines ranging from $6,000 to $12,000 per claim, plus three times the amount of damages sustained by the government.
Violations of the Federal False Claims Act can result in civil penalties ranging from $5,500 to $11,000 per claim and up to triple the amount of damages sustained by the government.
In both cases, exclusion from the Medicare and Medicaid program can also result.
Criminal Fraud Penalties
If convicted, the individual shall be fined, imprisoned, or both. If the violations resulted in death, the individual may be imprisoned for any term of years or for life, or both.
18 United States Code §1347
Qui Tam
The False Claims Act includes something called a Qui Tam provision. The Qui Tam provision allows people, also known as "whistleblowers," to hire a lawyer at their own expense and sue anyone they believe has defrauded the government.
The government has the option of joining the suit as a party, which usually only occurs if they conclude the whistleblower has a good case. If the case is won, the “whistleblower” is entitled to a portion of the money recovered.
Protections under the FCA
Just as we discuss in our own Code of Business Conduct, the Qui Tam provision prohibits retaliation against anyone who reports a False Claims Act violation.
The Whistleblower Employee Protection Act prohibits an organization from discharging, demoting, suspending, threatening, harassing or discriminating against any employee because of lawful acts done by the employee, on behalf of the employer, or because the employee testifies or assists in an investigation of the employer.
In addition, the False Claims Act provides a number of possible remedies to employees who are discharged, demoted, harassed, or otherwise discriminated against, because of lawful actions taken under the Act.
Anti‐Kickback Statute
Prohibits:
Knowingly and willfully soliciting, receiving, offering or paying remuneration (including any kickback, bribe, or rebate) for referrals for services that are paid in whole or in part under a federal health care program (which includes the Medicare program).
42 United States Code §1320a‐7b(b)
Penalties:
Fine of up to $25,000, imprisonment up to five (5) years, or both fine and imprisonment.
Stark Statute (Physician Self‐Referral Law)
Prohibits:
A physician from making a referral for certain designated health services to an entity in which the physician (or a member of his or her family) has an ownership/investment interest or with which he or she has a compensation arrangement (exceptions apply).
42 United States Code §1395nn
Penalties:
Medicare claims tainted by an arrangement that does not comply with Stark are not payable. Up to a $15,000 fine for each service provided. Up to a $100,000 fine for entering into an arrangement or scheme.
Exclusion
The Office of the Inspector General, the Office of the Medicaid Inspector General and the General Services Administration publish lists of individuals and companies who are excluded from doing business with the government.
As a Health Plan with Medicare and Medicaid members, we may not employ or contract with individuals or companies that are excluded by these offices. This also applies to our first tier, downstream and related entities. We have a duty to verify, initially and monthly thereafter, that the individuals we hire, and the companies with which we contract, are not on the exclusion lists.
Should an organization do business with an individual or company that it knew, or should have known, was excluded, the organization may face a civil monetary penalty of $10,000 for each claim submitted for any services or items that were furnished during the individual or company’s exclusion, plus triple damages.
42 U.S.C. §1395(e)(1)
42 C.F.R. §1001.1901
Health Insurance Portability and Accountability Act of 1996 (P.L. 104‐191)
Created greater access to health care insurance, protection of privacy of health care data, and promoted standardization and efficiency in the health care industry.
Safeguards to prevent unauthorized access to protected health care information.
As an individual who has access to protected health care information, you are responsible for adhering to HIPAA.
Penalties:
HIPAA civil penalties range from $100 per violation ($25,000 per year maximum) if the person did not know he/she was violating HIPAA to $50,000 per violation ($1,500,000 per year maximum) for violations due to willful neglect. HIPAA criminal penalties may be up to $50,000, with up to one year in prison. Add ‘false pretenses’ to that and the penalties increase up to $100,000, and up to five years in prison. Adding ‘intent to sell’ increases the penalties up to $250,000, with up to 10 years in prison.
Beneficiary Inducement Law
Under the Beneficiary Inducement Law, it is illegal to offer items of value (cash, gift cards, goods and services, etc…), that a person knows (or should know), is likely to influence a potential customer/patient to select a particular provider, pharmacy or supplier.
Violating the Beneficiary Inducement Law may result in fines of up to $10,000 per item or service, plus three times the damages incurred by the government. Violators also face potential exclusion from participation in government programs.
Consequences of Committing Fraud, Waste or Abuse
The following are potential penalties. The actual consequence depends on the violation.
• Civil Money Penalties
• Criminal Conviction/Fines
• Civil Prosecution
• Imprisonment
• Loss of Provider License
• Exclusion from Federal Health Care programs
Remember!
You are a vital part of the effort to prevent, detect and report Medicare non‐compliance as well as possible fraud, waste and abuse.
YOU are part of the solution.
Contractor FWA Training Test Questions
1. True or false ‐ there are no differences between fraud, waste and abuse.
a. True
b. False
2. True or false ‐ Every Part C & D sponsor is required to have a mechanism in place in which fraud, waste and abuse may be reported.
a. True
b. False
3. True or false – CMS may not impose civil penalties for violations of fraud and abuse laws and regulations.
a. True
b. False
4. True or false ‐ Sponsors may not allow employees to report FWA activities anonymously.
a. True
b. False
5. True or false – Fraud, waste and abuse affects you.
a. True
b. False
6. Which of the following involves payment for items or services where there was intent to deceive or misrepresent?
a. Remuneration
b. Abuse
c. Fraud
7. Payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment is an example of _____.
a. Fraud
b. Abuse
c. Waste
d. Remuneration
8. As a Health Plan employee, you are a:
a. Part C or D Sponsor Employee
b. First Tier Entity
c. Downstream Entity
d. Related Entity
9. How can you prevent fraud, waste and abuse?
a. Make sure you are up to date with laws, regulations, policies
b. Verify information provided to you
c. Be on the lookout for suspicious activity
d. All of the above
10. Which of the following is generally not considered to be caused by criminally negligent actions but rather the misuse of resources?
a. Fraud
b. Abuse
c. Waste
d. Underutilization
11. Your job is to submit risk diagnosis to CMS for purposes of payment. As part of this job you are to verify, through a certain process, that the data is accurate. Your immediate supervisor tells you to ignore the sponsor’s process and to adjust/add risk diagnosis codes for certain individuals.
What do you do?
A. Do what is asked by your immediate supervisor
B. Report the incident to the compliance department (via Compliance Hotline or other mechanism)
C. Discuss concerns with immediate supervisor
D. Contact law enforcement
12. Which of the following could prohibit a physician from referring a Medicare patient to a pharmacy with which the physician has a financial relationship?
a. False Claims Act
b. Stark Law
c. Beneficiary Inducement Law
d. Anti‐Kickback Statute
13. You are in charge of payment of claims submitted from providers. You notice a certain diagnostic provider (“Doe Diagnostics”) has requested a substantial payment for a large number of members. Many of these claims are for a certain procedure. You review the same type of procedure for other diagnostic providers and realize that Doe Diagnostics’ claims far exceed any other provider that you reviewed.
What do you do?
A. Call Doe Diagnostics and request additional information for the claims
B. Reject the claims
C. Pay the claims
D. Consult with your immediate supervisor for next steps or contact the compliance department
14. Which law prohibits knowingly and willfully soliciting, receiving, offering or paying remuneration for referrals for services that are paid in whole or in part under a federal health care program (which includes the Medicare and Medicaid programs)?
a. Anti‐Kickback Statute
b. Stark Law
c. HIPAA
d. False Claims Act
15. Dr. Smith has a contract with the local hospital to deliver healthcare services. He refers a lot of his Medicare patients there. If Dr. Smith accepts free office space from the county hospital, what law is he potentially violating?
a. Balanced Budget Act
b. Stark Law
c. False Claims Act
d. Anti‐Kickback Statute
16. True or false – You can find Medicare Policies and Procedures on the Medicare Compliance homepage on the Intranet.
a. True
b. False
17. Which of the following is an indicator of potential fraud, waste and abuse?
a. Are we being billed for prescriptions that are not filled or picked up?
b. Does the sponsor offer cash inducements for beneficiaries to join the plan?
c. Does the provider bill us for services not provided?
d. All of the above
18. Which answer below best answers the question: Who is required to report suspected instances of fraud, waste and abuse?
a. Special Investigations Unit team members
b. The Medicare Compliance Officer
c. Compliance team members
d. Everyone
19. Which of the following are consequences of committing fraud, waste or abuse?
a. Civil Money Penalties
b. Criminal Conviction/Fines
c. Imprisonment
d. Exclusion from Federal Health Care programs
e. All of the above
20. Which law provides safeguards to prevent unauthorized access to protected health care information?
a. HIPAA
b. Stark Law
c. Anti‐Kickback Statute
d. False Claims Act
Privacy and Confidentiality Training
Presented by Corporate Privacy Office
Office of Corporate Ethics & Compliance
Introduction
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to establish a national set of standards or rules for:
• Privacy
• Transactions and Code Sets
• Identifiers
• Security
This training program describes the HIPAA Privacy Rule and the Plan’s corporate policies that ensure compliance with the Rule and other related state and federal regulations.
HIPAA Privacy Rule
The HIPAA Privacy Rule, issued by the United States Department of Health and Human Services (HHS), became effective on April 14, 2003. This Rule established a national set of standards for the protection of health information. The intent of the Rule is to protect the privacy of individuals’ health information without impeding the flow of health information necessary for the provision of quality care.
On January 25, 2013, HHS published the HIPAA Omnibus Final Rule which includes modifications to HIPAA Privacy, Security and Enforcement rules. These include requirements for Protected Health Information (PHI) security, breach notification and penalties for non-compliance.
HIPAA Privacy Rule
The Privacy Rule applies to all organizations for which the collection, use or disclosure of health information is essential to business operations. These organizations are considered “covered entities” and include health plans, healthcare clearinghouses and healthcare providers such as physician offices, clinics and hospitals. Business Associates of covered entities are also subject to the Privacy Rule.
(Corporate Policies related to the topics in this course are indicated in parenthesis and can be found on Fingertips under Policies and Procedures. Be sure to reference Corporate Policies on a regular basis to ensure you have the most recent information.)
There are other state and federal laws and regulations that address privacy and confidentiality that are incorporated into our privacy practices.
The Plan’s Notice of Privacy Practices outlines the policies and procedures related to the HIPAA Privacy Rule and member rights. It is distributed at enrollment and upon request.
Protected Health Information
All “individually identifiable health information” is protected under the HIPAA Privacy Rule. Protected Health Information, or PHI, includes any data that may be used to identify the individual associated with health information. PHI includes “personally identifiable information” (PII). PII refers to information used to uniquely identify an individual, either alone or combined with other sources.
Examples of PHI include, but are not limited to:
• An individual’s name, address, date of birth
• Social Security Number, patient/insurance ID, driver’s license number, financial account or credit/debit card number
• Personal characteristics, including photographic image, fingerprints, handwriting, or biometric image (e.g., retina scans, voice signature)
• Medical records or treatment information such as service rendered, diagnosis, treatment notes
Claims, enrollment applications, medical/patient records, etc. all include PHI.
A covered entity must make reasonable efforts to use, disclose or request of another covered entity only a limited data set, or, if needed by the requesting entity, the minimum necessary information to accomplish the purpose of the use or disclosure.
PHI should not be used or disclosed when it is not necessary to satisfy a particular business purpose or carry out a business function. Use or disclosure of information is restricted to a “need to know” basis, including the access of our contractors. Contractor access to an individual’s PHI must be limited to the minimum necessary for the sole purpose of fulfilling job accountabilities.
Workforce Use, Access and Disclosure (CP1340)
Related Corporate Policies:
• Minimum Necessary – Disclosure of Information (CP1110)
• Disclosure to Business Associates (CP1090)
• Intra-entity Privacy Agreements (CP1210)
• Use, Disclosure and Safeguard of PHI (CP1320)
• Workforce Use, Access and Disclosure of Personal Information (CP1340)
Additionally, NYS has added protections around the use of information related to protected diagnoses, e.g., HIV/AIDS.
Any intentional access to information other than for job-related purposes is a violation of the minimum necessary rule and Corporate Policy. For example, accessing your own information or that of a family member or friend is not permissible under any circumstance.
Knowingly accessing information for reasons other than job-related accountabilities can result in disciplinary action up to, and including, termination of employment. In some cases, criminal and civil penalties may be applied.
In addition to accessing information, reasonable efforts must be taken to ensure the confidentiality of conversations when speaking with or conferring about an individual. Avoid discussing PHI in locations where there is risk that a conversation may be overheard such as in an elevator or break room.
Never leave messages containing PHI on answering machines. Telephone messages should be limited to the name of the company, contact name and phone number.
Workforce Use, Access and Disclosure (cont’d)
Related Corporate Policies:
• Workforce Compliance and Mitigation – PHI Disclosure (CP1180)
• Corporate Confidentiality and Non-Disclosure Statement (CP2050)
• Disclosure of PHI by Phone (CP1300)
• Disclosure of PHI by Fax (CP1290)
De-identified Data (CP1100)
De-identified health information has been stripped of PHI and cannot be used to identify a specific person or to link an individual to the health data.
De-identified data must be used whenever possible. This includes internal training purposes, reports, communication with groups, etc. Exceptions to this must be approved by the Data Review Committee and/or the Corporate Privacy Office.
CP1100 provides a list of elements that must be removed in order to consider the information de-identified. The list also serves as a good reference for identifying what is considered to be PHI.
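As an added example (not the Plan’s code, and not the CP1100 element list, which this training does not reproduce), the following Python applies a Safe Harbor-style de-identification to a constructed member record: direct identifiers are dropped, dates are reduced to the year, the ZIP code is truncated, and free-text notes are scrubbed of identifiers that tend to hide there. The element list is assumed from the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)); the record, its field names and its values are constructed for illustration.

```python
"""Safe Harbor-style de-identification of a member record (added example)."""
import re
from datetime import date

# Constructed sample record for a fictitious member; all values are made up.
SAMPLE_RECORD = {
    "member_id": "HP-0012345",
    "name": "Jane Q. Sample",
    "dob": "1951-03-14",
    "address": "12 Elm St, Rochester, NY",
    "zip": "14604",
    "phone": "(585) 555-0100",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "diagnosis": "E11.9",
    "service_date": "2013-02-07",
    "notes": "Follow-up call to Jane at (585) 555-0100 re: refill; see jane.sample@example.com",
}

# Fields removed outright. Assumption: this follows the HIPAA Safe Harbor identifier
# list (45 CFR 164.514(b)(2)), not CP1100, which this page does not reproduce.
DIRECT_IDENTIFIERS = {"member_id", "name", "address", "phone", "email", "ssn"}
# Dates directly related to the individual are reduced to the year.
DATE_FIELDS = {"dob", "service_date"}

# Identifiers that tend to hide in free-text fields such as call notes.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                  # SSN
    re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),  # US phone number
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),           # email address
]


def generalize_dob(iso_dob: str, as_of: date) -> str:
    """Keep only the birth year; for ages over 89 drop the year too ("90+")."""
    y, m, d = (int(part) for part in iso_dob.split("-"))
    age = as_of.year - y - ((as_of.month, as_of.day) < (m, d))
    return "90+" if age > 89 else str(y)


def scrub_free_text(text: str, name: str) -> str:
    """Redact SSNs, phone numbers, emails and the member's own name tokens."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    for token in re.findall(r"[A-Za-z]{2,}", name):
        text = re.sub(rf"\b{re.escape(token)}\b", "[REDACTED]", text, flags=re.IGNORECASE)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of the record with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob":
            out["birth_year"] = generalize_dob(value, as_of)
        elif key in DATE_FIELDS:
            out[key] = value[:4]  # year only
        elif key == "zip":
            # Safe Harbor allows at most the first three digits, and only where that
            # 3-digit area holds more than 20,000 people; the population check is omitted here.
            out[key] = value[:3]
        elif key == "notes":
            out[key] = scrub_free_text(value, record.get("name", ""))
        else:
            out[key] = value
    return out


def leaks_identifiers(record: dict) -> bool:
    """Post-check: does any string field still match a free-text identifier pattern?"""
    return any(
        pattern.search(value)
        for value in record.values()
        if isinstance(value, str)
        for pattern in FREE_TEXT_PATTERNS
    )


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, date(2013, 6, 1))
    for k, v in cleaned.items():
        print(f"{k}: {v}")
    print("identifiers remaining:", leaks_identifiers(cleaned))
```

The post-check matters as much as the removal step: free-text fields are where identifiers survive a field-level strip, which is why the example scrubs the notes and then re-scans every remaining string before the record is treated as de-identified.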
Disclosure of PHI
Now that you understand what PHI is, and that the Plan will disclose a limited data set or minimum necessary to accomplish a specific task, the question remains: To whom can the Plan disclose PHI?
The Plan will disclose PHI:
• To the individual who is the subject of the PHI
• To an individual’s Personal Representative (with proper documentation on file)
• To a third party named in an Authorization to Disclose PHI form that is signed by the individual or personal representative
• Without authorization for purposes of payment, treatment or healthcare operations. Examples of this are to providers, facilities or regulatory agencies
• To Business Associates (with proper documentation on file; this will be addressed in more detail in a coming slide)
Examples of situations where an authorization is required include:
• Sharing of PHI with anyone other than the individual, including spouse, family members, children age 18 or older and group leaders (very limited exceptions)
• Use of PHI for the purpose of marketing and research
• Psychotherapy notes
Disclosure of PHI
In conjunction with Federal Privacy laws, many states protect certain medical conditions even further, including:
• HIV / AIDS
• Substance Abuse
• Mental Health conditions
• Genetic Testing
• Abortion
• Sexually Transmitted Diseases
Due to the heightened protection around these conditions, internal documentation and disclosure must be limited to the minimum amount necessary to accomplish the task.
Be sure to always check the Authorization Database prior to disclosing information to a third party.
Related Corporate Policies:
• Authorization to Disclose PHI (CP1080)
• Personal Representative (CP1230)
• Disclosure to Business Associates (CP1090)
• Intra-entity Privacy Agreements (CP1210)
• Identity Verification (CP1220)
• Use, Disclosure and Safeguard of PHI (CP1320)
• Disclosure of PHI for Research Purposes (CP1250)
• Marketing and Fundraising – Use of PHI (CP1260)
Disclosure related to HIV/AIDS requires a specific state-approved authorization form. For disclosure related to the other protected health diagnoses, it must be specifically identified in our authorization form.
Business Associates (CP1090)
Business Associates are people or organizations that are contracted to carry out activities on behalf of the organization that require the use or disclosure of PHI. Examples of business associates include external auditors, First Tier, Downstream and Related Entities (FDRs) and vendors.
Since business associates may be required to use or disclose PHI, the covered entity and the business associate must enter into a “Business Associate Agreement (BAA).” This agreement specifies the terms and conditions for the use and disclosure of PHI and dictates the business associates’ responsibilities for maintaining the safety and security of the information.
Disclosure to the business associate must adhere to the limited data set/minimum necessary standard.
BAAs must be in place before PHI can be shared with the business associate. The Health Plan BAAs are maintained by the Contracts Office. For information regarding subsidiary BAAs, contact the Privacy Office.
Identity Verification
In all situations, and before disclosing information, it is important to verify the identity of the person to whom you are disclosing PHI and when applicable, ensure that the Plan has a valid PHI authorization on file*.
* If you do not know how to verify identity, or confirm that a current, valid authorization is on file, consult with your management.
Related Corporate Policies:
• Authorization to Disclose PHI (CP1080)
• Personal Representative (CP1230)
• Identity Verification (CP1220)
• Use, Disclosure and Safeguard of PHI (CP1320)
Verifying identity, also known as authentication, occurs when you ask an individual a series of questions to ensure that he/she is who he/she claims to be. For example, you might ask a caller to verify his/her name, address and date of birth before disclosing PHI. If the individual presents in person, you could ask the same questions or ask for a picture ID.
Especially tricky are situations where individuals share the same name and same date of birth. If you come across unusual situations such as this, contact the Privacy Office; there are additional steps the Plan can take to safeguard PHI.
Disposal of PHI (CP1310)
Most of us use PHI on a daily basis. All paper documents must be disposed of in the proper bins. Documents containing protected or confidential proprietary information must be placed in locked recycle bins for shredding in order to safeguard against unauthorized access.
PHI should never be placed in recycle bins that are not locked.
Computer media (disks, tapes, hard drives, microfilm, copy machines, etc.) containing protected or confidential data must be wiped clean of data or physically destroyed.
Unauthorized Disclosures
A breach is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security and/or privacy of the PHI. Examples of potential breaches may include, but are not limited to, PHI that:
• is stolen, lost or misrouted
• includes social security number or other identifying number
• is disclosed to an unintended/unauthorized recipient, such as enrollment information, test results, or explanation of benefits
• was improperly disposed of
• was emailed without being secured (“zixit” at the end of the subject line) or sent to the incorrect email address
• was accessed without a job-related “need-to-know”
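One way to catch the “emailed without being secured” case before the message leaves is a gateway-side check. The Python below is an added example, not the Plan’s code or its mail gateway: it inspects outbound messages and flags PHI addressed to an external domain when the subject does not end with the “zixit” keyword the training describes. The internal mail domain, the member-ID format, the PHI indicator patterns and the sample messages are constructed for this example; only the subject-keyword convention comes from the training text.

```python
"""Outbound-mail check for unsecured PHI (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

INTERNAL_DOMAIN = "plan.example"  # assumption: the Plan's own mail domain (constructed)
SECURE_TAG = "zixit"              # subject-line keyword the training says secures the email

# Indicators of PHI in message text. The member-ID format is constructed for this example.
PHI_PATTERNS: Dict[str, "re.Pattern"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "member_id": re.compile(r"\bHP-\d{7}\b"),
    "dob": re.compile(r"\bDOB:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str


def subject_is_secured(subject: str) -> bool:
    """The training describes 'zixit' at the end of the subject line as the trigger."""
    return subject.rstrip().lower().endswith(SECURE_TAG)


def external_recipients(msg: Message) -> List[str]:
    """Recipients whose address is not on the internal domain."""
    return [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def phi_indicators(text: str) -> List[str]:
    """Names of the PHI patterns that match anywhere in the text, sorted."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def check_message(msg: Message) -> List[str]:
    """Return findings for one message; an empty list means nothing to flag."""
    findings: List[str] = []
    indicators = phi_indicators(msg.subject + "\n" + msg.body)
    if not indicators:
        return findings
    external = external_recipients(msg)
    if external and not subject_is_secured(msg.subject):
        findings.append(
            f"PHI ({', '.join(indicators)}) addressed to external recipient(s) "
            f"{', '.join(external)} without '{SECURE_TAG}' at the end of the subject"
        )
    return findings


def triage(messages: List[Message]) -> Dict[int, List[str]]:
    """Map message index -> findings, for messages that have any."""
    result: Dict[int, List[str]] = {}
    for i, msg in enumerate(messages):
        findings = check_message(msg)
        if findings:
            result[i] = findings
    return result


# Constructed sample traffic: none of these are real messages, people or domains.
SAMPLE_MESSAGES = [
    Message("claims@plan.example", ["billing@provider-office.example"],
            "Claim question",
            "Member HP-0012345, SSN 123-45-6789, DOB 03/14/1951 - please confirm."),
    Message("claims@plan.example", ["billing@provider-office.example"],
            "Claim question zixit",
            "Member HP-0012345, DOB 03/14/1951 - please confirm."),
    Message("claims@plan.example", ["review@plan.example"],
            "Internal QA",
            "Member HP-0012345 flagged for review."),
    Message("claims@plan.example", ["billing@provider-office.example"],
            "Meeting",
            "Can we meet Tuesday at 10?"),
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_MESSAGES).items():
        for finding in findings:
            print(f"message {index}: {finding}")
```

The check is deliberately narrow (external recipient, PHI indicator, missing tag) so that it produces an actionable finding rather than noise; the internal-recipient case is left to the need-to-know rules covered elsewhere in this training.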
Related Corporate Policies:
• Breach Notification (CP1330)
• Workforce Use, Access and Disclosure of PHI (CP1340)
Along with civil and criminal penalties that could be imposed, a breach can damage the Corporation’s public image and trust. If an unauthorized disclosure occurs, it must be reported to the Privacy Office immediately upon discovery.
It is imperative that known or suspected breaches be reported immediately in order to comply with required notification timelines that may apply. The Privacy Office will investigate the unauthorized disclosure, including the completion of a risk assessment, to determine the proper course of action. The Privacy Office will provide guidance related to the necessary and compliant action to mitigate a known or suspected breach.
Unauthorized Disclosures
An unauthorized disclosure can be reported to the Corporate Privacy Office using the Accounting of Disclosure form on Fingertips, or for urgent situations, by email ([email protected]), by calling the Privacy Office Hotline (1-866-584-2313) or by contacting the Divisional or Corporate Privacy Officer (listed in the next slide).
Reporting Unauthorized Disclosures
When reporting to the Privacy Office, it is important to have as much information as possible, but do not delay in reporting if you do not have it. To aid in the investigation, it is helpful to know:
• What was disclosed (specific data elements)
• Why information was disclosed (e.g. human error, system issue, misrouted)
• How you discovered the issue
• Where the information is now (returned, destroyed, etc.)
• When the disclosure occurred
If you have taken any corrective action, that also should be included.
Contacting Privacy Officers
The Corporate and Division Privacy Officers are listed below. For the most up-to-date listing, consult your supervisor or the Corporate Compliance home page on Fingertips.
Name | Region | Contact
Kelly Wheeless | Lifetime Healthcare Companies / Excellus Health Plan | Phone: (315) 671-7064
Robyn Shaffer | Lifetime Care | Phone: (585) 214-1567
Susan Fenimore | SSA | Phone: (800) 322-3920, x214
Angela Hoteling-Rodriguez | MedAmerica LTC | Phone: (585) 327-6537
Elaine Vanderland | Lifetime Health Medical Group | Phone: (716) 453-7176
Suzanne Budd | EBS-RMSCO | Phone: (315) 448-9260
You can also email the Corporate Privacy Officer at:
Individual Rights
The Privacy Rule provides for a number of individual rights including, but not limited to:
Right to Access (CP1030):
An individual has the right to access the health information used to make a decision about that individual. This is referred to as a “Designated Record Set” (DRS). If an individual wishes to access his/her complete DRS, a request must be submitted in writing and is reviewed by the Privacy Office or designee. Partial requests, such as demographic information or medical notes, are handled by the applicable business area.
As part of the recently published Omnibus Final Rule, additional provisions will be implemented related to electronic health records.
For information on how to request a full or partial DRS, refer to departmental procedures. Denial of a full DRS must be approved by the Privacy Office.
Individual Rights
Right to Amend (CP1060):
Individuals have the right to request an amendment or corrections to their DRS if the information is incomplete or inaccurate. Under certain circumstances, the Corporation may deny the amendment. In most situations, the amendment is handled as standard operating procedure.
Right to Request a Restriction (CP1160):
Individuals may request restrictions on how their information is used, shared or disclosed for treatment, payment or healthcare operations. However, because a restriction on further use or disclosure may prevent the Plan from conducting business related to treatment, payment or healthcare operations, the Plan is not required to honor an individual’s request.
An example of when the Plan may honor a restriction on further use or disclosure is a patient’s request that a provider of care not disclose information regarding a particular treatment to a health insurance carrier. In this situation, the patient must pay in full for services rendered.
Individual Rights
Right to an Accounting of Disclosures (CP1040):
Individuals may request information related to how their health information was used and shared (other than disclosures made for treatment, payment and healthcare operations or to someone the Plan has been authorized to disclose). The request for an Accounting of Disclosure must be submitted in writing and is handled by the Privacy Office or designee.
In order for the Plan to track disclosures, it is important that you report unauthorized or certain permissible disclosures (such as fraud investigations or court-ordered disclosures) to the Privacy Office. This is done by completing an Accounting of Disclosure form that can be found on the Corporate Compliance Intranet page or by contacting the Privacy Office. More information on what must be reported and instruction on how to complete the form can be found on the Corporate Compliance/Privacy & Confidentiality webpage of Fingertips.
Disclosures containing PHI that must be reported to the Privacy Office include, but are not limited to, mail/email sent to an incorrect recipient, document loss or theft, subpoenas or court-orders, special investigations and disclosures to individuals without a valid authorization form on file.
Individual Rights
Right to Confidential Communication (CP1050):
This allows an individual to request that the Plan communicate with him/her through alternative locations when the individual believes it would be harmful to communicate with him/her using the normal means. The Plan may request the individual complete a confidential communication request form that includes a clear statement that disclosure of all or part of the PHI could endanger the individual if not communicated by an alternative means.
The Plan may see these requests with the mailing of Explanation of Benefits, calls for appointment reminders, etc.
Workforce Compliance and Mitigation (CP1180)
Anyone who violates the privacy policies and procedures is subject to disciplinary action up to and including termination of employment. Anyone who suspects a violation of the privacy policies or procedures must report the suspicion to the Corporate Privacy Office.
With the enactment of HITECH, civil and criminal action can be pursued by the Department of Health and Human Services, as well as State Attorneys General. Violations of privacy laws and regulations could result in civil and criminal fines and penalties.
Contractor Privacy Training Test Questions
1. Email messages containing PHI must be manually encrypted using “zixit” when:
A. Sent from the copy machine
B. Sending an email to a group
C. Sending an email to a provider
D. All of the above
2. Complete the statement so that it is true.
Identity Verification______________
A. is not required when the caller is the subscriber
B. is the same as checking for an authorization
C. is a process to confirm that the caller is who they say they are
D. must only be done when a group leader calls
3. True or false ‐ All business relationships that require the access to, use or disclosure of our member PHI must have a Business Associate Agreement, or in some cases a confidentiality agreement, in place.
True
False
4. Identify the violation in this scenario.
I am an employee and recently attended a training session to learn a new software program on the computer system. After training, I went into my own file so that I could practice. While in there, I noticed my address was incorrect so I changed it. I wanted to make sure that all of my medical information was going to be sent to the correct address, so I checked my medical records and claims to make sure they had the correct address, which they did.
A. Using your own file for practice
B. Changing the address
C. Viewing medical records and claims
D. All of the above
5. Identify the best course of action in the following scenario.
A call is received indicating that a regulatory agency has received the incorrect medical records for a case they are reviewing. It is discovered that the employee that fulfilled the request sent medical records for a different individual. You would:
A. Apologize, send the correct records and document the call
B. Advise the agency that the correct records will be faxed and then notify the member whose information was disclosed in error
C. Send the correct records, ask for the return of the incorrect records, and then notify the Privacy Office
D. Ask the regulatory agency to return the records and once received, the correct records will be sent
6. An individual contacts us and asks for a copy of their medical records. You:
A. Tell them that the records are confidential and we cannot send them
B. Copy the records; have the content reviewed and approved, then send them
C. Obtain a copy of the records but white out most information because it is confidential, protected health information
D. Send them a copy of the medical records and everything else we have on file
7. Identify the best course of action in the following scenario.
An individual calls and indicates they have not received any correspondence from us at all and is wondering why. Part of the process is to verify the individual’s address, at which time you realize that the address is incorrect. What would you do?
A. Change the address
B. Ask the individual to submit an address change request
C. Change the address, resend correspondence mailed during the time period in question and submit an Accounting of Disclosure form to the Privacy Office
D. None of the above
8. Mary is an employee that runs reports to monitor usage and services. Mary shares the reports with other employees. She received a specific request to include individuals with HIV‐related services. Can Mary provide that report to the requestor?
No. Mary must remove all HIV‐related information before she can share the report with other employees.
Yes. Mary may share the HIV‐related information with others if the need‐to‐know protocols authorize them to access HIV‐related information and they reasonably need that information in order to perform their job‐related duties.
9. True or false ‐ As long as we are meeting all of the requirements set by the HIPAA Privacy Regulations, there is nothing else we need to be concerned with regarding privacy and confidentiality.
True
False
10. You are asked for a document that explains our procedures on how we protect member/patient privacy. What is the best response?
A. Advise the inquirer to contact the Privacy Office and give them the telephone number
B. Send a letter explaining how we authenticate individuals asking for information, require authorizations and limit access to our processing systems
C. Send a copy of the Notice of Privacy Practices
D. Refer the caller to our web site
Information Security Training
Presented by Corporate Data Security and
Office of Corporate Ethics & Compliance
Introduction
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to establish a national set of standards or rules for:
• Privacy
• Transactions and Code Sets
• Identifiers
• Security
This training program incorporates many other state and federal laws and regulations that address privacy and security in addition to HIPAA.
This training:
• Provides an overview of Transactions and Code Sets
• Explains Identifiers
• Provides important information regarding the Final Security Rule and Corporate Data Security
Transactions
National standards for electronic healthcare transactions are required under HIPAA.
The term “transaction” refers to the electronic exchange of information for the purpose of carrying out financial or administrative activities related to healthcare. The intent for this standard is to simplify the process, reduce administrative costs and improve efficiency. All healthcare providers who engage in any of the identified electronic transactions must comply with the standard.
Examples of electronic healthcare “transactions” include:
• Submission of healthcare claims or encounter information
• Healthcare payment and remittance advice by a health plan
• Coordination of benefits, including the transmission of payment information between payers with different payment responsibilities
• Referral certification and authorization
• Exchange of information regarding eligibility, coverage and benefits under a subscriber’s policy
Code Sets
Medical data code sets are required for diagnoses, procedures and drugs. Specific code sets have been adopted under HIPAA standards, including the ICD-9/ICD-10 and CPT-4 codes. Other code sets that have been adopted include those associated with claims for medical supplies, dental care and drugs.
For personnel whose positions require more detailed information related to this topic, additional training materials are available through your manager.
Identifiers
The final rule for a standard unique employer identifier was published in the Federal Register. This rule requires specified entities to have standard national numbers that identify them on standard transactions. The Employer Identification Number (EIN), issued by the Internal Revenue Service (IRS), was selected as the identifier for employers.
Health plans, healthcare clearinghouses and healthcare providers must use this identifier in connection with certain electronic transactions. The use of this identifier will improve the effectiveness and efficiency of the healthcare industry in general by simplifying the administration of the system and enabling the efficient electronic transmission of certain health information.
For personnel whose positions require more detailed information related to this topic, additional training materials are available through your manager.
Information Security
Information Security is the protection of information from unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional and whether in storage, processing or transit.
Information resources include data, processes, equipment, technology and the people involved in making the best use of the information. Every end user is responsible to secure protected and/or sensitive information and data.
Information Security
Information assets include, but are not limited to:
• Desktop PCs
• Laptops
• Mobile devices: smart phones, cell phones, PDAs, etc.
• Media and storage devices: CDs, diskettes, USB (thumb) drives, printed output, electronic data
Information Security
Notify the Corporate IT Help Desk and your supervisor immediately upon the loss, suspected loss or theft of a portable computing device, including, but not limited to, laptops, PDAs, smart phones, cell phones, USB storage devices and other external drives.
Notify Corporate Data Security when you experience:
• The loss, suspected loss or disclosure of sensitive company information to unauthorized parties.
• The occurrence or suspected occurrence of unauthorized access or use of corporate information systems.
• The loss, suspected loss, theft or disclosure of passwords or other system access control mechanisms.
• The occurrence or suspected occurrence of copies being made without the appropriate license or approval by the copyright holder/software manufacturer.
Mobile Device Security
A mobile device can be defined as a hand-held computing device, typically having a display screen with touch input and/or a miniature keyboard. Mobile devices include but are not limited to:
• Laptops
• Smart phones (e.g., iPhone, Blackberry, Palm)
• Cell phones
• Personal Digital Assistants (PDAs)
• Tablet PCs (e.g., iPad)
• Removable media
• Any other portable device capable of storing data
Mobile Device Security
These devices are used for electronic communications. Electronic communications shall be defined as the transmission of information via e-mail, blog, wiki, instant messaging and text messaging.
As defined in the Acceptable Computer Usage policy, users must also comply with all security and privacy measures defined by the Corporation. Users must refrain from disclosing internal and confidential information in their possession without first obtaining permission from the Data Owner.
As defined in the Corporate Mobile Device Standard:• All mobile devices containing internal or confidential corporate data
must use an approved method of encryption to protect the data• The use of SMS / “Texting” to send internal or confidential data is
prohibited• Storing corporate data on non-corporate smart
phones is expressly prohibited
13
Laptop Security
Laptops, Netbooks and PDAs are easily lost or stolen. This puts the information stored on them at an increased risk of being compromised. These devices are a primary target for thieves, who steal them for resale or to obtain the information stored on them. If your mobile device is lost or stolen, sensitive business information could be exposed.
The average business laptop is thought to contain information worth over $500,000. Therefore, as the users of these devices, you are the first line of defense when it comes to ensuring they are properly protected.
If your laptop is stolen, it must be reported to the Help Desk immediately. Although all electronic devices are required to be encrypted, they must be disabled if stolen and the incident researched by Corporate Data Security and/or the Corporate Privacy Office.
Laptop Security: In the Office
Lock it Up
• If you are using a docking station, use the lock if you must leave a laptop unattended. Laptops are frequently stolen within office environments.
• When leaving your laptop unattended, be sure to use the password lock by pressing the CTRL, ALT and DELETE keys simultaneously.
• When leaving the office, lock up the device in a secure location.
Backup
• Ensure all critical information stored on laptops or mobile devices is backed up to a corporate network share drive, guaranteeing information recovery in the event of device loss, theft or hardware failure.
• Only store information that is needed.
Bag and No Tag
• Bags should not display visible markings or labeling, such as business cards or company logos, as this provides clues to the value of the contents or information inside.
• Do not leave written-down usernames or passwords, or your business VPN access token, in the same bag as your laptop, as this could provide unauthorized access to information.
• Ensure all zippers and pockets are closed, and consider using small padlocks or cable ties to secure them. This will help ensure no one can take anything out, or put anything in, without you noticing.
Laptop Security: When Traveling or Working Remotely
Public Places
• Avoid working on sensitive information, or sit with your back to a wall and/or use a laptop privacy screen. This will prevent ‘shoulder surfing’, ensuring no one can view sensitive information displayed on screen.
• Avoid conducting sensitive phone calls in crowded public areas where everyone will be able to hear your conversation.
• Look out for your devices in distracting situations, such as checking out of a hotel or buying a coffee with your credit card. Try not to lose contact with your laptop bag during these times and never leave your laptop or mobile devices unattended, even for a short while.
Car Travel
• Never leave your laptop or other mobile devices in full view on the seat of a car, as this makes them a tempting target for thieves.
• Always lock them out of sight, in the trunk. For extra security, when leaving your car remove the laptop.
• If you are leaving your laptop or mobile devices in your car, place them in the trunk before reaching your destination, so that no one sees you doing it when you park.
Laptop Security: When Traveling or Working Remotely (cont.)
Hotel Accommodations
• Do not leave your laptop or mobile devices unsecured in your hotel room, as hotel rooms are not safe places at all. Remember you are not the only person with a key to your room.
• If you must leave them unattended in your room, always store them inside the room safe. If there is no room safe, lock your laptop out of sight using a cable lock if possible.
• Never leave laptops or other mobile devices with hotel personnel or the concierge.
Airplane Travel
• Never check laptops or mobile devices with your luggage, as they will likely get damaged and may be stolen. Always ensure they remain in your carry-on baggage.
• While at the airport, keep an eye on your devices. Avoid putting your laptop bag on the floor and, if you do, hold it between or rest it against your legs to remain consciously aware of it at all times.
• When on a plane, avoid placing laptops or mobile devices in the overhead bin, where there is the potential for them to be damaged or stolen, especially when the aircraft is full. Instead, keep them under the seat in front of you.
Acceptable Usage (IT1060)
Know What is Acceptable
Familiarize yourself with the corporate “Acceptable Computer Usage” policy. This policy provides governance regarding the appropriate and acceptable use of corporate computing resources. This includes, but is not limited to, the use of email, blogs, forums and other social media types, Internet, workstations (desktop or laptop computers), smartphones, cellphones, Personal Digital Assistant (PDAs), etc. This policy is designed to protect both you and the corporation.
Acceptable Usage: Email
You may not use the corporate email system to share personal photos, movies, or other sizeable information. Occasional and incidental personal use of email is permitted, as noted in Corporate Policy IT1060 - Acceptable Computer Usage, provided it does not interfere with an individual’s work and company operations and does not violate any company policies, practices, or other directives.
Acceptable Usage: Email Encryption
An email sent without encryption is like sending a postcard: it can be read by anyone along the way to its destination. An email sent with encryption is like sending a letter inside a sealed envelope: it can only be opened and read by the recipient. Internal and confidential data sent outside of the corporate network must be encrypted.
Important Note: Email subject line contents cannot be encrypted; therefore internal and confidential data must be limited to the body of the email. Refer to the Encryption Policy (IT1070) for further details.
In some circumstances, no sender interaction is needed to encrypt email; the process is completely automated. However, to ensure the security of email, you should always manually encrypt email that contains PHI, including in attachments. If you want to initiate encryption, regardless of content, you can use a special keyword at the end of the subject line of your email, and it will be automatically encrypted. The keyword is: ZIXIT
To learn more about secure messaging visit: http://userawareness.zixcorp.com/excellus/securemessaging.php
Computer User Access
Computer users typically have access to a variety of systems and applications based on their job responsibilities. This access will need to be suspended or removed upon notification of a change in status.
Currently, in accordance with our Corporate Standard, when a user has a status change resulting in new job responsibilities, all access will be removed on the effective date of the status change, with the exception of Lotus Notes and the Network Logon for this person.
Managers will need to prepare in advance to ensure that an adequate transition has occurred. If additional security access is required for the new job responsibilities, the manager will need to request the applicable access.
Corporate Security Policies and Standards
To assist you in understanding and carrying out your role in protecting Lifetime Healthcare Companies’ information, the Plan has developed security policies, procedures and standards. By following these guidelines, you will contribute to the protection and integrity of data within our business systems, network and computing facilities.
One policy to be familiar with is Data Security (IT1010). This policy defines the basic principles of The Lifetime Healthcare Companies’ data security program and associated security policies that provide reasonable and effective controls for protecting corporate resources including, but not limited to, data and systems. The policy will assist you in understanding the policies, standards and controls that:
• Serve to safeguard corporate assets approved by the Corporation
• Comply with statutory and regulatory mandates
• Support the corporate objectives
• Protect the confidentiality, integrity and availability of corporate data
Corporate Security Policies
The following is a list of all approved Corporate Data Security Policies:
IT1010 Data Security
IT1020 Computing Equipment Re-use and Disposal
IT1030 Data Backup
IT1050 Disaster Recovery & Business Continuity
IT1060 Acceptable Computer Usage
IT1070 Encryption
IT1100 Remote Access
IT1110 Security Monitoring
IT1130 Computer Virus Control
IT1140 Wireless Communications
IT1160 Security Breach
IT1170 Data Classification
IT1180 Software Licensing
IT2010 Change Management
IT2020 Electronic PHI Risk Assessment
To view these policies visit: http://fingertips/corporate_policies/corporate_policies.shtml
Corporate Security Standards
The following is a list of all approved Corporate Data Security Standards:
Viewable to All
• Access to Data
• Application Security
• Blackberry
• Copier & Printer
• Data Backup
• Data Encryption
• Disaster Recovery Exercises
• Mobile Device
• Remote Access
• Remote Requirements
• Risk Management
• Secure File Transfer
• User & Service Accounts
• Virus Control
• Vulnerability/Patch Management
Restricted View
• AIX
• DB2 / IMS
• DMZ Equipment
• High Powered System Authority
• IBM HTTP Server (IHS)
• Internet Information Services (IIS)
• Lotus Notes
• Network Devices
• Oracle Database
• pcAnywhere
• Solaris/Solaris10
• Terminal Services
• UNIX / Linux
• VOIP
• Windows XP/7 Desktop
• Windows 2000/2003/2008 Server
• Websphere Application Server (WAS)
• Wireless Configuration
To view these standards visit: http://fingertips/it2/data_security/security_standards.html
Violation of Security Policy
Any suspected or confirmed violations of Corporate Policy must be reported to the Corporate Data Security Officer or to the Corporate Data Security department. You may also choose to place an anonymous report to the Security hotline. All suspected violations will be investigated.
Any violation of the Corporate Data Security policies will be met with disciplinary action. Possible penalties include termination of employment or business relationship with the Lifetime Healthcare Companies and/or criminal prosecution.
Corporate Data Security Contact Information
The Corporate Security contact information is listed below. For the most up-to-date listing, consult your supervisor or the departmental web pages on Fingertips.
Corporate Security Officer: Patrick Celeste
Telephone: (800) 840-5113
Email: [email protected]
Security Questions or Concerns
Telephone: (315) 671-6842
Email: [email protected]
Security Hotline: (800) 840-5113
De-Centralized Security Officers
Patrick Celeste - Excellus Health Plan, Phone: (585) 339-7978
Brenda Rogers - Lifetime Health Medical Group, Phone: (716) 656-4014
John Cauvel - Lifetime Care, Phone: (585) 339-5588
Patrick Leone - MedAmerica, Phone: (585) 238-4383
Greg Cohen - EBS-RMSCO, Phone: (315) 671-9870
Contractor Information Security Training Test Questions
1. True or false ‐ Information security only involves protecting computers.
True
False
2. You are in the office. You have your laptop in a conference room for a meeting and it is time for lunch. You should:
A. You are in the office, so the laptop will be okay until you come back
B. Take your laptop back to your desk and secure it
C. Make sure you password‐lock your laptop, turn off the lights and close the door
3. True or false ‐ Any suspected or confirmed violations of Corporate Security Policy must be reported to the Corporate Data Security Officer or to the Corporate Data Security department.
True
False
4. You pull into your driveway from a long day’s work and your laptop is in the case in the back seat. What is the best practice?
A. Place it in the trunk so it is not visible
B. It is in the laptop bag, so it can stay in the back seat until morning
C. Remove the laptop from the car and take it inside with you
5. To: [email protected]
Cc: [email protected]
From: [email protected]
Subject: John Smith‐ ID#123‐45‐6789
John’s claims for account #123456789 for services rendered by Oncology Unit at the have been processed. What should be done before sending this email?
A. Remove the identifying number from Subject Line
B. Remove John Smith from Subject Line
C. Add the words “ZIXIT” at the end of the Subject Line
D. All of the above
6. You have recently started selling cooking products in the evenings for additional income. You really want individuals to be aware of your new business and plan on using your company email account and telephone to organize parties and communicate with party hosts regarding supplies needed, orders, and other related details. These actions are:
A. Acceptable as long as I don’t include people that don’t like junk email
B. A violation of the corporate policy
C. Okay as long as I get management approval
7. Today is January 1st and John Smith is transferring from Claims to Customer Service on February 1st. What are the appropriate next steps?
A. New access should be given to John now, so he can learn his new job and finish working on his current job
B. Access request should be submitted by the new manager to have new access granted on February 1st
C. Nothing, everything can be sorted out after John transfers
8. May employees use the corporate email system to share personal photos, movies, or other sizeable information?
Yes
No
9. True or false ‐ Medical data code sets are required for diagnoses, procedures and drugs. Specific code sets have been adopted under HIPAA standards including the ICD‐9/ICD‐10 and CPT‐4 codes.
True
False
10. Which of the following is NOT correct?
A. All mobile devices containing internal or confidential corporate data must use an approved method of encryption to protect the data
B. Storing corporate data on non‐corporate smart phones is expressly prohibited
C. The use of SMS / “Texting” to send internal or confidential data is prohibited
D. These are all correct