Www.stmaryskc.com




General Compliance Training

«FormalNamewithDegree»: Please review this information to complete your annual compliance training required by Prime Healthcare. If you have any questions, feel free to contact the Medical Staff Office: 816-943-2124

Training Objectives

• Discussion of the complex healthcare regulatory environment in which Prime operates, including key healthcare laws and regulations

• Discussion of Prime’s Corporate Integrity Agreement

• Discussion of Prime’s Compliance Program

Overview of Relevant Healthcare Laws and the Regulatory Environment

• Main laws to consider:

• Physician Self-Referral Law (Stark)

• Anti-Kickback Statute

• Civil Monetary Penalties

• False Claims Act

Federal Physician Self-Referral Law (or “Stark”)

• Governs “financial arrangements” between physicians and hospitals. This is a “strict liability” law; arrangements that are not specifically permitted are prohibited. The intent of the parties is not relevant to the determination of a violation.

• Absent an exception to the law, a physician may not refer a Medicare patient for designated health services to an entity in which he/she (or his/her immediate family member) has a financial relationship.

• Examples

• Physician contracts that vary with or take into account referrals

• Physician compensation arrangements above Fair Market Value

• “Sham” medical director and services arrangements

• Physician compensation not commercially reasonable

Federal Anti-Kickback Statute (or “AKS”)

This is a criminal statute that prohibits soliciting, receiving, offering or paying (directly or indirectly, overtly or covertly) anything of value to induce the referral of a Medicare or Medicaid patient to receive services or products.

▪ Intent-based—“One Purpose Test”

▪ Examples:

• A laboratory offers a physician $50 per Medicare patient the physician refers to the laboratory for testing.

• A nursing home representative gives a $100 gift card to a hospital’s case manager for each patient the case manager discharges to that nursing home (as opposed to another nursing home).

Comparison of Stark v AKS

| | Stark Law | Anti-Kickback Statute |
|---|---|---|
| Parties at Risk | Physicians & DHS entities only | Everyone |
| Types of Referrals | Designated Health Services | All federal healthcare programs |
| Intent requirement | NO: strict liability | YES: actual knowledge, reckless disregard, or deliberate ignorance |
| Criminal v Civil | Civil penalties only | Criminal and Civil penalties |
| Exceptions/Safe Harbors | Mandatory; otherwise the arrangement is prohibited | Voluntary; an arrangement may be permissible even if all elements of a safe harbor are not satisfied |
| Fair Market Value | Most compensation exceptions require FMV | Not required, but OIG has said lack of FMV could be evidence of a kickback |
| Commercial Reasonableness | Many exceptions require it | Not required, but OIG strongly prefers it |

Civil Monetary Penalties Law (“CMP”)

• The CMP Law authorizes the Secretary of Health and Human Services to impose civil money penalties, an assessment, and even program exclusion for various forms of fraud and abuse involving the Medicare and Medicaid programs.

• The CMP Law includes a Beneficiary Inducement Prohibition:

• Prohibits providing anything of value to a federal health care program beneficiary that the offeror knows or should know is likely to influence the beneficiary’s selection of a particular provider, practitioner, or supplier.

Federal False Claims Act (“FCA”)

▪ It is unlawful to submit a claim to the government that one knows is false or fraudulent.

▪ Knowledge includes: actual knowledge, deliberate ignorance or reckless disregard

▪ Examples

▪ Using a person’s Medicare I.D. and submitting claims for medical services that were never rendered to that person.

▪ Unbundling one code and splitting it into several codes to obtain more reimbursement.

▪ Retaining an overpayment longer than 60 days after identification.

60-Day Overpayment Rule

• When entities “identify” Medicare overpayments, the overpayments must be reported and returned within 60 days of identification

• CMS’s final rulemaking for Parts A and B interprets identification as placing an affirmative duty on providers to investigate potential overpayments in certain circumstances

• Identification occurs after 6-month good faith investigation (may be longer for Stark and AKS issues)

• Contemplates a 6-year lookback period

What is the Purpose of These Laws?

• Federal fraud and abuse and self-referral laws were enacted with the purpose of:

― Reducing inflated costs and lost revenue for Federal healthcare programs resulting from physician referrals to entities with which physicians had financial relationships

― Discouraging inappropriate overutilization of healthcare services for Federal healthcare program beneficiaries

― Ensuring that physician-patient relationships and patient care are not negatively impacted by business motives and profit

Penalties Can Be Significant

| | Anti-Kickback Statute | Stark Law | False Claims Act |
|---|---|---|---|
| Criminal | Fines up to $100,000; up to 10-year prison term | | |
| Civil | False Claims Act liability; civil monetary penalties and program exclusion; potential $22,363 CMP per violation; civil assessment of up to three times the amount of the kickback | False Claims Act liability; civil monetary penalties and program exclusion for knowing violations; potential $24,253 CMP for each service; civil assessment of up to three times the amount claimed | Treble damages; penalties of $11,463 to $22,927 per claim |

Expanding Universe of Evaluators


Individual Accountability

• Enforcement agencies have indicated an increased focus on holding individuals accountable for corporate wrongdoing if they knowingly and actively participate in wrongdoing

• Important to understand this shift in prosecutorial philosophy and corresponding impact on numerous stakeholders, including executive leadership team, physicians, board, operational leaders, and others

• This shift is not academic—the Government is actively pursuing individual clinicians, executive leaders, directors and even board members for failing to support an effective compliance infrastructure and for failing to effectively oversee risky practices and patterns

Overview of the Prime Corporate Integrity Agreement

CIA Overview

• As part of a settlement agreement with the government to resolve allegations related to technical billing questions, Prime entered into a 5-year Corporate Integrity Agreement (“CIA”) with the Office of Inspector General (“OIG”)

• Prime denied the allegations, but decided to settle the matter in recognition of the significant costs of continuing to litigate

• The CIA presents an opportunity for Prime to evaluate and, as appropriate, make enhancements to its Compliance Program given recent heightened expectations

Prime’s CIA

• Effective August 3, 2018

– 5-year term

– Overseen by OIG

– Applicable to all Prime acute care hospitals

▪ Includes Prime Healthcare Services and the Foundation

▪ Extends to any new hospitals acquired by Prime

– Public and available on OIG’s website

Prime’s CIA Requirements

• Compliance Program Infrastructure Requirements

― Chief Compliance Officer

― Divisional Compliance Officers

― Compliance Committee

• Training

• Policies and Procedures

• Exclusion Checking

• Risk Assessment

• Disclosure Program

• Independent Review Organization Testing (Claims and Medical Necessity)

o Four facilities will be randomly selected each year for a claims review

• Significant Reporting Obligations

o Government Investigations

o Reportable Events

o Annual Reports

CIA Penalties

• CIA stipulated penalties can be significant

― Penalties range from $1,000 to $2,500 per day for failure to comply with CIA obligations

― $50,000 penalty per false certification

• Stipulated penalties are reported on OIG’s website and OIG could issue a press release if significant penalties are imposed

― In 2016, Kindred Healthcare was assessed more than $3 million in stipulated penalties for violations of their CIA

Overview of the Prime Compliance Program

Corporate Compliance

▪ A Corporate Compliance Program is a system-wide program designed to monitor, educate, audit, correct and report noncompliance with Fraud & Abuse laws and licensing rules and regulations, which will help to avoid civil and criminal penalties.

▪ 7 Elements of an Effective Compliance Program


Program Administration

• Prime’s Chief Compliance Officer is Clay Wombacher

― You may report compliance concerns at (909)-638-0092 or CWombacher@

• Prime’s Divisional Compliance Officers

― Division I: Ritu Kaur Cooper

― Division II: Adam Fielding

• Prime’s Compliance Committee

― Consists of representation of a cross-section of departmental functions throughout the System

COMPLIANCE is EVERYONE’S Responsibility

Policies & Procedures: Prime’s Compliance Policies & Procedures and Compliance Manual are available on the Intranet


Training

▪ All providers with active privileges must complete Compliance & HIPAA training within 30 days of privileging and annually thereafter

▪ Training is completed via an Educational Module and attestation form that is administered and tracked by the Medical Staff Office

▪ Under the 5-year CIA term, annual training must be completed by June 30th each year

Confidential Hotline

▪ A hotline has been established for the reporting (including anonymously) of any compliance issues

(877) 350-5827

▪ All calls are fully investigated and appropriate corrective actions are taken

▪ You may also report compliance concerns to your supervisor, Facility Compliance Officer, or Corporate Compliance Officer

Auditing and Monitoring

• Internal auditing and monitoring requires ongoing evaluation and assessment

• What is auditing and monitoring?

• Auditing – retrospective

• Monitoring – ongoing/contemporaneous with the operational activity

• Prime must ensure not only that its standards are accurate, but that the Compliance Program actually works

• Prime develops a compliance audit work plan that takes into account the results from the compliance risk assessment

Exclusion Checking

• Prime cannot employ or contract with an excluded person or individual.

o OIG excludes individuals and entities from participating in Federal healthcare programs under certain circumstances

o The effect of an exclusion is that no payment will be made for any items or services furnished, ordered, or prescribed by the excluded individual or entity; this includes individuals who perform administrative functions

• Many states maintain exclusion lists for Medicaid programs in addition to the OIG exclusion list.

• Healthcare providers are responsible for checking the applicable exclusion lists regularly to ensure they are not employing or contracting with an excluded person or entity

• Prime engaged a vendor to perform and document the required exclusion list screenings at new hire and on a monthly basis thereafter

Responding to Violations and Corrective Actions

• Prime is dedicated to investigating any matters related to non-compliance in a fair, objective, and discreet manner

• Non-compliance will be communicated to Leadership through the appropriate channels

• Committed to developing corrective action plans in response to non-compliance

• Prime will monitor the effectiveness of corrective action plans

• Prime will cooperate with government inquiries and investigations

• Prime will assure records are maintained on compliance investigations


HIPAA Training for

Medical Staff Members

Training Objectives

• HIPAA Basics

• Privacy Rule

• Covered Entities

• Business Associate

• Protected Health Information

• De-Identified Health Information

• Security Rule

• Required Disclosures

• Breach Notification Rule

• Safeguards

• Complying with HIPAA Rules

• Current Enforcement

HIPAA BASICS

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

▪ Public Law 104-191

▪ Enacted on August 21, 1996

▪ Since Congress did not enact privacy legislation within three years of the passage of HIPAA, the Department of Health and Human Services (HHS) published the final Privacy Rule on December 28, 2000.

▪ Modifications to the Privacy Rule were published on August 14, 2002

• HIPAA is made up of three crucial parts:

1. Privacy Rule

2. Security Rule

3. Breach Notification Rule

• Main purposes of HIPAA

1. Makes health insurance portable under ERISA (Employee Retirement Income Security Act of 1974)

2. Moves healthcare onto a nationally standardized electronic billing platform

3. Prevents fraud, waste and abuse

4. Protects the privacy of health information; and

5. Provides individuals with certain rights to their health information

Privacy Rule

• The Privacy Rule provides federal protections for protected health information (“PHI”) held by covered entities, and gives individuals (patients) important rights with respect to their PHI (i.e., the right to examine and obtain a copy of their health records and the right to ask for corrections to their health records).

• Sets national standards for when protected health information (PHI) may be used and disclosed.

• Entities regulated by the Rule are obligated to comply with all of its applicable requirements.

• The Privacy Rule is balanced so that it permits the disclosure of protected health information needed for patient care and other important purposes.

• The Privacy Rule does not require you to obtain a signed consent form before sharing information for treatment purposes.

• The Privacy Rule does not require you to eliminate all incidental disclosures. 

• The Privacy Rule does not cut off all communications between you and the families and friends of patients.

• The Privacy Rule does not stop calls or visits to hospitals by family, friends, clergy or anyone else.  

• The Privacy Rule does not prevent child abuse reporting.

• The Privacy Rule is not anti-electronic.

Covered Entities

• HIPAA Rules apply to covered entities

• A Covered Entity is one of the following:

| A Health Care Provider | A Health Plan | A Health Care Clearinghouse |
|---|---|---|
| This includes providers such as: hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies | This includes: health insurance companies, HMOs, company health plans, government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs | This includes entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa. |

Business Associates

• HIPAA Rules apply to Business Associates

• Business Associate Defined:

• Person or Organization, other than a workforce member of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI.

▪ Examples: claims processing, data analysis, utilization review, and billing services.

• Can be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of another business associate.

• Persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information (PHI), and where any access to protected health information by such persons would be incidental, if at all.

• NOTE: A covered entity can be a business associate of another covered entity

• Business Associate Contract:

• When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (BAA).

• In the BAA contract, the covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates.

Protected Health Information (PHI)

• PHI is any information that is considered individually identifiable health information

• Examples:

▪ Demographic Information (e.g., name, address, birth date, Social Security Number),

▪ Information related to an individual’s past, present or future physical or mental health or condition,

▪ An individual’s provision of health care, or

▪ Any information related to the past, present, or future payment for the provision of health care to the individual

• The Privacy Rule protects all PHI

De-Identified Health Information

• This type of health information neither identifies nor provides a reasonable basis to believe that the information can be used to identify an individual.

• Example: Health information from a medical record that has been stripped of all individually identifiable health information.


Security Rule

• The Security Rule is seen as a complement to the Privacy Rule. The Privacy Rule pertains to all PHI, whether written or electronic. In contrast, the Security Rule pertains exclusively to PHI distributed over electronic channels.

• Electronic Channels: Communicating by using items like email, texting, electronic health records (EHR), computerized physician order entry systems (CPOE), etc.

Required Disclosures

• There are only two situations in which it is mandatory that a covered entity disclose protected health information.

1. To individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information.

2. To HHS when it is undertaking a compliance investigation or review or enforcement action.

Breach Notification Rule

• A Breach is defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI.

• When such an incident occurs, it is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

2. The unauthorized person who used the PHI or to whom the disclosure was made

3. Whether the PHI was actually acquired or viewed

4. The extent to which the risk to the PHI has been mitigated.

• Most notifications must be provided without unreasonable delay and no later than 60 days following discovery of the breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The covered entity must notify the affected patients; HHS; and, in some cases, the media of a breach of unsecured PHI.

• The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.

• Top 3 Causes of Data Breach:

1. Employee Action

2. Lost or Stolen Devices

3. Third-Party Error

• Examples of Common Breaches

1. Snooping in the records of relatives, celebrities, or co-workers without a business need to know

2. Misdirected faxes from one covered entity to another

3. Providing incorrect discharge instructions

4. Not asking permission from patient to speak about their medical care in front of others who may be in the room

Safeguards

• Here is a list of some of the safeguards that have been implemented at Prime to ensure we protect patients’ PHI:

▪ Placing PHI into locked shred bins instead of the trashcan

▪ Locking computer screens when employees leave their work station

▪ Email encryption system

▪ Each hospital has a HIPAA Privacy Officer who conducts HIPAA walk-throughs to ensure safeguards are being practiced

▪ Annual HIPAA Training to all employees and Medical Staff members

Complying with HIPAA Rules

• Covered entities and business associates, as applicable, must follow HIPAA rules. If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA rules.


Current Enforcement

• The HHS Office for Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. Violations may result in civil monetary penalties. In some cases, criminal penalties enforced by the U.S. Department of Justice may apply.

• Common violations include:

• Impermissible PHI use and disclosure

• Use or disclosure of more than the minimum necessary PHI

• Lack of PHI safeguards

• Lack of administrative, technical, or physical ePHI safeguards

• Lack of individuals’ access to their PHI

HIPAA in the Headlines

Cottage Health Hit With $3 Million HIPAA Settlement (February 8, 2019)

TV filming at Massachusetts hospitals leads to $1M in HIPAA fines (Sept 21, 2018)

HIPAA enforcements hit record $28 million in 2018 (February 8, 2019)

Physician offices hit with penalties for HIPAA violations (October 13, 2016)

Cancer Center Hit with $4.3 Million Texas HIPAA Fine (September 17, 2018)

Confidential Hotline

• A hotline has been established for the reporting (including anonymously) of any privacy issues

(877) 350-5827

• All calls are fully investigated and appropriate corrective actions are taken

• You may also report privacy concerns to your Facility Privacy Officer or Corporate Compliance Officer

Thank you

We thank you for your time and dedication to providing compassionate, quality patient care and our mission of improving healthcare for communities across the nation.

[Figure from the “Expanding Universe of Evaluators” slide, listing: Gov’t Contractors, Accreditation and Licensure Bodies, Lenders, Shareholders, Whistleblower Law Firms, Managed Care, Insurers, Enforcement Agencies, Traditional Regulators, Media, Whistleblowers, Potential Business Partners]
