Compliance Training
Introduction
The training in this presentation is an overview of State and Federal Regulations governing Fraud & Abuse and HIPAA Privacy Policies and Procedures. If additional information is required, please consult the Avysion Healthcare Services Medical Resource Training and Compliance Manual, HIPAA Privacy Policies and Procedures, or Information Management Guide. All manuals can be found online using the links below:
- Training and Compliance Manual nual%201.1.pdf
- Information Management
- HIPAA Manual
Management Responsibilities
For new hires:
- System logons in place
- Facility access for first day of employment
- Training and orientation scheduled
Other responsibilities:
- Make certain that all employees receive ongoing compliance and job-specific training on an annual basis
- Document procedures for operational and functional areas
- Human resources and the system administrator must be immediately informed of any termination or leave of absence
- Any security violations are reported to management and the Designated Compliance Official
- Make certain that all employees have access to a hard copy of procedures relevant to their job function
- Ensure that medical resources are familiar with the Minimum Necessary requirements and are operating accordingly
Corporate Compliance
What is Corporate Compliance? Corporate compliance includes operating in accordance with federal and state laws and regulations.
Corporate Compliance - Fraud & Abuse
Federal Requirements:
- False Claims Act (Deficit Reduction Act of 2005)
- Privacy Act
- HIPAA Privacy and Security Rules: Administrative Procedures, Physical Safeguards, Technical Security
State Requirements:
- Contract-specific basis
Corporate Compliance - Fraud & Abuse
What is the Federal False Claims Act? The nation's most powerful tool in fighting Medicare and Medicaid fraud.
How it works:
- Any person or entity that knowingly submits, or causes to be submitted, false claims for payment from government funds will be liable for significant penalties and fines.
- Civil and criminal penalties are associated with this law.
- The government is allowed to bring civil action against providers to recover damages and penalties when false claims are filed.
Corporate Compliance - Fraud & Abuse
Federal False Claims Act
Violations of this act could include:
- Submission, or causing submission, of a false claim to the US Government for approval or payment
- Creation or use of a false record or statement to receive payment or approval of a false claim by the US Government
- Conspiracy to get false claims paid or approved
- Creation or use of false records or statements to conceal, avoid or minimize the responsibility to pay money or transmit property to the US Government
State False Claims Acts
In addition to the Federal False Claims Act, 10 States have enacted False Claims Acts. They include California, Delaware, Florida, Hawaii, Illinois, Louisiana, Massachusetts, Nevada, Tennessee and Texas, as well as the District of Columbia.
Corporate Compliance - Fraud & Abuse
Civil Penalties for violations of the False Claims Act:
- Dollar amount of the claims
- Three times the amount of damages caused to the US Government as a result of the false claims
- The cost of the civil suit to recover the damages and penalties
The key to the success of the False Claims Act is attributed to the qui tam provisions. Qui tam allows whistleblowers to file False Claims Act lawsuits against companies and individuals that defraud the government. The purpose of these provisions is to recover funds paid by the government for false claims. Individuals MAY be awarded a percentage of funds recovered.
Corporate Compliance - HIPAA
HIPAA Background
The Health Insurance Portability and Accountability Act was signed into law in 1996.
What this means for the Health Care Industry:
- Medical records must be kept private and secure
- Continued access to health care coverage for those that lose or change jobs
- Standard health care transaction formats that contribute to administrative simplification
- Efficient electronic transmissions
Corporate Compliance - HIPAA
HIPAA Privacy and Security Requirements
The appropriate policies and procedures are in place to protect the privacy and security of individually identifiable health care information as required by law. Policies and Procedures are outlined and described in the Avysion Healthcare Services HIPAA Privacy Policies and Procedures Manual.
Corporate Compliance - HIPAA
PRIVACY (WHAT): Refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access the information.
SECURITY (HOW): Refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss.
Corporate Compliance - HIPAA
Due to the constraints imposed by the scope of HIPAA, privacy regulation is applicable only to:
- Covered Entities: Healthcare Providers, Health Plans, and Clearinghouses (ANYONE that uses PHI)
- Business Associates: ANYONE that uses PHI on behalf of a Covered Entity, bound by a Business Associate Agreement
- Protected Health Information (PHI): Individually identifiable health information, transmitted or maintained in any form or medium (includes paper and oral)
Corporate Compliance - HIPAA
What is a covered entity? A Health Plan, Healthcare Clearinghouse, or a Health Care Provider who transmits any health information in electronic form in connection with a transaction covered under HIPAA. Covered entities are required to contractually bind other entities with whom they share PHI ("Business Associate Contracts").
Corporate Compliance - HIPAA
What is Protected Health Information? Protected Health Information (PHI) = individually identifiable information relating to the past, present or future health condition of the individual, client or recipient. ALL information, whether maintained in electronic, paper or oral format.
Corporate Compliance - HIPAA
Privacy Rule Summary
- Inform people of how their information is used
- Require health plans and providers to maintain administrative and physical safeguards
- Allow health information to be used and shared for treatment and payment of health care
- Allow disclosure for national priorities
- Hold accountable entities that violate privacy
- Require NO disclosures except to individuals and HHS for investigation for enforcement
- Require written authorization, received by the covered entity, for use and disclosure for other purposes
Corporate Compliance - HIPAA
Impacts of the Privacy Rule
- Extensive business unit involvement will be necessary to develop policies & procedures consistent with regulations
- Technical and physical security infrastructure must be assessed to ensure safeguards to protect health information are adequate
- Policies and procedures must be strictly enforced to avoid penalties up to $250,000 and prison time up to 10 years
- Business Associate contracts and agreements must be reviewed & modified to incorporate privacy protections
- Initial and on-going training initiatives will be required
Corporate Compliance - HIPAA
Security Rule Overview
Purpose: To protect both the system and the information it contains from unauthorized access & misuse.
Encompasses: All safeguards in a covered entity's structure, including:
- Information systems (hardware/software)
- Personnel policies
- Information practice policies
- Disaster preparedness
Areas Affected:
- Physical safeguards
- Administrative Procedures
- Technical Security
Corporate Compliance - HIPAA
Administrative Procedures
- Certification that appropriate security has been implemented
- Appropriate Business Associate Contracts
- Contingency Planning
- Formal Mechanism for Processing Records
- Information Access Control
- Internal Audit
- Personnel Security
- Security Management Process, Policies & Procedures
- Termination Procedures
- Training
- Etc.
Corporate Compliance - HIPAA
Physical Safeguards
- Assigned Security Responsibility
- Media Controls
- Physical Access Control
- Work Station Use Policies
- Secure Work Station Location
- Security Awareness Training
- Etc.
Corporate Compliance - HIPAA
Technical Security Standards
- Access Control: Procedure for emergency access, and one of user-, role-, or context-based access technology
- Audit Control: Monitoring the communication system and reporting abnormalities
- Authorization Control: Mechanism for obtaining consent for use and disclosure through either user- or role-based access technology
- Data Authentication: Ensures integrity of information, such as through double keying, message authentication code, and virus protection/anti-intrusion programs
- Entity Authentication: Identification of user, including unique user identification
- Communication/Network Controls: Design networks to have minimal gateways and access points
Corporate Compliance - Confidential Information
Confidentiality applies to all forms of information concerning clients or recipients. Such information can be written records, facsimile transmittals, electronic records and mail, and oral communications. All medical resources and employees of Avysion Healthcare Services must comply with all policies and procedures related to the confidentiality of information. Any breach or violation of confidentiality will result in appropriate disciplinary action, up to and including termination. All medical resources and employees of Avysion Healthcare Services will sign a confidentiality statement attesting to their receipt and understanding of the organization's confidentiality policies.
Corporate Compliance - Conflicts of Interest
Medical resources operating on behalf of Avysion Healthcare Services must be free from conflicts of interest that could adversely influence their judgment or objectivity.
Corporate Compliance - Conflicts of Interest
A conflict of interest is defined as any relationship or affiliation on the part of the organization or a reviewer that could compromise the independence or objectivity of the independent review process. Conflict of interest includes but is not limited to:
- An ownership interest of greater than 5% between any affected parties;
- A material professional or business relationship;
- A direct or indirect financial incentive for a particular determination;
- Incentives to promote the use of certain products or services;
- A known familial relationship;
- Any prior involvement in the specific case under review.
Maintaining and Ensuring Compliance
- Privacy Policies and Procedures are easily accessible in both printed and electronic formats.
- Make certain that the confidentiality of PHI is maintained in all manners of communication.
- Annual Compliance and Ethics Training: within the first 30 days of employment, and at a date selected by management every year after.