Corporate Compliance and HIPAA 2011


1 Corporate Compliance and HIPAA 2011
Description: Annual compliance update training, mandatory for all Aurora caregivers. Includes reminders, information regarding compliance references and resources, and training in areas of special importance. It’s estimated it will take 45 minutes to complete this course. Instructions for Printing to Paper: From the PowerPoint toolbar, select File, Print. Under “Print What”, select Handouts. Under “Color/Grayscale”, select Grayscale. Under “Handouts/Slides Per Page”, select 2. Select OK. Content Contact: Nancy Vogt, Director, Corporate Compliance. Created: May 2005. Updated: January 2011.

2 Learning Objectives After completion of this course, you will be able to: Describe your role and responsibilities in helping ensure that Aurora fulfills its legal and ethical obligations, including actions to take in the event of a compliance concern or question. Explain the healthcare laws that relate to the work that you do. Describe compliance resources that are available to you. Describe how to protect patient privacy in accordance with the HIPAA Privacy and Security Rules, and how to appropriately use and protect Aurora’s electronic systems.

3 Would you know what to do?
Would you know what to do if you were approached by an FBI agent at home or at work who started asking questions about your department or practice?

4 Would you know what to do?
Do you know why you cannot just ignore a situation at work that seems illegal or unethical? Do you know how patients and the government may find out if you viewed health information when it was not necessary to perform your job?

5 Stay Tuned to Learn the Answers
Stay tuned to learn the answers to these and other questions you may have, because it’s time for your favorite program…

6 The Aurora Health Care Compliance Program
Carrie Killoran, Chief Compliance and Integrity Officer

7 Message from Nick Turkal, MD
Our 2011 season premiere includes a special message from our President and CEO, Nick Turkal, M.D. Nick will lead us off by explaining why ethical and legal conduct is so important at Aurora Health Care. Nick Turkal, M.D. President and Chief Executive Officer

8 High Integrity Caregivers
“We know that when caregivers are engaged at work, it makes a positive difference for our patients.  Ethical and legal conduct is a component of this engagement – it helps make Aurora an organization of high integrity caregivers who are proud of our work. An ethical work environment helps to ensure that we can deliver an excellent patient experience, which is by far our paramount goal.” Nick Turkal, MD President & CEO

9 Code of Ethical Conduct
Our Code of Ethical Conduct places the PATIENT FIRST, ALWAYS. You’ll note the title includes, “Providing patient-centered care with integrity.” The Code provides guidance to all caregivers, physicians, contractors, and those who do business with us. The Code’s guidance relates to our conduct as caregivers, and our conduct as an organization. Some of the areas it speaks to are: - High quality and safe patient care - Accurate documentation and billing practices - Appropriate relationships with physicians, vendors, and government representatives

10 Code of Ethical Conduct
ACTION: Read the Code of Ethical Conduct. You can find it on: - The Compliance and Ethics website. - The Employee Connection iConnect (under “Tell Me About… Aurora Policies and Procedures”)

11 2011 Schedule of Topics
- Gifts and the Caregiver - Documentation and Billing - Physician Financial Relationships - Privacy and Security of Health Information - Other Compliance and Legal Requirements - Reporting Compliance and Ethical Concerns - Government Investigations - How Compliance Fits In

12 Gifts and the Caregiver
Let’s tune in…

13 Gifts and the Caregiver
In general, we think of gifts as being something good — and they are! We like to receive gifts, and we feel good when we give gifts. In health care, however, a gift might be a problem and giving or receiving it might violate Aurora’s Gifts and Business Courtesies Policy. What do the items below have in common?

14 Gifts and the Caregiver
They’re all considered to be gifts. Keep in mind that a “gift” in terms of our policy means anything of value.

15 Why is this not allowed? The following are examples of how gifts can be used inappropriately (and in some cases, illegally) in health care. A vendor offers to pay for the registration and travel for four Aurora caregivers to attend a professional association conference. Why is this not allowed? The vendor is using a gift to potentially influence our continued business. We need to choose products based upon what is best for our patients in terms of quality, effectiveness and cost. A clinic offers $25 restaurant certificates to all patients who make an appointment with a new physician. Why is this not allowed? The clinic is trying to influence patients to choose a physician because of a gift, not because that physician is the best choice for the patient. A patient offers a $100 gift card to a caregiver for exceptional service. Why is this not allowed? All caregivers are expected to offer exceptional service to patients. This caregiver may come to expect rewards from patients just for doing her job, and patients may come to believe they must offer gifts in order to get the best service.

16 Influence of Gifts Gifts such as the examples just provided create ethical issues. We need to select our vendors based upon what is best for our patients… Patients need to select Aurora as their health care provider because we offer the best quality, service and cost… We need to do our jobs with the highest quality and service possible… …because our PATIENTS ARE FIRST, ALWAYS, not because we are influenced by or influence others with gifts.

17 Illegal It is also important for you to know that in some cases, gifts are illegal under federal law. The Anti-Kickback Statute prohibits offering or receiving anything of value when the intent is to influence decisions related to items or services that will be billed to a federal health care program. Violating this law is a felony. Penalties can include a fine and/or a prison sentence. The government takes kick-backs seriously. The construction project manager at MetroHealth, an Ohio health system, faces up to 11 years in prison for accepting gifts from a construction company with whom MetroHealth did business.

18 Under Federal Law Individuals and Organizations Fined
Under federal law, an organization (like Aurora) can be fined, or an individual working for Aurora can be fined and/or sentenced to prison. Federal law (Civil Monetary Penalties) prohibits offering gifts to patients in order to influence them to seek services. Penalties can include a $10,000 fine per item offered. The government takes patient inducements seriously. One example occurred in Texas. A home health agency received a significant fine for offering free nursing services to patients.

19 A Word About Vendors You may be wondering, who is a vendor?
A vendor is anyone who does business with Aurora. This includes many types of businesses, including: Any company or business that provides us products or services (whether or not the products or services are directly related to patient care) Any other health care provider with whom we contract or with whom we share patients (for example, a nursing home, a medical director, etc.)

20 Vendor Gift Examples Examples of gifts that might be offered by a vendor include (but are not limited to): - Promotional items such as pens and coffee mugs - Gift cards - Restaurant certificates - Trips/travel or registration fees for professional association conferences - Tickets to sporting events - Meals (at work or outside of work). Work areas should be free of items with outside vendor logos.

21 Gifts Must Benefit Patients
The Gifts and Business Courtesies Policy allows us to accept some gifts, depending upon the purpose and circumstances and only if the gift will benefit our patients. Promotional Items: Caregivers may not have promotional items provided by vendors (such as pens, notepads, coffee mugs, etc.) on the premises of any Aurora facility. Food and Meals: Vendors are not allowed to bring in food or meals to an Aurora facility. Vendors may provide financial support for meals at educational events through grants managed by the Aurora Grant Development office. Vendors may pay for meals that are provided at an off-site business meeting held during meal times, as long as the value of the meal is $25 or less for breakfast or lunch, and $50 or less for dinner. Patient Educational Materials: Journal reprints and patient educational materials may be accepted from vendors, even if they are branded with the vendor’s name and logo. The Gifts and Business Courtesies Policy addresses these and additional types of gifts. Patients First, Always

22 Gifts to Patients Gifts (anything of value) may be offered to patients only if: The gift is not in the form of cash or a gift card (unless the gift card has been approved by Compliance) The gift is valued at $10 or less; and the total for all gifts given during the year is $50 or less; or The gift is a free service that meets one of the exceptions in the law. If you have not received specific training on these exceptions, contact a compliance officer before offering the free service; or The service is discounted through the Helping Hands financial assistance program.

23 Gifts from Patients A caregiver may accept a gift from a grateful patient only if: The gift is a modest token of appreciation (approximate value of $50 or less); The gift is not cash or a cash equivalent (such as a gift card); and The circumstances are such that the refusal of the gift could hurt the patient’s feelings or otherwise be counterproductive to a patient relationship. If possible, patients who wish to give a gift should be directed to the Aurora Foundation. When a gift does not meet the guidelines above and cannot be graciously refused, the gift may be accepted and must be delivered to the Aurora Foundation. Perishable gifts like food and flowers should be shared with the caregiver’s co-workers.

24 Gifts and Business Courtesies Policy
The Gifts and Business Courtesies Policy addresses various types of gifts, including some of those already discussed: Gifts from vendors Gifts from patients Gifts to patients Gifts among caregivers Gifts to government officials Vendor-sponsored events Food and meals Charitable contributions The policy also includes enforcement of the policy, both for caregivers and vendors. The policy, however, does not include all types of relationships with vendors (for example, training provided by vendors on their products, consulting relationships with vendors, accepting samples and demo items, etc.) These other vendor relationships will be addressed in a separate policy.

25 Conflict of Interests Policy
We are also committed to managing any conflicts of interests that caregivers, physicians, or board members may have. A conflict of interest can occur when there is a personal interest in an entity with which Aurora does business. It may be difficult for a person in this situation to act in Aurora’s best interest. That is why our leaders, physicians, and board members are required to disclose their potential conflicts. A few examples of potential conflicts are: An administrator is selecting a new cleaning service for her clinic. One of the two services under consideration is owned by her brother-in-law. A physician’s son is a sales representative for a medical device company. The physician is in a position to select the company that will supply medical devices for his patients. A caregiver is participating in confidential negotiations between Aurora and two medical device companies that offer similar products. The caregiver accepted a gift from one of the companies in exchange for information regarding the other company’s proposed pricing. [Note: while most conflicts can be managed, this type of conflict is strictly prohibited.]

26 Take Action! ACTION! Before accepting or offering a gift of any kind, review the Gifts and Business Courtesies Policy (AHC System Policy #130). If you potentially have a conflict of interest that needs to be disclosed, review the Conflicts of Interest Policy (AHC System Policy #80.) **Add Aurora Administrative Manuals to your quick links in iConnect. Click on Aurora System Manual, click on Table of Contents on the right hand side and scroll to the above policies.

27 A Word From Our Sponsor – Gifts
QUIZ QUESTION: If a vendor who does business with Aurora Health Care made the following offers to you, which one could you accept? a. A ticket to the Packers vs. Bears Game b. A free lunch at work while you listen to the vendor representative explain his products c. An educational booklet for patients about managing their diabetes d. None of the above

28 A Word From Our Sponsor – Gifts
QUIZ ANSWER: c. You may accept an educational booklet for patients about managing their diabetes. This puts the patient first, always!

29 Documentation and Billing
Up next…

30 Code of Ethical Conduct Summary
Our Code of Ethical Conduct summarizes our obligations related to documentation and billing. The first two are: First, we will document diagnosis and treatment accurately and in a timely manner. Second, we will bill only for services that are actually provided and appropriately documented.

31 Code of Ethical Conduct Summary - continued
Patients First, Always. While accurate and timely documentation is important for billing, it is even more important for providing the best care possible for our patients. It is also important to recognize that the government is doing more auditing and monitoring than ever before. The auditors will deny payment if documentation does not support our charges. That means we will have provided the best care possible to patients, but will not receive the payment because we failed to document the care. In the recent Recovery Audit Contractor (“RAC”) 3-year pilot program conducted by Medicare, the auditors took back nearly $1 billion in just three states (and that was just the pilot program!).

32 Code of Ethical Conduct Summary - continued
This means every dollar lost due to inadequate documentation is a dollar we cannot spend on our patients and on our caregivers.

33 Inadequate Documentation and Billing Errors
QUIZ QUESTION 1: According to our Code of Ethical Conduct, we will document diagnosis and treatment accurately and in a timely manner. Which one answer below would be considered accurate and timely documentation? a. Documentation was entered into the patient’s record immediately after care was provided b. A dictated report was not signed in a timely manner c. An order for a service was not signed and dated by the physician d. A report was not dictated in a timely manner e. A description of the exam or treatment was brief and did not include all the services that were actually provided.

34 Inadequate Documentation and Billing Errors
QUIZ ANSWER 1: a. Documentation was entered into the patient’s record immediately after care was provided. Documenting and signing immediately after services are provided is best practice.

35 Inadequate Documentation and Billing Errors
QUIZ QUESTION 2: According to our Code of Ethical Conduct, we will bill only for services that are actually provided and appropriately documented. In the list below, which indicate that billing errors have been made? (Choose all that apply.) a. A charge was submitted for a service that was cancelled b. A caregiver accidentally enters a wrong charge code for a service c. Too many charges (units) for a service were submitted d. A charge was submitted for a service that was only partially provided

36 Inadequate Documentation and Billing Errors
QUIZ ANSWER 2: All of the above billing errors were made

37 Avoid Fraud In addition to unintentional or accidental billing and documentation errors, we need to be on the lookout for fraud. Committing fraud means the person knows they are submitting a false claim. Fraud is unethical and illegal. Federal law (The False Claims Act) and Wisconsin state laws prohibit submitting fraudulent claims. Penalties can include paying back up to three times the amount of the charges submitted, plus up to $15,000 per claim. The government takes fraud seriously, and has even deployed special audit and SWAT teams dedicated to finding fraud in health care.

38 Examples of Fraud QUIZ QUESTION:
Committing fraud means the person knows they are submitting a false claim or creating false documentation. Which below indicates fraud has occurred? (List all that apply.) a. A caregiver submits charges for a service that the caregiver knows was never provided b. A physician changes a patient’s diagnosis in order to get a claim covered by an insurance company c. A nurse uses a physician’s ID and password to document in the patient’s electronic health record.

39 All of the examples listed are examples of fraud!
QUIZ ANSWER: All of the examples listed are examples of fraud!

40 Government is Fighting Fraud
Some recent actions by government agencies are examples of how the government is fighting fraud, waste, and abuse in health care, and demonstrate how serious the consequences of fraud can be. In March, 2010, a Detroit-area physical therapist was sentenced to 62 months in prison for submitting claims to Medicare and falsifying medical records for services that were not actually provided to Medicare beneficiaries. The therapist will also need to repay $2.9 million in restitution. In January, 2009, nine podiatrists in Manhattan were sentenced to prison terms ranging from 6 months to 63 months for committing Medicare fraud. Four of their billing and administrative staff were previously convicted of charges. These podiatrists handed out flyers advertising “free treatment,” and falsified their patients’ conditions in their medical records in order to get claims paid for services that otherwise would not have been covered by Medicare.

41 How to Handle Billing Errors
Our Code of Ethical Conduct describes how we handle our billing errors: First, we will correct any billing errors and refund money received in error in a timely manner. Second, we will refund over-payments in a timely manner.

42 Report Possible Issues
Paying back money to our patients, Medicare and other payers that we should not have received is the right thing to do, and our patients would expect us to do so. Failure to repay in a timely manner can also mean significant financial penalties under the False Claims Act. One of the ways we detect billing errors is by performing audits. We also find billing errors because caregivers report possible issues to our compliance officers.

43 Take Action! ACTION! Our Detecting, Preventing and Responding to Fraud, Waste, and Abuse Policy (AHC System Policy #174) provides more details. Add Aurora Administrative Manuals to your quick links in iConnect. Click on Aurora System Manual, click on Table of Contents on the right hand side and scroll down to the policy. If you believe you might know of a possible billing error or a practice that might create billing errors, or if you suspect someone in your area is committing fraud, report your concern to a compliance officer or to the anonymous Compliance Hotline at Hotline. The phone numbers of compliance officers and the Hotline are listed on the Compliance & Ethics website.

44 A Word From Our Sponsor – Accidental Billing
QUIZ QUESTION: If Aurora Health Care learned we accidentally billed Medicare for a service that was not provided, which of the following is true? a. We must pay the money back to Medicare. b. We can keep the money because it was an accidental mistake. c. It is up to us to determine whether or not we pay the money back to Medicare.

45 A Word From Our Sponsor – Accidental Billing
QUIZ ANSWER: a. We must pay the money back to Medicare! Paying back money to our patients, Medicare and other payers that we should not have received is the right thing to do, and our patients would expect us to do so.

46 Physician Financial Relationships
Stay tuned…

47 Code of Ethical Conduct with Physicians
Our Code of Ethical Conduct requires ethical relationships with our physicians. It is important to our patients that physicians choose to practice at Aurora facilities because we offer the best patient experience available anywhere, not because we create inappropriate financial relationships with our physicians.

48 Physician Compensation and Services
Federal law, including “Stark” and the Anti-Kickback Statute, must also be considered whenever money changes hands between Aurora and a physician. These laws are complex, and you should contact a compliance officer for assistance. Two important guiding principles in these laws are: Physician compensation arrangements require a written agreement to be signed by both parties, in advance of any services being provided. There are specific requirements for these agreements. Compensation must be set at Fair Market Value (“FMV”). In addition, any items or services provided to physicians (like office space leases, advertising services, etc.) must be charged at FMV. Finally, FMV may not necessarily be Aurora’s costs for those services, but rather must reflect what those services would cost the physician if he purchased them in the local market. Due to the complexity, do not attempt to create your own agreements. When you need an agreement to be drafted, contact the Contract Coordinator in the Legal Services Department.

49 Physician Gifts and Courtesies
All gifts, entertainment, and business courtesies (with limited exceptions) offered to physicians must be entered into the Physician Gifts and Courtesy tracking system on iConnect. It is important to enter the benefit before offering it, to ensure the maximum annual limit is not exceeded.

50 Physician Gifts and Courtesies
These same laws limit non-monetary gifts, entertainment, and business courtesies that we can offer to physicians who refer or may refer patients to Aurora entities. This also applies to our own employed physicians in some situations. No gift, regardless of the value, can be given if the intent is to solicit referrals from the physician. Gifts for appropriate purposes are limited to a maximum of $355 per physician per year, and can never be cash or a cash equivalent.

51 Gifts and Courtesies Website
All gifts, entertainment, and business courtesies (with limited exceptions) offered to physicians must be entered into the Physician Gifts and Courtesy tracking system on iConnect. It is important to enter the benefit before offering it, to ensure the maximum annual limit is not exceeded. Managers and above automatically have access to this tracking system, and can delegate access to others when appropriate. The rules regarding physician gifts and courtesies are detailed and can be confusing. There is helpful information on the tracking system website. If you have any questions, contact a compliance officer.

52 Take Action! ACTION! Review the Physician Services Agreements Policy (AHC System Policy #180) to learn more about the requirements for agreements. Add Aurora Administrative Manuals to your quick links in iConnect. Click on Aurora System Manual, click on Table of Contents and scroll down to the policy. Direct any questions, including how to determine Fair Market Value, to the Chief Compliance & Integrity Officer (Carrie Killoran) or to the Deputy Chief Compliance Officer (Nancy Vogt.)

53 Privacy and Security of Health Information
Next in today’s line up…

54 Preserve Confidentiality of Patient Information
Patients First, Always. One of the most difficult aspects of protecting the privacy of our patients’ information is that we personally know some of our patients, and we want to read their health information because we care (or maybe just because we’re nosy). Sometimes we do not know our patients personally, but we want to know something out of curiosity. Our Code of Ethical Conduct, however, requires us to preserve the confidentiality of patient information. It is what our patients expect of us.

55 Privacy Information for Your Job
New caregivers must complete privacy training specific to their job duties. Select the appropriate option below. - First time you are taking this annual course: Proceed to the appropriate job duty/description listed on the following pages. See the additional handout provided to you pertaining to your job description. Then return to this handout for completion. - Hired prior to 2011 and have taken this course before: You are not required to repeat the job-specific privacy module. Continue with this current handout.

56 Privacy Information for Your Job
Read each of the seven descriptions below. Proceed to the section that most closely describes your job. Talk to your supervisor if you have questions about which to use. 1. Patient Care – If you are involved in patient care on a regular basis and are not a physician or other mid-level provider. 2. Physicians/Providers – If you are a physician, nurse practitioner, physician assistant or other mid level provider. 3. HIM – If you work in a health information/medical record department or otherwise deal with medical records on a regular basis. 4. Business Office – If you work in the Central Business Office (CBO) or are involved with billing/payment services.

57 Privacy Information for Your Job- cont’d
5. Patient Access – If you work in Patient Access, are a Customer Service Representative or otherwise work with scheduling, admitting, and registering patients or if you provide switchboard, greeting, concierge, or general information services. 6. Human Resources – If you work in Human Resources (including Compensation & Benefits, Employee Health, Employment, Human Resource Services, Loss Prevention, or Physician Recruitment) or otherwise work with the health information of employees. 7. Other Staff Who Use Patient Information – If you use patient information for marketing, research, fundraising, decision support, other report-writing, computer hardware and software deployment/maintenance, or quality improvement. All other staff who do not use patient information – Continue to the next page.

58 Protect Patient Health Information
Federal law (The HIPAA Privacy Rule) and Wisconsin state laws require us to protect patient health information in many different ways, and to allow patients certain rights in regards to their health information.

59 Protect Patient Health Information Three General Principles
General Rules – There are three general principles that will help you protect patient health information and obey these laws. 1. To Do Your Job – You may only access patient information to do your job. 2. Use What You Need – You may only use as much information as you need to do your job. 3. Limit What You Share – You must limit the amount of information you share to that which is needed for others to do their jobs.

60 How to Access Your Own Information
This also means that you may not access your own information if you do not need to do so to perform your job duties (and this should be avoided whenever possible even if job-related.) To access your information for personal reasons, contact the facility’s medical record department. In other words, follow the same process as our other patients.

61 Information Belongs to the Patient
Remember! The information belongs to the patient. If you use it without a job-related need to do so, it is no different than stealing the information from the patient.

62 Take Care Faxing Information
Don’t use Aurora’s electronic health record for personal use, like for looking up the room number of a patient you wish to visit. You may see more than you should. Verify paperwork that you hand to a patient, you mail or you fax – make sure it doesn’t have another patient’s health information mixed in. Take the extra seconds to verify the fax number is correct before hitting “send.” Find a private place to hold a discussion with your patient. Do not leave confidential documents unattended, and do not leave patient information on computer screens that might be viewed by others. Keep your voice low when discussing patient information in a public area. When you recognize a patient is a friend, co-worker, or another person you know, respect their privacy and keep their presence confidential. When you are not sure if you can disclose a patient’s information without the patient’s consent, take the time to find out if you may do so. It is not in the patient’s best interests to simply decide not to disclose. Something as seemingly simple as faxing patient information to the wrong fax number can become a real problem for our patients, depending upon who is on the receiving end of the fax. Patients First, Always

63 Keep Information Safe Don’t use Aurora’s electronic health record for personal use, like looking up the room number of a patient you wish to visit. You may see more than you should. Verify paperwork that you hand to a patient, you mail or you fax – make sure it doesn’t have another patient’s health information mixed in. Take the extra seconds to verify the fax number is correct before hitting “send.” Find a private place to hold a discussion with your patient. Do not leave confidential documents unattended, and do not leave patient information on computer screens that might be viewed by others. Keep your voice low when discussing patient information in a public area. When you recognize a patient is a friend, co-worker, or another person you know, respect their privacy and keep their presence confidential. When you are not sure if you can disclose a patient’s information without the patient's consent, take the time to find out if you may do so. It is not in the patient’s best interest to simply decide not to disclose. Patients First, Always

64 Sharing Patient Information
General Rules – Some caregivers experience confusion regarding sharing patient information with the patient's family and/or friends. There are three principles to remember. 1. In the Patient’s Best Interests – If the patient is not present or is incapacitated, information may be shared if the Aurora caregiver determines that sharing the information is in the best interests of the patient. In other words, use your professional judgment when you cannot ask the patient for permission. 2. Relevant Information Only – When you do share information with family or friends, limit the information discussed to that which is relevant to their involvement with the patient. Remember – your patient may have agreed to the discussion, but they cannot always anticipate what you plan to reveal. 3. Patient Verbally Agrees – If the patient is present, information may be shared with a family member or friend if the patient verbally agrees. Document the verbal agreement in the patient’s medical record.

65 Rules for Disclosing to Others
The rules for disclosing information to others (like life insurance companies, attorneys, law enforcement, etc.) are more complex: In many cases, the patient’s written authorization is required. Use the Disclosure Manual on the Privacy website on iConnect to determine if a written authorization is required. If you cannot find the answer, contact your local privacy officer. When in doubt, check it out. While we are committed to cooperating with law enforcement, not all officers understand the privacy laws. There are very limited circumstances in which we can report or disclose information to law enforcement. Take the time to verify that a disclosure is permissible. Privacy laws do not require immediate disclosure, unless there is a situation where someone may be imminently harmed. Contact a privacy officer for assistance when you are not sure what to do. In an emergency, do what you believe is in the best interest of the patient (or others if the patient is threatening harm.)

66 Medical Identity Theft
One concern that we often hear from our patients is that they may become a victim of identity theft. Each of us understands how frightening and expensive it can be if someone steals our identity. In addition to protecting the identity of our patients, it is important for us to “raise a red flag” if we notice something about a patient’s information is not as it should be. Departments that manage billing, patient access and registration have procedures in place for raising these red flags. Anyone, however, can do so by contacting your local privacy officer.

67 OUR PRIVACY OFFICERS HAVE REAL-LIFE SCENARIOS TO SHARE
Privacy Scenarios – Our privacy officers want to know if you’re ready for the… Privacy Scenario Challenge?

68 Can this information be disclosed?
A law enforcement officer states he is conducting an investigation related to drug-seeking behavior and asks for a patient’s visit history and prescription information. Privacy Scenario Challenge

69 Can this information be disclosed?
There are times when we can report limited patient identifiable information to law enforcement, such as to report certain wounds and burns, a crime committed on our premises, or an imminent threat of harm to the patient or others. Reporting these is either required or permitted by law, but disclosure of PHI for an investigation has very few allowable exceptions. “Reporting” is different in this case than “disclosure.” Great job!

70 Are staff allowed to review the patient’s record?
A patient is transferred from the Emergency Department to the Cardiac Cath Lab for emergency treatment. Staff from the Emergency Department that provided the initial care want to check the patient’s electronic health record to see how the patient is doing after the cardiac treatment. Privacy Scenario Challenge

71 Are staff allowed to review the patient’s record?
The answer depends upon the purpose for reviewing the patient’s record. If the review is for educational or quality improvement purposes, it is allowed. If this is merely curiosity, it is not allowed. We can use PHI for legitimate training and quality improvement activities, but not to appease our curiosity. Exactly!

72 Is this disclosure allowed?
Privacy Scenario Challenge A law enforcement officer identifies a minor patient by name and states she is investigating a case of suspected child abuse.

73 Is this disclosure allowed?
Disclosure to law enforcement for the purpose of investigating suspected child abuse is allowed if the child is identified by name. In this scenario, disclosure to an agency such as Child Protective Services could also be made. Behavioral health privacy laws also allow disclosure for this purpose. Disclosure is not limited to the minor child’s record. The suspected perpetrator’s record could be disclosed upon request. Awesome answer!

74 Can this be confirmed? Privacy Scenario Challenge
A patient’s employer contacts our clinic to confirm that their employee has an appointment.

75 Can this be confirmed?
No, unless this inquiry is related to a Worker’s Compensation claim and the appointment is reasonably related to the claim. For non-Worker’s Compensation situations, we cannot disclose a patient’s information to their employer without their signed authorization. When employment-related requests are received such as Return-to-Work forms, it is best to provide the form directly to the patient and let the patient choose to disclose it to their employer. Another option is to obtain a signed authorization from the patient for the disclosure. Right again!

76 Is it permissible to respond?
Privacy Scenario Challenge The Emergency Department receives a call asking about a family member.

77 Is it permissible to respond?
If the patient is present and able to respond, first obtain the patient’s verbal permission to speak with the family member. If the patient is incapacitated or otherwise unable to give permission, the Emergency Department staff may use their professional judgment, in the best interests of the patient. In cases where a caller is attempting to locate their family member and their family member is not present in our facility, we may confirm that the family member is not present in our facility. Inpatient units should follow the Facility Directory procedures when deciding whether or not to confirm a patient’s presence in their facility. Good job!

78 Did the caregiver do the right thing?
A patient’s son asks to see his mother’s medical record in order to read the physician’s last note. The patient is elderly and the son is very involved in her care. The caregiver refused to allow this for HIPAA reasons. Privacy Scenario Challenge

79 Did the caregiver do the right thing?
Access to the full medical record for review would require the patient’s signed authorization unless the son is her legal personal representative. Since the son is asking for limited information, we should first ask the son what questions he may have that he feels might be clarified by the note. If the patient is present and verbally agrees, it would be permissible to show the son the last note. If the patient is not present or is unable to provide permission, you are allowed to use professional judgment in the best interests of the patient. As long as the entire medical record will not be disclosed and discussing the limited content of the record is in the best interests of the patient, the son is allowed to review the note. You’ve got it!

80 Can her friend look up her record?
Privacy Scenario Challenge An Aurora caregiver is worried about her test results. She has not heard back from her doctor. She has a friend in another department that has access to Aurora’s electronic health record.

81 Can her friend look up her record?
This is not permitted. The caregiver needs to call her doctor for the results, or can visit the medical record department and request her records using the established policy and procedure. It is important to note that the access to the coworker’s record will be tracked in the electronic record system. Accesses such as this are routinely audited. Aurora caregivers who have accessed a coworker’s record have had disciplinary action taken against them. To prevent this, just remind the coworker that the appropriate procedure is to call her doctor or stop by or call the medical record department. Exactamundo! Join us again next week for another episode of Privacy Scenario Challenge.

82 HIPAA Security Rules
Thanks for watching another informative episode of Privacy Scenario Challenge. It’s also important to know that Federal law (The HIPAA Security Rule) requires us to…
- Protect electronic patient health information from unintentional disclosure
- Guard the integrity of data to make sure it is not altered in a way that might harm patients
- Make sure data is available to us as we take care of our patients

83 HIPAA Security Rules - continued
It is also important to note that other confidential information related to our organization needs to be kept private and secure as well.

84 Ways to Manage Electronic Information Risks
When It Comes to Security, The Best Offense is Our Defense
There are ways to manage risks to the security of electronic information:
- Do not share your login ID and password. If you think someone else knows your password, change it immediately. Remember – you are responsible for any actions taken using your system account login ID and password.
- Use a strong account password – one that cannot be easily guessed and has at least 8 characters, with one or two numbers in the middle (example: grt2s8fa).
- Log out or suspend applications whenever you leave the computer or mobile device unattended and at the end of your work day.
- Be careful when opening attachments unless you know the sender can be trusted (to prevent computer viruses from finding their way into our systems).

85 Manage Mobile Devices
One of the biggest risk areas for patient information is information on our mobile devices including:
- Laptops
- BlackBerries
- Smartphones
- iPhones
- iPads
- USB drives
If you know of a security risk that is not being properly managed, report it to the Service Desk or to our Information Security Officer.

86 Protect Our Patients – Mobile Device Tips
- Use password protection on your mobile device
- Refrain from storing confidential information on any mobile device
- Use encryption if you store confidential information on any mobile device
- Keep your device out-of-sight when unattended - especially when traveling
- Remove your device from cars or other vehicles – especially overnight

87 Special Patient Information Databases
Some Aurora caregivers have a need to create a special database with patient information. This might be a simple Excel spreadsheet, a more complex Access database, or any other way of storing patient information outside of Aurora’s electronic health record systems or other major computer systems.

88 Bring Databases Into Compliance
It is important to understand that our major computer systems that store patient information have been evaluated to make sure they meet HIPAA Security Rule requirements and that they adequately protect the privacy of our patients. “Home-grown” databases created by Aurora caregivers may not meet these requirements, although there are things that can be done to bring them into compliance. For example, encryption and password protection might be added.

89 Implications for Legal Medical Records
In addition to privacy and security issues, some databases create issues related to the legal medical record. It must be determined if the information being stored meets the definition of what is included in the legal medical record. If yes, the medical record department needs to know about the database in order to fully respond to mandates to produce the entire medical record. We also need to determine and document the legal retention requirements for the database. Issues related to databases can be complex. Contact the Aurora Service Desk before creating a new patient information database, so that the appropriate experts can be brought in to assist.
Patient Name | Last Cholesterol | Last F/U Contact
Jane Doe | 240 | 9/10/2010
John Smith | 259 | 7/14/2010

90 Breach Notifications to Patients and the Government
Federal law requires that, in certain instances: We notify the patient of a privacy breach within 60 days of identifying it. (For example, we may need to notify a patient when a caregiver has “snooped” in a friend or neighbor’s record.) We provide a list of privacy breaches to the government on an annual basis. Notify Aurora’s Chief Privacy Officer (Peg Schmidt) or your local privacy officer of any suspected privacy breach, as soon as you identify the issue. In many cases, we can take action to prevent harm to the patient resulting from the breach. Preventing harm in some cases may also mean we are not required to notify the patient and the government. Preventing harm is doing what is best for our patients. Patients First, Always

91 Breach Notification to the Media
Federal law also requires us to notify the local media in some cases when a privacy or security breach involves more than 500 patients. Imagine how this might affect patient loyalty! A psychiatric hospital in Louisville, Kentucky disclosed that a flash drive with unencrypted data on 24,600 patients was missing and attempts to recover it were unsuccessful. In addition to sending letters to the patients, the hospital ran a legal advertisement in the Louisville daily newspaper. A hospital in Bowling Green, Kentucky disclosed that a hard drive from the hospital’s mammography unit with unencrypted health information on 5,418 patients was reported stolen and has not been recovered. The hospital is working to change their processes so that information is stored on a secure network and not on hard drives that can be stolen.

92 Fines and Prison Sentences
A prison sentence for peeking at patient records!!! Penalties for violating HIPAA Privacy and Security Rules include fines up to $1 million and prison terms up to 10 years. The government takes HIPAA violations seriously. For example, an ex-UCLA employee (a physician) was sentenced to four months in prison for accessing the health records of patients in the health system’s electronic health record without a job-related need to do so. Most of the accesses involved well recognized celebrities.

93 Take Action!
Use the Privacy Website on iConnect to access guidelines, the Disclosure Manual, and other helpful information. Contact information for all privacy officers and our Information Security Officer is also available on the website.

94 A Word From Our Sponsor – Patient Information Displayed
QUIZ QUESTION: If you saw a computer in an Aurora facility that was displaying patient information where people walking by could easily see it, what are you expected to do?
a. Nothing – it is not your responsibility to worry about how another department treats patient information.
b. Read the information on the computer to see if there is anything that might be harmful to the patient if it were seen by others. If you don’t think there will be harm, you can do nothing.
c. Find someone in the department and tell them about the computer.

95 A Word From Our Sponsor – Patient Information Displayed
QUIZ ANSWER: c. Find someone in the department and tell them about the computer.

96 Other Compliance and Legal Requirements
Coming up next…

97 Other Compliance and Legal Requirements
Other important compliance and legal requirements you should be aware of include:
- EMTALA or Emergency Medical Treatment and Active Labor Act
- Criminal background checks or reporting
- Verification of Licensure, Registration and Certification
- Civil Rights

98 EMTALA (Emergency Medical Treatment and Active Labor Act)
- EMTALA requires hospitals with emergency departments to screen and treat the emergency medical conditions of patients in a non-discriminatory manner to anyone, regardless of their ability to pay, insurance status, national origin, race, creed or color.
- EMTALA applies to any patient presenting on the hospital “campus”, which means the physical area immediately adjacent to the provider’s main buildings, other areas and structures that may not adjoin the main buildings but are located within 250 yards of the main buildings.
- If an emergency medical condition exists, treatment must be provided until the emergency medical condition is resolved or stabilized.
- If the hospital does not have the capability to treat the emergency medical condition, the patient must be “appropriately” transferred to another hospital.
- Hospitals with specialized capabilities are obligated to accept transfers from hospitals who lack the capability to treat unstable emergency medical conditions.

99 Criminal Conduct: Checks and Reporting
Aurora performs criminal background checks on all caregivers, and in doing so, complies with Wisconsin law. As an Aurora caregiver, you are required to report:
- Convictions of any crime
- Substantiated findings of or current investigations related to abuse, neglect, or misappropriation
- Professional credential restrictions, limitations, or revocations
- Program licensure limitations, revocations or denials
- Discharge from any branch of the U.S. Armed Forces, including any reserve component
- Residency outside the state of Wisconsin
- Rehabilitation review requests
If you have something to report, you must make your report:
- To the Human Resources Department
- In writing
- As soon as possible, and within 3 days of the occurrence of the event

100 Proof of Rehabilitation
There are a number of crimes that require proof of rehabilitation in order to be eligible to work in health care in Wisconsin. If you have committed any of the following crimes, you need to show proof of rehabilitation:
Regulatory approval, employment as a caregiver, and nonclient residency at and contracting with an entity are prohibited until rehabilitation approval is received, for all entities and programs that serve any clients who are under the age of 18. (For additional federal foster care bars, see part III. below.)
Wis. Stats. Crime
- 1st degree intentional homicide
- 1st degree reckless homicide
- Felony murder
- 2nd degree intentional homicide
- Assisting suicide
- (2) through (6) Battery (felony)
- (2) or (3) Sexual exploitation by therapist; duty to report

101 Proof of Rehabilitation – Cont’d
- (1), (2), or (3) 1st, 2nd, or 3rd degree sexual assault
- Abuse of vulnerable adults (misdemeanor or felony)
- Abuse of residents of a penal facility
- Abuse or neglect of patients & residents (misdemeanor or felony)
- (1) or (2) 1st or 2nd degree sexual assault of a child
- Repeated acts of sexual assault of same child
- (2) (a), (b), or (c) Physical abuse of a child - intentional causation of bodily harm
- Sexual exploitation of a child
- Causing a child to view or listen to sexual activity
- Incest with a child
- Child enticement
- Soliciting a child for prostitution
- (2) (a) or (am) Exposing child to harmful materials or harmful descriptions or narrations (felony)

102 Proof of Rehabilitation – Cont’d
- Possession of child pornography
- Child sex offender working with children
- (1) Neglect of a child - resulting in death (felony)
- Abduction of another's child; constructive custody
OTHER OFFENSES
- Finding by a governmental agency of neglect or abuse of a client, or of misappropriation of a client's property
- Finding by a governmental agency of child abuse or neglect

103 Licensure, Registration and Certification
There are three important requirements if your job requires you to be licensed, registered, or certified: You must renew your license, registration, and/or certification before it expires. If your license, registration or certification lapses or if limits are imposed, notify your supervisor immediately. Your supervisor will assist you in determining what to do. If state law sets limits for your scope of practice, you must stay within those limits. If someone asks you to perform duties that are not within your scope of practice, contact your supervisor or a compliance officer for assistance.

104 Introducing Civil Rights
Individuals who participate in state and federally funded health and social service programs have special protections against discrimination. Because Aurora Health Care receives funds such as these, for example, Medicare and Medicaid payments for services, this applies to both our patients and our caregivers. Before explaining these protections, or “civil rights,” it will be helpful to know a few definitions…

105 Civil Rights-Definitions
“Discrimination” is a direct action, whether intentional or not, that results in the unequal treatment or causes an adverse impact on categories of people protected by law. “Person with a disability” is one who: Has a physical or mental condition that substantially limits a major life activity; Has a record of such a condition; or Is regarded as a person with a disability. Reasonable Accommodation: A person with a disability may make a request for a reasonable accommodation, and this must be given by the service provider free of charge. If the person is deaf or hard of hearing and requires a language sign interpreter, the service provider must offer, at the very least, an interpreter with minimum national certification requirements (RAD or NAD.)

106 Civil Rights-Definitions
Limited English Proficient (“LEP”) Speaker: A person who cannot speak English well enough to be able to fully participate in a program or service must be provided an oral interpreter who is competent in the LEP speaker’s primary language (both linguistically and culturally) and in English.
CIVIL RIGHTS
Individuals may not, because of their race, color, national origin, gender, age or disability:
- Be denied any service, financial aid or benefit provided under a federally funded program;
- Be subjected to segregation or separate treatment in a federally funded program;
- Be provided any service, financial aid or benefit that is different or is provided in a different manner from the way that service is provided to others;
- Be denied access to a service because buildings or facilities are not physically accessible to persons with disabilities or because no accommodation was provided to enable effective communication with the service provider; or
- Be provided services without a competent interpreter in the primary language of a person who has limited English proficiency.

107 Civil Rights Complaints
If you believe you have been discriminated against as an employee of Aurora Health Care, contact your local Human Resources Department. If a patient informs you that he or she has been discriminated against by an Aurora caregiver or physician, contact the Compliance Department for assistance. Individuals who believe they have been discriminated against have the right to file a complaint with their County Department of Human Services. If not satisfied with the County’s response, they can file a complaint with the Wisconsin Department of Health Services, Affirmative Action and Civil Rights Office. Complaints can also be filed directly at the federal level with the U.S. Department of Health and Human Services, Office for Civil Rights – Region V.

108 Take Action!
If you have any questions regarding:
- EMTALA, review the EMTALA: Screening, Stabilization and Transfer Policy (AHC System Policy #179).
- Criminal background checks or reporting, review the Criminal Background Checks Policy (AHC System Policy #127).
- Licensure, registration or certification, review the Verification of Licensure, Registration and Certification Policy (AHC System Policy #33).
- Accessing sign and other language interpreters, review the Interpreter Services Policy (AHC System Policy #101).
If the policies do not provide answers to your question, see your supervisor, contact a compliance officer or your Human Resources Representative. Add Aurora Administrative Manuals to your quick links in iConnect. Click on Aurora System Manual, click on Table of Contents on the right hand side and scroll down to the policy.

109 Reporting Compliance and Ethical Concerns
Stay tuned …

110 Report Concerns
Our Code of Ethical Conduct requires you to report any concerns you might have regarding possible unethical and/or illegal conduct at Aurora. Report your concern in any of the following ways…

111 General Compliance Concerns
Discuss your concern with your supervisor or a higher level leader; or Contact a compliance officer or the Chief Compliance & Integrity Officer (names and contact information are listed on the Compliance & Ethics website); or Call the Compliance Hotline at You may choose not to leave your name or other contact information if you wish to remain anonymous. Record this number now and keep it in a handy place.

112 Privacy and Security Concerns
Call the Privacy Hotline at ; or Use one of the options listed for general compliance concerns. It is important to know that Aurora’s policy and the law prohibit taking any action against you (“retaliation”) just because you reported a compliance concern.

113 Take Action!
Record the Compliance Hotline number:
HINT: You will need to know this number in order to pass the test at the end of this course.

114 Government Investigations
Latest updates…

115 Compliance Department Assistance
Our Code of Ethical Conduct requires that we cooperate with government investigations. Your Compliance Department will assist in all investigations to make sure your legal rights are protected as well as Aurora’s legal rights as an organization. There are several important things to know...

116 Important Facts
Searches by law enforcement or government agents are not allowed unless a search warrant is presented. Do not verbally agree to a search in the absence of a valid search warrant. The first thing to do is to politely escort the officer or agent to a private area. Ask to see his or her official identification (a badge or business card.) Immediately contact the Chief Compliance & Integrity Officer, Carrie Killoran. If you cannot locate Carrie, check the Compliance website for compliance officers to contact. If you cannot reach a compliance officer, contact Mike Lappin, General Counsel. Do not just leave voice mails or messages, but rather make sure you make direct contact with a compliance officer. Inform the officer or agent that a representative from Compliance is on their way.

117 Your Rights if Contacted by a Government Investigator
A government investigator has the right to contact any caregiver to request an interview. The investigator may contact you at home or at work. You may choose to speak to the investigator, or you may refuse. He or she does not have the right to insist upon an interview. If you speak to the investigator, you have the right to end the interview at any time. If you are subpoenaed to speak with a government investigator, you may request an appointment for a different date. If you agree to speak to the investigator, no matter who else is present, you must tell the truth. State only facts that you know, not guesses and not rumors.

118 Your Rights if Contacted by a Government Investigator - continued
It is extremely helpful if you immediately contact your supervisor and/or Aurora’s legal counsel. The investigator may ask you to keep the contact confidential, but there is no law that would prevent you from disclosing any detail of your discussion with your employer. Any statements you make may be considered legal admissions, which can be used against you and/or against Aurora in a legal proceeding. If you agree to speak to the investigator, you have the right to confer with an attorney first, and to have an attorney present during the interview. Depending upon the circumstances, you may choose to use your own attorney or the matter may be handled by Aurora’s attorneys. Do not destroy any documents or attempt to hide evidence.

119 Take Action!
Review the Government Requests, Investigations, Search Warrants and Subpoenas Policy on iConnect (AHC System Policy #195.) Add Aurora Administrative Manuals to your quick links in iConnect. Click on Aurora System Manual, click on Table of Contents on the right hand side and scroll down to the policy.

120 How Compliance Fits In
Before we sign off…

121 Compliance and Ethics Part of Everything We Do
Compliance and ethics are a part of everything we do at Aurora. Take with you Dr. Nick Turkal’s words about the things that are most important to us.

122 Compliance and Ethics Part of Everything We Do
Who We Are – Aurora Health Care is a not-for-profit health care provider and a national leader in efforts to improve the quality of health care.
Patient Experience – Our patients expect us to act in an ethical and legal manner. Ethical scandals and enforcement actions can hurt the reputation of even the best health care providers. A great reputation helps us to achieve our patient experience goals.
Financial Performance – We have a responsibility to be good stewards of the money we receive to take care of our patients and the health of our communities. We also need to and have the right to receive appropriate payment for those services we provide. Avoiding fines and penalties, and paying attention to coding, documentation, and billing practices helps us to meet our financial goals.
Caregiver Engagement – The world has heard from employees at WorldCom, Enron, Columbia HCA and other companies about how stressful and unrewarding it was to work for an organization that did not value ethics and complying with the law. Ethical and legal conduct helps make Aurora an organization that we can all be proud to work for. An ethical work environment helps ensure that we can deliver an excellent patient experience.

123 Compliance Resources to Remember
The Compliance & Ethics website on iConnect:
- Compliance Officer contact information
- Code of Ethical Conduct
- Guidelines and links
The Privacy website on iConnect:
- Privacy Officer contact information
- Disclosure Manual
- Guidelines and links
The Compliance Hotline:
- Report compliance concerns
- You may remain anonymous if you choose
- No one will retaliate against you for reporting

124 This test should be included with your handouts.
Complete Test You are required to complete a separate test after completing this course. This test should be included with your handouts.

