VIII. CORPORATE COMPLIANCE

Author: Harold Parsons

General Overview of Corporate Compliance

What is Corporate Compliance?

• Following business laws and regulations.
• Randolph Hospital is committed to providing the best care to our patients. To accomplish this goal, we created a compliance program to make sure everyone knows what the laws and regulations are AND to make sure they are enforced!

Why RH has a Corporate Compliance Policy

A Corporate Compliance Policy:

• Protects our hospital from risks & consequences of regulatory violations.
• Enhances our credibility.
• Strengthens patient trust.
• Enforces ethical standards.
• Promotes quality care.
• Protects our patients!

What Does this Policy Mean for Staff?

• All staff are expected to know these regulations and to follow them.
• All staff are also expected to report non-compliance.

Failure to Report Non-Compliance

• Failure to report non-compliance is a violation of federal law and subject to disciplinary action.
• In other words: if you see a violation occur, you have a duty to report it.

The Hospital’s Code of Conduct is attached to the Corporate Compliance Program policy (ADM 38).

How to Report Non-Compliance

Instances of non-compliance can be reported in any of the following ways:

• Notify your immediate supervisor.
• Notify your departmental director.
• Notify a Vice-President.
• Notify Human Resources.
• Notify the Compliance Officer (ext. 7771).
• Call the Compliance Hot Line to anonymously or confidentially seek guidance regarding potential non-compliance without fear of retaliation.

Compliance Hotline 336-633-7724

Federal Regulations and Laws

• False Claims Act
• EMTALA
• Anti-Kickback Statute
• Medicare Regulations
• Red Flag Rules
• HIPAA
• Fraud Statutes
• Stark Act

HIPAA

(Health Insurance Portability and Accountability Act)

What does the HIPAA rule do?

◦ Provides clear standards for the protection of personal health information.
◦ Demands privacy of information.
◦ Demands security of information.

HIPAA, cont.

• What is Protected Health Information (PHI)?
• Any and all information about an individual’s physical or mental health that identifies the individual, or for which there is a reason to believe the information could identify them.

HIPAA, cont.

Examples of information that can identify a patient:

• Name, address, phone/fax, email address.
• Employer, social security number, medical record number.
• Relative’s name, date of birth, photograph.

Examples of Protected Health Information (PHI):

• Patient chart.
• Patient bill.
• Test results.
• Reason for visit.
• Surgery performed.

HIPAA, cont.

How does HIPAA work?

• Limits uses and certain disclosures (telling, sharing, revealing) of information.
• If the hospital is going to release information on a patient for the purpose of treatment, payment, or hospital operations, it must be the minimum amount that is reasonably needed.
• Gives patients the right to examine and obtain a copy of their own health records and request amendments.
• Empowers patients to control certain uses and disclosures of their health information.

HIPAA, cont.

Most health care providers are permitted under HIPAA to use and disclose PHI for general purposes, including:

◦ To treat patients.
◦ To obtain payment for that treatment.
◦ For quality assurance or other health care operations purposes.

HIPAA, cont.

• If PHI is used for other purposes, usually the health care provider must first obtain a patient’s written authorization to do so.
• There are potential civil monetary penalties under HIPAA.
• Criminal violations for certain wrongful disclosures of health information are punished with monetary penalties and prison sentences.
• These penalties can be applied to any individual.

HIPAA, cont.

Randolph Hospital and Our Affiliates are required to:

◦ Notify patients about their privacy rights and how their information can be used. Patients are given a notice of our privacy practices to sign, and the notice is available on the hospital website.
◦ Adopt and implement privacy/security procedures.
◦ Train employees.
◦ Designate a Privacy Officer to assure that privacy procedures are adopted and followed. The Compliance Officer fills this role.
◦ Designate a Security Officer to implement the Security regulations. The Chief Information Officer fills this role.
◦ Secure patient records containing individually identifiable health information.

HIPAA, cont.

• At Randolph Hospital we take HIPAA Privacy and Security regulations seriously. Not only is it the law, it is the right thing to do for our patients.
• If at any time you learn information about a patient as a result of your job, it is considered private and subject to the HIPAA Privacy regulation.

HIPAA, cont.

Helpful Guides to Help Stay within HIPAA Compliance:

• Always make sure that patient records are secure.
• When leaving your work area, either lock your computer or disconnect your session so that no patient information can be seen.
• NEVER GIVE OUT YOUR COMPUTER PASSWORD(S) or PIN NUMBER. This includes not giving it to anyone in the IT department, human resources, administration, or your direct supervisor or director.

HIPAA, cont.

Helpful Guides, cont.

• Be aware of what is on your desk when you leave your work area. Never leave confidential patient information unsecured or where it can be viewed by others.
• Keep patient information out of public areas.
• Do not leave patient information at fax and copy machine locations.
• Avoid discussing a patient’s medical condition in public areas.
• Do not discuss work on any form of electronic media, e.g. Facebook, Twitter, Instagram, etc.

HIPAA, cont.

Remember:

• The only time it is permissible to access any person’s medical record or patient bill is if you need it in order to do your job.
• It is NOT OK to look up information about family or friends, even if you are asked to do so.

HIPAA, cont.

HIPAA Violations:

• Can result in disciplinary actions up to and including termination.
• In addition, there could be civil and criminal penalties.
• Criminal violations for certain wrongful disclosures of health information are punished with monetary penalties and prison sentences.

Remember: stop and think before you act.

Medicare Regulations

Any facility that participates in Medicare must follow Medicare regulations. Facilities must:

• Meet standards of quality care.
• Not bill Medicare for unnecessary items or services.
• Not bill Medicare for costs or charges that are significantly higher than the usual cost or charge.
• Follow other rules for claims and billing.

Claims and billing are the biggest risk areas for healthcare fraud and abuse.

False Claims Act

• The False Claims Act makes it illegal to submit a falsified bill to a government agency.
• This applies to healthcare because Medicare is a government agency.
• This is a State and Federal Law.

False Claims Act, cont.

Legal Overview:

• The False Claims Act permits private citizens to bring a civil action for violation of the False Claims Act on behalf of the citizen and the government and, if successful, to receive a portion of the settlement or judgment.
• An employer is not permitted to discriminate against an employee because of any lawful acts done by the employee or on behalf of the employee in furtherance of an action under the False Claims Act.

The act of filing such actions is informally called “whistleblowing”.

False Claims Act, cont.

Legal Overview, cont.

It is illegal to:

◦ Knowingly present, or cause to be presented, a false or fraudulent claim for payment or approval to the federal or state government. This would include false claims for payment by Medicare or Medicaid.
◦ Knowingly make, use, or cause to be made or used a false record or statement to get a false or fraudulent claim paid or approved by the federal or state government.
◦ Conspire to defraud the federal or state government by getting a false or fraudulent claim allowed or paid.
◦ Knowingly make, use, or cause to be made or used a false record or statement to conceal, avoid or decrease an obligation to pay or transmit money or property to the government.

False Claims Act, cont.

“KNOWINGLY” is defined as:

• Acting with actual knowledge that the information is false.
• Acting in deliberate ignorance of whether the information is true or false.
• Acting in reckless disregard of whether the information is true or false.

Stark Act

• The Stark statute prohibits a physician from referring Medicare patients for certain “designated health services” when those services are furnished by an entity with which the physician has a financial relationship, unless the relationship falls within a permitted exception.
• Randolph Hospital is very limited in giving physicians money/gifts because this can be seen as a bribe for sending us patients for business.

Stark Act, cont.

Examples of these types of “designated services” are:

• Clinical laboratory.
• Physical therapy.
• Occupational therapy and speech-language pathology.
• Radiology and certain other imaging services.
• Radiation therapy services and supplies.
• Durable medical equipment and supplies.
• Parenteral and enteral nutrients, equipment and supplies.
• Prosthetics, orthotics, and prosthetic devices and supplies.
• Home health.
• Outpatient prescription drugs.
• Inpatient and outpatient hospital services.

Stark Act, cont.

• Penalties for violating the Stark referral prohibition are substantial and include:
  ◦ Repayment of all claims billed pursuant to improper referrals.
  ◦ Monetary penalties for specified infractions.
  ◦ Potential exclusion from federal health care programs.
  ◦ Potential False Claims Act liability.
• Stark is a strict liability-type statute; any referral relationship prohibited by Stark (if not meeting all of the requirements of an applicable exception) is subject to the penalties mentioned above.

Anti-Kickback Statute

• The Medicare and Medicaid Patient Protection Act of 1987 is commonly referred to as the Anti-Kickback Statute (AKBS). This act makes it illegal to give or take kickbacks, bribes or rebates for items or services that will be paid for by a government healthcare program.

Legal Overview: Anti-Kickback and Stark II

Examples of Anti-Kickback and Stark II risk areas in the hospital context include:

◦ Joint ventures with physicians who are referral sources for the hospital.
◦ Payments to physicians to provide items or services to or on behalf of the hospital.
◦ Financial relationships with other health care providers that influence referrals to the hospital or that may receive referrals from the hospital.
◦ Payments to a physician to recruit the physician to join the medical staff.
◦ Discount arrangements with providers of items and services reimbursable by federal health care programs.
◦ Medical staff privileging that requires a certain number of referrals or a certain number of procedures (beyond volumes necessary to ensure clinical proficiency).
◦ Malpractice insurance subsidies paid on behalf of referring physicians.

Social Security Act

This act makes it illegal for hospitals to:

• Knowingly pay physicians to, or encourage them to, limit services to Medicare or Medicaid patients.
• Offer gifts to Medicare or Medicaid patients to get their business.

Mail & Wire Fraud Statutes

• Mail and wire fraud statutes make it illegal to use the U.S. Mail or electronic communication as part of a fraud.

EMTALA

(Emergency Medical Treatment and Active Labor Act)

EMTALA States:

◦ Hospitals with emergency departments must provide a medical screening examination to any individual who comes to the emergency department and requests such an examination.
◦ Emergency departments CAN NOT refuse to examine or treat individuals with an emergency medical condition or those in active labor.
◦ Once seen, the patient must then be stabilized, admitted or appropriately transferred.

Red Flag Rules

• A Red Flag is a pattern, practice, or specific activity that indicates the possibility of identity theft.
• The Fair and Accurate Credit Transactions Act (FACTA) was passed to protect consumers against identity theft.

Red Flag Rules, cont.

Medical identity theft is:

• When someone uses a person’s name, SSN, insurance information, and sometimes other parts of their identity, to:
  ◦ obtain medical services
  ◦ falsify claims for medical services
  ◦ falsify medical records to support claims.

Red Flag Rules, cont.

Examples of how PATIENTS find out someone has committed medical fraud against them:

• Patient receives EOB for services not received.
• Patient receives bill from facility which patient never visited.
• Patient receives bill for another person.
• Physician mentions inaccurate treatment history during patient’s office visit.
• Accounting of disclosures.
• Insurance company denies treatment for condition patient doesn’t have.

Red Flag Rules, cont.

Examples of how PROVIDERS find out that someone has committed medical fraud against them:

• Patient’s records show treatment inconsistent with patient’s medical history or physical exam (age, blood type).
• Patient complains about receiving collection notice for services not received.
• Patient provides insurance number but cannot produce insurance card.
• Mail sent to patient is returned repeatedly but transactions continue to occur on patient’s account.
• ID appears to have been altered or forged.
• Picture or signature on file does not match that of person presenting for treatment.

Red Flag Rules, cont.

What happens if we fail to comply?

• The FTC will treat violations of the Red Flags Rules as an unfair & deceptive trade practice.
• The FTC can get an injunction forcing compliance.
• Failure to comply with the Red Flags Rules can lead to enforcement actions and penalties.
• Negative press and member relations issues would also likely occur, as failing to comply would cast doubt on Randolph Hospital’s ability to safeguard its consumers’ data.

Red Flag Rules, cont.

Potential Consequences of Noncompliance:

When a provider is convicted of breaking any of the laws described on the previous screens, penalties can include:

• Criminal fines
• Civil damages
• Jail time
• Exclusion from Medicare or other government programs.

In addition, a conviction can lead to serious public relations harm.