CHCN Adult Clinic Care - Community Health Center Network
HIPAA, PHI, and Fraud, Waste & Abuse Provider Training August 2017 1 Training Objectives Compliance Program overview Fraud, Waste & Abuse HIPAA overview What is PHI? Privacy & Security Reporting suspected compliance issues
2 CHCN Compliance Program 3 Compliance Plan: Written codes of conduct and policies and procedures to ensure CHCNs obligation to comply with established regulatory requirements. Compliance Officer: The designated individual charged with the
responsibility and authority of operating and monitoring the compliance program. Training: Development and implementation of routine education and training that addresses the role of everyone involved in the organization as it relates to compliance. Internal Auditing and Monitoring: Regular audits and gap analyses to monitor compliance and reduce identified areas of risk. Compliance Program (cont.) 4
Communications: Effective procedure including a hotline to facilitate confidential reporting of suspected HIPAA, fraud, waste and abuse violations. Investigation and Enforcement: Policies to conduct an appropriate investigation, consistently enforce standards and take disciplinary action if needed. Corrective Action: Procedures for responding to identified compliance problems with a plan of action to prevent further similar offenses. Fraud, Waste & Abuse Fraud: Intentional deception or misrepresentation to get an unauthorized benefit
Waste: Over-utilization of services, or other practices that result in unnecessary costs Abuse: Acting with negligence or reckless disregard for the truth in a manner that could result in an unauthorized benefit 5 Examples of Member Fraud Members allowing others use their ID card Doctor shopping to obtain multiple prescriptions for narcotics Falsifying address Pharmacy Related Fraud
6 Altering Rx Identity theft Drug diversion Examples of Provider Fraud
7 Providing unnecessary services (i.e. x-rays, blood work) Improper billing including upcoding, unbundling and/ or false claims Illegal Financial Arrangements An unlicensed or excluded provider rendering services Using information of dead or retired Providers Examples of Abuse Providing unwarranted, unnecessary, or questionable treatment and/or care
Rendering, referring, or recommending treatment, care, tests, services or supplies which would not have been rendered or utilized in the absence of insurance Ordering or recommending inappropriate lengths of stay in an inpatient facility 8 Examples of Abuse (cont.) 9
Over utilization in duration or frequency or treatment, procedures or tests Unreasonable charges: in excess of usual and customary limits beyond that range which most providers charge for the same service or similar services. Billing separately for each component a procedure or service (unbundling) Reporting a service or procedure as more intensive or extensive than was actually rendered (upcoding) Fraud, Waste, Abuse Costs Us All! $98 billion/year cost to Medicare and Medicaid spending
$272 10 billion/year cost across the entire health system False Claims Act Applies 11 to fraud in federal and state health care programs like Medicare and Medi-Cal Anyone who knowingly* presents or causes
to be presented a false or fraudulent claims can be liable Responsibility to ensure accurate billing for treatment and supported by accurate documentation * Actual knowledge, deliberate ignorance, or reckless disregard Regulations for False Claims Act Federal Penalty of up to 3 times the govts damages Civil penalties between $5500 to $11,000 per false claim
Exclusion from participating in any Federal health care programs CA FCA 12 FCA (31 USC 3279-3733) (CFCA) (12650-57 CA Govt. Code) Civil penalty up to $10,000 Assessment up to 3x value of the false claim Anti-Kickback Statute (AKS)
Federal (42 U.S.C. 1320a-7b(b)) - Knowingly and willfully receiving or paying anything of value to influence referral of Federal health care program business, including Medicare and Medicaid - can be charged with a felony Penalties for violation of AKS Up to 5 years prison Criminal fines up to $25,000
Administrative civil monetary penalties up to $50,000 (42 U.S.C. 1230a-7a) Exclusion from participating in any Federal health care programs (42 U.S.C. 1230a-7) 13 False Claims Act False Claims Act Video by OIG 14 HIPAA Overview Health Insurance Portability and Accountability Act (HIPAA): Enacted August 21, 1996.
Laws that protect the privacy and security of an individuals health information and prevent the inappropriate use and disclosure of Protected Health Information (PHI). Privacy and Security rules were implemented to establish standards for the transmission and storage of electronic PHI data. Simplify billing and other transactions with standardized code sets and transactions Specify new rights of patients to approve access/use of their medical information 15 Privacy and Security Standards There are two overlapping HIPAA Rules:
16 Privacy Standards indicating who may have access to an individuals protected health information, and on what basis Applies to communications in electronic, oral, and paper form Security Standards ensuring Covered Entities (CE) keep protected health information secure. Reduce the potential of member PHI security breach Who is Accountable? HIPAA standards apply to: Health care providers who transmit any health information in connection with certain
transactions Health plans Healthcare clearinghouses Above are CEs 17 What is PHI? PHI Protected Health Information Individually identifiable health information in any form or media, whether electronic, paper, or oral 18 PHI Identifiers 1.
2. 3. 4. 5. 6. 7. 8. 9. 19 Name Address Dates Telephone Number Drivers License Number E-mail Address
Fax Number SSN Medical Record Number 10. 11. 12. 13. 14. 15. Certificate/License Number Member ID Number VIN or License Plate Number Web Address IP Address Biometric Identifiers
(finger/voice/retinal prints) 16. Photographs 17. Account Number 18. Any other unique number, characteristic or code Examples of unsecure PHI Leaving unattended PHI out in the open on ones desk Throwing away visible PHI in the trash basket Leaving unattended PHI on the fax machine, copier or printer Writing unencrypted emails with PHI in the body of the email Sharing PHI in attachments in unencrypted emails 20
Methods to Secure PHI 21 Keep all member files locked when not in use or if you are away from your desk When leaving for the day, secure all materials containing PHI
Do not discuss patient information in public, including elevators, hallways, lobbies or restaurants Notify your supervisor if there is a stranger in your area that does not belong there Use shredders when disposing of confidential documents Permissible Use & Disclosure of PHI HIPAA allows use of PHI for three functions (TPO): - Treatment - Payment - Operations Payment and Operations 22
are the main functions of CHCN, which we perform on behalf of our clinics. Methods to secure PHI 23
Never leave company issued laptops and mobile devices unattended in automobiles, gym lockers or checked-in luggage during travels While using public transportation, do not have PHI visible on the screen of laptop of smartphone Do not store PHI on portable drives like flash drives and external hard drives Always use encrypted or secure email when emailing PHI Double check recipient information when faxing PHI and confirm receipt of PHI with recipient How to handle PHI
24 Follow HIPAA policies and procedures. Make an effort to limit access to the minimum necessary information required to perform a particular function Treat PHI as how you would want your health care provider to handle your medical information If the members PHI is not needed for you to complete your job functions, do not access it. Minimum Necessary
25 Apply the minimum necessary standard whenever you use or disclose PHI by asking yourself: What is the minimum amount of PHI necessary for permissible use and disclosure? Note: The minimum necessary standard only applies to payment and operations; it does not apply to treatment of a member by a provider (i.e., when a provider is talking with another provider about treatment.)
Minimum Necessary Example: If you only need DOB to assess member utilization patterns, you should not include member name, authorization number, etc. Example: If a colleague only needs a report of authorization numbers, you should not give her DOB, member names, or any other additional PHI. Think of examples in your work of how to apply the minimum necessary standard in use and disclosure of PHI? 26
HIPAA Violations 27 March 31, 2009, 23 staff workers at Kaiser attempted sneak peeks at Octomoms medical history. Although none of the offending employees had provided medical information to the media, 2 hospital workers were fired, 13 opted to resign and 8 were disciplined. In the weeks leading up to the octuplets birth,
employees had been trained on the importance of keeping patient information confidential. Kaiser was also fined $250,000 for the violation Secure Email Do Not Email PHI Unless Necessary! If You Must Email PHI Externally, Always Encrypt! 28 Internal Email Can Result in a Breach Be careful and remember that its possible to breach HIPAA law even when sending PHI internally: To a colleague who doesnt need to see the PHI for his job To a colleague who only needs to see a subset of the PHI (the
minimum necessary) actually sent to her To the wrong colleague If you forward an email containing PHI to someone who shouldnt see it Write PHI on the subject line to alert the recipient(s) message contains sensitive material 29 Best Practice: Pause before you hit send to make certain youre not breaking the law! Its Far More Serious a Problem If You Delay or Do Not Report the Error! 30
If the Privacy Officer and your supervisor dont know about the breach, the ability to mitigate any risk is severely limited. The consequences to you and to the organization can be far greater if you do not report. The consequence to an employee for committing a breach and for not reporting a breach could be anything from a verbal warning, a written warning, a performance improvement plan, suspension, and/or termination.
Privacy Breach HIPAA Breach defined: 31 The unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. Steps in Event of a Violation Take
prompt and appropriate action to correct the situation and/or minimize harmful effects Notify your supervisor immediately of any suspected breach of security, intrusion or unauthorized use or disclosure of PHI Report the incident to the Compliance Officer and Security Officer so incident report can be created 32 Exceptions of Breach Unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if: Acquisition, was made within the course and scope
of the employment or other professional relationship with the covered entity or business associate information is not further disclosed by any person 33 Penalties for Privacy Breach 34 Civil penalty of $100 up to $50,000 per violation, and up to $1.5M per year for identical violation.
Criminal penalties from $50,000 to $250,000 and from 1 to 10 years in prison depending upon the nature and severity of the breach. CA Bills AB 211 and SB 541 make every provider of health care accountable for unauthorized access to medical information. Fines range from $1,000 to $250,000 and $25,000 to $250,000, respectively, per violation. What is the HIPAA Privacy Rule? HIPAA Privacy Rule Video 35 Reporting suspected violations 36
To report to CHCN: 510-297- 0407 or [email protected] To report to Alameda Alliance for Health: 1-855-747-2234 or [email protected] To report to Anthem Blue Cross: Report online at https:// mss.anthem.com/pages/wfa.aspx
To report directly to Medi-Cal: 1-800-822-6222 or [email protected] To report to California DHCS: 1-800-822-6222 or [email protected] Reporting to Federal HHS OIG Hotline http://oig.hhs.gov/fraud/report-fraud/report-fraud-form.asp Phone: 1-800-HHS-TIPS (1-800-447-8477)
TTY: 1-800-377-4950 o Fax: 1-800-223-8164 o E-mail: [email protected] o Mail: Office of Inspector General 37 Department of Health and Human Services Attn: Hotline P.O. Box 23489 Washington, DC 20026 Penalties for Compliance
Violations Violation of any laws, regulations, or CHCN policies, including Code of Conduct will result in disciplinary action, up to and including the possibility of termination Violations of any federal or state laws may result in governmental prosecution against perpetrator individually 38 Whistleblower Protections (Non-Retaliation) Whistleblower: An employee, former employee, or member of an organization who reports misconduct to people or entities that have the power to take corrective action.
The False Claims Act allows individuals to: Report fraud anonymously Sue an organization on behalf of the government and collect a portion of any settlement that results Employers cannot threaten or retaliate against whistleblowers. CA Government Code 12653 (Anti-Retaliation) 39 Quiz: Review Questions https://www.superteachertools.us/millionaire/ millionaire.php?gamefile=25217 40
Remember to use a/an for jobs: Tom's father is a doctor. ( not tom's father is doctor) I wouldn't like to be an English teacher. In sentences like these, we use plural countable nouns alone (not with some) Tom's parents...
Man Made Boards · Man-made boards: plywood, aero ply, flexiply, marine ply, chipboard, MDF and hardboard · Applications; furniture, work surfaces and exterior projects . Laminates . and veneers · Veneers such as beech, ash, oak, walnut, paper and foil...
Reception - Bayer Rotunda 6:00 - 7:00 PM "The Role of the Medical Examiner and Avoiding Cognitive Bias" - Pappert Lecture Hall . Judge Stephanie Domitrovich. RTIToday. A non-profit research institute, RTI's mission is to improve the human condition by...
Realistic exit strategies should suggest ways that owners and potential investors can harvest the business to get their money back in a new venture. Options might include continuing to operate the business as a "cash cow" or going public with...
ASSEMBLEE GENERALE ORDINAIRE Mercredi 10 juillet 2013 20 ans au service des jeunes… Une Histoire 1992 - 1999 1992 : création de la Mission Locale du Sud-ouest Seine-et-Marne ; première structure à dimension intercommunale 1993 : recrutement du premier Chargé...
Here is an example of a Coursemate. A Coursemate is like a course in a box! It contains a chapter by chapter ebook, variousl learning resources like flashcards, quizzes, videos and the third part of coursemate, is the ENGAGEMENT TRACKER....
MARCO TEORICO. Retomando el cuadro de necesidades y considerando la frecuencia de la misma, es visible la atención al proceso de evaluación dentro de la planeación y aplicación de estrategias didácticas con el apoyo de las TIC.
Ready to download the document? Go ahead and hit continue!