Compliance and Other Training
Presentation Transcript
Compliance Training • HIPAA /HITECH • E-Mail Policy and Usage Guidelines • PPMS • Business Ethics • Code of Conduct • Collector’s Pledge
HIPAA/HITECH • “HIPAA” refers to the Health Insurance Portability and Accountability Act
HIPAA/HITECH • “HITECH Act” is the acronym for the Health Information Technology for Economic and Clinical Health Act
HIPAA/HITECH The Health Insurance Portability and Accountability Act: Passed in 1996, HIPAA was initially designed to improve the portability and continuity of health insurance coverage and to provide a standard for the electronic transmission of health records. In 2003, HIPAA’s privacy and security standards, which are designed to protect confidential healthcare information, went into effect. HIPAA defines requirements for storing patient information before, during, and after electronic transmission. It also identifies compliance guidelines for critical business tasks such as risk analysis, awareness training, audit trails, disaster recovery plans, information access control, and encryption.
HIPAA/HITECH The HITECH Act, passed as a part of the American Recovery and Reinvestment Act of 2009 (economic stimulus package), increased the privacy and security provisions of HIPAA and added new breach notification requirements.
HIPAA/HITECH • Covered Entity: Hospitals, doctor’s offices, etc. are considered covered entities under HIPAA standards. • Business Associate: A business associate is someone who acts on behalf of the covered entity and performs some sort of function or activity involving the use and disclosure of individually identifiable health information. • Covered Entities = Our clients • Business Associate = Peak Revenue Group
HIPAA/HITECH Protected Health Information (“PHI”) Refers to information that identifies an individual and describes his/her medical condition or treatment. It includes written documents, electronic files as well as verbal information. PHI includes any piece of information that could be used alone, or in combination with other data, to determine the identity of a patient. This type of information includes obvious data such as name, address, social security or telephone number, as well as less obvious data such as an account number, an e-mail address, or even zip code. There are 18 identifiers that constitute PHI.
HIPAA - 18 PHI Identifiers • The 18 identifiers are: • Names • All geographic subdivisions smaller than a state • All elements of dates (except year) directly related to an individual, including birth date • Telephone numbers • Fax numbers
HIPAA - 18 PHI Identifiers • Electronic mail addresses • Social Security Numbers • Medical Records Numbers • Health plan beneficiary numbers • Account numbers • Certificate/license numbers • Vehicle identifiers and serial numbers, including license plate numbers
HIPAA - 18 PHI Identifiers • Device identifiers and serial numbers • Web Universal Resource Locators (URLs) • Internet Protocol (IP) address numbers • Biometric identifiers, including finger and voice prints • Full face photographic images and any comparable images • Any other unique identifying number, characteristic or code
HIPAA/HITECH Prior to HITECH Act, Business Associates were contractually liable to Covered Entities for compliance with HIPAA privacy and security standards. With the passing of the HITECH Act, Business Associates are subject to administrative, physical and technical safeguards of HIPAA’s Security Rule as though they were a Covered Entity. Business Associates have a legal duty to ensure they are using and disclosing PHI in accordance with HIPAA’s Privacy Rule. Business Associates are now responsible for the actions of their vendors who have access to PHI provided by the Business Associate. Business Associates are also subject to monetary fines and criminal penalties to the same extent as a Covered Entity.
HIPAA/HITECH • Administrative Safeguards ~ documented policies and procedures for day-to-day operations, managing the conduct of employees with access to Protected Health Information (“PHI”) and managing the selection, development and use of security controls • Physical Safeguards ~ security measures meant to protect an organization’s computer systems, as well as the building and equipment from natural hazards, environmental hazards and unauthorized intrusion • Technical Safeguards ~ security measures that specify how to use technology to protect and control access to PHI
HIPAA/HITECH Breach of PHI = An unauthorized disclosure of unsecured PHI that poses a significant risk of financial, reputational, or other harm to an individual. Security Breach Notification requirements ~ Following the discovery of a breach of unsecured PHI, a Covered Entity is required to notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. Timeliness: Except in instances of a delay requested by a law enforcement official, a Covered Entity must provide notification to individuals without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach.
HIPAA/HITECH Security Breach Notification Requirements (cont’d)~ Notice to Local Media: If more than 500 individuals in an area were impacted by a breach of unsecured PHI, the Covered Entity must notify local media. Notification to the Secretary of Health and Human Services: Notice must be provided to the Secretary of HHS following the discovery of a breach involving more than 500 individuals. This information will be displayed on the HHS website. For breaches involving less than 500 individuals, a Covered Entity must maintain a log of the breaches. The log must be submitted to the Secretary of HHS annually.
HIPAA/HITECH Notification requirements for Business Associates ~ Business Associates are required to notify Covered Entities of any unauthorized disclosure of unsecured PHI held by the Business Associate or a Business Associate’s vendor as soon as the Business Associate discovers the breach, so that the Covered Entity has time to complete the notification requirements within the maximum 60 calendar day period following the discovery of the breach. The Business Associate’s name will be included in the information provided to the Secretary of HHS by the Covered Entity if the breach involves 500 or more individuals.
HIPAA/HITECH • What does this mean to you? • It means that you must ensure the confidentiality of any PHI which you have access to by: • Not sharing it with others who do not have a need to know, including co-workers, family members or friends • Minimizing opportunities for patient information to be overheard by others • Securing paperwork which contains PHI so that it can’t be viewed by others • Closing computer programs containing PHI when not in use • Disposing of paper documents containing PHI and other confidential information by placing them in the shred bins. • Following our security policies and procedures.
HIPAA/HITECH • Sanctions and Penalties • Violations without knowledge: $100 per violation, not to exceed $25,000 • Violations based on reasonable cause: $1000 - $100,000 • Violations based on willful neglect: $10,000 - $250,000 • Violations based on willful neglect that are not corrected: • $50,000 to $1.5 million • In addition to monetary fines, a person may face up to 10 years in prison for the disclosure of PHI with the intent to sell, transfer, and use for commercial advantage, personal gain, or malicious harm.
HIPAA in the News In the first HIPAA-related criminal case, Richard Gibson, a phlebotomist at the Seattle Cancer Care Alliance, obtained a cancer patient’s PHI in October 2003 and used that information to fraudulently obtain four credit cards in the patient’s name. He then used those cards to charge over $9,000 for various items including video games, home improvement supplies, jewelry, groceries and gasoline for his personal use. Following a plea bargain agreement, Mr. Gibson was sentenced to 16 months in a federal prison, 3 years supervised release, and required to pay restitution in the amount of $15,000 to the credit card companies and the cancer patient.
HIPAA in the News • On January 11, 2007, Isis Machado and Fernando Ferrer, Jr., her cousin, were convicted of conspiring to defraud the US government, identity theft, computer fraud and wrongful disclosure of PHI. • Ms. Machado was employed at the Cleveland Clinic in Weston, Florida as a front desk office coordinator. She had access to electronic medical records in the performance of her job. She exceeded her authorized use of these records by downloading a file for Ferrer, who paid her $5 to $10 per record. Ferrer was the owner of a healthcare claims administration company. He used the PHI, which included Medicare ID numbers, to submit more than $7,000,000 of fraudulent Medicare claims, which netted about $2,500,000 in payments. Ms. Machado pled guilty to conspiracy and agreed to testify against Ferrer. He pled not guilty and proceeded to trial. • His sentence: 87 months in prison (7.25 years), 3 years of supervised release, and an order to pay restitution in the amount of $2,505,883.43. Machado was sentenced to 3 years probation, including 6 months of home confinement, and was also ordered to pay restitution in the amount of $2,505,883.43.
HIPAA in the News • The U.S. Dept of Health & Human Services (HHS) announced on 2/24/11 that Massachusetts General Hospital (MGH) agreed to pay the U.S. government $1,000,000.00 to settle potential HIPAA violations. • The incident giving rise to the agreement involved the loss of PHI of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS. The HHS Office of Civil Rights opened its investigation of Mass General after a complaint was filed by a patient whose PHI was lost on 3/09/09. • On 3/06/09, an MGH employee removed documents containing PHI from the MGH premises for the purpose of working on the documents from home. The documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of the provider of 66 patients and the practice’s daily office schedules for 3 days containing the names and medical record numbers of 192 patients.
HIPAA in the News • On 3/09/09, while commuting to work on the subway, the MGH employee removed the documents containing PHI from her bag and placed them on the seat beside her. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. • In addition to the $1,000,000.00 civil penalty, MGH agreed to enter into a Corrective Action Plan, which requires the hospital to: • Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from MGH’s premises; • Train workforce members on these policies and procedures; and • Designate the Director of Internal Audit Services of Partners HealthCare System, Inc to serve as an internal monitor who will conduct assessments of MGH’s compliance with the corrective action plan and submit semi-annual reports to HHS for a 3-year period.
HIPAA/HITECH • Unauthorized disclosures fall into two categories • Accidental (not intentional): • failure to check the credentials of the person asking for the information • failure to check patient authorization • Intentional and not accidental: • use of PHI for private or economic gain • criminal acts
HIPAA/HITECH • Examples of Incidental Disclosures • an overheard telephone conversation • a misdirected fax, e-mail or US mail • Even though these disclosures are permitted under the law, we obviously want to make every effort to avoid them whenever possible.
HIPAA IMPORTANT When you use PHI, you must follow the Privacy Rule’s minimum necessary requirement by asking yourself the following question: “Am I using or accessing more PHI than I need to?”
HIPAA/HITECH • Don’t • leave documents with PHI in an unsecured place such as a printer, fax or copy machine • disclose, discuss or view PHI with anyone who is not authorized to receive it
HIPAA/HITECH Rule Requires Destruction of Consumer Data In an effort to crack down on identity theft a rule issued by the Federal Trade Commission that became effective June 1, 2005 requires all businesses and individuals to destroy private consumer information. The information must be “burned, pulverized, shredded or destroyed in such a way that the information cannot be read or reconstructed”. And it doesn’t just apply to paper records but electronic as well. Failure to properly dispose of the data could draw a $2,500 federal penalty per violation as well as lawsuits from people who could seek damages if their personal information was misused as a result of improper disposal.
HIPAA/HITECH What should you do if you think you know about a HIPAA violation? First, rest assured that an employee who in good faith expresses a concern about HIPAA compliance issues will not be subjected to retaliation or harassment as a result of raising the concern. If you become aware of or even suspect that you may have knowledge of a HIPAA related incident you should immediately notify your supervisor.
HIPAA/HITECH However, if you prefer, you may report the incident directly to the Compliance Department. This can be done in one of several ways.
HIPAA/HITECH You can call the Compliance Manager at extension 1569.
HIPAA/HITECH You can come by my office, which is right across the hall from the training room.
HIPAA/HITECH Any questions?
E-Mail Policy and Usage Guidelines A few words of caution about electronic mail: all electronic communications should be considered public documents and are subject to monitoring by the Company. So if you wouldn’t write something in a memo and post it on the Company bulletin board, don’t e-mail it. It is a violation of company policy to send or forward e-mails that contain offensive content.
E-Mail Policy and Usage Guidelines Rule # 1: Keep it brief Business e-mails should be purposeful and to the point. They allow us to communicate concisely and quickly. Create an attachment if there is a need to send a large amount of information.
E-Mail Policy and Usage Guidelines Rule # 2: DON’T YELL Avoid typing a message in all capital letters since this is the equivalent of shouting if you were talking to the person face to face. Capital letters also signify “flames” which are messages that are highly emotional, angry or insulting.
E-Mail Policy and Usage Guidelines Rule # 3: Check your spelling Most e-mail programs are equipped with some sort of spell check application that will alert you to misspelled words. Always take the time to proof your message by using the spell check feature before sending your message.
E-Mail Policy and Usage Guidelines • Other guidelines about e-mail • Keep in mind that just because you think the message is funny or clever, the recipient may not see it the way you intended it. • Be careful if you reply to a message that has been sent to multiple people. If you use “Reply To All” each person will receive your reply.
E-Mail Policy and Usage Guidelines • Only flag messages as high priority if they really are. • Avoid using slang or abbreviations that may not be familiar to the recipient since they could easily be misinterpreted or misunderstood.
E-Mail Policy and Usage Guidelines Email Encryption All outbound emails containing PHI or other confidential information must be encrypted.
E-Mail Policy and Usage Guidelines -Email Encryption SCOPE This policy applies to any person in the Company who may need to generate a secure outbound e-mail because it contains Protected Health Information (“PHI”) or other confidential information.
E-Mail Policy and Usage Guidelines - Email Encryption Click on “Options” on the toolbar. Outbound emails containing confidential information must be encrypted. To encrypt your email, click on Options and change the Sensitivity Level from Normal to Confidential.
E-Mail Policy and Usage Guidelines - Email Encryption Select “Confidential” from the drop-down box under “Sensitivity Settings”.
E-Mail Policy and Usage Guidelines - Email Encryption These are the ONLY steps that will cause your e-mail message to be encrypted. Because of the serious consequences associated with sending unencrypted PHI, any employee who generates an e-mail that does not conform to these procedures will be held personally responsible for any consequences resulting from that failure. All outbound emails are subject to monitoring for compliance with this policy.
E-Mail Policy and Usage Guidelines Any questions?
Professional Practices Management System™ (“PPMS”) • is a management system for collection agencies based upon developing, implementing and adhering to a set of industry specific professional practices and policies and focuses on • how a company is managed and run • continuous improvement
Professional Practices Management System™ (“PPMS”) • agencies using PPMS can • cut down on the number of mistakes they make • increase communication among departments • handle client issues in a more efficient and professional manner
Professional Practices Management System™ (“PPMS”) It is not a one-size-fits-all program, nor is it a single recipe for effective management. Agencies have the freedom to define their own procedures. It allows each company to examine its own processes and procedures, which improves overall efficiency and professionalism.
Professional Practices Management System™ (“PPMS”) • It includes 18 basic elements which fall into four broad categories: • Those which relate to the overall management of the business • Those which relate to the business activities • Those which provide support to the business activities • Those which provide client confidence
Professional Practices Management System™ (“PPMS”) When something that we do deviates from the way it was supposed to be done, it is referred to as a nonconformity. There are two types: major and minor. A major nonconformance is a failure or significant deficiency, while a minor nonconformance is not considered severe.