REGULATORY COMPLIANCE TRAINING

1. REGULATORY COMPLIANCE TRAINING Fraud and Abuse HIPAA

2. Compliance Training Objectives • Define what constitutes Medicare and Medicaid Fraud and Abuse • Prevention of Fraud and Abuse • Overview of the Federal Fraud and Abuse laws and penalties • New York State False Claims Act • Methods of reporting suspected fraud and abuse • Conflict of Interest • Billing, Coding and Documentation • Teaching Physician Supervision Rules • Joint Commission • HIPAA and HITECH

3. HealthCare Compliance Required by law Regulates billing and coding Prevents improper treatment and billing Protects the organization by following laws and regulations

4. Medicare and Medicaid Fraud Obtaining a federal or state health care payment through misrepresentation or concealment of facts…..

5. Examples of Fraud Billing for services that were not provided Altering medical records or claims to receive a higher payment

6. Medicare and Medicaid Abuse Abuse results in unnecessary costs to governmental programs and is inconsistent with the goals of providing patients with services that are medically necessary.

7. Examples of Abuse Billing for unnecessary services Billing inaccurate diagnosis and procedure codes on claims to ensure payment

8. Fraud and Abuse Laws False Claims Act Anti-Kickback Statute Physician Self-Referral Law (Stark Law) New York State Laws

9. False Claims Act Knowingly submitting a false or fraudulent claim to the government: • Acting in deliberate ignorance of the truth • Reckless disregard of the truth http://downloads.cms.gov/cmsgov/archived-downloads/SMDL/downloads/smd032207att2.pdf

10. False Claims Act Examples • Improperly admitting patients to the hospital for services that should have been provided in an outpatient setting • Billing for tests that were not medically necessary

11. Anti-Kickback Statute Prohibits knowingly and willfully offering, paying, soliciting or receiving any remuneration to induce referrals of service reimbursable by a federal health care program. Anti-Kickback Statute examples: • Cash for referrals • Free staff in exchange for referrals • Free rent or below market value rent for referrals

12. Stark Law Prohibits physicians from referring Medicare beneficiaries for certain designated health services to an entity in which the physician or their immediate family member has an ownership/investment interest. Stark Law Example: • A physician refers a patient to a laboratory that he owns. http://oig.hhs.gov/compliance/provider-compliance-training/files/starkandakscharthandout508.pdf

13. New York False Claims Act The New York False Claims Act closely tracts the Federal False Claims Act. Penalties and fines imposed for obtaining payment from any government program such as Medicaid for filing false claims.

14. Whistleblower Protection Whistleblowers may not be discharged, demoted, suspended, threatened, harassed or in any manner discriminated against as a result of reporting fraud or abuse. http://www.ag.ny.gov/sites/default/files/pdfs/bureaus/whistleblowers/NYS_FALSE_CLAIMS_ACT.pdf

15. Penalties Federal health care fraud and enforcement efforts recovers >$4 billion annually in penalties & fines. Civil Monetary Penalties Civil and Criminal Prosecution Exclusion from Medicare and Medicaid programs Suspension of payments

16. Fraud and Abuse Prevention Follow the Compliance Program Code of Conduct Teaching physicians should be physically present for the service in order to submit a bill Maintain accurate and complete medical records and documentation Avoid submitting claims for unnecessary services Submit accurate coding and billing Avoid illegal conduct If you are not sure of the appropriateness of an action, call the Compliance Officer

17. Conflict of Interest  The Ethics law and SBUH policy prohibit situations that can create a Conflict of Interest. Conflicts of Interest arise when a person’s judgment and discretion is or may be influenced by personal considerations, or the interests of SBUH. Examples: 1. Accepting gifts from vendors 2. Misuse of hospital assets 3. Activities that violate principles governing research http://www.jcope.ny.gov/

18. Conflict of Interest According to the New York State Ethics Commission, a gift may be in the form of: • Money • Loans • Travel • Meals • Refreshments • Entertainment • Any services or goods

19. Conflict of Interest Violations of Ethics Law regarding gifts: New York State employees are not allowed to accept gifts valued above nominal Value. Examples of nominal value gifts: • Coffee mugs • Pads • Pens • Key tags Penalties imposed by the Ethics Commission are up to $10,000 per incident.

20. EMTALA It requires hospital Emergency Departments that accept payments from Medicare to provide an appropriate medical screening examination to individuals seeking treatment for a medical condition, regardless of citizenship, legal status or ability to pay. Participating hospitals may not transfer or discharge patients needing emergency treatment except: • With the patient’s informed consent, or • Stabilization of the patient, or • When their condition requires transfer to a hospital better equipped to administer the treatment. https://www.cms.gov/Regulations-and-Guidance/Legislation/EMTALA/index.html?redirect=/EMTALA/

21. Billing, Coding and Documentation Billing is based on: A Procedure code (CPT), A Diagnosis code (ICD-10), and A Modifier (if applicable, helps further describe a procedure code without changing the definition) Billing is based on services actually rendered CPT and ICD-10 Code Selection: Code and modifier selection is based on the service rendered and documented in the medical record Code and modifier selection should never be based on whether they guarantee payment

22. Billing, Coding and Documentation Documentation: Medicare’s rules for billing: “If its not documented, it didn’t happen”. Medical record documentation is required to record pertinent facts, findings, and observations about an individual’s health history including past and present illnesses, examinations, tests, treatments, and outcomes. The medical record should be complete and legible. All tests should have an order and support the medical necessity for performing the test.

23. Billing, Coding and Documentation The documentation of each patient encounter should include: The reason for encounter and relevant history, physical examination findings, and prior diagnostic test results An assessment, clinical impression, or diagnosis Plan for care If not documented, the rationale for ordering diagnostic and other ancillary services should be easily inferred Past and present diagnoses should be accessible to the treating and/or consulting physician Appropriate health risk factors should be identified

24. Medical Record Documentation Cloned Documentation Could Result in Medicare Denials for Payment With the advent of Certified Electronic Health Record Technology, the government is closely watching electronic health record documentation practices. Medicare has noted an increase in frequency of medical records that contain identical documentation across services. Cloning has been defined by Medicare as: Each entry in the medical record for a beneficiary is worded exactly like or similar to the previous entries, or When medical documentation is exactly the same from beneficiary to beneficiary. It can also occur when the documentation is exactly the same from patient to patient. Cloned documentation will be considered misrepresentation of the medical necessity requirement for coverage of services due to the lack of specific individual information for each unique patient. http://oig.hhs.gov/oei/reports/oei-01-11-00571.pdf

25. Evaluation and Management Services(E/M) Evaluation and Management Services are categorized by: • Place of service- e.g. Inpatient or Office • Type of Service- New Patient Visit, Initial Hospital Visit

26. Evaluation and Management Services(E/M) The descriptors for the levels of E/M services recognize three key components which are used in defining the levels of E/M services. These components are: • History • Physical Examination • Medical decision making Medical necessity of a service is the overarching criterion for payment in addition to the individual requirements of a CPT code. The volume of documentation should not be the primary influence upon which a specific level of evaluation and management service is billed.

27. Evaluation and Management Services(E/M) • The level of service is determined by the elements documented in the medical record. • Because the level of E/M service is dependent on two or three key components, performance and documentation of one component (e.g.,. examination) at the highest level does not necessarily mean that the encounter in its entirety qualifies for the highest level of E/M service. • In the case of visits which consist predominantly of counseling or coordination of care, time is the key or controlling factor to qualify for a particular level of E/M service. • Time spent counseling must be greater than 50% of the encounter. 1995 Guidelines: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNEdWebGuide/Downloads/95Docguidelines.pdf 1997 Guidelines https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNEdWebGuide/Downloads/97Docguidelines.pdf

28. Physicians at Teaching Hospitals(“PATH”) Payment for Physicians at Teaching Settings: The attending physician must be present during every billable service when rendered by an intern, resident or fellow. Physical Presence Requirements: Evaluation and Management Services • The Teaching Physician must personally attest to their physical presence. • The Teaching Physician must specifically document that they reviewed the resident’s progress note. • The Teaching Physician must document that they agree with the management and plan as documented by the resident. • The Teaching Physician must revise the progress note if needed.

29. Physicians at Teaching Hospitals(“PATH”) Single Surgery The Teaching Physician’s presence may be documented by an “attestation statement” by the resident or teaching physician. Two Overlapping Surgeries • The Teaching Physician must be present during the key portions of both surgeries. • The Teaching Physician must make a personal entry into the medical record documenting his/her presence during the key portion of each procedure • The key portions may not overlap • The Teaching Physician must be immediately available During non-critical or non-key portions of the surgery, if the teaching physician is not physically present, he/she must be immediately available to return to the procedure. If circumstances prevent a teaching physician from being immediately available, then he/she must arrange for another qualified surgeon to be immediately available to assist with the procedure, if needed.

30. Physicians at Teaching Hospitals(“PATH”) Procedures • The Teaching Physician must be physically present during all high risk or other complex procedures. • The Teaching Physician’s presence may be documented by an “attestation statement” by the resident or teaching physician if they are present during the entire procedure. Minor Procedures (5 minutes or less) • The Teaching Physician must be present for the entire procedure. • The Teaching Physician’s presence may be documented by an “attestation statement” by the resident or teaching physician.

31. Physicians at Teaching Hospitals(“PATH”) Diagnostic Test Interpretation • The Teaching must personally review the data, image, tracing or specimen. • The Teaching Physician must personally document that they reviewed the data, image, tracing or specimen • The Teaching Physician must review the resident’s interpretation and agree or modify the findings. Endoscopy • The Teaching Physician must be present for the entire viewing, including scope insertion and removal. • The Teaching Physician’s presence may be documented by an “attestation statement” by the resident or teaching physician.

32. Physicians at Teaching Hospitals(“PATH”) Anesthesia • The Teaching Physician must be present during all key elements including induction and emergence. • The Teaching Physician must personally document their physical presence. • The Teaching Physician must sign the anesthesia record. Maternity Services • The Teaching Physician must be present for the delivery. • The Teaching Physician must be present for the minimum number of antenatal visits listed in CPT when billing globally.

33. The Joint Commission The Joint Commission accredits and certifies health care organizations. A private agency entrusted by Medicare to certify that healthcare organizations meet a set of established standards. These criteria are incorporated in Medicare's Conditions of Participation. Purpose: Maintain a high standard of institutional care, by both establishing guidelines for the operation of health care organizations through surveys and periodic inspections.

34. The Joint Commission Standards The standards focus on important patient, individual, or resident care and organization functions that are essential to providing safe and high quality care. In addition, the Joint Commission: Helps organize and strengthen patient safety efforts Strengthens community confidence in the quality and safety of care, treatment and services Provides a competitive edge in the marketplace Improves risk management and risk reduction Provides education to improve business operations Provides professional advice and counsel, enhancing staff education Provides a framework for organizational structure and management Provides practical tools to strengthen or maintain performance excellence

35. The Joint Commission Standards Joint Commission standards are the basis of an objective evaluation process that can help health care organizations: Measure Assess Improve performance The Joint Commission’s standards set expectations for organization performance that are: Reasonable and Achievable

36. Health Insurance Portability and Accountability ActHIPAA The rule establishes national standards to protect an individual’s medical records and health information. Applies to Covered Entities: • Health plans • Health care clearinghouses • Health care providers The rule sets limits and conditions on the uses and disclosures that may be made of “Protected Health Information” without patient authorization. The rule gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf

37. HIPAA Privacy The Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Privacy Rule sets the standards for who may have access to protected health information. A covered entity may use and disclose protected health information for: • Treatment, • Payment, and • Health care operations

38. Protected Health Information(PHI) Any form of information that can identify, relate or be associated with an individual obtaining healthcare services. The Privacy Rule protects all protected health information transmitted by a covered entity or its business associate, in any form or media. It may be: • Electronic • Paper • Verbal PHI is composed of: • Personal Information • Medical Information • Technical Information

39. PHI Examples of Personal Information: • Name • Address • Telephone Number • Fax Number • E-mail address • Birth Date • Social Security Number • Certificate/license number • Vehicle identification numbers

40. PHI Examples Medical Information: • Medical record number • Health plan information • Test results • Clinical notes • Care plans • Diagnoses

41. PHI Examples Technical Information: • Biometric identifiers • Photographic images • Web URLs • IP addresses • Account numbers

42. Patient Rights Under HIPAA Receive Notice of Privacy Practices Request restricted use and disclosure of their PHI Request to receive communications via alternate mechanism (cell phone vs home phone; PO Box vs. home address, etc.) Access and request a copy of medical record (including e-copies) Request an amendment to medical record Request restriction for billing insurance when paying out of pocket Request an accounting of disclosures Be notified of a breach in their confidentiality File a complaint Patients receive the Stony Brook Organized Health Care Arrangement Notice of Privacy Practices at all Stony Brook Medicine access locations.

43. Stony Brook Organized Health Care Arrangement The Stony Brook Organized Health Care Arrangement (SBOHCA) is an entity formed for the sole purpose of facilitating compliance with the Health Insurance Portability and Accountability Act (HIPAA) and creates no legal representations, warranties, obligations or responsibilities beyond HIPAA compliance. The Covered Entities participating in the Organized Health Care Arrangement (OHCA) agree to comply with the regulatory requirements under HIPAA and Stony Brook Medicine HIPAA related Policies and Procedures with respect to protected health information (PHI) accessed/created, received, maintained and/or transmitted by the Covered Entity as part of its participation in this OHCA. The Covered Entities of the SBOHCA include Stony Brook University Hospital (SBUH), voluntary members of the SBUH Medical Staff, the employees and contracted professionals of the University Faculty Practice Corporations (UFPCs), several academic health professional schools including the School of Medicine, School of Nursing, School of Health Technology and Management, School of Social Welfare and School of Dental Medicine. The covered entities, which comprise the SBOHCA, are in numerous locations throughout the greater New York area. This notice applies to all these sites.

44. Maintain Confidentiality Do not discuss patient information in public places Limit unnecessary or inappropriate access to and disclosure of protected health information Discard PHI in the confidential HIPAA bins Log off computers before walking away/leaving it unattended Do not take photographs/video or voice recording without patient permission Do not share passwords Do not snoop Do not leave PHI open to public viewing Do not send PHI over the internet or unsecured E-mail Do not store PHI on unencrypted devices or local hard-drives http://it.cc.stonybrook.edu/site_documents/google/hipaa_hitech_fact_sheet.pdf

45. HIPAA Security http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html The Security Rule sets the standards for ensuring that only those who should have access to electronic PHI will have access. The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic PH(e-PHI). Specifically, covered entities must: • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit. • Identify and protect against reasonably anticipated threats to the security or integrity of the information. • Protect against reasonably anticipated, impermissible uses or disclosures; and • Ensure compliance by their workforce.

46. HIPAA Security The Security Rule requires covered entities to Protect electronic PHI by maintaining reasonable and appropriate safeguards: Administrative-policies and procedures, training, general oversight Technical-security measures such as firewalls, virus and malware protection, encryption Physical-physical measures to protect against: • Natural disasters (hurricanes, storms) emergency back-up, redundant servers • Environmental hazards (fires) data center with halon sprinklers • Unauthorized intrusion (unauthorized access)secure areas with ID badge card entry

47. The Effects of a Compromise Business Impact Loss of revenue Legal liability Bad press Financial Penalties

48. Contacts Stony Brook University Hospital Interim Compliance Officer: John Ruth Telephone: 631-444-5776 Stony Brook Medicine Information Technology Chief Information Privacy and Security Officer: Stephanie Musso-Mantione Telephone: 631-444-5796 SB Clinical Practice Management Plan, Inc. Chief Compliance and Regulatory Officer: Cathy Cahill-Egolf Telephone: 444-8026

49. Quiz • Medicare abuse describes practices that either directly or indirectly, result in unnecessary costs to the Medicare Program. • True • False • The Federal laws used to address fraud and abuse are the False Claims Act, the Anti-kickback Statute and the Stark law. • True • False 3. Penalties for Medicare and Medicaid fraud and abuse include exclusion from participating in all federal and state health care programs. • True • False 4. When leaving your desk, you should log off your computer. • True • False 5. The attending physician must be present during every billable service when rendered by an intern, resident or fellow. • True • False

50. Certificate of Completion Please print, complete and return to Cathy Cahill in room 048 on level 5 of the Health Sciences Center(Zip=8552) or email at Cathy.Cahill@StonyBrookMedicine.edu This Certificate is presented __________________________________ Print Name For successfully completing : Regulatory Compliance Training Fraud and Abuse HIPAA ____________________ _________________ Signature Date of Completion 2016