Corporate Compliance HIPAA Privacy HIPAA Security
Training Objectives… To Help: • Bridge the Gap Between Ethics & Compliance • Find Ways to Place Regulatory Theory into Practice • Heighten Awareness of Non-Compliant Activities
Reality check… Rules provide a set of expectations towards an expected end… …they serve as a roadmap for direction
The healthcare industry is full of… RULES & REGULATIONS But they do serve a purpose!
FEDERAL COSTS • As noted by Withrow (1999): • Healthcare expenditure = >$1 trillion/per year • Healthcare billing fraud = $100 billion/per year
Compliance as abuzzwordIt’s really about doing the right thing.…Liken it to an ethical responsibility.
Practice of Clinical Medicine • Requires a strong knowledge-base of practical issues that can result in: • Informed Consent • Truthful Communication • Confidentiality • End of Life Care • Pain Relief • Patient Rights (HCCA,2004)
SBUH Responsibility Organizations should find the right balance between compliance and integrity. “Must do ” vs. “Ought to do ”
Case # 1 Mr. Cope was admitted for inpatient treatment of obesity with a protein-sparing modified fasting regimen. He was found repeatedly in the cafeteria, cheating on the diet. His physician made reasonable efforts to persuade him to change his behavior. How should the physician handle this situation?
Response It would be ethically permissible for the physician to abandon therapeutic goals and to discharge the patient from the Hospital. These goals are unachievable because of the patient’s failure to participate in the treatment program. (Jonsen, Siegler & Winslade, 1998)
Case # 2 A resident authorizes a medical student to obtain and document the history and condition of a patient without supervision. The resident then tells the student to write a progress note and leave it unsigned. Is there a compliance implication?
Response Medical students are not considered residents under the Medicare guidelines. Therefore, to meet the billing requirements under PATH, services involving medical students are only billable when performed in the physical presence of an attending physician, or jointly with a resident.
Case # 3 Dr. Brown supervised resident physicians during the hours of 8am and 10am on Monday morning. Is Dr. Brown allowed to bill Medicare for services that he provides to these patients?
Response Graduate Medical Education (GME) is reimbursed under Medicare Part A. Private physician services are reimbursed under Medicare Part B. If Dr. Brown is unable to define the line between where his academic, teaching activities end and where his private physician activities begin, then billing under Medicare Part B will be considered double-dipping, which is a fraudulent billing practice.
Case # 4 Dr. Martin has just become a part-owner of XYZ Clinical Laboratories. She intends to refer all of her patients to this facility. Are there any compliance implications for this type of activity?
Response This situation creates a conflict that violates the Stark Law; a federal, civil prohibition. Under Stark a physician is not allowed to self-refer to an entity in which the physician or an immediate family member may have a financial interest. The federal government initially surveyed Medicare patient clinical laboratory referrals and found that when the doctor had a financial interest in the facility, referrals were 65% higher than for non-Medicare patient referrals.
Conflicts of Interests The Ethics Law and SBUH policy prohibit situations that can create a conflict of interest.
A Conflict of Interests Arises… …when a person’s judgment and discretion is or may be influenced by personal considerations, or if the interests of SBUH are compromised. Examples include: • Accepting gifts from vendors • Misuse of Hospital assets • Activities that violate principles governing research
What is a Gift? According to the NYS Ethics Commission a gift may be in the form of: • Money • Loan • Travel • Meal • Refreshment • Entertainment • Any Good or Service
Violations of Ethics Law… With regard to gift taking, NYS employees are not allowed to accept gifts valued above nominal Value For example, coffee mug, pads, pens, key tags, lanyards, jar grip openers, magnets business Cards, retractable tape measures, etc. Penalties imposed by the Ethics Commission are up to $10,000/per incident.
Evaluation and Management/E&M codes… • Are categorized by place of service • (i.e. Hospital, Office, ER, etc.) • Provide definitions for new and established patients • Begin with “99” and are 5 digits in length • Require history, physical examination and/or medical decision making • Describe the “Who, What, Where, and Why”
Accurate billing = diagnosis code + procedure code • These two elements should be in harmony.
Documentation is Key… Medicare says… “…If it’s not documented then it didn’t happen.”
FACT: • Documentation must always support the billing for a claim.
EXAMPLE A patient is admitted to a unit after complaining of pain in his left arm. Any tests ordered should support this condition. • Without proper documentation an order for an MRI of the brain would be questionable.
Down the Pipeline… Billing codes are based on the documentation Codes that don’t match will raise a flag!
Implications • Rejected/Denied claims • Possible audit of the organization
Consequence • Increased governmental scrutiny • Fines • Loss of revenue • Service and staffing cuts • Loss of privileges • (i.e., exclusion from the Medicare Program)
The Joint Commission is… A private agency entrusted by Medicare to certify that healthcare organizations meet a set of established standards. These criteria are incorporated in: Medicare’s Conditions of Participation
The formula: Delivery of quality healthcare services + Imposition of governmental mandates + Cost-cutting measures by insurance carriers + Accrediting body rules = Guidance for Clinical Practice
Patient Choice vs. Patient Consent 1) Patient consent: • Patient agrees to a proposed course of treatment by medically authorized personnel. • It is best to have consent in writing
Patient Choice vs. Patient Consent 2) Patient choice: • Preferences are based on patient values and personal assessment of benefits and burdens. (HCCA, 2004)
Patient choice… What to ask? Physicians should ask… • What does the patient want? • What are the patient’s treatment goals? • Is the patient’s right to choose being respected?
Physicians are challenged when patients fail to accept or cooperate with a medical recommendation. However… “Clinicians should not be expected to render treatment that is illegal or contradictory to the recognized standard of care” (HCCA, 2004)
Beyond the Hippocratic Oath Professional Ethics for Residents must include adherence to the following doctrines: • Medical Necessity • Physicians at Teaching Hospitals (PATH)
PATH Teaching Physicians: • Are required to be present during complex procedures • Must be available to furnish all procedures for Medicare patients
PATHConstraints FACT: The inherent nature of academic medical center (AMC) operations preclude attending physicians from being present in every situation.
Deficit Reduction/False Claims Act • Federal and State Laws: • Imposes penalties and fines on INDIVIDUALS and ORGRANIZATIONS that file false or fraudulent claims for payment from Medicare, Medicaid or other federal health programs. • NYS False Claims can be Civil and or Criminal • Both provide Whistleblower protections • An employer MAY NOT take retaliatory action against an employee if the employee discloses information about the employer’s policies, practices or activities to a regulatory, law enforcement or other similar agency or public official. • The employee’s disclosure is protected only if the employee FIRST brought up the matter with a supervisor (departmental chain or command) and gave the employer a reasonable opportunity to correct the alleged violation
Compliance is more than… Adherence to regulatory requirement (i.e.): • EMTALA • Medicare & Medicaid Regulations • HIPAA • Anti-Kickback & Stark Law(s) • Deficit Reduction/False Claims Act(s)
HIPAA & HITECH REGULATIONS Stephanie Musso, SBUH HIPAA Privacy Officer
What is HIPAA? • Health Insurance Portability and Accountability Act of 1996 Focus: Title II • Addresses the privacy (4/14/03) & security (4/20/05) of health care information • Guaranteed individuals’ rights • Establish national standards for e-health care transactions • Reduce health care fraud and abuse
What is HITECH? On February 17, 2009 the Federal Stimulus Bill or American Recovery and Reinvestment Act (ARRA) was signed into law and included provisions to address Health Information Technology For Economic and Clinical Health Act (HITECH). Purpose is to create a national health information infrastructure and widespread adoption of electronic health records through monetary incentives. Provide enhanced Privacy & Security Protections under HIPAA including increased legal liability for non-compliance and greater enforcement.
Who must comply? • Organizations Involved in the Provision of Healthcare Services • Individuals Involved in the Delivery of Healthcare Services • Under the HITECH Act 2009 Business Associates are now held to the same regulatory requirements as the health care provider they do business with.
What are the HIPAA Privacy and Security Rules Protecting? PHI = Protected Health Information Any form of information that can identify, relate or be associated with an individual obtaining healthcare services and can be electronic, hard copy or verbal.
What Constitutes PHI? • Personal Information Name, Address, Phone Number, Fax Number, E-mail Address. Dates: Birth/Death, Admission/Discharge, Procedure/Surgery. Numbers: SSN, Certificate/License Number, Automobile/Vehicle Identifiers • Medical Information Medical Record Number, Health Plan Information, Test Results, Clinical Notes and Procedural Information, Care Plans, Diagnoses • Technical Information All of the above in electronic format and Biometric Identifiers (finger or voice prints), Full-Facial Photographic Images, Device Identifiers/Serial numbers, Web URL’s, IP addresses, Account Numbers The information can be written, verbal or electronic
Patient Rights • Receive Notice - Inform them how their health information is being used and shared – Joint Notice of Privacy Practices (JNPP) • Restrict - Decide whether to give permission before their information can be used or shared for certain purposes other then treatment, payment or operations (opt-out) • Access -Ask to see and get a copy of their health records • Amend - Ask to have corrections added to their health information • Accounting - Request a report on when and why their health information was shared • File a Complaint - If they believe their PHI was used or shared in a way that is not allowed under the privacy law or they were not able to exercise a right.
How is HIPAA Enforced? • Civil monetary penalty: Civil penalty forinadvertentviolation = fines of $100/per incident up to $25,000/per year for each similar offense. EXAMPLE A hospital employee violates HIPAA by misdialing a fax number and sending 100 patient records to Starbucks. The hospital & the employee may have to pay a $10,000 ($100 X 100) fine.
Worse Case Scenario……. • Criminal Penalties : Criminal penalties = large fines + jail time, and increase with the degree of the offense. Example: A hospital employee steals and sells patient information for personal profit. Criminal penalties could be as much as $1.5 million and/or 10 years in jail.