OIC Annual Compliance Training

No description
by

Summer Beagle

on 13 December 2016

Transcript of OIC Annual Compliance Training

Questions?
Why We Talk About Ethics
Scandals
Enron
Arthur Andersen
WorldCom
Excessive CEO pay and poor firm performance
Sarbanes-Oxley Act of 2002

Integrity
Communication
Respect
Excellence
Their values were chiseled in marble in the main lobby, but had little to do with the real values of the organization
What Happened?
In just 15 years, Enron grew from nowhere to become America's 7th largest company, employing 21,000 staff in more than 40 countries

But the firm's success turned out to be an elaborate scam

Enron lied about its profits and concealed debts so that they did not show up in the company's accounts

Why We Talk About Compliance
Raise Awareness
Mitigation Factor
Demonstrates Commitment
Reduce the threat of qui tam (whistleblower) suits
Makes good business sense
Minimize the chance of a Corporate Integrity Agreement (CIA)

Did they have values?
2016
OIC & RAPC Annual Compliance Training
Seven Elements of Compliance Program
Standards and Procedures (Policies)
Education and Training
Oversight
Monitoring and Auditing
Reporting
Enforcement and Discipline
Response and Prevention

Standards and Procedures
Code of Conduct
Separate from policies and procedures
Provided to all new staff and employees
Did you read it?
Did you sign it?

Standards and Procedures
Endorsed by senior leadership and approved by the Board
Follow the institutional template
Periodically reviewed and revised
Education is provided to all affected staff

Oversight
Board’s Role
Organizational Integrity Committee
Director of Compliance
Compliance Coordinator

Education and Training

Essential to reinforcing the importance of the compliance program
Focuses on risk areas
New PACS and RIS (picture archiving and communication system, radiology information system)
New staff
Required by law

Monitoring and Auditing
Annual plan is developed from a risk assessment and includes reviewing previous audits and monitoring controls
Sharing results across organization
Addition of ad-hoc project per Board request

Reporting and Investigation
Mechanism to report matter anonymously
Reporting to leadership
Non-retaliation policy
Confidentiality and Anonymity
Why it’s important

Enforcement and Discipline
Sanctions for non-compliant behaviors
Fair and consistent
OIG Sanctions
Incentives, kickbacks, conflicts of interest (COIs)

Response and Prevention
Internal Investigations
Is it really a problem?
How serious is it?
Are there enough facts to investigate?
Interviews and Discovery
Assess Findings
Reporting
Follow-up to make sure controls work

Evaluating for Success
Annual review of written program
Continual review of policies and procedures
Are policies being followed?
Awareness
Who is responsible?
Annual risk assessment
Effectiveness assessment

HIPAA 101
HIPAA vs. HIPPA (common mistake)
Passed in 1996 with the intent of making health coverage portable and reducing administrative costs in healthcare.
Although associated with patient privacy, the law actually covers several areas, including insurance requirements, tax provisions and other matters.
HIPAA Privacy Rule
Two essential approaches:
1) The rule assigns rights to individual patients to provide them with some control over their own health information.

2) It provides standards for the ways healthcare providers, health plans, and health clearing houses are allowed to access, use and disclose patient health information.
State vs. Federal Law
HIPAA is a national regulation and, as a general rule, HIPAA will apply.
In some states there may be specific aspects of state law that are more protective of PHI and that give patients greater access and other rights to control their information.
Whichever law is more protective of PHI "trumps" the other.
California often has stricter laws because of celebrities.
Patients Rights Under the Privacy Rule
Right to Access and obtain a copy of their PHI
Right to amend their PHI
Right to obtain an accounting of disclosures of their PHI
Right to receive a Notice of Privacy Practices
Right to have communication about their PHI conducted in a confidential manner
Right to restrict disclosure of their PHI
Right to file a complaint to OCR
Access to Health Information
In general, patients can have access to their own health information, except that a covered entity can deny access to:

Psychotherapy notes

Information compiled for actual or anticipated litigation

Information that a licensed healthcare professional has determined would endanger the individual or another person if shared
* PHI must be provided in the form and format the patient requests if it is readily producible that way (electronic vs. paper); otherwise in a readable form agreed with the patient.
Right to an Amendment of PHI
A patient has the right to request that a covered entity amend their health information.
We may deny the request if we determine that the record is accurate and complete.
Right to Request Restrictions
An individual may request additional restrictions on the uses of PHI.

The privacy rule is very explicit. While an individual has the right to request a restriction, the covered entity is under no obligation to agree to the restriction.

Generally, the administrative burden of tracking such restrictions makes agreeing to them impractical for a covered entity of any significant size.
* Exception: We are required to honor a request not to disclose information to a health plan when the patient has paid in full, out of pocket, at the time of service.
Right to Request for Confidential Communications
If an individual makes a reasonable request to have PHI communicated in a specific manner, the covered entity must accommodate the request.
Example: An individual may ask that we only call one number to communicate PHI

Example: An individual may ask that no messages are left on the answering machine
Right to Request an Accounting of Disclosures
HIPAA privacy regulations give an individual the right to know who has received his or her PHI. An accounting is NOT required for disclosures that were:
Treatment, payment or healthcare operations
An incidental disclosure
Made in a limited data set
Made with an authorization from the individual
Made for national security purposes
Disclosure to a correctional institution or law enforcement.
The accounting must include: who received the information, the date of the disclosure, a brief description of the information disclosed and a brief statement of the purpose of the disclosure. A patient can request an accounting that covers up to the six years before the request.
Uses and Disclosures of Patient Information
THE PRIVACY REGULATIONS WERE DRAFTED WITH THE INTENT OF ALLOWING THE FREE FLOW OF INFORMATION FOR THE PROVISION OF HEALTHCARE AND FOR OTHER PURPOSES IN THE PUBLIC INTEREST.
Uses and Disclosures of PHI
Permitted Disclosures: uses and disclosures we can make without a patient's permission:
The RULE OF TPO:
Treatment:
A physician can call a colleague in another specialty to get the colleague's input on the care being provided.

Payment:
A physician's staff can submit a bill to the individual's insurance company to obtain payment for services

Healthcare Operations:
Compliance staff can access the individual's PHI to conduct an assessment of the physician's coding and documentation practices.
Access for Purposes in the Public Interest
There are 11 categories under which we are permitted to provide PHI without a patient's permission for public interest:
1) Public health activities
2) Reporting on victims of abuse, neglect or domestic violence
3) Reporting for health oversight activities
4) Judicial or administrative proceedings
5) Law enforcement purposes
6) Information for coroners, medical examiners, funeral directors
7) Information for organ donations
8) Certain research purposes
9) Disclosures to avert a serious threat to health or safety
10) Specialized government functions
11) Worker's compensation
Minimum Necessary Standards
For most uses and disclosures of PHI, the regulation requires that the covered entity share only the minimum information actually needed to accomplish the task or activity.
This applies every time we use or disclose PHI EXCEPT:
With an authorization
To a provider for treatment
To the Secretary of DHHS
As required by law
Role-based access vs. need to know
Verification
When PHI is requested from a covered entity, how does the covered entity know that the party making the request is legitimately entitled to the information?

Answer: The Privacy Rule requires a covered entity to verify the identity and authority of a requester it does not already know, but it does not prescribe how.
Solution: Ask a few questions to verify the request: date of birth, date of service, medical record number (MRN)...
Enforcement and Penalties
Did not know of the violation (and, exercising reasonable diligence, would not have known):
- $100 up to $50,000 per violation

Violations due to reasonable cause but not willful neglect:
- minimum of $1,000 per violation up to $50,000

Violations due to willful neglect that were corrected within the required time:
- minimum of $10,000 per violation up to $50,000

Violations due to willful neglect that were not corrected:
- $50,000 per violation

All tiers are subject to an annual cap of $1.5 million for identical violations.
Access Requiring Opportunity to Object
- Hospital facility directory
- Disclosures to family, friends or others involved in the patient's care
- Use reasonable judgement
- If the patient is incapacitated, use reasonable judgement
- Disaster relief purposes
* Note: these disclosures are permitted, not required
Kaiser Permanente's Bellflower hospital fined $437,500 for breaches of PHI records of Nadya Suleman, mother of octuplets "Octomom"
Six people fired from Cedars-Sinai over patient privacy breaches
Use your best judgement. The HIPAA Privacy law is an intent based law.
Breach Notification Requirements
Breaches affecting 500 or more individuals must be reported to OCR and to the affected patients without unreasonable delay and no later than 60 days after discovery of the breach; the media must also be notified when more than 500 residents of a state or jurisdiction are affected.
Breaches affecting fewer than 500 individuals must be logged and reported to OCR within 60 days after the end of the calendar year in which they were discovered; the affected patients must still be notified no later than 60 days after discovery.
Notice to the individuals must include:
- Description of what happened and dates
- Type of information involved
- Steps individuals can take to protect themselves from harm
- Steps we are taking to investigate and mitigate harm
- Contact information