Resurgens Orthopedics
Transcription
Slide 1
9/18/14
John R Gleason M.D.
Resurgens Orthopedics, Atlanta Ga

Slide 2: So, what does compliance mean?
Compliance is conforming to a rule, such as a specification, policy, standard or law. Standards, rules, regulations, values and other requirements govern the conduct of a person or the conduct of the members of a profession.
Source: Office of Inspector General, U.S. Department of Health & Human Services

Slide 3: Compliance program components
Code of Conduct; Meaningful Use; HIPAA; Coding and Billing; HR; OSHA; Laws and Regulations (Federal and State)
• Annual Program Updates
• Attestation
• Conflict of Interest Disclosure
• No hire list
• Compliance Training
– New hire orientation
– New provider training
– Annual OSHA training
– Annual HIPAA training
– Compliance intranet site

Slide 4: Program functions and roles
Education and Training; Monitoring; Investigating; Enforcement; Communication, Communication, Communication
• Compliance Officer
• Privacy Officer (PHI)
• Security Officer (information security/ePHI)
• Workplace Safety (OSHA)
• Coding and other billing guidelines
• Attorney(s) = $$$

Slide 5: Regulations
• False Claims Act (FCA)
• HIPAA/HITECH
• The Ethics in Patient Referral Act (STARK)
• Social Security Act (SSA)
• Open Payments Act (Sunshine Law)

Slide 6: The False Claims Acts
The FCAs are federal and state laws that prohibit any individual or company from knowingly submitting false or fraudulent claims for payment. Specific intent to defraud is not required for there to be a violation of the law. Deliberate ignorance of the truth and/or reckless disregard of the truth may also constitute violations of the law.
Examples of the types of activity prohibited include, but are not limited to:
• Billing for items or services not rendered
• Falsifying medical record documentation
• Upcoding the level of service
• Failing to refund credit balances
Individuals or companies found to have violated the statute are liable for a civil penalty for each claim of not less than $5,500 and not more than $11,000, plus up to three times the amount of damages sustained by the federal government.

Slide 7: Documentation and coding
Each note "stands alone" in support of the services provided for that given date of service. Documentation must support the medical necessity of the service(s)/procedure(s) performed. The chief complaint and/or the diagnosis must support:
1. Level of E/M service billed
2. X-rays ordered/performed
3. Other diagnostic tests ordered (e.g. MRI)
4. Procedures performed (e.g. injections)
• Every note must be signed by the provider.
The National Correct Coding Initiative is a CMS program designed to prevent improper payment of procedures that should not be submitted together. Initial implementation was January 1, 1996, and its purpose was to ensure accurate coding and reporting of services by physicians.

Slide 8: Incentives to report fraud

Slide 9: Anti-Kickback Law
The Anti-Kickback law, which is part of the Social Security Act, makes it a criminal offense to knowingly and willfully offer, pay, solicit, or receive any transfer of anything of value, directly or indirectly, overtly or covertly, in cash or in kind, to induce or reward referrals of items or services reimbursable by a Federal health care program.
Penalties for kickbacks: program exclusion.

Slide 10: Exclusions
The Social Security Act ("Act") mandates exclusion from participation in any Federal health care program for any individual and/or entity that has been, including but not limited to the following:
• Convicted of a Federal health care program-related crime
• Convicted of a criminal offense relating to neglect or abuse of patients
• Convicted of a felony related to health care fraud
• Convicted of a felony relating to the unlawful manufacture, distribution, prescription or dispensing of a controlled substance
• Failed to enter an agreement to repay Health Education Assistance Loans
STARK Amendments
The STARK amendments prohibit providers from referring Medicare and Medicaid patients to entities in which they (or any member of their immediate family) hold a financial interest for the furnishing of designated health services. Those amendments also prohibit entities from billing any person for services performed as a result of a prohibited referral. Exceptions are called safe harbors.

Slide 11: Anti-Trust and Competition Laws
Antitrust and competition laws protect free enterprise. These laws prohibit agreements that reduce competition, such as price-fixing and boycotting suppliers or customers. While there is a complex body of antitrust law, there are certain principles that should guide our business activities.
Employees should not:
• Discuss price with competitors
• Discuss market division or allocation with competitors
• Engage in group boycotts
• Tie the purchase of one product or service to another
Under no circumstances should employees enter into arrangements with competitors affecting pricing or marketing policies. We should avoid creating even the appearance of an improper agreement or understanding by keeping communications with our competitors to a minimum and ensuring that there is a legitimate business reason for all such communications.
Qui Tam ("whistleblower") Protection Provisions

Slide 12: Physician Payments Sunshine Act
The Physician Payments Sunshine Act, commonly known as "The Sunshine Act", requires manufacturers of drugs, medical devices and biologicals that participate in U.S. federal health care programs to report certain payments and items of value given to physicians and teaching hospitals. The items that require reporting are:
• Direct Payments: Manufacturers of a drug, device, biological, or medical supplies participating in federal health care programs will have to report to CMS any direct payments or transfers of value to physicians and/or teaching hospitals of $10 or more. However, there are 12 exceptions where a direct payment or transfer of value is not subject to reporting. These include product samples and educational materials that directly benefit patients.
• Indirect Payments: Transfers that are not made directly to physicians. These are categorized as third-party transfers and other types of indirect transfers.
Programs and Agencies: RAC, CERT, ZPIC, OIG, DOJ, OCR

Slide 14: What is HIPAA?

Slide 15: Health Insurance Portability and Accountability Act (1996)
Privacy Rule
• Focuses on the rights of an individual to control the use of his/her personal information
• Includes the "physical" security of all protected health information ("PHI") in all formats
Security Rule
• Focuses on the administrative, technical and physical safeguards related to electronic PHI ("ePHI")
• Includes protection of ePHI data whether internal or external, stored or in transit
The American Recovery and Reinvestment Act of 2009 ("The Stimulus Act"): Health Information Technology for Economic and Clinical Health Act (the "HITECH Act")
• Signed into law February 17, 2009
• Includes the expansion of HIPAA Privacy and Security regulations
• Providers with an Electronic Health Record ("EHR") must provide patients with an electronic accounting of all disclosures
• Includes new rules regarding patient requests for restriction of their PHI

Slide 16: The Stimulus Act (continued)
• Notification of Confidentiality Breach
– Providers must disclose to affected patients within 60 days of discovery of the breach
– Providers must notify the Secretary of Health and Human Services ("HHS"): immediately if over 500 individuals are affected; annually if fewer than 500 individuals are affected
– Providers must also notify major media outlets if over 500 individuals are affected
• Increased Penalties (effective immediately)
– Up to $50,000 for each violation
– $1.5 million maximum
– "Reasonable" violations are also subject to penalties
• Business Associates are now subject to civil and criminal penalties
• Patients now have a financial incentive to report HIPAA violations
• State Attorneys General are now authorized to investigate and enforce compliance with HIPAA regulations (effective immediately)

Slide 18: The Security Rule applies to all employees who create, access, transmit or receive ePHI
What You Can Do to Ensure Compliance
• Passwords
– Keep your password private. Do not share your password(s) with anyone
– Change your passwords every 30-45 days
• Avoid risky web or e-mail activities
– Use Practice systems for patient care and business-related purposes only, not personal usage
– Avoid sending e-mails to patients that contain PHI; use patient portals
• Ensure your computing devices are secure
– Lock your computer when you step away: Ctrl-Alt-Del, then "Lock Computer"; enter your password to resume
– Do not leave laptops, handheld devices or storage media unattended
– Lock laptops in cabinets or with locking devices whenever possible
– Protect PDAs and USB keys as if they were a laptop computer
Encryption is a key to keeping data on all devices safe.

Slide 19: Enforcement examples
• Cignet Health: clinic fined $4.3 million for violating HIPAA Privacy Rules [1]
• Mass General: settled for $1 million for POTENTIAL breaches [2]
• University Medical Center at Tucson: fired four staff for wrongfully accessing the medical records of Congresswoman Gabrielle Giffords [3]
1. Sun, Lena H. "Clinic fined $4.3 million for failing to provide patients' medical records", Washington Post, 23 February 2011, http://www.washingtonpost.com/wp-dyn/content/article/2011/02/22/AR2011022207094.html
2. Clark, Cheryl. "MGH to Pay $1M to Settle 'Potential' HIPAA Violation", Health Leaders Media, 24 February 2011, http://www.healthleadersmedia.com/content/LED-263046/MGH-to-Pay-1M-to-Settle-Potential-HIPAA-Violation
3. Hensley, Scott. "Snooping Tucson Hospital Workers Fired in Records Breach", NPR, 14 January 2011, http://www.npr.org/blogs/health/2011/01/14/132928883/snooping-tucson-hospital-workers-fired-in-records-breach

Slide 20: Large breaches
• Health Net, Rancho Cordova, CA: nine data servers containing sensitive health information of patients went missing. 1.9 million
• Sutter Physician Services and Sutter Medical Foundation, Sacramento, CA: a stolen desktop computer, with data that was password-protected but not encrypted, exposed the records of patients. At least two class-action lawsuits have been filed. 4.2 million
• Tricare: tapes containing health information from patients at military hospitals were stolen in a car theft. Four people have filed a $4.9-billion lawsuit on behalf of the patients. 5.2 million
Massachusetts group to pay $1.5M HIPAA settlement
WASHINGTON | September 17, 2012
Another HIPAA data breach settlement has been reached, this time with the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI), which will pay $1.5 million to the Department of Health and Human Services (HHS) for potential violations of the HIPAA Security Rule. HHS officials announced Monday that the settlement also requires MEEI to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients' protected health information. The settlement comes in the wake of an investigation conducted by the Office for Civil Rights (OCR) following the MEEI Feb. 2010 data breach, where an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects was reported stolen. The laptop contained ePHI, including patient prescriptions and clinical information, of some 3,621 individuals.

Slide 21: Alaska pays $1.7M to HHS for data breach
WASHINGTON | June 27, 2012
HIPAA privacy laws are not something to be taken lightly, as the Alaska Department of Health and Social Services (DHSS) has come to understand. The state's Medicaid agency has agreed to pay $1.7 million to the U.S. Department of Health and Human Services (HHS) to settle possible violations of the HIPAA Security Rule, making it the second largest settlement for HIPAA violations to date. As part of the settlement, the state has also agreed to take corrective action to properly safeguard the electronic personal health information (PHI) of their Medicaid beneficiaries. The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing PHI from an estimated 2,000 individuals was stolen from the vehicle of a DHSS employee.
http://www.healthit.gov/providers-professionals/privacy-security-training-games
Click on "Cyber Secure your medical practice".

Slide 22: Reminders
- Be aware of what computer you are logged onto, and lock it when possible
- You are responsible for what occurs with your login
- Be mindful of your computer bag or briefcase: lock it in the trunk when driving; do not leave it on the seat
- Do not access patient records without a legitimate reason
- Do not discuss a patient with anyone outside the patient's care
- Usage of VDI (virtual desktop infrastructure) is an easy way to avoid storage of information on computers
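The breach-notification timeline summarised on the "Stimulus Act (continued)" slide (patient notice within 60 days of discovery; HHS and media notice depending on whether more than 500 individuals are affected) is a rule an incident-response team has to apply to every confirmed incident, and the annual-log bucket is easy to lose track of. The following Python is an added example, not part of the deck or of Resurgens' own tooling: it encodes those deadlines, flags overdue patient notices, and collects the sub-threshold incidents for the annual report. The Breach and Obligations types, the function names and the sample incidents are constructed for illustration.

```python
"""Breach-notification tracker (added example).

Encodes the notification timeline from the "Stimulus Act (continued)" slide:
  - affected patients: within 60 days of discovery
  - HHS: immediately if over 500 individuals, otherwise in the annual log
  - major media: if over 500 individuals
"""
from dataclasses import dataclass
from datetime import date, timedelta

PATIENT_NOTICE_DAYS = 60       # slide: notify affected patients within 60 days of discovery
LARGE_BREACH_THRESHOLD = 500   # slide: "over 500 individuals" triggers immediate HHS + media notice


@dataclass(frozen=True)
class Breach:
    breach_id: str
    discovered: date
    individuals: int
    description: str = ""


@dataclass(frozen=True)
class Obligations:
    patient_notice_due: date   # last day to notify affected patients
    hhs_notice: str            # "immediate" or "annual"
    media_notice: bool         # must major media outlets be notified?


def obligations(breach: Breach) -> Obligations:
    """Derive the notification obligations for one breach.

    The slide phrases the boundary as "over 500", and this code follows that
    wording, so exactly 500 lands in the annual bucket here; confirm the exact
    boundary against the current rule text before relying on it.
    """
    large = breach.individuals > LARGE_BREACH_THRESHOLD
    return Obligations(
        patient_notice_due=breach.discovered + timedelta(days=PATIENT_NOTICE_DAYS),
        hhs_notice="immediate" if large else "annual",
        media_notice=large,
    )


def overdue_patient_notices(breaches, today: date, notified) -> list:
    """IDs of breaches whose 60-day patient-notice window closed without notice being sent."""
    return sorted(
        b.breach_id for b in breaches
        if b.breach_id not in notified and today > obligations(b).patient_notice_due
    )


def annual_hhs_log(breaches, year: int) -> list:
    """Sub-threshold breaches discovered in `year`, i.e. the entries for the annual HHS report."""
    return sorted(
        b.breach_id for b in breaches
        if b.discovered.year == year and obligations(b).hhs_notice == "annual"
    )


# Constructed sample incidents (hypothetical, not taken from the slides).
SAMPLE_BREACHES = [
    Breach("B-1", date(2014, 3, 3), 2000, "USB drive stolen from employee vehicle"),
    Breach("B-2", date(2014, 5, 20), 12, "fax containing PHI sent to wrong number"),
    Breach("B-3", date(2014, 8, 1), 480, "unencrypted laptop stolen"),
    Breach("B-4", date(2013, 12, 10), 40, "paper chart lost"),
]

if __name__ == "__main__":
    for b in SAMPLE_BREACHES:
        o = obligations(b)
        print(f"{b.breach_id}: {b.individuals} individuals, patients by {o.patient_notice_due}, "
              f"HHS {o.hhs_notice}, media {'yes' if o.media_notice else 'no'}")
    # Status check as of the deck date, assuming only B-1 has been notified so far.
    print("overdue on 2014-09-18:", overdue_patient_notices(SAMPLE_BREACHES, date(2014, 9, 18), {"B-1"}))
    print("2014 annual HHS log:", annual_hhs_log(SAMPLE_BREACHES, 2014))
```

Running the block as a script prints each sample incident's deadlines, then shows that on 2014-09-18 the two older small incidents (B-2 and B-4) have missed their 60-day patient-notice window while B-3 still has time, and that B-2 and B-3 belong in the 2014 annual log; the 2,000-record USB-drive case is the only one requiring immediate HHS and media notice.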