Transcript Corporate Compliance and HIPAA

Corporate Compliance and HIPAA 2011
Description
Annual compliance update training, mandatory for all Aurora caregivers. Includes
reminders, information regarding compliance references and resources, and training in
areas of special importance. It’s estimated it will take 45 minutes to complete this
course.
Instructions for Printing to Paper
• From the PowerPoint toolbar, select File, Print
• Under “Print What”, select Handouts
• Under “Color/Grayscale”, select Grayscale
• Under “Handouts/Slides Per Page”, select 2
• Select OK.
Content Contact:
Nancy Vogt
Director, Corporate Compliance
Created: May 2005
Updated: January 2011
Learning Objectives
After completion of this course, you will be able to:
•
Describe your role and responsibilities in helping ensure that Aurora fulfills its legal
and ethical obligations, including actions to take in the event of a compliance
concern or question.
•
•
•
Explain the healthcare laws that relate to the work that you do.
Describe compliance resources that are available to you.
Describe how to protect patient privacy in accordance with the HIPAA Privacy and
Security Rules, and how to appropriately use and protect Aurora’s electronic
systems.
Would you know what to do?
•
•
Would you know what to do if
you were approached by an FBI
agent at home or at work who
started asking questions about
your department or practice?
Would you know what to do?
Do you know why you cannot
just ignore a situation at work
that seems illegal or unethical?
•
•
Do you know how patients and
the government may find out if
you would view health
information when it was not
necessary to perform your job?
Stay Tuned to Learn the Answers
Stay tuned to learn the answers
to these and other questions
you may have, because it’s
time for your favorite program…
•
•
The Aurora Health Care Compliance
Program
•
•
Carrie Killoran,
Chief Compliance and
Integrity Officer
Message from Nick Turkal, MD
Our 2011 season premiere
includes a special message from
our President and CEO,
Nick Turkal, M.D. Nick will lead us
off by explaining why ethical and
legal conduct is so important at
Aurora Health Care.
Nick Turkal, M.D. President and Chief Executive Officer
High Integrity Caregivers
“We know that when caregivers are engaged at
work, it makes a positive difference for our
patients. Ethical and legal conduct is a
component of this engagement – it helps make
Aurora an organization of high integrity
caregivers who are proud of our work. An
ethical work environment helps to ensure that
we can deliver an excellent patient experience,
which is by far our paramount goal.”
Nick Turkal, MD
President & CEO
Code of Ethical Conduct
Our Code of Ethical Conduct places the PATIENT FIRST, ALWAYS. You’ll note the
title includes, “Providing patient-centered
care with integrity.”
•
The Code provides guidance to all caregivers,
physicians, contractors, and those who do business with
us.
•
The Code’s guidance relates to our conduct as
caregivers, and our conduct as an organization. Some
of the areas it speaks to are:
- High quality and safe patient care
- Accurate documentation and billing practices
- Appropriate relationships with physicians,
vendors, and government representatives
Code of Ethical Conduct
Read the Code of Ethical Conduct. You can find it on:
ACTION
•
•
Read the Code of Ethical Conduct
•
•
•
-The Compliance and Ethics website.
You can find on:
-The Employee Connection iConnect (under “Tell Me About…
Aurora Policies and Procedures”)
2011 Schedule of Topics
 Gifts and the Caregier
 Documentation and Biling
 Physician Financial Relationships
 Privacy Security of Health Information
 Other Compliance and Legal Requirements
 Reporting Compliance and Ethical Concerns
 Government Investigations
 How Compliance Fits In
Gifts and the Caregiver
Let’s tune in…
Gifts and the Caregiver
In general, we think of gifts as being something good — and they are!
We like to receive gifts, and we feel good when we give gifts. In health
care, however, a gift might be a problem and giving or receiving it might
violate Aurora’s Gifts and Business Courtesies Policy.
What do the items below have in common?
Gifts and the Caregiver
They’re all considered to be gifts. Keep in mind that a “gift” in terms of
our policy means anything of value.
Why is this not allowed?
The following are examples of how gifts can be used inappropriately (and in some
cases, illegally) in health care.
•
A vendor offers to pay for the registration and travel for four Aurora caregivers
to attend a professional association conference.
Why is this not allowed? The vendor is using a gift to potentially influence
our continued business. We need to choose products based upon what is
best for our patients in terms of quality, effectiveness and cost.
•
A clinic offers $25 restaurant certificates to all patients who make an
appointment with a new physician.
Why is this not allowed? The clinic is trying to influence patients to choose
a physician because of a gift, not because that physician is the best
choice for the patient.
•
A patient offers a $100 gift card to a caregiver for exceptional service.
Why is this not allowed? All caregivers are expected to offer exceptional
service to patients. This caregiver may come to expect rewards from
patients just for doing her job, and patients may come to believe they
must offer gifts in order to get the best service.
Influence of Gifts
Gifts such as the examples just provided create ethical issues.
•
We need to select our vendors based upon what is best for our patients…
•
Patients need to select Aurora as their health care provider because we
offer the best quality, service and cost…
•
We need to do our jobs with the highest quality and service possible…
…because our PATIENTS ARE FIRST, ALWAYS, not because we are influenced
by or influence others with gifts.
Illegal
It is also important for you to know that in some cases, gifts are illegal
under federal law.
The Anti-Kickback Statute prohibits offering or
receiving anything of value when the intent is to influence
decisions related to items or services that will be billed to a federal health care
program. Violating this law is a felony. Penalties can include a fine and/or a prison
sentence. The government takes kick-backs seriously. The construction project
manager at MetroHealth, an Ohio health system, faces up to 11 years in prison
for accepting gifts from a construction company with whom MetroHealth did
business.
Under Federal Law Individuals and
Organizations Fined
Under federal law, an organization
(like Aurora) can be fined, or an
individual working for Aurora can be
fined and/or sentenced to prison.
Federal law (Civil Monetary Penalties) prohibits
offering gifts to patients in order to influence them
to seek services. Penalties can include a $10,000
fine per item offered. The government takes patient
inducements seriously. One example occurred in
Texas. A home health agency received a significant
fine for offering free nursing services to patients.
A Word About Vendors
You may be wondering, who is a vendor?
A vendor is anyone who does business
with Aurora. This includes many types of
businesses, including:
•
•
• Any company or business that
provides us products or services
(whether or not the products or
services are directly related to patient
care)
• Any other health care provider with
whom we contract or with whom we
share patients (for example, a nursing
home, a medical director, etc.)
Vendor Gift Examples
Examples of gifts that might be offered by
a vendor include
(but are not limited to):
•
- Promotional items such as pens
and coffee mugs
•
•
•
- Gift cards
•
•
-Tickets to sporting events
- Restaurant certificates
-Trips/travel or registration fees for
professional association conferences
-Work areas should be free of items
with outside vendor logos.
-Meals (at work or outside of work)
First
Response
Gifts Must Benefit Patients
The Gifts and Business Courtesies Policy allows us to accept some gifts,
depending upon the purpose and circumstances and only if the gift will
benefit our patients.
Patients First, Always
Promotional Items: Caregivers may not have promotional items
provided by vendors (such as pens, notepads, coffee mugs, etc.) on the
premises of any Aurora facility.
Food and Meals: Vendors are not allowed to bring in food or meals to
an Aurora facility. Vendors may provide financial support for meals at
educational events through grants managed by the Aurora Grant
Development office. Vendors may pay for meals that are provided at an
off-site business meeting held during meal times, as long as the value of
the meal is $25 or less for breakfast or lunch, and $50 or less for dinner.
Patient Educational Materials: Journal reprints and patient educational
materials may be accepted from vendors, even if they are branded with
the vendor’s name and logo.
The Gifts and Business Courtesies Policy addresses these and
additional types of gifts.
Gifts to Patients
Gifts (anything of value) may be offered to patients only if:
•
The gift is not in the form of cash or a gift card (unless the
gift card has been approved by Compliance)
•
The gift is valued at $10 or less; and the total for all gifts
given during the year is $50 or less; or
•
The gift is a free service that meets one of the exceptions in
the law. If you have not received specific training on these
exceptions, contact a compliance officer before offering the
free service; or
•
The service is discounted through the Helping Hands
financial assistance program.
Gifts from Patients
A caregiver may accept a gift from a grateful patient only if:
•
The gift is a modest token of appreciation (approximate value
of $50 or less);
•
The gift is not cash or a cash equivalent (such as a gift card);
and
•
The circumstances are such that the refusal of the gift could
hurt the patient’s feelings or otherwise be counterproductive
to a patient relationship.
If possible, patients who wish to give a gift should be directed to
the Aurora Foundation. When a gift does not meet the guidelines
above and cannot be graciously refused, the gift may be accepted
and must be delivered to the Aurora Foundation. Perishable gifts
like food and flowers should be shared with the caregiver’s coworkers.
Gifts and Business Courtesies Policy
The Gifts and Business Courtesies Policy addresses various types
of gifts, including some of those already discussed:
•
•
•
•
•
•
•
•
Gifts from vendors
Gifts from patients
Gifts to patients
Gifts among caregivers
Gifts to government officials
Vendor-sponsored events
Food and meals
Charitable contributions
The policy also includes enforcement of the policy, both for
caregivers and vendors. The policy, however, does not include all
types of relationships with vendors (for example, training provided
by vendors on their products, consulting relationships with
vendors, accepting samples and demo items, etc.) These other
vendor relationships will be addressed in a separate policy.
Conflict of Interests Policy
We are also committed to managing any conflicts of interests that caregivers,
physicians, or board members may have. A conflict of interest can occur when
there is a personal interest in an entity with which Aurora does business. It may
be difficult for a person in this situation to act in Aurora’s best interest. That is
why our leaders, physicians, and board members are required to disclose their
potential conflicts.
A few examples of potential conflicts are:
•
An administrator is selecting a new cleaning service for her clinic. One of
the two services under consideration is owned by her brother-in-law.
•
A physician’s son is a sales representative for a medical device company.
The physician is in a position to select the company that will supply medical
devices for his patients.
•
A caregiver is participating in confidential negotiations between Aurora and
two medical device companies that offer similar products. The caregiver
accepted a gift from one of the companies in exchange for information
regarding the other company’s proposed pricing. [Note: while most conflicts
can be managed, this type of conflict is strictly prohibited.]
Take Action!
ACTION!
Before accepting or offering a gift of any kind,
review the Gifts and Business Courtesies
Policy (AHC System Policy #130).
If you potentially have a conflict of interest that
needs to be disclosed, review the Conflicts of
Interest Policy (AHC System Policy #80.)
**Add Aurora Administrative Manuals to your
quick links in iConnect. Click on Aurora
System Manual, click on Table of Contents on
the right hand side and scroll to the above
policies.
A Word From Our Sponsor – Gifts
QUIZ QUESTION: If a vendor who does business with Aurora Health Care made
the following offers to you, which one could you accept?
a. A ticket to the Packers vs. Bears Game
b. A free lunch at work while you listen to the vendor representative
explain his products
c. An educational booklet for patients about managing their diabetes
d. None of the above
A Word From Our Sponsor – Gifts
QUIZ ANSWER
c. You may accept an educational booklet for patients about managing their
diabetes. This put the patient first, always!
Documentation
and Billing
Up next…
Code of Ethical Conduct Summary
Our Code of Ethical Conduct
summarizes our obligations related
to documentation and billing. The
first two are:
•
•
First, we will document diagnosis
and treatment accurately and in a
timely manner.
Second, we will bill only for
services that are actually provided
and appropriately documented.
Code of Ethical Conduct Summary continued
Patients First, Always
While accurate and timely documentation is important for billing, it is
even more important for providing the best care possible for our
patients.
It is also important to recognize that the government is doing more
auditing and monitoring than ever before. The auditors will deny
payment if documentation does not support our charges. That means we
will have provided the best care possible to patients, but will not receive
the payment because we failed to document the care.
In the recent Recovery Audit Contractor (“RAC”) 3-year pilot program
conducted by Medicare, the auditors took back nearly $1 billion dollars
in just three states (and that was just the pilot program!)
Code of Ethical Conduct Summary continued
•
•
This means every dollar
lost due to inadequate
documentation is a
dollar we cannot spend
on our patients and on
our caregivers.
Inadequate Documentation and Billing
Errors
QUIZ QUESTION 1::
According to our Code of Ethical Conduct we will document diagnosis and
treatment accurately and in a timely manner. Which one answer below would be
considered accurate and timely documentation.
a. Documentation was entered into the patient’s record immediately after
care was provided
b. A dictated report was not signed in a timely manner
c. An order for a service was not signed and dated by the physician
d. A report was not dictated in a timely manner]
e. A description of the exam or treatment was brief and did not include all
the services that were actually provided.
Inadequate Documentation and Billing
Errors
QUIZ ANSWER 1:
a. Documentation was entered into the patient’s record immediately after care was
provided.
Documenting and signing immediately after services are provided is best practice.
Inadequate Documentation and Billing
Errors
QUIZ QUESTION 2:
According to our Code of Ethical Conduct we will bill only for services that
are actually provided and appropriately documented. In the list below, which
indicate that billing errors have been made. (Choose all that apply.)
a. A charge was submitted for a service that was cancelled
b. A caregiver accidentally enters a wrong charge code for a service
c. Too many charges (units) for a service were submitted
d. A charge was submitted for a service that was only partially provided
Inadequate Documentation and Billing
Errors
QUIZ ANSWER 2:
All of the above billing errors were made
Avoid Fraud
In addition to unintentional or accidental billing and
documentation errors, we need to be on the lookout for fraud.
Committing fraud means the person knows they are submitting a
false claim. Fraud is unethical and illegal. Federal law (The False
Claims Act) and Wisconsin state laws prohibit submitting
fraudulent claims.
Penalties can include paying back up to three times the amount of
the charges submitted, plus up to $15,000 per claim.The
government takes fraud seriously, and even has deployed special
audit and SWAT teams dedicated to finding fraud in health care.
Examples of Fraud
QUIZ QUESTION:
Committing fraud means the person knows they are submitting a false claim or
creating false documentation. Which below indicates fraud has occurred (list all
that apply.)
a. A caregiver submits charges for a service that the caregiver knows was
never provided
b. A physician changes a patient’s diagnosis in order to get a claim covered by
an insurance company
c. A nurses uses a physician’s ID and password to document in the patient’s
electronic health record.
Examples of Fraud
QUIZ ANSWER:
All of the examples listed are examples of fraud!
Government is Fighting Fraud
Some recent actions by government agencies are examples of
how the government is fighting fraud, waste, and abuse in
health care, and demonstrate how serious the consequences of
fraud can be.
•
In March, 2010, a Detroit-area physical therapist was
sentenced to 62 months in prison for submitting claims to
Medicare and falsifying medical records for services that
were not actually provided to Medicare beneficiaries. The
therapist will also need to repay $2.9 million in restitution.
•
In January, 2009, nine podiatrists in Manhattan were
sentenced to prison terms ranging from 6 months to 63
months for committing Medicare fraud. Four of their billing
and administrative staff were previously convicted of
charges. These podiatrists handed out flyers advertising
“free treatment,” and falsified their patients’ conditions in
their medical records in order to get claims paid for
services that otherwise would not have been covered by
Medicare.
How to Handle Billing Errors
Our Code of Ethical Conduct
describes how we handle our
billing errors:
•
•
First, we will correct any billing
errors and refund money
received in error in a timely
manner.
Second, we will refund overpayments in a timely manner.
Report Possible Issues
Paying back money to our
patients, Medicare and other
payers that we should not
have received is the right
thing to do, and our patients
would expect us to do so.
Failure to repay in a timely
manner can also mean
significant financial penalties
under the False Claims Act.
One of the ways we detect
billing errors is by
performing audits. We also
find billing errors because
caregivers report possible
issues to our compliance
officers.
Take Action!
ACTION!
Our Detecting, Preventing and Responding to Fraud,
Waste, and Abuse Policy (AHC System Policy #174)
provides more details.
Add Aurora Administrative Manuals to your quick links
in iConnect. Click on Aurora System Manual, click on
Table of Contents on the right hand side and scroll to
down to the policy.
If you believe you might know of a possible billing error
or a practice that might create billing errors, or if you
suspect someone in your area is committing fraud,
report your concern to a compliance officer or to the
anonymous Compliance Hotline at 888-847-6331.
Hotline. The phone numbers of compliance officers
and the Hotline are listed on the Compliance & Ethics
website.
A Word From Our Sponsor –
Accidental Billing
QUIZ QUESTION:
If Aurora Health Care learned we accidentally billed Medicare for a service that
was not provided, which of the following is true?
a. We must pay the money back to Medicare.
b. We can keep the money because it was an accidental mistake.
c. It is up to us to determine whether or not we pay the money back to Medicare.
A Word From Our Sponsor –
Accidental Billing
QUIZ ANSWER:
a. We must pay the money back to Medicare!
Paying back money to our patients, Medicare and other payers that we should not
have received is the right thing to do, and our patients would expect us to do so.
Physician Financial
Relationships
Stay tuned…
Code of Ethical Conduct with Physicians
•
•
Our Code of Ethical Conduct
requires ethical relationships with
our physicians. It is important to
our patients that physicians
choose to practice at Aurora
facilities because we offer the
best patient experience available
anywhere, not because we create
inappropriate financial
relationships with our physicians.
Physician Compensation and Services
Federal law, including “Stark” and the Anti-Kickback Statute, must
also be considered whenever money exchanges hands between
Aurora and a physician. These laws are complex, and you should
contact a compliance officer for assistance. Two important guiding
principles in these laws are:
1. Physician compensation arrangements require a written
agreement to be signed by both parties, in advance of any
services being provided. There are specific requirements for
these agreements.
2. Compensation must be set at Fair Market Value (“FMV”). In
addition, any items or services provided to physicians (like office
space leases, advertising services, etc.) must be charged at FMV.
Finally, FMV may not necessarily be Aurora’s costs for those
services, but rather must reflect what those services would cost
the physician if he purchased them in the local market.
Due to the complexity, do not attempt to create your own agreements.
When you need an agreement to be drafted, contact the Contract
Coordinator in the Legal Services Department.
Physician Gifts and Courtesies
All gifts, entertainment, and
business courtesies (with limited
exceptions) offered to physicians
must be entered into the Physician
Gifts and Courtesy tracking
system on iConnect. It is important
to enter the benefit before offering
it, to ensure the maximum annual
limit is not exceeded.
Physician Gifts and Courtesies
These same laws limit non-monetary gifts, entertainment,
and business courtesies that we can offer to physicians
who refer or may refer patients to Aurora entities. This also
applies to our own employed physicians in some
situations. No gift, regardless of the value, can be given if
the intent is to solicit referrals from the physician. Gifts for
appropriate purposes are limited to a maximum of $355 per
physician per year, and can never be cash or a cash
equivalent.
Gifts and Courtesies Website
All gifts, entertainment, and business courtesies (with limited
exceptions) offered to physicians must be entered into the Physician
Gifts and Courtesy tracking system on iConnect. It is important to enter
the benefit before offering it, to ensure the maximum annual limit is not
exceeded. Managers and above automatically have access to this
tracking system, and can delegate access to others when appropriate.
The rules regarding physician gifts and courtesies are detailed and can
be confusing.
There is helpful
information on
the tracking
system website.
If you have any
questions,
contact a
compliance
officer.
Take Action!
ACTION!
•
Review the Physician Services Agreements
Policy (AHC System Policy #180) to learn
more about the requirements for agreements.
•
Add Aurora Administrative Manuals to your
quick links in iConnect. Click on Aurora
System Manual, click on Table of Contents
and scroll down to the policy.
•
Direct any questions, including how to
determine Fair Market Value, to the Chief
Compliance & Integrity Officer (Carrie
Killoran) or to the Deputy Chief Compliance
Officer (Nancy Vogt.)
Privacy and Security
of Health Information
Next in today’s line up…
Preserve Confidentiality of Patient
Information
Patients First,
Always
One of the most difficult aspects of protecting the privacy of our
patient’s information is that we personally know some of our
patients, and we want to read their health information because we
care (or maybe just because we’re nosy). Sometimes we do not
know our patients personally, but we want to know something out of
curiosity.
Our Code of Ethical Conduct, however, requires us to preserve the
confidentiality of patient information. It is what our patients expect
of us.
Privacy Information for Your Job
New caregivers must complete privacy training specific to their job duties.
Select the appropriate option below.
•
First time you are taking this annual course.
Proceed to the appropriate job duty/description listed on the following
pages. See the additional handout provided to you pertaining to your
job description. Then return to this handout for completion.
•
Hired prior to 2011 and have taken this course before.
You are not required to repeat the job-specific privacy module.
Continue with this current handout.
Privacy Information for Your Job
Read each of the seven descriptions below. Proceed to the section that
most closely describes your job. Talk to your supervisor if you have
questions about which to use.
•
1. Patient Care – If you are involved in patient care on a regular basis and
are not a physician or other mid-level provider.
•
2. Physicians/Providers – If you are a physician, nurse practitioner, physician
assistant or other mid level provider.
•
3. HIM – If you work in a health information/medical record department or
otherwise deal with medical records on a regular basis.
•
4. Business Office – If you work in the Central Business Office (CBO) or are
involved with billing/payment services.
Privacy Information for Your Job- cont’d
•
5. Patient Access – if you work in Patient Access, are a Customer Service
Representative or otherwise work with scheduling, admitting, and registering
patients or if you provide switchboard, greeting, concierge, or general
information services.
•
6. Human Resources – If you work in Human Resources (including
Compensation & Benefits, Employee Health, Employment, Human Resource
Services, Loss prevention, or Physician Recruitment) or otherwise work with
the health information of employees.
•
7. Other Staff Who Use Patient Information – If you use patient
information for marketing, research, fundraising, decision support, other
report-writing, computer hardware and software deployment/maintenance, or
quality improvement.
•
All other staff who do not use patient information. – Continue to the
next page.
Protect Patient Health Information
•
•
Federal law (The HIPAA
Privacy Rule) and Wisconsin
state laws require us to
protect patient health
information in many different
ways, and to allow patients
certain rights in regards to
their health information.
Protect Patient Health Information
Three General Principles
General Rules – There are three general principles that will help you protect
patient health information and obey these laws.
1. To Do Your Job – You may only access patient information to do your job.
2. Use What You Need – You may only use as much information as you need to
do your job.
3. Limit What You Share – You must limit the amount of information you share to
that which is needed for others to do their jobs.
How to Access Your Own Information
•
•
This also means that you may
not access your own
information if you do not need
to do so to perform your job
duties (and this should be
avoided whenever possible
even if job-related.) To access
your information for personal
reasons, contact the facility’s
medical record department. In
other words, follow the same
process as our other patients.
Information Belongs to the Patient
Remember!
The information belongs to
the patient.
•
•
If you use it without a jobrelated need to do so, it is no
different than stealing the
information from the patient.
Take Care Faxing Information
Something as seemingly simple as
faxing patient information to the
wrong fax number can become a
real problem for our patients,
depending upon who is on the
receiving end of the fax.
Keep
your
voice
low
Do
not
leave
confidential
Don’t
use
Aurora’s
When
you
recognize
When
you
are
not
sure
Take
Verify
paperwork
extra
seconds
that
Incoming
Fax…
Find
athe
private
place
toa if
when
discussing
patient
documents
unattended,
electronic
health
record
patient
isthe
ato
friend,
you
can
disclose
acoto
you
verify
fax
a patient,
number
hold
ahand
discussion
with
information
in
a fax
public
and
do
not
leave
patient
for
personal
use,
like–
worker,
oror
another
patient’s
information
is
you
correct
mail
before
you
hitting
your
patient.
Please
Wait
area.
information
on
computer
for
looking
the
room
person
you
respect
Patients
First,
without
theup
patient’s
“send.”
make
sure
itknow,
doesn’t
screens
that
might
be
number
of
a and
patient
you
their
privacy
consent,
take
thekeep
time
have
another
patient’s
Always
viewed
by
others.
wish
toinformation
visit.
their
presence
to find
out
if You
you may do
health
see
than
you
confidential.
so. more
It isin.not
in the
mixed
should.
patient’s best interests
to simply decide not to
Page
Page
of9999
Page
6
Page
21845of
3of
Page
ofof
Page
7
of999
disclose.
Page
of
Keep Information Safe
•
•
•
•
•
•
•
•
•
Don’t use Aurora’s electronic health record for personal use, like looking up the
room number of a patient you wish to visit. You may see more than you should.
Verify paperwork that you hand to a patient, you mail or you fax – make sure it
doesn’t have another patient’s health information mixed in.
Take the extra seconds to verify the fax number is correct before hitting “send.”
Find a private place to hold a discussion with your patient.
Do not leave confidential documents unattended, and do not leave patient
information on computer screens that might be viewed by others.
Keep your voice low when discussing patient information in a public area.
When you recognize a patient is a friend, co-worker, or another person you know,
respect their privacy and keep their presence confidential.
When you are not sure if you can disclose a patient’s information without the
patient's consent, take the time to find out if you may do so. It is not in the
patient’s best interest to simply decide not to disclose.
Patients First, Always
Sharing Patient Information
General Rules – Some caregivers experience confusion regarding sharing patient information
with the patient's family and/or friends. There are three principles to remember.
1. In the Patient’s Best Interests – If the patient is not present or is incapacitated, information
may be shared if the Aurora caregiver determines that sharing the information is in the best
interests of the patient. In other words, use your professional judgment when you cannot ask
the patient for permission.
2. Relevant Information Only – When you do share information with family or friends, limit the
information discussed to that which is relevant to their involvement with the patient.
Remember – your patient may have agreed to the discussion, but they cannot always
anticipate what you plan to reveal.
3. Patient Verbally Agrees – If the patient is present, information may be shared with a family
member or friend if the patient verbally agrees. Document the verbal agreement in the
patient’s medical record.
Rules for Disclosing to Others
The rules for disclosing information to others (like life insurance
companies, attorneys, law enforcement, etc.) are more complex:
1. In many cases, the patient’s written authorization is required.
2. Use the Disclosure Manual on the Privacy website on iConnect to
determine if a written authorization is required. If you cannot find the
answer, contact your local privacy officer. When in doubt, check it
out.
3. While we are committed to cooperating with law enforcement, not all
officers understand the privacy laws. There are very limited
circumstances in which we can report or disclose information to law
enforcement. Take the time to verify that a disclosure is permissible.
Privacy laws do not require immediate disclosure, unless there is a
situation where someone may be imminently harmed. Contact a
privacy officer for assistance when you are not sure what to do. In an
emergency, do what you believe is in the best interest of the patient
(or others if the patient is threatening harm.)
Medical Identity Theft
One concern that we hear often from our patients is they are
concerned that they may become a victim of identity theft. Each of us
understands how frightening and expensive it can be if someone
steals our identity.
In addition to protecting the identity of our patients,
it is important for us to “raise a red flag” if we notice
something about a patient’s information is not as
it should be. Departments that manage billing,
patient access and registration have procedures
in place for raising these red flags. Anyone, however,
can do so by contacting your local privacy officer.
Privacy Scenarios
OUR PRIVACY OFFICERS HAVE REAL-LIFE SCENARIOS TO SHARE
SCENARIO 1
Our privacy officers
want to know if you’re
ready for the….
Privacy Scenario
Challenge?
Can this information be disclosed?
A law enforcement officer states he
is conducting an investigation related
to drug-seeking behavior and asks
for a patient’s visit history and
prescription information.
Privacy Scenario
Challenge
Can this information be disclosed?
There are times when we can report limited patient
identifiable information to law enforcement, such as to
report certain wounds and burns, a crime committed on
our premises, or an imminent threat of harm to the patient
or others. Reporting these are either required or permitted
by law, but disclosure of PHI for an investigation has very
few allowable exceptions. “Reporting” is different in this
case than “disclosure.”
Great job!
Are staff allowed to review the patient’s
record?
A patient is transferred from the Emergency
Department to the Cardiac Cath Lab for emergency
treatment. Staff from the Emergency Department that
provided the initial care want to check the patient’s
electronic health record to see how the patient is doing
after the cardiac treatment.
Privacy Scenario
Challenge
Are staff allowed to review the patient’s
record?
The answer depends upon the purpose for reviewing the
patient’s record. If the review is for educational or quality
improvement purposes, it is allowed. If this is merely
curiosity, it is not allowed.
We can use PHI for legitimate training and quality
improvement activities, but not to appease our curiosity.
Exactly!
Is this disclosure allowed?
Privacy Scenario
Challenge
A law enforcement officer
identifies a minor patient by
name and states she is
investigating a case of
suspected child abuse.
Is this disclosure allowed?
Disclosure to law enforcement for the purpose of investigating
suspected child abuse is allowed if the child is identified by name.
In this scenario, disclosure to an agency such as Child Protective
Services, could also be made. Behavioral health privacy laws also
allow disclosure for this purpose.
Disclosure is not limited to the minor child’s record. The suspected
perpetrator’s record could be disclosed upon request.
Awesome
answer!
Can this be confirmed?
Privacy Scenario
Challenge
A patient’s employer contacts
our clinic to confirm that their
employee has an appointment.
Can this be confirmed?
No, unless this inquiry related to a Worker’s
Compensation claim and the appointment is
reasonably related to the claim. For nonWorker’s Compensation situations, we cannot
disclose a patient’s information to their employer
without their signed authorization.
When employment-related requests are
received such as Return-to-Work forms, it is
best to provide the form directly to the patient
and let the patient choose to disclose it to their
employer.
Another option is to obtain a signed
authorization from the patient for the disclosure.
Right
again!
Is it permissible to respond?
Privacy Scenario
Challenge
The Emergency Department
receives a call asking about a
family member.
Is it permissible to respond?
If the patient is present and able to respond, first obtain
the patient’s verbal permission to speak with the
family member. If the patient is incapacitated or
otherwise unable to give permission, the
Emergency Department staff may use their
professional judgment, in the best interests of the
patient.
In cases where a caller is attempting to locate their
family member and their family member is not
present in our facility, we may confirm that the
family member is not present in our facility.
Inpatient units should follow the Facility Directory
procedures when deciding whether or not to
confirm a patient’s presence in their facility.
Good
job!
Did the caregiver do the right thing?
Privacy Scenario
Challenge
A patient’s son asks to see his
mother’s medical record in order
to read the physician’s last note.
The patient is elderly and the son
is very involved in her care. The
caregiver refused to allow this for
HIPAA reasons.
Did the caregiver do the right thing?
Access to the full medical record for review would require the
patient’s signed authorization unless the son is her legal
personal representative. Since the son is asking for limited
information, we should first ask the son what questions he
may have that he feels might be clarified by the note. If the
patient is present and verbally agrees, it would be permissible
to show the son the last note. If the patient is not present or is
unable to provide permission, you are allowed to use
professional judgment in the best interests of the patient.
As long as the entire medical record will not be disclosed and
discussing the limited content of the record is in the best
interests of the patient, the son is allowed to review the note.
You’ve
got it!
Can her friend look up her record?
Privacy Scenario
Challenge
An Aurora caregiver is worried
about her test results. She has not
heard back from her doctor. She
has a friend in another department
that has access to Aurora’s
electronic health record.
Can her friend look up her record?
This is not permitted. The caregiver needs to call
her doctor for the results, or can visit the medical
record department and request her records using
the established policy and procedure.
It is important to note that the access to the
coworker’s record will be tracked in the electronic
record system. Accesses such as this are routinely
audited.
Aurora caregivers who have accessed a coworker’s
record have had disciplinary action taken against
them. To prevent this, just remind the coworker that
the appropriate procedure is to call her doctor or
stop by or call the medical record department.
Exactamundo!
Join us again next week
for another episode of Privacy
Scenario Challenge.
HIPAA Security Rules
HIPAA Security Rule
•
•
•
•
•
Thanks for watching another
Protect
electronic
patient
informative
episode
of Privacy
health
information
from
Scenario Challenge.
unintentional disclosure
It’s also important to know that
Guard
thelaw
integrity
data to
Federal
(The of
HIPAA
make
sureRule)
it is not
alteredus
in to…
Security
requires
a way that might harm
patients
Make sure data is available
to us as we take care of our
patients
HIPAA Security Rules - continued
•
•
It is also important to note that
other confidential information
related to our organization
needs to be kept private and
secure as well.
When It Comes to Security,
The Best Offense is Our Defense
There are ways to manage risks to the security of electronic information:
• Do not share your login ID and password. If you think someone else
knows your password, change it immediately. Remember – you are
responsible for any actions taken using your system account login ID
and password.
• Use a strong account password – one that cannot be easily guessed and
has at least 8 characters, with one or two numbers in the middle
(example: grt2s8fa)
• Log out or suspend applications whenever you leave the computer or
mobile device unattended and at the end of your work day.
• Be careful when opening e-mail attachments unless you know the sender
can be trusted (to prevent computer viruses from finding their way into
our systems)
Manage Mobile Devices
One of the biggest risk areas for patient information
is information on our mobile devices including:
• Laptops
• BlackBerries
• Smartphones
• iPhones
• iPads
• USB drives
If you know of a security risk that is not being properly managed, report it to the
Service Desk or to our Information Security Officer.
Protect Our Patients – Mobile Device Tips
•
•
•
•
•
Use password protection on your mobile device
Refrain from storing confidential information on any mobile device
Use encryption if you store confidential information on any mobile device
Keep your device out-of-sight when unattended - especially when traveling
Remove your device from cars or other vehicles – especially overnight
Special Patient Information Databases
•
•
Some Aurora caregivers have a
need to create a special
database with patient
information. This might be a
simple Excel spreadsheet, a
more complex Access
database, or any other way of
storing patient information
outside of Aurora’s electronic
health record systems or other
major computer systems.
Bring Databases Into Compliance
•
•
It is important to understand that
our major computer systems that
store patient information have
been evaluated to make sure they
meet HIPAA Security Rule
requirements and that they
adequately protect the privacy of
our patients. “Home-grown”
databases created by Aurora
caregivers may not meet these
requirements, although there are
things that can be done to bring
them into compliance. For
example, encryption and password
protection might be added.
Implications for Legal Medical Records
In addition to privacy and security issues, some databases create
issues related to the legal medical record. It must be determined if the
information being stored meets the definition of what is included in the
legal medical record. If yes, the medical record department needs to
know about the database in order to fully respond to mandates to
produce the entire medical record. We also need to determine and
document the legal retention requirements for the database.
Issues related to databases can be complex. Contact the Aurora
Service Desk before creating a new patient information database, so
that the appropriate experts can be brought in to assist.
Patient Name
Last Cholesterol
Last F/U Contact
Jane Doe
240
9/10/2010
John Smith
259
7/14/2010
Breach Notifications
to Patients and the Government
Federal law requires that, in certain instances:
•
We notify the patient of a privacy breach within 60 days of
identifying it. (For example, we may need to notify a patient when a
caregiver has “snooped” in a friend or neighbor’s record.)
•
We provide a list of privacy breaches to the government on an
annual basis.
Notify Aurora’s Chief Privacy Officer (Peg Schmidt) or your local privacy
officer of any suspected privacy breach, as soon as you identify the
issue. In many cases, we can take action to prevent harm to the patient
resulting from the breach. Preventing harm in some cases may also
mean we are not required to notify the patient and the government.
Preventing harm is doing what is best for our patients.
Patients First, Always
Breach Notification to the Media
Federal law also requires us to notify the local media in
some cases when a privacy or security breach involves
more than 500 patients. Imagine how this might affect
patient loyalty!
•
A psychiatric hospital in Louisville, Kentucky
disclosed that a flash drive with unencrypted data on
24,600 patients was missing and attempts to recover
it were unsuccessful. In addition to sending letters to
the patients, the hospital ran a legal advertisement in
the Louisville daily newspaper.
•
A hospital in Bowling Green, Kentucky disclosed that
a hard drive from the hospital’s mammography unit
with unencrypted health information on 5,418 patients
was reported stolen has not been recovered. The
hospital is working to change their processes so that
information is stored on a secure network and not on
hard drives that can be stolen.
Fines and Prison Sentences
A prison sentence
for peeking at
patient records!!!
Penalties for violating HIPAA Privacy and Security Rules include
fines up to $1 million and prison terms up to 10 years. The
government takes HIPAA violations seriously.
For example, an ex-UCLA employee (a physician) was sentenced
to four months in prison for accessing the health records of
patients in the health system’s electronic health record without a
job-related need to do so. Most of the accesses involved well
recognized celebrities.
Take Action!
ACTION!
Use the Privacy Website on iConnect to
access guidelines, the Disclosure
Manual, and other helpful information.
Contact information for all privacy
officers and our Information Security
Officer is also available on the website.
A Word From Our Sponsor – Patient
Information Displayed
QUIZ QUESTION:
If you saw a computer in an Aurora facility that was displaying patient Information
where people walking by could easily see it, what are you expected to do?
a. Nothing – it is not your responsibility to worry about how another department
treats patient information.
b. Read the information on the computer to see if there is anything that might be
harmful to the patient if it were seen by others. If you don’t think there will be
harm, you can do nothing.
c. Find someone in the department and tell them about the computer.
A Word From Our Sponsor – Patient
Information Displayed
QUIZ ANSWER:
c. Find someone in the department and tell them about the computer.
Other Compliance and
Legal Requirements
Coming up next…
Other Compliance and Legal Requirements
•
•
Other important compliance and
legal requirements you should be
aware of include:
• EMTALA or Emergency
Medical Treatment and Active
Labor Act
• Criminal background checks
or reporting
• Verification of Licensure,
Registration and Certification
• Civil Rights
EMTALA (Emergency Medical Treatment
and Active Labor Act)
• EMTALA requires hospitals with emergency departments to screen
and treat the emergency medical conditions of patients in a nondiscriminatory manner to anyone, regardless of their ability to pay,
insurance status, national origin, race, creed or color
• EMTALA applies to any patient presenting on the hospital
“campus”, which means the physical area immediately adjacent to
the provider’s main buildings, other areas and structures that may
not adjoin the main buildings but are located within 250 yards of
the main buildings
• If an emergency medical condition exists, treatment must be
provided until the emergency medical condition is resolved or
stabilized. If the hospital does not have the capability to treat the
emergency medical condition, the patient must be “appropriately”
transferred to another hospital
• Hospitals with specialized capabilities are obligated to accept
transfers from hospitals who lack the capability to treat unstable
emergency medical conditions
Criminal Conduct: Checks and Reporting
Aurora performs criminal background checks on all caregivers, and in
doing so, complies with Wisconsin law.
As an Aurora caregiver, you are required to report:
• Convictions of any crime
• Substantiated findings of or current investigations related to
abuse, neglect, or misappropriation
• Professional credential restrictions, limitations, or revocations
• Program licensure limitations, revocations or denials
• Discharge from any branch of the U.S. Armed Forces, including
any reserve component
• Residency outside the state of Wisconsin
• Rehabilitation review requests
If you have something to report, you must make your report:
• To the Human Resources Department
• In writing
• As soon as possible, and within 3 days of the occurrence of the
event
Proof of Rehabilitation
There are a number of crimes that require proof of rehabilitation in
order to be eligible to work in health care in Wisconsin. If you have
committed any of the following crimes, you need to show proof of
rehabilitation:
•Regulatory approval, employment as a caregiver, and nonclient
residency at and contracting with an entity are prohibited until
rehabilitation approval is received, for all entities and programs that
serve any clients who are under the age of 18. (For additional
federal foster care bars, see part III. below.)
•Wis. Stats. Crime
940.01 1st degree intentional homicide
940.02 1st degree reckless homicide
940.03 Felony murder
940.05 2nd degree intentional homicide
940.12 Assisting suicide
940.19 (2) through (6) Battery (felony)
940.22 (2) or (3) Sexual exploitation by therapist; duty to report
Proof of Rehabilitation – Cont’d
940.225 (1), (2), or (3) 1st, 2nd, or 3rd degree sexual assault
940.285 Abuse of vulnerable adults (misdemeanor or felony)
940.29 Abuse of residents of a penal facility
940.295 Abuse or neglect of patients & residents (misdemeanor or
felony)
948.02 (1) or (2) 1st or 2nd degree sexual assault of a child
948.025 Repeated acts of sexual assault of same child
948.03 (2) (a), (b), or (c) Physical abuse of a child - intentional
causation of bodily harm
948.05 Sexual exploitation of a child
948.055 Causing a child to view or listen to sexual activity
948.06 Incest with a child
948.07 Child enticement
948.08 Soliciting a child for prostitution
948.11 (2) (a) or (am) Exposing child to harmful materials or harmful
descriptions or narrations (felony)
Proof of Rehabilitation – Cont’d
948.12 Possession of child pornography
948.13 Child sex offender working with children
948.21 (1) Neglect of a child - resulting in death (felony)
948.30 Abduction of another's child; constructive custody
OTHER OFFENSES
Finding by a governmental agency of neglect or abuse of a client, or
of misappropriation of a client's property
Finding by a governmental agency of child abuse or neglect
Licensure, Registration and Certification
There are three important requirements if your job requires you to
be licensed, registered, or certified:
1. You must renew your license, registration, and/or certification
before it expires.
2. If your license, registration or certification lapses or if limits
are imposed, notify your supervisor immediately. Your
supervisor will assist you in determining what to do.
3. If state law sets limits for your scope of practice, you must
stay within those limits. If someone asks you to perform
duties that are not within your scope of practice, contact your
supervisor or a compliance officer for assistance.
Introducing Civil Rights
•
•
Individuals who participate in state and
federally funded health and social
service programs have special
protections against discrimination.
Because Aurora Health Care receives
funds such as these, for example,
Medicare and Medicaid payments for
services, this applies to both our
patients and our caregivers.
Before explaining these protections, or
“civil rights,” it will be helpful to know a
few definitions…
Civil Rights-Definitions
“Discrimination” is a direct action, whether intentional or not, that results in the
unequal treatment or causes an adverse impact on categories of people protected
by law.
“Person with a disability” is one who:
• Has a physical or mental condition that substantially limits a major life activity;
• Has a record of such a condition; or
• Is regarded as a person with a disability.
Reasonable Accommodation: A person with a disability may make a request for a
reasonable accommodation, and this must be given by the service provider free of
charge. If the person is deaf or hard of hearing and requires a language sign
interpreter, the service provider must offer, at the very least, an interpreter with
minimum national certification requirements (RAD or NAD.)
Civil Rights-Definitions
Limited English Proficient (“LEP”) Speaker: A person who cannot speak English
well enough to be able to fully in a program or service must be provided an oral
interpreter who is competent in the LEP speaker’s primary language (both
linguistically and culturally) and in English.
CIVIL RIGHTS
Individuals may not, because of their race, color, national origin, gender, age or
disability:
• Be denied any service, financial aid or benefit provided under a federally funded
program;
• Be subjected to segregation or separate treatment in a federally funded program;
• Be provided any service, financial aid or benefit that is different or is provided in a
different manner from the way that service is provided to others;
• Be denied access to a service because buildings or facilities are not physically
accessible to persons with disabilities or because no accommodation was provided
to enable effective communication with the service provider; or
•Be provided services without a competent interpreter in the primary language of a
person who has limited English proficiency;
Civil Rights Complaints
If you believe you have been discriminated against as an employee of Aurora
Health Care, contact your local Human Resources Department.
If a patient informs you that he or she has been discriminated against by an
Aurora caregiver or physician, contact the Compliance Department for
assistance.
Individuals who believe they have been discriminated against have the right
to file a complaint with their County Department of Human Services. If not
satisfied with the County’s response, they can file a complaint with the
Wisconsin Department of Health Services, Affirmative Action and Civil Rights
Office. Complaints can also be filed directly at the federal level with the U.S.
Department of Health and Human Services, Office for Civil Rights – Region V.
Take Action!
ACTION!
If you have any questions regarding:
• EMTALA, review the EMTALA: Screening, Stabilization and
Transfer Policy (AHC System Policy #179).
• Criminal background checks or reporting, review the
Criminal Background Checks Policy (AHC System Policy
#127).
• Licensure, registration or certification, review the
Verification of Licensure, Registration and Certification
Policy (AHC System Policy #33).
• Accessing sign and other language interpreters, review the
Interpreter Services Policy (AHC System Policy #101).
If the policies do not provide answers to your question, see
your supervisor, contact a compliance officer or your Human
Resources Representative.
Add Aurora Administrative Manuals to your quick links in
iConnect. Click on Aurora System Manual, click on Table of
Contents on the right hand side and scroll to down to the
policy.
Reporting Compliance
and Ethical Concerns
Stayed tuned …
Report Concerns
•
•
Our Code of Ethical Conduct
requires you to report any
concerns you might have
regarding possible unethical
and/or illegal conduct at
Aurora.
Report your concern in any of
the following ways…
General Compliance Concerns
1. Discuss your concern with your supervisor or a higher level leader;
or
2. Contact a compliance officer or the Chief Compliance & Integrity
Officer (names and contact information are listed on the
Compliance & Ethics website); or
3. Call the Compliance Hotline at 888-847-6331. You may choose
not to leave your name or other contact information if you wish to
remain anonymous.
Record this number now and keep it in a handy place.
Privacy and Security Concerns
1. Call the Privacy Hotline at 877-592-7996; or
2. Use one of the options listed for general compliance concerns.
It is important to know that Aurora’s policy and the law prohibit taking
any action against you (“retaliation”) just because you reported a
compliance concern.
Take Action!
ACTION!
Record the Compliance Hotline
number: 888-847-6331
HINT: You will need to know this
number in order to pass the test
at the end of this course.
Government
Investigations
Latest updates…
Compliance Department Assistance
•
•
Our Code of Ethical Conduct
requires that we cooperate with
government investigations. Your
Compliance Department will
assist in all investigations to
make sure your legal rights are
protected as well as Aurora’s
legal rights as an organization.
There are several important
things to know...
Important Facts
1. Searches by law enforcement or government agents are not allowed
unless a search warrant is presented. Do not verbally agree to a search in
the absence of a valid search warrant.
2. The first thing to do is to politely escort the officer or agent to a private
area. Ask to see his or her official identification (a badge or business
card.)
3. Immediately contact the Chief Compliance & Integrity Officer, Carrie
Killoran. If you cannot locate Carrie, check the Compliance website for
compliance officers to contact. If you cannot reach a compliance officer,
contact Mike Lappin, General Counsel. Do not just leave voice mails or
messages, but rather make sure you make direct contact with a
compliance officer.
4. Inform the officer or agent that a representative from Compliance is on
their way.
Your Rights if Contacted by a
Government Investigator
1. A government investigator has the right to contact any caregiver to
request an interview. The investigator may contact you at home or at
work.
2. You may choose to speak to the investigator, or you may refuse. He or
she does not have the right to insist upon an interview.
3. If you speak to the investigator, you have the right to end the interview at
any time.
4. If you are subpoenaed to speak with a government investigator, you may
request an appointment for a different date.
5. If you agree to speak to the investigator, no matter who else is present,
you must tell the truth. State only facts that you know, not guesses and
not rumors.
Your Rights if Contacted by a
Government Investigator - continued
6. It is extremely helpful if you immediately contact your supervisor and/or
Aurora’s legal counsel. The investigator may ask you to keep the
contact confidential, but there is no law that would prevent you from
disclosing any detail of your discussion with your employer.
7. Any statements you make may be considered legal admissions, which
can be used against you and/or against Aurora in a legal proceeding.
8. If you agree to speak to the investigator, you have the right to confer
with an attorney first, and to have an attorney present during the
interview. Depending upon the circumstances, you may choose to use
your own attorney or the matter may be handled by Aurora’s attorneys.
9. Do not destroy any documents or attempt to hide evidence.
Take Action!
ACTION!
Review the Government Requests,
Investigations, Search Warrants and
Subpoenas Policy
on iConnect (AHC System Policy
#195.)
Add Aurora Administrative Manuals
to your quick links in iConnect.
Click on Aurora System Manual,
click on Table of Contents on the
right hand side and scroll to down to
the policy.
How Compliance
Fits In
Before we sign off…
Compliance and Ethics Part of Everything
We Do
•
•
Compliance and ethics are
a part of everything we do
at Aurora. Take with you Dr.
Nick Turkal’s words about
the things that are most
important to us.
Compliance and Ethics
Part of Everything We Do
•
Who We Are – Aurora Health Care is a not-for profit health care provider and a national
leader in efforts to improve the quality of health care.
•
Patient Experience – Our patients expect us to act in an ethical and legal manner. Ethical
scandals and enforcement actions can hurt the reputation of even the best health care
providers. A great reputation helps us to achieve our patient experience goals.
•
Financial Performance – We have a responsibility to be good stewards of the money we
receive to take care of our patients and the health of our communities. We also need to and
have the right to receive appropriate payment for those services we provide. Avoiding fines
and penalties, and paying attention to coding, documentation, and billing practices helps us to
meet our financial goals.
•
Caregiver Engagement – The world has heard from employees at WorldCom, Enron,
Columbia HCA and other companies about how stressful and unrewarding it was to work for
an organization that did not value ethics and complying with the law. Ethical and legal
conduct helps make Aurora an organization that we can all be proud to work for. An ethical
work environment helps ensure that we can deliver an excellent patient experience.
Compliance Resources to Remember
•
The Compliance & Ethics website on iConnect:
 Compliance Officer contact information
 Code of Ethical Conduct
 Guidelines and links
•
The Privacy website on iConnect:
 Privacy Officer contact information
 Disclosure Manual
 Guidelines, and links
•
The Compliance Hotline: 1-888-847-6331
 Report compliance concerns
 You may remain anonymous if you choose
 No one will retaliate against you for reporting
Complete Test
You are required to complete a separate test after completing this course.
This test should be included with your handouts.