Corporate Compliance
The laws and rules that apply to the delivery of healthcare can be complex
and confusing; therefore, we have established a compliance program to
assist with the understanding and implementation of those laws and rules.
Donna Jennings, MBA, CHC, CPHQ, CPHRM
Director, Compliance and Integrity
Phone: (325) 670-3028 | Fax: (325) 670-3578
djennings@hendrickhealth.org
Lori Sweet, CMOM, CMC, CMCA, CMCO
Compliance & Integrity Manager
Phone: (325) 670-7607 | Fax: (325) 670-3578
lsweet@hendrickhealth.org
To anonymously report an actual or potential compliance concern:
Medical Record Management
It is vital to patient care and compliance with Federal and State law that
medical records contain current and accurate documentation. If you knew
or should have known that the submitted claim was false, then the attempt
to collect unearned money constitutes a violation.
Examples:
- An endocrinologist billed routine blood draws as critical care blood draws.
He paid $447,000 to settle allegations of upcoding and other billing violations.
- A cardiologist paid $435,000 and entered into a 5-year Integrity Agreement
with OIG to settle allegations that he knowingly submitted claims for
consultation services that were not supported by patient medical records
and did not meet the criteria for a consultation.
Anti-kickback
The fraud and abuse laws prohibit knowingly and willfully offering, paying,
soliciting or receiving any money, gifts, kickbacks, bribes, rebates or
any other type of value or services in exchange for the referral of patients
for whom payment may be made by the federal or state government.
Examples:
- Free or significantly discounted billing, nursing care, rent or other staff services
- Payment for services in excess of Fair Market Value
- Payment or other type of incentive when a patient is referred to Hendrick
Physician Self-Referral Act (“Stark Law”)
The federal Stark Law prohibits a physician from referring a Medicare or
Medicaid eligible patient for the provision of Medicare or Medicaid payable
designated health services by an entity with which the referring physician
has a financial relationship, unless a permitted exception applies.
Examples:
- Leasing medical office space for less than Fair Market Value
- Hospital and physician operate without a current written Service Agreement
Fraud, waste and abuse
Violation of federal and state laws concerning fraud and abuse can result
in significant criminal and civil penalties, including imprisonment, fines,
and damages. You must be vigilant in avoiding any conduct that could violate
or even appear to violate these laws.
Examples:
- Claiming reimbursement for items or services that were not provided as claimed
- Failing to maintain sufficient documentation to establish that the services
were ordered and performed
HIPAA
HIPAA is the United States Health Insurance Portability and Accountability
Act of 1996. There are two sections to the Act. HIPAA Title I deals with
protecting health insurance coverage for people who lose or change jobs.
HIPAA Title II includes an administrative simplification section which
deals with the standardization of healthcare-related information systems.
In the information technology industries, this section is what most people
mean when they refer to HIPAA. HIPAA establishes mandatory regulations
that require extensive changes to the way that health providers conduct
business and focuses on protecting PHI (Protected Health Information)
such as patient names, diagnosis, addresses, birth dates or medical record numbers.
Examples:
- You have just left the office, and your nurse texts you that Mr. Smith
is having a reaction to the medication you’ve just prescribed. Texting PHI
without appropriate security is a significant risk. However, Hendrick offers
software that allows physicians to securely receive and send messages.
- Being overheard discussing PHI. Whether it’s leaving a detailed message on
a patient’s answering machine or discussing test results with a patient in
the waiting room, be aware of who else may be listening to your voice. Train
your staff not to leave PHI in phone messages and not to discuss it within
earshot of other patients or non-staff visitors. Encourage the use of private
rooms for health discussions with patients as well as phone conversations
that could involve PHI.
- Encryption. The best way to protect devices such as thumb drives, tablets,
and laptops from a breach is to have an IT professional encrypt the device.
If the device is lost or stolen, encryption makes it very difficult for an
unauthorized person to access the data. When encrypted, a lost or stolen
device does not have to be reported to the government as a breach of unsecured
equipment, because it was secured through encryption.
Social Media
When using social media consider the following guidelines to ensure you
do not violate HIPAA regulations.
- While you may be concerned about seeming unfriendly, limiting your social
media interactions to friends and family members is prudent. This will
protect you from having patients ask questions regarding their personal
health on a public forum and help you to avoid disclosing the names of
patients you treat.
- Avoid talking about patients, even in general terms. Even if disclosure
of PHI is unintentional it is still a violation of HIPAA.
- Avoid posting photos of patients or anything that could be used to identify
them (notes, lab results, etc.).
- Periodically check your privacy settings, as they can change.
- Never post anything that you would be uncomfortable reading re-printed
in the newspaper. This can be a helpful test to take before you hit the
‘send’ button.
Examples:
- An obstetrician vents her frustrations on her online blog, ridiculing the
patients giving birth. Although the physician did not use patient names or
any other identifying information in her post, two of the patients recognized
themselves in the blog due to the detailed nature of the post and filed HIPAA
complaints against the doctor and the practice.
- An ED physician in Rhode Island was fired, lost her hospital medical staff
privileges, and was reprimanded by the Rhode Island Board of Medical Licensure
and Discipline for posting information about a trauma patient on her personal
Facebook page. According to the Rhode Island Board of Medical Licensure and
Discipline, “[She] did not use patient names and had no intention to reveal
any confidential patient information. However, because of the nature of
one person’s injury … the patient was identified by unauthorized
third parties. As soon as it was brought to [her] attention that this
had occurred, [she] deleted her Facebook account.” Despite the physician
leaving out all information she thought might make the patient identifiable,
she apparently did not omit enough.