
General Compliance Training General Compliance TiiTraining · 2010. 9. 22. · 1 General Compliance Training General Compliance TiiTraining The University of Texas Medical Branch

Aug 29, 2020


dariahiddleston
Transcript

General Compliance Training


The University of Texas Medical Branch at Galveston

Course Overview

General Compliance
The intent of the Compliance Program is to:

Promote compliance with all applicable laws and regulations
Encourage and help ensure ethical conduct
Provide education and training
Prevent non-compliance with laws and regulations
Detect non-compliance if it occurs
Discipline those involved in non-compliant behavior
Prevent future non-compliance


General Compliance
What does it mean to be in Compliance?
To be in compliance means to adhere to all laws, rules and policies that apply to your job functions.

Although you are not required to know all the laws and policies for UTMB and the UT System, you are responsible for knowing and following all the laws and policies that apply to you and your job functions at UTMB.

The Standards of Conduct should be used as a guide to those policies and procedures and applied to how you operate on a day to day basis.

General Compliance
The Standards of Conduct Guide applies to:

UTMB Employees
Faculty
Sub-contractors
Independent Contractors
Fellows
Residents
Students
Consultants
Volunteers
Vendors

General Compliance
How can you avoid trouble?

Follow UTMB’s Guiding Principle – “Do what’s right”

When faced with a decision or situation that causes you to question your ethical judgment, ask yourself some of the following questions:

Does the action comply with UTMB policies and procedures?
Is the action legal?
How would it look to your family, friends, our patients, and the general public if it was published on the front page of the newspaper or showed up on the 6 o’clock news?

If you know it’s wrong and you have to ask yourself this list of questions, don’t do it!!


Progress: General Compliance; Fraud and Abuse; Confidentiality and Integrity; Business Information and Information Systems; Ethical Conduct in the Workplace and Employment Practices; Health and Safety

Fraud and Abuse
Fraud: What is it?
Fraud is defined as knowingly and willfully attempting to receive financial gain by making false statements or developing a scheme to receive anything of value.

A few examples of Fraud are:

Accepting free items in exchange for purchasing goods or services or patient referrals
Falsifying any type of record: medical, scientific research

Fraud and Abuse
Abuse: What is it?

Abuse is defined as activities that result in excessive or unreasonable cost to UTMB or other State or Federal agencies.

An example of Abuse is:

Taking products or supplies belonging to UTMB


Fraud and Abuse
Where do I go with Compliance Issues?

If you suspect any type of wrongdoing, including fraud, waste, abuse, or violation of federal and state laws, you can report it by contacting:

Your instructor/professor/program coordinator
UTMB Institutional Compliance Office: (409) 747-8700
UTMB Fraud, Abuse and Privacy Hotline: (800) 898-7679

Fraud and Abuse
What is the Fraud, Abuse and Privacy Hotline?
The hotline was created to allow anyone from any phone to report any suspected non-compliance issues that they are unable to discuss through regular administrative channels.

Fraud, Abuse and Privacy Hotline: (800) 898-7679

Some advantages of the Fraud, Abuse and Privacy Hotline are:

It's available 24/7, 365 days a year
You can remain completely anonymous
Calls are answered by an off-campus contracted company

Fraud and Abuse
What type of violations should be reported to the hotline?

The hotline should be used for violations in the following areas:

Substantial violations of laws, policies, regulations
Specific danger to health or safety
Conflicts of Interest
Abuse of authority
Theft or abuse of property
Gross waste of funds
Unethical conduct
Contract or procurement irregularities
Bribery and acceptance of gratuities


Fraud and Abuse
Accepting Gifts, Gratuities, and Kickbacks.

What you cannot accept:

Any amount of money
Cash – currency or coin in any amounts
Personal checks, cashier checks, money orders
Gift certificates or gift cards

Any gift, favor, service, or loan that might reasonably appear to influence the employee or student in the performance of duties.

Tickets to athletic or other special events are expressly prohibited by Texas law.


Confidentiality and Integrity
All information at UTMB is considered confidential. As employees, students, contractors, or volunteers you may have access to some confidential information and should ensure that it is handled with the appropriate discretion.

Some examples of confidential data are:

Personnel data (UTMB employee)
Student information
Patient information
Financial data
Supplier and subcontractor information
Employee lists and data
Proprietary computer software


Notification of Breach of Personal Information
New federal and state laws are aimed at protecting an individual’s personal information. This includes electronic, verbal and paper information.

Sensitive personal information includes, but is not limited to:

Social Security Number
Driver's License Number
Credit Card Number
Protected Health Information (PHI)

UTMB employees and students must notify the Office of Institutional Compliance or the Office of Information Security immediately if they suspect that there has been a breach of an individual's privacy.

Breach is an unauthorized acquisition, access, use or disclosure of data that compromises the security, privacy, or integrity of sensitive personal information.

Confidentiality and Integrity
What can you say and to whom?

Media Contact

If you are approached by a news reporter for information about UTMB you should contact the department of Public Affairs.

Public Affairs acts as the official spokesperson for UTMB and can be contacted 24 hours a day.

Public Affairs (409)772-2618

Confidentiality and Integrity
What can you say and to whom?

Government and Outside Investigators

If you receive a subpoena, inquiry, or other legal document from any government agency regarding UTMB business, immediately notify the UTMB Legal Affairs department.

Legal Affairs: (409)747-8738

Although you are not prohibited from speaking to a government agent or investigator, to protect yourself and UTMB, it is best to have them contact you at work if it is regarding any type of UTMB business.


Business Information and Information Systems

What are some examples of state owned property?

Some examples of state owned property are:

UTMB vehicles
Computers
Office supplies
Proprietary software
Furniture
Copiers

Business Information and Information Systems

Use of State Owned Property

UTMB Policy:
UTMB assets must be used for state purposes only. Personal use of UTMB resources and the use of UTMB resources for personal financial gain is prohibited.

Policy Exceptions:
The following items can be used on an occasional basis as long as there is no additional cost to UTMB.

Email
Internet
Telephones (local calls only)


Business Information and Information Systems

What are some examples of misusing state owned property?

Taking “extra” office supplies home for personal use

Taking unused or broken furniture home for personal use

Copying flyers advertising your catering business on a UTMB copier.


Health and Safety
Workplace Health and Safety

All UTMB employees should perform their duties in compliance with all applicable institutional policies; federal, state, and local laws; and standards relating to the environment and protection of worker health and safety.

It is each employee’s duty to report any workplace injury or situation that may present itself as a danger to their immediate supervisor or the UTMB Safety Officer so that corrective action may be taken.

Supervisors must report unsafe practices or conditions to the General Safety Committee or to UTMB Health and Safety Services at (409) 772-4191.

Health and Safety
Drug and Weapon Free Workplace

UTMB is committed to a drug-free and weapon-free environment. Employees reporting to work with a weapon, under the influence of an illegal drug or alcohol, or using, possessing, or selling alcohol or illegal drugs during work hours or on UTMB property may be terminated.

The use of alcoholic beverages is prohibited in and on UTMB facilities. However, the President may waive this prohibition with respect to any event sponsored by UTMB.

Health and Safety
Workplace Violence
UTMB strives to assure that employees are provided a safe working environment. Violence in the workplace is not tolerated at UTMB. Employees who observe or experience any form of harassment or violence should report the incident immediately.

Examples of behavior that may be considered workplace violence include but are not limited to:

Physical interference with or restriction of an individual's movement;
Physical fighting with anyone on UTMB property; and
Making verbal or written threats against another employee.


Questions and Answers

Let’s hear from you!

General HIPAA Awareness

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act of 1996, was passed to simplify claims processing and payment in the health care industry. Congress delegated to the Department of Health and Human Services (DHHS) the responsibility of establishing mandatory privacy and security standards to comply with the requirements of the federal law. In response, DHHS has issued federal regulations for:

1. simplifying of payment transactions, known as Electronic Data Interchange (EDI);

2. security; and

3. privacy.


HIPAA Background

The HIPAA Privacy Regulations were written in response to patient concerns that their medical information was not being protected. The following factors led to the creation of HIPAA Privacy Regulations:

The increased use of electronic information technology.

Increased efforts to market health care products to consumers.

Advances in genetic research and availability of individuals’ genetic information.

Understanding PHI

Regardless of where you work in healthcare, it's important to understand what privacy and confidentiality mean when protecting patient information.

Protected Health Information (PHI) is identifiable health information transmitted or maintained in any form or medium, including:

verbal discussions;
written communications; or
electronic communications with or about patients.

PHI is private and limited to those who need the information for treatment, payment, and healthcare operations (TPO). Only those people who are authorized to use and disclose PHI should have access to PHI.

What Objectives Do the Privacy Regulations Accomplish?

There are 5 basic objectives the Privacy Regulations try to accomplish.

1. They give patients more control over their health information.

2. They set boundaries on the use and disclosure of health records.

3. They establish appropriate safeguards that all people who participate in or are associated with the provision of healthcare must achieve to protect the privacy of health information.

4. They hold violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.

5. They strike a balance when public responsibility requires disclosure of some forms of data – for example, to protect public health.


How Does HIPAA Achieve These Objectives?

The HIPAA objectives are met through the new Privacy Regulations.

The Privacy Regulations prohibit UTMB and its employees from using or disclosing an individual’s PHI without an authorization from the individual, unless the use or disclosure of PHI is for Treatment, Payment, or Healthcare Operations (TPO), or in other specialized and limited situations.

Additionally, UTMB must investigate violations, sanction wrongful conduct, and make process changes when required.

Penalties for Failure to Comply

UTMB Penalties for Violations

In addition to HIPAA’s civil and criminal penalties, violations of HIPAA may lead to UTMB disciplinary action including:

verbal warnings
written warnings
suspension or termination

Federal Penalties for Violations

There are large civil and criminal penalties for failure to comply with HIPAA. These penalties apply to individual employees, as well as UTMB as an institution.

Patient Rights Granted Under HIPAA
HIPAA grants patients several unique and special rights regarding their medical records. Under HIPAA, patients have more control over their medical information. Below are seven basic rights entitled to patients under HIPAA.

1. Receive a Notice of Privacy Practices

2. Revoke an authorization for the use and disclosure of PHI

3. Restrict uses & disclosures of PHI

4. Access and receive a copy of their PHI

5. Request an amendment to their medical record

6. Receive an accounting of disclosures

7. File a Privacy Complaint


Storage of PHI
Would it surprise you to learn that an average of 150 people have access to your medical records during the course of a typical hospitalization? (Predictive Systems, 2002) When you add poor storage procedures and uncontrolled access to that number, the reality of potential misuse becomes even more vivid.

The buttons below give some examples of the kind of breaches that led to new Federal regulations governing the privacy of health information.

Patient Info on the Internet

A Michigan-based health system accidentally posted the medical records of thousands of patients on the internet.

Inappropriate PHI access

A Little Rock, Arkansas physician and two former employees accessed the medical records of a local television anchor just because they were curious about his medical history. Each employee was suspended and/or terminated. They were also criminally charged and each individual faces a maximum penalty of one year in prison and/or a fine of up to $50,000.

A banker who also sat on a county health board gained access to patients’ records and identified several people with cancer and called in their mortgages.

Inappropriate “dumping” of PHI

In 2006, CVS pharmacies were found to be dumping trash into open dumpsters that included pill bottles with patient names, addresses and personal physician names. As a result, CVS had to pay $2.25 million in penalties.

These examples of deliberate and accidental disclosures of information underscore the importance of establishing and maintaining effective processes for handling and storing patient information.

Source: Pew Internet & American Life Project 2002

Departmental Responsibilities for Storing PHI

PHI includes any paper or electronic file which contains personally identifiable patient contact information. One of the largest issues at UTMB is the amount of stored paper PHI we produce and maintain. The HIPAA team has initiated several security measures, working closely with department supervisors, to safeguard stored PHI in files, documents, letters, invoices, etc.

Some of these measures include:

Ensuring that the doors to medical record storage rooms are locked.

Ensuring patient charts are kept face down.

Adding physical security measures such as doors, locks, etc., to ensure PHI is safeguarded.

Assisting departments in establishing procedures to control access to rooms or file cabinets where PHI is stored.

Click on each icon below to view the ways you can ensure proper storage and the security of PHI in your possession.

Outside of regular working hours, keep your desk and work area clean and be sure to keep any PHI locked in a filing cabinet, unless the immediate area can be secured from any unauthorized access.

PHI stored on medical equipment (e.g., EKG, Ultrasound, etc.) must be kept secure and disposed of correctly.

If PHI is to be stored on a computer hard drive or PDA, it must be protected by either a password or encryption. If away from your computer, it must be password protected.

If PHI is stored on diskettes, CD-ROM or other removable data storage media, it cannot be combined with other electronic information. Stored PHI must be stored separately from non-PHI data.


Photos or Images of Patients or PHI

According to UTMB IHOP Policy 9.3.2, Consent to Photograph, Video/Audio Record and/or Televise Patients, the following guidelines must be followed:

No pictures or images of patients may be taken at UTMB unless they comply with the above IHOP Policy 9.3.2.

No uploading of patient images to the internet, social network sites, emails or for personal use is allowed, even if patient identifiers have been removed.

Images can only be taken for UTMB business operations that include treatment, payment, education, research or disclosures for media or advancement purposes. These require certain forms and permissions to be in place prior to taking the images.

Photos or Images of Patients or PHI

Examples of misuse that will lead to formal disciplinary action, which may include expulsion, are:

A UTMB employee or student taking a photo of a patient and posting it on their Facebook page

Using a cell phone to take a picture of a patient without the proper consent listed in IHOP Policy 9.3.2

Forwarding a picture of a patient or PHI for personal use via cell phone, email or internet

Requirements for Printing & Copying PHI

1. Printers and copiers used for printing of PHI should be in secure, non-public locations.

2. If the equipment is in a public location, the information being printed or copied is required to be strictly monitored.

3. Printed versions of PHI must be promptly removed.

4. PHI printed to a shared printer must be promptly removed.

Remember: PHI is very personal information and should be treated as such.


Disposal of Paper PHI

All personnel must strictly observe the following standards relating to disposal of PHI.

Paper or hardcopy PHI MUST NOT be discarded in the trash bins. Instead this information must be personally shredded or placed in a secured recycle bag.

Printed material containing PHI shall be disposed of in a manner that ensures confidentiality.

If paper records containing PHI are in your possession, it is your responsibility to make sure they are discarded properly.

Fax Machines in Your Department

Manage PHI received via fax as confidential.

Fax machines used for patient care or patient related services shall not be located in areas accessible to the general public but rather must be in secure areas, and the department director or designee is responsible for limiting access to them.

Each department is responsible for ensuring that incoming faxes are properly handled.

Immediately remove the fax transmission from the fax machine and deliver it to the recipient.

When sending PHI, use the new UTMB Fax Cover Sheet.

Reporting Privacy Breaches

If you witness activity that you believe is improper regarding patient privacy, you should report such activity to the UTMB Institutional Privacy Office. You may contact the Institutional Privacy Office by either calling the direct number or by anonymously reporting the activity through the Fraud/Abuse and Privacy Hotline.

Institutional Privacy Office: (409) 747-8700

Fraud, Abuse & Privacy Hotline: (800) 898-7679

Institutional Privacy Office
301 University Boulevard
Galveston, Texas 77555-0198


Questions

Questions????