General Compliance, Privacy, and Fraud, Waste, and Abuse
Sharp Community Medical Group
2017 Compliance Education
Disclosures
Portions of this training presentation were originally created by Sharp HealthCare and customized
by Sharp Community Medical Group (SCMG).
SCMG, as a delegated provider organization, is required to provide general compliance and fraud,
waste, and abuse training to employees and contracted providers because we provide
administrative services to Medicare beneficiaries.
SCMG has provided you with this material as part of our oversight process to implement the
compliance training and education requirements found in Medicare Regulations.
The information contained in this document is not intended to serve as legal advice nor should it
substitute for legal counsel. The material in this document is intended to be a resource that you
can leverage in your efforts to comply with the applicable rules. This document is not exhaustive,
therefore readers are encouraged to seek additional detailed guidance to supplement the
information contained herein.
Learning Objectives
In this module you will learn about the following:
• The elements of a Compliance Program
• The privacy requirements for California and federal laws
• Responsibilities for addressing Protected Health Information (PHI)
• How fraud, waste, and abuse affects Sharp Community Medical Group and you
• The importance of Medicare fraud, waste, and abuse laws
• Your responsibility to prevent and report fraud, waste, and abuse
General Compliance
CMS Requirements
As of January 1, 2011, Federal regulations require that Medicare
Advantage Organizations and Medicare Part D Plans have an effective
compliance program designated to deter fraud, waste, and abuse (FWA).
This includes compliance program requirements for annual training on
compliance and FWA.
Where Do I Fit in the Medicare Program?
What are my responsibilities?
You are a vital part of the effort to prevent, detect, and report Medicare
non-compliance as well as possible fraud, waste, and abuse.
• FIRST you are required to comply with all applicable statutory, regulatory, and other
Part C or Part D requirements, including adopting and using an effective compliance
program.
• SECOND you have a duty to the Medicare Program to report any violations of laws
that you may be aware of.
• THIRD you have a duty to follow your organization’s Code of Conduct that articulates
your and your organization’s commitment to standards of conduct and ethical rules of
behavior.
Compliance Program Requirements
At a minimum, an effective compliance program must include 7 core requirements:
1. Written Policies, Procedures and Standards of Conduct;
2. Compliance Officer, Compliance Committee, and High-Level Oversight;
3. Effective Training and Education;
4. Effective Lines of Communication;
5. Well-Publicized Disciplinary Standards;
6. Effective System for Routine Monitoring and Identification of Compliance Risks; and
7. Procedures and System for Prompt Response to Compliance Issues
Reasons to Implement a Compliance Program
1. Compliance Programs reinforce employees' innate sense of right and wrong.
2. An effective compliance program helps an organization fulfill its legal duty to the government.
3. Adopting a Compliance Program concretely demonstrates the organization has a strong
commitment to honesty and responsible corporate integrity.
4. Compliance Programs are cost effective. Expenditures are insignificant in comparison to the
disruption and expense of defending against a fraud investigation.
5. A Compliance Program provides a more accurate view of employee and contractor behavior
relating to fraud, waste, and abuse.
6. A Compliance Program provides guidance and procedures to promptly correct misconduct.
7. An effective Compliance Program may mitigate False Claims Act liability or other sanctions
imposed by the government by preventing non-compliance, fraud, waste, and abuse.
Privacy
Federal Privacy Laws:
What is HIPAA Privacy?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires all providers and employees to:
• Secure patients’ protected health information (PHI) both physically and electronically.
• Adhere to the minimum necessary standard for use and disclosure of PHI. This means making reasonable efforts to limit PHI to the minimum amount necessary when using, disclosing, or requesting PHI.
• Specify patients’ rights for access, use, and disclosure of their PHI.
Protected Health Information (PHI)
PHI is:
• Health information related to a patient’s past, present,
or future physical and/or mental health or condition.
This includes:
• Any one of the 18 personal identifiers (see next slide).
• Information in any format: written, spoken, or
electronic (including videos, photographs, and x‐rays).
Personal Identifiers that are Considered PHI
These are the 18 HIPAA identifiers that are considered personally identifiable information. When personally identifiable information is used in combination with one’s physical or mental health or condition, health care, or one’s payment for that health care, it becomes protected health information (PHI).
• Name
• Postal address
• All elements of dates except year
• Telephone number
• Fax number
• Email address
• URL address
• IP address
• Social security number
• Account numbers
• Medical record number
• Health plan beneficiary number
• Device identifiers and their serial numbers
• Vehicle identifiers and serial number
• Biometric identifiers (fingerprints)
• Full face photos and other comparable images
• Any other unique identifying number, code or characteristic
• License numbers
What is a Breach?
The term “Breach” means the unauthorized acquisition, access, use, or disclosure that compromises the security or privacy of PHI.
Example of a Breach:
An employee or medical staff member peeking at a patient’s medical record merely to satisfy his or her own curiosity, even if the employee or medical staff member does not disclose any medical information about the patient to any other person.
Additional Examples of Breaches:
Paper Breaches
• Misdirected faxes with PHI sent outside of the network.
• Loss or theft of paper documents containing PHI.
• Providing discharge documents with PHI to the incorrect provider or patient.
Electronic Breaches
• Misdirected emails with PHI sent to individuals outside of the network.
• Stolen unencrypted laptops, hard drives, or personal mobile devices containing PHI.
Safeguards for Protecting PHI
Some examples of safeguards you can use include:
• Restrict patient information to those who have a “need to know.”
• Protect health information from unauthorized access.
• Never leave patient charts or computer screens open to the public view.
• Confidential information should always be discussed in private.
• Dispose of paper PHI the right way – by shredding it!
• Never share your computer passwords with anyone or log on to a computer for someone else to use.
• Log out or use secure screensavers when leaving a computer unattended.
Unauthorized Access of Medical Information
The term “unauthorized” means:
The inappropriate access, review, or viewing of patient medical
information without a direct need for medical diagnosis, treatment, or
other lawful use as permitted by the California Confidentiality of Medical
Information Act (CMIA).
California State Privacy Laws
California Medical Information Act (CMIA)
• State law that adds to the federal protection of personal medical records under HIPAA.
• Prohibits disclosure of medical information by a provider of health care, or health care service plan without prior written authorization.
The California Department of Public Health (CDPH) enforces California Privacy laws and requires licensed healthcare facilities to:
• Protect the privacy of patients’ medical information.
• Prevent unlawful or unauthorized access, use, or disclosure.
• Report unlawful or unauthorized access, use, or disclosure of medical information within 15 business days after breach detection unless there is a delay by law enforcement.
California State Privacy Law Basics
According to California state privacy laws:
• A patient’s “medical information” is any individually identifiable information derived from a healthcare provider regarding a patient’s medical history, mental or physical condition, or treatment.
Examples of unlawful access, use, or disclosure of medical information:
• Accessing the medical information of friends, co-workers, and family members (including spouses, children, and parents, etc.).
• Faxing or otherwise providing medical information to the wrong patient, hospital, or company.
Consequences of Non-Compliance
Non-compliance with HIPAA:
• Penalties up to $1.5 million for provider
non-compliance based on negligence.
• Criminal penalties up to $50,000 and/or
imprisonment more than one year for
individual who obtains or discloses PHI
without a business need to know.
• Minimum fine of $250,000 and/or
imprisonment not more than 10 years
for individual committing to sell PHI for
financial gain.
Non-compliance with the CMIA:
• Penalties of up to $25,000 per patient
whose medical information was
breached (maximum of $250,000 per
event).
• Penalties of $2,500 - $25,000 for
knowingly and willfully violating privacy
of medical information; $250,000 for
violating privacy of medical information
for financial gain.
Workplace Fraud
What is Workplace Fraud?
Workplace fraud is:
• The intentional, dishonest, and deceptive action of defrauding a business either directly or indirectly whether or not for personal gain.
• Most often this action is taken against businesses because the criminal mind believes they can successfully steal, hide, or use the assets for value.
Sharp Community Medical Group has a zero tolerance policy towards fraud.
Examples of Workplace Fraud:
• Abusing authority
• Committing official or moral misconduct
• Falsifying information
• Misusing company time, equipment, or information
• Soliciting gifts from outside sources
• Stealing or embezzling company property or money
• Violating conflict of interest standards
Employee falsifying work-related documents or time cards = FRAUD
Workplace Fraud
Workplace fraud is an expensive and growing problem that negatively impacts organizations and their employees. Organizations lose an estimated 5% of annual revenues to fraudulent activities.
The longer fraud lasts, the more financial damage it can cause. Passive detection methods (confession, notification by law enforcement, external audit, and by accident) tend to take longer to bring fraud to management’s attention, which allows the related loss to grow.
Identifying Workplace Fraud
Being proactive is vital in catching fraudulent
activity early and limiting losses.
Fraud can be identified using proactive
detection measures such as:
• Compliance hotlines
• Management review procedures
• Audits
• Employee monitoring mechanisms
Identifying Fraudsters
Most workplace fraud perpetrators exhibit
certain behavior traits that can be warning
signs of fraud, such as:
• Living beyond their means
• Having unusually close associations with
vendors or customers
All employees need to recognize these
warning signs that, when combined with
other factors, might indicate fraud.
How Fraud Impacts Organizations
Fraud hurts organizations by causing:
• Decreased productivity
• Investment of time & money spent on investigations
• Lost resources
• Lowered morale
• Possible punishment
• Negative impact on organization’s reputation
How Fraud Impacts Employees
Fraud perpetrated by another individual can negatively affect others by:
• Decreased trust throughout the organization.
• Increased scrutiny from regulatory agencies.
• Loss of time and resources to address fraudulent acts.
• Fewer resources available to provide needed care to your patients
Medicare Fraud, Waste, and Abuse
What is Medicare fraud?
Medicare fraud is:
• Knowingly and willfully executing, or attempting to
execute, a scheme or artifice to defraud any health care
benefit program, or to obtain, by means of false or
fraudulent pretenses, representations, or promises, any
of the money or property owned by, or under the
custody or control of, any health care benefit program.
• In other words, fraud is intentionally submitting false
information to the Government or a Government
contractor to get money or a benefit.
Waste and Abuse
Waste
Overusing services, or other practices that, directly or indirectly, result in unnecessary costs to the Medicare Program. Waste is generally not considered to be caused by criminally negligent actions but rather by the misuse of resources.
Abuse
Actions that may, directly or indirectly, result in unnecessary costs to the Medicare Program. Abuse involves payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment.
Differences Among Fraud, Waste, and Abuse
There are differences among fraud, waste, and abuse.
One of the primary differences is intent and knowledge.
• Fraud requires intent to obtain payment and the knowledge that
the actions are wrong.
• Waste and abuse may involve obtaining an improper payment or
creating an unnecessary cost to the Medicare Program, but do
not require the same intent and knowledge.
Examples of Fraud, Waste, and Abuse
Actions that may constitute fraud include:
• Knowingly billing for services
not furnished or supplies not
provided, including billing
Medicare for appointments that
the patient failed to keep.
• Billing for non-existent
prescriptions.
• Knowingly altering claim forms,
medical records, or receipts to
receive a higher payment.
Actions that may constitute waste include:
• Conducting excessive office
visits or writing excessive
prescriptions.
• Prescribing more medications
than necessary for the
treatment of a specific
condition.
• Ordering excessive laboratory
tests.
Actions that may constitute abuse include:
• Billing for unnecessary medical
services.
• Billing for brand name drugs
when generics are dispensed.
• Charging excessively for
services or supplies.
• Misusing codes on a claim,
such as upcoding or
unbundling codes.
How do you prevent FWA?
Look for suspicious activity;
Conduct yourself in an ethical manner;
Ensure accurate and timely data/billing;
Ensure you coordinate with other payers;
Keep up to date with FWA policies and procedures, standards
of conduct, laws, regulations, and CMS guidance; and
Verify all information provided to you.
Report Suspected FWA
• Everyone must report suspected
instances of FWA.
• Review your organization’s materials for
the ways to report FWA.
• Call or email your compliance liaison
([email protected]) or
compliance hotline.
• Additional information can be found here:
https://providers.scmg.org/compliance/
Understanding FWA Laws
To detect FWA, you need to know the law.
The following screens provide high-level information about the following laws:
• Civil False Claims Act, Health Care Fraud Statute, and Criminal Fraud;
• Anti-Kickback Statute;
• Stark Statute (Physician Self-Referral Law);
• Exclusion; and
• Health Insurance Portability and Accountability Act (HIPAA).
For details about the specific laws, such as safe harbor provisions, consult the
applicable statute and regulations.
Civil False Claims Act (FCA)
The civil provisions of the FCA make a person liable to pay damages to the
Government if he or she knowingly:
• Conspires to violate the FCA;
• Carries out other acts to obtain property from the Government by
misrepresentation;
• Knowingly conceals or knowingly and improperly avoids or decreases
an obligation to pay the Government;
• Makes or uses a false record or statement supporting a false claim; or
• Presents a false claim for payment or approval.
EXAMPLE
A Medicare Part C plan in Florida:
• Hired an outside company to review medical records to find additional diagnosis codes that could be submitted to
increase risk capitation payments from the Centers for Medicare & Medicaid Services (CMS);
• Was informed by the outside company that certain diagnosis codes previously submitted to Medicare were
undocumented or unsupported;
• Failed to report the unsupported diagnosis codes to Medicare; and
• Agreed to pay $22.6 million to settle FCA allegations.
Damages and Penalties
Any person who knowingly submits false claims to the Government is liable for three times the Government’s damages caused by the violator plus a penalty.
The Civil Monetary Penalty (CMP) may range from $5,500 to $11,000 for each false claim.
Civil FCA (continued)
Whistleblowers: A whistleblower is a person who
exposes information or activity that is deemed illegal,
dishonest, or violates professional or clinical standards.
Protected: Persons who report false claims or bring
legal actions to recover money paid on false claims are
protected from retaliation.
Rewarded: Persons who bring a successful
whistleblower lawsuit receive at least 15 percent but not
more than 30 percent of the money collected.
Health Care Fraud Statute
The Health Care Fraud Statute states that, “Whoever knowingly and willfully executes, or attempts to execute, a
scheme to … defraud any health care benefit program … shall be fined … or imprisoned not more than 10 years, or
both.”
Conviction under the statute does not require proof that the violator had knowledge of the law or specific intent to
violate the law.
EXAMPLE
A Pennsylvania pharmacist:
• Submitted claims to a Medicare Part D plan for non-existent prescriptions and for drugs not dispensed;
• Pleaded guilty to health care fraud; and
• Received a 15-month prison sentence and was ordered to pay more than $166,000 in restitution to the plan.
The owners of two Florida Durable Medical Equipment (DME) companies:
• Submitted false claims of approximately $4 million to Medicare for products that were not authorized and not
provided;
• Were convicted of making false claims, conspiracy, health care fraud, and wire fraud;
• Were sentenced to 54 months in prison; and
• Were ordered to pay more than $1.9 million in restitution.
Criminal Fraud
Persons who knowingly make a false claim
may be subject to:
• Criminal fines up to $250,000;
• Imprisonment for up to 20 years; or
• Both.
If the violations resulted in death, the
individual may be imprisoned for any term
of years or for life.
Anti-Kickback Statute
The Anti-Kickback Statute prohibits knowingly and willfully soliciting,
receiving, offering, or paying remuneration (including any kickback, bribe,
or rebate) for referrals for services that are paid, in whole or in part,
under a Federal health care program (including the Medicare Program).
EXAMPLE
A radiologist who owned and served as medical director of a diagnostic testing center in New Jersey:
• Obtained nearly $2 million in payments from Medicare and Medicaid for MRIs, CAT scans, ultrasounds, and other
resulting tests;
• Paid doctors for referring patients;
• Pleaded guilty to violating the Anti-Kickback Statute; and
• Was sentenced to 46 months in prison.
The radiologist was among 17 people, including 15 physicians, who have been convicted in connection with this
scheme.
Damages and Penalties
Violations are punishable by:
• A fine of up to $25,000;
• Imprisonment for up to 5 years; or
• Both.
Stark Statute (Physician Self-Referral Law)
The Stark Statute prohibits a physician from making referrals for
certain designated health services to an entity when the physician
(or a member of his or her family) has:
• An ownership/investment interest; or
• A compensation arrangement (exceptions apply).
EXAMPLE
A physician paid the Government $203,000 to settle allegations that he violated the physician self-referral prohibition
in the Stark Statute for routinely referring Medicare patients to an oxygen supply company he owned.
Damages and Penalties
Medicare claims tainted by an arrangement that does not comply with the Stark Statute are not payable. A penalty of up to $15,000 may be imposed for each service provided. There may also be up to a $100,000 fine for entering into an unlawful arrangement or scheme.
Civil Monetary Penalties Law
The Office of the Inspector General (OIG) may impose civil penalties for a
number of reasons, including:
• Arranging for services or items from an excluded individual or entity;
• Providing services or items while excluded;
• Failing to grant OIG timely access to records;
• Knowing of an overpayment and failing to report and return it;
• Making false claims; or
• Paying to influence referrals.
EXAMPLE
A California pharmacy and its owner agreed to pay over $1.3 million to settle allegations they submitted claims to
Medicare Part D for brand name prescription drugs that the pharmacy could not have dispensed based on inventory
records.
Damages and Penalties
The penalties range from $10,000 to $50,000 depending on the specific violation. Violators are also subject to three times the amount:
• Claimed for each service or item; or
• Of remuneration offered, paid, solicited, or received.
Federal Health Care Excluded Providers
No Federal health care program payment may be made for any item or service furnished, ordered, or prescribed
by an individual or entity excluded by the OIG.
The OIG has authority to exclude individuals and entities from federally funded health care programs and maintains the
List of Excluded Individuals and Entities (LEIE). You can access the LEIE at https://exclusions.oig.hhs.gov.
The United States General Services Administration (GSA) administers the Excluded Parties List System (EPLS), which
contains debarment actions taken by various Federal agencies, including the OIG. You may access the EPLS at
https://www.sam.gov.
If looking for excluded individuals or entities, be sure to check both LEIE and EPLS since the lists are not the same.
EXAMPLE
A pharmaceutical company pleaded guilty to two felony counts of criminal fraud related to failure to file required reports
with the Food and Drug Administration (FDA) concerning oversized morphine sulfate tablets. The executive of the
pharmaceutical firm was excluded based on the company’s guilty plea. At the time the executive was excluded, he had
not been convicted himself, but there was evidence he was involved in misconduct leading to the company’s conviction.
State Suspended and Ineligible Provider List
Medi-Cal law, Welfare and Institutions Code (W&I Code), sections 14043.6 and 14123, mandate that the
Department of Health Care Services (DHCS) suspend a Medi-Cal provider of health care services from
participation in the Medi-Cal program when the individual or entity has:
• Been convicted of a felony;
• Been convicted of a misdemeanor involving fraud, abuse of the Medi-Cal program or any patient, or
otherwise substantially related to the qualifications, functions, or duties of a provider of service;
• Been suspended from the federal Medicare or Medicaid programs for any reason;
• Lost or surrendered a license, certificate, or approval to provide health care; or
• Breached a contractual agreement with the Department that explicitly specifies inclusion on this list as a
consequence of the breach.
Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
HIPAA created greater access to health care insurance, protection of
privacy of health care data, and promoted standardization and efficiency in
the health care industry.
HIPAA safeguards help prevent unauthorized access to protected
health care information. As an individual with access to protected health
care information, you must comply with HIPAA.
EXAMPLE
A former hospital employee pleaded guilty to criminal HIPAA charges after obtaining PHI with the intent to use it for
personal gain. He was sentenced to 12 months and 1 day in prison.
Damages and Penalties
Violations may result in Civil Monetary Penalties. In some cases, criminal penalties may apply.
CONGRATULATIONS!
You have completed the SCMG customized CMS-required training
course on General Compliance, Privacy, and Fraud, Waste, and Abuse.
SCMG is committed to the delivery of high quality care while conducting
its business in accordance with the highest levels of professional and
business ethics, and in full compliance with all laws, regulations, and
guidelines applicable to federal and state health care programs.