Diatherix Compliance Meeting and Exceeding Expectations
Objectives
• Understand why a compliance program is important
• Determine your compliance role in the company and be empowered to help prevent fraud, abuse, and disclosure of PHI
• Understand the consequences of violating the law and the laboratory's compliance policies
• Recognize compliance problems and issues even when they are not part of your direct role with the company
Diatherix Code of Conduct – HR and Compliance
• Negligence: DLI has zero tolerance toward unethical, negligent, or abusive practices in the performance of your duties.
• Discounts and Free Services: An employee shall not offer discounted or free services to clients or potential clients without the express approval of the COO. This includes any "trial sample" requests.
• Nonmonetary Compensation for Providers: Nothing of value may be given to providers except the items defined in the Nonmonetary Compensation for Providers Policy.
• Breaches: All employees must report breaches immediately to the Compliance Officer or a committee member. Failure to do so will be considered negligent and subject to disciplinary action.
Acronyms – But of course!
• HIPAA: Health Insurance Portability and Accountability Act of 1996
• HITECH: Health Information Technology for Economic and Clinical Health Act
• PHI: Protected Health Information
• ePHI: electronic Protected Health Information
• OIG: Office of Inspector General
• HHS: Department of Health and Human Services
• OCR: Office for Civil Rights
• CMS: Centers for Medicare and Medicaid Services
• EMR: Electronic Medical Records
• BA: Business Associate(s)
• HCA: Healthcare Company
• TNP: Test Not Performed
• DLI: DIATHERIX Laboratories
• DLK: DIATHERIX Laboratories Kettering
WHY HAVE A COMPLIANCE PLAN?
• DLI adheres to an internal Compliance Plan because a laboratory cannot afford not to have one.
• The Inspector General of the Department of Health and Human Services cites a General Accounting Office estimate that Medicare loses 10% of total expenditure, about $18 billion per year, to fraud and abuse.
• Commercial laboratories and hospital laboratories are required to monitor for fraud and abuse and to report suspected problems to HHS and the OIG (Department of Health and Human Services and Office of Inspector General).
WHY HAVE A COMPLIANCE PLAN? (cont.)
• HHS and the OIG audit CMS's financial statements and review claim expenditures and the supporting medical records.
• OIG recovered more than $1.7 billion in criminal fines, civil restitution, and penalties from HCA in 2009-2010; for 2013 alone, recoveries reached $2.9 billion.
• A Compliance Plan helps a laboratory adhere to federal and state laws and avoid fraudulent and abusive practices.
Introduction
• The government believes that fraud, abuse and waste exist in the healthcare industry today because of the cases it has settled and prosecuted.
• All healthcare providers, including laboratories, make billing errors. Billing is considered the highest-risk area for compliance issues because of its exposure to outside parties.
• The Office of Inspector General (OIG) believes that honest members of the healthcare community can police themselves if they have the right guidance.
• The OIG has published Compliance Program Guidance documents for healthcare providers and laboratories.
• Diatherix follows the guidelines established by the OIG and HHS.
Compliance covers:
• Omnibus Rule
• HIPAA
• HITECH
• Stark Law
• Red Flag Rule
• False Claims Act
• Anti-Kickback Law
• Patients' right to access lab results, and more…
Diatherix Expectations – What you should not do
• Share passwords
• Violate any portion of the Compliance Plan, on or off the clock
• Instruct your clients to leave PHI in unsecured areas
• Allow unauthorized personnel to review PHI (see the new policy on visitors)
• Fail to report compliance violations
• Use any information regarding patients or clients in social media
Diatherix Expectations – What you must do
• Maintain the Code of Conduct even when off the clock
• Ask questions if you are unclear
• Prevent unauthorized access to PHI
• Read the Compliance Plan in its entirety
• Report any compliance issues or violations
• Attend annual training
Anti-Kickback Law
• Federal law contains a statutory prohibition, enforced by the Department of Justice and the OIG, against kickbacks and rebates in the healthcare industry.
• A kickback is the knowing and willful solicitation, offer, or payment of any remuneration (anything of value), whether direct or indirect, overt or covert, in cash or in kind, in return for referrals or the ordering of tests.
• Violations may result in criminal penalties, civil monetary penalties, and exclusion from federally funded programs.
Anti-Kickback Penalties
• Monetary penalties: fines of up to $25K per violation
• Criminal penalties: up to 5 years in prison per violation
• Program exclusion: no longer allowed to participate in federally funded programs
Compliance is VITAL – In the News: BLS (Biodiagnostic Laboratory Services, LLC)
• Headline, June 13, 2013: President of New Jersey clinical laboratory and six salesmen admit bribing doctors for more than $100 million in test referrals
• Bribes as well as "sham leases"
• As of August 2015, 38 individuals indicted (9 salesmen, 27 physicians, two C-suite employees)
• Facing up to 25 years in prison and fines of $750,000 or more per individual
Nonmonetary Compensation for Providers Policy
• Date: January 20, 2014
• As mandated by the Stark and Anti-Kickback Laws, Diatherix has issued the following guidance for maintaining compliance while providing nonmonetary compensation to providers. It is the responsibility of each Territory Manager to adhere to this policy and stay within the policy's limit. District Managers are to monitor their team members on a monthly basis.
• Annual allotment per provider: $250.00 (this includes all provider types who have an NPI number). Meal totals will be divided by the number of attendees at each in-service. NPI numbers should be listed for all providers in attendance and placed beside their names on the corresponding sign-in sheet.
Conflicts of Interest
"Diatherix has a commitment to compliance with the law and avoiding conflict of interest in sales and other business opportunities. As a result, Diatherix employees should not enter into, or be currently participating in, personal relationships with clients or potential clients without informing their supervisor and the HR Director. Employees should also inform their supervisor and the HR Director of any clients that are currently or will potentially become immediate family members. Employees have an obligation to conduct business within guidelines that prohibit actual or potential conflicts of interest."
Personal Relationships with Clients Policy, Sept 25, 2013
False Claims Act
• Laboratory compliance plans must ensure that all claims for testing services are accurate and correctly identify the services ordered by the physician. Our Compliance Plan fully explains and prohibits the following billing practices:
  • Charging for tests not performed
  • Unbundling
  • 72-hour rule (3-day rule) violations
  • Upcoding
  • Downcoding
False Claims Act Penalties
• Monetary penalties: up to $50K per violation
• Criminal penalties: up to 5 years in prison per violation
• Program exclusion: no longer allowed in federally funded programs
Tests Not Performed
• The laboratory has a system in place to detect tests that are not performed and has disabled the transmission of those tests to billing.
• No one may be billed for a test that is not performed.
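The gate described above, in working form as an added example (not Diatherix's own billing code): a fail-closed filter between the laboratory result feed and the billing feed, plus a reconciliation check that detects any claim line with no finalized result behind it. Record layouts, status codes, accession numbers and CPT codes here are assumptions constructed for illustration.

```python
"""Fail-closed gate between LIS results and the billing feed.

Added example, not Diatherix code. Status codes, record fields and the
sample data are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Only a finalized result is billable. Everything else, including any
# status the gate has never seen, is held back: the control fails closed.
BILLABLE_STATUSES = {"FINAL"}
NOT_PERFORMED_STATUSES = {"TNP", "CANCELLED", "PENDING", "QNS"}  # QNS: quantity not sufficient


@dataclass(frozen=True)
class ResultRecord:
    accession: str  # specimen / requisition identifier (assumed format)
    cpt: str        # CPT code of the test ordered
    status: str     # result status as reported by the LIS


@dataclass(frozen=True)
class ClaimLine:
    accession: str
    cpt: str


def build_billing_feed(results: Iterable[ResultRecord]) -> Tuple[List[ClaimLine], List[Tuple[ResultRecord, str]]]:
    """Preventive control: emit a claim line only for FINAL results.

    Returns (claim_lines, held) where `held` pairs each withheld record
    with the reason, so the Compliance Committee can review the exceptions.
    """
    claims: List[ClaimLine] = []
    held: List[Tuple[ResultRecord, str]] = []
    for r in results:
        if r.status in BILLABLE_STATUSES:
            claims.append(ClaimLine(r.accession, r.cpt))
        elif r.status in NOT_PERFORMED_STATUSES:
            held.append((r, "not performed"))
        else:
            # Unknown status: never guess in favour of billing.
            held.append((r, f"unrecognized status {r.status!r}"))
    return claims, held


def audit_claims(claims: Iterable[ClaimLine], results: Iterable[ResultRecord]) -> List[ClaimLine]:
    """Detective control: return claim lines that lack a FINAL result.

    Run this over any claim file produced outside the gate (a legacy
    export, a manual rebill) before it is transmitted.
    """
    performed = {(r.accession, r.cpt) for r in results if r.status in BILLABLE_STATUSES}
    return [c for c in claims if (c.accession, c.cpt) not in performed]


# Constructed sample result feed (not real patient data).
SAMPLE_RESULTS = [
    ResultRecord("A1001", "87631", "FINAL"),    # performed and finalized
    ResultRecord("A1001", "87798", "TNP"),      # ordered but not performed
    ResultRecord("A1002", "87631", "PENDING"),  # still in the lab
    ResultRecord("A1003", "87798", "FINAL"),
    ResultRecord("A1004", "87631", "ZZZ"),      # status the gate does not know
]

if __name__ == "__main__":
    claims, held = build_billing_feed(SAMPLE_RESULTS)
    for c in claims:
        print("BILL ", c.accession, c.cpt)
    for r, why in held:
        print("HOLD ", r.accession, r.cpt, why)
    # A hand-built claim file that includes an unperformed test is caught.
    legacy = [ClaimLine("A1001", "87631"), ClaimLine("A1002", "87631")]
    print("flagged:", audit_claims(legacy, SAMPLE_RESULTS))
```

The held list is the audit trail: every record kept out of billing carries its reason, which is what a quarterly billing audit would ask for.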
Billing and Medical Necessity
• Billing
  - One of the highest-risk activities a laboratory performs
  - Many of the risk areas of our Compliance Plan are components of the billing function, including HIPAA, the False Claims Act, HITECH, and the Red Flag Rules
• Medical Necessity
  - Originally HHS stated that laboratories are responsible for proving the medical necessity of tests
  - A newer CMS ruling states that physicians are ultimately responsible
  - We have added a special comment on the requisition for this very reason
Coding
• CPT (Current Procedural Terminology) codes are used to describe specific tests or services
  - The amount of payment received for testing is determined by the CPT codes used
  - It is against the law to use the wrong CPT code for a test for the purpose of causing or increasing payment for the test (this is a form of upcoding)
• ICD-10-CM (International Classification of Diseases, 10th Revision, Clinical Modification) codes are used to classify diseases and conditions, i.e. the diagnosis
  - ICD-10-CM codes are used to indicate the medical necessity of a particular test
  - It is against the law to change the ICD-10-CM code for the purpose of causing or increasing payment for a test
Requisitions
• As mandated by the OIG, requisitions must be designed to ensure that ordering physicians can choose disease-specific panels that are medically necessary for their patients.
"Physicians, or others authorized by law to order tests, should only order tests that are medically necessary for the diagnosis or treatment of a patient."
Self-Referral (Stark) Laws and Regulations
• The Stark Law is a federal self-referral prohibition that states: "a physician may not make a referral to an entity in which he or she (or an immediate family member) has a financial relationship for a designated health service. Providers may not submit or cause to be submitted a bill or claim for reimbursement for services provided pursuant to a prohibited referral."
HIPAA – What it's all about
• Patients' protected health information
• Rights to disclosures, and limits on disclosures
• Patients' right to review their own PHI
• Patients' right to request amendment of their PHI
• Mandated civil, monetary, and exclusionary penalties
HIPAA
• The information collected on patients is confidential and must be protected
• No one should read patient information unless they have a work-related, need-to-know reason to do so
• Any patient information you may overhear should not be shared with co-workers or people outside of DLI
• Keep your computer screens out of public view, and do not leave identifiable patient information where it can be seen by anyone not involved in that patient's testing or billing process
HIPAA
• Shredding bins are available throughout the company. Use them to discard anything that contains confidential information
• If you find any stray patient information, give it to a supervisor or a Compliance Committee member
HIPAA Penalties
• Monetary penalties: up to $250K per violation
• Criminal penalties: up to 10 years in prison per violation
• Program exclusion: no longer allowed in federally funded programs
Securing PHI
• Verify who is requesting information BEFORE releasing it over the phone or electronically
• Use a fax cover sheet bearing the DLI disclaimer with every fax transmission
• Document what you are disclosing when releasing PHI to outside agencies, as required by law
• Do not leave PHI out in view of unauthorized personnel
Confidentiality
• All employees have a responsibility to maintain the confidentiality of a patient's medical and financial information
  - This information should never be discussed outside the company except for the reasons clearly defined by HIPAA
  - Employees should verify the identity of anyone requesting this information
  - The HIPAA Minimum Necessary standard should be followed: disclose only as much PHI as the request requires
Compliance is VITAL!
• March 2012: BCBS of Tennessee agreed to a $1.5 million settlement with the Office for Civil Rights (OCR) over potential HIPAA Security Rule violations and spent another $17 million in breach response costs. 57 unencrypted hard drives were reported missing in 2009.
• April 2014: A major insurance carrier received a $17 million fine for the loss of one unencrypted hard drive.
HITECH
• Enacted as part of the American Recovery and Reinvestment Act of 2009
• Includes provisions for:
  - Increasing patient rights
  - Limits on marketing using PHI
  - Breach notification
  - Accountability for the protection and security of ePHI
  - Additional penalties for non-compliance, applying to both covered entities and business associates
HITECH – What is a Breach?
• The unauthorized acquisition, access, use, or disclosure of unsecured protected health information that compromises the security or privacy of that information
  - Includes electronic, verbal, and paper PHI
• Omnibus Rule (Sept 2013): every impermissible disclosure is presumed to be a breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised ("LoProCo")
Monitoring Compliance
• Annual satisfaction surveys: the OIG states that all laboratories should include in their compliance plan a system for soliciting client feedback
• Billing audits: done quarterly
• Client Services audits: done quarterly
• Interviews with employees: upcoming
• Compliance Committee established: Randy Ward, Brint Roden, Brittany Sasser, LaTonia Pam, Sonya Hamilton, Vicki Caneer, Cheryl Sesler, Cathy Thomas, Serena Beck, Kathi Hathcock and Kym Creekmore
Breaches 2013
• In the news: Target, Neiman Marcus
• Diatherix: stolen requisitions
  - 53 individuals affected
  - 60 days to notify all affected individuals
  - Secondary (substitute) notification required if 10 or more cannot be reached
  - Offered one year of credit monitoring
  - Must be reported to HHS (OCR) by March 1
• Breaches: All employees must report breaches immediately to the Compliance Officer or a committee member. Failure to do so will be considered negligence on the employee's part and subject to disciplinary action.
Omnibus Rule, Sept 2013
• Patients who pay for a service out of pocket in full can now require that it not be disclosed to their health plan
• All impermissible disclosures are presumed to be breaches until proven otherwise
• Business associates of business associates (subcontractors) are now held accountable
Breach 2014
• Our business associate: Diamond Computing
• Unsecured server
• Billing correspondence exposed
• 7,016 patients affected
• DLI Compliance Plan updated in August
Patient Direct Access to Laboratory Results
• Form developed
• Authentication process for requesters
• Thirty days to respond to requests
• Age of medical consent to consider
• Deadline to comply: October 6, 2014
The Destruction of a Multi-Billion-Dollar Company: HealthSouth Corporation
HealthSouth Compliance Program, Pre-2003
• 60,000 employees
• Operated in all 50 states and 5 countries
• Largest US provider of inpatient and outpatient rehab, surgery centers, and diagnostics
• $4.5B company, listed on the NYSE
• 1.5 FTE Compliance
• 2 FTE Internal Auditors
Compliance Function
• Compliance Officer reported to the CO and CFO, had no training and no independence
• Reporting method: an answering machine, designed so that it alerted the fraudsters
• Audits: no independence, no access, advance notice required
How It Unraveled
• Filing of false claims
• DOJ notified
• CMS clarification sought through a lobbyist
• Stock sold
• Investigation begins
• Whistleblowers
• Civil and monetary penalties for the company and multiple employees
In 24 hours…
• Wired conversations at HQ
• 5 p.m. search warrant
• Strategic blitz at executives' homes
• Media and crisis management
• Attorneys
• SEC meeting
March 19, 2003 (Wednesday)
• NYSE halts trading at $19.55
• First SOX plea: Weston Smith
• Directors' special called meeting
• Deals cut: 2 CFOs, 5 VPs of accounting
• Corporate cooperation
• Delisted 5 days later; $0.60 on the "pink sheets"
Aftermath
• HealthSouth: $2.7B accounting fraud
• 15 criminal convictions (2003-2004)
• $325M False Claims Act settlement (outpatient group / concurrent PT)
• Reconstructed financial statements in June 2004
• $445M paid out to settle civil lawsuits (2006)
• 3 of 4 divisions sold off to raise cash
• Hundreds of millions of dollars in attorney, accounting, and turnaround costs
• Relisted on the NYSE (2006)
• Now a well-staffed, well-funded compliance department
Insurance fraud can take you from this…
…to this…
Reporting Concerns
• If you have questions or concerns regarding compliance, contact the Compliance Officer by any of the methods below:
  A. Talking to the Compliance Officer face to face
  B. Emailing the Compliance Officer
  C. Calling the Compliance Officer (leave a message if needed)
  D. Faxing the Compliance Officer's direct fax number
• All communications may be made anonymously and without fear of discrimination or retribution
Summary
• DLI adheres to the rules set forth by the OIG and HHS in regard to compliance
• Monitoring and reporting compliance issues is every employee's responsibility
• A Compliance Plan helps a laboratory adhere to federal and state laws and avoid fraudulent and abusive practices
• Failure to report compliance issues is considered negligence
Stay Calm and Follow the Rules
Kym Creekmore, CHC
Chief Compliance and Privacy Officer
256-327-5222 (desk and anonymous hotline)
256-327-0954 (personal fax)
256-426-1507 (cell)
kym.creekmore@diatherix.com
256-327-5222 is anonymous: all caller ID functions have been removed.
Questions?
To Be Continued…