Aspirus, Inc.

Annual Provider Training: Compliance and Privacy

September 2016

Overview • An Effective Compliance Program—People and a Plan • Provider Responsibilities • Policy #6992 - Standards of Conduct • Stark Law • HIPAA Privacy Program Basics • Policy #5852 – Provider Self Treatment and Treatment of

Immediate Family Members • Duty to Report & How to Report • Non-Retaliation Commitment • Attestation

2

3

Seven Elements of an Effective Compliance Program 1. Written Policies and Procedures 2. Designation of a Compliance Officer and a Compliance

Committee 3. Conducting Effective Training and Education 4. Developing Effective Lines of Communication 5. Enforcing Standards Through Well-Publicized Disciplinary

Guidelines 6. Auditing and Monitoring 7. Responding to Detected Offenses and Developing Corrective

Action Initiatives

4

Why do I need training? Compliance is EVERYONE’S responsibility!

As an individual who provides health or administrative services for Medicare enrollees, every action you take potentially affects Medicare enrollees, the Medicare

program, or the Medicare trust fund.

Every year millions of dollars are improperly spent because of fraud, waste and abuse. It affects everyone.

Including YOU. YOU are part of the solution.

5

What are my Responsibilities? You are a vital part of the effort to prevent, detect, and report non-compliance as well as possible fraud, waste, and abuse. • FIRST you are required to comply with all applicable statutory,

regulatory, and Aspirus policies. • SECOND you have a duty to report any potential or actual

violations of law, regulation or policy that you are aware of. • THIRD you have a duty to follow Aspirus’ Standards of

Conduct policy.

6

What can I do to be in compliance with Regulatory Policies? Answer is: Document

• Accurate and clear orders • Complete, pertinent and legible notes • Medical necessity for services • Authentication of entries (sign, date and time) • Timely record keeping

7

Medicare Claims Processing Manual, Chapter 12, Section 30.

“Medical necessity of a service is the overarching criterion for payment

in addition to the individual requirements of a CPT code.

It would not be medically necessary or appropriate to bill a higher level of evaluation and management service when a

lower level of service is warranted.

The volume of documentation should NOT be the primary influence upon which a specific level of service is billed.”

8

CMS Medicare Advantage Fraud, Waste and Abuse Compliance

You will receive separate instructions for completing the CMS required training and attestation process at a later date.

9

Standards of Conduct • A Standards of Conduct policy is fundamental to a

successful compliance program because it articulates the organization’s commitment to ethical behavior. It helps to define the organization’s culture.

• Considered the cornerstone of an effective Compliance Program

• Should be distributed and acknowledged by all employees at time of hire and annually thereafter

• Policy #6992 – Standards of Conduct—Click on this link to review the policy.

10

What is a significant law that I should know about? Answer is: The Stark Law

It prohibits a physician from making a referral of a Medicare patient to an entity that furnishes

designated health services (DHS) if the physician or a member of the physician’s immediate family has a financial relationship unless an

exception applies. (CFR § 411.350(a))

11

Stark Exceptions There are many arrangements in the letter of the law, that when requirements of the law are met, qualify as an exceptions to a “financial relationship” under Stark.

– Examples include: • Rental of office space or equipment • Physician recruitment • Bona fide charitable donations made by a physician to an entity • Non-monetary compensation • Fair Market value compensation • Medical staff incidental benefits • Compliance training • OB malpractice insurance subsidies

12

HIPAA Privacy HIPAA is a federal law that tells us how we can use and to whom we may disclose protected health information (PHI), as well as what rights patients have regarding their information.

– Our Notice of Privacy Practices communicates this to our patients. – Appropriate uses include treatment, payment, and healthcare operations.

We must limit the amount of information we use to the minimum necessary for the intended purpose, except in a treatment situation.

We access and share information with co-workers only to the extent needed to do the job.

We have work-related confidential conversations in private places away from the public, not in the cafeteria, bathrooms or elevators.

Aspirus does conduct audits to verify appropriate access to PHI.

13

HIPAA Privacy If you are not directly involved with a patient’s care or performing other job related functions, you should not access the patient’s record. Some examples of inappropriate PHI access are:

– Providers are not authorized to access their own medical record at will. There are requirements from HIPAA and state law that must be met before a patient may access his/her own record, and a process has been established to ensure accurate disclosure of PHI. Providers must follow the same procedures as any other patient. Contact the HIM department for details.

– Viewing records of friends, neighbors, or relatives (outside of your job function). You may view PHI for job related activities only.

– Looking up information when you are no longer in a treatment relationship with the patient. When you are no longer providing care to an individual, you should not access his/her records. For audit purposes, 30 days after an episodic visit or termination of care will be used as the guideline.

14

Provider Self-Treatment and Treatment of Family Members • Frequently identified by privacy audits • Permitted, but discouraged • Must maintain accurate medical record • Cannot be billed to insurance: self-pay • Policy #5852 – Provider Self-Treatment and

Treatment of Immediate Family Members—Click on this link to review the policy.

15

Your behaviors and actions must support our mission of high ethical standards. You have an obligation to report questionable privacy and compliance events of which you have become aware.

To report a concern or ask a question:

A Duty to Report

SafetyZone Portal Hotline:

1-800-450-2339 1-715-847-2166

Compliance Personnel

16

I’m Afraid to Report Noncompliance • There can be NO retaliation against you for

good faith reporting of suspected noncompliance.

• Aspirus offers reporting methods that are:

Anonymous Non-Retaliatory

Confidential

17

Non-Retaliation

Retaliation or harassment toward any employee who makes a report to Compliance WILL NOT be tolerated and should be reported to the Chief Compliance Officer immediately.

18

Using SafetyZone to Report

19

Using SafetyZone to Report

20

Contact Compliance Sandy Lakey Adrienne Chase Liz Ray

Chief Privacy Officer Compliance Specialist Compliance Specialist

sandy.lakey@aspirus.org adrienne.chase@aspirus.org elizabeth.ray@aspirus.org

715-847-2181 906-932-7675 715-843-1191

Wausau, WI Ironwood, MI Wausau, WI

Andra Hinz Marne Schroeder Destinee Fiecko

Compliance Specialist Compliance Specialist Executive Assistant

andra.hinz@aspirus.org marne.schroeder@aspirus.org destinee.fiecko@aspirus.org

715-847-0437 715-843-1109 715-847-0064

Wausau, WI Wausau, WI Wausau, WI

21

Attestation

• To properly submit your attestation, please: 1. Click Reply to the email. 2. Type “Complete” in the body of the message. 3. Do not change the subject line. 4. Hit Send.

• You will receive confirmation of your

submission within 7 days.

22