
AGENDA
Corporate Compliance/Privacy and Internal Audit Committee Meeting
Monday, September 23, 2013, 5:00-7:00pm
Conference Room A, ground floor
El Camino Hospital
2500 Grant Road, Mountain View, California
And by teleconference:
One Post Street
San Francisco, CA 94104

Purpose: The Corporate Compliance/Privacy and Internal Audit Committee is responsible for providing direction for both the Corporate Compliance and Internal Audit programs at all locations of El Camino Hospital (ECH). Responsibilities include providing oversight on compliance issues requiring executive-level interaction, assessing physician relationship risk as it relates to compliance, reviewing HIPAA/Privacy laws as they relate to compliance and directing ECH on compliance strategies. The Committee also serves as the ad-hoc mobilization team for any external investigations and/or actions. Further, additional responsibilities include providing direction and oversight to ongoing internal audit activity and determining appropriate organizational response in order to identify and mitigate organizational risk.

I. CALL TO ORDER/ROLL CALL
   Presented by: John Zoglin, Chair, Corporate Compliance Committee
   Time: 5:00 p.m.

II. POTENTIAL CONFLICTS OF INTEREST DISCLOSURES
   Presented by: John Zoglin, Chair, Corporate Compliance Committee
   Time: 5:01 – 5:02

III. PUBLIC COMMUNICATION
   Presented by: John Zoglin, Chair, Corporate Compliance Committee
   Time: 5:02 – 5:07

IV. CONSENT CALENDAR
   All items listed on the Consent Calendar are considered to be routine matters or formal documents covering previous Committee instructions. One motion, a second and a vote may enact all of the items listed on the Consent Calendar. There will be no separate discussion of Consent Calendar items unless members of the Committee, Hospital staff or the public request discussion on a specific item at the beginning of the consideration of the Consent Calendar.
   Approval:
   a. Minutes of Corporate Compliance Meeting, June 11, 2013
   Information:
   b. NPP Revisions
   c. BAA Revisions
   ATTACHMENT 1
   Presented by: John Zoglin, Chair, Corporate Compliance Committee
   Action: public comment, motion required
   Time: 5:07 – 5:10

A copy of the agenda for the meeting will be posted and distributed at least seventy-two (72) hours prior to the meeting. In observance of the Americans with Disabilities Act, please notify us at 650-940-7301 forty-eight (48) hours prior to the meeting so that we may provide the agenda in alternative formats or to make disability related modifications and accommodations.


Agenda: Corporate Compliance/Privacy and Internal Audit Committee, September 23, 2013, Page 2

V. INFORMATIONAL AND POSSIBLE MOTION ITEMS

1. Review Revisions to Committee FY:14 Goals
   ATTACHMENT 2
   Presented by: John Zoglin, Chair, Corporate Compliance Committee
   Action: public comment, motion required
   Time: 5:10 – 5:15

2. Finalized FY:13 Scorecard and proposed key indicators for FY:14
   ATTACHMENT 3
   Presented by: Diane Wigglesworth, Corporate Compliance/Privacy Officer
   Action: information
   Time: 5:15 – 5:20

3. Review FY: 14 Internal Audit Work Plan
   ATTACHMENT 4
   Presented by: Diane Wigglesworth, Corporate Compliance/Privacy Officer
   Action: public comment, motion required
   Time: 5:20 – 5:25

4. Review Enterprise Risk Management Program Development Plan
   ATTACHMENT 5
   Presented by: Diane Wigglesworth, Corporate Compliance/Privacy Officer
   Action: information
   Time: 5:25 – 5:35

VI. ADJOURN TO CLOSED SESSION

1. Conflict of Interest disclosures relating to Items 2-6 on the Closed Session agenda pursuant to the code provisions listed below:
2. Approval of Closed Session Minutes (6/11/13), Govt. Code Section 54957.2; (motion required)
   Information:
   - Health and Safety Code Section 32106(b) for a report involving health care facility trade secrets: Pacing Calendar (information)
   - Conference with legal counsel – pending or threatened litigation - Gov’t. Code Section 54956(d)(2): Compliance and Privacy Logs (information)
3. Health and Safety Code Section 32106(b) for a report involving health care facility trade secrets.
   - Report on IT Security (information)
4. Conference with legal counsel – pending or threatened litigation - Gov’t. Code Section 54956.9(d)(2).
   - Report on Internal Audit Activity (information)
5. Conference with legal counsel – pending or threatened litigation - Gov’t Code Section 54956.9(d)(2).
   - Summary Report on FY:13 Compliance Activity (information)
6. Conference with legal counsel – pending or threatened litigation - Gov’t Code Section 54956.9(d)(2).
   - Report on Compliance and Privacy Program Activity (information)
7. Adjourn to open session

VII. RECONVENE OPEN SESSION
   To report any required disclosures regarding permissible actions taken during Closed Session
   Presented by: John Zoglin, Chair, Corporate Compliance Committee
   Time: 6:51 – 6:53

VIII. CLOSING COMMENTS – Committee Evaluations
   Presented by: John Zoglin, Chair, Corporate Compliance Committee
   Time: 6:53 – 7:05

IX. ADJOURNMENT
   Presented by: John Zoglin, Chair, Corporate Compliance Committee
   Time: 7:05 p.m.

PLEASE NOTE: The CLOSED SESSION is for Corporate Compliance/Privacy and Internal Audit Committee Members and Staff or persons required for a particular agenda item only.


Attachment 1a - Open Session Minutes - 6_11_2013.docx


Draft: Subject to Compliance Committee and Board of Directors Consideration
BN 13425146v2

EL CAMINO HOSPITAL
BOARD of DIRECTORS
CORPORATE COMPLIANCE/PRIVACY and INTERNAL AUDIT COMMITTEE
Meeting – June 11, 2013
MINUTES

The Meeting of the Compliance/Privacy and Internal Audit Committee of the Board of Directors of El Camino Hospital (the “Committee”) was called to order by Chair David Reeder at 4:05 p.m. on Tuesday, June 11, 2013, Conference Room E at El Camino Hospital.

I. CALL TO ORDER

Roll call was taken. Committee members David Reeder, Wesley Alles, Dennis Chiu, Ramy Houssaini, Sharon Anolik Shakked and Christine Sublett were present.

II. POTENTIAL CONFLICT OF INTEREST DISCLOSURES

Director Reeder asked if any Committee member had a conflict of interest. None was reported.

III. CONSENT CALENDAR

Director Reeder asked if there were any consent calendar items, changes or corrections to the minutes of April 9, 2013. There were no changes proposed. A motion to approve the consent calendar was made by Committee member Chiu and seconded by Committee member Sublett and approved by a vote of six Committee members in favor to approve the minutes of the meeting of April 9, 2013.

IV. INFORMATIONAL ITEM

A. Review Revisions to Committee Charter

Committee member Sublett suggested adding a provision to address IT security oversight to the Committee Charter, commenting that there is currently no reference to this in the Charter. Diane Wigglesworth asked if such a provision would first need to go to the Governance Committee, and it was determined that it would not.

Committee member Ramy questioned the use of the word “ensure” on page 3 of the Charter in reference to the Committee’s advisory role for Enterprise Risk Management reporting, and the Compliance Committee suggested substituting the word “oversee”. Ms. Wigglesworth indicated she would incorporate the changes and submit the revised charter to the Governance Committee for approval.

A motion was made by Committee member Shakked, seconded by Committee member Houssaini, and adopted by a vote of six Committee members to accept the charter as amended, with a provision addressing information security added to the Charter.


B. Review FY: 14 Internal Audit Risk Assessment and Audit Plan

Alex Robison, from Protiviti, briefly reviewed the internal audit risk assessment performed, which resulted in recommendations for a FY: 2014 audit plan. His presentation materials included a map depicting the 25 highest rated risks based on survey results and feedback from staff interviews.

Tomi Ryba stated that she is aware that ECH may have about 5% of all patients’ medical records erroneously duplicated in the system when one patient is associated with more than one medical record number, and is surprised that we don’t have a maintenance program to address this. Mike King responded that we do not yet have a fully integrated EMR, and clean-up will need to be done. Ms. Ryba commented that the map depicts “a lot of activity for FY 2014”. Ms. Wigglesworth indicated that she will take comments from the Executive Team and come back with a revised audit plan for committee approval.

Committee member Chiu asked why IT disaster recovery was not a priority. It was pointed out that a comprehensive Business Continuity/Disaster Recovery audit was completed in 2011 and management had developed a five year action plan regarding the audit findings. Chair Reeder suggested presenting a look-back of completed audits compared to past risk maps for the Committee’s review. Ms. Wigglesworth indicated that at the next meeting she will present information regarding historical audits completed to ensure that past efforts are not duplicated with the proposed FY14 audits.

C. Enterprise Risk Management and Policy Oversight

Ms. Wigglesworth handed out for review a potential Enterprise Risk Dashboard, indicating that her goal is not to create a dashboard with a lot of metrics but to capture key organizational risks that will identify business and strategic risks. At the next meeting she will present a more refined dashboard for committee feedback. Committee members Chiu and Sublett agreed to send Ms. Wigglesworth their ideas on other metrics that should be included.

Committee member Ramy suggested traceability between metric indicators and performance. Ms. Wigglesworth indicated she is in the process of validating the current review and approval process for administrative policies. It was recommended regarding policy oversight that Ms. Wigglesworth bring back a summary of the current state to address “what is the process?” and “what are we required to review?”

D. Corporate Compliance Scorecard

Ms. Wigglesworth reviewed the corporate compliance scorecard. She noted that the Committee remains on track, meeting key performance indicators in all areas with the exception of new managers receiving additional compliance training within 90 days of start date, which is currently tracking at 90% of goal. Committee members suggested to Ms. Wigglesworth some additional modifications and changes to the scorecard to be considered for the next fiscal year.


V. ADJOURN TO CLOSED SESSION

Upon motion duly made by Committee member Sublett, seconded by Committee member Chiu, and approved by a vote of six Committee members in favor, none opposed, the Open Session of the meeting was adjourned to Closed Session at 4:45 p.m. pursuant to Gov’t Code Section 54957.2 to consider and approve the Consent Calendar (the Closed Session minutes of April 9, 2013), and pursuant to Gov’t Code Section 54956.9(d)(2) for two conferences with legal counsel, and pursuant to Health and Safety Code Section 32106(b) for one conference with legal counsel.

VI. CLOSED SESSION

The Committee completed its business of the Closed Session at 6:06 p.m.

VII. RECONVENE OPEN SESSION

The Committee reconvened to Open Session at 6:06 p.m.

PUBLIC COMMUNICATION

There were no comments.

VIII. CLOSED SESSION REPORTS

Reeder reported that the closed session minutes of the April 9, 2013 meeting were approved by a vote of six Committee members in favor.

IX. CLOSING COMMENTS.

There being no further business, the meeting was adjourned at 6:07pm.

David Reeder
Chair, ECH Compliance/Privacy and Internal Audit Committee

Attest as to the approval of the foregoing minutes by the Corporate Compliance/Privacy and Internal Audit Committee and by the El Camino Hospital Board of Directors.

David Reeder
ECH Board Secretary


Attachment 1b - NPP Revisions with Cover Memo.pdf


Corporate Compliance
Date: September 16, 2013
To: Corporate Compliance/Privacy and Internal Audit Committee
From: Diane Wigglesworth
Re: Revisions to NPP and BAA

The U.S. Department of Health and Human Services (HHS) has recently moved to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Accordingly, more stringent requirements have been added to the HIPAA/HITECH rule. The new revisions will enhance patients’ privacy protections, provide individuals new rights to their health information, and strengthen the government’s ability to enforce the law. Many of the changes expanded requirements to business associates and covered entities that receive protected health information, such as contractors and subcontractors.

On September 23, 2013 HHS will begin enforcing the revised HIPAA/HITECH rules. Attached for information only are revisions the hospital has made to our Notice of Privacy Practice (NPP) and Business Associates Agreement (BAA) in order to comply with the new regulations.

The revisions to the NPP have been highlighted in red. The hospital posts the NPP on the ECH website, distributes it to new patients, and retains receipt of an acknowledgment.

The BAA was significantly modified and for ease of review I have included only the final version. The changes to the BAA have expanded the reporting and security responsibilities of the business associates and their subcontractors, including increasing liability for HIPAA violations. The hospital executes a BAA for all contractual arrangements that involve the receipt or transmission of protected health information.


Attachment 1b.2 - Notice of Privacy Practices August 2013.docx


BN 14429379v3

NOTICE OF PRIVACY PRACTICES
Date of Adoption: August ___, 2013

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

If you have any questions about this Notice, please contact the El Camino Hospital Privacy Officer, or designee, by dialing the main Hospital number at (650) 940-7300 or by leaving a message on the Corporate Compliance Hotline at (650) 988-7733.

Each time you visit a hospital, physician, or other health care provider, a record of your visit is made. Typically, this record contains your symptoms, examination and test results, diagnoses, treatment, a plan for future care or treatment, and billing-related information (“protected health information”). This Notice applies to all of the records of your care generated by the Hospital whether made by Hospital personnel, contractors of the Hospital, or your doctor. Your doctor may have different policies or notices regarding the doctor’s use and disclosure of medical information created in the doctor’s office or clinic.

OUR RESPONSIBILITIES

We are required by law to maintain the privacy of your protected health information, to provide you with a description of our privacy practices and legal duties with respect to your protected health information and to notify affected individuals following a breach of unsecured protected health information.

This Notice covers the privacy practices of all health care professionals, employees, contract staff, students and volunteers for El Camino Hospital, including all of its specialty units located on or off of its campus, such as Evergreen Dialysis Center, Rose Garden Dialysis Center, Cardiopulmonary Wellness Center, Hospital Drive Radiology, Maternal Connections, etc. Within this Notice, a reference to the Hospital may also include the independent and group physician practices who provide services in the emergency room, radiology department, laboratory, anesthesiology and other service areas.

When the Hospital provides health care to you, we share your protected health information with these and other physicians as necessary to perform treatment, to obtain payment or to carry out operational activities.

Whenever we use or disclose your protected health information, we are required to abide by the terms of this Notice of Privacy Practices. Please sign and return at your earliest convenience the “Acknowledgment of Receipt” form which will acknowledge your receipt of this Notice.


USES AND DISCLOSURES

A. How We May Use and Disclose Health Information About You (No Authorization Required)

For Treatment: We may use your protected health information to provide treatment or services to you. We may disclose your protected health information to doctors, nurses, technicians, medical students, or other Hospital personnel who are involved in taking care of you at the Hospital. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. Different departments of the Hospital also may share your protected health information to coordinate the different things you may need, such as prescriptions, lab work, meals, and x-rays.

We may also share protected health information with your designated primary care physician (“PCP”) or other subsequent health care provider in order for him or her to treat you once you are discharged from the Hospital. This information may be shared electronically, in a restricted, secure format.

For Payment: We may use and disclose medical information about your treatment and services to bill and collect payment from you, your insurance company, health plan or another third party payer (“Plan”). For example, we may need to give your Plan information about your surgery so they will pay us or reimburse you for the treatment. We may also inform your Plan about the treatment you are going to receive to determine whether your Plan will cover it.

For Health Care Operations: We will also use your protected health information to assist in running our operations. Members of the Medical Staff and/or a quality improvement team may use information in your health record to assess the care and outcomes in your case and others like it. The results will then be used to continually improve the quality of care for all patients we serve. For example, we may combine medical information about many patients to evaluate the need for new services or treatment. We may disclose information to doctors, nurses, and health care students for educational purposes. And we may combine medical information we have with that of other hospitals to determine where we can make improvements. We may remove information that identifies you from this set of medical information to protect your privacy.

We may also use and disclose your protected health information:

- To our business associates who we contract with to perform services;
- To assess your satisfaction with our services;
- To contact you as part of the Hospital’s fundraising efforts (except Behavioral Health patients). You have the right to opt out of receiving any such communications;
- For population-based activities relating to improving health or reducing health care costs; and
- For conducting training programs or reviewing the competence of health care professionals.

To Business Associates: Some services are provided to us or on our behalf through contracts with third parties (“Business Associates”). For example, we may disclose your protected health information to a copy service we use when making copies of your health record or to a consultant who performs utilization reviews for the Hospital. When these services are contracted, we may disclose your protected health information to our Business Associates so that they can perform the duties we have asked them to do or to bill you or your Plan for the services rendered. To protect your protected health information, however, we require our Business Associates to appropriately safeguard your information.

For Fundraising Activities (except Behavioral Health Patients): We may disclose limited information about you (such as your name, address, telephone number and the dates you received services at the Hospital) to raise money on behalf of the Hospital. This limited disclosure permits contact with you in an effort to expand and support the health care services we offer, the educational programs we provide to the community, and the research we conduct to find cures for life-threatening diseases. If you are contacted by the El Camino Foundation, you have the right to be excluded from further contact by making a written request to the El Camino Hospital Foundation.

For Hospital Patient Directory (except Behavioral Health Patients): We may include certain limited information about you in the Hospital patient directory while you are a patient at the Hospital. The information may include your name, location in the Hospital, your general condition (e.g., good, fair, etc.) and your religious affiliation. This information may be provided to members of the clergy even if they do not ask for you by name and, except for religious affiliation, to other people who ask for you by name. If you would prefer not to be listed in the Hospital patient directory, please request the “Request to Withhold Public Release of Information” form from the admission staff.

To Individuals Involved in Your Care or Payment for Your Care: Unless you instruct us otherwise, we may, in our professional judgment, use or disclose your protected health information to a family member, other relative, a friend or any other person identified by you who is involved in your medical care or who helps pay for your care (including your Plan). In an emergency situation or in the event of your incapacity, we may exercise our professional judgment to determine whether a disclosure to a particular person is in your best interest. We will disclose only the information that we believe is directly relevant to the person’s involvement with your health care or payment for your care. In addition, we may disclose your protected health information to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.

For Research if Certain Conditions are Satisfied: We may use or disclose protected health information for research purposes if we remove certain information that may directly identify you such as your name, telephone number, Social Security number, medical record number and account number. We may also disclose information to researchers when an institutional review board (“IRB”) has reviewed the research proposal, established protocols to ensure the privacy of your protected health information and has approved their research. Unless an IRB has issued a waiver of authorization, we will almost always ask for your written permission (“Authorization”) before a researcher will have access to your name, address or other information that already reveals who you are. In certain cases, prior to commencement of a study or prior to your enrollment as a subject in a study, your personal health information may be disclosed without your Authorization on a limited basis to further the Hospital’s research mission. For example, we may disclose medical information about you to people preparing to conduct a research project – to help researchers identify patients with specific medical conditions and/or to assess the viability of a research idea (subject recruitment and reviews preparatory to research) – so long as the medical information they review does not leave the Hospital.

For Organized Health Care Arrangement: El Camino Hospital and the independent and group physician practices with which the Hospital are presenting you this Notice as a joint Notice. Protected health information will be shared as necessary to carry out treatment, payment and health care operations. Physicians and caregivers may have access to protected health information in their offices to assist in reviewing past treatment as it may affect your current treatment.

To Affiliated Covered Entity: Caregivers at other facilities may have access to protected health information at their locations to assist in reviewing past treatment information as it may affect your current treatment. Please contact the Privacy Officer, or designee, for further information on the specific sites included in this affiliated covered entity.

As Required or Permitted by Law: We will use or disclose your protected health information if we are required or permitted by law to do so, including the following:

Public Health Activities: We may disclose your protected health information for authorized public health activities: to public health officials to prevent or control disease, injury or disability; to the U.S. Food and Drug Administration (“FDA”) as required or permitted by the FDA; and to report to your employer as required under laws addressing work-related illnesses and injuries or workplace medical surveillance.

Victims of Abuse, Neglect or Domestic Violence: If we reasonably believe you are a victim of abuse, neglect or domestic violence, we may disclose your protected health information to a governmental authority, including a social services or protective services agency, authorized by law to receive reports of such abuse, neglect or domestic violence.

For Health Oversight Activities: We may disclose your protected health information to a health oversight agency that oversees the health care system and is charged with responsibility for ensuring compliance with the rules of government health programs such as Medicare or Medicaid or licensing and similar authorities.

To Law Enforcement Officials: We may disclose your protected health information to the police or other law enforcement officials in certain limited, allowable circumstances or in compliance with a warrant, a court order or a grand jury or an administrative subpoena.

For Legal Proceedings: We may disclose your protected health information in the course of a judicial or administrative proceeding in response to: (1) a court order; (2) a legally-valid order or warrant issued by a state or federal authority, administrative agency or licensing board; and (3) a subpoena, discovery request, or other lawful process in a third party action but only after efforts have been made to notify you that your protected health information is being sought so that you can obtain an order protecting the information requested.

Decedents: We may disclose your protected health information to a coroner, a medical examiner or a funeral director.

Organ & Tissue Procurement: We may disclose your protected health information to entities engaged in procurement, banking or transplantation of cadaveric organs, eyes or tissue for purposes of facilitating donation and transplantation.

Health or Safety: We may use or disclose your protected health information to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of others.

Specialized Government Functions: We may use and disclose your protected health information to units of the government with special functions, such as the U.S. military, the U.S. Department of State, under certain circumstances, and correctional institutions.

Worker’s Compensation: We may disclose your protected health information as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs.

Limitations: There are special restrictions on the disclosure of health information relating to HIV/AIDS status, mental health treatment, developmental disabilities, and drug and alcohol abuse treatment. We comply with these restrictions in our use of your protected health information.

B. Uses and Disclosures Requiring Your Written Authorization

Marketing Activities (Marketing Authorization): We must also obtain your written authorization prior to using your protected health information to send you any marketing materials (“Marketing Authorization”).

However, no Marketing Authorization is required for the following informational communications (except Behavioral Health Patients): (1) information about health-related products or services we provide; (2) information about services or products relating to your treatment; (3) information about services or products for purposes of case management, or care coordination, or to recommend alternative treatments, therapies, providers or care settings; (4) to provide you with marketing materials in a face-to-face encounter; and (5) to give you a promotional gift of nominal value.

Marketing, if authorized, or informational communications may be sent to you by e-mail or by regular mail using information you provide us at registration.


Highly Confidential Information: Federal and state laws require special privacy protections for certain highly sensitive information about you (“Highly Confidential Information”), including the subset of your protected health information that: (1) is maintained in psychotherapy notes; and (2) relates to alcohol and drug abuse prevention, treatment and referral. For purposes other than those permitted or required by law, we must obtain your written authorization in order for us to disclose your Highly Confidential Information.

C. Other Uses of Protected Health Information

Other uses and disclosures of protected health information not covered by this Notice or the laws that apply to us will be made only with your written authorization. If you authorize us to use or disclose your protected health information, you may revoke that authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose your protected health information for the reasons covered by your written authorization. You understand that we are unable to take back any uses or disclosures we have already made in reliance on the authorization, and that we are required to retain our records of the care that we provided to you.

D. Reporting and Disclosure Duties.

We are required by law to notify you if there has been improper access to your unsecured protected health information and there is a significant risk of financial, reputational, or other harm.

HOW YOU CAN ACCESS AND CONTROL YOUR PROTECTED HEALTH INFORMATION

The following describes the actions you may take with respect to your protected health information that we maintain.

Inspect and Copy: You may ask to inspect and to obtain a copy of your protected health information that may be used to make decisions about you and your treatment so long as we maintain this information in our records. Usually, this includes medical and billing records. Under federal law, however, you may not inspect or copy the following: (1) psychotherapy notes; (2) information compiled in reasonable anticipation of, or use in, legal proceedings; or (3) information subject to a federal law that prohibits access to protected health information. We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to your protected health information, you may request that the denial be reviewed in some situations. We will comply with the outcome of the review.

If you request a copy of your protected health information, we may charge a fee for the cost of copying, mailing, or other supplies we use to fulfill your request. If you wish to make a request, you may obtain a request form from, or submit your detailed request in writing, including the protected health information you are requesting access to and the relevant dates, to the Health Information Management Services Department.

Amendment: If you feel that your protected health information is incorrect or incomplete, you may ask us to amend the information so long as the information is kept by or for the Hospital. We may deny your request for an amendment and if this occurs, you will be notified of the reason for the denial. If you wish to make a request, you may obtain a request form from, or submit your detailed request in writing, to the Health Information Management Services Department. You must include your reasons for the request.

Accounting of Disclosures: You may request an accounting of disclosures. This is a list of certain disclosures we made of your protected health information for purposes other than treatment, payment or health care operations during any time period prior to the date of your request provided: (1) the period does not exceed six years or include any date before April 14, 2003; or (2) disclosures made for treatment, payment, health care operations and certain other limited purposes will not be included. If you wish to make a request, you may obtain a request form from, or submit your detailed request in writing, to the Health Information Management Services Department.

The first accounting you request within a 12-month period is free of charge. For additional accounting(s), we may charge you for the costs of providing the accounting(s). We will notify you of the cost involved in advance; you may choose to withdraw your request at that time before any cost is incurred.

Request Additional Restrictions: You may request a restriction or limitation on our use or disclosure of your protected health information for purposes of treatment, payment or health care operations. You may also request a limit on your protected health information we disclose to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information about a surgery that you had. We are not required to agree to your request except if the restriction pertains to payment or health care operations related to a service you have paid in full without any Plan contribution. Even if disclosure is restricted, the Hospital may disclose if required by law. If we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment. If you wish to make a request, you must submit your detailed request in writing, to your care provider or to the Privacy Officer, or designee, using the “Request to Restrict Use Or Disclosure of Protected Health Information” form available at the Health Information Management Services department.

Request Confidential Communications: You may request that we communicate with you about medical matters in a certain way or at a certain location. For example, you may ask that we contact you at work or by U.S. Mail. We will accommodate reasonable requests for confidential communications at alternative locations and/or via alternative means only if the request is submitted in writing to your care provider or to the Privacy Officer and the written request includes a mailing address where you will receive bills for services rendered by the Hospital and related correspondence regarding payment for services. Please realize, we reserve the right to contact you by other means and at other locations if you fail to respond to any communication from us that requires a response. We will notify you in accordance with your original request prior to attempting to contact you by other means or at another location.

A Paper Copy of This Notice: You may obtain a paper copy of this Notice, even if you have agreed to receive this Notice electronically. You may request a copy of this Notice at any time. You may also obtain a copy of this Notice at our web site www.elcaminohospital.org.


CHANGES TO THIS NOTICE

We reserve the right to change this Notice at any time and the revised Notice will be effective for all of the protected health information we already have about you as well as any information we receive in the future. The revised Notice will be effective for all protected health information that we maintain as of the effective date of such revised Notice, even if we collected or received the protected health information prior to the revised Notice’s effective date. The most current Notice will be posted in the Hospital and will include the date of adoption. In addition, each time you register at or are admitted to the Hospital for treatment or health care services as an inpatient or outpatient, we will offer you a copy of the current Notice in effect. We will also post a copy of the current Notice on our web site www.elcaminohospital.org.

COMPLAINTS

If you believe your privacy rights have been violated, you may file a complaint with the Hospital’s Privacy Officer. To obtain information or be contacted by the Privacy Officer, or designee, you may leave a message on the Corporate Compliance Hotline, or you may call Administration at 650-940-7300. You may file a complaint by contacting the Secretary of the U.S. Department of Health and Human Services. All complaints must be submitted in writing. You will not be penalized for filing a complaint.

STATE SPECIFIC REQUIREMENTS

Many states, including California, have requirements for reporting including population-based activities relating to improving health or reducing health care costs. Some states have separate privacy laws that may apply additional legal requirements. If the California law is more stringent than the federal law, the California law will preempt the federal law.

PRIVACY OFFICER

The Hospital Privacy Officer, or designee, may be reached by dialing the main Hospital number at (650) 940-7300. Or you can leave a message on the Corporate Compliance Hotline (650) 988-7733 for a return call from the Privacy Officer, or designee.

Attachment 1c - Business Associate Agreement - El Camino Hospital Sept 2013.docx

BN 14835735v2

HIPAA BUSINESS ASSOCIATE AGREEMENT

EL CAMINO HOSPITAL

This HIPAA Business Associate Agreement (this “Agreement”) is effective as of the ___ day of _______ (the “Effective Date”), by and between ______________, a _______ ___________ (“Contractor”) and El Camino Hospital, a California nonprofit public benefit corporation (“ECH”, Contractor and ECH are referred to collectively as “parties” and individually as a “party”). Terms used herein shall have the meanings assigned or referred to in Schedule A of this Agreement.

RECITALS

A. Contractor and ECH have entered into that certain [INSERT TITLE OF SERVICES AGREEMENT] (the “Services Agreement”) effective as of ________ __, _____, pursuant to which Contractor has agreed to perform certain services for ECH (the “Services”).

B. In connection with the Services, ECH may need to disclose to Contractor, or Contractor may need to create, receive, maintain or transmit on behalf of ECH, certain Protected Health Information (“PHI”) and Electronic Protected Health Information (“Electronic PHI”). ECH is a Covered Entity and, as a result of the Services Agreement, Contractor is a Business Associate of ECH.

C. ECH and Contractor desire to enter into this Agreement to reflect their mutual understanding of the use, disclosure and general confidentiality obligations of Contractor in connection with the delivery of the Services, as well as for ECH and Contractor to comply with (a) the requirements of the Administrative Simplification provisions of Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996, as amended by any other statute, rule and/or regulation, including Division A, Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5), otherwise known as the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), and the regulations set forth in Title 45 of the Code of Federal Regulations (“45 C.F.R.”) Parts 160 and 164, subparts A and E (the “Privacy Rule”), 45 C.F.R. Part 164, subparts A and C (the “Security Rule”) and the HIPAA Omnibus Rule, 78 Fed. Reg. 5566-5702 (Jan. 25, 2013) (collectively, the “HIPAA Rules”) and (b) other applicable laws including, but not limited to, (i) Confidentiality of Medical Information Act of 1981, California Civil Code Sections 56 et seq. (General Patient Medical Records); (ii) California Welfare & Institutions Code Sections 5328.6 and 5328.7 (Mental Health Records); (iii) California Civil Code Section 1798.80 et seq. (Data Breach Notification); and (iv) 42 U.S.C. Sections 290dd-2 and 42 C.F.R. Part 2, Section 2.31 (Alcohol and Drug Abuse Records) (together (b)(i) to (b)(iv) are referred to as “Other Privacy Rules”).

AGREEMENTS

NOW, THEREFORE, for adequate consideration as described in the Services Agreement and this Agreement, the receipt and sufficiency of which are hereby acknowledged by each party, the parties mutually agree as follows:


1. Permitted Uses and Disclosures.

1.1 Permitted Uses. Except as otherwise limited by the terms of the Services Agreement or this Agreement, Contractor may use or disclose PHI as necessary to perform the Services set forth in the Services Agreement, as required by law, or [Insert any specific function from the Services Agreement]__________.

1.2 Certain Further Disclosures. Contractor shall not use or further disclose PHI in a manner that would violate 45 C.F.R. Part 164, subpart E if done by ECH, except that Contractor shall be permitted to use and disclose PHI for the proper management and administration of Business Associate, and to carry out the Contractor’s legal responsibilities, provided that such disclosure either is required by law or Contractor obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person agrees to notify Contractor of any instances of which it is aware in which the confidentiality of the PHI has been breached.

1.3 Certain Data Aggregation. Data aggregation services, provided that Contractor has received ECH’s prior written authorization to provide data aggregation services, and the purpose of such data aggregation is to provide ECH with data analyses relating to the health care operations of ECH.

1.4 De-Identification. De-identification of PHI on behalf of ECH, provided that Contractor has received ECH’s prior written authorization to de-identify PHI, and such de-identification conforms to the requirements of the HIPAA Rules.

2. Required Uses and Disclosures. Contractor is required to disclose PHI as required by law, or to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1). Before Contractor makes such a disclosure, Contractor shall provide ECH with three (3) business days’ advance written notice. ECH shall pay all of the costs and expenses incurred by ECH in connection with any attempt to prevent disclosure or limit the scope of any such disclosure, and Contractor agrees that it will cooperate with and not unreasonably interfere with the actions ECH takes in connection therewith.

3. Prohibited Uses and Disclosures.

3.1 Further Use and Disclosure. Contractor shall not use or further disclose the PHI other than as permitted or required by this Agreement, or as required by law.

3.2 Fundraising and Marketing. Contractor shall not use or disclose PHI for fundraising or marketing purposes, unless Contractor obtains the prior written authorization of ECH and such use or disclosure is consistent with the requirements of 45 C.F.R. §§ 164.514(f) and 164.508(a)(3).

3.3 Certain Disclosure to Health Plans. Contractor shall not disclose PHI to a health plan for payment or health care operations purposes if Contractor has received written notice from the individual or ECH that the individual has requested this restriction and has paid out of pocket in full for the health care item or service to which the PHI solely relates, as required by 45 C.F.R. § 164.522.

3.4 No Transfer for Remuneration. Contractor shall not directly or indirectly receive remuneration in exchange for PHI, unless Contractor obtains the prior written authorization of ECH.

3.5 No Offshoring. No PHI shall be transferred to, or stored on servers at, any location outside of the United States.

4. Additional Obligations of Contractor.

4.1 Minimum Necessary. Contractor will, in its performance of the Services, make reasonable efforts to use, disclose and request of ECH only the minimum amount of PHI reasonably necessary to accomplish the intended purpose of the use, disclosure or request.

4.2 Information Safeguards. Throughout the term of this Agreement, Contractor shall have in place appropriate administrative, technical and physical safeguards to protect the privacy of PHI, and shall reasonably safeguard PHI (1) from any intentional or unintentional non-permitted use or disclosure violative of the Privacy Rule and (2) to limit incidental uses or disclosures made pursuant to an otherwise permitted or required disclosure.

4.3 Subcontractors and Agents. Contractor shall require its subcontractors and agents, if any, to whom Contractor is permitted in writing by ECH to disclose PHI and whom Contractor authorizes to receive, maintain or transmit PHI on behalf of Contractor, to provide satisfactory assurances, as set forth in a written contract, that the subcontractor or agent agrees to the same restrictions, conditions and safeguard obligations as apply to Contractor under this Agreement. Contractor acknowledges that any failure of any subcontractor or agent of Contractor to adhere to the requirements of this Agreement shall be deemed a breach of such requirement by Contractor.

4.4 Compliance with Security Rule. Contractor agrees to implement appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of any Electronic PHI that it creates, receives, maintains or transmits on behalf of ECH. Contractor shall further (1) identify and respond to suspected or known security incidents; (2) mitigate, to the extent practicable, the harmful effects of security incidents that are known to Contractor; (3) document security incidents and their outcomes; and (4) report each security incident and the aggregate number of security incidents to ECH, provided that such reports will be provided only as frequently as the parties mutually agree, but no more than once per month.

4.5 Access. Contractor will, within ten (10) business days following ECH’s request, make available to ECH or, at ECH’s direction, to an individual (or the individual’s personal representative) for inspection and obtaining copies of, PHI about the individual that is in Contractor’s custody or control, so that ECH may meet its access obligations under 45 C.F.R. § 164.524. If ECH instructs Contractor to respond on its behalf to a request for an electronic copy of PHI, and the PHI that is the subject of the request is maintained by Contractor electronically in one or more designated record sets, Contractor shall respond to such request in accordance with 45 C.F.R. § 164.524(c)(2)(ii). Further, Contractor shall respond in accordance with 45 C.F.R. § 164.524(c)(3)(ii) to requests for the transmission of copies of PHI to another person designated by the requesting individual, if ECH instructs Contractor to respond on its behalf to such request.

4.6 Amendment. Contractor will, upon receipt of written notice from ECH, promptly amend, or at the request of ECH permit ECH access to amend, any portion of the PHI, so that ECH may meet its amendment obligations under 45 C.F.R. § 164.526.

4.7 Record and Documentation of Disclosure. Contractor shall maintain a record of and document all disclosures of PHI by Contractor permitted by the terms of the Agreement as would be required for ECH to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Such documentation shall include, but not be limited to the date of the disclosure; the name and, if known, the address of the recipient of the PHI; a brief description of the PHI disclosed; and the purpose of the disclosure or a copy of the written request for disclosure, if any, under 45 C.F.R. § 164.502(a)(2)(ii) (relating to a compliance investigation by the Secretary) or for one of the purposes set forth in 45 C.F.R. § 164.512. Contractor shall make such record available to ECH upon request.

4.8 Accounting. Within thirty (30) days of notice by or on behalf of ECH to Contractor that ECH has received a request for an accounting of disclosures of PHI, Contractor shall make available to ECH that information collected in accordance with Section 4.7 (“Record and Documentation of Disclosure”) of this Agreement, to permit ECH to respond to the request in accordance with 45 C.F.R. § 164.528.

4.9 Breach of Privacy Obligations. Contractor will report to ECH in writing any use or disclosure of PHI not permitted by this Agreement, including the breach of unsecured PHI. Unless a law enforcement delay applies pursuant to 45 C.F.R. § 164.412, Contractor will notify ECH’s Privacy Officer not more than five (5) calendar days after Contractor discovers such non-permitted use or disclosure, or breach of unsecured PHI. For purposes of this Agreement, a breach of unsecured PHI is treated as discovered by Contractor on the first day on which such breach becomes known to Contractor or, by exercising reasonable diligence, would have been known to Contractor. Contractor shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known to any person (other than the person committing the breach) who is an employee, officer or other agent of Contractor. The notification provided by Contractor shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used or disclosed during the breach. Contractor shall also provide ECH with any other available information that ECH is required to include under 45 C.F.R. § 164.404(c) at the time of the notification or promptly thereafter as information becomes available.

4.10 Audit and Inspection. Contractor will make its internal practices, books, and records relating to its use and disclosure of PHI and Electronic PHI available to ECH and to the Secretary to determine compliance with the HIPAA Rules. Contractor acknowledges and agrees that its failure to provide ECH with access to such records shall constitute a material breach of this Agreement and shall subject this Agreement to termination by ECH under Section 6.2.

4.11 Other Privacy Rules. Contractor shall comply with the Other Privacy Rules.


5. Obligations of ECH.

5.1 ECH shall notify Contractor of any limitation(s) in the Notice of Privacy Practices of ECH under 45 C.F.R. § 164.520, to the extent that such limitation may affect Contractor’s use or disclosure of PHI.

5.2 ECH shall notify Contractor of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Contractor’s use or disclosure of PHI.

5.3 ECH shall notify Contractor of any restriction on the use or disclosure of PHI that ECH has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Contractor’s use or disclosure of PHI.

5.4 ECH shall not require Contractor to use or disclose PHI in any manner that would not be permissible under 45 C.F.R. Part 164, subpart E if done by ECH, except as permitted in Section 1(b).

6. Term and Termination of Agreement.

6.1 Term. This Agreement shall be effective as of the Effective Date. It shall terminate when the Services Agreement terminates or as provided in this Agreement.

6.2 Right to Terminate for Cause. Either party may terminate this Agreement if it determines, in its sole discretion, that the other party has breached any material provision of this Agreement and the breaching party has not cured the breach within the time specified by the non-breaching party. A party may exercise its right to terminate this Agreement by providing the other party five (5) calendar days’ written notice of termination, stating the breach of this Agreement that provides the basis for the termination. Any termination pursuant to this Section 6(b) will be effective immediately upon the expiration of such five (5) day period or at such other date specified in the notice of termination and shall terminate the Services Agreement, unless expressly agreed otherwise by the parties.

6.3 Breach Pattern or Practice by Agent or Subcontractor. If Contractor knows of a pattern of activity or practice of its agent or subcontractor that constitutes a material breach or violation of the subcontractor’s obligation under its contract or other arrangement with Contractor, Contractor shall take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, terminate the contract or arrangement, if feasible.

6.4 Breach Pattern or Practice by ECH. Contractor shall provide written notice to ECH of any pattern of activity or practice of ECH that Contractor believes constitutes a material breach or violation of ECH’s obligations under the HIPAA Rules within five (5) business days of discovery and shall meet with ECH to discuss and attempt to resolve the problem or end the violation.

6.5 Amendment to Comply with Law. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary to comply with the requirements of the HIPAA Rules and any other applicable law, rules, or regulations that might modify the terms and conditions herein.

6.6 Termination of this Agreement. Any and all rights of Contractor to use and disclose any PHI as set forth herein shall terminate upon termination or other conclusion of this Agreement. Any and all obligations of Contractor with respect to PHI shall continue for the periods set forth in Section 6.7.

6.7 Obligations of Contractor Upon Termination.

6.7.1 Return or Destruction of PHI. Upon termination or other conclusion of this Agreement, Contractor will (a) retain only that PHI which is necessary for Contractor to continue its proper management and administration or to carry out its legal responsibilities; (b) return to ECH or, if agreed to by ECH, destroy all PHI in whatever form or medium, including all copies thereof and all data, compilations, and other works derived therefrom, including any such works that allow identification of any individual who is a subject of PHI; (c) require every subcontractor or agent to which Contractor has disclosed any PHI to return to Contractor (so that Contractor may return it to ECH) or destroy all PHI in whatever form or medium received from Contractor, including all copies thereof and all data, compilations, and other works derived therefrom that allow identification of any individual who is a subject of PHI; (d) certify on oath to Contractor that all such information has been returned or destroyed; and (e) Contractor will complete these obligations as promptly as possible, but not later than sixty (60) calendar days following the effective date of the termination of this Agreement.

6.7.2 Continuing Obligations of Contractor. For as long as Contractor retains Electronic PHI pursuant to Section 6.7.1 above, Contractor shall continue to use appropriate safeguards and comply with 45 C.F.R. Part 164, subpart C, to prevent any use or disclosure of PHI other than as provided for in this Section 6.7.

6.7.3 Continuing Indemnification Obligation. Contractor’s obligations to indemnify ECH and to protect the privacy and confidentiality of PHI, as provided in this Agreement, will be continuous and will survive termination or other conclusion of this Agreement or the Services Agreement.

7. Indemnification.

7.1 Indemnification of ECH. Contractor will defend, indemnify and hold harmless ECH and its affiliates and each of their respective directors, officers, members, shareholders, managers, partners, employees, agents, successors and assigns from and against any and all claims, causes of action, suits, liabilities, demands, losses, damages, costs, proceedings or expenses of all kinds, including costs, expenses, fines, amounts paid in settlements or judgments, reasonable attorneys’ fees, witnesses’ fees, investigation expenses, and any expenses incident thereto (collectively, “Losses”), arising out of or in connection with (a) any non-permitted use or disclosure of PHI or breach of unsecured PHI by Contractor or any subcontractor or agent of Contractor or (b) any breach of this Agreement by Contractor, or any breach by a subcontractor or agent of Contractor of a business associate agreement with Contractor.


7.2 Indemnification of Contractor. ECH will defend, indemnify and hold harmless Contractor and its directors, officers, shareholders, managers, partners, employees, agents, successors and assigns from and against any and all Losses arising out of or in connection with (a) any non-permitted use or disclosure of PHI or breach of unsecured PHI by ECH or any subcontractor or agent of Contractor or (b) any breach of this Agreement by ECH.

7.3 Indemnification Procedure. If any demand or claim is made or suit is commenced against one of the parties (“Indemnitee”), written notice of such demand, claim or suit shall be provided to the other party (“Indemnitor”), within three (3) business days of receipt. Failure to give such notice within the time required shall not relieve Indemnitor of its obligations hereunder except to the extent the failure of notice has prejudiced the defense of such claim. Indemnitor shall defend a claim with counsel satisfactory to Indemnitee in Indemnitee’s reasonable opinion and Indemnitee shall cooperate fully in such defense. No settlement by Indemnitor shall be binding upon Indemnitee without Indemnitee’s prior written consent. Notwithstanding the foregoing, if Indemnitor fails to assume its obligation to defend Indemnitee or if there is a conflict of interest which prevents Indemnitor from assuming its obligation to indemnify Indemnitee in accordance with this Section 7.3, Indemnitee may assume its own defense to protect its interests and Indemnitor shall reimburse the Indemnitee on a monthly basis for any expenses reasonably incurred by Indemnitee in connection with the investigation and defense of any such claim.

8. Representations and Warranties of Contractor Regarding Electronic PHI Security Standards. Contractor hereby represents and warrants to ECH that:

8.1 Administrative Safeguards. Contractor has, as of the Effective Date, (a) implemented policies and procedures to prevent, detect, contain, and correct security violations in accordance with the implementation specifications set forth at 45 C.F.R. § 164.308(a)(1)(ii); (b) identified a security official who is responsible for the development and implementation of the policies and procedures required by 45 C.F.R. Part 164, subpart C “Security Standards for the Protection of Electronic PHI” (the “Electronic PHI Security Standards”); (c) implemented policies and procedures to ensure appropriate access to Electronic PHI by its employees in accordance with the implementation specifications set forth in 45 C.F.R. § 164.308(a)(3)(ii), agents or representatives as provided under 45 C.F.R. § 164.308(a)(4) and to prevent (in accordance with the implementation specifications set forth in 45 C.F.R. § 164.308(a)(3)(ii)) its employees, agents or representatives who should not have access under the standards set forth at 45 C.F.R. § 164.308(a)(4) from obtaining access to Electronic PHI; (d) implemented policies and procedures for authorizing access to Electronic PHI that are consistent with the requirements of 45 C.F.R. Part 164, Subpart E “Privacy of Individually Identifiable Health Information” in accordance with the implementation specifications set forth at 45 C.F.R. § 164.308(a)(4)(ii); (e) implemented a security awareness and training program for all of its employees and agents (including its directors and officers), in accordance with the implementation specifications set forth at 45 C.F.R. § 164.308(a)(5)(ii); (f) implemented policies and procedures to address “Security Incidents” in accordance with the implementation specification set forth at 45 C.F.R. § 164.308(a)(6)(ii); and (g) established (and implemented as needed) policies and procedures for responding to an emergency or other occurrence, including fire, vandalism, system failure and natural disaster, that damages any system that may contain Electronic PHI, in accordance with the implementation specifications set forth at 45 C.F.R. § 164.308(a)(7)(ii). Contractor performs periodic technical and nontechnical evaluations in response to any environmental or operational changes affecting the security of Electronic PHI, and Contractor will use such evaluations to establish the extent to which Contractor’s administrative safeguards meet the requirements of the Electronic PHI Security Standards.

8.2 Physical Safeguards. Contractor has, as of the Effective Date, (a) implemented policies and procedures to limit physical access to its electronic information systems and the locations in which such electronic information systems are maintained, in accordance with the implementation specifications set forth at 45 C.F.R. § 164.310(a)(2); (b) implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access Electronic PHI; (c) implemented physical safeguards for all workstations that access Electronic PHI to restrict access to authorized users only; and (d) implemented policies and procedures that govern (i) the receipt and removal of hardware and electronic media that contain Electronic PHI into and out of a location, and (ii) the movement of such Electronic PHI within each such location, in accordance with the implementation specifications set forth at 45 C.F.R. § 164.310(e)(2).

8.3 Technical Safeguards. Contractor has, as of the Effective Date, (a) implemented technical policies and procedures for electronic information systems that maintain Electronic PHI to allow access only to those persons or software programs that have been granted access rights as specified at 45 C.F.R. § 164.308(a)(4), in accordance with the implementation specifications set forth at 45 C.F.R. § 164.312(a)(2); (b) implemented hardware, software, or procedural mechanisms that record and examine activity in any information systems that contain or use Electronic PHI; (c) implemented policies and procedures to protect Electronic PHI from improper alteration or destruction, in accordance with the implementation specification set forth at 45 C.F.R. § 164.312(c)(2); (d) implemented procedures to verify that a person or entity seeking access to Electronic PHI is authorized to receive access to such Electronic PHI; and (e) implemented technical security measures to guard against unauthorized access to any Electronic PHI that is being transmitted over an electronic communications network, in accordance with the implementation specifications set forth at 45 C.F.R. § 164.312(e)(2).

8.4 Policies and Procedures and Documentation Requirements. Contractor has, as of the Effective Date, implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications or other requirements of the Electronic PHI Security Standards, taking into account the factors specified at 45 C.F.R. § 164.306(b)(2)(i), (ii), (iii) and (iv). Throughout the term of this Agreement, Contractor shall (a) maintain the policies and procedures implemented to comply with the Electronic PHI Security Standards in written or electronic form and (b) if an action, activity or assessment is required by the Electronic PHI Security Standards to be documented, maintain a written or electronic record of the action, activity, or assessment, in accordance with the implementation specifications set forth at 45 C.F.R. § 164.316(b)(2).

9. General Provisions.

9.1 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

9.2 Data Ownership. Contractor acknowledges that it has no ownership rights with respect to the PHI.

9.3 Confidentiality. Contractor shall cooperate with ECH to preserve and protect the confidentiality of PHI accessed or used pursuant to the Agreement and shall not disclose or testify about such information during or after the termination of the Agreement except as required by law.

9.4 Amendment. Subject to the provisions of Section 9.6, below, the parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the HIPAA Rules and any other legal requirement related to the use and disclosure of health information.

9.5 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. If any provision of this Agreement conflicts with the provisions of the Master Service Agreement, the provisions in this Agreement shall be deemed to control and such conflicting provision or part thereof shall be deemed removed and replaced with the governing provision herein to the extent necessary to reconcile the conflict.

9.6 No Modification. No modification of this Agreement will be effective unless made in writing and executed by a duly authorized representative of each party, except as otherwise provided hereunder.

9.7 Assistance in Litigation or Administrative Proceedings. Contractor shall make itself, and any subcontractors, employees or agents assisting Contractor in the performance of its obligations under this Agreement, available to ECH at no cost to provide testimony in any capacity in the event of litigation, administrative proceedings, or other legal action threatened, commenced or contemplated against ECH, its directors, officers or employees based upon a claimed violation of the HIPAA Rules or other federal or state law relating to security and privacy, except where Contractor or its Subcontractor, employee or agent is a named adverse party.

9.8 Audits; Inspection and Enforcement. Within ten (10) days of a written request by ECH, Contractor and its agents or subcontractors shall permit ECH to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of PHI pursuant to this Agreement for the purpose of determining whether Contractor has complied with the terms and conditions contained herein. The fact that ECH inspects, fails to inspect, or has the right to inspect does not relieve Contractor of its responsibility to comply with this Agreement nor does it constitute acceptance of any practice, modification of Contractor’s representations and warranties set forth in Section 8 or a waiver of ECH’s rights under this Agreement. Contractor shall notify ECH in writing within ten (10) days of receipt of any notice that Contractor has become the subject of an audit, compliance review, or complaint investigation by the Office for Civil Rights or other similar state or federal agency.

9.9 Disclaimer. ECH makes no warranty or representation that compliance by Contractor with this Agreement, the HIPAA Rules or any other state or federal security or privacy law will be adequate or satisfactory for Contractor’s own purposes. Contractor is solely responsible for all decisions made by Contractor regarding the safeguarding of PHI.

9.10 Counterparts; Facsimile/PDF Signatures. This Agreement may be executed in two (2) or more counterparts, each of which shall be deemed an original and when taken together shall constitute one (1) agreement. The parties agree that facsimile or PDF transmission of original signatures shall constitute and be accepted as original signatures.

9.11 Notices. Any notices to be given hereunder shall be (a) in writing, (b) addressed to the person and address set forth below (or to such other person or address as either party may so designate from time to time), (c) deemed to have been given on the date of delivery if transmitted by courier, or one (1) day following traceable delivery to a nationally recognized overnight delivery service with instructions for overnight delivery if sent by such overnight delivery service, and (d) transmitted by courier for hand delivery, or delivered by nationally recognized overnight delivery service with instructions for overnight delivery:

If to Contractor:
Attn:

If to ECH:
El Camino Hospital
2500 Grant Road
Mountain View, California 94040
Attention: CEO

9.12 Entire Agreement; Successors; and Assignment. This Agreement, the Services Agreement and the attached Schedule constitute the entire understanding between the parties with respect to the subject matter hereof. No party shall assign or otherwise transfer this Agreement or any of its rights hereunder, or delegate any of its obligations hereunder, without the prior written consent of the other party, provided that ECH shall be permitted, without the consent of Contractor, to assign or otherwise transfer this Agreement or any of its rights hereunder: (a) upon the purchase or sale of all or substantially all of the assets or stock of ECH or the transfer (by operation of law or otherwise) of the ownership or control of ECH, to the purchaser of such assets or stock or the transferee of such interests or (b) to any affiliate of Covered Entity. Subject to the foregoing, this Agreement and the rights and obligations set forth herein shall inure to the benefit of, and be binding upon the parties, and each of their respective successors, heirs and assigns.

9.13 Choice of Law. All issues and questions concerning the construction, validity, enforcement and interpretation of this Agreement and the exhibits hereto shall be governed by, and construed in accordance with, the laws of the State of California and the HIPAA Rules.

9.14 Joint Preparation. Each party (a) has participated in the preparation of this Agreement; (b) has read and understands this Agreement; and (c) has been represented by counsel of its own choice in the negotiation and preparation of this Agreement. Each party represents that this Agreement is executed voluntarily and should not be construed against any party solely because it drafted all or a portion hereof.

9.15 Severability. Whenever possible, each provision of this Agreement shall be interpreted in such manner as to be effective and valid under applicable law, but if any provision of this Agreement is held to be invalid, illegal or unenforceable in any respect under any applicable law or rule in any jurisdiction, such invalidity, illegality or unenforceability will not affect any other provision in any other jurisdiction, but this Agreement will be reformed, construed, and enforced in such jurisdiction as if such invalid, illegal or unenforceable provision had never been contained herein.

9.16 Waiver. No waiver by any party, whether express or implied, of its rights under any provision of this Agreement shall constitute a waiver of the party’s rights under such provisions at any other time or a waiver of the party’s rights under any other provision of this Agreement. No failure by any party to take any action against any breach of this Agreement or default by another party shall constitute a waiver of a party’s right to enforce any provision of this Agreement or to take any action against such breach or default or any subsequent breach or default by the other party. To be effective any waiver must be in writing and signed by the waiving party.

9.17 Survival. Section 6.7 (Obligations of Contractor Upon Termination), Section 7 (Indemnification), Section 9.3 (Confidentiality), Section 9.7 (Assistance in Litigation) and Section 9.8 (Audits and Inspections) shall survive the termination of this Agreement.

IN WITNESS WHEREOF, the undersigned have caused this HIPAA Business Associate Agreement to be duly executed and effective as of the Effective Date.

Contractor:
By:
Name:
Its:

ECH:
EL CAMINO HOSPITAL, a California nonprofit public benefit corporation
By:
Name:
Its:

Schedule A

1. The term “45 C.F.R.” has the meaning set forth in Recital C of this Agreement.
2. The term “Agreement” has the meaning set forth in the Preamble to this Agreement.
3. The term “Business Associate” has the meaning set forth in 45 C.F.R. § 160.103.
4. The term “Contractor” has the meaning set forth in the Preamble to this Agreement.
5. The term “Covered Entity” has the meaning set forth in 45 C.F.R. § 160.103.
6. The term “ECH” has the meaning set forth in the Preamble to this Agreement.
7. The term “Effective Date” has the meaning set forth in the Preamble to this Agreement.
8. The term “Electronic PHI” has the meaning set forth in Recital B of this Agreement.
9. The term “Electronic PHI Security Standards” has the meaning set forth in Section 8.1 of this Agreement.
10. The term “HIPAA Rules” has the meaning set forth in Recital C of this Agreement.
11. The term “HITECH Act” has the meaning set forth in Recital C of this Agreement.
12. The term “Indemnitee” has the meaning set forth in Section 7.3 of this Agreement.
13. The term “Indemnitor” has the meaning set forth in Section 7.3 of this Agreement.
14. The term “Losses” has the meaning set forth in Section 7.1 of this Agreement.
15. The terms “party” and “parties” have the meaning set forth in the Preamble to this Agreement.
16. The term “PHI” has the meaning set forth in Recital B of this Agreement.
17. The terms “Privacy Rule” and “Other Privacy Rules” have the meaning set forth in Recital C of this Agreement.
18. The terms “Protected Health Information” and “Electronic Protected Health Information” (referred to in the Agreement as “PHI” and “Electronic PHI,” respectively) have the meanings set forth in 45 C.F.R. § 160.103, limited to the information created, received, maintained or transmitted by Contractor from or on behalf of ECH in connection with the provision of the Services under the Services Agreement.

19. The term “Record and Documentation of Disclosure” has the meaning set forth in Section 4.8 of this Agreement.
20. The term “Security Rule” has the meaning set forth in Recital C of this Agreement.
21. The term “Services” has the meaning set forth in Recital A of this Agreement.
22. The term “Services Agreement” has the meaning set forth in Recital A of this Agreement.
23. Other capitalized terms used but not defined herein shall have the respective meanings given to such terms in the Privacy Rule or Security Rule.
23.1. The terms “electronic media,” “individual,” and “subcontractor” have the meanings set forth in 45 C.F.R. § 160.103. The term “required by law” has the meaning set forth in 45 C.F.R. § 164.103.
23.2. The terms “access,” “administrative safeguards,” “information system,” “physical safeguards,” “security,” “security incident,” “security measures,” “technical safeguards,” “user” and “workstation” have the meanings set forth in 45 C.F.R. § 164.304.
23.3. The terms “breach” and “unsecured PHI” have the meanings set forth in 45 C.F.R. § 164.402.
23.4. The terms “data aggregation,” “designated record set,” “health care operations” and “marketing” have the meanings set forth in 45 C.F.R. § 164.501.
23.5. The term “de-identification” has the meaning set forth in the Standard in 45 C.F.R. § 164.514.
23.6. The term “use” means, with respect to PHI, the sharing, utilization, employment, examination, analysis or application within Contractor.
23.7. The terms “disclose” and “disclosure” mean, with respect to PHI, the release, transfer or providing access to or divulging to a person or entity not within Contractor or ECH.

Attachment 2 - Review Revision to Committee FY_14 Goals.pdf

Date: September 16, 2013
To: Corporate Compliance/Privacy and Internal Audit Committee
From: Diane Wigglesworth
Re: Revisions to FY 2014 Committee Goals

Attached are the Governance Committee minutes from July 2, 2013 with recommendations regarding committee goals. It was recommended that the Compliance Committee provide further specificity for the metrics. Highlighted in red are the revisions made to the metrics to comply with the Governance Committee's recommendation, for review and approval.

Minutes of Special Meeting of the Governance Committee
July 2, 2013
Approved by the Committee on 9.3.13
Pending Board Review

EL CAMINO HOSPITAL
GOVERNANCE COMMITTEE OF THE BOARD
SPECIAL MEETING
Tuesday July 2, 2013
MINUTES

1. CALL TO ORDER/ROLL CALL

The Special Meeting of the Governance Committee of the Board of El Camino Hospital (the “Hospital”) was called to order by John Zoglin at 5:30 pm on Tuesday, July 2, 2013 in Conference Room A, El Camino Hospital, 2500 Grant Road, Mountain View, California.

Roll call was taken. The Committee members present were John Zoglin, Julia Miller, Gary Kalbach, and Mark Sickles. Cindy Murphy, Board Liaison, of El Camino Hospital was also present. Pete Moran arrived at 5:45 pm. Patricia Einarson, MD was absent. Executive Sponsor Tomi Ryba, CEO, joined by telephone conference call at 6:00 pm, but was disconnected shortly after due to interrupted cellular phone service.

2. CONFLICT OF INTEREST DISCLOSURES:

Mr. Zoglin asked if any Committee member had a conflict of interest regarding any of the items on the agenda. No conflict was stated.

3. PUBLIC COMMENT:

There was no public comment.

4. CONSENT CALENDAR:

Action: A motion was made by Mr. Kalbach, seconded by Ms. Miller, and approved by a vote of four committee members in favor, Mr. Moran and Dr. Einarson absent, to approve the minutes of the June 4, 2013 Governance Committee meeting.

5. FY 2014 ALL COMMITTEE GOALS:

The committee members reviewed and discussed the FY 2014 Draft Goals submitted by the Board Advisory committees. The members considered the committees’ stated purposes, the specificity of the Draft Goals, the specificity of the metrics and the timing of completion. The committee members also considered the status of completion of the committees’ FY 2013 Goals and assessed whether or not the committees’ Draft Goals reflected a realistic volume of work. Finally, the committee considered whether the Draft Goals reflected any gaps in coverage of oversight or unnecessary overlaps between the committees.

Action: A motion was made by Mr. Kalbach, seconded by Ms. Miller, and approved by a vote of five committee members in favor, Dr. Einarson absent, to recommend the Board approve the Draft Goals as submitted by the Board Advisory Committees with the following recommendations for the committees and the Board to consider:

1. Corporate Compliance and Audit Committee – Further specificity for the metrics.

2. Executive Compensation Committee – Further depth and development for Draft Goals #5 and #7.

3. Finance Committee – In general, concern with timing as no goal is paced to be completed until Q3.
   a. Draft Goal #1 – Goal should be more specific.
   b. Draft Goal #2 – Change to “Review and monitor financial implications (profitability) of new business proposals.”
   c. Draft Goal #4 – Change to “Educate the Board re the Budget development process.” Also, consider completing earlier, maybe in Q2.

4. Investment Committee – Draft Goal #5 – Change metric to: “Provide executive summary/dashboard that includes performance against budget and benchmarks.”

6. Quality, Patient Care, and Patient Experience Committee –
   a. Draft Goal #1 – Seems unintentionally broad. The Committee might consider adding a phrase (the final clause below) to the end of the sentence: “Review the hospital’s organizational goals and scorecard and ensure that those metrics and goals are consistent with the strategic plan and set at an appropriate level as they apply to the Quality, Patient Care, and Patient Experience Committee.”
   b. While important to the functioning of the committee, Draft Goals #3 and #6 seem more like committee management than committee goals and should be recorded as important, but probably removed as overall goals.

7. The major IT project is not currently assigned to any specific committee. The Board might consider discussing how this project should be addressed in 2014, e.g. Board level only, Board ad hoc Committee, or one or two committees take the lead as we did last year around the continuum of care discussions.

6. DRAFT REVISIONS TO THE CORPORATE COMPLIANCE COMMITTEE (“CCAC”) CHARTER

The committee members discussed the draft revisions to the CCAC charter, noting that the revisions were related to IT security, risk management, and policy oversight.

Action: A motion was made by Mr. Moran, seconded by Mr. Kalbach, and approved by a vote of five members in favor, Dr. Einarson absent, to recommend that the Board approve the Draft Charter Revisions for FY 2014 as submitted by the CCAC.

Attachment 2b - Goals for Compliance Committee CCPIAC FY 14 - 7 31 13 (v2).doc

Corporate Compliance/Privacy and Audit Committee
Revised Goals FY 2014

Purpose

The purpose of the Corporate Compliance/Privacy and Audit Committee (“Compliance and Audit Committee”) is to advise and assist the El Camino Hospital (ECH) Hospital Board of Directors (“Board”) in its exercise of oversight by monitoring the compliance policies, controls and processes of the organization and the engagement, independence and performance of the internal auditor and external auditor. The Compliance and Audit Committee assists the Board in oversight of any regulatory audit and in assuring the organizational integrity of ECH in a manner consistent with its mission and purpose.

Staff: Diane Wigglesworth, Director of Corporate Compliance

The Director, Corporate Compliance/Privacy and Audit Committee shall serve as the primary staff support to the Committee and is responsible for drafting the Committee meeting agenda for the Committee Chair's consideration. Additional members of the executive team or outside consultants may participate in the Committee meetings upon the recommendation of the Director, Corporate Compliance/Privacy and Internal Audit Committee and at the discretion of the Committee Chair.

Goals (timeline by fiscal year; the timeframe applies to when the Board approves the recommended action from the Committee, if applicable)

Goal 1: Review and evaluate the Hospital's proposed FY 2014 Internal Audit Work Plan based on the current risk assessment for recommendation to the Hospital Board.
Timeline: Q2 2014
Metric of success: Committee reviews the FY 2014 Internal Audit Work Plan developed by staff in September and recommends the plan to the Board for approval at the October Board meeting.
Achieved: (blank)

Goal 2: Review the FY 2014 OIG Work Plan and evaluate the suitability of the Hospital's proposed response plan to the report.
Timeline: Q3 2014
Metric of success: Committee reviews the Hospital's proposed response plan to the OIG Work Plan in December and recommends the plan to the Board for approval at the February Board meeting.
Achieved: (blank)

Goal 3: Develop ERM guidance for the Board on structure, reporting and governance oversight.
Timeline: Q3-Q4 2014
Metric of success: Committee recommends a process for evaluation of ERM to the Board for approval not later than the May 2014 Board meeting.
Achieved: (blank)

Goal 4: Develop a process for oversight of new policies and changes to existing policies.
Timeline: Q4 2014
Metric of success: Committee recommends a process for policy oversight to the Board for approval not later than June 2014.
Achieved: (blank)

Submitted by: John Zoglin, Chair, Corporate Compliance/Privacy and Compliance Committee; Diane Wigglesworth, Executive Sponsor, Corporate Compliance/Privacy and Compliance Committee

Attachment 3 - Review FY:14 Internal Audit Work Plan.pdf

Corporate Compliance Scorecard FY 2013
El Camino Hospital

Columns: Current Period = June 2013; Prior Year YTD = July 2012 through June 2012 fiscal year-end (thru Period 12); YTD = July 2012 through June 2013 (thru Period 12). In the source, the prior-year column for the Audits, Hotline Reporting and Investigation groups is labeled Jul.-May 2012.

Key Performance Indicator | Status | Current Period Actual | Current Period % | Prior Year YTD % | YTD Actual | YTD % | Goal

Corporate Compliance Education
New employees receiving basic compliance training within 30 days of start date | Meets goal | 32 | 100% | 100% | 507 | 100% | 100%
New management receiving additional compliance training within 90 days of start date | Within 10% of goal | 2 | 100% | 33% | 22 | 90% | 100%

Audits
Internal Audits on Work Plan initiated within the agreed upon timetable | Meets goal | 0 | 100% | 100% | 12 | 100% | 100%
Internal Audit Corrective Action Plans implemented within agreed upon timetable | Meets goal | 19 | 100% | 85% | 50 | 100% | 95%

Hotline Reporting
Hotline calls or reported compliance concerns responded to within 72 hours | Meets goal | 25 | 100% | 95% | 312 | 100% | 95%

Investigation
Privacy breaches investigated and reported to CDPH within 5 days if appropriate | Meets goal | 4 | 100% | 99% | 25 | 100% | 100%
Regulatory/clinical issues investigated and reported to CDPH within 5 days if appropriate | Meets goal | 0 | 100% | 100% | 15 | 100% | 100%

Status legend: Meets goal; Within 10% of goal; Greater than 10% from goal.

Attachment 3b - Memo Key Indicators and Corproate Scorecard.pdf

Attachment 4 - FY2014 Internal Audit Work Plan and Historical Audits.pdf

FY 2014 Internal Audit Work Plan & Historical Audits
Prepared by: Diane Wigglesworth, Director Corporate Compliance

Executive Summary

An organizational full risk assessment was performed in May 2013 which considered a number of factors including the current business environment, risks common to the healthcare industry, and the feedback received from key members of leadership and the compliance committee.

To further narrow the list of potential audits, compliance, along with executive leadership, selected those believed to have a strong focus on identifying one or more of the following:

• Issues that could result in significant adverse or financial impact.
• Incidents of non-compliance with regulations which could result in fines and impair the hospital’s reputation.
• Issues that the organization does not currently routinely monitor.

We structured the body of this report as follows:

• Risk Map – depicting the 26 highest rated risks based on assessment results and feedback, including identification of the risk areas covered by audit(s) planned for FY 2014.
• Work Plan – description of the objective of the audit, the ranking of the risk and projected timing.
• Risk Map of Completed Audits – detailing the key risks that were identified during past risk assessments and audited. Many of the risks were consistent from year to year as they are inherent to the industry and the hospital.

FY 2014 Risk Assessment & Internal Audit Work Plan

The map below depicts the 26 highest rated risks based on survey results and feedback from interviews. The risks are plotted based on their individual importance to the business along with the likelihood that issues and/or improvement opportunities currently exist.

[Risk map figure: vertical axis Importance (low to high), horizontal axis Likelihood (low to high), divided into Quadrant 1 through Quadrant 4. Legend: risk areas covered by audit(s) planned for FY 2014; risk areas for audits in subsequent years (unless new information or changes in circumstances raise the level of risk, warranting an earlier audit). The 26 risk areas plotted are:]

• Government Reimbursement on Devices
• Charge Capture and Verification
• Data Integrity and Governance
• Quality and Patient Safety
• Medicare Compliance
• Medical and LOS Management
• EHR Implementation Readiness
• IT Disaster Recovery
• Licensure / Accreditation
• ECH Policy Compliance
• Clinical Coding / Documentation
• Community Relations
• Strategic Planning and Budgeting
• IT Logical Security
• Physician Contracting
• HIPAA Compliance
• Pharmacy Operations
• Financial Controls
• ICD-10 Readiness
• CDM Accuracy / Maintenance
• HR, Benefits, and Compensation
• Clinical and Ancillary Services
• Medical Necessity Criteria
• Payer Contract Management
• Billing Accuracy on Transfers
• Duplicate Medical Records

Internal Audit Work Plan – FY 2014

Listed below is the proposed schedule of internal audits. The number in the Quadrant column designates where the related risk was on the risk map. For each audit the plan records: Audit, Quadrant, Proposed Start Date, Objective of Audit, and Report Presented to Committee (blank for all audits at this time).

Duplicate Medical Records
Quadrant: 1
Proposed start date: July 2013
Objective: Duplicate medical records occur when one patient is associated with more than one medical record number and are often erroneously created as a result of inaccurate data entry. The audit will include a review of potential duplicate medical records existing in key clinical systems (HBOC & HPF) and a review of the effectiveness of internal controls for managing duplicate records.

Pharmacy Operations Review
Quadrant: 2
Proposed start date: September 2013
Objective: Evaluate the internal controls around purchasing, receiving, storing and distributing outpatient pharmacy medications. Review inventory management regarding the maintenance and reverse distribution process for medication inventory and reconcile revenue to expected receipts.

Warranty Replaced Manufacturer Device Billing
Quadrant: 1
Proposed start date: October 2013
Objective: Evaluate whether the hospital is compliant with Medicare requirements for obtaining credits available from manufacturers for replaced medical devices and reporting the appropriate billing codes and charges to reflect the credits received.

Clinical Coding / Documentation Accuracy
Quadrant: 2
Proposed start date: November 2013
Objective: A coding validation would be performed to verify appropriate documentation in the medical record along with completeness and accuracy of MS-DRG assignment.

Billing Accuracy for Transfers
Quadrant: 3
Proposed start date: January 2014
Objective: Validate accurate Medicare billing for an inpatient discharged when the patient is readmitted the same day to another hospital unless the readmission is unrelated or the patient’s discharge is assigned to one of the qualifying DRGs or the discharge is to home or home health agency within 3 days after discharge.

Internal Control Over Financial Reporting
Quadrant: 3
Proposed start date: February 2014
Objective: Test the internal controls that govern the financial reporting process. Validate processes around receivables, reconciliations, significant estimates/reserves, revenue recognition and other key income statement and balance sheet accounts or metrics.

Strategic Project Valuation Realization
Quadrant: 2
Proposed start date: April 2014
Objective: The audit would include a look back at selected strategic projects that were approved by the ECH Board during the last two fiscal years and validate that the expected achievement of the strategic goals or return on investment for the approved project was realized.

Physician Contracting
Quadrant: 1
Proposed start date: May 2014
Objective: Consistent with prior years, the objective of the review is to evaluate practices and processes surrounding physician contracting and review the effectiveness of internal controls to ensure proper documentation supports payments to physicians.

3 Year Summary of Completed Audits

The map below depicts the audits completed in FY 2011 through FY 2013. The audits with the highest risk areas are shown in Quadrant 1 and generally include those risks that are inherently high for the industry or are a known concern to ECH.

[Figure: risk map. Horizontal axis: Vulnerability, LOW to HIGH. Vertical axis: Impact to Business, LOW to HIGH. The map is divided into Quadrant 1, Quadrant 2, Quadrant 3 and Quadrant 4. Audits shown on the map: Release of PHI; MS/DRG Coding; Denials Mgmt & Reporting; OR Charge Capture; Financial Controls; CDM; Clinical Trials; Physician Contracts; Key Contracts - LPCH; Revenue Cycle – Sr. Center; District Insurance Program; Business Continuity Mgmt.; IT Vendor Performance Mgmt.; Electronic Time and Attendance; IT Asset Management; Data Security Incident Management; Inpatient Coding; Radiology Revenue Cycle; Accounts Payable; BAA Contracts; Vendor Policy; Billing/ Documentation; CMS Billing.]

Legend: FY 2013 Audits; FY 2012 Audits; FY 2011 Audits; Every Year.

6 Page 54/395

Separator Page: Attachment 5 - Enterprise Risk Management Operational Plan.pdf

Page 55/395

1

El Camino Hospital Fiscal Year 2014

Enterprise Risk Management Program Development Plan

Diane Wigglesworth, Director Corporate Compliance

9/16/13

Page 56/395

2

ERM Definition

• Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, creating a single view of all risks, designed to identify and anticipate potential events that may affect the entity, enhance risk response decisions, manage risk to be within its risk appetite, reduce operational surprises and losses and provide reasonable assurance regarding the achievement of entity objectives.

• When done correctly, the board of directors and management have reasonable assurance that they understand the extent to which the entity’s strategic and operations objectives are being achieved, and that the entity’s reporting is reliable and applicable laws and regulations are being complied with.

Page 57/395

3

ERM Program Development Plan

Enterprise Risk Management Program Development: Diane Wigglesworth & ELT

Columns: Deliverables | September | October | November | Due to Board

Identify Strategic, Operational and Regulatory Goals or Objectives That Align With The Hospital’s Mission (annual and metric driven)
Steps: Understand Current Status; Draft to ELT; Draft to Compliance Committee; Revise as Needed; 2nd Draft

Determine Risk Tolerance Levels for Each Goal (Board philosophy and risk appetite)
Steps: Draft to ELT; Draft to Compliance Committee; Revise as Needed; 2nd Draft

Risk Assessment & Measurement (develop process to ID external or internal risks to achieving objectives and determine impact)
Steps: Understand Current Status; Draft to ELT; Draft to Compliance Committee; Revise as Needed; 2nd Draft

Risk Response & Action (Board & ELT to review risks and determine response: either avoiding, accepting, reducing or sharing risk)
Steps: Understand Current Status; Draft to ELT; Draft to Compliance Committee; Revise as Needed; 2nd Draft

Risk Monitoring & Reporting (method of ongoing monitoring and establish roles and responsibilities)
Steps: Draft to ELT; Draft to Compliance Committee; Revise as Needed; 2nd Draft

Page 58/395

4

ERM Program: Proposed Processes

PROCESS DEVELOPMENT CHECKLIST

Columns: Goals/Objective Set & Defined | Risk Philosophy (tolerance levels) Developed | Risk Assessment & Measurement Method | Risk Response & Actions Roles & Responsibilities Established | Risk Monitoring

STRATEGIC GOALS (Executive Sponsor: Tomi)
• Risk Philosophy: Levels Developed in Conjunction with Planning Cycle
• Risk Assessment & Measurement: Approve Method of Assessment
• Risk Response & Actions: ELT reviews assessment; CEO suggests response to Board as needed
• Risk Monitoring: Dir. Compliance reviews dashboard results with ELT & Compliance Board

OPERATIONAL GOALS (Executive Sponsor: Mick/Mike)
• Risk Philosophy: Levels Developed in Conjunction with Planning Cycle
• Risk Assessment & Measurement: Approve Method of Assessment
• Risk Response & Actions: COO or CFO review assessment and suggest response to ELT
• Risk Monitoring: Dir. Compliance reviews dashboard results with ELT & Compliance Board

EXTERNAL AND REGULATORY REPORTING REQUIREMENTS (CMS, JACHO, Meaningful Use/HITECH etc.) (Executive Sponsor: Mick & ELT; Managers to ID existing and new requirements each year)
• Risk Philosophy: Levels Developed in Conjunction with Planning Cycle
• Risk Assessment & Measurement: Approve Method of Assessment
• Risk Response & Actions: COO, CFO & CIO review assessment and suggest response to ELT
• Risk Monitoring: Dir. Compliance reviews dashboard results with ELT & Compliance Board

Deliverable
• Targets Identified
• 3 year goal statement
• Set risk tolerance by type of goal
• Design business or clinical processes to effectively monitor and correct
• Identify external & internal risks to achieving objectives
• Determine impact
• Set measurement
• Management reviews risks and determines appropriate response: avoiding, accepting, reducing, or sharing risk
• Monitor mitigation strategies
• Responsibilities set
• Method of ongoing monitoring established
• Pacing of Reports to Board

Page 59/395

Pages 3 and 60-395 are closed session materials not publicly available.