General Compliance, Privacy, and Fraud, Waste, and Abuse

Sharp Community Medical Group

2017 Compliance Education

Disclosures

Portions of this training presentation were originally created by Sharp HealthCare and customized

by Sharp Community Medical Group (SCMG).

SCMG, as a delegated provider organization, is required to provide general compliance and fraud,

waste, and abuse training to employees and contracted providers because we provide

administrative services to Medicare beneficiaries.

SCMG has provided you with this material as part of our oversight process to implement the

compliance training and education requirements found in Medicare Regulations.

The information contained in this document is not intended to serve as legal advice nor should it

substitute for legal counsel. The material in this document is intended to be a resource that you

can leverage in your efforts to comply with the applicable rules. This document is not exhaustive,

therefore readers are encouraged to seek additional detailed guidance to supplement the

information contained herein.

Learning Objectives

In this module you will learn about the following:

• The elements of a Compliance Program

• The privacy requirements for California and federal laws

• Responsibilities for addressing Protected Health Information (PHI)

• How fraud, waste, and abuse affects Sharp Community Medical Group and you

• The importance of Medicare fraud, waste, and abuse laws

• Your responsibility to prevent and report fraud, waste, and abuse

General Compliance

CMS Requirements

As of January 1, 2011, Federal regulations require that Medicare

Advantage Organizations and Medicare Part D Plans have an effective

compliance program designated to deter fraud, waste, and abuse (FWA).

This includes compliance program requirements for annual training on

compliance and FWA.

Where Do I Fit in the Medicare Program?

What are my responsibilities?

You are a vital part of the effort to prevent, detect, and report Medicare

non-compliance as well as possible fraud, waste, and abuse.

• FIRST you are required to comply with all applicable statutory, regulatory, and other

Part C or Part D requirements, including adopting and using an effective compliance

program.

• SECOND you have a duty to the Medicare Program to report any violations of laws

that you may be aware of.

• THIRD you have a duty to follow your organization’s Code of Conduct that articulates

your and your organization’s commitment to standards of conduct and ethical rules of

behavior.

Compliance Program Requirements

At a minimum, an effective compliance program must include 7 core requirements:

1. Written Policies, Procedures and Standards of Conduct;

2. Compliance Officer, Compliance Committee, and High-Level Oversight;

3. Effective Training and Education;

4. Effective Lines of Communication;

5. Well-Publicized Disciplinary Standards;

6. Effective System for Routine Monitoring and Identification of Compliance Risks; and

7. Procedures and System for Prompt Response to Compliance Issues

Reasons to Implement a Compliance Program

1. Compliance Programs reinforce employees innate sense of right and wrong.

2. An effective compliance program helps an organization fulfill its legal duty to the government.

3. Adopting a Compliance Program concretely demonstrates the organization has a strong

commitment to honesty and responsible corporate integrity.

4. Compliance Programs are cost effective. Expenditures are insignificant in comparison to the

disruption and expense of defending against a fraud investigation.

5. A Compliance Program provides a more accurate view of employee and contractor behavior

relating to fraud, waste, and abuse.

6. A Compliance Program provides guidance and procedures to promptly correct misconduct.

7. An effective Compliance Program may mitigate False Claims Act liability or other sanctions

imposed by the government by preventing non-compliance, fraud, waste, and abuse.

Privacy

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires all providers and employees to:

Federal Privacy Laws:

What is HIPAA Privacy?

• Secure patients’ protected health information (PHI) both physically and

electronically.

• Adhere to the minimum necessary standard for use and disclosure of PHI.

• This means making reasonable efforts to limit PHI to the minimum

amount necessary when using, disclosing, or requesting PHI.

• Specify patients’ rights for access, use, and disclosure of their PHI.

Protected Health Information (PHI)

PHI is:

• Health information related to a patient’s past, present,

or future physical and/or mental health or condition.

This includes:

• Any one of the 18 personal identifiers (see next slide).

• Information in any format: written, spoken, or

electronic (including videos, photographs, and x‐rays).

Personal Identifiers that are Considered PHIThese are the 18 HIPAA identifiers that are considered personally identifiable information. When personally identifiable

information is used in combination with one’s physical or mental health or condition, health care, or one’s payment for that health

care, it becomes protected health information (PHI).

• Name • URL address • Device identifiers and their serial

numbers

• Postal address • IP address • Vehicle identifiers and serial number

• All elements of dates except year • Social security number • Biometric identifiers (finger prints)

• Telephone number • Account numbers • Full face photos and other comparable

images

• Fax number • Medical record number • Any other unique identifying number,

code or characteristic

• Email address • Health plan beneficiary number • License numbers

What is a Breach?

The term “Breach” means the:

Unauthorized acquisition Access Use, or Disclosure

…that compromises the security or privacy of PHI.

An employee or medical staff member peeking at a patient’s medical record merely to satisfy his or her own curiosity; even if the employee or medical staff member does not disclose any medical information about the patient to any other person.

Example of a Breach:

Paper Breaches

• Misdirected faxes with PHI sent outside of the

network.

• Loss or theft of paper documents containing PHI.

• Providing discharge documents with PHI to the

incorrect provider or patient.

Electronic Breaches

• Misdirected emails with PHI sent to individuals

outside of the network.

• Stolen unencrypted laptops, hard drives, or

personal mobile devices containing PHI.

Additional Examples of Breaches:

Safeguards for Protecting PHI

Some examples of safeguards you can use include:

Restrict patient information to those who have a “need to

know.”

Protect health information from

unauthorized access.

Never leave patient charts or computer screens open to the

public view.

Confidential information should

always be discussed in private.

Dispose of paper PHI the right way – by

shredding it!

Never share your computer passwords with anyone or log on

to a computer for someone else to use.

Logout or use secure screensavers when leaving computer

unattended.

Unauthorized Access of Medical Information

The term “unauthorized” means:

The inappropriate access, review, or viewing of patient medical

information without a direct need for medical diagnosis, treatment, or

other lawful use as permitted by the California Confidentiality of Medical

Information Act (CMIA).

California State Privacy Laws

California Medical Information Act (CMIA)

• State law that adds to the federal protection of personal medical records under HIPAA.

• Prohibits disclosure of medical information by a provider of health care, or health care service plan without prior written authorization.

The California Department of Public Health (CDPH) enforces California Privacy laws and requires licensed healthcare facilities to:

• Protect the privacy of patients’ medical information.

• Prevent unlawful or unauthorized access, use, or disclosure.

• Report unlawful or unauthorized access, use, or disclosure of medical information within 15 business days after breach detection unless there is a delay by law enforcement.

California State Privacy Law Basics

• A patient’s “medical information” is any individually identifiable information derived from a healthcare provider regarding a patient’s medical history, mental or physical condition, or treatment.

According to California state privacy laws:

• Accessing the medical information of friends, co-workers, and family members (including spouses, children, and parents, etc.).

• Faxing or otherwise providing medical information to the wrong patient, hospital, or company.

Examples of unlawfulaccess, use, or

disclosure of medical information:

Consequences of Non-Compliance

Non-compliance with HIPAA:

• Penalties up to $1.5 million for provider

non-compliance based on negligence.

• Criminal penalties up to $50,000 and/or

imprisonment more than one year for

individual who obtains or discloses PHI

without a business need to know.

• Minimum fine of $250,000 and/or

imprisonment not more than 10 years

for individual committing to sell PHI for

financial gain.

Non-compliance with the CMIA:

• Penalties of up to $25,000 per patient

whose medical information was

breached (maximum of $250,000 per

event).

• Penalties of $2,500 - $25,000 for

knowingly and willfully violating privacy

of medical information; $250,000 for

violating privacy of medical information

for financial gain.

Workplace Fraud

What is Workplace Fraud?

• The intentional, dishonest, and deceptive action of defrauding a business either directly or indirectly whether or not for personal gain.

• Most often this action is taken against businesses because the criminal mind believes they can successfully steal, hide, or use the assets for value.

Workplace fraud is:

Sharp Community Medical

Group has a zero tolerance

policy towards fraud.

Abusing authority

Committing official or moral misconduct

Falsifying information

Misusing company time, equipment, or information

Soliciting gifts from outside sources

Stealing or embezzling company property or money

Violating conflict of interest standards

Examples of Workplace Fraud:

Employee falsifying work-related documents or time cards = FRAUD

Workplace Fraud

Workplace fraud is an

expensive and growing

problem that negatively

impacts organizations and its

employees. Organizations

lose an estimated 5% of

annual revenues to

fraudulent activities.

The longer fraud lasts, the

more financial damage it can

cause. Passive detection

methods (confession,

notification by law

enforcement, external audit,

and by accident) tend to take

longer to bring fraud to

management’s attention, which

allows the related loss to grow.

Identifying Workplace Fraud

Being proactive is vital in catching fraudulent

activity early and limiting losses.

Fraud can be identified using proactive

detection measures such as:

• Compliance hotlines

• Management review procedures

• Audits

• Employee monitoring mechanisms

Identifying Fraudsters

Most workplace fraud perpetrators exhibit

certain behavior traits that can be warning

signs of fraud, such as:

• Living beyond their means

• Having unusually close associations with

vendors or customers

All employees need to recognize these

warning signs that, when combined with

other factors, might indicate fraud.

Fraud hurts organizations by

causing:

• Decreased productivity

• Investment of time & money spent

on investigations

• Lost resources

• Lowered morale

• Possible punishment

• Negative impact on organization’s

reputation

How Fraud Impacts

Organizations

Fraud perpetrated by another

individual can negatively affect

others by:

• Decreased trust throughout the

organization.

• Increased scrutiny from regulatory

agencies.

• Loss of time and resources to address

fraudulent acts.

• Fewer resources available to provide

needed care to your patients

How Fraud Impacts

Employees

Medicare Fraud, Waste, and Abuse

What is Medicare fraud?

• Knowingly and willfully executing, or attempting to

execute, a scheme or artifice to defraud any health care

benefit program, or to obtain, by means of false or

fraudulent pretenses, representations, or promises, any

of the money or property owned by, or under the

custody or control of, any health care benefit program.

• In other words, fraud is intentionally submitting false

information to the Government or a Government

contractor to get money or a benefit.

Medicare fraud is:

Waste and Abuse

Overusing services, or other practices that, directly or indirectly, result in unnecessary costs to the Medicare Program. Waste is generally not considered to be caused by criminally negligent actions but rather by the misuse of resources.

Waste

Actions that may, directly or indirectly, result in unnecessary costs to the Medicare Program. Abuse involves payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment.

Abuse

Differences Among Fraud, Waste, and Abuse

There are differences among fraud, waste, and abuse.

One of the primary differences is intent and knowledge.

• Fraud requires intent to obtain payment and the knowledge that

the actions are wrong.

• Waste and abuse may involve obtaining an improper payment or

creating an unnecessary cost to the Medicare Program, but does

not require the same intent and knowledge.

Examples of Fraud, Waste, and Abuse

Actions that may constitute fraud include:

• Knowingly billing for services

not furnished or supplies not

provided, including billing

Medicare for appointments that

the patient failed to keep.

• Billing for non-existent

prescriptions.

• Knowingly altering claim forms,

medical records, or receipts to

receive a higher payment.

Actions that may constitute waste include:

• Conducting excessive office

visits or writing excessive

prescriptions.

• Prescribing more medications

than necessary for the

treatment of a specific

condition.

• Ordering excessive laboratory

tests.

Actions that may constitute abuse include:

• Billing for unnecessary medical

services.

• Billing for brand name drugs

when generics are dispensed.

• Charging excessively for

services or supplies.

• Misusing codes on a claim,

such as upcoding or

unbundling codes.

How do you prevent FWA?

Look for suspicious activity;

Conduct yourself in an ethical manner;

Ensure accurate and timely data/billing;

Ensure you coordinate with other payers;

Keep up to date with FWA policies and procedures, standards

of conduct, laws, regulations, and CMS guidance; and

Verify all information provided to you.

Report Suspected FWA

• Everyone must report suspected

instances of FWA.

• Review your organization’s materials for

the ways to report FWA.

• Call or email your compliance liaison

(SCMG.compliance@sharp.com) or

compliance hotline.

• Additional information can be found here:

https://providers.scmg.org/compliance/

Understanding FWA Laws

To detect FWA, you need to know the law.

The following screens provide high-level information about the following laws:

• Civil False Claims Act, Health Care Fraud Statute, and Criminal Fraud;

• Anti-Kickback Statute;

• Stark Statute (Physician Self-Referral Law);

• Exclusion; and

• Health Insurance Portability and Accountability Act (HIPAA).

For details about the specific laws, such as safe harbor provisions, consult the

applicable statute and regulations.

Civil False Claims Act (FCA)

The civil provisions of the FCA make a person liable to pay damages to the

Government if he or she knowingly:

• Conspires to violate the FCA;

• Carries out other acts to obtain property from the Government by

misrepresentation;

• Knowingly conceals or knowingly and improperly avoids or decreases

an obligation to pay the Government;

• Makes or uses a false record or statement supporting a false claim; or

• Presents a false claim for payment or approval.

EXAMPLE

A Medicare Part C plan in Florida:

• Hired an outside company to review medical records to find additional diagnosis codes that could be submitted to

increase risk capitation payments from the Centers for Medicare & Medicaid Services (CMS);

• Was informed by the outside company that certain diagnosis codes previously submitted to Medicare were

undocumented or unsupported;

• Failed to report the unsupported diagnosis codes to Medicare; and agreed to pay $22.6 million to settle FCA

allegations.

Damages and PenaltiesAny person who knowingly submits false

claims to the Government is liable for

three times the Government’s damages

caused by the violator plus a penalty.

The Civil Monetary Penalty (CMP) may

range from $5,500 to $11,000 for each

false claim.

Civil FCA (continued)

Whistleblowers: A whistleblower is a person who

exposes information or activity that is deemed illegal,

dishonest, or violates professional or clinical standards.

Protected: Persons who report false claims or bring

legal actions to recover money paid on false claims are

protected from retaliation.

Rewarded: Persons who bring a successful

whistleblower lawsuit receive at least 15 percent but not

more than 30 percent of the money collected.

Health Care Fraud StatuteThe Health Care Fraud Statute states that, “Whoever knowingly and willfully executes, or attempts to execute, a

scheme to … defraud any health care benefit program … shall be fined … or imprisoned not more than 10 years, or

both.”

Conviction under the statute does not require proof that the violator had knowledge of the law or specific intent to

violate the law.

EXAMPLE

A Pennsylvania pharmacist:

• Submitted claims to a Medicare Part D plan for non-existent prescriptions and for drugs not dispensed;

• Pleaded guilty to health care fraud; and

• Received a 15-month prison sentence and was ordered to pay more than $166,000 in restitution to the plan.

The owners of two Florida Durable Medical Equipment (DME) companies:

• Submitted false claims of approximately $4 million to Medicare for products that were not authorized and not

provided;

• Were convicted of making false claims, conspiracy, health care fraud, and wire fraud;

• Were sentenced to 54 months in prison; and

• Were ordered to pay more than $1.9 million in restitution.

Criminal Fraud

Persons who knowingly make a false claim

may be subject to:

• Criminal fines up to $250,000;

• Imprisonment for up to 20 years; or

• Both.

If the violations resulted in death, the

individual may be imprisoned for any term

of years or for life.

Anti-Kickback Statute

The Anti-Kickback Statute prohibits knowingly and willfully soliciting,

receiving, offering, or paying remuneration (including any kickback, bribe,

or rebate) for referrals for services that are paid, in whole or in part,

under a Federal health care program (including the Medicare Program).

EXAMPLE

A radiologist who owned and served as medical director of a diagnostic testing center in New Jersey:

Obtained nearly $2 million in payments from Medicare and Medicaid for MRIs, CAT scans, ultrasounds, and other

resulting tests;

• Paid doctors for referring patients;

• Pleaded guilty to violating the Anti-Kickback Statute; and was sentenced to 46 months in prison.

The radiologist was among 17 people, including 15 physicians, who have been convicted in connection with this

scheme.

Damages and PenaltiesViolations are punishable by:

A fine of up to $25,000;

Imprisonment for up to 5 years;

or both.

Stark Statute (Physician Self-Referral Law)

The Stark Statute prohibits a physician from making referrals for

certain designated health services to an entity when the physician

(or a member of his or her family) has:

• An ownership/investment interest; or

• A compensation arrangement (exceptions apply).

EXAMPLE

A physician paid the Government $203,000 to settle allegations that he violated the physician self-referral prohibition

in the Stark Statute for routinely referring Medicare patients to an oxygen supply company he owned.

Damages and PenaltiesMedicare claims tainted by an

arrangement that does not comply with the

Stark Statute are not payable. A penalty of

up to $15,000 may be imposed for each

service provided. There may also be up to

a $100,000 fine for entering into an

unlawful arrangement or scheme.

Civil Monetary Penalties Law

The Office of the Inspector General (OIG) may impose civil penalties for a

number of reasons, including:

• Arranging for services or items from an excluded individual or entity.

• Providing services or items while excluded;

• Failing to grant OIG timely access to records;

• Knowing of an overpayment and failing to report and return it;

• Making false claims; or

• Paying to influence referrals.

EXAMPLE

A California pharmacy and its owner agreed to pay over $1.3 million to settle allegations they submitted claims to

Medicare Part D for brand name prescription drugs that the pharmacy could not have dispensed based on inventory

records.

Damages and PenaltiesThe penalties range from $10,000 to

$50,000 depending on the specific

violation. Violators are also subject to

three times the amount:

• Claimed for each service or item; or

• Of remuneration offered, paid,

solicited, or received.

Federal Health Care Excluded Providers

No Federal health care program payment may be made for any item or service furnished, ordered, or prescribed

by an individual or entity excluded by the OIG.

The OIG has authority to exclude individuals and entities from federally funded health care programs and maintains the

List of Excluded Individuals and Entities (LEIE). You can access the LEIE at https://exclusions.oig.hhs.gov.

The United States General Services Administration (GSA) administers the Excluded Parties List System (EPLS), which

contains debarment actions taken by various Federal agencies, including the OIG. You may access the EPLS at

https://www.sam.gov.

If looking for excluded individuals or entities, be sure to check both LEIE and EPLS since the lists are not the same.

EXAMPLE

A pharmaceutical company pleaded guilty to two felony counts of criminal fraud related to failure to file required reports

with the Food and Drug Administration (FDA) concerning oversized morphine sulfate tablets. The executive of the

pharmaceutical firm was excluded based on the company’s guilty plea. At the time the executive was excluded, he had

not been convicted himself, but there was evidence he was involved in misconduct leading to the company’s conviction.

State Suspended and Ineligible Provider List

Medi-Cal law, Welfare and Institutions Code (W&I Code), sections 14043.6 and 14123, mandate that the

Department of Health Care Services (DHCS) suspend a Medi-Cal provider of health care services from

participation in the Medi-Cal program when the individual or entity has:

• Been convicted of a felony;

• Been convicted of a misdemeanor involving fraud, abuse of the Medi-Cal program or any patient, or

otherwise substantially related to the qualifications, functions, or duties of a provider of service;

• Been suspended from the federal Medicare or Medicaid programs for any reason;

• Lost or surrendered a license, certificate, or approval to provide health care; or

• Breached a contractual agreement with the Department that explicitly specifies inclusion on this list as a

consequence of the breach.

Health Insurance Portability and

Accountability Act of 1996 (HIPAA)

HIPAA created greater access to health care insurance, protection of

privacy of health care data, and promoted standardization and efficiency in

the health care industry.

HIPAA safeguards help prevent unauthorized access to protected

health care information. As an individual with access to protected health

care information, you must comply with HIPAA.

EXAMPLE

A former hospital employee pleaded guilty to criminal HIPAA charges after obtaining PHI with the intent to use it for

personal gain. He was sentenced to 12 months and 1 day in prison.

Damages and PenaltiesViolations may result in Civil

Monetary Penalties. In some cases,

criminal penalties may apply.

CONGRATULATIONS!

You have completed the SCMG customized CMS-required training

course on General Compliance, Privacy, and Fraud, Waste, and Abuse.

SCMG is committed to the delivery of high quality care while conducting

its business in accordance with the highest levels of professional and

business ethics, and in full compliance with all laws, regulations, and

guidelines applicable to federal and state health care programs.