DEPARTMENT: Ethics & Compliance / POLICY DESCRIPTION: Reporting Compliance Issues and Occurrences to the Corporate Office
PAGE: 1 of 4 / REPLACES POLICY DATED: 1/24/09
EFFECTIVE DATE: September 23, 2009 / REFERENCE NUMBER: EC.025
SCOPE: All Company-affiliated facilities and subsidiaries, including, but not limited to, hospitals, ambulatory surgery centers, outpatient imaging centers, physician practices, service centers, and all Corporate Departments, Groups, Divisions and Markets.
PURPOSE: To require that certain activities and events be reported to the appropriate Corporate department(s) as set forth in this policy.
POLICY:
There are a number of events, occurrences or issues, described more fully in the Procedure section below, that must be reported to the Corporate Office immediately (i.e., no longer than 3 days after occurrence).
PROCEDURE:
The following events, occurrences or issues must be reported to the facility ECO. The facility ECO or designee should then report the event, occurrence or issue to the Corporate Office department identified at the links listed below:
1. Any unscheduled survey by any third party agency for any reason – pursuant to QM.001.
2. Any request for copies of patient records for use in an investigation of an alleged compliance violation – pursuant to QM.001.
3. Any written communication from the facility’s Quality Improvement Organization (QIO) pertaining to a formal project that will involve aggregate reporting of data or information to the QIO – pursuant to QM.001.
4. Any ongoing investigation or legal proceeding conducted or brought by a governmental entity or its agents involving an allegation that the Company-affiliated facility or subsidiary has committed a crime or has engaged in fraudulent activity – to Internal Compliance Reporting.
5. Notice of audit or arrival of auditors from the OIG – to Regs Helpline.
6. Potential violation of the Stark law or related regulations – to Internal Compliance Reporting. The Stark law prohibits a physician from referring patients to an entity for certain designated health services if the physician or an immediate family member of the physician has a financial relationship with the entity, unless the financial relationship falls within certain exceptions. A financial relationship may consist of an ownership or investment interest or a compensation arrangement. A compensation arrangement involves, with certain exceptions, anything of value given to a physician, whether directly or indirectly, overtly or covertly, in cash or in kind.
7. Potential violation of the Anti-Kickback Act – to Internal Compliance Reporting. The anti-kickback statute makes it unlawful to offer, pay, solicit or receive remuneration to induce or in return for 1) referring an individual for the furnishing or arranging for the furnishing of any item or service payable in whole or in part under a federal health care program, or 2) purchasing, leasing, or ordering (or arranging or recommending purchasing, leasing or ordering) any good, facility, service, or item payable in whole or in part under a federal health care program.
8. Health Insurance Portability and Accountability Act (HIPAA) issues:
  1. Involving a breach of unsecured protected health information - complete Part A of the HIPAA Breach Notification Form. Part A is retained at the facility. See the Protected Health Information Breach Notification Policy, HIM.PRI.011, for guidance. Breach is defined as any unauthorized acquisition, access or use of protected health information (PHI) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. Breach does not include:
    1. Any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or business associate if:
      (a) Such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
      (b) Such information is not further acquired, accessed, used, or disclosed by any person.
    2. Any inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by another covered entity or business associate to another similarly situated individual at the same facility.
    3. Any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.
  2. Involving an egregious violation of Health Information Privacy Standards – complete Part A and Part B of the HIPAA Breach Notification Form and submit to Internal Compliance Reporting. Egregious privacy violations include all privacy violations involving intentional disclosures or inadvertent disclosures with a potential for patient harm. Facilities are not required to report non-egregious privacy violations such as safeguard violations, inadvertent disclosures without the potential to harm patients, etc.
    1. Intentional disclosures include, but are not limited to, inappropriately accessing a patient’s PHI, gossiping about a patient’s PHI, stealing PHI, exposing family and friends to PHI, or allowing students to observe without an affiliation agreement or authorization.
    2. Inadvertent disclosures with potential for harm consist of misdirected or overheard communication where sensitive health information was disclosed to a third party who is not a Covered Entity. Information considered sensitive or a potential for harm includes information related to cancer, male or female reproduction-related issues, mental health, genetic testing, substance abuse, communicable diseases/HIV/STDs, confidential patients, employee-employer relationships, or any other types of information that might cause harm to the patient if inappropriately disclosed.
9. Potential violation of the HIPAA patient inducement guidelines – to Internal Compliance Reporting. See Compliance Alert #15 for details regarding HIPAA patient inducement.
10. Potential violation of the Emergency Medical Treatment and Labor Act (EMTALA) or comparable state statutes regarding providing emergency care – to Internal Compliance Reporting.
11. EMTALA state surveys or surveys related to comparable state statutes regarding providing emergency care – to Internal Compliance Reporting.
12. Regulatory violations regarding licensure, registration, and certification requirements of individuals or health care related equipment; individuals providing services outside their scope of practice or without being appropriately licensed, registered or certified; DEA violations related to the theft or loss of controlled substances - to Internal Compliance Reporting.
13. Ineligible Persons (OIG/GSA/State exclusion lists) – to Internal Compliance Reporting. An Ineligible Person is any individual or entity that: (i) is currently excluded, suspended, debarred or is otherwise ineligible to participate in Federal health care programs; (ii) has been convicted of a criminal offense related to the provision of health care items or services but has not yet been excluded, debarred or otherwise declared ineligible; or (iii) is currently excluded on a state exclusion list.
14. Compliance-related issues in clinical research (e.g., FDA-related issues, ethical violations) – to the Clinical Services Group.
15. Coding or billing errors that may be systemic in nature or exceed a threshold of $100,000 – to the Regs Helpline. Errors that occur in the everyday routine of claims processing, as well as those errors that are caused by the processing entity (e.g., FI pays incorrectly due to incorrectly loaded wage index tables) need not be reported. However, if there is a question about whether an error needs to be reported, the Regs Helpline should be contacted for assistance.
16. Claim reviews conducted or brought by a governmental entity or its agents that involve multiple accounts and/or impact multiple facilities – to the Regs Helpline.
17. Any other compliance issue that is not listed – to Internal Compliance Reporting.
REFERENCES:
  1. Internal Compliance Reporting folder on Atlas
  2. Regulatory Compliance Notification Policy, QM.001
  3. Protected Health Information Breach Notification Policy, HIM.PRI.011
  4. Compliance Alert #15

8/2009