Corporate Compliance / HIPAA and Privacy

Corporate Compliance Program
McLaren Bay Region and McLaren Bay Special Care
New Employee Orientation

Corporate Compliance

  • Corporate Compliance refers to a program designed to ensure an organization’s efforts to prevent fraud and abuse.
    • Fraud is an intentional deception or misrepresentation of fact that can result in unauthorized benefit or payment.
    • Abuse means actions that are improper, inappropriate, outside acceptable standards of professional conduct or medically unnecessary.
  • The purpose is to ensure our compliance with federal, state, and local laws and regulations, as well as billing regulations and organizational policies and ethical standards.
  • Because we participate with Medicare, Medicaid, Blue Cross and Commercial insurance companies, not following these rules could have a negative impact to our patients and ultimately to our community.
  • Corporate Compliance is governed by the Office of Inspector General.
  • HIPAA Rules fall under McLaren’s Corporate Compliance Program.

Required Elements of a Compliance Program

  1. Standards of Conduct
  2. Education and Training
  3. Designation of a Compliance Officer
  4. Effective Communication
  5. Discipline and Enforcement
  6. Auditing and Monitoring
  7. Response and Prevention

1. Standards of Conducts

  • Commitment to Providing Patient Care
    • Provide thorough and complete medical record documentation. “If it’s not documented, it’s not done.”
    • Effective Communication: Good phone etiquette, eye contact, smile, friendly greeting.
    • Use AIDET and “Manage Up” to support our McLaren Excellence initiatives.
  • Commitment to Our Community
    • When out in the community, be mindful of conduct and set a good example.
  • Commitment to Ongoing Monitoring – be proactive!
    • Periodic HIPAA walkthrough audits, Same Name access audits, coding and billing audits
  • Commitment to Environmental Health and Safety
    • Follow all OSHA, FDA, Centers for Disease Control (CDC) regulations.
    • Consistently wear your name badge.
    • Question those you don’t recognize in your work area to protect yourself, your co-workers and our patients.
    • Appropriately respond to difficult situations.
  • Commitment to Proper Employment Practices
    • McLaren takes reasonable precautions to ensure the work environment is free of discrimination and harassment.
    • Do not accept anything of monetary value from patients or their family members, or from vendors or anyone else.
  • Commitment to Ethical Business Conduct
    • Outside business/employment activities must be limited to off-work time.
  • Report any Conflict of Interest.
  • Commitment to Assets and Financial Transactions
    • Use honesty when completing financial and productivity reports, travel expenses.
    • Secure equipment and supplies from theft.
  • Commitment to Accurate Coding and Billing Transactions
    • Stay current with insurance provider billing rules and guidelines.
  • Commitment to Confidentiality and Electronic Security
    • Patients should expect that we will keep their information safe.
    • Patients have rights regarding their PHI:
      • To confidential communication of PHI.
      • To access or receive a copy of their medical records.
      • To request a restriction of how their PHI is used.
      • To request amendments (changes) to their medical record.
      • To receive an accounting of disclosures when requested.
  • Commitment to Laws and Regulations
    • Anti-Kickback (Can’t accept/offer payments to induce/reward referrals)
    • Stark Laws (Physician Self Referral Law for Medicare patients)
    • Federal and State False Claims Act (Knowingly filing a false claim)
    • EMTALA (Emergency Medical Treatment and Active Labor Act)

Education and Training

  • All employees must receive a minimum of one hour Compliance and HIPAA training annually. High risk employees, such as coders and billers, are required to receive three hours of education annually.
  • Compliance Representative: An individual from each department who has taken on the responsibility of attending Compliance meetings, assisting with investigations, completing department monitors and making sure you all receive your education, whether through e-mail or at department meetings.
  • Education is posted via e-mail, on HealthStream and at department meetings.
    • Heather’s HIPAA Headline
    • Quarterly Compliance Representative Meeting Minutes
    • Mandatory Annual Compliance Training
    • Informational messages (Phishing, Phone Scams, other cyber security issues)

Designation of a Compliance Officer

  • The Compliance Officer must be a high-level official with direct access to the governing body, CEO and senior management.
  • Oversees and facilitates the Compliance Program and all related activities.
  • Compliance Officer/Privacy Officer for McLaren Bay Region, McLaren Bay Special Care, McLaren Northern Michigan, McLaren Central Michigan, McLaren Caro Region, McLaren Thumb Region:
    Sivan Laufer

Effective Communication

  • All reported Compliance and HIPAA concerns are taken very seriously, promptly investigated, with resulting action appropriate for the issue.
  • Non-Retaliation Policy
  • Chain of Command: Direct Report, Compliance Representative, Compliance Officer
  • Compliance Hotline – confidential and anonymous (if desired)
  • Employees are empowered and obligated to report any concerns or observations that may be potentially violating Compliance or HIPAA rules or McLaren policies.
  • Findings are reported to the Executive Team, to those involved, and may be a topic of “Heather’s HIPAA Headline”. Sometimes you may not see results of an investigation if the topic is of a sensitive nature.

Discipline and Enforcement

  • The Compliance Officer and Human Resources Team work together to ensure discipline is fair, equitable and consistent.
  • Any identified problems or concerns are investigated.
  • Recommendations are communicated and acted upon.
  • Education is provided when deemed necessary.
  • Follow up monitoring is performed when appropriate to ensure ongoing compliance.

Auditing and Monitoring

  • An important component of the Compliance Program is the use of audits and other evaluation techniques to monitor ongoing compliance.
  • Internal Audit examples include coding accuracy and Same Name Access audits.
  • External Audits: Plante Moran performs Bay’s audits.
  • Surveys: Accrediting agencies such as The Joint Commission
  • Risk Assessments: HIPAA walkthrough audits, security audits

Response and Prevention

  • Record: Determine the who, what, where, when and why of a reported concern, situation or event.
  • Evaluate and Analyze: How could things have been done differently? Are there conditions that contributed to the situation that need to be changed?
  • Address: Take action. Make changes to a process, investigate other alternatives, provide guidance and discipline when warranted.
  • Educate: Communicate to those involved to ensure the same issue is not repeated.
  • Monitor: Re-audit to make sure the change is being followed and is still working. Make adjustments as necessary.

Mobile Device/Social Media Reminders

  • Even though cell phones may now be a part of our daily lives, there is a place and a time for them. Our first responsibility is to provide excellent and focused patient care.
  • You must be authorized to use your cell phone if you will be using it for work-related purposes. This includes if you will be using your personal cell phone to check your work e-mail or will be in any way communicating about patients.
  • If you are not authorized to use your cell phone during work hours, your device must be turned off or placed on silence and kept with other personal items in your locker, car, or other secure location, and should be used only during lunch and break periods.
  • Camera or videotaping may not be used unless you have obtained that specific authorization. Only hospital-owned cameras should be utilized, and only for patient-specific activities, such as the tracking of wound care.
  • Texted physician orders are not allowed and should not be accepted.
  • If you text or post on a social media site an extraordinary situation that occurred with a patient, even if you do not include patient identifying information in the message, you could be breaching patient privacy if someone can determine who you are discussing.

The Right Way to Access Your Own PHI

  • You MUST NOT use your computer or other means to access your own medical record, or the medical records of a spouse, child, other family member, friend or neighbor unless you have a work-related reason. If you are found to have done this, you will be subject to disciplinary action, including termination.
  • You may access your own medical records by submitting a request to the hospital’s Health Information Management (HIM) Department or to your physician office.
  • You may access your own medical records via the patient portal if you are a registered MyMcLaren Chart user.
  • If you witness someone accessing information without a work-related reason, you are empowered and obligated to report this to your Direct Report, your Compliance Representative or to your Compliance Officer.

Your Role in HIPAA Rule Compliance

  • Our patients have many rights under the HIPAA Rules, the most important being the right to privacy. It is your job to help maintain those rights!
  • Treat patient information the way you want yours to be treated.
  • Log out or lock computers before walking away.
  • Do not share passwords.
  • Do not use your McLaren computer to access your own information, the information of family, friends or neighbors, or to be nosy.
  • Don’t assume that because you know someone, that gives you permission to discuss their issues outside of work or with someone outside your department.
  • Stay away from social media and gossip when patient care is involved. Think before you text, tweet, snap, post, discuss or communicate in any way so that you do not violate patient privacy rules or hospital policy.
  • Report, even if they are potential violations. If you are not sure, ask!

What is your role in our Compliance Program?

  • Participate by attending your department meetings, check your e-mail regularly, and read all Compliance and HIPAA communications made available to you.
  • Follow all federal regulations, state laws and hospital policies. If you are unsure about something, ask your direct report.
  • Protect yourself and our patients from risk of a HIPAA violation by not posting anything work-related on social media and not talking about patient information away from your work area. Check fax numbers twice before hitting “send”.
  • Report! If you see or hear something that just doesn’t sit right with you, or that you know is a violation of laws, rules or policies, report it! Go to your direct report, or if they are unavailable, to your Compliance Representative, or call your Compliance Officer. You are obligated and empowered to report.

Questions for your Compliance Officer?

Sivan Laufer
Compliance Officer/Privacy Officer for McLaren Bay Region, McLaren Bay Special Care, McLaren Northern Michigan, McLaren Central Michigan, McLaren Caro Region, McLaren Thumb Region
Compliance Hotline: (989) 894-3945