What is the identification, measurement, and prioritization of relevant events that may have a material consequence on the organization to achieve its objectives

Risk Assessment, it's having the right controls in place to provide quality care

A process effected by an entity's board of directors, management, and other personnel desinged to provide reasonable assurance regarding the achievement of objectives is called....?

Objectives of Internal Controls (name 3)

1) Reliablity and Integrity of Information

2) Compliance with Policies, plans, procedures, laws, regulations and contracts 3) Safeguard Assets

4) Econsomical and efficient use of resources

5) Accomplishment of objectives and goals

What are the "types" of internal controls?

1) Preventive (e.g. ask for permission before doing an action

2) Detective (e.g. Determine if you have an issue, audit trails for accessing a patient's record)

3) Directive (e.g. put into place to advise like guidelines, P&P, training on the how to do)

Every department has its own risks and can do a Controlled Self Assesment which helps to improve upon employee buy-in, get managers involved, and do a team approach. What is a benefit of a Controlled Self Assessment from either OIG or the US Sentencing guidelines?

Periodic Risk Assessment (US Sentencing Guidelines) OIG incumbent on corporate officers/managers to ensure systems are in place to facilitate ethical and legal conduct

There are many different regulatory agencies that identify compliance risks. Name 10

1. SEC,
2. JCAHO,
3. Dept of Labor,
4. Dept of Transportation,
5. Dept of Justice,
6. Drug Enforcement Agency,
7. DME,
8. OIC,
9. FTC,
10. HHS,
11. JCAHO,
12. OSHA,
13. Treasury,
14. FBI

What are some CMS identified areas of high risk fraud? Name 5

1. Sudden changes in billing,
2. spike billing,
3. billing by inappropriate specialities or diagnosis,
4. geographical changes in billing,
5. increased beneficiary compliants,
6. compromised beneficiary / provider identities,
7. deceased patients / providers,
8. billing for part B instead of part A,
9. Identity theft,
10. High Comprehensive Error Rate (CERT) rate,
11. Hospice,
12. Nursing Facility Quality of Care,
13. DME,
14. Pharma,
15. Ambulance,
16. Research,
17. Third Party Billing

Management responsibility as it pertains to risk can be handled by implementing controls/techniques. Name four.

1) Avoid Risk

2) Transfer Risk

3) Accept Risk

4) Reduce or Mitigate Risk

Name the steps in doing a risk assessment

1) Know when to do the Risk Assessment

2) Know the purpose (Identify, Measure, Prioritize)

3) Know where to go to do a Risk Assessment (Mgmt, OIG Workplan, Fraud Alerts, Special Advisory Bulletins)

Auditing and Monitoring have distinct differences. Explain.

Auditing are formalized, independent, objective. Performed by someone with no vested interests or outcomes. Established approach for sampling Monitoring is day to day reviews, Not necessarily independent of business unit, part of doing business, approach may be informal.

Effective Auditing/Monitoring Plans consist of:

Has to be applicable to business risks/strategy Risk areas need to be understood SME's Focus on the risk area and criticality Ownership of corrective action and monitoring Follow-up Auditing

What are the steps in an auditing and monitoring plan?

1) Conduct a Risk Assessment (could include std of care/medically unnecessary procedures)

2) Prioritize the risks

3) Identify resources

4) Obtain Buyin

5) Document process of developing plan

6) Evaluate against assessed goals

7) Finalize the auditing / monitoring plan

1) Statistical (precision, could be computer system issue, overpayments for large populations, etc.)

2) Non statistical (potential area is isolated to one dept, person, etc.)

Retrospective verses Concurrent Audits can be characterized by......?

Retrospective milestone to go back to in system, you know the sample unit from system Concurrent any time up to the final, real time

1) Planning

2) Scope of Audit

3) Notication

4) Intro Mtg

5) Internal Ctls/Testing

6) Fieldwork

7) Findings / Recommendation

8) Mgmt response

9) Follow-up on CAPs

The board should review reports on the status of the compliance program, how often?

What is the term called for an organization's committment to compliance by management, employees, and contractors. Statement should summarize ethical behavior and legal principles under which the healthcare organization operates?

OIG voluntary guidance helps to enhance the internal controls of the organization. True or False

When there is poor distribution beyond the compliance officer, what happens to the organization?

Program Implementation lags which means you do not have an effective compliance program

The board must have a solid understanding of compliance objectives.

Name a consequence if this does not happen

Undue reliance on detecting vulnerabilities Weak, ineffective compliance program

Training and Education is a component of the compliance program. What are some of the responsibilities of this?

1) Educate staff, contractors on rules of compliance with their job role/function

2) Ensure visibility in to policies and procedures, and standards

What are some of the elements of an effective compliance program

1. Should be led by a member of senior mgmt team and Board supported.
2. Mission of department should be defined.
3. Compliance department should be organized.
4. Resources should be defined including staff, budget, training, and have their own autonomy to carry out the organizations compliance mission.
5. Compliance function should be autonomous and where feasible report to the board directly, not to senior counsel.
6. Good relationship with leaders in other departments

First thing one should do when considering an effective compliance program

Focus on organizational risks (risk assessment)

What are 3 benefits to a compliance program?

1. Committment to Code of Conduct.
2. Increases likelihood to prevent, detect, and correct unlawful behaviors.
3. Minimizes financial losses
4. Encourages employees to report compliance problems/issues

What is DRA and founded by?

Deficit Reduction Act founded by state Medicaid program

CMS Questions

Part A covers what?

Part B covers what?

Part C covers what?

Part D covers what?

Part A covers inpatient services provided by hospitals, SNF's and Home Health Agencies

Part B covers professional fee (physician) billing

Part C is Medicare Advantage

Part D is Medicare Pharmacy

What provided the groundwork for compliance program development?

What is the purpose of the QuiTam provision?

This is provided to a whistleblower from an organization whereby an incentive to provide information (wrongdoing against CMS) to the federal government is done. Usually this is accomplished by awarding the individual a percentage of the recovered amount

What are the penalties of the False Claims Act?

Removal from participation in governmental programs such as Medicare, Medicaid

Who can bring suit under the False Claims Act?

Attorney General

Or

Whistleblower (QuiTam)

What is the Physician Payment Sunshine Act?

Drug/Device manufacturer must disclose to government on a quarterly basis anything of value provided to physicians

Applies to companies with annual gross revenue of greater than 100 million

What is the difference between HIPAA privacy and security?

Privacy covers all forms of PHI (electronic, written, oral) whereas security ONLY covers Electronic PHI

Name a few key differences between AntiKick Back statue and Stark Law?

AKS

• Criminal/Civil
• Any Federal HealthCare program
• Any referral source
• Contains safe harbors
• OIG

Stark

• Civil only
• Medicare only
• Strict liability
• Must be a physician in the mix
• Exceptions
• CMS advisories

Stark Period of Disallowance what is this?

Period when the referrals and medicare claims and referrals are not permitted. Excluded from medicare program

Name of the safe harbors of the antikick statute

PIGSESDA is acronymn

1. Practitioner Recruitment
2. Investment Interests
3. Group Purchasing
4. Space Rental
5. Equipment Rental
6. Sale of Practice
7. Discounts
8. Ambulatory Surgical Centers

ARRA what is this? 

Breach notification under ARRA, describe

American Recovery Reinvestment Act 

Breach notification, when and how you notify when a PHI breach has occurred

What is the False Claims Act?

Most potent tool available to the government in enforcing federal fraud and abuse prohibitions

Name the 7 essential elements of compliance?

1) Policies & Procedures/Standards of Conduct

2) Compliance Officer/Compliance Committee / Compliance Oversight

3) Education and Training

4) Monitoring and Auditing

5) Reporting and Investigating

6) Enforcement and Discipline

7) Response and Prevention

What is Anti-Trust?

What is EMTALA?

What is USSC?

What is a key factor in planning for monitoring and auditing?

Scalability, you can't complete your workplan if you don't have enough resources to implement the plan by the end of the year

Response and Prevention requires ?

1) Training of people on how to conduct an investigation otherwise you can expose the organization to further litigation

2) Resolution of issues by policies and procedures

What are two primary objectives of the Board of Directors?

1. Decision Making Function apply duty of care to specific decision
2. Oversight function apply duty of care to day to day business activities, BOD can delegate to the CEO

When we use the term duty of care for the Board of Directors what does this mean?

It means that the BOD acted in:

a) good faith

b) the level of care that a prudent person would, like asking questions and understanding what is going on

c) a manner that is best for the organization

To become a Medicare Biller must setup what?

What are the primary focus areas for the Board of Directors as it pertains to compliance?

1. Structural - Understanding the scope of the compliance program
2. Operational - Understanding the operations of the compliance program

What is HIPAA?

What is Administrative Simplification?

PHI or protected health information that is collected by an individual or received by a covered entity can be used or disclosed by these four areas. Name them.

1) Uses & Disclosures for Treatment, Payment, and Healthcare Operations

2) Uses and Disclosures in public interest (e.g. flu)

3) Uses and disclosures w/an opportunity to object (e.g. spouse picking up a prescription)

4) Authorization (my permission granted)

What are the ONLY two instances where a use/disclosure does not require an authorization?

1) To the patient w/some exceptions (MH, BH, CD)

2) To the HHS to investigate alleged privacy violations

What is FERPA and is this allowed under PHI use/disclosure?

Family Educational Rights and Privacy Act, which safeguards or protects student educational records from uses and disclosures.

HIPAA consent and authorization have key differences, what are they?

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule.

Permissions and Required under the HIPAA rule are NOT the same thing. Explain

You still can be denied even if you have permissions and authorizations under HIPAA whereas required is Mandatory

Name some examples of Uses and Disclosures for other purposes aside from TPO (treatment, payments, healthcare operations)

Public Health Health Oversight Law Enforcement Avert Serious Threat Research Worker's Compensation Organ/Tissue Donation Decendents Information

What is DeIdentification as it pertains to PHI?

Removal of any identifiers or the individual, relatives, employers, or household members

What is Limited Data Set (LDS)?

Smaller paired down information necessary to do function (minimal necessary). Applies to areas such as Public Health, Research, Healthcare operations

You may disclose PHI with applicable laws and standards of ethical conduct if.....?

Good faith believes the disclosure to avert serious and imminent threat to public and/or individual.

All Uses and Disclosures of PHI that are not explicitly required or allowed under the regulations may ONLY be done with an authorization. Name 2 examples

Uses and Disclosures that provide an opportunity to object may include:

1. Facility Directory (in hospital setting)
2. Family, Friends, Others involved in patient's care or payments for patient cares
3. Notifications (natural disasters)

What information can a patient not get access to in a Designated Record Set?

Willful neglect differs from reasonable diligence, explain.

1. Reasonable diligence is the business care a reasonable person seeking to satisfy a legal requirement under similiar circumstances
2. Willful neglect is conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision.

What has OIG has identified high risk area

they are as follows

Home Health

DME

Identify the reasons for each element above as to why they are high risk for OIG

A) 

What impacts compliance infrastructure?

Size 

Financial Resources ($$)

Scope of Compliance Program

Name some Key Buy-in Techniques 

1. Motivation
2. Participation
3. Cooperation
4. Education

IN order to build to trust to facilitate what should a compliance professional do?  How to influence change in the organization.

Communicate good and bad news

Honor confidentiality

Allow frustrations 

Keep your commitment

Challenges in training physicians

1. Peer to peer instruction
2. Time commitment
3. Hesitance to open dialogue
4. Issues differ from employee

Why should training be evaluated?

1. Make sure it's correct and current
2. Make sure it's effective to identify areas of improvement
3. Is the training repeatable

What are some of the levels for training evaluation?

1. Action
2. Learning 
3. Behavior 
4. Results

Training requirements for compliance include:

1. Engaging 
2. Thought Provoking
3. Positive call for action

In a COI what is the first thing a compliance professional should do?

Has there been a disclosure?

Investigation?

Voluntary Disclosure Process with CMS

1. Validate
2. Notify Government
3. Investigate 
4. Report

You've identified a Medicare (CMS) billing issue what is the first thing you do

Stop Billing, notify CMS, and return any moneys that are due

If a provider is on the OIG sanctions list, what do you do first?  (list valuation report)

Put provider on the administrative leave

Why are Compliance Programs Important?

1. Raises Awareness (publicity exposure can harm brand/company so showing you have a compliance program helps)
2. Mitigation Factor (self disclosure penalties decrease when this is done)
3. Communicates Commitment
4. Avoids Corporate Integrity Agreemetn
5. Reduces the threat of QuiTam (whistleblowers)

If the Board of Directors do NOT exist, who should the compliance officer report to?

What is a compliance program?

1. Prevents & Detects violations of laws or policy
2. Defines expectations for employees for ethical and proper behaviors when doing business
3. Demonstrates organization's "doing the right thing"
4. Encourages problems to be reported
5. Provides mechanism for constant monitoring
6. Recommended by the government

What are some preventive ways to avoid a QuiTam (whistleblower) lawsuit?

1. Create a corporate atmosphere that encourages compliance
2. Set up a hotline
3. Listen to employees

A compliance program provides:

1. Education
2. Prevention
3. Detection
4. Collaboration
5. Enforcement

Who Needs a Compliance Program?  Name a few.

1. Physician Practices
2. DME
3. Home Health
4. Hospitals
5. Labs
6. Teaching Institutions
7. Others....

Name Organizational Steps to an Effective Compliance Program.....

1. Gain Support Commitment
   • Board
   • Management
   • Providers
   • Staff
2. Financial Support
   • Development/Start up
   • Educational Materials
   • Staffing
   • Ongoing Operations
3. Develop code of conduct
   • Organizations ethical attitude
   • Address weak areas
4. Identify Staffing needs
   • Appointment compliance officer
   • Oversight committee
   • Counsel
5. Conduct Internal Assessment
   • Interviews
   • Identify Risk Areas
6. Develop Mission and Goals

Compliance Oversight Responsibilities has different duties based on job role/function.

Name them based on the job role below:

• CEO and board of directors oversight
• Ownership/Senior Level Down
• Compliance Officer

1. CEO/Board Oversight oversee frequency of reporting and provide governance structure
2. Ownership/Senior Level Down address are resources sufficient, are compliance elements integrated into performance, how are compliance issues reported and handled
3. Compliance officer ensures they are right fit and address personal and professional risk

As part of the compliance tenets, employee training is key. name some of the elements to effective training

1. Committment presence
2. Training geared to increase compliance knowledge of employees
3. Training for high risk areas covered
4. Training incorporated into day to day business operations
5. Proof / documentation of training

What are the effective elements for monitoring and auditing?

1. Have you got an auditing plan
2. Auditing methodology what types of audits being done
3. Has your program gone beyond process audits
4. Proactive verses Reactive audits
5. Auditing strategy
6. Results reporting
7. Corrective Action and verification

What are the effective elements for enforcement and discipline?

1. Appropriate and consistent disciplinary mechanisms in place
2. Tracking system developed for disciplinary actions

If there was a problem with an employee and his manager and the compliance is contacted, what is your next action?

Direct them to Human Resources and ask for a follow-up report

If there is a detection of wrong doing, what is the first step for the compliance professional?

Contact legal counsel who can make the initial assessment of the risks involved

What is the purpose of a baseline audit?

1. Outlines current operational standard
2. Identifies real and potential weaknesses
3. Offers recommendations regarding necessary remedial actions

Compliance officer imposes disciplinary actions.

This is FALSE, since a compliance officer can ONLY recommend disciplinary actions but not impose. Management enforces discipline.

What is the next step once resources have been identified when implementing an auditing/monitoring plan?

When reviewing compliance efforts, what is the first thing to be done?

Once a compliance program is established, what is the first thing that an organization should do?

When physicians are billing for services that are performed by residents, what is this called?

You have done a compliance plan.What comprises a compliance program?

What is key techniques for obtaining buy-in?

One of the processes for risk identification is document review. Name some of the documents that should be considered for review.