Investigation and Remedial Measures Flashcards

1
Q

Discuss disciplinary actions associated with non-compliance or substandard care.

A

Because disciplinary matters are often handled by Human Resources, the compliance professional must be included in discussions when non-compliance is an issue, and this should be formalized in policies and procedures.

When non-compliance requires reporting to regulatory agencies, it’s especially important that disciplinary action be carried out immediately and commensurate with the violation. If, for example, a workforce member has intentionally breached privacy regulations, such as by unauthorized access to or sharing of patient records, or has purposely upcoded to increase reimbursement, delay may increase the risk of repeated offenses and further financial penalties, as well as giving the individual involved the opportunity to attempt to alter records.

A formal disciplinary conference is generally held with the individual to obtain information and complete a disciplinary action form, and the policies should clearly state whether the compliance professional is to be included or updated.

All records of compliance violations and actions taken must be stored for 10 years, including the date the violation was discovered and the dates of all subsequent actions.

2
Q

Discuss coordinating with management that timely disciplinary action is taken.

A

If an employee may be involved in non-compliance or substandard care, an investigation should be carried out to determine culpability and disciplinary actions. Often, healthcare organizations respond by immediately suspending without pay or terminating employment, although various other actions are possible, so the course of action should be determined by the severity of the possible violation and the circumstances under which it occurred.

One possibility is to require that the employee in question be monitored by another employee (usually a supervisor) or be assigned to limited duties. Job reassignment may also occur so that the employee is placed in a different department or position during the investigation. The employee may also be suspended with pay (usually for a predetermined period of time, such as 2 weeks).

Once the investigation is completed, then the final disciplinary action can be determined.

3
Q

Discuss communicating suspected noncompliance.

A

Corrective action plans are developed in response to non-compliance.
Steps to developing the plans include:

  • Selecting members to serve on the corrective action team.
  • Identifying the specific violation, not just the category of violation, and any errors and deficiencies.
  • Analyzing how noncompliance has affected the organization and determining all aspects of the violation and resulting problems.
  • Conducting a root cause analysis to determine the cause of the problem.
  • Brainstorming and creating a corrective action plan to resolve issues identified through root cause analysis. A cost-benefit analysis may be carried out to determine the most cost-effective corrective action.
  • Establishing a timeline with achievable deadlines and targets. FMEA may be carried out before implementation.
  • Implementing the corrective action plan, including communication and training efforts for organization members.
  • Conducting ongoing monitoring and follow-up to ensure that the compliance issues are resolved, which may include auditing and internal investigations.

4
Q

Discuss the corrective action plan.

A

Each organization should have established procedures for reporting suspected non-compliance issues (violations, fraud), such as through a hotline, web portal, communication with the compliance professional or compliance committee, or through the chain of command.

All members of the organization should be advised of their obligation to report noncompliance.

Guidelines for reporting should be available to all members of the organization and should provide examples of issues that should be reported and those that typically do not require reporting. The guidelines should include the expected timeframe for reporting and the methods of reporting.

The confidentiality and non-retaliation policies should be outlined as part of the guidelines as well as incentives for reporting.

Reports should be given with as much detail as possible. All reports should be investigated promptly because failing to do so may result in whistleblowing, which can be very costly to an organization.

5
Q

Discuss the role of root cause analysis in the development of corrective action plans.

A

Root cause analysis (RCA) is a retrospective attempt to determine the cause of an event, often a sentinel event such as an unexpected death, or a cluster of events.

Root cause analysis involves interviews, observations, and a review of medical records.

Often, an extensive questionnaire is completed by the professional doing the RCA, tracing essentially every step in hospitalization and care, including every treatment, every medication, and every contact. The focus of the RCA is on systems and processes rather than individuals. How did the system break down? Where did the problem arise? In some cases, there may be one root cause, but in others, the causes may be multiple.

The RCA also must include a thorough review of the literature to ensure that process improvement plans based on the results of the RCA reflect current best practices. Plans without RCA may be nonproductive. For example, if an infection were caused by contaminated air, process improvement plans to increase disinfection of the operating room surfaces would not be effective.

6
Q

Discuss the role of peer review in the development of corrective action plans.

A

Peer review is a review by a like practitioner with similar training, experience, and expertise. In some cases, the pool of practitioners within one organization may be too small, so external peer reviews may be required. Peer review is often triggered by a root cause analysis that indicates the need to focus on an individual in the development of corrective action plans, sometimes related to utilization review. The Joint Commission focuses on the process of peer review in both design and function.

  • The design should include definitions of “peer,” methods in which peer review panels are selected, triggering events, and time frames as well as outlining the participation of the person being reviewed.
  • The function must be consistently applied to all individuals, balanced and fair, adherent to timelines, ongoing, and valuable to the organization. Decisions should be based on solid reason and literature review and must be defensible.
7
Q

Discuss the role of FMEA in the implementation of corrective action plans.

A

Failure mode and effects analysis (FMEA) is a team-based prospective analysis method that attempts to identify and correct failures in a process before utilization to ensure positive outcomes.

Steps to the process include:

  1. Definition: Define process and scope.
  2. Team creation.
  3. Description: Flow chart with each step in the process numbered consecutively and sub-steps lettered consecutively.
  4. Brainstorm each step for potential failure modes.
  5. Identification of potential causes of failures: Root cause analysis.
  6. Listing potential adverse outcomes (to patients).
  7. Assignment of severity rating: Adverse outcomes are rated on a 1-10 scale for severity of the failure.
  8. Assignment of frequency/occurrence rating: Potential failures rated on a 1-10 scale for the probability of failure in the prescribed time period.
  9. Assignment of detection rating: Potential failures are rated on a 1-10 scale for the probability that they will be identified before occurrence.
  10. Calculation of risk priority number: Multiply severity, occurrence, and detection ratings (S × O × D) to find the RPN.
  11. Reduction of potential failures: Brainstorming.
  12. Identification of performance measures.
8
Q

Discuss cooperating with government inquiries and investigations.

A

Government inquiries and investigations of fraud are handled by more than 10 federal government entities as well as state Medicaid fraud investigative units and other state agencies:

  • Formal: If a government agency initiates a formal investigation, the covered entity should receive a notice, such as a subpoena requesting specific types of information as well as information in broad categories. If a judge grants a warrant for search and seizure, this may take place immediately. The covered entity must comply but may seek legal advice.
  • Informal: The government may send a letter indicating that they are conducting a study or carrying out research and need information. Government agents may also question or interview employees in an informal manner. Informational letters may be sent that provide information and also request information. Informal inquiries may change to formal if violations are found.

All types of inquiries should be treated as formal in that the covered entity should reply promptly and comply with all written requests for information and documentation. Employees should be advised to notify the compliance professional (in person or by hotline) of any inquiries (such as informal questioning). Under no circumstances should information/documentation be altered, hidden, or destroyed.
9
Q

Discuss reporting fraud to the OIG.

A

The Office of the Inspector General accepts reports of fraud, waste, abuse, crime, gross misconduct, or conflicts of interest related to federal programs, such as Medicare, Medicaid, and other HHS programs. Reports come from employees of HHS, grantees, and contractors reporting wrongdoing at HHS and its programs (AKA whistleblower complaints), as well as reports about these individuals.

Complaints may include:
• False/Fraudulent Medicare/Medicaid claims.
• Kickbacks for referrals.
• Medical identity theft (Medicare/Medicaid).
• Violations of EMTALA (failing to stabilize emergency patients).
• Abuse/Neglect in nursing home and long-term care facilities.
• Human trafficking by employees of HHS, contractors, or grantees, including procuring a commercial sex act.

The OIG provides a number of ways to file complaints:
• Tipline: 1-800-HHS-TIPS; TTY: 1-800-377-4950; FAX: 1-800-223-8164
• Web: https://oig.hhs.gov/fraud/report-fraud/
• Mail: US Dept of HHS, OIG; ATTN: OIG Hotline Operations; PO Box 23489; Washington, DC 20026

Those filing complaints may disclose their identities to OIG, HHS, and others; disclose only to HHS-OIG; or remain anonymous (although the HHS-OIG cannot then investigate a whistleblower retaliation complaint). Restricting identification may limit the ability of the HHS-OIG to investigate.

10
Q

Discuss breaches of the Health Insurance Portability and Accountability Act (HIPAA [45 CFR 164.404 to 408]).

A

HIPAA Breach Notification Rule (45 CFR 164.404 to 408) requires covered entities to report any breaches in protected health information:

  • Individuals: Notification by standard mail or email (if the individual has agreed) as soon as possible but no later than 60 days after the breach. If lacking contact information for 10 or more individuals, notice must be placed on the organization’s website for 90 days with a toll-free telephone number or notice provided in print or broadcast media. For fewer than 10 individuals, alternate notification, such as by telephone, is permitted. Individual breaches are reported to the HHS Secretary annually.
  • 500 or more individuals: In addition to individual notification, notice must be given to prominent media outlets serving the affected states no later than 60 days after the breach. The HHS Secretary must be notified electronically within 60 days after the breach. If the breach affected fewer than 500 individuals, the HHS Secretary must be notified within 60 days of the end of the calendar year in which the breaches occurred.
11
Q

Discuss reporting Medicare/Medicaid fraud.

A

Medicare/Medicaid fraud may involve (1) billing for services not actually provided, (2) billing for patients not actually seen, (3) billing for unnecessary services, procedures, and tests, and (4) upcoding (billing for a service at a higher level than that provided, such as billing for a complete physical exam when only a partial examination was carried out). According to CMS, about 10% of bills involve some type of fraud. Note that the whistleblower is protected by law and may be eligible for a reward.

Procedures for reporting include:

  • Medicare: Telephone report at 1-800-633-4227, TTY at 1-877-486-2048, online at the Office of the Inspector General or call directly at 1-800-447-8477 or TTY at 1-800-377-4950 or fax (up to 10 pages) to 1-800-223-8164 or Email (up to 10 pages) to HHSTips@oig.hhs.gov.
  • Medicaid: Reports can be made by calling the Department of Social Services or the State Medicaid Agency in the state where the fraud occurred. Other options include the Medicaid Fraud hotline at 1-888-742-7248 or online at https://www.medicaidfraudhotline.com/.

Convictions may result in fines, prison terms, and/or loss of license to practice.

12
Q

Discuss notification of breaches by a business associate (45 CFR 164.410 to 414).

A

A business associate that discovers a breach of PHI (45 CFR 164.410 to 414) must notify the covered entity (such as a physician or healthcare organization) as soon as possible but no later than 60 days after discovery. The business associate must provide the identification of each individual whose PHI was breached (which means that the PHI was improperly accessed, acquired, used, and/or disclosed) and any other available information. Notification may, however, be delayed if it may in some way impede a criminal investigation or damage national security.

In that case, the law enforcement official must provide either:

(1) a written document that indicates the time period required for the delay, or
(2) an oral statement that is documented by the business associate and that identifies the official. With an oral statement, the delay cannot exceed 30 days, although the time can be extended if, within that 30-day period, the official presents a written document.

In the case of violations, the business associate is required to make all required notifications.

13
Q

What is an internal investigation?

A

A review of the provider’s own programs or activities, conducted by attorneys and/or investigators operating at the provider’s discretion.

14
Q

When establishing an investigative team, what is one area that should be clearly defined?

A

It is imperative that an investigative team have a clearly defined reporting relationship. The provider needs to define the reporting relationship at the outset and designate one point of contact to direct internal or external legal counsel.

15
Q

Why should a provider retain lawyers during an investigation?

A
  • The regulatory and reimbursement issues typically under review arise from legal requirements.
  • These issues often raise questions of ethics, obstruction of justice, and criminal liability.
  • The work becomes protected under the attorney-client privilege.

16
Q

TRUE/FALSE
Is it required that outside consultants and attorneys used for investigations must confirm that they have complied with HIPAA?

A

TRUE

17
Q

TRUE/FALSE
Is it required that outside consultants be used for investigations?

A
  • Stabilize the situation; stop any further errors or violations immediately.
  • Prevent obstruction of justice: destruction of tangible evidence and suborning false testimony from witnesses.
  • Establish a document retention plan if one does not already exist, or re-evaluate the existing one.

18
Q

What is considered a “document”?

A
  • Paper documents
  • Electronic data (files, spreadsheets, databases)
  • Email
  • Electronic transactions

19
Q

What should a provider’s policy state about whistle blowers?

A

The provider’s policy must be absolutely clear that no one should punish, demote, transfer, or otherwise retaliate against a whistle blower.

20
Q

What should employees know about voluntary disclosure to the government?

A
  • They should speak with legal counsel (external) prior to voluntary disclosure
  • No employee is obligated to speak with the government
  • Tell the truth
  • Employees are not allowed to provide the investigators with the provider’s property (records, documents, etc.)
  • They may stop the interview at any time
  • A lawyer can be present
  • They can choose the place and time of the interview
  • There is no such thing as “off the record”
21
Q

TRUE/FALSE
The provider can pay for an employee’s private legal counsel when seeking legal advice for voluntary disclosure?

A

TRUE. Although the employee cannot use in-house legal counsel due to conflict of interest, the provider can offer to pay for external counsel.

22
Q

What are the components of an investigation Final Report?

A
  • Trigger of the investigation
  • The steps the investigator took
  • The facts they uncovered and their sources
  • An analysis of the nature and extent of the provider’s potential liability, both civil and criminal
  • Recommendations on how to prevent similar problems in the future
  • Recommendations on the provider’s obligations upon receiving the report
23
Q

How should recommendations to investigations be handled by compliance?

A
  • Compliance should ensure corrective action plans are developed in response to noncompliance
  • Compliance should monitor the effectiveness of corrective action plans in response to noncompliance
24
Q

Discuss the OIG’s recommendations for compliance violations and investigations

A

The OIG’s recommendations for compliance violations and investigations include:

  • Determining if a violation has occurred and taking corrective actions: referral to criminal/civil law enforcement, corrective action plan, report to government, and repayment of overpayments.
  • Carrying out an investigation of alleged violations with interviews and record reviews. Outside counsel and/or auditors and health care experts may assist with the investigation.
  • Ensuring thorough documentation of all steps in the investigation, including documents reviewed and witnesses interviewed as well as any disciplinary action and corrective actions.
  • Reporting findings of violations and/or misconduct to the appropriate governmental authority within no more than 60 days after credible evidence of violation was found. Failure to repay overpayments within the specified time may be considered an attempt to conceal.

Appropriate governmental authorities include the Department of Justice (Criminal and Civil divisions), the district’s U.S. Attorney, and the investigative arms for the agencies administering the affected federal or state health care programs, such as the State Medicaid Fraud Control Unit, the Defense Criminal Investigative Service, and the Offices of Inspector General of the Department of Health and Human Services, the Department of Veterans Affairs, and the Office of Personnel Management (which administers the Federal Employee Health Benefits Program).

25
Q

Discuss corrective actions when noncompliance occurs in research

A

Research is common in health care organizations, especially teaching and university hospitals. Non-compliance may be intentional or unintentional, but corrective action must be taken to resolve the problems. In some cases, though no errors occurred in the research protocols, unanticipated adverse events may occur. Non-compliance may include falsification of data, non-consent, deviation from protocol approved by the Institutional Review Board (IRB), enrollment of unqualified subjects, forgeries, lost data or equipment, or medical errors.

When compliance issues are associated with research, then corrective action must be carried out:

  • Suspend/terminate research.
  • Ask subjects to sign consent forms again.
  • Advise subjects of non-compliance issues.
  • Reinstitute training for researchers.
  • Increase monitoring of research activities.
  • Restrict financial support/resources.
  • Correct or retract any publicized (print, other media) false information.
  • Limit the use of collected data.
  • Suspend/Bar researchers from carrying out further research.
  • Ensure required notifications and disclosures are carried out.
  • Carry out a follow-up with participants.
26
Q

Discuss the compliance professional’s role in facilitating communication with accrediting and regulatory bodies

A

The compliance professional’s role in facilitating communication with accrediting and regulatory bodies includes:

  • Understanding the preferred method of communication (electronic [email or messaging], telephone, personal contact, or postal mail) and to whom or what department communication should be directed.
  • Utilizing the correct format for communication.
  • Keeping abreast of all changes and compliance issues that may need to be addressed.
  • Maintaining open communication with administration and others who deal with compliance issues and reporting any changes or issues of concern.
  • Anticipating the need for more information or clarification.
  • Maintaining a timeline and monitoring activities, tracking survey and reporting dates.
  • Communicating at the appropriate time.
  • Consulting others about issues of concern and actively seeking input.
  • Greeting and orienting surveyors to the facility and introducing them to key stakeholders.
  • Preparing notes and talking points for administrators and others involved in compliance.
27
Q

Discuss steps to take to prepare for government/external audits

A

Steps to take to prepare for government/external audits include:

  • Describe the step-by-step process of responding.
  • Identify key participants who must be part of the process.
  • Develop appropriate policies and procedures for onsite auditing.
  • Educate the workforce regarding different types of audits and the necessity of compliance and accurate documentation.
  • Provide targeted education to workforce members in different departments.
  • Anticipate the types of records that may be requested and the most effective methods of quickly obtaining the records.
  • Establish anticipated timeframes for complying with records requests.
  • Provide guidance regarding different federal government audit entities (CERT, DOJ, MAC, MIC, OIG, etc.).
  • Review any requests to determine if the extrapolation method (which poses financial risk) will be employed (reviewing a few records but requiring overpayment refunds for a much larger number).
  • Determine the types of appeals that may be applied to secure payment for each claim.
28
Q

List and briefly describe the federal government auditing entities: CERT, HEAT, MFCU, MIP, MIC, MAC, and RAC

A

The federal government’s auditing entities include:

  • Comprehensive Error Rate Testing Program (CERT): Monitors accuracy of payments in Medicare Fee-for-Service program and performance of Medicare contractors.
  • Health Care Fraud Prevention and Enforcement Action Team (HEAT): Joint initiative of HHS, OIG, and DOJ to fight health fraud through the Medicare Fraud Strike Force.
  • Medicaid Fraud Control Unit (MFCU): State government entity certified by HHS to investigate/prosecute those defrauding Medicaid.
  • Medicaid Integrity Program (MIP): Created by the Deficit Reduction Act (2005) to combat fraud/abuse/waste in the Medicaid programs and help states combat fraud/abuse.
  • Medicaid Integrity Contractor (MIC): Contractors review provider activities, audit, and educate.
  • Medicare Administrative Contractor (MAC): Private health insurer contracted to process Medicare A and B or DME claims for Medicare Fee-for-Service beneficiaries.
  • Medicare Recovery Audit Contractor (RAC): Audit specialists identify/recover improper Medicare payments for Fee-for-service Medicare plans.
29
Q

List and briefly describe the federal government auditing entities: OIG, PERM, RADV, Medicaid RAC, OMIG, DOJ, and ZPIC

A

The federal government’s auditing entities include:

  • Office of Inspector General (OIG): Conducts investigation for fraud/misconduct for HHS programs.
  • Payment Error Rate Measurement Program (PERM): PERM measures improper payment in Medicaid and CHIP and provides error rates for the programs.
  • Risk Adjusted Data Validation (RADV): CMS audits (annual and contract-level) accuracy of HCC codes for payment for Medicare Advantage plans and adjusts payments depending on participants’ health risks.
  • State Medicaid Recovery Audit Contractor (Medicaid RAC): State programs are required to identify and recover improper Medicaid payments for those billing through the state’s Fee-for-Service Medicaid program.
  • State Office of Medicaid Inspector General (OMIG): Investigates Medicaid fraud at the state level.
  • US Department of Justice (DOJ): Investigates fraud in HHS programs through OIG.
  • Zone Program Integrity Contractor (ZPIC): Seven regional programs established by CMS to combat fraud/waste/abuse in Medicare programs.
30
Q

Discuss regulatory negotiations: Corporate Integrity Agreements

A

A covered entity that has violated the false claim statutes may negotiate with the OIG to develop a corporate integrity agreement (CIA) as part of its settlement in order to avoid exclusion. The CIA requires that the covered entity agrees to a number of conditions for a prescribed period of time, typically 5 years. The CIA does not preclude fines, and the requirements of the CIA may be costly for the organization, especially with the costs of hiring an Independent Review Organization (IRO) and paying for legal counsel.

Requirements include:

  • Hiring a compliance officer and establishing a compliance committee.
  • Developing written standards and policies.
  • Implementing a comprehensive employee training program.
  • Retaining an IRO to carry out annual reviews to ensure compliance with the CIA.
  • Establishing a confidential disclosure program (such as hotlines).
  • Restricting employment of ineligible individuals.
  • Reporting any violations, such as overpayment, reportable events, ongoing investigations, and legal proceedings.
  • Providing an implementation report and annual reports on the status of compliance activities to OIG.

The OIG may impose stipulated penalties (monetary) for failure to comply with the requirements of the CIA. The CIA is a public document that is displayed on the OIG website and publicized.

31
Q

Discuss regulatory negotiations: Reg-neg

A

Regulatory negotiations (reg-neg) are collaborative efforts between a regulatory body (such as the FDA or EPA) and interested parties to agree on new or amended regulations. Reg-neg may involve face-to-face meetings to discuss issues of concern or may be carried out completely or partially through online communication. Often, participants come to the collaboration with definite ideas about the regulations, but over time, and with discussion and feedback from others, a consensus may be reached. Reg-neg may be initiated by the regulatory body or by others in industries or businesses affected by the regulations. Reg-negs are conducted as public meetings during which the public and others who are interested in the regulations can present their points of view. For federal agencies, notice is usually placed in the Federal Register. Members of the reg-neg may be assigned to committees that work on particular aspects of the regulations under consideration. Procedures required by the Federal Advisory Committee Act and the Negotiated Rulemaking Act must be followed.

32
Q

Discuss assuring that overpayments are refunded in a timely manner:

CMS

A

Overpayments from CMS must be refunded in a timely manner. The Medicare Administrative Contractor sends a demand letter requesting the refund for an overpayment of $25.00 or more, but if a covered entity discovers the overpayment itself, the entity must refund it within 60 days of identifying the overpayment, with a lookback period of 6 years. The demand letter should explain the reason for the overpayment, recoupment options, and extended repayment options, and should also explain the entity’s rebuttal and appeal rights. Interest begins to accrue if the overpayment is not fully refunded within 30 days.

Overpayments may be paid in full or (upon request) recouped by offsetting future payments or through extended repayments. If a covered entity believes the money received was not an overpayment, it can submit a rebuttal within 15 days of receiving the demand letter or file an appeal. Medicare will contact the entity by telephone if the debt is 60 days delinquent. Day 120 after receiving the demand letter is the last day to file an appeal, and from days 126 to 150 a delinquent debt is referred to the US Department of the Treasury.

33
Q

Discuss the OIG’s Provider Self-Disclosure Protocol

A

The OIG’s Provider Self Disclosure Protocol provides a means for an organization to report a problem it has identified to the OIG. This allows the organization and the government to collaborate on reaching a solution. All health care providers, suppliers, other individuals, or entities subject to OIG’s civil monetary penalties authorities may use the self-disclosure protocol. Self-disclosing is much better for the organization than undergoing an investigation because of a complaint. If, for example, an organization has kept funds it’s not entitled to, this can incur liability under the Federal False Claims Act and the Civil Monetary Penalties Law.

The steps involved in self-disclosure include:

  • Clarifying the issue and determining if it is in fact a potential issue of fraud. Unintentional mistakes and overpayments can generally be dealt with through the Medicare contractor in the refund process.
  • Consulting with a healthcare attorney experienced in federal health care programs to confirm that the issue relates to fraud and to discuss options.
  • Making a decision about where and to whom to disclose the fraud: Some may be reported to the local US attorney’s office, Stark Law violations to CMS, and others to the OIG.
34
Q

Discuss the OIG’s Self Disclosure Protocol: Common issues and benefits for disclosure

A

The OIG’s Provider Self-Disclosure Protocol provides a means for an organization to report a problem it has identified to the OIG. Common issues that are self-disclosed include billing for items/services by excluded individuals, DRG upcoding, duplicate billing, falsification of records, alteration of records, kickbacks, and Stark Law violations. Those disclosing should consider the timing of the disclosure, because all internal investigation and calculation of damages should be completed by the time of submission or within 3 months of the submission.

Disclosures should be in complete detail and any requested information should be provided promptly. Disclosures should ideally end in a settlement agreement with the DOJ and OIG, under the False Claims Act, or the OIG, under the Civil Monetary Penalties Law.

Incentives for disclosure include (1) payment of a lower settlement (OIG generally applies a reduced damages multiplier to self-disclosed conduct) and (2) a presumption against requiring a Corporate Integrity Agreement (CIA) when the organization has cooperated fully.

35
Q

Outline the necessary elements of the narrative submission to the OIG’s Provider Self-Disclosure Protocol

A

Necessary elements of the narrative submission for all types of disclosures to the OIG’s Provider Self-Disclosure Protocol include:

  • Identifying information for the disclosing party and the Government payors.
  • An organizational chart, including names and addresses, as appropriate for the submission.
  • Identifying information about the disclosing party’s designated representative for purposes of disclosure.
  • A concise statement of relevant details, types of claims, conduct issues, time periods, and names and role descriptions of implicated parties.
  • Name of affected federal health care program.
  • Estimate of damages.
  • Description of corrective actions.
  • Disclosure of knowledge of current inquiry by government agency or contractor.
  • Name of the person who is authorized to enter into a settlement agreement.
  • Certification by disclosing party or authorized representative regarding the truthfulness of the disclosure.
36
Q

Outline the OIG’s Provider Self-Disclosure Protocol and additional information required for specific types of disclosure

A

The OIG’s Provider Self-Disclosure Protocol may require additional information for specific types of disclosure:

  • False Billing: A review must be conducted and a report generated that includes the objective of the review, the population involved, a description of the data sources, the qualifications of the personnel conducting the review, and the characteristics measured, as well as the calculation of damages. If the review is based on sampling, the sampling plan must be included and the sample must contain at least 100 claims.
  • Excluded Persons: Identification of the excluded individual and the provider identification number, job duties, dates of employment or contractual relationship, a description of any background (exclusion) checks completed before or during the employment or contract, a description of how the conduct being reported was discovered, a description of corrective action, and the calculation of damages.
  • Anti-Kickback Statute and Physician Self-Referral (Stark) Law: The method used to determine fair market value and why it is in question, the reason required payments were not made or collected or did not conform to the negotiated agreement, the reason the arrangement was not commercially reasonable, whether payments were made for services not performed or documented and why, whether referring physicians received payments from designated health services (DHS) entities or payments that took into account the volume or value of referrals without meeting a Stark Law exception, and the calculation of damages.
37
Q

Discuss the importance of subject matter experts

A

Compliance issues can be very complex and may involve regulations from multiple governmental, industry, and accrediting agencies, so subject matter experts are increasingly important to an organization:

  • Guiding compliance: When establishing protocols for compliance for a department (such as billing or information systems), the subject matter expert can provide advice about applicable regulations, monitoring methods, and time frames for reporting. The subject matter expert can point out areas of risk so that preventive steps can be taken.
  • Investigating: When an internal investigation is needed, the subject matter expert is often in the best position to guide the investigation because of a thorough understanding of the area and the implications of the investigation. Additionally, if an external investigation is in process, the subject matter expert can help to explain the process and help the organization verify findings.
  • Consulting: When questions arise about compliance issues, subject matter experts can often provide insight and information needed to ensure compliance.
38
Q

Discuss documenting and maintaining records of investigations

A

Policies for documenting and maintaining records of investigations should be in place and carefully followed so that any external investigation demonstrates that the organization followed standard procedures.

Records should include:

  • Any documents or materials provided by individuals involved in the investigation.
  • All documents or materials reviewed during the investigation whether or not they are determined to be relevant.
  • All documents and materials discovered through research and review.
  • Documentation of all communication related to the investigation.
  • All notes, summaries, outlines of procedures, messages, and reports gathered during the investigation. Note: handwritten notes should be retained even if a typed summary of the notes was completed because all versions of notes may be sought in discovery.
39
Q

Discuss assuring investigation personnel have the necessary skill sets

A

The period for retaining investigation records varies according to the applicable statutes of limitation:

  • Claims regarding public policy: 2 years.
  • Claims regarding wages and hours: 4 years.
  • Claims (qui tam) related to the False Claims Act: 10 years.
  • Records of compliance investigations: 7 years.

Retaining records for one year longer than required is often done to ensure records are available for “last minute” claims.
40
Q

Discuss measures to mitigate ongoing harm: Termination policy

A

A termination policy must be in place for when a person’s employment ends for any reason (termination for cause, resignation) or when a review of information system access indicates that access should be terminated. Human Resources should immediately notify the security official, who must ensure that the former or current employee’s access to any PHI is removed no later than the first day after termination, and ideally at the moment employment ends. If there are concerns about violations on the part of the individual or the termination is for cause, the security officer should be notified in advance so that the preventive measures are in place before the individual is informed. All termination actions should be documented.

Various methods may be utilized to prevent access:

  • Removing or locking the account of the ex-employee.
  • Assigning a new password for accounts that cannot be removed or locked because ongoing access is needed.
  • Monitoring all locked accounts at least every 6 months to determine if the account can be removed.
  • Collecting all mobile devices and equipment owned by the covered entity and allowing access to PHI or containing PHI.
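One way to check that this policy is actually being followed, as an added example that is not part of the original flashcards: the script below reconciles a constructed HR separation list against a constructed directory export and flags accounts still enabled past the deadline, shared credentials that were not rotated after a departing user who knew them, and disabled accounts untouched for more than six months that should be reviewed for removal. The record layouts, user names, and the one-day and 180-day thresholds are assumptions.

```python
"""Offboarding access reconciliation.

Added example, not from the original flashcards. The record layouts below
(an HR separation list and a directory export) and the thresholds are
assumptions; real exports would come from the HR system and the directory.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Separation:
    user: str
    terminated: date
    for_cause: bool


@dataclass
class Account:
    name: str
    enabled: bool
    last_change: date            # last enable/disable or password change
    shared_with: tuple = ()      # users who hold the credential (shared accounts)


# Constructed sample data.
SEPARATIONS = [
    Separation("jdoe", date(2024, 3, 1), for_cause=False),
    Separation("asmith", date(2024, 3, 4), for_cause=True),
    Separation("bwong", date(2023, 8, 15), for_cause=False),
]
ACCOUNTS = [
    Account("jdoe", enabled=False, last_change=date(2024, 3, 1)),
    Account("asmith", enabled=True, last_change=date(2023, 1, 10)),
    Account("bwong", enabled=False, last_change=date(2023, 8, 15)),
    Account("svc_labinterface", enabled=True, last_change=date(2024, 1, 5),
            shared_with=("asmith", "rlee")),
    Account("rlee", enabled=True, last_change=date(2024, 2, 1)),
]


def reconcile(separations, accounts, today, grace_days=1, stale_days=180):
    """Return (finding, subject) tuples for policy violations."""
    by_name = {a.name: a for a in accounts}
    findings = []
    for sep in separations:
        # For-cause terminations get no grace: access ends on the day itself.
        deadline = sep.terminated + timedelta(days=0 if sep.for_cause else grace_days)
        acct = by_name.get(sep.user)
        if acct is not None and acct.enabled and today > deadline:
            findings.append(("ENABLED_AFTER_TERMINATION", sep.user))
        # Shared credentials the departed user knew must be rotated after departure.
        for shared in accounts:
            if sep.user in shared.shared_with and shared.last_change <= sep.terminated:
                findings.append(("SHARED_CREDENTIAL_NOT_ROTATED",
                                 f"{shared.name}<-{sep.user}"))
    # Disabled accounts untouched for six months: review for deletion.
    for acct in accounts:
        if not acct.enabled and (today - acct.last_change).days > stale_days:
            findings.append(("DISABLED_REVIEW_FOR_REMOVAL", acct.name))
    return findings


def run_sample(today=date(2024, 3, 10)):
    return reconcile(SEPARATIONS, ACCOUNTS, today)


if __name__ == "__main__":
    for finding, subject in run_sample():
        print(f"{finding:30} {subject}")
```

Run against the constructed data as of 10 March 2024, the check reports the for-cause termination whose account is still enabled, the shared interface account whose password predates that user’s departure, and one disabled account that has sat untouched for more than 180 days; the policy’s own deadlines drive the thresholds, so a real run only needs the two exports swapped in.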
41
Q

Discuss measures to mitigate ongoing harm: Password, screen saver, encryption, and firewall

A

Measures to ensure the security of electronic applications containing patient information include:

  • Passwords: Passwords should be strong but not so complex that users write them down, because that increases the risk of unauthorized access. Passwords should not be birthdates, anniversary dates, or names of children or pets, and should never be shared. Many organizations still require scheduled changes (such as monthly), but current NIST guidance (SP 800-63B) advises against forced periodic rotation and instead requires a change whenever a password is known or suspected to be compromised; whichever approach is chosen, it should be written into policy and enforced by the system rather than left to users.
  • Screen saver: A password-protected screen saver (screen lock) should launch automatically after a specified period of inactivity so that information left on the screen is not exposed.
  • Encryption: Information stored in or transmitted by the application should be encrypted (converted to ciphertext) so that it cannot be read without the decryption key; a login password protects the application session, not the data on a lost disk or an intercepted connection.
  • Firewall: Software or hardware that blocks unauthorized network access to systems and data by filtering traffic against a set of rules. Firewalls can also keep Internet users out of private networks (such as clinical networks) and separate internal network segments from one another.
42
Q

Discuss measures to mitigate ongoing harm: Security Failures

A

Security failures may occur as the result of a number of different problems:

  • System penetration: Penetration can result from undetected vulnerabilities, so penetration tests should be conducted to find them before an attacker does. Perpetrators may be external attackers, insiders with technical knowledge, authorized users exceeding their access, unauthorized users, and opportunists.
  • Destruction/Sabotage: This may include physical damage to the system or deliberate alteration of applications or data. Perpetrators may be anyone with access to the system, often someone with a grievance against management or the organization.
  • Mistakes/Errors: Errors may result from poor design, incorrect entries, system changes, poorly trained personnel, and the absence of adequate procedures, policies, and education.
  • Password management: Poor practices, such as sharing passwords or posting user names and passwords where unauthorized persons can see them, allow unauthorized people to access a system.
  • Device compromise: Handheld devices, such as PDAs and smartphones, are vulnerable to theft and loss and can carry malware onto the network.
43
Q

Discuss measures to mitigate ongoing harm:

Physical Security Methods

A

Physical security is essential for computer systems. The first step is to determine who should have access to different types of equipment, then to limit access to those authorized, using user names and passwords or tokens for logical access and locks, badges, and surveillance for physical access. Servers should be rack-mounted and kept in locked, climate-controlled rooms under regular surveillance.

Vulnerable devices should remain in the locked room. Data should be backed up routinely and the backups stored or archived in a secure remote location. Workstations, including printers, should be secured. Cable locks should secure equipment, including laptops, to furniture. Workstations should be locked when unattended, and wireless access points should use strong encryption (WPA2 or WPA3) rather than open or legacy configurations. Equipment should be in restricted areas. Remote access should go over encrypted connections (such as a VPN) with strong authentication. Public Internet access should be on a separate network from the one used to transmit healthcare information.

44
Q

Discuss measures to mitigate ongoing harm:

Device Access Control

A

Device access control can encompass a wide range of technologies and procedures. The first step is to determine which classes of users may access each device and which method of authentication (password, token, biometrics) is required for role- and entity-based access.

Clear policies and procedures must be in place for both access and use of devices. Role and entity-based access should be determined by the individual role and function within the organization rather than on hierarchy. Networked medical devices and information technology (IT) devices may be on the same network and handheld devices may connect to multiple networks, so these situations pose additional security risks.

Handheld devices pose the greatest risk and must be protected by a passcode or equivalent authentication, with device encryption where the platform supports it. Access control must be strictly enforced, and those who violate security policies and procedures should have their use restricted. Each potential user of a device must be correctly identified and that user’s access controlled. Commercial access control products are available for healthcare organizations.

45
Q

Discuss measures to mitigate ongoing harm:

Time-out

A

Once a person has logged in and gained access to a computer, the computer is vulnerable if that user walks away without logging out, so computers connected to a secure system routinely have a time-out feature (automatic logoff) that locks the session after a prescribed period of no mouse or keyboard activity (usually 10 to 15 minutes). Some software programs and applications have their own time-out features. Once the time-out has triggered, a person must log in again in the prescribed manner to regain access. Automatic logoff is an addressable implementation specification under the HIPAA Security Rule (45 CFR 164.312(a)(2)(iii)), so the organization must implement it or document why an equivalent alternative is reasonable. The users’ workflow and the type of device use should be considered when setting the automatic logoff interval.

46
Q

Discuss measures to mitigate ongoing harm:

Patient Data Misuse

A

Patient data misuse is an increasing problem with the rapid proliferation of EHRs, so the compliance professional must be alert to possible violations and monitor for them, such as by reviewing audit trails.

Types of misuse include:

  • Identity theft: Someone obtains identifying information, such as Social Security numbers and credit card numbers as well as birthdates and addresses, for fraudulent purposes.
  • Unauthorized access: Although EHRs and computerized documentation systems are password-protected, providers sometimes share passwords or unwittingly expose their passwords to others when logging in, allowing others to access information about patients.
  • Privacy violations: Even those authorized to access a patient’s record may share private information with others, such as family or friends.
  • Security breach: Data is vulnerable to a security breach because of carelessness or inadequate security, especially when various business associates, such as billing companies, have access to private information.
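The audit-trail monitoring mentioned above, worked through as an added example (not code from the original flashcards): the script parses a constructed EHR access log and flags three misuse patterns, access to a patient with whom the user has no treatment relationship, one account active on two workstations within minutes (the shared-password problem noted here and in the password and security-failure cards), and rapid access to many distinct patients (a harvesting pattern associated with identity theft). The log format, the care-team roster, and the thresholds are assumptions.

```python
"""EHR audit-trail review for patient-data misuse.

Added example, not from the original flashcards. The log format, the
care-team roster and the thresholds are assumptions; a real review would
read the EHR's access log and the scheduling/care-team feed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: ISO timestamp followed by key=value fields.
AUDIT_LOG = """\
2024-03-05T08:02:11 user=rlee ws=WS-ICU-01 patient=P1001 action=VIEW
2024-03-05T08:03:40 user=rlee ws=WS-ICU-01 patient=P1002 action=VIEW
2024-03-05T08:04:02 user=rlee ws=WS-ED-07 patient=P1003 action=VIEW
2024-03-05T08:10:55 user=mpatel ws=WS-REG-02 patient=P1001 action=VIEW
2024-03-05T08:11:30 user=mpatel ws=WS-REG-02 patient=P2001 action=VIEW
2024-03-05T08:12:01 user=mpatel ws=WS-REG-02 patient=P2002 action=VIEW
2024-03-05T08:12:33 user=mpatel ws=WS-REG-02 patient=P2003 action=VIEW
2024-03-05T08:13:05 user=mpatel ws=WS-REG-02 patient=P2004 action=VIEW
2024-03-05T08:13:40 user=mpatel ws=WS-REG-02 patient=P2005 action=VIEW
2024-03-05T09:30:00 user=kchen ws=WS-LAB-01 patient=P1002 action=VIEW
2024-03-05T09:31:12 user=kchen ws=WS-LAB-01 patient=P1003 action=VIEW
"""

# Constructed treatment relationships: patient -> users on the care team.
CARE_TEAM = {
    "P1001": {"rlee", "mpatel"},
    "P1002": {"rlee", "kchen"},
    "P1003": {"rlee"},
    **{f"P200{i}": {"mpatel"} for i in range(1, 6)},
}


def parse(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review(log_text, care_team, bulk_n=5,
           bulk_window=timedelta(minutes=10), switch_window=timedelta(minutes=5)):
    """Return (finding, user, detail) tuples."""
    records = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    findings = []
    by_user = defaultdict(list)
    for r in records:
        # Access with no treatment relationship: possible snooping or privacy violation.
        if r["user"] not in care_team.get(r["patient"], set()):
            findings.append(("NO_TREATMENT_RELATIONSHIP", r["user"], r["patient"]))
        by_user[r["user"]].append(r)
    for user, recs in by_user.items():
        # One account on two workstations within minutes: shared-password indicator.
        for prev, cur in zip(recs, recs[1:]):
            if prev["ws"] != cur["ws"] and cur["ts"] - prev["ts"] <= switch_window:
                findings.append(("WORKSTATION_SWITCH", user, f"{prev['ws']}->{cur['ws']}"))
        # Many distinct patients in a short window: harvesting pattern (identity theft).
        for i, start in enumerate(recs):
            window = [r for r in recs[i:] if r["ts"] - start["ts"] <= bulk_window]
            distinct = {r["patient"] for r in window}
            if len(distinct) > bulk_n:
                findings.append(("BULK_ACCESS", user, len(distinct)))
                break
    return findings


def run_sample():
    return review(AUDIT_LOG, CARE_TEAM)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

On the constructed log the review produces three findings: the lab user who opened a chart outside their care team, the ICU account that appeared on an emergency department workstation 22 seconds after its last ICU access, and the registration account that viewed six different patients in under three minutes. Each is a lead for the compliance professional to follow up, not proof of misuse; the thresholds should be tuned to the organization’s own workflows so that legitimate float staff and registration desks do not drown the signal.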