Contents: Did You Know? • Member Spotlight • Upcoming Events • Member Feedback
updates and compliance happenings members of the Health Ethics Trust
BUILDING A PRIVACY AUDIT READINESS PROGRAM
In many organizations, privacy falls under the purview of Compliance. With continued increases in legislation, regulatory scrutiny, and fines/penalties in the privacy world, organizations need to be prepared for potential privacy audits. The Office for Civil Rights (OCR) started auditing HIPAA covered entities in 2012 and is continuing to expand its audit program. Pre-planning and performing audit pre-work will make everyone’s lives easier and reduce stress when your organization becomes the subject of an audit. Compliance should partner with Internal Audit to develop an audit readiness program. Below are a few basic steps that will help you prepare and simplify the audit process.

Identify a core team of individuals who will be responsible for key activities during the audit, including reviewing the audit request, making determinations regarding the audit responses, and reviewing/approving documentation prior to providing it to the auditor. This team may include representatives from the Privacy Office, Information Security, Legal, Human Resources, Corporate Security and the Internal Audit team. This core team will be key decision makers throughout the audit process.
Pastin’s Perspectives are just that - perspectives or opinions on compliance issues. The opinions expressed are not necessarily those of the Health Ethics Trust and should not be construed as legal compliance advice.
Health Ethics Trust, 214 South Payne Street, Alexandria, VA 22314, HealthEthicsTrust.com, 703.683.7916

What is Population Health?
Okay, this is not exactly about compliance but it is about something that should matter to compliance professionals. Somewhere along the road to healthcare reform, the term “population health” entered our vocabulary. How can anyone oppose something called population health? But before we join the parade shouldn’t we ask what population health is?
Population Health, Cont.:

In its most natural meaning “population health” is no more or less than the health of the people in a population. But this could also be called people health. Or just plain health. On this reading, the way to foster population health is to make the people in the population healthier. But if all “population health” means is making people healthier, why the new term? And what could it mean if it is not about making individuals healthier?

Another way of reading “population health” is that it means making people healthier on average. This is supported by the fact that proponents of population health frequently cite the statistic that 10% of the people on Medicare use 70% of its resources. Do people who cite this statistic expect more than 10% of the Medicare population to be critically ill at a given time? Would it be better if more Medicare beneficiaries were critically ill so that 30% of the people on Medicare used 70% of the resources? The problem with making people healthier on average is that it probably means making some people less healthy in the interests of the greatest good of the greatest number. That is fine if you are part of the greatest number, but not so good if you are one of the expensively ill. Surely this cannot be what is intended by “population health.”

Now I expect someone to say that “population health” really means something different. It means the health of the people in a specific population as opposed to the population in general. Roughly speaking, this specific population would be all of your patients or all of your prospective patients. But even if we pick a group in which you have a direct interest as “the population”, how is population health different from people health, where the people in question are your patients and your prospective patients? Is there more to the story?

To untangle “population health,” you need two other bits of healthcare reform jargon – the “medical home” and “population health management.” The medical home is supposed to keep you from seeking expensive second opinions and care options by “coordinating” your care. Who needs the Cyber Knife if a plain old knife works almost as well? But how is the medical home, which is usually a physician practice, to find time to do all of this “coordinating?” The plan is to have non-physicians deliver more of the services. Now the problem is that non-physicians, for all of their merits, are non-physicians. They have a lower level of training which someone – presumably a non-physician - deems to be enough training. This, of course, is the Euro model that everyone says we are not emulating. Maybe we can go along with the Euros on mid-wives, but how about mid-proctologists?

Maybe the payoff comes in the term “population health management.” This seems to be what we used to call “public health.” The idea is to get people to abandon unhealthy lifestyles and seek medical attention before they end up in the emergency room. This is to be accomplished by giving people more face time with medical professionals who will coax them into better conduct. Public health is obviously commendable but it is unclear whether people will spend more time being obediently instructed by nurses or PAs.
DID YOU KNOW? The Health Ethics Trust is partnering with NHS Human Services to sponsor the inaugural National Symposium on Quality and Compliance. We are still accepting proposals for quality and compliance presenters at the National Symposium on Quality and Compliance. We are especially interested in presentations that highlight innovative approaches to integrating compliance with quality. Please visit: www.healthethicstrust.com/nsqcproposals for more information and to submit a proposal.
Compliance Commoner - March 2014
Population Health, Cont.:

One of the reasons that people avoid interacting with the healthcare system until they end up in an emergency room is that the modern medical experience diminishes our individuality. When we speak of population health, as opposed to individual health, we further dehumanize the healthcare process. Folks are so invested in population health and its related nomenclature, such as “Accountable Care Organization,” that it will be hard to get disinterested data on whether population health delivers benefits. If the outcomes are not good, this will not only signal medical failure; it will signal the failure of healthcare reform. So who is going to collect data showing a higher error rate in diagnosis if more of it is handled by nurses and PAs? Who wants to find out if there are more deaths when healthcare professionals are rewarded for steering patients away from ERs?

Perhaps we would accomplish more if we called our efforts to improve healthcare “people-focused healthcare.” If we improve the health of people, the population will take care of itself.

Add your own Perspective to this article in the Members Only section of the HET website: www.HealthEthicsTrust.com/pastinsperspective.

Reach Mark directly at: email@example.com

If there is a topic you would like discussed in Pastin’s Perspectives, please e-mail Karissa Chadwick at: firstname.lastname@example.org
In each issue, we profile a member of the Trust and ask them five compliance-related questions. This month’s member is Linda Martin, Compliance Officer at CGS Administrators, LLC. Linda Martin has 27 years of experience in healthcare administration and regulatory compliance. Her business operations experience in the healthcare provider setting has provided her intimate knowledge of the regulatory and compliance issues surrounding healthcare claims and billing. Her 15 years of hands-on experience managing healthcare auditing and corporate integrity has given her an in-depth knowledge of the overall ramifications and importance of compliance within the healthcare industry. In her role as Compliance Officer for CGS, Ms. Martin is responsible for all CGS-related compliance, ethics, and privacy matters. Prior to joining CGS, Ms. Martin served as Vice President of Compliance and Privacy Officer for the University of Tennessee Medical Group.
5 Questions:

HET - Many people may not be familiar with the name “CGS Administrators” - who are you and what do you do?

LM - CGS is a Medicare Administrative Contractor aka MAC. We have been a Medicare contractor since the inception of the Medicare program in 1966. CGS was formerly Cigna Government Services; we were purchased from Cigna by BCBSSC in May 2011. We service over 20 million beneficiaries and 85,000 providers. We currently are the DME MAC for Jurisdiction C for the Southeast which equates to 42% of all Medicare DME claims and are the MAC for Jurisdiction 15 AB MAC Contract which includes A/B Claims for Kentucky and Ohio as well as the Home Health & Hospice for Region B.

HET - What is the role of the MAC Compliance Officer and does it differ from a provider or health plan CO?
Upcoming Events:

Washington Executive Course
April 7-9, 2014 • Washington, DC
www.healthethicstrust.com/ecc

National Symposium on Quality and Compliance
June 9-10, 2014 • Philadelphia, PA
www.healthethicstrust.com/NSQC

Best Compliance Practices Forum
October 20-21, 2014 • DC Metro Area
http://www.bestcompliancepractices.com

As always, we consider it of prime importance to assist our members who would like to attend our programs and provide partial tuition scholarships on a case by case basis. Don’t be afraid to ask us about this as we want to see you at a program above all!
Building a Privacy Audit Program, Cont.:

Once you receive the audit request, you will have a very tight timeline in which to pull together anything that is needed. Create a timeline of the activities that will happen once the audit notice is received and develop a project plan to prepare the company for the audit. Identify who will be responsible for each activity. Think about the pre-audit, during-audit and post-audit activities that need to occur. Who will greet the auditors, get them the access they need, and escort them while on site? Thinking carefully through these details will keep you from scrambling at the last minute.

The timeline should include activities such as review of the audit request, communications to leadership informing them of the audit, kick-off meetings with key stakeholders, the collection of information pertaining to the audit, and daily meetings with stakeholders. The timeline should walk through all activities that will take place from the moment the notice is received, through the audit finding review, through the corrective action processes, down to the lessons learned session that will occur at the end of the audit process. Be sure to include daily meetings with participants of the audit to ensure that they are making progress on their responsibilities and that you are aware of any issues as quickly as possible.

Develop a playbook that documents your plan. Include any background information that business partners may need (who is auditing, under what requirement, and what they will be auditing), define the roles and responsibilities of each participant, include the timeline and project plan for the audit, insert helpful information that others may not know, such as tips on the interviewing process, and provide guidance on format and where data should be placed, any legal disclaimers that need to appear on documentation, an overview of the review/approval process, and who to contact with questions. Make sure that you do your homework and have as much detailed information as possible on the format, legal disclaimers and how the auditor wants to receive the information, to avoid rework. Writing down the details will solidify your plan. You may not be audited right away, and people tend to forget everything that you have told them and panic when they hear the word “audit”. Having this information written down will help keep everyone focused and moving in the same direction.

Identify and document the stakeholders that you will be asking to participate in the audit process and define everyone’s roles and responsibilities. Bring all of these players to the table to review the playbook and the roles and responsibilities, and get their buy-in prior to the audit. This will give everyone the opportunity to ask questions, confirm that any assumptions made are correct, and identify any gaps in your planning process. Do not forget to include your business associates or downstream vendors in these discussions to make sure that any information that you may need from them can easily be obtained.

For each communication noted on the timeline, create a communication plan: identify each communication that may be needed, its key messages, and the target audience, and develop draft templates that can be tweaked and easily updated. Having these communications ready will take unnecessary work off your plate during the audit so your time and attention can be focused elsewhere.
Building a Privacy Audit Program, Cont.:

Have a map or crosswalk that shows how you comply with each of the compliance requirements. There are governance, risk, and compliance tools available for purchase that create a map, or you can use a simple spreadsheet. Include the citation and related language regarding the requirement, any policy that the organization follows, and any training, communications, related tools, systems, monitoring and ongoing testing that takes place in the organization and shows how you comply.

Perform mock audits. You definitely want to know about any issues now instead of when an auditor has their eyes on you and the clock is ticking. Pay close attention to the quality of the documentation that is provided by the business and the amount of time that it took to collect the information, note any issues or concerns that you have found, and develop a formal corrective action plan to address each issue. You still have time to fix things prior to the audit.

Taking the time to pull together a thorough audit plan is smart. It will enable you, leadership, and the company to be well prepared for the audit. It will help everyone to be on the same page and reduce confusion during the audit process. Be sure to schedule a regular review of your audit program materials. Develop a plan to keep stakeholders engaged after the initial meeting, including sharing your playbook and process. Engage leadership and make sure they are aware of the potential for audits and the plan. You do not want an audit to surprise your leaders. These leaders can help set the tone at the top and help you get the support and resources needed.

Deidre Rodriguez currently serves as the Director of the Corporate Privacy Office and Regulatory Oversight at WellPoint. She has over 20 years of healthcare experience, 15 years of compliance experience, with 10+ specifically focused on privacy.
Deidre also manages the Regulatory Oversight team which monitors implementation of laws, and regulatory exams. Center. You can reach Deidre at: Deidre.email@example.com
5 Questions, Cont.:

LM - The role of the MAC Compliance Officer is to ensure that the organization has strong internal controls and processes. Several times a year there is a requirement to certify to CMS that we have strong internal controls that are effective. MAC COs are responsible for internal and external audits of internal controls. I review and approve all Conflict of Interest disclosures which are required at the start of employment and annually thereafter. Another requirement is to evaluate Organizational Conflicts of Interest that may arise as we bid pursue new contracts. We have a hotline that is handled by an external vendor as well as a web reporting site and dropboxes. I am responsible for reviewing all issues that are presented and conduct the investigation or, if referred to another area for investigation, I review and approve the resolution. As the Business Associate to CMS, CGS is required to report all PHI and PII disclosures to CMS within 1 hour and to issue a final report within 45 days. It is my responsibility to ensure that CGS meets those requirements and in some cases conduct risk assessments to determine whether a breach has occurred. I review and approve the annual risk assessment and annual audit plan and report 3 times per year to the Audit Committee of the Board. Other areas that are the responsibility of compliance include Change Management ensuring that all CMS changes and technical directives have been implemented appropriately and timely, working with the OIG on audits and investigations, and participation in the bid and proposal review process. This is a high level summary of the role of the MAC CO. It is a challenging yet rewarding position.

HET - Conflicts of Interest programs are required for government contractors, but not as widely adopted elsewhere. How does your COI program advance the compliance program and why would you advocate for other organizations to adopt more robust COI programs?

LM - Failure to identify an individual or organizational COI can result in the loss of a Contract for CGS. Because this COI is a contractual requirement, our COI program is robust and well understood by our employees. The first assignment for all new hires is to complete a COI disclosure; this is before new staff get beyond the lobby. The forms are completed online and sent to the CO for review. The second assignment is new hire training which addresses COI, our policies and procedures related to COI, and the requirement to report all potential conflicts. Current staff are required to update their COI annually (unless there are changes throughout the year that are reported) and to attend Compliance Refresher training which includes COI information.
5 Questions, Cont.:

At the organizational level, I review all subcontractor COI disclosures to confirm that there are no COIs. In addition, I participate in the bid and proposal process with the responsibility of determining any potential organizational conflicts of interest that could arise as the result of any new contracts. As a MAC, CGS is required on an annual basis to have a COI audit completed by an external audit firm, the results of which are provided to CMS. Contractors are required per the Contract with CMS to disclose all actual, apparent and potential conflicts of interest. Failure to have a process in place to identify potential conflicts of interest can quickly result in the loss of a contract; therefore it goes without saying that a key component of a strong compliance program is a robust COI program.

HET - What do you think the most powerful tool a compliance officer has in their toolkit to help combat fraud, waste and abuse?

LM - I would say clear and consistent communication is the most powerful tool. Communication can be in the form of education and not just during the annual training; I educate throughout the year with quiz questions, emails, posters, attending team meetings to help facilitate discussion. Clear policy and procedures and work instructions are another important communication tool. Having metrics for measuring compliance. Ensuring that your staff own compliance and that they understand the requirements related to the work they do. Publicizing how concerns are to be reported. Engaged leadership who support the program. Integrating compliance into the culture so that it is not seen as something we must do; it is something that we do to improve quality, efficiency and make CGS a better place to work and provide high quality service to our Customer.

HET - The compliance profession has matured and evolved greatly over the past ten years. However, with the current pace of regulatory change, what more could be done to prepare current and future compliance professionals?

LM - More thinking outside the box. Don’t just focus on your organization or organizations that are just like you. I wish I had spent more time and energy focusing on CMS compliance standards for Contractors. There is a wealth of information on the CMS web site that is directed towards contractors but is applicable to any health care entity. One example is the compliance assessment tool that CMS published for Medicare Advantage Plans; modify the tools and use them to assess your programs. The compliance professional cannot be reactive. Compliance Officers must become more proactive! The complexity and challenges we face today versus 1998 when I started working in compliance are like night and day (please insert better analogy). Current and new compliance professionals have to take their programs to a different level; it’s not just about documentation, coding and billing. We have to partner at many more levels of the organization and integrate a culture of compliance into our day to day operations at all levels. Failure to do so should not be an option.
Member Feedback

“Members Matter” - that’s our motto here at the Trust. If there is anything we can do to bring more value to your membership, let us know, and we’ll do our best to help. Do you have a topic you would like covered in an audioconference? Is there a sample policy that could assist you? Would you like to participate in one of our committees or working groups? Reach us at 703.683.7916 or at: firstname.lastname@example.org