Annual Compliance Training 2014
Self-Study Guide
Version 1.0.0
WARNING: You are required to meet with your supervisor, manager, or designated training administrator to review the answers to the knowledge check questions and to fill out the course completion and course evaluation forms.
Version Control
Date | Version | Description
November 19, 2013 | 1.0.0 | This is the version that was released to the regions January 2, 2014.
CONTENTS
Welcome
Required Meetings
A Message from Daniel Garcia
The Principles of Responsibility (POR) Attestation
Module 1: Compliance at Kaiser Permanente
Module 2: Protecting Confidential Information
Module 3: Preventing Fraud, Waste, and Abuse
Module 4: Summary and Completion
Completing Your Training
Meet With Your Supervisor or Manager
Complete the Course Completion Form
Complete the Course Evaluation Form
WELCOME
Kaiser Permanente is deeply committed to a culture of compliance, ethics, and integrity; it’s the way we do business. Meeting compliance expectations is an ongoing accountability for all of us; it is not just a single training event each year. This year’s compliance refresher includes the top privacy and information security risks and fraud risks for 2014, and how to report compliance concerns appropriately.
All existing employees and supervisors (and physicians, students, interns, vendors, and contractors as determined by regional compliance officers) of Kaiser Foundation Health Plan and Kaiser Foundation Hospitals (KFHP/H); KFHP/H’s subsidiaries and affiliates; and non-physician employees of California Permanente Medical Groups may take this course to meet their 2014 annual compliance training requirement. This self-study guide provides the required course materials and activities that meet the annual compliance training requirement for 2014. Note: If you are a new employee, you must take the General Compliance Training for New Employees 2014 course; the annual compliance training will not fulfill your training requirement.
WARNING: DO NOT TAKE TRAINING FOR SOMEONE ELSE
You must complete your own compliance training. Completing this training for someone else, or having someone do it for you, will subject both parties to disciplinary action, up to and including termination.
REQUIRED MEETINGS
There are two required meetings for using the self-study materials to meet the annual compliance training requirement.
Meeting 1 — Set Expectations
The purpose of the first meeting is to receive the self-study materials and understand the following expectations:
You will review all of the self-study materials.
You will complete all of the knowledge check questions.
You will fill out a course completion form.
You will have an opportunity to provide feedback.
Meeting 2 — Validate Completion of Training Requirements
The purpose of the second meeting is to validate that you, the self-study learner, have met the training requirements and that you get credit for taking the training. To do this, meet with your supervisor, manager, or designated training administrator to review your responses to the knowledge check questions and fill out the course completion form. Be sure to sign both the course completion and the Principles of Responsibility attestations in his or her presence. You will also have the opportunity to provide feedback, using the course evaluation form.
THE PRINCIPLES OF RESPONSIBILITY (POR) ATTESTATION
The Principles of Responsibility, or POR, is the formal code of conduct that all KP workforce members must follow. As you have learned before, the POR emphasizes the importance of honesty, integrity, and ethical behavior at Kaiser Permanente. Every year, Kaiser Permanente requires an attestation (signed or submitted online), stating that you have read and agree to abide by the POR.
You must commit to uphold the POR by completing the required annual attestation, which is included on your course completion form. Your signature means that you agree that you are accountable for complying with all of the statements contained in the POR attestation.
You are required to have read the POR as a prerequisite of this course. If you have not read the POR, you may view it online from the National Compliance, Ethics & Integrity Office website and read it before you continue with the course. It will take approximately 30 minutes to review. If you have questions, ask your supervisor for clarification.
Principles of Responsibility and related materials: https://wiki.kp.org/wiki/display/por/Home
The Principles of Responsibility Attestation Statements
Completing this requirement is a part of the Annual Compliance Training 2014 course and indicates that you are accountable for complying with the Principles of Responsibility, Kaiser Permanente’s code of conduct.
Because you are meeting your training requirement by using the self-study option, your required attestation is included on your course completion form. If you have any questions with the attestation statements, discuss them with your supervisor during your follow-up meeting when he or she validates your completion of the training requirements.
Review the following POR attestation statements.
I have received and read a copy of the Principles of Responsibility.
I understand that I am expected to conduct myself in an ethical and responsible manner in compliance with the Principles of Responsibility at all times. I also acknowledge my failure to comply with these principles can result in disciplinary action, up to and including termination.
I understand that I am also required, in good faith, to report any suspected compliance or ethics concerns I become aware of, and that I am protected from retaliation for reporting wrongdoing.
If I have any questions, I will seek clarification from the compliance and ethics resources listed in the “Know How to Get Help” chapter.
MODULE 1:
COMPLIANCE AT KAISER PERMANENTE
Compliance, Ethics, and Integrity Are Important
When we follow the Kaiser Permanente standards for compliance, ethics, and integrity, we provide better quality care and we protect our patients, our fellow employees, our jobs, and our good name.
But what does it mean to be compliant? It’s up to you to know what’s right, make the best decisions, seek assistance when you need it, and speak up when something doesn't seem right. You need to be able to:
Identify where compliance requirements originate.
Explain your role in compliance.
Choose the best resource for reporting concerns.
Identify members of the compliance community.
What the Government Expects
The federal government expects us to have a strong compliance program that includes these seven elements issued by the U.S. Department of Health and Human Services Office of Inspector General (OIG):
1. Implement policies, procedures, and written standards of conduct.
2. Designate a compliance officer and a compliance committee.
3. Conduct effective training and education.
4. Develop effective lines of communication.
5. Conduct internal monitoring and auditing.
6. Enforce standards through well-publicized disciplinary guidelines.
7. Respond promptly to detected problems through corrective action.
We need to be aware of the federal requirements, the requirements of the state where we work, and the local facility requirements to ensure that we’re working in a compliant manner.
The Principles of Responsibility
One of the OIG’s seven required elements is a written standard of conduct. At Kaiser Permanente, the Principles of Responsibility (POR) is our standard of conduct. It emphasizes how important honesty, integrity, and ethical behavior are for maintaining the trust of our members, patients, customers, each other, and business partners.
Let’s do a quick review of the POR.
To whom do the Principles of Responsibility apply?
Section 1.1 of the Introduction, “Does the Principles of Responsibility Apply to Me?”, indicates that compliance is everyone’s responsibility. Anyone who works for or on behalf of Kaiser Permanente is required to follow all applicable laws, policies, and the Principles of Responsibility, Kaiser Permanente’s code of conduct; this includes all of our physicians and employees.
Included in this section is information on the failure to comply with the code of conduct and how it can result in disciplinary action, up to and including termination.
Does the Principles of Responsibility address retaliation?
Yes. Section 7.4 of the “Help Make Kaiser Permanente a Best Place to Work” chapter, “Know the Facts About Retaliation,” describes how Kaiser Permanente prohibits retaliation of any kind against whistleblowers, individuals who, in good faith, report noncompliance or fraud, or who assist in investigations.
All Kaiser Permanente physicians and employees are covered by the whistleblower protections in the Federal False Claims Act, and other federal and state whistleblower laws and regulations.
Does the Principles of Responsibility provide guidance on avoiding conflicts of interest?
Yes. Section 8, “Avoid Conflicts of Interest,” provides guidance. You must avoid even the appearance of a conflict of interest.
Conflicts of interest occur any time your personal interests or personal relationship might impair, or might reasonably appear to impair, your ability to make an objective and fair decision based solely on what is best for Kaiser Permanente and the members and patients we serve.
Refer to the POR for example situations and guidance on gifts, working with vendors, employment, investments, and outside income. The POR also describes the requirements and process for disclosing potential conflicts of interest.
Your Compliance Role
Your role is to take responsibility for knowing what’s right, make the best decisions, seek help when you need it, and speak up when something doesn't seem right.
To help you accomplish this, be sure to:
Refer to the POR as well as the laws, regulations, accreditation standards, and the Kaiser Permanente policies and procedures that apply to you.
Know what information you need for your job and how to protect it.
Identify potential fraud, waste, or abuse and report it immediately.
At Kaiser Permanente, compliance is everyone’s responsibility.
Compliance Requirements, Policies, and Procedures
Health care is highly regulated; there are many laws and regulations, licensing requirements, accreditation standards, and other requirements that affect Kaiser Permanente and the work you do here. The intent of most regulations is to improve the quality of health care and its affordability, and to ensure that health care is given with compassion. It’s your responsibility to comply with these regulations.
Federal, state, local, and workplace policies determine how you fulfill your duties. They’re complementary to each other.
Federal requirements apply to everyone at Kaiser Permanente. National policies tend to reflect these requirements.
States may augment federal requirements and have more stringent standards for everyone within the state.
Similar to state requirements, local policies and procedures tend to be more specific to an area, expertise, or facility, and can include accreditation standards and licensing requirements.
The compliance requirements that provide a framework for your work are constantly changing. These changes are necessary to continually improve the member experience.
Depending on your role or functional area, changes may or may not affect you. That’s why it’s important that you know, understand, and follow the laws, regulations, accreditation standards, and KP policies and procedures that apply to you and the work you do. An example of this is ICD-10, which will affect how data is entered in KP HealthConnect®.
Stay up to date with the federal, state, local, and workplace requirements, to ensure that you’re working in compliance.
We Must Report Compliance and Fraud Issues
If you suspect or encounter behavior that may be illegal, prohibited, or doesn’t comply with regulations, report it to the appropriate resource as soon as possible. Don’t assume that someone else will report the incident. Let’s review some commonly asked questions about reporting.
If I report a compliance or fraud concern in good faith, how will I be protected from retaliation?
All Kaiser Permanente physicians and employees are covered by the whistleblower protections in the Federal False Claims Act and other federal and state whistleblower laws, as well as Kaiser Permanente’s Non-Retaliation policy. If you report a compliance or fraud issue in good faith, you will be protected. Your input is important to us. If you wish, you can report anonymously by using the KP Compliance Hotline or the KP Webline.
KP does not tolerate any retaliation against any employee, contractor, or physician who makes a good faith report of possible wrongdoing. Anyone who retaliates against individuals who report or refuse to participate in violations of law, regulations, policies, or the code of conduct is subject to disciplinary action, up to and including termination.
Where can I go to discuss potential compliance or fraud issues?
Your supervisor is the best person to talk to about compliance or fraud issues. Other resources in the compliance community you can approach for guidance include any supervisor or manager, compliance officers, regional and national compliance websites, and the Human Resources Department.
Can I call the KP Compliance Hotline or use the KP Webline for any concern?
You can use the Kaiser Permanente Compliance Hotline (1-888-774-9100) or the Webline (an online reporting form) to report compliance-related issues 24 hours a day, seven days a week, 365 days a year.
You can also ask for guidance from any supervisor or manager, Human Resources representative, or compliance community resource, such as regional and national compliance officers. If you want information, you can view the national and regional websites.
What is fear of retaliation?
An employee who’s concerned that she’ll be punished by an employer, manager, or co-worker for doing the right thing is experiencing fear of retaliation.
If you believe that you or others are being retaliated against or being intimidated in any way for reporting an issue in good faith or for participating in an investigation, talk to your compliance officer, call the KP Compliance Hotline, or use the KP Webline to address your concern.
Are there times when I should report something immediately?
Yes. Federal and state privacy laws, including HIPAA, and our policies require us to take immediate action to reduce harm to members and patients.
Here are some examples of things you should report immediately:
Paper or electronic records that contain confidential information are lost, missing, or stolen.
A computer, smartphone, tablet, digital camera, CD, or storage device that contains confidential information is lost, missing, or stolen.
Confidential information is sent to the wrong email address, fax number, or mailing address, or is handed to the wrong employee or patient.
Each of these incidents is considered a privacy incident. If one occurs, immediately notify your supervisor.
How to Report Different Types of Issues
Before you report a concern, decide what type of issue it is. Ask yourself:
What type of concern or issue is this?
Is it a departmental or facility issue? An area or regional issue? A national issue?
Can you discuss it with your supervisor or chief?
If not, whom can you call for this type of issue?
Reporting Compliance or Fraud Issues
Supervisor: Your supervisor is the best person to speak with first.
Higher-level manager: If your supervisor isn’t available, or is the subject of your concern, speak to a higher-level manager.
Compliance officer: If you’re unable to report to a higher-level manager, talk to your compliance officer or a compliance representative.
KP Compliance Hotline or Webline: If none of the resources are available, you can report the concern by calling the KP Compliance Hotline (1-888-774-9100) or by using the Webline. Both are operated by a third-party vendor, and you may report anonymously, if desired.
Reporting Human Resources Issues
To report Human Resources issues, follow this contact sequence.
Supervisor: Your supervisor is the best person to speak with first.
Higher-level manager: If your supervisor isn’t available, or is the subject of your concern, speak with a higher-level manager.
Human Resources representative: If you’re unable to report to a higher-level manager, contact your Human Resources representative.
Reporting Facility or Site Issues
To report facility or site issues, follow this contact sequence.
Supervisor: Your supervisor is the best person to speak with first.
Higher-level manager: If your supervisor isn’t available, or is the subject of your concern, speak with a higher-level manager.
Facility or site representative: If you’re unable to report to a higher-level manager, contact your local facility’s manager or your local site manager.
If you encounter an issue that should be reported, first identify the type of issue, and then choose the best resource to address it efficiently.
Who’s the Best Resource?
Instructions: Select the best option for each scenario and each follow-up question.
Scenario 1 of 4
What type of issue is this?
A. Compliance
B. Facility or site
C. Human Resources
[The best response is C. This is a Human Resources issue because it deals with our jobs as employees. ]
Scenario 1 Follow-Up Question
Who’s the best resource to resolve this issue?
A. Supervisor
B. Higher-level manager
C. Human Resources representative
[The best response is A. Gwen should go to her supervisor to address behavior that’s negatively affecting the work environment. The supervisor can reinforce expected behavior and resolve any concerns locally. Or, Gwen could engage a higher-level manager. She could also talk to her local HR representative if she’s uncomfortable discussing the issue with her supervisor, or if the supervisor is the subject of her concern.]
Scenario 2 of 4
A. Compliance
B. Facility or site
C. Human Resources
[The best response is B. The temperature concern is a facility or site issue.]
Scenario 2 Follow-Up Question
Who’s the best resource to resolve this issue?
A. Supervisor
B. Higher-level manager
C. Facility or site representative
[The best response is C. Curt raised his concern with several people in his department. The work area temperature is an issue best directed to the local facility or site representative.]
Scenario 3 of 4
What type of issue is this?
A. Compliance
B. Facility or site
C. Human Resources
[The best response is A. Intentionally falsifying documentation is fraud and is a compliance issue, which may result in disciplinary action, up to and including termination.]
Scenario 3 Follow-Up Question
Who’s the best resource to resolve this issue?
A. Supervisor
B. Higher-level manager
C. Compliance representative
D. KP Compliance Hotline or KP Webline
how to involve HR.]
Scenario 4 of 4
What type of issue is this?
A. Compliance
B. Facility or site
C. Human Resources
[The best response is A. This is a compliance issue. Never store PHI on a thumb drive or any other personal mobile device without written permission from leadership (required by our Secure Electronic Storage policy).]
Scenario 4 Follow-Up Question
Who’s the best resource to resolve this issue?
A. Supervisor
B. Higher-level manager
C. Compliance representative
D. KP Compliance Hotline or KP Webline
[The best response is A. Rick should go to his supervisor to report the lost drive. His supervisor will address the situation immediately and determine the next steps. To further protect KP confidential information, KP implemented a "removable media encryption" program, which automatically encrypts any file that’s transferred from a KP system onto any thumb drive or other external device.]
Summary
If you encounter an issue that should be reported, first identify the type of issue, then choose the best resource to address it efficiently. If you make the wrong call, such as reporting an HR concern to a compliance resource, you’ll be guided to the best resource to handle your concern.
What You Need to Provide When Reporting
The more information you have, the easier it will be to evaluate the situation and take prompt appropriate action. At a minimum, be prepared to answer the five W’s:
Who is involved?
What happened?
When did it happen?
Where did it happen?
Why are you reporting it?
If you don’t have all of the information, report as much as you can. To prepare for the report, you can download the “Reporting Preparation Checklist” from the course resources.
The Compliance Community: Expert Resources
The experts and resources of the compliance community are available to help you make the right decisions and answer your compliance concerns.
Resources include:
your chief, immediate supervisor, or management
your Human Resources representative
your union representative
your compliance officer
your Kaiser Foundation Health Plan, Inc.; Kaiser Foundation Hospitals; or Permanente Medical Group Legal counsel or department, as appropriate
internal audit services
your controller’s office
the National Compliance, Ethics & Integrity Office or website at kp.org/compliance
your regional compliance office
national, regional, and local policy websites
the KP Compliance Hotline (1-888-774-9100)
the KP Compliance Webline
You may contact any of these resources when you have questions about compliance or how to make ethical decisions.
Module 1: Knowledge Checks
Instructions: Select the best answer(s) for each question.
Knowledge Check 1: Which of the following are part of your compliance role?
A. Take responsibility for knowing what’s right.
B. Make the best decisions.
C. Seek help when you need it.
D. Speak up when something doesn't seem right.
Knowledge Check 2: Which of the following are examples of facility or site issues?
A. You see confidential documents on the parking garage floor.
B. The microwave in the break room is broken.
C. There isn’t enough employee parking available.
D. You hand member information to the wrong patient.
Knowledge Check 3: Hannah feels she’s being retaliated against for reporting staffing ratio concerns to an outside agency. Her supervisor has “forgotten” to include her in several critical meetings and has reassigned her project. Hannah feels threatened by the situation and feels there’s no one she can trust to address her concerns.
Which of the following is the best resource for reporting this compliance concern anonymously?
A. Her supervisor
B. A higher-level manager
C. A compliance officer or compliance representative
D. The KP Compliance Hotline or Webline
Discuss Compliance Topics With Your Supervisor
Acting ethically and with integrity in our work means that we always try to do the right thing and make the best decisions. When we have questions that we cannot answer ourselves, we seek help — either in the Principles of Responsibility or in the advice of another person, such as your supervisor.
Because this course cannot answer every compliance question, it’s important that you become comfortable discussing compliance topics, training expectations, and accountabilities with your supervisor. In addition to compliance training, it’s possible you may be responsible for completing additional training, like ICD-10.
To help you get comfortable talking about compliance, see the list of common questions and answers in the Compliance Conversation Starters handout. Of course, it also helps to review the Principles of Responsibility.
MODULE 2:
PROTECTING CONFIDENTIAL INFORMATION
Protecting Confidential Information Is Important
We must comply with federal and state privacy laws that protect confidential information. Our members and patients trust us to respect their privacy during our daily work when we come into contact with their protected health information (PHI) or other confidential information.
You need to be able to:
Recognize information that requires protection.
Determine the minimum necessary confidential information you need to do your job.
Reduce the risk of exposing confidential information.
What Is Considered Confidential Information?
Confidential information includes both protected health information (PHI) and KP business information in any format (oral, written, or electronic).
Protected Health Information
For information to be considered PHI, it must meet the following three conditions:
1. The information is created, received, or maintained by a health provider or health plan.
2. The information is related to health care or payment for that health care.
3. The information identifies a member or patient, or there is enough information to be able to identify the individual.
Personal Information
Personal information is defined by state law and includes a person’s name in combination with his/her social security number, driver’s license number, or financial account information when it includes a password or access code. In California, personal information has also been extended to medical information and health insurance information. While PHI is always related to health care or payment for that health care, personal information is broader.
KP Business Information
KP business information includes Kaiser Permanente’s financial figures, strategies, initiatives, research, and intellectual property (ideas, patents, copyrights, inventions, and trademarked programs). It also includes employee and physician data, such as home addresses and phone numbers. KP business information should not be shared with anyone outside of the organization unless approval has been given by management.
Protected Health Information:
Names
Tests
Photos
Diagnoses
Treatments
Social Security numbers
Telephone numbers
E-mail addresses
Medical record numbers and medical information
Health care payment information
Birth dates
Credit card numbers

KP Business Information:
Kaiser Permanente’s financial figures
Strategies
Initiatives
Research
Intellectual property (ideas, patents, copyrights, inventions, and trademarked programs)
Physician and employee data, such as Social Security numbers and home addresses

Personal Information:
A person’s name in combination with Social Security number, driver’s license number, or financial account information when it includes a password or access code
In California, personal information has also been extended to medical information and health insurance information
We encounter confidential information daily, and it’s critical that we protect all of it. It’s important to know that HIPAA requires us to protect PHI, and state laws in KP regions require us to protect personal information. Some states, including California, require notification to regulators and affected individuals when their personal (non-PHI) information is compromised.
Is This Confidential Information?
Instructions: For each example, write “PHI” for protected health information, “BI” for business information, or “PI” for personal information.
PHI/BI/PI Examples
1. A credit card number on the receipt for payment of a doctor visit
2. An email with Kaiser Permanente’s financial report attached
3. Medical record #s in a spreadsheet
4. Employee names and social security numbers in a KP spreadsheet
[The best responses are: 1. PHI, 2. BI, 3. PHI, 4. PI]
Using and Sharing Confidential Information
Using or sharing confidential information to complete a job-related task is expected. You have nothing to worry about if you only access the information needed to do your job.
However, accessing confidential information you don’t need may have severe consequences. You could lose your job, your license, and your ability to practice your profession. You could even face fines, penalties, and jail time.
Apply the Minimum Necessary Principle
KP HealthConnect and other electronic systems at Kaiser Permanente make an abundance of information easily available to physicians and employees authorized to access it. Depending on your job-related reason, however, you may not need to view or share much of it. In fact, you are restricted from accessing what you don't need.
The law states that if you access, use, or disclose more than the minimum necessary to do your job, you are violating a member’s right to privacy. If you’re unsure about what to access or share, check with your supervisor or manager.
How do you know what’s enough?
• If you don't need confidential information to complete a task, don’t access the system.
• If specific information is requested, such as a list of specific members or a person’s name, send only that.
• If you need to reply to or forward an email or text message, remove all non-essential PHI from the message before you send it.
• If you’re attaching a spreadsheet, make sure there are no hidden columns or rows; remove all filters, and delete all unneeded tabs before attaching and sending.
High-Risk Areas for Confidential Information
Review the four high-risk areas for confidential information. We can reduce risk in these areas by using good judgment and common sense when handling confidential information.
Distribution errors are often caused by human error, not following procedures, negligence, or poorly designed work processes. This risk area includes mailing and paperwork errors. Each incident exposes confidential information, is potentially reportable to government regulators, and may result in fines or additional site visits.
Inappropriate access occurs when there isn’t a job-related reason to access personally identifiable information. Often, the access is intentional, and is driven by the following:
Curiosity: just want to know
Caring or concern: worried about someone
Convenience: faster than following the procedure
When electronic or printed confidential information is lost, stolen, or misplaced, it is exposed and is considered a privacy incident.
This risk is often caused by human error, not following proper procedures, or negligence. Included in this category are smartphones and electronic tablets that contain identifiable member information.
Inappropriate use of social media (including blogs, podcasts, discussion forums, and social networks such as LinkedIn and Facebook) can cause a privacy incident. Employees and physicians aren’t allowed to share any confidential information, especially if it contains anything that might identify a member or patient.
Identify the Confidential Information Risk Area
It’s important that you’re able to identify some common risk areas for confidential information and know what to do if you encounter them. In this activity, review each of the four scenarios, then identify the risk area and what should be done.
Scenario 1 of 4
What type of risk is this?
Select the risk that best matches the situation.
A. Distribution error
B. Inappropriate access
C. Lost or stolen confidential information
D. Inappropriate use of social media
[The best response is A. A patient’s confidential information has been exposed because of a distribution error.]
Scenario 1 Follow-Up Question
What should she do next?
Select the best action to take in this situation.
A. Send the correct pre-op instructions to the member.
B. Report the situation to the KP Compliance Hotline.
C. Inform her supervisor, contact compliance, and send the correct pre-op instructions to the patient.
[The best response is C. She should notify her supervisor. She must also provide the patient with the correct information and contact compliance about the information that was mistakenly sent.]
Tips to Prevent Distribution Errors
Don’t do too many things at once.
Always double-check your work, such as ensuring the name on the envelope matches the name on the materials inside the envelope.
Make sure your email messages include the right information and the right amount of information.
When doing a mail merge, check the accuracy of the first one, then check samples along the way.
Verify the patient’s identity before distributing any paperwork.
Make sure unrelated papers are not stuck together.
Scenario 2 of 4
What type of risk is this?
Select the risk that best matches the situation.
A. Distribution error
B. Inappropriate access
C. Lost or stolen confidential information
D. Inappropriate use of social media
[The best response is B. Looking in the victim’s medical record is an example of inappropriate access. His curiosity could result in disciplinary action, up to and including termination.]
Scenario 2 Follow-Up Question
What should he do next?
Select the best action to take in this situation.
A. Access the medical record and only look at the ER admission, the minimum amount necessary.
B. Nothing; curiosity isn’t a job-related reason to access anyone’s medical record.
C. Go to the ER and ask about the victim.
[The best response is B. Curiosity is not a job-related reason to access another person’s medical record. Remember, every time you access KP HealthConnect or any other system, it records your activity. If inappropriate access is found and substantiated, these records are used to take disciplinary action, up to and including termination.]
What type of risk is this?
Select the risk that best matches the situation.
A. Distribution error
B. Inappropriate access
C. Lost or stolen confidential information
D. Inappropriate use of social media
[The best response is C. This is an example of lost or stolen confidential information. She didn’t take steps to protect the information.]
Scenario 2 Follow-Up Question
What should she do next?
Select the best action to take in this situation.
A. Report the situation to her supervisor immediately.
B. Report the situation to the KP Compliance Hotline or KP Webline.
C. Say nothing; the information isn’t of interest to anyone.
[The best response is A. The right thing to do is report the incident immediately. Our laptop bags often contain confidential information on portable devices and in printed documents that we need for our jobs. When confidential information is lost, missing, or stolen, we’re required to take immediate action to reduce possible harm to members and patients. In some cases, we’re required to report the incident to regulators and notify affected members and patients.]
Scenario 4 of 4
What type of risk is this?
Select the risk that best matches the situation.
A. Distribution error
B. Inappropriate access
C. Lost or stolen confidential information
D. Inappropriate use of social media
[The best response is D. Even though he didn’t provide specific names, people in his social group know that he’s a Kaiser Permanente nurse and can potentially recognize the patients based on the pictures.]
Scenario 4 Follow-Up Question
What should he do next?
Select the best action to take in this situation.
A. Write an apology on Facebook for possibly exposing patient information.
B. Remove the information from his Facebook page and talk to his supervisor to explain the situation.
C. Do nothing. Facebook is private, and what he posts on his own time is no one else’s business.
[The best response is B. Because social media spreads information so quickly, the nurse must immediately remove all patient-identifiable information from Facebook and tell his supervisor what happened. Depending on the situation, he may face disciplinary action, up to and including termination, may be fined, and may face possible jail time. Remember, if you use social media, don't post anything that can potentially identify or hurt a colleague, member, or patient.]
Summary
Avoidable risks occur when we don’t follow the policies and procedures for protecting confidential information. Occasionally, some risks, such as distribution errors, can be caused by circumstances outside of our control. Others, such as inappropriate access or posting to social media, are in our control and can be avoided by using our good judgment.
Protect our patients and members — and yourself — by using confidential information only as allowed by the law.
Notification Requirement
We must comply with federal and state privacy laws and protect all confidential information — PHI, personal information, and KP business information. If we fail to do so, we’re often required to notify the affected individuals and regulatory agencies.
If you discover confidential information was disclosed, report it immediately. Any delay in reporting has serious consequences.
When we disclose confidential information inappropriately, the impact can be severe:
1. We may be required to report to a regulatory agency (federal or state), within very short timeframes.
2. We can be subject to fines. Penalties may be imposed on the individual and the organization by both federal and state agencies.
3. State licensing boards can suspend or revoke licenses.
4. We may need to notify individuals about their compromised information.
Enforcement Penalties
Formulas that determine the size of the fine are based on the following:
Number of individuals affected: how many did it impact?
Number of occurrences: how many times did it happen?
Reporting timeliness: was it reported within required timeframes?
Willful neglect: did someone intentionally or recklessly do it?
Corrective action taken: was it addressed? How? When?
HIPAA fines can run up to $50,000 for a single event, while in some states, fines for a single event can reach $250,000.
Module 2: Knowledge Checks
Instructions: Select the best answer(s) for each question.
Knowledge Check 1: Which of the following are examples of confidential information?
A. Social Security number
B. Financial data
C. Medical record number
D. Internal Kaiser Permanente reports
Knowledge Check 2: An employee’s brother has not received his lab results in his medical record because he hasn’t received them yet.
Does she have a job-related reason to access her brother’s medical record?
A. Yes
B. No
Knowledge Check 3: A supervisor discovered that because a printer was slow, some after-visit summaries were handed to the wrong patients. Part of the corrective action was to work with her staff to find ways to prevent this from happening again.
Which of the following solutions would help avoid future distribution errors?
A. Printouts should be picked up immediately; don’t leave items on the printer.
B. When you pick up a printout, double-check that you took the right one.
C. If a system isn’t operating properly and a privacy incident is possible, let staff know.
D. Verify the member’s identity before giving him or her any personal documents.
Module 2: Call to Action
You’re expected to know what information you need to use or share for your job and how to protect it. Here are some privacy and information security reminders:
Protect passwords.
Use a password with at least a combination of eight characters and numbers. Never share a password.
Protect your physical work environment.
Ensure that protected areas are locked, workstations and portable devices are secure, and confidential information is disposed of properly.
Use the Send Secure option in Lotus Notes or the Secure File Transfer system (SFT) option to ensure that the confidential information is protected. Only store patient information on KP network servers, KP shared drives, or servers that otherwise meet IT security standards.
Guard against malicious software (malware).
Do not click or open unknown links or email messages. Use caution when visiting unfamiliar websites and contact the IT Service Desk if you suspect that your computer has been infected.
MODULE 3:
PREVENTING FRAUD, WASTE, AND ABUSE
Preventing Fraud, Waste, and Abuse is Important
The federal government provides many regulations and guidelines to help health care organizations detect, prevent, and respond to fraud. If we don't follow them and our internal controls and policies, patient safety can be risked, the cost of health care can rise, and our reputation can be damaged.
In this module, you’ll learn more about the risks for fraud, waste, and abuse in your work area. You need to be able to:
Explain the difference between fraud, waste, and abuse.
Name the top four types of fraud, waste, and abuse risks.
Defining Fraud, Waste, and Abuse
You must be able to recognize fraud, waste, and abuse in the workplace, as defined in the National Fraud, Waste & Abuse Control policy (NATL.NCO.11).
What Is Fraud?
Fraud occurs when someone misrepresents the truth to get a benefit or an advantage. An example of fraud is using another person’s medical identity to receive treatment, submitting personal expenses for business reimbursement, or submitting a claim without supporting medical record documentation, even if unintentional.
What Is Waste?
Waste is the extravagant, careless, or needless use of KP or government funds. An example of waste is going to a local store to purchase office supplies instead of using Kaiser Permanente-approved vendors and discounts.
What Is Abuse?
Abuse is the wrongful or improper use of KP or government resources, including but not limited to, the misuse of position or authority that causes the loss or misuse of an organization’s assets (for example, funds, medical equipment, vehicles, computers, or copy machines). An example of abuse is using KP office supplies for your child’s art project.
Is This Fraud, Waste, or Abuse?
Instructions: For each, write “W” for waste, “A” for abuse, or “F” for fraud.
1. Not using a KP vendor when ordering printed materials
2. Submitting more hours on a timecard than actually worked
3. Refilling your prescription, then giving it to your neighbor
4. Over-ordering pharmacy inventory; the overstock expires
5. Using a KP copy machine to make flyers for your son’s school
6. Submitting false receipts on a business expense account
[The best responses are: 1. W, 2. F, 3. F, 4. W, 5. A, 6. F]
Fraud, waste, and abuse add up quickly and can result in inflated costs to the company, damage to the company's reputation, mandatory retraining, disciplinary action, and possible termination.
High-Risk Areas for Fraud
To prevent intentional fraud and protect our resources, we must watch for signs of fraud (also called red flags).
Drug diversion occurs when someone “diverts” drugs, medications, or other pharmacy supplies from their original or intended purpose.
If your job involves handling pharmacy items, you may see or suspect that people are stealing medications, forging prescriptions, or selling pharmacy items. This is intentional fraud and you should report it immediately.
Member fraud occurs when a member carries out a fraudulent activity.
If your job includes handling member information or providing patient care, you may find falsified member enrollment data or medical identity fraud. This is intentional fraud and you should report it immediately.
Identity theft occurs when someone pretends to be someone else by assuming that person’s identity. This is often done to access resources, or obtain credit or other benefits in that person’s name.
An example is using someone’s identity to apply for a credit card fraudulently.
Employee theft occurs when an employee unlawfully takes money or property from members, co-workers, physicians, or Kaiser Permanente.
An example is an employee who steals the company's cash, drugs, equipment, or supplies, or who uses company funds to purchase personal items.
Identify the Fraud, Waste, and Abuse Risk Area
Kaiser Permanente has a zero-tolerance position for theft of member data, cash, or KP property. Employees have lost their jobs, and cases have been reported to licensing boards and law enforcement for prosecution. For this activity, select the risk area illustrated by the scenario and answer the follow-up question.
Instructions: In the following four scenarios, identify the risk, then select the best action to take.
Scenario 1 of 4
What type of risk is this?
A. Drug diversion
B. Employee theft
C. Identity theft
D. Member fraud
[The best responses are A and B. This is a red flag for possible drug diversion and employee theft; either answer is correct. There isn’t enough information, however, to confirm that a fraudulent activity has occurred.]
Scenario 1 Follow-Up Question
What should she do next?
Select the best action to take in this situation.
A. She should do nothing. Lots of people were around, so someone else will probably say something.
B. She should call the KP Compliance Hotline or use the KP Webline to report the issue.
C. She should have a private conversation with her supervisor to report what she saw.
[The best response is C. She should report the incident to her supervisor privately. Recognizing a red flag is only part of the solution. By taking action, like reporting the incident to her supervisor, she can help identify fraudulent activity. Policies and programs exist to prevent, detect, investigate, and properly respond to fraud where it occurs. Over time, people who engage in fraudulent activities are caught. Employees have lost their jobs, and cases have been reported to law enforcement for prosecution.]
Scenario 2 of 4
What type of risk is this?
Select the risk that best matches the situation.
A. Drug diversion
B. Employee theft
C. Identity theft
D. Member fraud
[The best response is C. This is a red flag for identity theft and a potential privacy violation. Our patients and members look to us to protect their information.]
Scenario 2 Follow-Up Question
What should he do next?
A. He should do nothing unless he has actual proof of improper behavior.
B. He should report his concern to a compliance officer, the KP Compliance Hotline, or the KP Webline.
C. He should have a private conversation with his supervisor.
[The best response is B. He should report this to someone in the compliance community. Failure to do so could result in corrective or disciplinary action, up to and including termination. Because his supervisor is the concern, speaking with a compliance officer, calling the KP Compliance Hotline, or using the KP Webline are better options. If his supervisor is engaged in identity theft, an outside or external investigation will be required.]
Scenario 3 of 4
What type of risk is this?
Select the risk that best matches the situation.
A. Drug diversion
B. Employee theft
C. Identity theft
D. Member fraud
[The best response is C or D. The age difference is a red flag for member fraud and identity theft. More information is required to determine if the member is involved in fraud (member fraud), or if the member is a victim of fraud (identity theft).]
Scenario 3 Follow-Up Question
What should she do next?
Select the best action to take in this situation.
A. She should ensure that she’s looking at the correct medical record.
B. She should call the KP Compliance Hotline or use the KP Webline to report the issue.
C. She should talk to her supervisor.
[The best response is A. She should confirm she’s in the right medical record. Differences in a person’s age, weight, height, or diagnoses could indicate that a person might be using another member’s health plan card. Before presuming fraud, rule out mistakes. If you’ve validated that you’re looking at the right medical record and still have concerns, contact your supervisor or follow your local procedure to address this type of issue.]
Scenario 4 of 4
What type of risk is this?
Select the risk that best matches the situation.
A. Drug diversion
B. Employee theft
C. Identity theft
D. Member fraud
[The best response is B. This is a red flag for employee theft.]
Scenario 4 Follow-Up Question
What should he do next?
Select the best action to take in this situation.
A. He should do nothing, because he’s not the co-worker’s supervisor.
B. He should call the KP Compliance Hotline or use the KP Webline to report the issue.
C. He should have a private conversation with his supervisor.
[The best response is C. Removing operating room supplies after a shift is a red flag for employee theft. He should report this to his supervisor for the quickest resolution. Kaiser Permanente has zero tolerance for employees who steal member data, cash, or KP property. If employee theft is substantiated, disciplinary action, up to and including termination, may be taken.]
Summary
Fraud can compromise patient safety, raise the cost of health care, and damage Kaiser Permanente's reputation.
Immediately report fraud, waste, and abuse that you witness.
Module 3: Knowledge Checks
Instructions: Select the best answer(s) for each question.
Knowledge Check 1: An employee is using a Kaiser Permanente corporate credit card to make personal purchases. From the list below, which type of risk is this?
A. Drug diversion
B. Employee theft
C. Identity theft
D. Member fraud
Knowledge Check 2: A man comes to the lab without identification. You follow the validation procedures, but are unable to confirm his identity.
Which types of risk does this red flag indicate?
A. Drug diversion
B. Employee theft
C. Identity theft
D. Member fraud
Knowledge Check 3: Which of the following actions could be acts of fraud?
A. Putting false information on documents
B. Submitting false receipts for reimbursement
C. Adding or keeping ineligible dependents on your health plan
D. Letting someone use your KP card to receive services or medication
Module 3: Call to Action
Kaiser Permanente’s compliance program protects and serves our members by protecting KP’s resources and increasing employee fraud awareness. With your help, we can improve the prevention, detection, investigation, referral to appropriate authorities, and civil recovery efforts due to health care fraud.
You have an important role in preventing fraud, waste, and abuse.
Recognize fraud, waste, and abuse in the workplace.
Report any suspected fraud to your supervisor, higher management, or your compliance representative.
Remember, the federal law protects whistleblowers — people who report noncompliance or fraud, or who assist in investigations.
MODULE 4:
SUMMARY AND COMPLETION
Kaiser Permanente’s Compliance Program
Kaiser Permanente’s compliance program promotes an environment of trust and safety, and helps us avoid costly fines and damage to KP’s reputation. Meeting the compliance expectations is an ongoing accountability all of us must take seriously. When we behave honestly and ethically at all times in the work we do, we:
Deliver health care services by the right people, and all services performed are documented in a timely, accurate, and complete manner.
Provide quality care for our members and patients while being mindful of their privacy rights.
Because your supervisor is usually the best person to approach with compliance issues or concerns, you should feel comfortable approaching him or her. If you haven’t had a compliance conversation with your supervisor, consider doing so during your next performance review.
Create a Compliance Contact List
If you suspect or encounter behavior that may be illegal, is prohibited, or doesn’t comply with regulations, report it as soon as possible.
Be prepared to act quickly by creating a list of compliance contacts ahead of time. Review or download any of these resources. For more about who to call, take the Make the Right Call: Identifying and Reporting Issues Appropriately course on KP Learn.
When reporting a compliance concern, be sure to:
1. Identify the type of issue or concern. Is it an issue that deals with how we perform our jobs based on laws and regulations? An employment issue? A facility or site issue?
2. Identify the best resource to address the issue or concern. Can you go to your supervisor or a higher-level manager? Or is this an issue that requires a specific expertise to resolve?
COMPLETING YOUR TRAINING
Now that you’ve completed this course, you’re required to do a few more things to complete your training record for this course.
MEET WITH YOUR SUPERVISOR OR MANAGER
Your supervisor, manager, or designated training administrator will review your answers to the knowledge check questions. Be sure you’ve answered all of them accurately. This is your time to clarify any information and ask questions about the course.
COMPLETE THE COURSE COMPLETION FORM
This form is required for you to receive credit for taking the course. Your supervisor, manager, or designated training administrator will give you the course completion form.
Fill in the required information and sign both signature lines. One signature indicates completion of the course, and one is your Principles of Responsibility attestation; both are required.
Return the completed and signed course completion form to your supervisor, manager, or designated training administrator.
COMPLETE THE COURSE EVALUATION FORM
The course evaluation is your opportunity to provide feedback on this course.
Your supervisor, manager, or designated training administrator will give you the course evaluation form.
Complete the evaluation.
Return the completed form to your supervisor, manager, or designated training administrator.
POST-TRAINING RESOURCES
Access the resources, fact sheets, handouts and other support materials referenced in this course at the following URL: