What is Corporate Compliance?
Corporate Compliance is adherence to specific laws, regulations, and ethical codes that govern our workplace. Examples of laws and regulations that directly impact all employees of St Luke’s Cornwall Hospital are the Health Insurance Portability and Accountability Act (HIPAA) and the Federal False Claims Act.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that:
- protects the privacy of Health information;
- applies to individuals, as well as institutions;
- provides for electronic and physical security of patient health information;
- defines unauthorized access as the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment or other lawful use;
- requires users to access or disclose the minimum amount of health information necessary to perform their duties; and
- specifies patient rights to approve the access and use of their medical information.
What Information Must Be Protected?
Protected Health Information (PHI)
- is information related to a patient’s past, present or future physical and/or mental health or condition;
- can be in any form: written, spoken, or electronic (including video, photographs, and x-rays); and
- includes at least one of the following 18 personal identifiers:
  - Postal address
  - All elements of dates except year
  - Telephone number
  - Fax number
  - Email address
  - URL address
  - IP address
  - Social security number
  - Account numbers
  - License numbers
  - Medical record number
  - Health plan beneficiary number
  - Device identifiers and their serial numbers
  - Vehicle identifiers and serial numbers
  - Biometric identifiers (finger and voice prints)
  - Full face photos and other comparable images
  - Any other unique identifying number, code, or characteristic
For Purposes Other than Treatment, Payment and Operations
Unless required or permitted by law, SLCH must obtain authorization from the patient to use, disclose, or access patient information. Mental Health, Substance Abuse, HIV and HIV related PHI can NOT be disclosed without specific written authorization from the patient.
- Verbal Exchanges:
  - Be aware of your surroundings when talking.
  - Do not disclose information to anyone, including a patient’s friends and family, without first obtaining the patient’s authorization to do so.
  - Do not discuss PHI in elevators, the parking garage, or other public areas.
- Know Where You Left Your Paperwork:
  - Check printers, faxes, and copier machines when you are done using them.
  - Ensure paper charts are returned to the applicable areas in nursing stations, medical records, or designated file rooms.
  - Do not leave hard copies of PHI lying on your desk; lock them up in your desk at the end of the day.
  - Seal envelopes well when mailing.
- Disposal of Paper Documents:
  - Shred or destroy PHI before throwing it away.
  - Dispose of paper and other records with PHI in secured shredding bins. Recycling and trash bins are NOT secure.
- Ensure your computer and data are physically secured:
  - Create a strong password and do not share your username or password with anyone.
  - Log off your computer terminal when you are done, or even if you walk away for a few moments.
  - Ensure information on computer screens is not visible to passersby.
Examples of HIPAA Violations
- Talking in public areas, talking too loudly, talking to the wrong person;
- Sharing information with a patient’s family or friends without authorization from the patient. (Do not assume that because a patient is accompanied by friends or relatives when they present to the Hospital that they want their PHI discussed in front of them);
- Accessing information about a co-worker who is hospitalized if that access is not required in order for you to perform your job at SLCH;
- Improper disposal of paper, mail, films, notebooks;
- Hacking of unprotected computer systems;
- Email or faxes sent to the wrong address, wrong person, or wrong number; and
- Users not logging off of computer systems, allowing others to access their computer or system.
St Luke’s Cornwall Hospital has policies and procedures to protect the privacy and security of information. As an SLCH employee, you are responsible for following these policies and procedures to protect the privacy and security of information. Remember that privacy applies to ALL verbal, written, and electronic information. If you suspect or know of a breach, you must report it to the Compliance Officer immediately.
False Claims Act
As required by federal law, it is the policy of this organization to provide detailed information to all employees about federal and state False Claims Acts and this organization’s policies and procedures to detect and prevent fraud, waste and abuse.
The Federal False Claims Act prohibits, among other things:
- knowingly presenting or causing to be presented to the government a false or fraudulent claim for payment or approval;
- knowingly making or using, or causing to be made or used, a false record or statement in order to have a false or fraudulent claim paid or approved by the government;
- conspiring to defraud the government by getting a false or fraudulent claim allowed or paid; and
- knowingly making or using, or causing to be made or used, a false record or statement to conceal, avoid, or decrease an obligation to pay or transmit money or property to the government.
“Knowingly” means that a person, with respect to information: (1) has actual knowledge of the information; (2) acts in deliberate ignorance of the truth or falsity of the information; or (3) acts in reckless disregard of the truth or falsity of the information and no proof of the specific intent to defraud is required.
Federal and state laws and SLCH policy prohibit any retaliation or retribution against persons who report suspected violations of these laws to law enforcement officials or who file “whistleblower” lawsuits on behalf of the government. Anyone who believes that he or she has been subject to any retribution or retaliation should also report this to the Compliance Hotline.
HIPAA and the Federal False Claims Act are but two of the many laws and regulations that govern healthcare. The SLCH Compliance Plan is a corporate-wide initiative and was designed to ensure that our organization adheres to all applicable laws and regulations. Additional information will be provided to you through department-specific training, and is available in the Hospital’s Administrative Manual. If you have any questions or if you would like to report a suspected violation, please contact:
Darcy Shepard, Compliance Officer at x2856 (internally) or 845-568-2856 (externally).
Call the Compliance Hotline at x3505 (internally) or 845-784-3505 (externally).
Anonymous reporting is always welcome by calling x2010 and then x3505.
Other Resources for information regarding Compliance issues:
- Your Supervisor/Manager
- Privacy Officer (concerning HIPAA Privacy)
- Melissa Scalzo 845-568-2147
- Information Security Officer (concerning HIPAA Security)
- Aaron Kramer: 845-784-3711
- The St. Luke’s Cornwall Administrative Manual (available on the Hospital’s Intranet)