UNIVERSITY OF CALIFORNIA HEALTH SCIENCES CORPORATE COMPLIANCE...

1

UNIVERSITY OF CALIFORNIA HEALTH SCIENCES CORPORATE COMPLIANCE

FIRST ANNUAL REPORT TO THE BOARD OF REGENTS July 1, 2000 – June 30, 2001

ANNUAL REPORT CONTENTS

1. Purpose: University’s Health Sciences Clinical Enterprise Annual Report 2. Background: University’s Corporate Compliance Program and System Corporate

Compliance Committee (Mid-1996 – Spring 2000)

3. Summary: System Corporate Compliance Committee Activities (Fiscal Year 2001)

4. Status of the Professional Fee Billing Compliance Program

5. Assessment of the University’s Health Sciences Clinical Enterprise Corporate Compliance Program and Code of Conduct

6. Conclusions and Recommendations

PURPOSE:

THE UNIVERSITY’S HEALTH SCIENCES CLINICAL ENTERPRISE ANNUAL REPORT (REPORT)

The University’s Health Sciences Clinical Enterprise Corporate Compliance Program requires that each Campus Corporate Compliance Committee provide an annual report to their respective Chancellors and to the Office of the President in order to provide the Board of Regents with a system-wide Annual Report. This Report is the first of what will become an annual report process to The Board of Regents by the University’s System Compliance Committee and includes:

1. A review of the Campus Corporate Compliance Annual Reports and assessment of the overall Health Sciences Clinical Enterprise Corporate Compliance Program in order to:

a. Establish a benchmark assessment of the current status of system and campus compliance programs as measured against the elements of a compliance program defined by the Department of Health and Human Services/ Office of the Inspector General (OIG’s) Compliance Program Guidelines for Hospitals;

b. Summarize reviews by external agencies of the System and Campus Compliance Programs;

c. Provide examples of system and campus ongoing commitment to compliance; d. Provide a qualitative assessment of the University’s progress towards

achievement of the System Compliance Program Objectives; e. Provide information useful in developing the criteria for the FY 2002 Annual

Report; and f. Provide a summary of an independent review conducted by University Internal

Audit.

2

2. Demonstrate ongoing commitment to compliance at all levels of the University’s health

sciences clinical enterprise; and 3. Inform the Board of Regents of the work of the Academic Health Centers System

Compliance Committee and Health Insurance Portability and Accountability Act (HIPAA) Taskforce to develop guidelines and a workplan for achieving compliance with federal HIPAA requirements, particularly as related to the implementation of the HIPAA Privacy standards in April 2003.

BACKGROUND: THE UNIVERSITY’S CORPORATE COMPLIANCE PROGRAM

AND THE SYSTEM CORPORATE COMPLIANCE COMMITTEE (MID-1996 – Current)

In the spring of 1996, the Office of the Inspector General (OIG), Department of Health and Human Services (DHHS), notified the University’s academic medical centers of the OIG’s intent to conduct a review of the Medicare billing practices of the University’s physicians to determine whether Medicare reimbursements for physician services provided to Medicare beneficiaries were reasonable, allowable and documented in accordance with Medicare regulations. This nationwide initiative by DHHS/OIG to audit physician professional fee billings at teaching institutions became known as the Physicians at Teaching Hospitals PATH) Audit. In July 1996 the Health Care Financing Administration (HCFA) established new regulations to guide the Medicare billing practices of teaching physicians. In preparation for these federal initiatives, the Office of Clinical Services Development, in consultation with the leadership of the University’s academic health centers (AHCs) and the Office of the General Counsel, established the University-wide Corporate Compliance Committee (System Compliance Committee), which has met on a regular basis beginning in mid-1996. The Deans of the University’s Schools of Medicine each appointed an individual to serve as their respective representative (s) to the System Compliance Committee. The campus representatives to the System Compliance Committee also serve as the Compliance Officers at each respective AHC and chair their campus Corporate Compliance Committee. The Board of Regents charged the System Compliance Committee to:

1. Oversee the flow of information between campuses and the OIG as related to the PATH audit;

2. Provide for a University-wide coordinated effort in responding to the federal auditors and OIG;

3. Develop the University’s Professional Fee Billing Guidelines (completed and distributed to all Chancellors in September 1997) to provide the policy basis for the implementation of campus-specific compliance plans; and

4. Provide a forum for discussion of ongoing issues related to compliance with new federal regulations.

Attached (Attachment A) is a list of the FY 2001 members of the System Compliance Committee. With the exception of one campus Compliance Officer, the core System Compliance Committee membership has remained virtually the same since 1996, with additions of individuals and expertise as the need arises. The Office of the President’s representatives include

3

the Office of Clinical Services Development, Office of the General Counsel and the University Auditor. In 1998, DHHS/OIG issued the Compliance Program Guidelines for Hospitals and strongly encouraged all corporations in the health care industry to implement effective corporate compliance programs that would include the following elements: a code of conduct; clearly defined oversight responsibilities; employee training; monitoring and auditing; enforcement and discipline; and procedures to respond to and prevent further offenses once a violation has been detected. In order to provide incentives for institutions to implement effective compliance programs, the federal Compliance Program Guidelines for Hospitals also instructed federal district judges to consider whether a medical center had an effective compliance program when imposing sentences for criminal violations in the event of a federal investigation or audit, such as the PATH audit. In 1998 the University’s AHCs were engaged in responding to the PATH audits and recognized the value of proactively developing and implementing a Corporate Compliance Program that would follow the Compliance Program Guidelines for Hospitals promulgated by DHHS/OIG. As such, the System Compliance Committee recommended to The Board of Regents and their AHC executive leadership that the committee should broaden its responsibilities to include the development of The University’s Health Sciences Clinical Enterprise Corporate Compliance Program with the following objectives1:

1. Maintain and enhance quality of care; 2. Demonstrate sincere, ongoing efforts to comply with all applicable laws; 3. Revise and clarify current policies and procedures in order to enhance compliance; 4. Enhance communications with governmental entities with respect to compliance

activities; 5. Empower all responsible parties to prevent, detect, respond to, report and resolve conduct

that does not conform to applicable laws, regulations and the University’s Code of Conduct; and

6. Establish mechanisms for employees to raise questions and concerns about compliance issues and ensure those concerns are appropriately addressed.

From 1998 through February 2001, when the University reached agreement with the federal government and settled the PATH audits, the efforts of the System Compliance Committee were primarily focused on two separate, but related efforts:

1. Response to the PATH Audit, including system policy, audit and technical support to the University’s legal team and development of the strategic response to the OIG’s proposed Institutional Compliance Agreement. The Compliance Committee’s efforts contributed to the University’s successful resolution of the PATH Audit in February 2001 without litigation, double or treble damages, an OIG imposed Institutional Compliance Agreement or any suggestion of fraud and abuse on the part of the University’s physicians.

2. Development of The University’s Health Sciences Clinical Enterprise Corporate Compliance Program (University’s Program), including, through a collegial process that

1 University of California Health Sciences Clinical Enterprise Corporate Compliance Program, August 7, 2000.

4

involved the University’s Academic Senate, the University’s Corporate Compliance Code of Conduct. In August 2000 the System Compliance Committee promulgated the current version of the Code of Conduct, which has provided the framework for the development of campus-specific Compliance Programs, policies and procedures.

The individual Campus Corporate Compliance Committees, Compliance Office and the Compliance Officers, appointed by the Chancellor according to procedures established at each campus in consultation with appropriate Academic Senate Committees, provide ongoing compliance leadership on the executive management team at each campus responsible for2:

1. Implementing Campus Corporate Compliance Programs; 2. Ensuring that compliance procedures are maintained, reviewed and updated; 3. Providing compliance education; 4. Responding to employees’ questions and concerns; 5. Acting on recommendations from staff and management; 6. Providing for controls to prevent and reduce errors and identify wrongdoing; 7. Working with campus academic and administrative leadership to implement remedial

actions and take appropriate corrective and disciplinary actions; and 8. Causing reports of possible compliance wrongdoing by administration, faculty or staff to

be investigated in accordance with University policy.

For example, the campus Compliance Officers have also led local initiatives designed to strengthen and enhance compliance efforts, including the implementation of the University’s Professional Fee Billing Guidelines and identifying other operational areas requiring compliance oversight.

SUMMARY: SYSTEM CORPORATE COMPLIANCE COMMITTEE ACTIVITIES (Fiscal Year 2002)

Upon completion of the PATH audits and the development of the System Corporate Compliance Program, the System Corporate Compliance Committee has continued to identify those areas at risk and to develop initiatives that will enhance the overall compliance activities of the University, promote sound business practices, reduce risks of future audits and reduce regulatory and compliance costs for the health sciences clinical enterprise. The following is a summary of current and ongoing initiatives:

1. Professional Fee Billing Compliance Guidelines (Profee Compliance) 2. University Health Sciences Clinical Enterprise Corporate Compliance Program and Code

of Conduct (System Corporate Compliance Program) 3. System Corporate Compliance Program Education Module 4. Clinical Laboratory Compliance Seminars and Sharing of Best Practices 5. Physicians at Teaching Hospitals (PATH) Audits—system and campus efforts 6. Clinical Research Compliance Seminar and Sharing of Best Practices (In process)

2 University of California Health Sciences Clinical Enterprise Corporate Compliance Program, August 7, 2000.

5

7. Health Insurance Portability and Accountability Act—Privacy Regulations (HIPAA/Privacy Standards)—development of system guidelines, policies and procedures and development of campus shared best practice (In process)

8. Hospital Compliance Program development (In process) 9. Sharing of Compliance Best Practices among campuses and other academic medical

centers as requested (ongoing) 10. Development of the University’s Health Sciences Clinical Enterprise Annual Report to

the President and The Board of Regents, July 1, 2000 – June 30, 2001. STATUS OF PROFESSIONAL FEE BILLING COMPLIANCE PROGRAM

Overview

At the October 1996 meeting of the Board of Regents, the System Compliance Committee provided the Regents with a copy of the System-wide Compliance Guidelines for Professional Fee Billing. The principles addressed in the Guidelines are administrative in nature and the purpose is to provide clarification of billing procedures and to clarify those teaching activities that do not meet the federal Medicare requirements for Professional Part B billing. As such, the Guidelines are intended to provide faculty and other University employees with the guidance necessary to understand the potential impact of federal regulations on the University’s mission and the level of administrative activity necessary to provide for compliance with professional fee billing requirements. The System Compliance Committee incorporated faculty recommendations into the Guidelines and in September 1997 distributed the current version to all Chancellors. Subsequently, each AHC campus developed and implemented campus specific Professional Fee Billing Compliance Plans. With the determination by the System Compliance Committee that the University should broaden its compliance efforts to respond to DHHS/OIG’s 1998 Compliance Program Guidelines for Hospitals, the System Compliance Committee has now incorporated Professional Fee Billing Compliance into the overall University Corporate Compliance Program.

Oversight, Monitoring and Audit of the Professional Fee Billing Compliance As a result of the University’s PATH audit settlement with the federal government and the determination that there was no fraudulent billing practices by University physicians, the University is not subject to an Institutional Compliance Agreement (ICA) that would have been imposed by the OIG and would have provided for ongoing oversight and monitoring by the federal government of the University’s compliance activities. Until the successful resolution of the PATH audits in February 2001, it was assumed that an ICA would dictate the nature of reports to The Board of Regents as well as require the University to annually report to the federal government. Although the University is not subject to a federally imposed ICA, the System Compliance Committee recognized the value of campus and system oversight and monitoring of compliance with federal activities as a proactive, voluntary measure to minimize errors, reduce risks and enhance business practices. As such, this First Annual Report provides the baseline for future reviews and monitoring of campus compliance efforts.

6

In reviewing all campus annual reports, the following were assessed:

1. Is the Professional Fee Billing Compliance Program in effect? 2. Is the program an integral part of the overall compliance program? 3. Does the Compliance Officer have direct responsibility for the Professional Fee Billing

Compliance Program? 4. Do faculty and other employees receive training in order to comply with payor

regulations and requirements? 5. Is there a process in place for auditing sample charges, including coding and medical

record abstracting? 6. Are underpayments and overpayments identified? 7. Is there a process in place to cure systemic or individual errors and provide for a post

review once curative measures have been taken? 8. Are statistics provided regarding effectiveness of program to cure errors?

Conclusion and Recommendations

The Professional Fee Billing Compliance Program is in effect and an integral part of the overall compliance program at all campuses. At two campuses (UCSF and UCI) the Corporate Compliance Officer does not have direct reporting responsibility for the Professional Fee Billing Compliance Program. At UCI, the Profee Billing Compliance Officer is a physician, with reporting to the Dean. The Corporate Compliance Officer has direct responsibility for all compliance efforts at the campus. All campuses provide faculty and employee training, although the training methodology varies by campus; a process is in place for auditing sample charges, with overpayments identified at all sites. Future annual reports should provide a description of how training records and documentation are maintained, as well as the percentage of faculty and employees trained annually. The System Compliance Committee should consider whether there is a direct relationship between faculty training and compliance as one measure of compliance effectiveness. The System Compliance Committee should discuss the value of post-reviews once curative measures have been taken as a measure of effectiveness.

ASSESSMENT OF THE UNIVERSITY’S HEALTH SCIENCES CLINICAL ENTERPRISE CORPORATE COMPLIANCE PROGRAM

AND CODE OF CONDUCT (CORPORATE COMPLIANCE PROGRAM)

Overview The University’s health sciences clinical enterprise is committed to providing quality health care services, health professional training and biomedical and behavioral research in compliance with all laws and regulations. Over the years, the University has implemented a number of policies and procedures to provide guidance regarding federal and state laws. More recently, the federal government has required hospitals and AHCs to implement compliance programs in order to reduce fraud and abuse in today’s complex and highly regulated health care environment. In order to demonstrate its commitment to complying with all laws and regulations governing the provision of health care and provide guidance to University personnel in carrying out their daily activities, the University has developed the Health Sciences Clinical Enterprise Corporate

7

Compliance Code of Conduct (the Code) to provide standards that address issues identified by the federal government as potential areas of risk and, in particular, the seven elements of a compliance program as developed by the DHSS/OIG and outlined in the Federal Sentencing Guidelines: 1) compliance standards and procedures; 2) oversight responsibility; 3) due care in delegation of authority; 4) employee training and education; 5) monitoring, auditing and communication; 6) enforcement and discipline; and 7) response and prevention. From 1998 through 2000, the System Compliance Committee worked collaboratively, and in coordination with the Faculty Academic Senate, to develop the University’s Compliance Program. In August 2000, the Compliance Committee promulgated the current version of the Compliance Program to campus Corporate Compliance Committees and directed that the system Compliance Program should be viewed as the minimal standards for the development of Campus Compliance Programs. Campus Compliance Officers and Campus Compliance Committees have flexibility in the development of their respective programs, policies and procedures so long as they meet the basic Code of Conduct standards of the system Compliance Program as follows:

Standard 1: Quality of Care Standard 2: Medical Necessity Standard 3: Coding, Billing and Patient Accounting Standard 4: Cost Reports Standard 5: Personal and Confidential Information Standard 6: Creation and Retention of Patient and Institutional Records Standard 7: Government Investigation Policy Standard 8: Preventing Improper Referrals or Kickbacks Standard 9: Adherence to Antitrust Regulations Standard 10: Avoiding Conflicts of Interests Standard 11: Patients Freedom of Choice Standard 12: External Relations Standard 13: Fair Treatment of Employees

Criteria: Assessment of The University’s Corporate Compliance Program

The University’s system Corporate Compliance Committee identified the following criteria for evaluating each campus Annual Report and the overall Corporate Compliance Program. 1. Establish a benchmark assessment of the current status of system and campus compliance programs as measured against the OIG’s Compliance Program Guidelines for Hospitals and reported in each Campus Annual Report to the Office of the President and the Board of Regents:

a. A code of conduct; b. Clearly defined oversight responsibilities; c. Employee training; d. Communication opportunities; e. Monitoring and auditing; and f. Enforcement, discipline and procedures to respond to and prevent further

offenses.

8

2. Summarize reviews by external agencies of the system and campus compliance programs. a. Review by OIG PATH Auditors of Campus and System Corporate Compliance

Programs b. Review by the Joint Commission on Accreditation Of HealthCare Organizations

(JCAHO)

3. Provide an example (s) of system and campus ongoing commitment to compliance. a. Health Insurance Portability and Accountability Act (HIPAA)

4. Provide a qualitative assessment of the progress towards achievements of the University’s Compliance Program Objectives, as reported in each Campus Annual Report to the Office of the President and the Board of Regents:

a. Maintain and enhance quality of care; b. Demonstrate sincere, ongoing efforts to comply with all applicable laws; c. Revise and clarify policies and procedures to enhance compliance; d. Enhance communications with governmental entities with respect to compliance

activities; e. Empower all responsible parties to prevent, detect, respond to, report and resolve

conduct that does not conform to applicable laws, regulations and the University’s Code of Conduct; and

g. Establish mechanisms for employees to raise questions and concerns about compliance issues and ensure those concerns are appropriately addressed.

5. Propose recommendations for measuring Compliance Effectiveness for FY 2002 Annual Report. 6. Seek an independent review from the University’s Internal Audit Program.

Annual Report Methodology

In order to provide accountability to The Board of Regents, the University’s System Compliance Committee, in coordination with University Audit, Office of the General Counsel, and Clinical Services Development, developed a process for annual reporting to their respective School of Medicine Deans and Chancellors, as required by the system Compliance Program and The Board of Regents. The Campus Corporate Compliance Committees each developed the campus Annual Report and required review by appropriate local committees. Each School of Medicine Dean approved the Compliance Annual Report and provided copies to the Chancellor and Office of the President/Clinical Services Development. At the system level, the System Corporate Compliance Committee reviewed each of the five campus reports. Dr. Maria Faer, Director of Clinical Policy, Clinical Services Development, then prepared this Annual Report to The Regents of the overall activities of the system-wide Corporate Compliance Program. 1. Establish a benchmark assessment of the current status of system and campus compliance programs defined by the OIG’s Compliance Program Guidelines for Hospitals.

a. A code of conduct/policies and procedures; b. Clearly defined oversight responsibilities; c. Employee training;

9

d. Communication opportunities for all employees; e. Monitoring and auditing of professional fee billing; and f. Enforcement, discipline and procedures to respond to and prevent further

offenses once a violation has been detected.

a. Code of Conduct and Compliance Policies and Procedures. In reviewing all campus annual reports, the following were assessed:

1. Is the Campus Code of Conduct included in the report? 2. Does the Campus Code of Conduct comply with the guidelines established in the

University Code of Conduct? 3. Is the Campus Code of Conduct easy to read, portable with hotline and contact number

readily displayed? 4. Is there an overall theme of commitment to compliance at the highest level of the

organization? 5. Does Annual Report provide a list of compliance or related policies and procedures? 6. Does Report provide updates and/or amendments to policies and procedures? 7. Does it include an attestation or agreement to read the Code of Conduct?

b. Clearly Defined Oversight Responsibilities. In reviewing all annual reports, the following were assessed:

1. Does the Compliance Officer report to the highest level of the organization? Is the CO a

high-level official with direct access to leadership for the medical school, medical group and hospital? Is the CO highly placed in the organization? Is the CO’s Job Description included and demonstrate a high level of responsibility and accountability?

2. Is the Compliance Officer a member of University committees with oversight and responsibility for functional areas key to compliance responsibilities—e.g., audit, misuse of university resources?

3. Does the local Compliance Committee include campus individuals with functional responsibilities necessary for enhancing compliance and executive management membership---audit, controller, etc.?

4. Does the organizational structure provide for reporting and liaison to other individuals and committees that will provide for increased communication, increased knowledge and increased opportunities to support a culture of compliance? Is compliance culture woven throughout the institution and how?

5. Has the Compliance Committee identified current activities that support the Committee’s compliance charge and those oversight activities outlined in the system Compliance Program?

6. Did the Compliance Officer or Dean of the School of Medicine attest to the Annual Report and include a list of Report Recipients?

7. Has the Compliance Committee identified future initiatives and activities that demonstrate the Committee’s willingness to be accountable and assume responsibility for initiatives necessary to provide corporate compliance?

10

c. Employee training on the Corporate Code of Conduct and, where appropriate, evaluation and management and billing practices. In reviewing all annual reports, the following were assessed:

1. Is there a well-established, regular process for training current employees? 2. What percentage of employees were trained on the Code of Conduct and how? 3. Does the scope of the education include all employees with responsibility for billing

activities? 4. Does the report describe education for residents and other trainees? 5. Is there timely training of new employees? 6. Does the report provide an accounting of the number and percentage of employees

trained on professional fee billing and/or other compliance program? 7. Does the report describe the type of training and education for remedial purposes when

errors have been identified through billing and audit reviews? 8. Does the report describe training methodology and topics?

d. Confidential Communication Opportunities, including a campus compliance Hotline or Helpline so that employees can raise questions and concerns or report suspected violations. In reviewing all annual reports, the following were assessed:

1. Is there a confidential Compliance Hotline or Helpline? 2. Does report describe the nature of the calls to the confidential number? 3. Is action taken on every call? 4. Is a log maintained of issues and actions? 5. Are calls made directly to the Compliance Office? If so, how does the number and

content of the calls compare with that of the confidential number?

e. Monitoring and auditing. In reviewing all annual reports, the following were assessed:

1. Has the Compliance Committee established a regular schedule for auditing divisions and departments?

2. Do audits include a process for pre and post review when errors are identified—a post review to determine if corrective action was successful?

3. What actions are taken to effect change and correct errors? 4. Does the report describe overpayments identified through major external audits? 5. Does the report describe underpayments identified through major external audits? 6. Does the report identify the cause for both overpayment and underpayment errors and

process for correction? 7. Is there a procedure for frequent checking of new and current employees against the

DHHS/OIG’s published list of excluded individuals/entities? 8. Does the report provide data on the number of excluded individuals identified and actions

taken? 9. Does the report include an annual planning process for next fiscal year? The Annual

Audit Compliance Plan for FY 2001 – 02?

11

f. Enforcement and Discipline, including remedial and corrective procedures to respond to and prevent further errors or offenses. In reviewing all annual reports, the following were assessed:

1. Does the Campus Code of Conduct clearly state that failure to comply could result in the

individual’s being subject to corrective and/or disciplinary actions? 2. Does the Campus Code of Conduct clearly state the responsibility of the individual

employee to comply and provide guidance for following University policy regarding investigating known or suspected misuses of resources by university employees?

3. Does the Campus Annual Report provide a discussion of policies and procedures in place for enforcement and discipline?

4. Does the Campus Annual Report describe any patterns of behavior (versus distinct actions or errors) that would indicate need for systemic or cultural change?

5. Does the Report discuss challenges of or barriers to implementing remedial or corrective procedures?

Conclusions and Recommendations

The campus annual reports confirm that the University’s Compliance Program has been implemented at all AHCs. Residents, faculty and other employees receive training regarding coding and billing regulations; all campuses have developed a Corporate Compliance Code of Code that is readily accessible by employees or directly provided during training sessions. Communications to employees regarding the Compliance Program demonstrate a strong commitment to ethical behavior and compliance at the highest level of the organization—e.g., School of Medicine Deans and Medical Center Directors. Moreover, the system and campus Compliance Committees have identified and are in the process of developing additional compliance initiatives—e.g., clinical laboratory, hospital and research compliance, HIPAA---that demonstrate an ongoing and proactive commitment to and willingness to be accountable for promoting a corporate culture of compliance. With the exception of one campus (UCSF), the campuses’ Annual Reports and respective Code of Conducts correspond to system guidelines. UCSF does not reflect the same format because UCSF broadened the Code of Conduct to include all employees, not just those in the clinical enterprise. Each campus Corporate Compliance Committee should continue to maintain the campus Code of Conduct on an easily accessible Web Site, as well as provide hard copies that are easy to read and portable. The Website and other means of communications—e.g., newsletters—should provide frequent updates and revisions. At UCOP, the system Guidelines should be placed on the UCOP Web Site. In order to protect and defend the University’s clinical enterprise in the event of future reviews and audits and sustain the momentum established during the PATH audits for creating a corporate culture of compliance, continued support at the highest level of the campus and system organization will be necessary. Campus Compliance Officers should provide for increased integration with campus committees as compliance activities continue to grow. The System

12

Compliance Committee should consider whether mutual integration at the campus and system level is a measure of compliance effectiveness. All campuses have a well-established, regular process for training current employees, with a number of best practices that can be shared between campuses. Tracking of the number of employees trained, by degree and by topic, varies by campus. Educational requirements for physicians who submit professional fee billing vary by campus. This variation of methodology could provide an interesting comparison of effectiveness of training modalities. Campuses all include training and education for remedial purposes when errors have been identified through billing and audit reviews. The System Compliance Committee should consider whether a quantification of outcomes of those remedial training sessions should be included as a measure of compliance effectiveness. HIPAA Privacy Regulations require training of all health care component employees beginning in 2003. In order to reduce costs, enhance consistency and reduce risks of non-compliance, the System Compliance Committee should provide training guidelines and modalities that combine Compliance and HIPAA training. UCI and UCLA have developed web-based competency exams and these exams may be a useful tool for system competency testing. The System Compliance Committee should discuss whether an analysis of the correlation between those faculty not participating in training and audit outcomes would be a useful compliance effectiveness measure. All campuses provide a confidential Compliance Hotline and/or Helpline, with well-developed procedures for taking action on those communications. In a number of cases, the calls to the Hotline have decreased, with a corresponding increase in direct calls to the Compliance Office. This shift may suggest an increase in confidence in the Compliance Office staff and provide a measure of compliance effectiveness. There is a difference among campuses in how calls are reported and/or categorized according to compliance issues; this is due, in large part, to the fact that some campuses have hired an outside vendor who has created a template that categorizes calls. As a measure of compliance effectiveness and change over time, the System Compliance Committee should discuss the development of a template for consistent and comparable use by all campuses to categorize calls and communications with the Compliance Offices. All campus Compliance Committees have established a regular schedule for monitoring the billing activities based on their local operational procedures. The information provided in the Campus Annual Reports is not reported in a manner that would allow aggregate, system reporting of audit outcomes and efforts to correct or remediate errors identified through the audit process. However, the campuses frequently share best practices and strategies for effecting change and correcting errors during the quarterly meetings of the System Corporate Compliance Meetings and informally amongst themselves. All campuses have a procedure in place for frequent checking of new and current employees against the DHHS/OIG’s published list of excluded individuals and entities. The System Compliance Committee should discuss inclusion in the annual reports of a requirement for a description of the annual planning process or Annual Audit Compliance Plan. The System Compliance Committee should also discuss whether all campuses should provide a discussion of audit and monitoring findings and followup as a measure of compliance effectiveness over time.

13

All Campus Code of Conducts clearly state the individual’s responsibility to comply, and they provide a discussion of policies and procedures in place for enforcement and discipline. A recognized barrier to implementing remedial or corrective procedures is the varying types of remedial and corrective actions between staff and faculty and between tenured faculty and clinical faculty and the inconsistency in applying these variable standards. 2. Summarize Reviews by External Agencies of the System and Campus Compliance Programs.

a. Review by OIG PATH Auditors of Campus and System Corporate Compliance Programs

b. Joint Commission on Accreditation of Healthcare Organizations (JCAHO) Review of Organizational Ethics Standards

1. Review by OIG PATH Auditors of Campus and System Corporate Compliance Programs During the PATH audits, the OIG interviewed each of the five Campus Compliance Officers and other members of the local Campus Corporate Compliance Committees, as well as two representatives from the UC Office of the President who serve on the System Corporate Compliance Committee, John Lundberg, Deputy General Counsel/UCOP and Dr.Maria Faer, Director of Clinical Policy/UCOP. The OIG auditors reviewed both system and campus Corporate Compliance Program that were being developed simultaneous to the ongoing PATH audits. Moreover, in subsequent negotiations with DHHS/OIG , the University’s Compliance Committee represented to the federal government that it was developing a Corporate Compliance Program that met all requirements of the federal guidelines. The OIG auditors did not recommend or require substantive changes to either the University Corporate Compliance Program or campus programs. The fact that the University had proactively and voluntarily undertaken the development of a University Corporate Compliance Program that met the OIG’s compliance guidelines was effective in achieving the successful PATH outcome and in supporting the University’s position that the health sciences clinical enterprise is committed to compliance at all levels of the organization. Moreover, the rigor of the effort to develop Corporate Compliance Programs at both the system and campus level was instrumental in convincing DHHS/OIG that the University should not be subject to any form of direct compliance oversight and monitoring by the federal government. 2. Joint Commission on Accreditation of Healthcare Organizations (JCAHO) Review of Organizational Ethics Standards The principal hospital accrediting body, JCAHO, has introduced “organizational ethics” standards in the accreditation process. A key standard requires each accredited health care organization to operate “according to a code of ethical behavior” in order to preserve and enhance patients’ rights. The Compliance Program standards form the core of each hospital’s organizational ethics focus, emphasizing the need for an ethical environment to uphold patient rights.

14

Conclusion and Recommendations

The review by two external review bodies of the University and campus Corporate Compliance Programs and Code of Conduct and the determination that either no change was required, as in the case of the OIG, or the standard was met, as in the case of JCAHO, speaks to the effectiveness of the Compliance Program and Code of Conduct. When appropriate, reviews by external review bodies of the Corporate Compliance Program and Code of Conduct should be incorporated into each campus and system Annual Reports. 3. Provide an example (s) of system and campus ongoing commitment to compliance. Health Insurance Portability and Accountability Act HIPAA Privacy Regulations Overview A review of the campus Reports and System Compliance Committee efforts demonstrate a broad range of initiatives at both campus and system level to proactively provide for compliance with federal and state regulations. Of particular note at the system level is the recommendation by the Corporate Compliance Officers to the System Compliance Committee that the AHC leadership create a HIPAA Taskforce to provide for compliance with federal HIPAA Privacy and Security Regulations by April 2003. The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule of HIPAA) became effective on April 14, 2001 and most health care providers that are covered by the Privacy Rule must comply by April 2003. The HIPAA Privacy Rule provides the first comprehensive federal protection for the privacy of health information; however, DHHS and most policy makers agree that privacy protections should not interfere with a patient’s access to or the quality of health care delivery.3 The Privacy Rule creates standards that protect a patient’s medical records and personal health information and it:

1. Gives patients more control over their health information; 2. Sets boundaries on the use and release of health records; 3. Establishes appropriate safeguards that health care providers and others must achieve

to protect the privacy of health information; 4. Holds violators accountable, with civil and criminal penalties that can be imposed if

they violate patients’ privacy rights; and 5. Strikes a balance when public responsibility requires disclosure of some forms of

data—for example, to protect public health 6. Establishes a “federal floor” of safeguards, but state laws with stronger privacy

protections will take precedence over and above the new federal privacy standards.4 In general, the HIPAA Privacy regulations require providers to:

1. Provide information to patients about their privacy rights and how their information can be used;

3 Standards for Privacy of Individually Identifiable Health Information, Office of Civil Rights HIPAA Privacy guidance, TA 164.000.001, July 6, 2001. 4 Standards for Privacy of Individually Identifiable Health Information, Office of Civil Rights HIPAA Privacy guidance, TA 164.000.001, July 6, 2001.

15

2. Adopt clear privacy procedures for providers—individual physicians, medical centers and clinics;

3. Educate employees regarding privacy policies and procedures; 4. Designate an individual to be responsible for seeing that privacy procedures are

adopted and followed; and 5. Secure patient records so that they are available only to those who need them.

To ease the burden of compliance, the Privacy Rule gives flexibility to providers to create their own privacy procedures in order to provide scalability for a more efficient and appropriate means of protecting health information. The regulations recognize that “one size does not fit all” and compliance can be tailored by covered entities to fit their size and needs. Corporate Compliance Committee Initiative: Preparing the AHCs for HIPAA Privacy and Security Compliance through a System-Wide Approach to Compliance In November 2000, the campus Corporate Compliance Officers recommended to the system Corporate Compliance Committee that the committee take a lead role in developing and implementing a work-plan and strategy for providing compliance with the privacy and security regulations mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In response, the Medical Center CEOs and School of Medicine Deans appointed individuals from each of their AHCs to the University’s Academic Medical Center HIPAA Taskforce (HIPAA Taskforce) and charged the group with developing: 1) an understanding of the requirements of HIPAA given the unique mission of an AMC; 2) recommendations for providing compliance with HIPAA; and, if appropriate, 3) a work-plan (s) for achieving campus and system compliance prior to the effective date of April 2003. The AHCs’ leadership appointed the campus Corporate Compliance Officers to serve on the HIPAA Taskforce, as well as individuals representative of functional areas affected by HIPAA, including information technology, health care delivery, computer and records security, research and IRB activities, human resources, medical staff, legal, policy, and student health services. The HIPAA Taskforce convened a series of all-day workshops--- i.e., interpreter sessions---led by outside counsel for the purpose of interpreting and analyzing the implications of and requirements for the University’s AHCs. From these sessions emerged both the framework for a work-plan and a number of questions and issues regarding the meaning of the regulations and potential unintended consequences for the University due to the regulatory burden imposed by the regulations. Members of the provider, education and research communities, including the Association of Academic Medical Colleges (AAMC) and other national associations, had expressed concern during the regulatory comment period that compliance with the Privacy Rule would be burdensome, costly and could hinder both access and quality of care. The University’s HIPAA Taskforce estimated that system-wide annual compliance costs would range from $ 12 - $ 15 million; “start-up” costs, including planning, consultants and facility and computer upgrades and remodels, could add an additional $ 4.0 million per campus or $ 20 million total. In July and August 2001, members of the University’s HIPAA Taskforce met with leadership at DHHS and the Office of Civil Rights (OCR) to discuss and clarify those questions and issues identified by the Taskforce and to determine whether the “reasonableness” principle of the regulations would

16

allow the University to develop a HIPAA compliance program that would both ease the regulatory and financial burden to the AHCs and achieve the objectives of DHHS. The University of California: a Hybrid Covered Entity As a result of its interpretive and analytical work, the HIPAA Taskforce has determined that the University of California is defined, for HIPAA purposes, as a “hybrid covered entity,” a single legal entity that is either a provider, health plan or clearinghouse, but one where its covered functions are not its primary function. At a time when external challenges to the financing of the University’s mission are considerable, the University’s AHCs are seeking ways to minimize unnecessary costs and implement effective business practices in order to comply with federal and state regulatory initiatives. Therefore, building on the effective Corporate Compliance Program model of System-wide policy development and oversight, the HIPAA Taskforce has recommended to the AHC leadership that the AHCs seek Board of Regents’ action designating the University as a single health care component in order to:

1. Reduce costs of compliance by standardizing the University’s approach, creating, where appropriate, a single set of policies, procedures and practices and sharing resources;

2. Reduce the University’s business and audit risks by providing consistency of approach, shared best practices and uniform application of the “reasonableness and appropriate” principles for HIPAA compliance;

3. Enhance compliance by demonstrating commitment and leadership across the organization and providing support at all levels for the cultural change necessary to manage privacy and security; and

4. Minimize disruption to the care, research and teaching missions of the University and build patient confidence and loyalty.

HIPAA Security Regulations DHHS has not published the final HIPAA security rule; however, the Taskforce assumes that they will be finalized by January 2002 and expects to implement a planning process similar to that of the Privacy regulations.

4. Provide a qualitative assessment of the University’s progress towards achievement of the University’s Compliance Program Objectives:

1. Maintain and enhance quality of care; 8. Demonstrate sincere, ongoing efforts to comply with all applicable laws; 9. Revise and clarify current policies and procedures in order to enhance compliance; 10. Enhance communications with governmental entities with respect to compliance

activities; 11. Empower all responsible parties to prevent, detect, respond to, report and resolve conduct

that does not conform to applicable laws, regulations and the University’s Code of Conduct; and

12. Establish mechanisms for employees to raise questions and concerns about compliance issues and ensure those concerns are appropriately addressed.

17

Objective 1: Maintain and enhance quality of care. An AHC culture that promotes core values and ethical behavior in the treatment of patients and employees is an important contributing factor to quality care. From The Board of Regents to the campus executive management team to every employee, the heightened attention on ethical conduct and the required training on the core standards contribute to a culture that promotes and rewards compliance and ethical behavior. Objective 2: Demonstrate sincere, ongoing efforts to comply with all applicable laws. The System Compliance Committee proactively identifies issues and initiatives that will enhance overall compliance with federal and state regulations as exemplified by their current efforts on HIPAA. At each of the campuses, the local efforts of the Campus Compliance Officers and Compliance Committees to initiate compliance programs and activities focused on local needs and priorities augment and enhance compliance efforts of the overall clinical enterprise. Moreover, these local initiatives provide for overall reduced costs, reduced redundancy and increased cost-effectiveness for every campus because the System Corporate Compliance Committee provides a forum for sharing of efforts and information. The following are examples of some of the initiatives at the individual AHCs: UCD – Clinical Lab Compliance, Third Party Billing Vendor Compliance, Health System Facilities Compliance, Home Health/Hospice Compliance, Clinical Research Compliance Oversight, HIPAA. UCSD – Clinical Laboratories Compliance Program, UCSD Health Plan Compliance Program, Clinical Research, Hospital Compliance, Radiology, HIPAA, Home Health. UCI – Laboratory Compliance, Research Compliance, Hospital Compliance, Home Health, third Party Billing Vendor Compliance, HIPAA. UCLA – Hospital Compliance Program, Clinical Lab Compliance, Home Health, Third Party Billing Vendor Compliance, Research Compliance, HIPAA. UCSF—Hospital Compliance Program, Clinical Laboratory Medicine, Dentistry Compliance, Home Health, Third Party Billing Vendor Compliance, HIPAA. Objective 3: Revise and clarify current policies and procedures in order to enhance compliance. The annual reports of all campuses have demonstrated that the development of policies and procedures is a fluid and dynamic process designed to clarify, communicate and educate employees on compliance issues and initiatives. Most campuses have implemented a number of communication strategies, including newsletters, websites, and training sessions to enhance compliance. Campus Compliance Officers and Compliance Committees have identified and share best practices as both a part of regular compliance meetings and the development of the annual reports. The campus annual reports also comment on the fact that revised and clarified policies and procedures, particularly as related to billing practices, have contributed to improving and enhancing business practices. The response (i.e., of monitoring, audits, education and other

18

corrective actions) has also been positive as both the faculty and the department leadership see the corrective actions as opportunities to improve performance and reduce errors, which ultimately can result in better documentation and patient care. Objective 4: Enhance communications with governmental entities with respect to compliance activities. The PATH audit involved extensive communication with the federal government. Members of the System Compliance Committee also met on two separate occasions with leadership from DHHS and the OCR in order to discuss and clarify concerns regarding the impact of HIPAA on the University’s mission. These meetings in Washington have enabled the HIPAA Taskforce to move forward with their workplan in areas where there had been a lack of clarity regarding the intent of the regulations—e.g., research compliance, role of the institutional research board (IRBs), understanding the creation of protected health information (PHI), and the interpretation of a hybrid covered entity as it relates to a complex organization such as the University of California. Objective 5: Empower all responsible parties to prevent, detect, respond to, report and resolve conduct that does not conform to applicable laws, regulations and the University’s Code of Conduct. Bringing about change in an academic medical center requires a collegial process, built on mutual respect and the leadership of a number of individuals at all levels of the organization. In addition to those initial activities identified by The Board of Regents, the Corporate Compliance Committee has voluntarily expanded its responsibilities in order to achieve the overall objectives of the Corporate Compliance Program. Characterized by a spirit of cooperation, collegiality and commitment to proactively setting in motion initiatives or strategic directions to provide for the University’s compliance with federal and state regulatory initiatives in a cost-effect manner, the system and campus Corporate Compliance Committees continue to enhance compliance efforts by building on campus and individual expertise and developing and sharing best-practices. It is notable that the system Corporate Compliance Committee’s core composition has remained virtually unchanged since 1996, with all of the campus Compliance Officers now agreeing to serve, at the recommendation of the Medical Center CEOs and School of Medicine Deans, as representatives to the University’s HIPAA Taskforce. At a time when the corporate and university culture often seek outside expertise at considerable cost, the System Corporate Compliance Committee, comprised of individuals representative of a diverse and broad range of AHC expertise, has recognized that it can and should take an active leadership role in University-wide compliance policy development and local policy and procedure implementation. Objective 6: Establish mechanisms for employees to raise questions and concerns about compliance issues and ensure those concerns are appropriately addressed. All campus annual reports demonstrate a number of mechanisms for raising questions and concerns and several reports have outlined specific actions taken to respond to and address issues. A recommendation for FY 2002 Annual Report is a consistent and comprehensive reporting of and responses to questions and concerns.

19

5. Establish a process for setting Compliance Effectiveness Measures for FY 2002 Annual Report. In FY 2002, the System Corporate Compliance Committee will develop measures of Compliance Effectiveness to guide future reporting, provide for assessing change over time and, ultimately, refine and enhance compliance activities. Moreover, advice from the University’s external auditors and others knowledgeable about the federal and state regulatory climate suggests that CMS, JCAHO, and others, as a result of the heightened interest in compliance and quality of care, will require some measure of compliance effectiveness as a part of the reporting, licensing, and regulatory process. Baseline Data In an effort to provide baseline data that will inform the FY 2002 Annual Report Process and the System Compliance Committee’s development of measures of compliance effectiveness, the Committee determined, after review of the draft Annual Reports, that data would be collected regarding the following:

a. Total Calls to Compliance Hot Lines, Help Lines and Compliance Office Total calls or communications to the Compliance Office = 1367. Each Compliance Office has in place procedures to take action on all communications. b. Percentage of Monitoring Reviews Scheduled and Completed Monitoring Reviews were scheduled at all campuses, with 95% completed. The scheduling of unanticipated, non-routine reviews and audits and the subsequent diversion of staff time to complete those was the reason the remaining 5% were not completed.

c. Monitoring of Sanction List of Excluded Individuals All campuses frequently monitor the Sanction List. Five (5) individuals were identified in total. Action was taken on all five by the respective campus. d. Total Number of Physicians and Non-physicians In Attendance at Training Session Ongoing and appropriate education is an essential element of an effective compliance program. In FY 2001, over 25,000 physicians and non-physicians were trained on compliance program issues.

Best practices models or outcomes could assist in the development of Compliance Effectiveness Measures. The following are examples of shared best practices described in each campus annual report. For greater detail, refer to the specific annual reports. Compliance auditors, manager and director are responsible for training, which has resulted in more one-on-one training sessions and affirms Compliance staff commitment to partnering with faculty to enhance a culture of compliance. Corporate Compliance is a core competency in the employee performance evaluation process at UCI, with a requirement that all UCI MC staff successfully complete a corporate compliance competence exam. (UCI). Web-site testing, auditing, education and quality improvement have been initiated. Enhanced relations with faculty have resulted in improved coding, billing and documentation. Outpatient

20

physician coding training has been implemented. Discussion of audit discrepancies for surgical and non-surgical departments may provide compliance effectiveness comparisons between (UCLA). UCSF has focused on training and certification of coders and provided specific examples of profee billing audits and descriptions of risk assessments related to purchased practices and community physician leases. UCSF has initiated an “Ask a Coding/Compliance Question” Helpline. UCSD has developed the “ABCs About Billing and Compliance” as an education tool and uses a number of the forms developed during the PATH audit/ICA development process for audit and monitoring tools. UCD has implemented a Compliance Coordinator role responsible for the development of unit specific compliance plans. UCD incorporates Code of Conduct Training into the Annual Safety training conducted by Human Resources to maximize employee participation. 6. Seek an independent review by the University’s Internal Audit Program. University Internal Audit Role The University’s Internal Audit Program has played a role in the assessment of the overall Corporate Compliance Program. Under a coordinated program, each Health Sciences Campus Internal Audit Department has conducted a review of the structure, scope and implementation to date of the Campus Compliance Program and reviewed the Annual Report to the Office of the President. Each Health Science Campus Internal Audit Department has provided a report to the Office of the University Auditor based on their review. The Office of the University Auditor has reviewed the Campus Internal Audit Department Reports, and the Health Sciences Clinical Enterprise Corporate Compliance Annual Report and campus reports, and issued the report enclosed as Attachment B. Both the campus and University Auditor’s reports conclude that the Corporate Compliance Program is being carried out in accordance with the University’s approved program and federal guidelines where applicable.

21

System Corporate Compliance Committee FY 2001

UC Davis

Rory S. Jaffe, M.D., Chief Compliance Officer Geneva Harris, Clinical Affairs Teresa Porter, Manager, Investigations and Research Pari Velji, Manager, Auditing and Education

UC Irvine James R. Herron, Associate Dean and Corporate Compliance Officer Jeremiah G. Tilles, M.D., Professional Fee Compliance Officer Renee Walsh, Compliance Director

UC Los Angeles James G. Terwilliger, Chief Compliance Officer and Vice Provost Linda A. Heller, Compliance Director

UC San Diego Charles Mittman, M.D., Special Assistant for Clinical Affairs and Corporate Compliance Officer Kathleen Naughton, Manager, Corporate Compliance Program

UC San Francisco Harry Cordon, Clinical Enterprise Compliance Office, School of Medicine Controller Wanda Ziemba, Compliance Manager

UC Office of the President William H. Gurtner, Vice President of Clinical Services John Lundberg, Deputy General Counsel Patrick Reed, University Auditor Maria Faer, DrPH, Director of Clinical Policy

UNIVERSITY OF CALIFORNIA HEALTH SCIENCES CORPORATE COMPLIANCE...

Documents

Transcript of UNIVERSITY OF CALIFORNIA HEALTH SCIENCES CORPORATE COMPLIANCE...