AGENDA Corporate Compliance/Privacy and Internal Audit Committee Meeting
Monday, September 23, 2013, 5:00-7:00pm
Conference Room A, ground floor
El Camino Hospital
2500 Grant Road, Mountain View, California
And by teleconference:
One Post Street
San Francisco, CA 94104
Purpose: The Corporate Compliance/Privacy and Internal Audit Committee is responsible for providing direction for both the
Corporate Compliance and Internal Audit programs at all locations of El Camino Hospital (ECH). Responsibilities include providing
oversight on compliance issues requiring executive-level interaction, assessing physician relationship risk as it relates to compliance,
reviewing HIPAA/Privacy laws as they relate to compliance and directing ECH on compliance strategies. The Committee also serves
as the ad-hoc mobilization team for any external investigations and/or actions. Further, additional responsibilities include providing
direction and oversight to ongoing internal audit activity and determining appropriate organizational response in order to identify and
mitigate organizational risk.
I. CALL TO ORDER/ROLL CALL
Presented by: John Zoglin, Chair, Corporate Compliance Committee
5:00 p.m.
II. POTENTIAL CONFLICTS OF INTEREST DISCLOSURES
Presented by: John Zoglin, Chair, Corporate Compliance Committee
5:01 – 5:02
III. PUBLIC COMMUNICATION
Presented by: John Zoglin, Chair, Corporate Compliance Committee
5:02 – 5:07
IV. CONSENT CALENDAR
All items listed on the Consent Calendar are considered to be routine matters or formal documents covering previous Committee instructions. One motion, a second and a vote may enact all of the items listed on the Consent Calendar. There will be no separate discussion of Consent Calendar items unless members of the Committee, Hospital staff or the public request discussion on a specific item at the beginning of the consideration of the Consent Calendar.
Approval:
a. Minutes of Corporate Compliance Meeting, June 11, 2013
Information:
b. NPP Revisions
c. BAA Revisions
ATTACHMENT 1
Presented by: John Zoglin, Chair, Corporate Compliance Committee
Action: public comment; motion required
5:07 – 5:10
A copy of the agenda for the meeting will be posted and distributed at least seventy-two (72) hours prior to the meeting. In
observance of the Americans with Disabilities Act, please notify us at 650-940-7301 forty-eight (48) hours prior to the meeting so
that we may provide the agenda in alternative formats or to make disability related modifications and accommodations.
V. INFORMATIONAL AND POSSIBLE MOTION ITEMS
1. Review Revisions to Committee FY:14 Goals
ATTACHMENT 2
Presented by: John Zoglin, Chair, Corporate Compliance Committee
Action: public comment; motion required
5:10 – 5:15
2. Finalized FY:13 Scorecard and proposed key indicators for FY:14
ATTACHMENT 3
Presented by: Diane Wigglesworth, Corporate Compliance/Privacy Officer
Action: information
5:15 – 5:20
3. Review FY:14 Internal Audit Work Plan
ATTACHMENT 4
Presented by: Diane Wigglesworth, Corporate Compliance/Privacy Officer
Action: public comment; motion required
5:20 – 5:25
4. Review Enterprise Risk Management Program Development Plan
ATTACHMENT 5
Presented by: Diane Wigglesworth, Corporate Compliance/Privacy Officer
Action: information
5:25 – 5:35
VI. ADJOURN TO CLOSED SESSION
1. Conflict of Interest disclosures relating to Items 2-6 on the Closed Session agenda, pursuant to the code provisions listed below.
2. Approval of Closed Session Minutes (6/11/13), Gov’t. Code Section 54957.2 (motion required).
Information:
- Pacing Calendar: Health and Safety Code Section 32106(b), for a report involving health care facility trade secrets (information)
- Compliance and Privacy Logs: Conference with legal counsel – pending or threatened litigation, Gov’t. Code Section 54956.9(d)(2) (information)
3. Health and Safety Code Section 32106(b), for a report involving health care facility trade secrets.
- Report on IT Security (information)
4. Conference with legal counsel – pending or threatened litigation, Gov’t. Code Section 54956.9(d)(2).
- Report on Internal Audit Activity (information)
5. Conference with legal counsel – pending or threatened litigation, Gov’t. Code Section 54956.9(d)(2).
- Summary Report on FY:13 Compliance Activity (information)
6. Conference with legal counsel – pending or threatened litigation, Gov’t. Code Section 54956.9(d)(2).
- Report on Compliance and Privacy Program Activity (information)
7. Adjourn to open session
VII. RECONVENE OPEN SESSION
To report any required disclosures regarding permissible actions taken during Closed Session
Presented by: John Zoglin, Chair, Corporate Compliance Committee
6:51 – 6:53
VIII. CLOSING COMMENTS – Committee Evaluations
Presented by: John Zoglin, Chair, Corporate Compliance Committee
6:53 – 7:05
IX. ADJOURNMENT
Presented by: John Zoglin, Chair, Corporate Compliance Committee
7:05 p.m.
PLEASE NOTE: The CLOSED SESSION is for Corporate Compliance/Privacy and Internal Audit Committee
Members and Staff or persons required for a particular agenda item only.
Draft: Subject to Compliance Committee and Board of Directors Consideration
BN 13425146v2
EL CAMINO HOSPITAL
BOARD of DIRECTORS
CORPORATE COMPLIANCE/PRIVACY and INTERNAL AUDIT COMMITTEE
Meeting – June 11, 2013
MINUTES
The Meeting of the Compliance/Privacy and Internal Audit Committee of the Board of Directors
of El Camino Hospital (the “Committee”) was called to order by Chair David Reeder at
4:05 p.m. on Tuesday, June 11, 2013, Conference Room E at El Camino Hospital.
I. CALL TO ORDER
Roll call was taken. Committee members David Reeder, Wesley Alles, Dennis Chiu,
Ramy Houssaini, Sharon Anolik Shakked and Christine Sublett were present.
II. POTENTIAL CONFLICT OF INTEREST DISCLOSURES
Director Reeder asked if any Committee member had a conflict of interest. None was
reported.
III. CONSENT CALENDAR
Director Reeder asked if there were any consent calendar items, changes or corrections to
the minutes of April 9, 2013. There were no changes proposed. A motion to approve the
consent calendar, including the minutes of the meeting of April 9, 2013, was made by Committee
member Chiu, seconded by Committee member Sublett, and approved by a vote of six Committee
members in favor.
IV. INFORMATIONAL ITEM
A. Review Revisions to Committee Charter
Committee member Sublett suggested adding a provision to address IT security oversight
to the Committee Charter, commenting that there is currently no reference to this in the Charter.
Diane Wigglesworth asked if such a provision would first need to go to the Governance
Committee, and it was determined that it would not.
Committee member Houssaini questioned the use of the word “ensure” on page 3 of the
Charter in reference to the Committee’s advisory role for Enterprise Risk Management reporting,
and the Compliance Committee suggested substituting the word “oversee”. Ms. Wigglesworth
indicated she would incorporate the changes and submit the revised Charter to the Governance
Committee for approval.
A motion was made by Committee member Shakked, seconded by Committee member
Houssaini, and adopted by a vote of six Committee members in favor to accept the Charter as
amended, with a provision addressing information security added to the Charter.
B. Review FY: 14 Internal Audit Risk Assessment and Audit Plan
Alex Robison, of Protiviti, briefly reviewed the internal audit risk assessment
performed, which resulted in recommendations for a FY: 2014 audit plan. His presentation
materials included a map depicting the 25 highest rated risks based on survey results and
feedback from staff interviews.
Tomi Ryba stated that she is aware that ECH may have about 5% of all patients’ medical
records erroneously duplicated in the system, where one patient is associated with more than one
medical record number, and is surprised that ECH does not have a maintenance program to address
this. Mike King responded that ECH does not yet have a fully integrated EMR, and clean-up will
need to be done. Ms. Ryba commented that the map depicts “a lot of activity for FY 2014”.
Ms. Wigglesworth indicated that she will take comments from the Executive Team and
come back with a revised audit plan for Committee approval.
Committee member Chiu asked why IT disaster recovery was not a priority. It was
pointed out that a comprehensive Business Continuity/Disaster Recovery audit was completed in
2011 and management had developed a five year action plan regarding the audit findings. Chair
Reeder suggested presenting a look-back of completed audits compared to past risk maps for the
Committee’s review. Ms. Wigglesworth indicated that at the next meeting she will present
information regarding historical audits completed, to ensure that past efforts are not duplicated
by the proposed FY14 audits.
C. Enterprise Risk Management and Policy Oversight
Ms. Wigglesworth handed out for review a potential Enterprise Risk Dashboard,
indicating that her goal is not to create a dashboard with a lot of metrics but to capture the key
organizational risks that identify business and strategic risks. At the next meeting she will
present a more refined dashboard for Committee feedback. Committee members Chiu and
Sublett agreed to send Ms. Wigglesworth their ideas on other metrics that should be included.
Committee member Houssaini suggested traceability between metric indicators and
performance. Ms. Wigglesworth said she is in the process of validating the current review and
approval process for administrative policies. Regarding policy oversight, it was recommended that
Ms. Wigglesworth bring back a summary of the current state to address “what is the process?”
and “what are we required to review?”
D. Corporate Compliance Scorecard
Ms. Wigglesworth reviewed the corporate compliance scorecard. She noted that the
Committee remains on track, meeting key performance indicators in all areas with the exception
of new managers receiving additional compliance training within 90 days of start date, which is
currently tracking at 90% of goal. Committee members suggested to Ms. Wigglesworth some
additional modifications and changes to the scorecard to be considered for the next fiscal year.
V. ADJOURN TO CLOSED SESSION
Upon motion duly made by Committee member Sublett, seconded by Committee member
Chiu, and approved by a vote of six Committee members in favor, none opposed, the Open
Session of the meeting was adjourned to Closed Session at 4:45 p.m. pursuant to Gov’t Code
Section 54957.2 to consider and approve the Consent Calendar (the Closed Session minutes of
April 9, 2013), and pursuant to Gov’t Code Section 54956.9(d)(2) for two conferences with legal
counsel, and pursuant to Health and Safety Code Section 32106(b) for one conference with legal
counsel.
VI. CLOSED SESSION
The Committee completed its business of the Closed Session at 6:06 p.m.
VII. RECONVENE OPEN SESSION
The Committee reconvened to Open Session at 6:06 p.m.
PUBLIC COMMUNICATION
There were no comments.
VIII. CLOSED SESSION REPORTS
Chair Reeder reported that the closed session minutes of the April 9, 2013 meeting were
approved by a vote of six Committee members in favor.
IX. CLOSING COMMENTS.
There being no further business, the meeting was adjourned at 6:07 p.m.
David Reeder
Chair, ECH Compliance/Privacy and
Internal Audit Committee
Attest as to the approval of the foregoing
minutes by the Corporate Compliance/Privacy
and Internal Audit Committee and by the
El Camino Hospital Board of Directors.
David Reeder
ECH Board Secretary
Corporate Compliance
Date: September 16, 2013
To: Corporate Compliance/Privacy and Internal Audit Committee
From: Diane Wigglesworth
Re: Revisions to NPP and BAA
The U.S. Department of Health and Human Services (HHS) has recently moved to strengthen the
privacy and security protections for health information established under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA). Accordingly, the HIPAA/HITECH rules have
been made more stringent. The new revisions will enhance patients’ privacy protections, provide
individuals new rights to their health information, and strengthen the government’s ability to
enforce the law. Many of the changes extend requirements to the business associates of covered
entities that receive protected health information, such as contractors and subcontractors.
On September 23, 2013, HHS will begin enforcing the revised HIPAA/HITECH rules. Attached
for information only are the revisions the hospital has made to our Notice of Privacy Practices (NPP)
and Business Associate Agreement (BAA) in order to comply with the new regulations.
The revisions to the NPP have been highlighted in red. The hospital posts the NPP on the ECH
website, distributes it to new patients, and retains the patient’s signed acknowledgment of receipt.
The BAA was significantly modified and for ease of review I have included only the final
version. The changes to the BAA have expanded the reporting and security responsibilities of
business associates and their subcontractors, including increased liability for HIPAA
violations. The hospital executes a BAA for all contractual arrangements that involve the
receipt or transmission of protected health information.
BN 14429379v3
NOTICE OF PRIVACY PRACTICES Date of Adoption: August ___, 2013
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED
AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
If you have any questions about this Notice, please contact the El Camino Hospital Privacy
Officer, or designee, by dialing the main Hospital number at (650) 940-7300 or by leaving a
message on the Corporate Compliance Hotline at (650) 988-7733.
Each time you visit a hospital, physician, or other health care provider, a record of your visit is
made. Typically, this record contains your symptoms, examination and test results, diagnoses,
treatment, a plan for future care or treatment, and billing-related information (“protected health
information”). This Notice applies to all of the records of your care generated by the Hospital
whether made by Hospital personnel, contractors of the Hospital, or your doctor. Your doctor
may have different policies or notices regarding the doctor’s use and disclosure of medical
information created in the doctor’s office or clinic.
OUR RESPONSIBILITIES
We are required by law to maintain the privacy of your protected health information, to provide
you with a description of our privacy practices and legal duties with respect to your protected
health information and to notify affected individuals following a breach of unsecured protected
health information.
This Notice covers the privacy practices of all health care professionals, employees, contract
staff, students and volunteers for El Camino Hospital, including all of its specialty units located
on or off of its campus, such as Evergreen Dialysis Center, Rose Garden Dialysis Center,
Cardiopulmonary Wellness Center, Hospital Drive Radiology, Maternal Connections, etc.
Within this Notice, a reference to the Hospital may also include the independent and group
physician practices who provide services in the emergency room, radiology department,
laboratory, anesthesiology and other service areas.
When the Hospital provides health care to you, we share your protected health information with
these and other physicians as necessary to perform treatment, to obtain payment or to carry out
operational activities.
Whenever we use or disclose your protected health information, we are required to abide by the
terms of this Notice of Privacy Practices. Please sign and return at your earliest convenience
the “Acknowledgment of Receipt” form which will acknowledge your receipt of this Notice.
USES AND DISCLOSURES
A. How We May Use and Disclose Health Information About You (No Authorization Required)
For Treatment: We may use your protected health information to provide treatment or services
to you. We may disclose your protected health information to doctors, nurses, technicians,
medical students, or other Hospital personnel who are involved in taking care of you at the
Hospital. For example, a doctor treating you for a broken leg may need to know if you have
diabetes because diabetes may slow the healing process. Different departments of the Hospital
also may share your protected health information to coordinate the different things you may
need, such as prescriptions, lab work, meals, and x-rays.
We may also share protected health information with your designated primary care physician
(“PCP”) or other subsequent health care provider in order for him or her to treat you once you
are discharged from the Hospital. This information may be shared electronically, in a
restricted, secure format.
For Payment: We may use and disclose medical information about your treatment and services
to bill and collect payment from you, your insurance company, health plan or another third party
payer (“Plan”). For example, we may need to give your Plan information about your surgery so
they will pay us or reimburse you for the treatment. We may also inform your Plan about the
treatment you are going to receive to determine whether your Plan will cover it.
For Health Care Operations: We will also use your protected health information to assist in
running our operations. Members of the Medical Staff and/or a quality improvement team may
use information in your health record to assess the care and outcomes in your case and others
like it. The results will then be used to continually improve the quality of care for all patients we
serve. For example, we may combine medical information about many patients to evaluate the
need for new services or treatment. We may disclose information to doctors, nurses, and health
care students for educational purposes. And we may combine medical information we have
with that of other hospitals to determine where we can make improvements. We may remove
information that identifies you from this set of medical information to protect your privacy.
We may also use and disclose your protected health information:
- To our business associates who we contract with to perform services;
- To assess your satisfaction with our services;
- To contact you as part of the Hospital’s fundraising efforts (except Behavioral Health patients). You have the right to opt out of receiving any such communications;
- For population-based activities relating to improving health or reducing health care costs; and
- For conducting training programs or reviewing the competence of health care professionals.
To Business Associates: Some services are provided to us or on our behalf through contracts
with third parties (“Business Associates”). For example, we may disclose your protected health
information to a copy service we use when making copies of your health record or to a
consultant who performs utilization reviews for the Hospital. When these services are
contracted, we may disclose your protected health information to our Business Associates so
that they can perform the duties we have asked them to do or to bill you or your Plan for the
services rendered. To protect your protected health information, however, we require our
Business Associates to appropriately safeguard your information.
For Fundraising Activities (except Behavioral Health Patients): We may disclose limited
information about you (such as your name, address, telephone number and the dates you
received services at the Hospital) to raise money on behalf of the Hospital. This limited
disclosure permits contact with you in an effort to expand and support the health care services
we offer, the educational programs we provide to the community, and the research we conduct
to find cures for life-threatening diseases. If you are contacted by the El Camino Foundation, you
have the right to be excluded from further contact by making a written request to the El Camino
Hospital Foundation.
For Hospital Patient Directory (except Behavioral Health Patients): We may include certain
limited information about you in the Hospital patient directory while you are a patient at the
Hospital. The information may include your name, location in the Hospital, your general
condition (e.g., good, fair, etc.) and your religious affiliation. This information may be provided
to members of the clergy even if they do not ask for you by name and, except for religious
affiliation, to other people who ask for you by name. If you would prefer not to be listed in the
Hospital patient directory, please request the “Request to Withhold Public Release of
Information” form from the admission staff.
To Individuals Involved in Your Care or Payment for Your Care: Unless you instruct us
otherwise, we may, in our professional judgment, use or disclose your protected health
information to a family member, other relative, a friend or any other person identified by you who
is involved in your medical care or who helps pay for your care (including your Plan). In an
emergency situation or in the event of your incapacity, we may exercise our professional
judgment to determine whether a disclosure to a particular person is in your best interest. We
will disclose only the information that we believe is directly relevant to the person’s involvement
with your health care or payment for your care. In addition, we may disclose your protected
health information to an entity assisting in a disaster relief effort so that your family can be
notified about your condition, status and location.
For Research if Certain Conditions are Satisfied: We may use or disclose protected health
information for research purposes if we remove certain information that may directly identify you
such as your name, telephone number, Social Security number, medical record number and
account number. We may also disclose information to researchers when an institutional review
board (“IRB”) has reviewed the research proposal, established protocols to ensure the privacy
of your protected health information and has approved their research. Unless an IRB has
issued a waiver of authorization, we will almost always ask for your written permission
(“Authorization”) before a researcher will have access to your name, address or other
information that already reveals who you are. In certain cases, prior to commencement of a
study or prior to your enrollment as a subject in a study, your personal health information may
be disclosed without your Authorization on a limited basis to further the Hospital’s research
mission. For example, we may disclose medical information about you to people preparing to
conduct a research project – to help researchers identify patients with specific medical
conditions and/or to assess the viability of a research idea (subject recruitment and reviews
preparatory to research) – so long as the medical information they review does not leave the
Hospital.
For Organized Health Care Arrangement: El Camino Hospital and the independent and
group physician practices that provide services at the Hospital are presenting you this Notice as a joint
Notice. Protected health information will be shared as necessary to carry out treatment,
payment and health care operations. Physicians and caregivers may have access to protected
health information in their offices to assist in reviewing past treatment as it may affect your
current treatment.
To Affiliated Covered Entity: Caregivers at other facilities may have access to protected
health information at their locations to assist in reviewing past treatment information as it may
affect your current treatment. Please contact the Privacy Officer, or designee, for further
information on the specific sites included in this affiliated covered entity.
As Required or Permitted by Law: We will use or disclose your protected health information if
we are required or permitted by law to do so, including the following:
Public Health Activities: We may disclose your protected health information for
authorized public health activities: to public health officials to prevent or control disease,
injury or disability; to the U.S. Food and Drug Administration (“FDA”) as required or
permitted by the FDA; and to report to your employer as required under laws addressing
work-related illnesses and injuries or workplace medical surveillance.
Victims of Abuse, Neglect or Domestic Violence: If we reasonably believe you are a
victim of abuse, neglect or domestic violence, we may disclose your protected health
information to a governmental authority, including a social services or protective services
agency, authorized by law to receive reports of such abuse, neglect or domestic
violence.
For Health Oversight Activities: We may disclose your protected health information to
a health oversight agency that oversees the health care system and is charged with
responsibility for ensuring compliance with the rules of government health programs
such as Medicare or Medicaid or licensing and similar authorities.
To Law Enforcement Officials: We may disclose your protected health information to
the police or other law enforcement officials in certain limited, allowable circumstances
or in compliance with a warrant, a court order or a grand jury or an administrative
subpoena.
For Legal Proceedings: We may disclose your protected health information in the
course of a judicial or administrative proceeding in response to: (1) a court order; (2) a
legally-valid order or warrant issued by a state or federal authority, administrative agency
or licensing board; and (3) a subpoena, discovery request, or other lawful process in a
third party action but only after efforts have been made to notify you that your protected
health information is being sought so that you can obtain an order protecting the
information requested.
Decedents: We may disclose your protected health information to a coroner, a medical
examiner or a funeral director.
Organ & Tissue Procurement: We may disclose your protected health information to
entities engaged in procurement, banking or transplantation of cadaveric organs, eyes or
tissue for purposes of facilitating donation and transplantation.
Health or Safety: We may use or disclose your protected health information to prevent
or lessen a serious and imminent threat to your health or safety or the health or safety of
others.
Specialized Government Functions: We may use and disclose your protected health
information to units of the government with special functions, such as the U.S. military,
the U.S. Department of State, under certain circumstances, and correctional institutions.
Worker’s Compensation: We may disclose your protected health information as
authorized by and to the extent necessary to comply with laws relating to workers’
compensation or other similar programs.
Limitations: There are special restrictions on the disclosure of health information
relating to HIV/AIDS status, mental health treatment, developmental disabilities, and
drug and alcohol abuse treatment. We comply with these restrictions in our use of your
protected health information.
B. Uses and Disclosures Requiring Your Written Authorization
Marketing Activities (Marketing Authorization): We must also obtain your written
authorization prior to using your protected health information to send you any marketing
materials (“Marketing Authorization”).
However, no Marketing Authorization is required for the following informational
communications (except Behavioral Health Patients): (1) information about health-related
products or services we provide; (2) information about services or products relating to your
treatment; (3) information about services or products for purposes of case management, or care
coordination, or to recommend alternative treatments, therapies, providers or care settings;
(4) to provide you with marketing materials in a face-to-face encounter; and (5) to give you a
promotional gift of nominal value.
Marketing (if authorized) or informational communications may be sent to you by e-mail or by
regular mail using information you provide us at registration.
Highly Confidential Information: Federal and state laws require special privacy protections
for certain highly sensitive information about you (“Highly Confidential Information”), including
the subset of your protected health information that: (1) is maintained in psychotherapy notes;
and (2) relates to alcohol and drug abuse prevention, treatment and referral. For purposes
other than those permitted or required by law, we must obtain your written authorization in order
for us to disclose your Highly Confidential Information.
C. OTHER USES OF PROTECTED HEALTH INFORMATION.
Other uses and disclosures of protected health information not covered by this Notice or the
laws that apply to us will be made only with your written authorization. If you authorize us to
use or disclose your protected health information, you may revoke that authorization, in writing,
at any time. If you revoke your authorization, we will no longer use or disclose your protected
health information for the reasons covered by your written authorization. You understand that
we are unable to take back any uses or disclosures we have already made in reliance on the
authorization, and that we are required to retain our records of the care that we provided to you.
D. Reporting and Disclosure Duties.
We are required by law to notify you if there has been improper access to your
unsecured protected health information and there is a significant risk of financial,
reputational, or other harm.
HOW YOU CAN ACCESS AND CONTROL YOUR PROTECTED HEALTH INFORMATION
The following describes the actions you may take with respect to your protected health
information that we maintain.
Inspect and Copy: You may ask to inspect and to obtain a copy of your protected health
information that may be used to make decisions about you and your treatment so long as we
maintain this information in our records. Usually, this includes medical and billing records. Under
federal law, however, you may not inspect or copy the following: (1) psychotherapy notes;
(2) information compiled in reasonable anticipation of, or use in, legal proceedings; or
(3) information subject to a federal law that prohibits access to protected health information. We
may deny your request to inspect and copy in certain very limited circumstances. If you are
denied access to your protected health information, you may request that the denial be
reviewed in some situations. We will comply with the outcome of the review.
If you request a copy of your protected health information, we may charge a fee for the cost of
copying, mailing, or other supplies we use to fulfill your request. If you wish to make a request,
you may obtain a request form from, or submit your detailed request in writing, including the
protected health information you are requesting access to and the relevant dates, to the Health
Information Management Services Department.
Amendment: If you feel that your protected health information is incorrect or incomplete, you
may ask us to amend the information so long as the information is kept by or for the Hospital.
We may deny your request for an amendment and if this occurs, you will be notified of the
reason for the denial. If you wish to make a request, you may obtain a request form from, or
submit your detailed request in writing, to the Health Information Management Services
Department. You must include your reasons for the request.
Accounting of Disclosures: You may request an accounting of disclosures. This is a list of
certain disclosures we made of your protected health information for purposes other than
treatment, payment or health care operations during any time period prior to the date of your
request provided: (1) the period does not exceed six years or include any date before April 14,
2003; and (2) disclosures made for treatment, payment, health care operations and certain other
limited purposes will not be included. If you wish to make a request, you may obtain a request
form from, or submit your detailed request in writing, to the Health Information Management
Services Department.
The first accounting you request within a 12-month period is free of charge. For additional
accounting(s), we may charge you for the costs of providing the accounting(s). We will notify
you of the cost involved in advance; you may choose to withdraw your request at that time
before any cost is incurred.
Request Additional Restrictions: You may request a restriction or limitation on our use or
disclosure of your protected health information for purposes of treatment, payment or health care
operations. You may also request a limit on your protected health information we disclose to
someone who is involved in your care or the payment for your care, like a family member or
friend. For example, you could ask that we not use or disclose information about a surgery that
you had. We are not required to agree to your request except if the restriction pertains to
payment or health care operations related to a service you have paid in full without any
Plan contribution. Even if disclosure is restricted, the Hospital may disclose if required
by law. If we do agree, we will comply with your request unless the information is needed to
provide you with emergency treatment. If you wish to make a request, you must submit your
detailed request in writing, to your care provider or to the Privacy Officer, or designee, using
the “Request to Restrict Use Or Disclosure of Protected Health Information” form
available at the Health Information Management Services department.
Request Confidential Communications: You may request that we communicate with you
about medical matters in a certain way or at a certain location. For example, you may ask that
we contact you at work or by U.S. Mail. We will accommodate reasonable requests for
confidential communications at alternative locations and/or via alternative means only if the
request is submitted in writing to your care provider or to the Privacy Officer and the written
request includes a mailing address where you will receive bills for services rendered by the
Hospital and related correspondence regarding payment for services. Please realize, we
reserve the right to contact you by other means and at other locations if you fail to respond to
any communication from us that requires a response. We will notify you in accordance with
your original request prior to attempting to contact you by other means or at another location.
A Paper Copy of This Notice: You may obtain a paper copy of this Notice, even if you have
agreed to receive this Notice electronically. You may request a copy of this Notice at any time.
You may also obtain a copy of this Notice at our web site www.elcaminohospital.org.
CHANGES TO THIS NOTICE
We reserve the right to change this Notice at any time and the revised Notice will be effective for
all of the protected health information we already have about you as well as any information we
receive in the future. The revised Notice will be effective for all protected health information that
we maintain as of the effective date of such revised Notice, even if we collected or received the
protected health information prior to the revised Notice’s effective date. The most current Notice
will be posted in the Hospital and will include the date of adoption. In addition, each time you
register at or are admitted to the Hospital for treatment or health care services as an inpatient or
outpatient, we will offer you a copy of the current Notice in effect. We will also post a copy of
the current Notice on our web site www.elcaminohospital.org.
COMPLAINTS
If you believe your privacy rights have been violated, you may file a complaint with the
Hospital’s Privacy Officer. To obtain information or be contacted by the Privacy Officer, or
designee, you may leave a message on the Corporate Compliance Hotline, or you may call
Administration at 650-940-7300. You may file a complaint by contacting the Secretary of the
U.S. Department of Health and Human Services. All complaints must be submitted in writing.
You will not be penalized for filing a complaint.
STATE SPECIFIC REQUIREMENTS
Many states, including California, have requirements for reporting including population-based
activities relating to improving health or reducing health care costs. Some states have separate
privacy laws that may apply additional legal requirements. If the California law is more stringent
than the federal law, the California law will govern.
PRIVACY OFFICER
The Hospital Privacy Officer, or designee, may be reached by dialing the main Hospital number
at (650) 940-7300. Or you can leave a message on the Corporate Compliance Hotline (650)
988-7733 for a return call from the Privacy Officer, or designee.
Attachment 1c - Business Associate Agreement - El Camino Hospital Sept 2013.docx
BN 14835735v2
HIPAA BUSINESS ASSOCIATE AGREEMENT
El CAMINO HOSPITAL
This HIPAA Business Associate Agreement (this “Agreement”) is effective as of the ___
day of _______ (the “Effective Date”), by and between ______________, a _______
___________ (“Contractor”) and El Camino Hospital, a California nonprofit public benefit
corporation (“ECH”; Contractor and ECH are referred to collectively as “parties” and
individually as a “party”). Terms used herein shall have the meanings assigned or referred to in
Schedule A of this Agreement.
RECITALS
A. Contractor and ECH have entered into that certain [INSERT TITLE OF
SERVICES AGREEMENT] (the “Services Agreement”) effective as of ________ __, _____,
pursuant to which Contractor has agreed to perform certain services for ECH (the “Services”).
B. In connection with the Services, ECH may need to disclose to Contractor, or
Contractor may need to create, receive, maintain or transmit on behalf of ECH, certain Protected
Health Information (“PHI”) and Electronic Protected Health Information (“Electronic PHI”).
ECH is a Covered Entity and, as a result of the Services Agreement, Contractor is a Business
Associate of ECH.
C. ECH and Contractor desire to enter into this Agreement to reflect their mutual
understanding of the use, disclosure and general confidentiality obligations of Contractor in
connection with the delivery of the Services, as well as for ECH and Contractor to comply with
(a) the requirements of the Administrative Simplification provisions of Title II, Subtitle F of the
Health Insurance Portability and Accountability Act of 1996, as amended by any other statute,
rule and/or regulation, including Division A, Title XIII of the American Recovery and
Reinvestment Act of 2009 (Pub. L. No. 111-5), otherwise known as the Health Information
Technology for Economic and Clinical Health Act (the “HITECH Act”), and the regulations set
forth in Title 45 of the Code of Federal Regulations (“45 C.F.R.”) Parts 160 and 164, subparts A
and E (the “Privacy Rule”), 45 C.F.R. Part 164, subparts A and C (the “Security Rule”) and the
HIPAA Omnibus Rule, 78 Fed. Reg. 5566-5702 (Jan. 25, 2013) (collectively, the “HIPAA
Rules”) and (b) other applicable laws including, but not limited to, (i) Confidentiality of Medical
Information Act of 1981, California Civil Code Sections 56 et seq. (General Patient Medical
Records); (ii) California Welfare & Institutions Code Sections 5328.6 and 5328.7 (Mental Health
Records); (iii) California Civil Code Section 1798.80 et seq. (Data Breach Notification); and (iv)
42 U.S.C. Sections 290dd-2 and 42 C.F.R. Part 2, Section 2.31 (Alcohol and Drug Abuse
Records) (together (b)(i) to (b)(iv) are referred to as “Other Privacy Rules”).
AGREEMENTS
NOW, THEREFORE, for adequate consideration as described in the Services Agreement
and this Agreement, the receipt and sufficiency which are hereby acknowledged by each party,
the parties mutually agree as follows:
1. Permitted Uses and Disclosures.
1.1 Permitted Uses. Except as otherwise limited by the terms of the Services
Agreement or this Agreement, Contractor may use or disclose PHI as necessary to perform the
Services set forth in the Services Agreement, as required by law, or [Insert any specific function
from the Services Agreement]__________.
1.2 Certain Further Disclosures. Contractor shall not use or further disclose PHI in a
manner that would violate 45 C.F.R. Part 164, subpart E if done by ECH, except that Contractor
shall be permitted to use and disclose PHI for the proper management and administration of
Contractor, and to carry out the Contractor’s legal responsibilities, provided that such
disclosure either is required by law or Contractor obtains reasonable assurances from the person
to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only
as required by law or for the purpose for which it was disclosed to the person, and the person
agrees to notify Contractor of any instances of which it is aware in which the confidentiality of
the PHI has been breached.
1.3 Certain Data Aggregation. Contractor may provide data aggregation services, provided that
Contractor has received ECH’s prior written authorization to provide data aggregation services,
and the purpose of such data aggregation is to provide ECH with data analyses relating to the
health care operations of ECH.
1.4 De-Identification. Contractor may de-identify PHI on behalf of ECH, provided that
Contractor has received ECH’s prior written authorization to de-identify PHI, and such
de-identification conforms to the requirements of the HIPAA Rules.
2. Required Uses and Disclosures. Contractor is required to disclose PHI as required by
law, or to report violations of law to appropriate federal and state authorities, consistent with
45 C.F.R. § 164.502(j)(1). Before Contractor makes such a disclosure, Contractor shall provide
ECH with three (3) business days’ advance written notice. ECH shall pay all of the costs and
expenses incurred by ECH in connection with any attempt to prevent disclosure or limit the
scope of any such disclosure, and Contractor agrees that it will cooperate with and not
unreasonably interfere with the actions ECH takes in connection therewith.
3. Prohibited Uses and Disclosures.
3.1 Further Use and Disclosure. Contractor shall not use or further disclose the PHI
other than as permitted or required by this Agreement, or as required by law.
3.2 Fundraising and Marketing. Contractor shall not use or disclose PHI for
fundraising or marketing purposes, unless Contractor obtains the prior written authorization of
ECH and such use or disclosure is consistent with the requirements of 45 C.F.R. §§ 164.514(f)
and 164.508(a)(3).
3.3 Certain Disclosure to Health Plans. Contractor shall not disclose PHI to a health
plan for payment or health care operations purposes if Contractor has received written notice
from the individual or ECH that the individual has requested this restriction and has paid out of
pocket in full for the health care item or service to which the PHI solely relates, as required by
45 C.F.R. § 164.522.
3.4 No Transfer for Remuneration. Contractor shall not directly or indirectly receive
remuneration in exchange for PHI, unless Contractor obtains the prior written authorization of
ECH.
3.5 No Offshoring. No PHI shall be transferred to, or stored on servers at, any
location outside of the United States.
4. Additional Obligations of Contractor.
4.1 Minimum Necessary. Contractor will, in its performance of the Services, make
reasonable efforts to use, disclose and request of ECH only the minimum amount of PHI
reasonably necessary to accomplish the intended purpose of the use, disclosure or request.
4.2 Information Safeguards. Throughout the term of this Agreement, Contractor shall
have in place appropriate administrative, technical and physical safeguards to protect the privacy
of PHI, and shall reasonably safeguard PHI (1) from any intentional or unintentional non-
permitted use or disclosure violative of the Privacy Rule and (2) to limit incidental uses or
disclosures made pursuant to an otherwise permitted or required disclosure.
4.3 Subcontractors and Agents. Contractor shall require its subcontractors and
agents, if any, to whom Contractor is permitted in writing by ECH to disclose PHI and whom
Contractor authorizes to receive, maintain or transmit PHI on behalf of Contractor, to provide
satisfactory assurances, as set forth in a written contract, that the subcontractor or agent agrees to
the same restrictions, conditions and safeguard obligations as apply to Contractor under this
Agreement. Contractor acknowledges that any failure of any subcontractor or agent of
Contractor to adhere to the requirements of this Agreement shall be deemed a breach of such
requirement by Contractor.
4.4 Compliance with Security Rule. Contractor agrees to implement appropriate
administrative, physical and technical safeguards to protect the confidentiality, integrity and
availability of any Electronic PHI that it creates, receives, maintains or transmits on behalf of
ECH. Contractor shall further (1) identify and respond to suspected or known security incidents;
(2) mitigate, to the extent practicable, the harmful effects of security incidents that are known to
Contractor; (3) document security incidents and their outcomes; and (4) report each security
incident and the aggregate number of security incidents to ECH, provided that such reports will
be provided only as frequently as the parties mutually agree, but no more than once per month.
4.5 Access. Contractor will, within ten (10) business days following ECH’s request,
make available to ECH or, at ECH’s direction, to an individual (or the individual’s personal
representative) for inspection and obtaining copies of, PHI about the individual that is in
Contractor’s custody or control, so that ECH may meet its access obligations under
45 C.F.R. § 164.524. If ECH instructs Contractor to respond on its behalf to a request for an
electronic copy of PHI, and the PHI that is the subject of the request is maintained by Contractor
electronically in one or more designated record sets, Contractor shall respond to such request in
accordance with 45 C.F.R. § 164.524(c)(2)(ii). Further, Contractor shall respond in accordance
with 45 C.F.R. § 164.524(c)(3)(ii) to requests for the transmission of copies of PHI to another
person designated by the requesting individual, if ECH instructs Contractor to respond on its
behalf to such request.
4.6 Amendment. Contractor will, upon receipt of written notice from ECH, promptly
amend, or at the request of ECH permit ECH access to amend, any portion of the PHI, so that
ECH may meet its amendment obligations under 45 C.F.R. § 164.526.
4.7 Record and Documentation of Disclosure. Contractor shall maintain a record of
and document all disclosures of PHI by Contractor permitted by the terms of the Agreement as
would be required for ECH to respond to a request by an individual for an accounting of
disclosures of PHI in accordance with 45 C.F.R. § 164.528. Such documentation shall include,
but not be limited to the date of the disclosure; the name and, if known, the address of the
recipient of the PHI; a brief description of the PHI disclosed; and the purpose of the disclosure or
a copy of the written request for disclosure, if any, under 45 C.F.R. § 164.502(a)(2)(ii) (relating
to a compliance investigation by the Secretary) or for one of the purposes set forth in
45 C.F.R. § 164.512. Contractor shall make such record available to ECH upon request.
4.8 Accounting. Within thirty (30) days of notice by or on behalf of ECH to
Contractor that ECH has received a request for an accounting of disclosures of PHI, Contractor
shall make available to ECH that information collected in accordance with Section 4.7 (“Record
and Documentation of Disclosure”) of this Agreement, to permit ECH to respond to the request
in accordance with 45 C.F.R. § 164.528.
4.9 Breach of Privacy Obligations. Contractor will report to ECH in writing any use
or disclosure of PHI not permitted by this Agreement, including the breach of unsecured PHI.
Unless a law enforcement delay applies pursuant to 45 C.F.R. § 164.412, Contractor will notify
ECH’s Privacy Officer not more than five (5) calendar days after Contractor discovers such non-
permitted use or disclosure, or breach of unsecured PHI. For purposes of this Agreement, a
breach of unsecured PHI is treated as discovered by Contractor on the first day on which such
breach becomes known to Contractor or, by exercising reasonable diligence, would have been
known to Contractor. Contractor shall be deemed to have knowledge of a breach if the breach is
known, or by exercising reasonable diligence would have been known to any person (other than
the person committing the breach) who is an employee, officer or other agent of Contractor. The
notification provided by Contractor shall include, to the extent possible, the identification of each
individual whose unsecured PHI has been, or is reasonably believed by Contractor to have been,
accessed, acquired, used or disclosed during the breach. Contractor shall also provide ECH with
any other available information that ECH is required to include under 45 C.F.R. § 164.404(c) at
the time of the notification or promptly thereafter as information becomes available.
4.10 Audit and Inspection. Contractor will make its internal practices, books, and
records relating to its use and disclosure of PHI and Electronic PHI available to ECH and to the
Secretary to determine compliance with the HIPAA Rules. Contractor acknowledges and agrees
that its failure to provide ECH with access to such records shall constitute a material breach of
this Agreement and shall subject this Agreement to termination by ECH under Section 6.2.
4.11 Other Privacy Rules. Contractor shall comply with the Other Privacy Rules.
5. Obligations of ECH.
5.1 ECH shall notify Contractor of any limitation(s) in the Notice of Privacy Practices
of ECH under 45 C.F.R. § 164.520, to the extent that such limitation may affect Contractor’s use
or disclosure of PHI.
5.2 ECH shall notify Contractor of any changes in, or revocation of, the permission
by an individual to use or disclose his or her PHI, to the extent that such changes may affect
Contractor’s use or disclosure of PHI.
5.3 ECH shall notify Contractor of any restriction on the use or disclosure of PHI that
ECH has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such
restriction may affect Contractor’s use or disclosure of PHI.
5.4 ECH shall not require Contractor to use or disclose PHI in any manner that would
not be permissible under 45 C.F.R. Part 164, subpart E if done by ECH, except as permitted in
Section 1.2.
6. Term and Termination of Agreement.
6.1 Term. This Agreement shall be effective as of the Effective Date. It shall
terminate when the Services Agreement terminates or as provided in this Agreement.
6.2 Right to Terminate for Cause. Either party may terminate this Agreement if it
determines, in its sole discretion, that the other party has breached any material provision of this
Agreement and the breaching party has not cured the breach within the time specified by the
non-breaching party. A party may exercise its right to terminate this Agreement by providing the
other party five (5) calendar days’ written notice of termination, stating the breach of this
Agreement that provides the basis for the termination. Any termination pursuant to this Section
6.2 will be effective immediately upon the expiration of such five (5) day period or at such
other date specified in the notice of termination and shall terminate the Services Agreement,
unless expressly agreed otherwise by the parties.
6.3 Breach Pattern or Practice by Agent or Subcontractor. If Contractor knows of a
pattern of activity or practice of its agent or subcontractor that constitutes a material breach or
violation of the subcontractor’s obligation under its contract or other arrangement with
Contractor, Contractor shall take reasonable steps to cure the breach or end the violation, as
applicable, and, if such steps are unsuccessful, terminate the contract or arrangement, if feasible.
6.4 Breach Pattern or Practice by ECH. Contractor shall provide written notice to
ECH of any pattern of activity or practice of ECH that Contractor believes constitutes a material
breach or violation of ECH’s obligations under the HIPAA Rules within five (5) business days of
discovery and shall meet with ECH to discuss and attempt to resolve the problem or end the
violation.
6.5 Amendment to Comply with Law. The Parties agree to take such action as is
necessary to amend this Agreement from time to time as is necessary to comply with the
requirements of the HIPAA Rules and any other applicable law, rules, or regulations that might
modify the terms and conditions herein.
6.6 Termination of this Agreement. Any and all rights of Contractor to use and
disclose any PHI as set forth herein shall terminate upon termination or other conclusion of this
Agreement. Any and all obligations of Contractor with respect to PHI shall continue for the
periods set forth in Section 6.7.
6.7 Obligations of Contractor Upon Termination.
6.7.1 Return or Destruction of PHI. Upon termination or other conclusion of
this Agreement, Contractor will (a) retain only that PHI which is necessary for Contractor to
continue its proper management and administration or to carry out its legal responsibilities;
(b) return to ECH or, if agreed to by ECH, destroy all PHI in whatever form or medium,
including all copies thereof and all data, compilations, and other works derived therefrom,
including any such works that allow identification of any individual who is a subject of PHI;
(c) require every subcontractor or agent to which Contractor has disclosed any PHI to return to
Contractor (so that Contractor may return it to ECH) or destroy all PHI in whatever form or
medium received from Contractor, including all copies thereof and all data, compilations, and
other works derived therefrom that allow identification of any individual who is a subject of PHI;
(d) certify on oath to Contractor that all such information has been returned or destroyed; and
(e) Contractor will complete these obligations as promptly as possible, but not later than sixty
(60) calendar days following the effective date of the termination of this Agreement.
6.7.2 Continuing Obligations of Contractor. For as long as Contractor retains
Electronic PHI pursuant to Section 6.7.1 above, Contractor shall continue to use appropriate
safeguards and comply with 45 C.F.R. Part 164, subpart C, to prevent any use or disclosure of
PHI other than as provided for in this Section 6.7.
6.7.3 Continuing Indemnification Obligation. Contractor’s obligations to
indemnify ECH and to protect the privacy and confidentiality of PHI, as provided in this
Agreement, will be continuous and will survive termination or other conclusion of this
Agreement or the Services Agreement.
7. Indemnification.
7.1 Indemnification of ECH. Contractor will defend, indemnify and hold harmless
ECH and its affiliates and each of their respective directors, officers, members, shareholders,
managers, partners, employees, agents, successors and assigns from and against any and all
claims, causes of action, suits, liabilities, demands, losses, damages, costs, proceedings or
expenses of all kinds, including costs, expenses, fines, amounts paid in settlements or judgments,
reasonable attorneys’ fees, witnesses’ fees, investigation expenses, and any expenses incident
thereto (collectively, “Losses”), arising out of or in connection with (a) any non-permitted use or
disclosure of PHI or breach of unsecured PHI by Contractor or any subcontractor or agent of
Contractor or (b) any breach of this Agreement by Contractor, or any breach by any
subcontractor or agent of Contractor of a business associate agreement with Contractor.
7.2 Indemnification of Contractor. ECH will defend, indemnify and hold harmless
Contractor and its directors, officers, shareholders, managers, partners, employees, agents,
successors and assigns from and against any and all Losses arising out of or in connection with
(a) any non-permitted use or disclosure of PHI or breach of unsecured PHI by ECH or any
subcontractor or agent of ECH or (b) any breach of this Agreement by ECH.
7.3 Indemnification Procedure. If any demand or claim is made or suit is commenced
against one of the parties (“Indemnitee”), written notice of such demand, claim or suit shall be
provided to the other party (“Indemnitor”), within three (3) business days of receipt. Failure to
give such notice within the time required shall not relieve Indemnitor of its obligations hereunder
except to the extent the failure of notice has prejudiced the defense of such claim. Indemnitor
shall defend a claim with counsel satisfactory to Indemnitee in Indemnitee’s reasonable opinion
and Indemnitee shall cooperate fully in such defense. No settlement by Indemnitor shall be
binding upon Indemnitee without Indemnitee’s prior written consent. Notwithstanding the
foregoing, if Indemnitor fails to assume its obligation to defend Indemnitee or if there is a
conflict of interest which prevents Indemnitor from assuming its obligation to indemnify
Indemnitee in accordance with this Section 7.3, Indemnitee may assume its own defense to
protect its interests and Indemnitor shall reimburse the Indemnitee on a monthly basis for any
expenses reasonably incurred by Indemnitee in connection with the investigation and defense of
any such claim.
8. Representations and Warranties of Contractor Regarding Electronic PHI Security
Standards. Contractor hereby represents and warrants to ECH that:
8.1 Administrative Safeguards. Contractor has, as of the Effective Date,
(a) implemented policies and procedures to prevent, detect, contain, and correct security
violations in accordance with the implementation specifications set forth at
45 C.F.R. § 164.308(a)(1)(ii); (b) identified a security official who is responsible for the
development and implementation of the policies and procedures required by 45 C.F.R. Part 164,
subpart C “Security Standards for the Protection of Electronic Protected Health Information” (the
“Electronic PHI Security Standards”); (c) implemented policies and procedures to ensure that its
employees, agents or representatives have appropriate access to Electronic PHI, in accordance
with the implementation specifications set forth in 45 C.F.R. § 164.308(a)(3)(ii) and the standards
set forth at 45 C.F.R. § 164.308(a)(4), and to prevent (in accordance with the implementation
specifications set forth in 45 C.F.R. § 164.308(a)(3)(ii)) its employees, agents or representatives
who should not have access under the standards set forth at 45 C.F.R. § 164.308(a)(4) from
obtaining access to Electronic PHI; (d) implemented policies and procedures for authorizing
access to Electronic PHI that are consistent with the requirements of 45 C.F.R. Part 164, Subpart
E “Privacy of Individually Identifiable Health Information” in accordance with the
implementation specifications set forth at 45 C.F.R. § 164.308(a)(4)(ii); (e) implemented a
security awareness and training program for all of its employees and agents (including its
directors and officers), in accordance with the implementation specifications set forth at
45 C.F.R. § 164.308(a)(5)(ii); (f) implemented policies and procedures to address “Security
Incidents” in accordance with the implementation specification set forth at
45 C.F.R. § 164.308(a)(6)(ii); and (g) established (and implemented as needed) policies and
procedures for responding to an emergency or other occurrence, including fire, vandalism,
system failure and natural disaster, that damages any system that may contain Electronic PHI, in
accordance with the implementation specifications set forth at 45 C.F.R. § 164.308(a)(7)(ii).
Contractor performs periodic technical and nontechnical evaluations in response to any
environmental or operational changes affecting the security of Electronic PHI, and Contractor
will use such evaluations to establish the extent to which Contractor’s administrative safeguards
meet the requirements of the Electronic PHI Security Standards.
8.2 Physical Safeguards. Contractor has, as of the Effective Date, (a) implemented
policies and procedures to limit physical access to its electronic information systems and the
locations in which such electronic information systems are maintained, in accordance with the
implementation specifications set forth at 45 C.F.R. § 164.310(a)(2); (b) implemented policies
and procedures that specify the proper functions to be performed, the manner in which those
functions are to be performed, and the physical attributes of the surroundings of a specific
workstation or class of workstation that can access Electronic PHI; (c) implemented physical
safeguards for all workstations that access Electronic PHI to restrict access to authorized users
only; and (d) implemented policies and procedures that govern (i) the receipt and removal of
hardware and electronic media that contain Electronic PHI into and out of a location, and (ii) the
movement of such Electronic PHI within each such location, in accordance with the
implementation specifications set forth at 45 C.F.R. § 164.310(e)(2).
8.3 Technical Safeguards. Contractor has, as of the Effective Date, (a) implemented
technical policies and procedures for electronic information systems that maintain Electronic
PHI to allow access only to those persons or software programs that have been granted access
rights as specified at 45 C.F.R. § 164.308(a)(4), in accordance with the implementation
specifications set forth at 45 C.F.R. § 164.312(a)(2); (b) implemented hardware, software, or
procedural mechanisms that record and examine activity in any information systems that contain
or use Electronic PHI; (c) implemented policies and procedures to protect Electronic PHI from
improper alteration or destruction, in accordance with the implementation specification set forth
at 45 C.F.R. § 164.312(c)(2); (d) implemented procedures to verify that a person or entity
seeking access to Electronic PHI is authorized to receive access to such Electronic PHI; and
(e) implemented technical security measures to guard against unauthorized access to any
Electronic PHI that is being transmitted over an electronic communications network, in
accordance with the implementation specifications set forth at 45 C.F.R. § 164.312(e)(2).
8.4 Policies and Procedures and Documentation Requirements. Contractor has, as of
the Effective Date, implemented reasonable and appropriate policies and procedures to comply
with the standards, implementation specifications or other requirements of the Electronic PHI
Security Standards, taking into account the factors specified at 45 C.F.R. § 164.306(b)(2)(i), (ii),
(iii) and (iv). Throughout the term of this Agreement, Contractor shall (a) maintain the policies
and procedures implemented to comply with the Electronic PHI Security Standards in written or
electronic form and (b) if an action, activity or assessment is required by the Electronic PHI
Security Standards to be documented, maintain a written or electronic record of the action,
activity, or assessment, in accordance with the implementation specifications set forth at
45 C.F.R. § 164.316(b)(2).
Page 27/395
BN 14835735v2 9
9. General Provisions.
9.1 Regulatory References. A reference in this Agreement to a section in the HIPAA
Rules means the section as in effect or as amended.
9.2 Data Ownership. Contractor acknowledges that it has no ownership rights with
respect to the PHI.
9.3 Confidentiality. Contractor shall cooperate with ECH to preserve and protect the
confidentiality of PHI accessed or used pursuant to the Agreement and shall not disclose or
testify about such information during or after the termination of the Agreement except as
required by law.
9.4 Amendment. Subject to the provisions of Section 9.6, below, the parties agree to
take such action as is necessary to amend this Agreement from time to time as is necessary for
compliance with the HIPAA Rules and any other legal requirement related to the use and
disclosure of health information.
9.5 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit
compliance with the HIPAA Rules. If any provision of this Agreement conflicts with the
provisions of the Master Service Agreement, the provisions in this Agreement shall be deemed to
control and such conflicting provision or part thereof shall be deemed removed and replaced with
the governing provision herein to the extent necessary to reconcile the conflict.
9.6 No Modification. No modification of this Agreement will be effective unless
made in writing and executed by a duly authorized representative of each party, except as
otherwise provided hereunder.
9.7 Assistance in Litigation or Administrative Proceedings. Contractor shall make
itself, and any subcontractors, employees or agents assisting Contractor in the performance of its
obligations under this Agreement, available to ECH at no cost to provide testimony in any
capacity in the event of litigation, administrative proceedings, or other legal action threatened,
commenced or contemplated against ECH, its directors, officers or employees based upon a
claimed violation of the HIPAA Rules or other federal or state law relating to security and
privacy, except where Contractor or its Subcontractor, employee or agent is a named adverse
party.
9.8 Audits; Inspection and Enforcement. Within ten (10) days of a written request by
ECH, Contractor and its agents or subcontractors shall permit ECH to conduct a reasonable
inspection of the facilities, systems, books, records, agreements, policies and procedures relating
to the use or disclosure of PHI pursuant to this Agreement for the purpose of determining
whether Contractor has complied with the terms and conditions contained herein. The fact that
ECH inspects, fails to inspect, or has the right to inspect does not relieve Contractor of its
responsibility to comply with this Agreement nor does it constitute acceptance of any practice,
modification of Contractor’s representations and warranties set forth in Section 8 or a waiver of
ECH’s rights under this Agreement. Contractor shall notify ECH in writing within ten (10) days
of receipt of any notice that Contractor has become the subject of an audit, compliance review, or
complaint investigation by the Office for Civil Rights or other similar state or federal agency.
9.9 Disclaimer. ECH makes no warranty or representation that compliance by
Contractor with this Agreement, the HIPAA Rules or any other state or federal security or
privacy law will be adequate or satisfactory for Contractor’s own purposes. Contractor is solely
responsible for all decisions made by Contractor regarding the safeguarding of PHI.
9.10 Counterparts; Facsimile/PDF Signatures. This Agreement may be executed in
two (2) or more counterparts, each of which shall be deemed an original and when taken together
shall constitute one (1) agreement. The parties agree that facsimile or PDF transmission of
original signatures shall constitute and be accepted as original signatures.
9.11 Notices. Any notices to be given hereunder shall be (a) in writing, (b) addressed
to the person and address set forth below (or to such other person or address as either party may
so designate from time to time), (c) deemed to have been given on the date of delivery if
transmitted by courier, or one (1) day following traceable delivery to a nationally recognized
overnight delivery service with instructions for overnight delivery if sent by such overnight
delivery service, and (d) transmitted by courier for hand delivery, or delivered by nationally
recognized overnight delivery service with instructions for overnight delivery:
If to Contractor:
Attn:
If to ECH: El Camino Hospital
2500 Grant Road
Mountain View, California 94040
Attention: CEO
9.12 Entire Agreement; Successors; and Assignment. This Agreement, the Services
Agreement and the attached Schedule constitute the entire understanding between the parties
with respect to the subject matter hereof. No party shall assign or otherwise transfer this
Agreement or any of its rights hereunder, or delegate any of its obligations hereunder, without
the prior written consent of the other party, provided that ECH shall be permitted, without the
consent of Contractor to assign or otherwise transfer this Agreement or any of its rights
hereunder: (a) upon the purchase or sale of all or substantially all of the assets or stock of ECH
or the transfer (by operation of law or otherwise) of the ownership or control of ECH, to the
purchaser of such assets or stock or the transferee of such interests or (b) to any affiliate of
Covered Entity. Subject to the foregoing, this Agreement and the rights and obligations set forth
herein shall inure to the benefit of, and be binding upon the parties, and each of their respective
successors, heirs and assigns.
9.13 Choice of Law. All issues and questions concerning the construction, validity,
enforcement and interpretation of this Agreement and the exhibits hereto shall be governed by,
and construed in accordance with, the laws of the State of California and the HIPAA Rules.
9.14 Joint Preparation. Each party (a) has participated in the preparation of this
Agreement; (b) has read and understands this Agreement; and (c) has been represented by
counsel of its own choice in the negotiation and preparation of this Agreement. Each party
represents that this Agreement is executed voluntarily and should not be construed against any
party solely because it drafted all or a portion hereof.
9.15 Severability. Whenever possible, each provision of this Agreement shall be
interpreted in such manner to be effective and valid under applicable law, but if any provision of
this Agreement is held to be invalid, illegal or unenforceable in any respect under any applicable
law or rule in any jurisdiction, such invalidity, illegality or unenforceability will not affect any
other provision in any other jurisdiction, but this Agreement will be reformed, construed, and
enforced in such jurisdiction as if such invalid, illegal or unenforceable provision had never been
contained herein.
9.16 Waiver. No waiver by any party, whether express or implied, of its rights under
any provision of this Agreement shall constitute a waiver of the party’s rights under such
provisions at any other time or a waiver of the party’s rights under any other provision of this
Agreement. No failure by any party to take any action against any breach of this Agreement or
default by another party shall constitute a waiver of a party’s right to enforce any provision of
this Agreement or to take any action against such breach or default or any subsequent breach or
default by the other party. To be effective any waiver must be in writing and signed by the
waiving party.
9.17 Survival. Section 6.7 (Obligations of Contractor Upon Termination), Section 7
(Indemnification), Section 9.3 (Confidentiality), Section 9.7 (Assistance in Litigation) and
Section 9.8 (Audits and Inspections) shall survive the termination of this Agreement.
IN WITNESS WHEREOF, the undersigned have caused this HIPAA Business
Associate Agreement to be duly executed and effective as of the Effective Date.
Contractor:
By:
Name:
Its:

ECH:
EL CAMINO HOSPITAL, a California nonprofit public benefit corporation
By:
Name:
Its:
Schedule A
1. The term “45 C.F.R.” has the meaning set forth in Recital C of this Agreement.
2. The term “Agreement” has the meaning set forth in the Preamble to this
Agreement.
3. The term “Business Associate” has the meaning set forth in 45 C.F.R. § 160.103.
4. The term “Contractor” has the meaning set forth in the Preamble to this
Agreement.
5. The term “Covered Entity” has the meaning set forth in 45 C.F.R. § 160.103.
6. The term “ECH” has the meaning set forth in the Preamble to this Agreement.
7. The term “Effective Date” has the meaning set forth in the Preamble to this
Agreement.
8. The term “Electronic PHI” has the meaning set forth in Recital B of this
Agreement.
9. The term “Electronic PHI Security Standards” has the meaning set forth in
Section 8.1 of this Agreement.
10. The term “HIPAA Rules” has the meaning set forth in Recital C of this
Agreement.
11. The term “HITECH Act” has the meaning set forth in Recital C of this
Agreement.
12. The term “Indemnitee” has the meaning set forth in Section 7.3 of this
Agreement.
13. The term “Indemnitor” has the meaning set forth in Section 7.3 of this
Agreement.
14. The term “Losses” has the meaning set forth in Section 7.1 of this Agreement.
15. The terms “party” and “parties” have the meaning set forth in the Preamble to this
Agreement.
16. The term “PHI” has the meaning set forth in Recital B of this Agreement.
17. The terms “Privacy Rule” and “Other Privacy Rules” have the meaning set forth
in Recital C of this Agreement.
18. The terms “Protected Health Information,” and “Electronic Protected Health
Information” (referred to in the Agreement as “PHI” and “Electronic PHI,” respectively) have
the meanings set forth in 45 C.F.R. § 160.103, limited to the information created, received,
maintained or transmitted by Contractor from or on behalf of ECH in connection with the
provision of the Services under the Services Agreement.
19. The term “Record and Documentation of Disclosure” has the meaning set forth in
Section 4.8 of this Agreement.
20. The term “Security Rule” has the meaning set forth in Recital C of this
Agreement.
21. The term “Services” has the meaning set forth in Recital A of this Agreement.
22. The term “Services Agreement” has the meaning set forth in Recital A of this
Agreement.
23. Other capitalized terms used but not defined herein shall have the respective
meanings given to such terms in the Privacy Rule or Security Rule.
23.1. The terms “electronic media,” “individual,” and “subcontractor” have the
meanings set forth in 45 C.F.R. § 160.103. The term “required by law” has the meaning set forth
in 45 C.F.R. § 164.103.
23.2. The terms “access,” “administrative safeguards,” “information system,”
“physical safeguards,” “security,” “security incident,” “security measures,” “technical
safeguards,” “user” and “workstation” have the meanings set forth in 45 C.F.R. § 164.304.
23.3. The terms “breach” and “unsecured PHI” have the meanings set forth in
45 C.F.R. § 164.402.
23.4. The terms “data aggregation,” “designated record set,” “health care
operations” and “marketing” have the meanings set forth in 45 C.F.R. § 164.501.
23.5. The term “de-identification” has the meaning set forth in the Standard in
45 C.F.R. § 164.514.
23.6. The term “use” means, with respect to PHI, the sharing, utilization,
employment, examination, analysis or application within Contractor.
23.7. The terms “disclose” and “disclosure” mean, with respect to PHI, the
release, transfer or providing access to or divulging to a person or entity not within Contractor or
ECH.
Date: September 16, 2013
To: Corporate Compliance/Privacy and Internal Audit Committee
From: Diane Wigglesworth
Re: Revisions to FY 2014 Committee Goals
Attached are the Governance Committee minutes from July 2, 2013 with recommendations
regarding committee goals. It was recommended that the Compliance Committee provide further
specificity for its metrics. The revisions made to the metrics in response to that recommendation
are highlighted in red and are submitted for review and approval.
Minutes of Special Meeting of the Governance Committee
July 2, 2013 Approved by the Committee on 9.3.13
Pending Board Review
EL CAMINO HOSPITAL
GOVERNANCE COMMITTEE OF THE BOARD
SPECIAL MEETING
Tuesday July 2, 2013
MINUTES
1. CALL TO ORDER/ROLL CALL
The Special Meeting of the Governance Committee of the Board of El Camino
Hospital (the “Hospital”) was called to order by John Zoglin at 5:30 pm on Tuesday,
July 2, 2013 in Conference Room A, El Camino Hospital, 2500 Grant Road,
Mountain View, California.
Roll call was taken. The Committee members present were John Zoglin, Julia
Miller, Gary Kalbach, and Mark Sickles. Cindy Murphy, Board Liaison, of El
Camino Hospital was also present. Pete Moran arrived at 5:45 pm. Patricia
Einarson, MD was absent. Executive Sponsor Tomi Ryba, CEO joined by telephone
conference call at 6:00pm, but was disconnected shortly after due to interrupted
cellular phone service.
2. CONFLICT OF INTEREST DISCLOSURES:
Mr. Zoglin asked if any Committee member had a conflict of interest regarding any
of the items on the agenda. No conflict was stated.
3. PUBLIC COMMENT:
There was no public comment.
4. CONSENT CALENDAR:
Action: A motion was made by Mr. Kalbach, seconded by Ms. Miller, and approved
by a vote of four committee members in favor, Mr. Moran and Dr. Einarson absent,
to approve the minutes of the June 4, 2013 Governance Committee meeting.
5. FY 2014 ALL COMMITTEE GOALS:
The committee members reviewed and discussed the FY 2014 Draft Goals submitted
by the Board Advisory committees. The members considered the committees’ stated
purposes, the specificity of the Draft Goals, the specificity of the metrics and the
timing of completion. The committee members also considered the status of
completion of the committees’ FY 2013 Goals and assessed whether or not the
committees’ Draft goals reflected a realistic volume of work. Finally, the committee
considered whether the Draft Goals reflected any gaps in coverage of oversight or
unnecessary overlaps between the committees.
Action: A motion was made by Mr. Kalbach seconded by Ms. Miller and approved
by a vote of five committee members in favor, Dr. Einarson absent, to recommend
the Board approve the Draft goals as submitted by the Board Advisory Committees
with the following recommendations for the committees and the Board to consider:
1. Corporate Compliance and Audit Committee – Further specificity for the metrics.
2. Executive Compensation Committee – Further depth and development for Draft Goals #5 and
#7.
3. Finance Committee – In general, concern with timing as no goal is paced to be completed until
Q3.
a. Draft Goal #1 – Goal should be more specific.
b. Draft Goal #2 – Change to “Review and monitor financial implications (profitability)
of new business proposals.”
c. Draft Goal #4 – Change to “Educate the Board re the Budget development process.”
Also, consider completing earlier - maybe in Q2.
4. Investment Committee – Draft Goal #5 - Change metric to: “Provide executive
summary/dashboard that includes performance against budget and benchmarks.”
6. Quality, Patient Care, and Patient Experience Committee –
a. Draft Goal #1 – Seems unintentionally broad. The Committee might consider adding a
phrase (noted in bold) to the end of the sentence: “Review the hospital’s organizational goals and
scorecard and ensure that those metrics and goals are consistent with the strategic plan and set at
an appropriate level as they apply to the Quality, Patient Care, and Patient Experience
Committee.”
b. While important to the functioning of the committee, Draft Goals #3 and #6 seem more
like committee management than committee goals and should be recorded as important, but
probably removed as overall goals.
7. The major IT project is not currently assigned to any specific committee. The Board might
consider discussing how this project should be addressed in 2014, e.g. Board level only, Board
ad hoc Committee, or one or two committees take the lead as we did last year around the
continuum of care discussions.
6. DRAFT REVISIONS TO THE CORPORATE COMPLIANCE
COMMITTEE (“CCAC”) CHARTER
The committee members discussed the draft revisions to the CCAC charter, noting
that the revisions were related to IT security, risk management, and policy oversight.
Action: A motion was made by Mr. Moran, seconded by Mr. Kalbach and approved
by a vote of five members in favor, Dr. Einarson absent, to recommend that the
Board approve the Draft Charter Revisions for FY 2014 as submitted by the CCAC.
Attachment 2b - Goals for Compliance Committee
Corporate Compliance/Privacy and Audit Committee
Revised Goals FY 2014
Purpose
The purpose of the Corporate Compliance/Privacy and Audit Committee (“Compliance and Audit Committee”) is to advise and assist the El Camino Hospital (ECH) Board of Directors (“Board”) in its exercise of oversight by monitoring the compliance policies, controls and processes of the organization and the engagement, independence and performance of the internal auditor and external auditor. The Compliance and Audit Committee assists the Board in oversight of any regulatory audit and in assuring the organizational integrity of ECH in a manner consistent with its mission and purpose.
Staff: Diane Wigglesworth, Director of Corporate Compliance
The Director, Corporate Compliance, shall serve as the primary staff support to the Committee and is responsible for drafting the Committee meeting agenda for the Committee Chair's consideration. Additional members of the executive team or outside consultants may participate in the Committee meetings upon the recommendation of the Director, Corporate Compliance, and at the discretion of the Committee Chair.
For each goal the table lists: Timeline by Fiscal Year (the timeframe applies to when the Board approves the recommended action from the Committee, if applicable); Metrics of Success; and Achieved (blank at the time of submission).

Goal 1: Review and evaluate the Hospital's proposed FY 2014 Internal Audit Work Plan, based on the current risk assessment, for recommendation to the Hospital Board.
Timeline: Q2 2014
Metric of Success: Committee reviews the FY 2014 Internal Audit Work Plan developed by staff in September and recommends the plan to the Board for approval at the October Board meeting.
Achieved:

Goal 2: Review the FY 2014 OIG Work Plan and evaluate the suitability of the Hospital's proposed response plan to the report.
Timeline: Q3 2014
Metric of Success: Committee reviews the Hospital's proposed response plan to the OIG Work Plan in December and recommends the plan to the Board for approval at the February Board meeting.
Achieved:

Goal 3: Develop ERM guidance for the Board on structure, reporting and governance oversight.
Timeline: Q3-Q4 2014
Metric of Success: Committee recommends a process for evaluation of ERM to the Board for approval not later than the May 2014 Board meeting.
Achieved:

Goal 4: Develop a process for oversight of new policies and changes to existing policies.
Timeline: Q4 2014
Metric of Success: Committee recommends a process for policy oversight to the Board for approval not later than June 2014.
Achieved:
Submitted by: John Zoglin, Chair, Corporate Compliance/Privacy and Compliance Committee Diane Wigglesworth, Executive Sponsor, Corporate Compliance/Privacy and Compliance Committee
Corporate Compliance Scorecard FY 2013
El Camino Hospital

Columns for each Key Performance Indicator: Status | Current Period Actual | Current Period Percentage | Prior Year YTD thru Period 12 Percentage | YTD thru Period 12 Actual | YTD thru Period 12 Percentage | Goal

Corporate Compliance Education (current period: June 2013; prior year YTD: Jul. - Jun. 2012; YTD: Jul. - Jun. 2013)
New employees receiving basic compliance training within 30 days of start date | J | 32 | 100% | 100% | 507 | 100% | 100%
New management receiving additional compliance training within 90 days of start date | K | 2 | 100% | 33% | 22 | 90% | 100%

Audits (current period: June 2013; prior year YTD: Jul. - May 2012; YTD: Jul. - Jun. 2013)
Internal Audits on Work Plan initiated within the agreed upon timetable | J | 0 | 100% | 100% | 12 | 100% | 100%
Internal Audit Corrective Action Plans implemented within agreed upon timetable | J | 19 | 100% | 85% | 50 | 100% | 95%

Hotline Reporting (current period: June 2013; prior year YTD: Jul. - May 2012; YTD: Jul. - Jun. 2013)
Hotline calls or reported compliance concerns responded to within 72 hours | J | 25 | 100% | 95% | 312 | 100% | 95%

Investigation (current period: June 2013; prior year YTD: Jul. - May 2012; YTD: Jul. - Jun. 2013)
Privacy breaches investigated and reported to CDPH within 5 days if appropriate | J | 4 | 100% | 99% | 25 | 100% | 100%
Regulatory/clinical issues investigated and reported to CDPH within 5 days if appropriate | J | 0 | 100% | 100% | 15 | 100% | 100%

Status legend: J = Meets goal; K = Within 10% of goal; L = Greater than 10% from goal
FY 2014 Internal Audit Work Plan
& Historical Audits
Prepared by: Diane Wigglesworth, Director Corporate Compliance
Executive Summary
An organizational full risk assessment was performed in May 2013 which considered a number of factors, including the current business environment, risks common to the healthcare industry, and the feedback received from key members of leadership and the compliance committee.
To further narrow the list of potential audits, compliance, along with executive leadership, selected those believed to have a strong focus on identifying one or more of the following:
• Issues that could result in significant adverse or financial impact.
• Incidents of non-compliance with regulations which could result in fines and impair the hospital’s reputation.
• Issues that the organization does not currently routinely monitor.
We structured the body of this report as follows:
• Risk Map – depicting the 26 highest rated risks based on assessment results and feedback, including identification of the risk areas covered by audit(s) planned for FY 2014.
• Work Plan – description of the objective of each audit, the ranking of the risk and projected timing.
• Risk Map of Completed Audits – detailing the key risks that were identified during past risk assessments and audited. Many of the risks were consistent from year to year as they are inherent to the industry and the hospital.
FY 2014 Risk Assessment & Internal Audit Work Plan

[Figure: FY 2014 risk map. Vertical axis: Importance (LOW to HIGH); horizontal axis: Likelihood (LOW to HIGH); the plot is divided into Quadrant 1 through Quadrant 4. Legend: one marker for risk areas covered by audit(s) planned for FY 2014; a second marker for risk areas for audits in subsequent years (unless new information or changes in circumstances raise the level of risk, warranting an earlier audit).]

The map depicts the 26 highest rated risks based on survey results and feedback from interviews. The risks are plotted based on their individual importance to the business along with the likelihood that issues and/or improvement opportunities currently exist. The 26 risk areas shown on the map are:
• Government Reimbursement on Devices
• Charge Capture and Verification
• Data Integrity and Governance
• Quality and Patient Safety
• Medicare Compliance
• Medical and LOS Management
• EHR Implementation Readiness
• IT Disaster Recovery
• Licensure / Accreditation
• ECH Policy Compliance
• Clinical Coding / Documentation
• Community Relations
• Strategic Planning and Budgeting
• IT Logical Security
• Physician Contracting
• HIPAA Compliance
• Pharmacy Operations
• Financial Controls
• ICD-10 Readiness
• CDM Accuracy / Maintenance
• HR, Benefits, and Compensation
• Clinical and Ancillary Services
• Medical Necessity Criteria
• Payer Contract Management
• Billing Accuracy on Transfers
• Duplicate Medical Records
Internal Audit Work Plan – FY 2014
Listed below is the proposed schedule of internal audits. The quadrant given for each audit designates where the related risk sits on the risk map. The "Report Presented to Committee" column was blank for every audit at the time this plan was prepared.

Duplicate Medical Records (Quadrant 1; proposed start July 2013)
Objective: Duplicate medical records occur when one patient is associated with more than one medical record number, and are often created erroneously as a result of inaccurate data entry. The audit will include a review of potential duplicate medical records existing in key clinical systems (HBOC & HPF) and a review of the effectiveness of internal controls for managing duplicate records.

Pharmacy Operations Review (Quadrant 2; proposed start September 2013)
Objective: Evaluate the internal controls around purchasing, receiving, storing and distributing outpatient pharmacy medications. Review inventory management regarding the maintenance and reverse distribution process for medication inventory, and reconcile revenue to expected receipts.

Warranty Replaced Manufacturer Device Billing (Quadrant 1; proposed start October 2013)
Objective: Evaluate whether the hospital is compliant with Medicare requirements for obtaining credits available from manufacturers for replaced medical devices and for reporting the appropriate billing codes and charges to reflect the credits received.

Clinical Coding/Documentation Accuracy (Quadrant 2; proposed start November 2013)
Objective: A coding validation would be performed to verify appropriate documentation in the medical record along with completeness and accuracy of MS-DRG assignment.

Billing Accuracy for Transfers (Quadrant 3; proposed start January 2014)
Objective: Validate accurate Medicare billing for an inpatient discharge when the patient is readmitted the same day to another hospital, unless the readmission is unrelated, the patient’s discharge is assigned to one of the qualifying DRGs, or the discharge is to home or a home health agency within 3 days after discharge.

Internal Control Over Financial Reporting (Quadrant 3; proposed start February 2014)
Objective: Test the internal controls that govern the financial reporting process. Validate processes around receivables, reconciliations, significant estimates/reserves, revenue recognition and other key income statement and balance sheet accounts or metrics.

Strategic Project Valuation Realization (Quadrant 2; proposed start April 2014)
Objective: The audit would include a look back at selected strategic projects that were approved by the ECH Board during the last two fiscal years and validate that the expected achievement of the strategic goals or return on investment for each approved project was realized.

Physician Contracting (Quadrant 1; proposed start May 2014)
Objective: Consistent with prior years, the objective of the review is to evaluate practices and processes surrounding physician contracting and review the effectiveness of internal controls to ensure proper documentation supports payments to physicians.
3 Year Summary of Completed Audits

[Figure: risk map of completed audits. Vertical axis: Impact to Business (LOW to HIGH); horizontal axis: Vulnerability (LOW to HIGH); the plot is divided into Quadrant 1 through Quadrant 4. Legend: FY 2013 Audits; FY 2012 Audits; FY 2011 Audits; Every Year.]

The map depicts the audits completed in FY 2011 thru FY 2013. The audits with the highest risk areas are shown in Quadrant 1 and generally include those risks that are inherently high for the industry or are a known concern to ECH. The audits shown on the map are:
• Release of PHI
• MS/DRG Coding
• Denials Mgmt & Reporting
• OR Charge Capture
• Financial Controls
• CDM
• Clinical Trials
• Physician Contracts
• Key Contracts - LPCH
• Revenue Cycle – Sr. Center
• District Insurance Program
• Business Continuity Mgmt.
• IT Vendor Performance Mgmt.
• Electronic Time and Attendance
• IT Asset Management
• Data Security Incident Management
• Inpatient Coding
• Radiology Revenue Cycle
• Accounts Payable
• BAA Contracts
• Vendor Policy
• Billing/Documentation
• CMS Billing
El Camino Hospital Fiscal Year 2014
Enterprise Risk Management Program Development Plan
Diane Wigglesworth, Director Corporate Compliance, 9/16/13
ERM Definition
• Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, creating a single view of all risks, designed to identify and anticipate potential events that may affect the entity, enhance risk response decisions, manage risk to be within its risk appetite, reduce operational surprises and losses and provide reasonable assurance regarding the achievement of entity objectives.
• When done correctly, the board of directors and management have reasonable assurance that they understand the extent to which the entity’s strategic and operations objectives are being achieved, and that the entity’s reporting is reliable and applicable laws and regulations are being complied with.
ERM Program Development Plan
Enterprise Risk Management Program Development: Diane Wigglesworth & ELT
Columns: Deliverables | September | October | November | Due to Board

1. Identify strategic, operational and regulatory goals or objectives that align with the Hospital's mission (annual and metric driven)
   Steps: Understand current status; draft to ELT; draft to Compliance Committee; revise as needed; 2nd draft due to Board.
2. Determine risk tolerance levels for each goal (Board philosophy and risk appetite)
   Steps: Draft to ELT; draft to Compliance Committee; revise as needed; 2nd draft due to Board.
3. Risk assessment & measurement (develop a process to identify external or internal risks to achieving objectives and determine impact)
   Steps: Understand current status; draft to ELT; draft to Compliance Committee; revise as needed; 2nd draft due to Board.
4. Risk response & action (Board & ELT to review risks and determine response: either avoiding, accepting, reducing or sharing risk)
   Steps: Understand current status; draft to ELT; draft to Compliance Committee; revise as needed; 2nd draft due to Board.
5. Risk monitoring & reporting (method of ongoing monitoring; establish roles and responsibilities)
   Steps: Draft to ELT; draft to Compliance Committee; revise as needed; 2nd draft due to Board.
ERM Program: Proposed Processes

PROCESS DEVELOPMENT CHECKLIST
Columns: (1) Goals/Objectives Set & Defined; (2) Risk Philosophy (tolerance levels) Developed; (3) Risk Assessment & Measurement Method; (4) Risk Response & Actions, Roles & Responsibilities Established; (5) Risk Monitoring

STRATEGIC GOALS
(1) Executive Sponsor: Tomi
(2) Levels developed in conjunction with planning cycle
(3) Approve method of assessment
(4) ELT reviews assessment; CEO suggests response to Board as needed
(5) Dir. Compliance reviews dashboard results with ELT & Compliance Board

OPERATIONAL GOALS
(1) Executive Sponsor: Mick/Mike
(2) Levels developed in conjunction with planning cycle
(3) Approve method of assessment
(4) COO or CFO reviews assessment and suggests response to ELT
(5) Dir. Compliance reviews dashboard results with ELT & Compliance Board

EXTERNAL AND REGULATORY REPORTING REQUIREMENTS (CMS, JCAHO, Meaningful Use/HITECH, etc.)
(1) Executive Sponsor: Mick & ELT (managers to identify existing and new requirements each year)
(2) Levels developed in conjunction with planning cycle
(3) Approve method of assessment
(4) COO, CFO & CIO review assessment and suggest response to ELT
(5) Dir. Compliance reviews dashboard results with ELT & Compliance Board

DELIVERABLE
(1) Targets identified; 3-year goal statement
(2) Set risk tolerance by type of goal; design business or clinical processes to effectively monitor and correct
(3) Identify external & internal risks to achieving objectives; determine impact; set measurement
(4) Management reviews risks and determines appropriate response: avoiding, accepting, reducing, or sharing risk; monitor mitigation strategies; responsibilities set
(5) Method of ongoing monitoring established; pacing of reports to Board