HCA 2300 Compliance Plan


COMPLIANCE PLAN OF A HEALTHCARE FACILITY 1

Compliance Plan of a Healthcare Facility

Studentka

Oakland Community College



CONTENTS:

Abstract
How Medical Compliance Plans Limit Liability
Basic Employee Standards of Conduct Relevant to Compliance
HIPAA Requirements
    • Patient Responsibility
    • Consent Forms
    • Informed and Implied Consent
    • Release of Patient Information
    • Use and Disclosure
Explain Ramifications of HIPAA Violations
Ten Course Terms
Work Cited

LIST OF ILLUSTRATIONS:

POLICY 6.5
FORM 6.5
POLICY 3.15
POLICY 11.7

Abstract

HIPAA (Health Information Portability and Accountability Act) was enacted on August 21, 1996 to improve the portability and accountability of health insurance coverage and to combat waste, fraud, and abuse in health insurance and healthcare delivery. Once HIPAA was set into law, the United States DHHS (Department of Health and Human Services) set about creating the first HIPAA Privacy and Security Rules (HIPAA Journal, 2017). The Privacy Rule was enacted on April 14, 2003, and it defined PHI (Protected Health Information), while the Security Rule was legislated on April 21, 2005 and presented three security safeguards: administrative, physical, and technical (HIPAA Journal, 2017). In order to better understand how HIPAA is applied to and used in compliance plans, I will explain how the medical compliance plan can limit liability; explain basic employee standards of conduct; concisely discuss release of patient information, consent forms, patient responsibility, informed and implied consent, and use and disclosure; and lastly clarify the consequences of HIPAA violations.



How Medical Compliance Plans Limit Liability


A medical compliance plan is a written document that complies with state and federal regulations. The main objectives of the compliance plan are to fight fraud and abuse within the medical practice through the support of policies and procedures. The policies and procedures (P&P) manual should be easily accessible for employees and employers to reference at any time. The P&P manual should be consistent, and the staff should have a good understanding of the basics as well as the parts that apply to their daily job duties. The P&P manual should include a code of conduct, a mission statement, and policies that demonstrate the effort and commitment of following the laws set in the facility. Medical compliance plans limit the internal risk of fraud and abuse by staff and encourage staff to stay within the guidelines for providing a quality standard of care. When or if fraud and abuse are detected in the workplace, a formal process should be initiated to investigate the issue.

POLICY 6.5
POLICY: Structuring a Compliance Plan
{Practice Name} has established the following guidelines for structuring a compliance plan:
1. Policy Statement or Code of Conduct: Compliance officers of {Practice Name} will
conduct orientation and training sessions for all employees and providers.
2. Purpose of the Plan: {Practice Name} will comply with all governmental agencies and
their laws and regulations as well as practice policies and procedures.
3. Implementation and Scope: {Practice Name} will select a compliance officer and
identify employees who are exposed to potential regulatory issues, to include medical
record personnel, front desk personnel, office administrator, and clinical employees,
and all third parties.
4. Compliance Standards and Procedures: {Practice Name} will address the potential for
risk and exposure and establish preventative measures to avoid them. Employees are
assured confidentiality for reporting possible noncompliance to the compliance officer.
5. Internal Auditing and Monitors: As an indication of {Practice Name}'s commitment to
compliance, an outside party will review its billing, coding, and documentation at least
annually.
6. Training Program: {Practice Name} will educate current and new employees relative
to both the practice-specific compliance program and compliance in general.
7. Discipline for Program Violators: {Practice Name} will ensure that all employees are
aware of the policy regarding potential violations of policies, standards, and regulations
that place the practice at risk for noncompliance.
8. The compliance plan will be developed by representatives of all segments of the
practice, to include administration, billers and coders, as well as the physicians, nurses
and technicians.
Policy 6.5: Structuring a Compliance Plan – Chapter 6 page 186

The policy set in place can be used to conduct an internal audit to determine if compliance is being met by the staff. Depending on the type of practice, an audit is conducted by the state, which has set disciplinary guidelines and will enforce standards that must be met. Civil monetary penalties (CMPs) may be applied in situations where a bill was rendered for a service that was not provided or for a service that was not medically necessary (Stanley, p.184). The CMPs will be further discussed later under ramifications of HIPAA violations. Next, employees should have access to a form to report suspected fraud and abuse. This type of form can be anonymous or named.

FORM 6.5
Report of Suspected Fraud and Abuse
Description of possible violation: _____________________________________________
When did it occur? Provide exact dates, if possible: _______________________________
Who was involved? _________________________________________________________
How did you come to learn of this incident? ______________________________________
Do you have any evidence? __________________________________________________
Would you be willing to discuss it further and if so, how may we contact you? __________
Have you discussed this with anyone else? ______________________________________
Are you aware of anyone else who might have information? ________________________
Date: _________
Name (optional): ________________________________
Signature (optional): __________________________________
Form 6.5: Report of Suspected Fraud and Abuse – Chapter 6 p. 187

After the accused and the incident have been investigated, disciplinary actions may be taken depending on the outcome, which include oral warnings, written reprimands, probation, demotion, temporary suspension, termination, and restitution of damages. An employer should designate a compliance officer who will be responsible for ensuring that regular reviews and updates of policies have taken place and are being communicated to and followed by the appropriate staff. The compliance officer should have some background in reimbursement/billing and coding in order to ensure the practice is following the accurate procedure codes and documentation of services provided. Having P&Ps in place is of the utmost importance in order to limit or avoid liability issues for the facility.

Basic Employee Standards of Conduct Relevant to Compliance


Every medical facility must function at the highest level of ethical standards, and employees are expected to conduct themselves according to the business's standards. A policy code of ethics should be incorporated into the Employee Handbook (Stanley, p.40).

POLICY 3.15
POLICY: Code of Conduct
{Practice Name} is committed to honest and ethical behavior, and to conducting our business
with integrity. The practice of behaving honestly, ethically, and with integrity is an individual
responsibility. Each person makes decisions daily about how to conduct him- or herself in
going about work tasks. Each one is accountable for the actions taken.
The Code of Conduct is a vital part of how {Practice Name} achieves its mission and
vision.
Employees of {Practice Name} who breach this code by violating company policy, by
failing to meet highest standards of behavior, and by diminishing the integrity of the practice
will be cause for corrective action and subject to dismissal.
Corrective action procedures are documented in the Policy: Corrective Action.
Policy 3.15 Code of Conduct – Chapter 3 page 41

Ethically speaking, the quality of healthcare is important not only to yourself but also to the healthcare recipients, colleagues, employers, regulators, and the general public. Behavioral conduct is vital for patient safety because, as employees, we are to advocate for processes that demonstrate and support a safe environment for the care of the recipient.



HIPAA Requirements
Patient Responsibility
Patients have rights and responsibilities, and it is the healthcare practice's obligation to provide the patient with this paperwork as well as to have it posted inside the facility. Patient rights can include, but are not limited to, the right to get a copy of their medical record and the right to have their medical record kept private. Patients also have the right to informed consent in treatments, the right to understand information about their health coverage and what the coverage will provide for the patient, and a right to a rational choice of providers as well as their provider options. Patient responsibility will include providing accurate and complete information about their health background, such as past illnesses, hospitalizations, surgeries, medications, and any information pertaining to their health.

Consent Forms
Consent forms are used to protect patients and healthcare providers against assault and battery in the form of unwanted medical care. Typically, informed consent is the best practice in order to protect the patient, but in emergency situations implied consent is the best route. When implied consent does lead to backlash and goes to the court system, most often when it is an emergency situation that presented a life-or-death state, the court ruling will more likely be in favor of the healthcare provider unless it caused a severe form of injury.

Informed and Implied Consent


Informed and implied consent from a patient or a patient's guardian or medical Power of Attorney (POA) regarding health care originated from a legal and ethical right. Patient autonomy is a legal obligation in all 50 states that represents the core of informed consent forms. It is essential for a practice to develop and implement P&P. When discussing what informed consent entails, it should be clear and allow for the following elements: patient diagnosis, if known; nature of the decision and proposed treatment or procedure; risks and benefits of the treatment or procedure; available and reasonable alternatives; relevant risks, benefits, and uncertainties with the alternatives; assessment of patient understanding; and acceptance of the intervention by the patient.

Implied consent would be a patient granting permission without the formal written agreement. Often this is experienced in an emergency situation, such as an elderly person being cared for by their children, who do not know their parent's wishes and consequently choose the best option for survival.

Release of Patient Information


Release of information (ROI) in healthcare is critical to the quality of the continuity of care provided to the patient (ahima.org). The Privacy Rule under HIPAA set national standards to create protection for individuals' personal information as well as their healthcare information. ROI has set boundaries for use and release of information while establishing safeguards for healthcare providers to achieve. It ultimately will hold any violator accountable with civil and criminal penalties when any misconduct has occurred against the patient's right to privacy.

Use and Disclosure


A key protection of the HIPAA Privacy Rule is based on the sound current practice that PHI should not be used or disclosed when it is not necessary or does not serve a purpose and necessary function. The minimum necessary standard is meant to enhance safeguards against inappropriate access to PHI, and it is important for a practice to implement its own policies and procedures to reflect positive business practices and workforce.

POLICY 11.7
POLICY: Access Rules
{Practice Name} has established access rules for granting access to protected health
information (PHI) through access to workstations, transactions, programs, processes, or
other mechanisms. Access authorization is the permission given to a person to have
specific access to information by the Practice Manager (PM), and it is required for any
new access and any change to access privileges. Access establishment and modification
is the technical process of creating the unique user access information. The access
protocols are as follows:
1. Business Office Access to Information Systems
    a. Job Function: Billing Clerk
        i. Application: Practice Management System
        ii. Views: Claims
        iii. Privileges
            1. Create
            2. Read
            3. Write
        iv. Access Internet
2. Scheduling/Registration
    a. Job Function: Registrar
        i. Application: Practice Management System
        ii. Views: Scheduling
        iii. Privileges
            1. Create
            2. Read
            3. Write
Policy 11.7: Access Rules – Chapter 11 Page 366

There are some circumstances that are not protected by the Privacy Rule, such as research and clinical trials. For instance, PHI may be used or disclosed for research under a waiver of the authorization requirement, as a limited data set with a data use agreement, preparatory to research, and for research on decedents' information (PrivacyRuleandResearch.nih). A practice is highly advised to notify its patients of this, which would be part of the in-depth Notice of Privacy Practices of the organization. De-identified health information, as described in the Privacy Rule, is not PHI and therefore is not protected by the Privacy Rule (PrivacyRuleandResearch.nih).

Explain Ramifications of HIPAA Violations


A HIPAA violation occurs when either a covered entity (CE) or business associate fails to comply with one or more provisions of the HIPAA Security, Privacy or Breach Notification Rules (hipaaone.com). The Office of Civil Rights (OCR) will try to resolve and guide the practice in fixing the areas that were issued a fine. A penalty can be issued in the amount of $100 to $50,000 per violation. There are four tiers in HIPAA violation penalty. The tiers range as follows: the CE did not know and could not reasonably have known about the breach; the CE knew or by exercising reasonable diligence would have known; the CE acted with willful neglect and failed to correct the problem within a 30 day time period; and the CE acted with willful neglect and failed to make a timely action of correction (hipaaone.com). A few factors that are considered are how many patients were affected, what data was exposed, and the length of time it was exposed.

10 Course Terms
1. Every patient has information in their medical record that makes the individual identifiable, so their file is protected health information, which should not be easily accessible for unnecessary reasons.

2. The doctor needed informed consent in order for the patient to go into surgery for removal of their lower left extremity.

3. A covered entity such as HIPAA has an obligation to protect certain health information unless otherwise determined.

4. The doctors need to record information for the charge capture, or they will not be able to send out bills for reimbursement from insurance companies.

5. The Electronic Clearing House allows electronic transfers, such as online billing, so patients can submit payments for their current bills.

6. Use and disclosure should have meaningful use, or else the patient information should not be easily accessible for any reason.

7. The doctor could not charge for the appointment's treatment and procedure because he did not provide an Advance Beneficiary Notice to the patient.

8. The health information technician learned the importance of unbundling in order to receive a maximized payment.

9. The practice management system allows for proper scheduling and coordination between physician and patient.

10. Without the resource-based relative value scale, CMS would not be able to determine how much money medical providers should be paid.



WORK CITED

HIM Body of Knowledge™. (n.d.). Retrieved from http://bok.ahima.org/

News and articles about HIPAA. (2017, October 18). Retrieved from
https://www.hipaajournal.com/

Privacy Policy. (n.d.). Retrieved from http://legal.hipaaone.com/privacyPolicy.html

Stanley, K. (2014). Policies and procedures for a successful medical practice. Chicago: American Medical Association.
