HCA 2300 Compliance Plan
Studentka
CONTENTS:
Abstract
HIPAA Requirements
Patient Responsibility
Consent Forms
Work Cited
LIST OF ILLUSTRATIONS:
POLICY 6.5
FORM 6.5
POLICY 3.15
POLICY 11.7
COMPLIANCE PLAN OF A HEALTHCARE FACILITY 3
Abstract
HIPAA (Health Information Portability and Accountability Act) was enacted on August 21, 1996
to improve the portability and accountability of health insurance coverage and to combat waste,
fraud and abuse in health insurance and healthcare delivery. Once HIPAA was set into law, the
United States DHHS (Department of Health and Human Services) set about creating the first HIPAA
Privacy and Security Rules (HIPAA Journal, 2017). The Privacy Rule was enacted on April 14,
2003 and defined PHI (Protected Health Information), while the Security Rule, legislated
on April 21, 2005, presented three security safeguards: administrative, physical and technical
(HIPAA Journal, 2017). In order to better understand how HIPAA is applied to and used in
compliance plans I will explain how the medical compliance plan can limit liability, explain
basic employee standards of conduct, concisely discuss release of patient information, consent
forms, patient responsibility, informed and implied consent, use and disclosure, and lastly I will
regulations. The main objectives of the compliance plan are to fight fraud and abuse within the
medical practice through the support of policies and procedures. The policies and procedures
(P&P) manual should be easily accessible for employees and employers to reference at any
time. The P&P manual should be consistent, and the staff should have a good understanding of
the basics as well as the parts that apply to their daily job duties. The P&P manual should include
a code of conduct, mission statement, and policies that demonstrate the effort and commitment of
following the laws set in the facility. Medical compliance plans limit the internal risk of fraud
and abuse by staff and encourage staff to stay within the guidelines for providing a quality
standard of care. When or if fraud and abuse are detected in the workplace, a formal process
POLICY 6.5
POLICY: Structuring a Compliance Plan
{Practice Name} has established the following guidelines for structuring a compliance plan:
1. Policy Statement or Code of Conduct: Compliance officers of {Practice Name} will
conduct orientation and training sessions for all employees and providers.
2. Purpose of the Plan: {Practice Name} will comply with all governmental agencies and
their laws and regulations as well as practice policies and procedures.
3. Implementation and Scope: {Practice Name} will select a compliance officer and
identify employees who are exposed to potential regulatory issues, to include medical
record personnel, front desk personnel, office administrator, and clinical employees,
and all third parties.
4. Compliance Standards and Procedures: {Practice Name} will address the potential for
risk and exposure and establish preventative measures to avoid them. Employees are
assured confidentiality for reporting possible noncompliance to the compliance officer.
5. Internal Auditing and Monitors: As an indication of {Practice Name}'s commitment to
compliance, an outside party will review its billing, coding, and documentation at least
annually.
6. Training Program: {Practice Name} will educate current and new employees relative
to both the practice-specific compliance program and compliance in general.
7. Discipline for Program Violators: {Practice Name} will ensure that all employees are
aware of the policy regarding potential violations of policies, standards, and regulations
that place the practice at risk for noncompliance.
The policy set in place can be used to conduct an internal audit to determine if compliance is
being met by the staff. Depending on the type of practice, an audit is conducted by the state,
which has set disciplinary guidelines and will enforce standards that must be met. Civil
monetary penalties (CMPs) may be applied in situations where the service was not provided but
a bill was rendered, or where a service was not medically necessary (Stanley, p.184). The CMPs
will be further discussed later under ramifications of HIPAA violations. Next, employees should
have access to a form to report suspected fraud and abuse. This type of form can be anonymous
or named.
FORM 6.5
Report of Suspected Fraud and Abuse
Description of possible violation: _____________________________________________
When did it occur? Provide exact dates, if possible: _______________________________
Who was involved? _________________________________________________________
How did you come to learn of this incident? ______________________________________
Do you have any evidence? __________________________________________________
Would you be willing to discuss it further and if so, how may we contact you? __________
Have you discussed this with anyone else? ______________________________________
Are you aware of anyone else who might have information? ________________________
Date: _________
Name (optional): ________________________________
Signature (optional): __________________________________
Form 6.5: Report of Suspected Fraud and Abuse – Chapter 6 p. 187
After the accused and the incident have been investigated, depending on the pending outcome,
disciplinary actions may be taken, which include oral warnings, written reprimands, probation,
designate a compliance officer who will be responsible for ensuring regular reviews and updates
of policies that have taken place and are being communicated and followed by the appropriate
staff. The compliance officer should have some background in reimbursement/billing and coding
in order to ensure the practice is following the accurate procedure codes and documentation of
services provided. To have P&Ps in place is of the utmost importance in order to limit or avoid
policy code of ethics should be incorporated into the Employee Handbook (Stanley, p.40).
POLICY 3.15
POLICY: Code of Conduct
{Practice Name} is committed to honest and ethical behavior, and to conducting our business
with integrity. The practice of behaving honestly, ethically, and with integrity is an individual
responsibility. Each person makes decisions daily about how to conduct him- or herself in
going about work tasks. Each one is accountable for the actions taken.
The Code of Conduct is a vital part of how {Practice Name} achieves its mission and
vision.
Employees of {Practice Name} who breach this code by violating company policy, by
failing to meet the highest standards of behavior, and by diminishing the integrity of the practice
will be cause for corrective action and subject to dismissal.
Corrective action procedures are documented in the Policy: Corrective Action.
Policy 3.15 Code of Conduct – Chapter 3 page 41
Ethically speaking, the quality of healthcare is important not only to yourself, but also to healthcare
recipients, colleagues, employers, regulators and the general public. Behavioral conduct is vital for
patient safety, because as employees we are to advocate for processes that demonstrate and
HIPAA Requirements
Patient Responsibility
Patients have rights and responsibilities, and it is the healthcare practice’s
obligation to provide the patient with this paperwork as well as to have it posted inside
the facility. Patient rights include, but are not limited to, the right to get a copy of their
medical record and the right to have their medical record kept private. Patients also have
the right to informed consent in treatments, the right to understand information about
their health coverage and what the coverage will provide for the patient, and
a right to a rational choice of providers as well as their provider options. Patient
responsibility will include providing accurate and complete information about their health
Consent Forms
Consent forms are used to protect patients and healthcare providers against assault
and battery in the form of unwanted medical care. Typically, informed consent is the best
practice in order to protect the patient, but in emergency situations implied consent is the
best route. When implied consent does backfire and go to the court system, most often
in an emergency situation that presented a life or death state, the court ruling will
more likely be in favor of the healthcare provider unless it caused a severe form of injury.
Power of Attorney (POA) regarding health care originated from a legal and ethical right.
Patient autonomy is a legal obligation in all 50 states that represents the core of informed
consent forms. It is essential for a practice to develop and implement P&P. When
discussing what informed consent entails, it should be clear and allow for the following
elements: patient diagnosis, if known, nature of the decision and proposed treatment or
procedure, risks and benefits of the treatment or procedure, available and reasonable
alternatives, relevant risks, benefits, and uncertainties with the alternatives, assessment of
being cared for by their children who do not know their parents’ wishes, so the
continuity of care provided to the patient (ahima.org). The Privacy Rule under HIPAA set
their healthcare information. ROI has set boundaries for use and release of information
while establishing safeguards for healthcare providers to achieve. It ultimately will hold
any violator accountable with the civil and criminal penalties when any misconduct has
PHI should not be used or disclosed when it is not necessary or does not serve a purpose
against inappropriate access to PHI and it is important for a practice to implement their
own policies and procedures to reflect positive business practices and workforce.
clinical trials. For instance, under a waiver of the authorization requirement, as a limited data set
with a data use agreement, preparatory to research, and for research on the decedents’
of this which would be part of the in-depth Notice of Privacy Practices of the organization.
Although, de-identified health information, as described in the Privacy Rule, is not PHI, and
to comply with one or more provisions of the HIPAA Security, Privacy or Breach Notification
Rules (hippaone.com). The Office of Civil Rights (OCR) will try to resolve and guide the
practice in fixing the areas that were issued a fine. A penalty can be issued in the amount of $100
to $50,000 per violation. There are four tiers of HIPAA violation penalties. The tiers are:
the CE did not know and could not reasonably have known about the breach; the CE knew or by
exercising reasonable diligence would have known; the CE acted with willful neglect and failed
to correct the problem within a 30 day time period; and the CE acted with willful neglect and
failed to make a timely action of correction (hippaone.com). A few factors that are included are
how many patients were affected, what data was exposed and the length of time it was
exposed.
10 Course Terms
1. Every patient has information in their medical record that makes the individual
identifiable, so their file is protected health information, which should not be easily
2. The doctor needed informed consent in order for the patient to go into surgery for
3. A covered entity such as HIPAA has an obligation to protect certain health information
4. The doctors need to record information for the charge capture, or they will not be able to
5. The Electronic Clearing House allows electronic transfers, such as online billing, so
6. Use and disclosure should have meaningful use or else the patient information should
7. The doctor could not charge for the appointments treatment and procedure because he
9. The practice management system allows for proper scheduling and coordination between
10. Without the resource-based relative value scale, CMS would not be able to determine
WORK CITED
News and articles about HIPAA. (2017, October 18). Retrieved from
https://www.hipaajournal.com/