Open Accessibility Menu
Hide

Corporate Compliance

The laws and rules that apply to the delivery of healthcare can be complex and confusing; therefore, we have established a compliance program to assist with the understanding and implementation of those laws and rules.

Susan Wade, Vice President and Compliance Officer 325-670-2844
Brad Thompson, Director of Risk Management, Corporate Compliance and Patient Experience
325-670-3177

To anonymously report an actual or potential compliance concern you can call the Compliance Hotline at 325-670-7676 or toll free at 877-445-7987

Medical Record Management

It is vital to patient care and compliance with Federal and State law that medical records contain current and accurate documentation. If you knew or should have known that the submitted claim was false, then the attempt to collect unearned money constitutes a violation.

Examples:

  • An endocrinologist billed routine blood draws as critical care blood draws. He paid $447,000 to settle allegations of upcoding and other billing violations.
  • A cardiologist paid $435,000 and entered into a 5-year Integrity Agreement with OIG to settle allegations that he knowingly submitted claims for consultation services that were not supported by patient medical records and did not meet the criteria for a consultation.

Anti-kickback

The fraud and abuse laws prohibit knowingly and willfully offering, paying, soliciting or receiving any money gifts, kickbacks, bribes, rebates or any other type of value or services in exchange for the referral of patients for which payment may be made by the federal or state government.

Examples:

  • Free or significantly discounted billing, nursing care, rent or other staff services
  • Payment for services in excess of Fair Market Value
  • Payment or other type of incentive when a patient is referred to Hendrick

Physician Self-Referral Act (“Stark Law”)

The federal Stark Law prohibits a physician from referring a Medicare or Medicaid eligible patient for the provision of Medicare or Medicaid payable designated health services by an entity with which the referring physician has a financial relationship, unless a permitted exception applies.

Examples:

  • Leasing medical office space for less than Fair Market value
  • Hospital and physician operate without a current written Service Agreement

Fraud, waste and abuse

Violation of federal and state laws concerning fraud and abuse can result in significant criminal and civil penalties, including imprisonment, fines, and damages. You must be vigilant in avoiding any conduct that could violate or even appear to violate these laws.

Examples:

  • Claiming reimbursement for items or services that were not provided as claimed
  • Failing to maintain sufficient documentation to establish that the services were ordered and performed

HIPAA

HIPAA is the United States Health Insurance Portability and Accountability Act of 1996. There are two sections to the Act. HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs. HIPAA Title II includes an administrative simplification section which deals with the standardization of healthcare-related information systems. In the information technology industries, this section is what most people mean when they refer to HIPAA. HIPAA establishes mandatory regulations that require extensive changes to the way that health providers conduct business and focuses on protecting PHI (Protected Health Information) such as patient names, diagnosis, addresses, birth dates or medical record numbers.

Examples

  • You have just left the office, and your nurse texts you that Mr. Smith is having a reaction to the medication you’ve just prescribed. Texting PHI without appropriate security is a significant risk. However, Hendrick offers software that allows physicians to securely receive and send messages.
  • Being overheard discussing PHI. Whether it’s leaving a detailed message on a patient’s answering machine or discussing test results with a patient in the waiting room, be aware of who else may be listening to your voice. Train your staff not to leave PHI in phone messages and not to discuss it within earshot of other patients or non-staff visitors. Encourage the use of private rooms for health discussions with patients as well as phone conversations that could involve PHI.
  • Encryption. The best way to protect devices such as thumb drives, tablets, and laptops from a breach is to have an IT professional encrypt the device. If the device is lost or stolen, this process makes it very difficult for an unauthorized person to access the data. When encrypted, a lost or stolen device does not have to be reported to the government as a breach of unsecured equipment—because you it was secured through encryption.

Social Media

When using social media consider the following guidelines to ensure you do not violate HIPAA regulations.

  • While you may be concerned about seeming unfriendly, limiting your social media interactions to friends and family members is prudent. This will protect you from having patients ask questions regarding their personal health on a public forum and help you to avoid disclosing the names of patients you treat.
  • Avoid talking about patients, even in general terms. Even if disclosure of PHI is unintentional it is still a violation of HIPAA.
  • Avoid posting photos of patients or anything that could be used to identify them (notes, lab results, etc.)
  • Periodically check your privacy settings, as they can change.
  • Never post anything that you would be uncomfortable reading re-printed in the newspaper. This can be a helpful test to take before you hit the ‘send’ button.

Examples:

  • An obstetrician vents her frustrations on her online blog, ridiculing the patients giving birth. Although the physician did not use patient names or any other identifying information in her post, two of the patients recognized themselves in the blog due to the detailed nature of the post and filed HIPAA complaints against the doctor and the practice.
  • An ED physician in Rhode Island was fired, lost her hospital medical staff privileges, and was reprimanded by the Rhode Island Board of Medical Licensure and Discipline for posting information about a trauma patient on her personal Facebook page. According to the Rhode Island Board of Medical Licensure and Discipline, “[She] did not use patient names and had no intention to -reveal any confidential patient information. However, because of the nature of one person’s injury … the patient was identified by unauthorized third parties. As soon as it was brought to [her] attention that this had occurred, [she] deleted her Facebook account.” Despite the physician leaving out all information she thought might make the patient identifiable, she apparently did not omit enough.