Practice Compliance Plan - Checklist
As a healthcare provider, you understand the importance of complying with the laws and regulations that govern your practice. You also know that compliance requires constant vigilance, training, and monitoring to protect your patients from harm. A compliance program has many elements, but one of the most important is a written plan that sets out what the practice will do and who is responsible for doing it.
Compliance with Civil Monetary Penalty Provisions
Civil monetary penalties (CMPs) are prescribed by statute and, in the healthcare context, assessed by the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) under the Civil Monetary Penalties Law for conduct such as submitting false or fraudulent claims, offering or paying kickbacks, and employing individuals excluded from federal health care programs. They are imposed on the specific individuals and entities responsible for the violation, not on a business sector or industry as a whole. Your compliance plan should identify the conduct that can trigger CMPs in your practice and the controls (claims review, contract review, exclusion screening) that prevent it.
Compliance with HIPAA Privacy and Security Standards (Including Notice of Privacy Practices)
The HIPAA Privacy and Security Standards, together with any applicable state law equivalents, apply to healthcare providers, health plans, health care clearinghouses, and the business associates that handle information on their behalf. These standards govern individually identifiable health information ("IIHI"), including:
- The use and disclosure of IIHI for treatment, payment, and operations;
- Providing patients with notice of privacy practices;
- Safeguarding IIHI through the Security Rule's administrative, physical, and technical safeguards for electronic protected health information ("ePHI"); and
- Reporting breaches of unsecured protected health information to affected individuals and to HHS.
Compliance with HIPAA Workforce Training Requirements
- The purpose of this requirement is to ensure that every member of the workforce has been trained on their responsibilities under HIPAA's Privacy, Security, and Breach Notification Rules.
- How to comply: Train every workforce member who handles, or could encounter, Protected Health Information (PHI) in the course of their duties. Training must cover the rules governing the use and disclosure of PHI under the Privacy Rule and the safeguards required by the Security Rule. Deliver it to new hires within a reasonable period after they join the workforce and again whenever your policies materially change. Where a role requires knowledge of specific provisions (handling patient access requests, for example), provide additional role-specific training, and document who was trained, on what, and when.
- What happens if you don't comply: Failing to train your workforce is itself a violation of the Privacy Rule's administrative requirements, and HHS's Office for Civil Rights can impose civil monetary penalties that are tiered by level of culpability and capped per calendar year for identical violations (the statutory cap is $1.5 million, adjusted annually for inflation). An untrained workforce also makes the underlying privacy and security violations far more likely. If you suspect a gap, seek advice from legal counsel or a compliance auditor before it surfaces in a complaint or an audit, because:
- Failing to train employees, or knowingly helping someone breach a patient's confidentiality, can result in criminal prosecution or civil liability, including claims from patients and family members harmed by the disclosure. Staff who do not understand how seriously these matters are treated put everyone involved at risk.
Oversight of Third Party Vendors
As you evaluate your current compliance program and identify gaps, consider third-party vendors as a potential source of fraud, abuse, and privacy risk. Healthcare organizations use vendors because they can offer services that are not available internally, or at lower cost than an in-house staff member. However, these relationships also introduce risk, because vendors are not subject to the same day-to-day oversight as employees, and many practices do not require their vendors to sign contracts that define their responsibilities and the standards of conduct expected of them.
To reduce these risks and increase transparency into how your organization interacts with third parties:
- Require every vendor conducting business on behalf of your organization to sign a contract that defines the relationship, the services provided, and the compliance obligations the vendor assumes; where a vendor creates, receives, maintains, or transmits PHI, that contract must include a HIPAA-compliant business associate agreement;
- Require that all contracts include appropriate indemnification language; and
- Screen vendors against the OIG exclusion list before engaging them and periodically thereafter, as you would a new hire.
Appropriate Use of Health Care Benefits as a Factor in Employment Decisions
Employers may not use an employee's health care benefits or claims history as a factor in employment decisions. Likewise, under the Genetic Information Nondiscrimination Act (GINA), employers may not use information about an employee's genetic tests or genetic services, or about whether the employee participates in a wellness program, when making employment decisions.
Educational Programs, Including Initial Training and Periodic Refresher Training
- Initial training for new employees
- Periodic refresher training for all employees
Training should include topics such as:
- Conflicts of interest (including financial, professional, and personal)
- Compliance with privacy laws
- Compliance with the federal fraud and abuse laws that carry civil monetary penalties, including:
  - The False Claims Act
  - The Civil Monetary Penalties Law (CMPL)
  - The Anti-Kickback Statute (AKS)
  - The Physician Self-Referral Law (the Stark Law)
  - The Health Insurance Portability and Accountability Act (HIPAA), including its Privacy, Security, and Breach Notification Rules
- Technical aspects of billing and coding services
Routine Audits, Internal Monitoring, and Investigations
Routine audits are periodic, planned reviews that test compliance with the practice's code of conduct, policies, and procedures (billing and coding accuracy, for example), while internal monitoring is the ongoing, day-to-day checking of controls, including those that enforce privacy and security standards. Internal investigations are opened when an employee reports suspected fraud or abuse, or when an audit or monitoring activity surfaces a problem, and their findings should feed back into corrective action and training.
A practice with appropriate training and policies to promote compliance will have less chance of issues arising.
- Compliance training is important.
- Policies and procedures are important.
- Designated compliance officers are important.
- Lines of communication are important, especially in the disciplinary enforcement process. That process requires the involvement of the designated compliance officer and clear communication with employees about how their job performance measures against compliance expectations and about their rights under the Code.
- Routine screening of new hires against the OIG List of Excluded Individuals/Entities (LEIE) and the GSA System for Award Management (SAM) is another way to promote compliance with the Code. It ensures that individuals who have been excluded from participation in federal health care programs cannot work at your practice, which matters because a practice that bills federal programs for items or services furnished by an excluded person can itself face civil monetary penalties. Repeat the screening periodically for existing staff and contractors, not only at hire.
Compliance is a vital part of being a healthcare provider and can help prevent an organization from being fined or having criminal charges brought against it.
Did we miss something? What is your practice's strategy for compliance?