Corporate compliance plans. You have heard a lot about them, been to seminars, and read the trade press articles, but does your organization have one? If not, now is the time.
A corporate compliance plan is a program that can prevent and detect (inadvertent or intentional) violations of law. An effective plan demonstrates to the government that you have taken all reasonable steps to ensure that you and your employees comply with fraud and abuse rules. Think about it. That puts you several steps ahead if the government comes knocking at the door.
More than 2 years ago, the Office of Inspector General (OIG) issued the Compliance Program Guidance for Durable Medical Equipment, Prosthetics, Orthotics, and Supply Industry, which provided a blueprint for home care corporate compliance plans. Then, on December 28, 2000, Donna E. Shalala, then Secretary of the Department of Health and Human Services (HHS) published the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) in the Federal Register.
The Privacy Rule is the first comprehensive federal regulation regarding health information and implements the privacy requirements contained in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In plain language, it means your organization will now be legally responsible for patients' confidential medical information, and if an employee shares information about a specific patient and their health condition with someone else without that patient's permission, you could face fines and even jail time. The best way to protect yourself and your business is through a compliance plan that makes clear to employees what violates the Privacy Rule.
The Privacy Rule's compliance deadline is April 14, 2003. It sounds like a long time away, but because the rule has many implementation challenges, you should begin planning as soon as possible.
Know the Rules
The Privacy Rule, which emerged from HHS after it received over 50,000 comments, creates federal standards relating to the use and disclosure of protected health information (PHI), and patient rights to access and amend PHI.
PHI is individually identifiable health information that has been transmitted or maintained in any form or medium. The Privacy Rule makes all health information subject to its requirements, whether that information is in an electronic format, on paper, or even transmitted orally at the employee water cooler. It also applies to all patients, not just Medicare beneficiaries.
However, only health care providers that transmit PHI in electronic form in a covered transaction are covered entities. That means if you only submit paper claims to the patient's insurance carrier, you are exempt from the Privacy Rule.
Covered entities will face the following challenges as they begin to prepare for compliance:
- Developing policies and procedures to determine the minimum necessary information each department or job needs. You cannot use or share a patient's entire medical record without specific justification.
- Obtaining and tracking patient consent. With a few limited exceptions, you must obtain prior consent to use or disclose PHI for treatment, payment, or other health care operations. This consent may be combined with other types of legal permission, such as informed consent for treatment or consent to assignment of benefits forms, if the PHI disclosure consent is visually and organizationally separate from the rest of the information on the form and is separately signed.
- Obtaining authorization forms and assuring compliance with particular authorizations. The Privacy Standards require the patient to authorize all PHI uses and disclosures unconnected to treatment, payment, or health care operations.
- Reconciling multiple consent/authorization forms. A patient may end up signing multiple consent forms, particularly in situations where several providers in one setting treat him or her. If you are part of an organized health care arrangement, you may obtain a joint consent for use and disclosure of PHI. In cases of conflicting consents, use the more restrictive consent.
- Monitoring business associate relationships. The Privacy Standards require that covered entities ensure that their business associates (those who receive PHI in the course of providing services to a covered entity) use appropriate safeguards, by including requirements on how PHI will be handled in contracts with associates. Examples of business associates include consultants, auditors, and attorneys. You may need to review multiple relationships and monitor your business associates' compliance with the contracts' requirements to protect your business.
- Changing medical records maintenance. The Privacy Standards may alter how you maintain your medical records so that you can document compliance with the standards' minimum necessary information, PHI use and disclosure, and patient access requirements.
- Providing privacy policy notice. If you have a direct treatment relationship with a patient, you must notify the patient of your company's privacy practices in plain language by the date of the first service delivery (including services delivered electronically). The notice must also be available at the service delivery site for distribution upon request and posted in a prominent location.
- Meeting overall training requirements. You must complete training of your workforce on the Privacy Standards by April 14, 2003, the standards' compliance date.
- Responding to individual rights. Your patients have three basic rights under the standards. They are:
  - Accessing. They may request access to their PHI wherever it appears in a designated record set, and you must grant or deny the request within 30 days.
  - Amending. They may request that their PHI be amended, and you must either make the change or provide a basis for the denial.
  - Accounting. They may request an accounting of their PHI disclosures for a period of up to 6 years from the date of the request, and you must furnish the accounting within 60 days.
Rule Enforcement
HHS is responsible for investigating Privacy Rule violation complaints. These investigations can include a review of the covered entity's pertinent policies, procedures, or practices, and the circumstances regarding any alleged noncompliant acts or omissions. Covered entities are required to maintain such records as necessary for HHS to determine whether they are in compliance with the Privacy Rule, and must cooperate with an HHS investigation or compliance review.
The HHS Office for Civil Rights will enforce the rule. The Privacy Rule does not provide for civil suits by individuals who allege their PHI rights were violated, but it does include HHS penalties. HHS may punish knowing disclosure or obtaining of PHI done for malicious harm or personal or commercial gain with fines of up to $250,000 or prison terms of up to 10 years.
Compliance Management
Compliance plans and internal audits reduce the likelihood of potential law-breaking by clarifying to employees what is acceptable and legal. They enable management to detect early fraud or potential fraud, allowing you time to correct mistakes. They provide protection for the many gray areas of fraud and abuse regulations, such as the anti-kickback and physician referral rules. And they protect your company from allegations by former employees, where many OIG investigations originate.
Establishing a corporate compliance plan need not be a major initiative. Develop an implementation plan that will last at least a year. Identify which employees should be involved. Include billing, sales and marketing, delivery, and human resources. Implement the plan incrementally to fit your organization's budget needs. Avoid boilerplate policies. You are better off not having a corporate compliance plan than using a generic plan.
Once you develop policies, develop training materials. You should be able to use many of your existing training tools for the corporate compliance plan. Establish an ongoing training schedule, especially for billing staff.
Audit your plan. Ensure accountability and open communication. If you need help, seek the assistance of outside counsel. A successful and effective corporate compliance plan depends upon two critical items: accurate written policies and well-trained employees. Anyone with a government receivable needs to make compliance part of their company's culture and an integral part of the company's operation.
Cara C. Bachenheimer, JD, is a specialist in health care legislation, regulations, and government relations at Epstein, Becker & Green in Washington, DC. She has worked at the American Association for Homecare and the Health Industry Distributors Association, and often speaks on industry-related legislation. Contact her at (202) 861-1825 or cbachenheimer@ebglaw.com.