Implemented September 2021

Compliance, Risk, Research, and OSHA Safety Team

Carolyn Coward- Chief Compliance OfficerKristen Bernero- Director, Risk & Patient Safety

Lindsey Altsheler- Manager, Risk and Patient SafetyDeborah Durbin- OSHA Healthcare Safety ManagerLeslie Laughrun- Administrative Director, Research

Rebecca Burrell- Compliance Coordinator

All about Compliance

What is a Compliance Program? Ensures compliance with the requirements of federal, state, and private payer

health care programs (Medicare, Medicaid) Ensures compliance with state and federal laws, rules, and regulations Oversees the prevention, detection, and resolution of instances of unethical

conduct Identifies and corrects weaknesses within the organization Provides education to employees, affiliates, students, and interns Conducts regular auditing and monitoring of processes to assess compliance Incorporates policies and procedures to provide prompt and thorough

investigations regarding perceived noncompliance Supports the development of immediate and appropriate corrective action plans

Why have a Compliance Program? It’s the right thing to do!

It’s mandated by the Federal government and the Office of Inspector General (OIG)

It outlines what workforce members need to know to comply with Federal and State laws, specifically with Medicare and Medicaid

To prevent, detect, and correct any wrongdoing

To mitigate risks to our organization

Our Compliance Program was implemented on 12/18/2002

What are the Key Elements for Standards of Conduct?

1. Compliance with the Law2. Anti-Kickback Statute, STARK and Anti-Trust3. Billing and Coding Standards4. Conflicts of Interest5. Confidentiality of Patient Information6. Environmental Health and Safety7. Asset Protection

Confidentiality:Not Just for Patients

MAHEC personnel have the responsibility to keep identifiable and financial information confidential for all persons who:

Visit and attend classes or seminars Attend appointments Participate in research studies or surveys or; Who come to MAHEC for clinical and/or administrative training

What happens at MAHEC, stays at MAHEC!

Confidentiality Statement

Given to employees, students, interns, and affiliates to sign when onboarding

I agree that I will NOT access my own and/or family members PHI, which includes billing information

I agree that I will not discuss patient or MAHEC business information with unauthorized persons

Do you have access to Allscripts or Dentrix? Access is restricted to authorized personnel via user login and passwords. Access within the Allscripts

Electronic Health Record (EHR) and Dentrix is restricted based on job title and need.

EHR and Dentrix user activity is monitored 24/7 by a software system called Protenus.

By using your login ID and password, you are certifying you are the person you say you are.

Allowing someone else to access, view and/or modify a patient’s record using your login and password is PROHIBITED and a VIOLATION of MAHEC’s security policies.

You are responsible for all activity under your login.

Copyright Law The copyright law protects “original works of authorship” that are fixed in a tangible form of expression Copyright is a legal protection that applies when no licenses are in place. Adherence to copyright rules and guidelines is the responsibility of each employee, student, affiliate, and intern.

What does Copyright law Protect?• Literary works• Musical, Dramatic, and Choreographic works• Pictorial, Graphic, and Sculptural works• Architectural works• Sound Recording• Motion Pictures and other Audiovisual works

What is not Protected under Copyright law?• Works that have not been fixed in a tangible form of expression, and works in the public domain

Please visit https://mahec.libguides.com/copyright or reach out to a MAHEC Librarian for any questions

All About HIPAA

What is HIPAA?

The most misspelled acronym in healthcare Health Insurance Portability and Accountability Act of 1996 Established to set national standards for health care transactions and code

sets, unique health identifiers, and security Intended to improve the health care system Includes the Privacy Rule, Security Rule, Enforcement Rule, Omnibus Rule,

HITECH Act, and Breach notification Rule

What are Rules? Things you don’t break Privacy Rule- WHAT TO PROTECT

Protects individually identifiable health information (PHI or ePH) Security Rule- HOW TO PROTECT

Sets standards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI) Enforcement Rule- WHAT HAPPENS IF YOU DONT

Contains provisions for compliance and investigations, imposition of civil money penalties for violations, and procedures for hearings

Omnibus Rule/ HITECH Act- ADDED TO INCLUDE AND SET STANDARDS FOR BUSINESS ASSOCIATES Implements several provision to the HITECH Act A part of the American Recovery and Reinvestment Act of 2009 Strengthens privacy and security for health information

Breach of Notification Rule- TELL ON YOURSELF Requires covered entities and their business associates to report breaches of unsecured PHI or ePHI

Privacy Rule Established national standards to protect medical records and PHI Applies to health plans, health care clearing houses, and health care providers

that conduct electronic health care transactions Requires all “workforce members” to receive initial and annual HIPAA training Requires administrative safeguards to protect PHI Set limits and conditions for the disclosures and use of PHI Gives patient’s rights over their health information

Students, interns, and affiliates are considered “workforce members” in the eyes of HIPAA

Security Rule Requires Administrative, Physical, and Technical safeguards for protecting

ePHI Requires yearly risk assessments Requires written policies and procedures to be created, implemented, and

reviewed Requires workforce training

This is why we have passwords, encryption, yearly risk analysis, HIPAA training, and workforce sanctions, and self monitoring measures like Protenus

What is PHI? Protected Health Information Name Dates (DOB, DOS, DOD, admission

date, discharge date, and exact age if over 89)

Social Security Number (SSN) Medical Record Number (MRN) Address Contact numbers (home, cell, work,

or fax) Email address

Health Plan beneficiary numbers Certificate or license numbers Any photo (not just the face) Web URL IP Address Finger or voice print Vehicle identifiers, serial numbers,

and license plate numbers Any other unique identifier or health

information that could identify who the patient is

What do I do when a HIPAA Violation or Breach Occurs?

Notify your supervisor Create an incident report

Incidents are reported through the MAHEC Intranet (if you have access)

If you do not have access to the MAHEC intranet, yoursupervisor will need to make the incident report for you

ORYou can reach out to Compliance at 828-257-4724 to report an incident

Compliance will conduct an investigation once the report is made. You may need to be interviewed as a part of the investigation process

HIPAA Questions? We’ve Got Answers!We are here for you!

Carolyn Coward- Chief Compliance Officer- 828-257-4409Rebecca Burrell- Compliance Coordinator-828-257-4724

Kristen Bernero- Director, Risk & Patient Safety- 828- 257-4415

Compliance Assistance Line- 257-4428Anonymous email to ChiefComplianceOfficer@mahec.net

(Access through the MAHEC Intranet dashboard)

All Compliance policies can be found on the MAHEC Intranet under the Corporate Compliance department. Please ask you supervisor about MAHEC policies if you do not have access to the intranet.

What is Research?“A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge”

How are Human Research Subjects Protected?Articulated in the “Common Rule”, the Federal Policy for the Protection of Human Subjects adopted by many Federal agencies in 1991.

https://www.hhs.gov/ohrp/regulations-and-policy/regulations/common-rule/index.html

Who is/are Research Participants/Human Subjects?

“A living individual about whom an investigator (whether professional or student) conducting research: (i) Obtains information or biospecimens through intervention or interaction with the individual, and, uses studies, or analyzes the information or biospecimens; or (ii) Obtains, uses, studies, analyzes, or generates identifiable private information or identifiable biospecimens”

If for the purpose of a research study… Then…A researcher:

The research likely involves human subjects

• Interacts with a living individual• Asks them to take part in an intervention• Manipulates their environment• Collects identifiable information about them

The phrase ‘about whom’ is important. A human subject is the person that the information is about, not necessarily the person providing the information. Below are some examples to review to understand this.

If… Then…A researcher gathers information about newborns by asking mothers questions only about the babies

Only the babies are the human subjects

The researcher asks for information only about the mothers

Only the mothers are human subjects

The researcher asks the mothers what they think about their babies’ behavior

Only the mothers are human subjects

The researcher asks the mothers how the babies behave and what the mothers think about their babies’ behavior

Both are human subjects

Who Assures that Researchers Follow Federal Rules and Ethical Guidelines?

Office for Human Research Protections (OHRP)Part of US Department of Health and Human Services (DHHS)

Primary duty is the implementation of 45 CFR 46

Sets Regulations for Institutional Review Boards (IRBs)

What is an IRB? Institutional Review Boards (IRBs): Committee of members

with various backgrounds who review research studies to ensure they meet requirements for protection of human subjects.

Provide “determinations” back to the research teams.

Their main focus is to make sure that human subjects are being protected!

The Privacy Rule and Research The Privacy Rule is a part of the Health Insurance Portability and Accountability Act of 1996

(HIPAA)

Established the conditions under which Protected Health Information (PHI) may be used or disclosed by covered entities for research purposes

Established the means for how individuals will be informed of the uses and disclosures of their medical information for research purposes

The Rule allows researchers to obtain, create, use, and/or disclose individually identifiable health information.

Permits covered entities to use and disclose protected health information for research with or without the individual’s authorization (it depends!).

When is an Authorization NOT Required?

To use or disclose protected health information without authorization by the research participant, one of the following must apply:

Documented IRB or Privacy Board approval Data that is “Preparatory to Research” (e.g., data required in order to prepare a

research protocol to submit to an IRB) Research on PHI of Decedents: authorization required up until the 50th

anniversary of the person’s death Limited or De-identified Data Sets with a Data Usage Agreement

Who are Research Participants at MAHEC?How do we Protect Human Subjects at MAHEC?

Research at MAHEC may include any combination of MAHEC patients, non-patients, employees, learners, community members, etc.

Everyone at MAHEC has a responsibility to protect human subjects and their information. This is along the same lines as how MAHEC employees need to continuously protect patient health information!

Key Concepts: Health and/or research data sharing?

Data can only be shared with people listed on an IRB application (it's easy to add new people to the IRB as needed)

"Shared" means anyone the data are disclosed to: includes data viewing and is not limited to data transfers.

Some data can only be viewed and analyzed on secure platforms, this is the case with most Mission/HCA clinical data that researchers use in studies. People with access to raw data often need to agree to many stipulations and their work can be continuously audited.

Do not ever take a picture of such data on these secure platforms. Avoid using any kind of “snipping tool”. This is a common serious mistake made by researchers.

Additional steps are required if you hope to share data outside of MAHEC. You may need to engage in a formal “Data Use Agreement (DUA) with other organizations (like UNC Chapel Hill – Templates exist!).

These policies apply to both identified and de-identified data

Unapproved data sharing is a HIPAA/research compliance violation and must be reported to the MAHEC Compliance/Privacy Office

Key Concepts: Data Sharing continued

How to Work with Data Responsibly Don't share or show data to anyone

not participating in the project or on the IRB approval (as indicated)

Remember dates of birth and services, pictures, and 5 digit zip codes are PHI

Don't share research data via cell phone (e.g., texting images) or web conferencing tools

Don't remove data from the approved storage location

Don't store data on your local machine, non-encrypted USB, or on any unapproved Cloud-based services (no Google docs!)

Don't email research data, even within MAHEC

Don't reuse data for another study Don't delay in reporting unauthorized

data disclosure or misuse Any unapproved use or data sharing

should be reported to the IRB and Compliance office right away

Research Questions? We’ve Got Answers!

• Research Department:• research@mahec.net

• Compliance Office: • Rebecca Burrell 828-257-4724• Kristen Bernero 828- 257-4415

• IT Security Officer: • ITHelpdeks@mahec.net

We are all here to help you!

All About Risk Management

Risk Management 101 Risk Management’s role is to protect the

organization’s assets

Healthcare Risk Managers focus on reduction of harm to patients, staff members, and visitors within the organization

Risk Managers work to prevent incidents from occurring and to minimize the damages following an event

Risk Management

Operational

Clinical/ Patient Safety

Strategic

Financial

Human Capital

Legal/Regulatory

Technology

Hazard

Our role is to provide support and act as a resource for…YOU!

Ask us for help with: Documentation in the EHR Difficult patients or family members Safe practice recommendations Legal questions or concerns Disclosure of errors Any other questions or concerns – We’re here for YOU!

Risk Management @ MAHEC

Reporting An Incident To submit an Incident Report:

Log on to the MAHEC Intranet (mahec.net/intranet)

Look for Iris on the main dashboard Click on “I want to report an incident”

If you do not have access to the intranet, please report incidents to risk@mahec.net

Risk Management Wants to Know if…You Receive: A Subpoena or Court Order A Civil Summons/Complaint (lawsuit) Verbal or written complaint Any type of threat Certified mail Any requests for:

Deposition or “off the record” conversations with Attorneys or Law Enforcement

Records (from Attorneys, DSS, Law Enforcement, or Medicare/Medicaid) Patient conference or meeting Audits

Risk Questions? We’ve got answers!

Kristen Bernero, 257-4415Director, Risk & Patient Safetykristen.bernero@mahec.net

Lindsey Altsheler, 398-5923Manager, Risk & Patient Safetylindsey.altsheler@mahec.net

Adina Moscarelli, 771-3544Risk & Patient Safety Coordinatoradina.moscarelli@mahec.net

Email Risk at risk@mahec.net

All About OSHA Safety

What is OSHA Safety? Regulated by North Carolina state law Created and implemented by the federal government in 1970 Regulates and enforces standards/guidelines for employers to provide a safe work

environment for all workforce members

Includes:• Regulatory inspections• Fire, Weather, and Medical Emergencies• De-Escalation• Hazard Communication• Bloodborne Pathogens and Regulated Waste• Spill Contingency• Ergonomics

MAHEC uses plain language to alert of FIRE, TORNADO, ACTIVE SHOOTER, BOMB THREAT.

Clear, concise communication.

Emergency Response

• Alert others of the fireo Verbally at satellite clinics/officeso Manual fire alarm pull stations at Biltmore

Campus, Ridgefield and Westridge• Fire extinguishers available for incipient stage fires

only

Fire Response

Important Fire Response Acronyms

Fire Extinguisher UseIncipient Stage Fire Only

• You are never expected to use a fire extinguisher; they are strictly for voluntary use.

• Suitable for class A, B, and C fires such as ordinary combustibles, flammable liquids, or electrical equipment.

• Familiarize yourself with locations of fire extinguishers.

• To use, must be within 6-8 feet of the fire.

• Only approx. 35 seconds extinguishing time.

Emergency Evacuation

• Familiarize yourself with exit routesin your work area.

• Calmly exit the building as quickly as possible; leave personal belongings behind.

• Only close door behind you if it is to the area of the fire (fire containment).

• Proceed to the designated meeting area and check in with your supervisor.

• Remain with your team until you are given permission to re-enter the building from Safety/Facilities Management.

Natural DisastersSnow/Ice – Tornado – - Earthquake

• Snow/Ice – wear appropriate shoes for slippery conditions.

• Tornado – familiarize yourself with the Tornado Shelter for your work area; interior rooms away from windows.

• Earthquake – stay inside away from objects that can fall.

Call 828-257-4400 for weather related closure or delayed opening information

Medical EmergencyAED – Emergency Kits - Oxygen

• Medical Emergency Kits in all clinic areaso Medications (Narcan), Oxygen Masks, Ambu bags

• AEDs also found mounted in some areas.

• Report use of AEDs to Safety/Facilities for reporting and maintenance.

• Familiarize yourself with locations of emergency items.

Workplace Violence• Violence in healthcare differs from violence in

other industries.

• Patients may act aggressively due to their medical conditions or the medication they are taking or want to take. They may feel frustrated and angry as a result of their circumstances.

• Call 911 if you feel in danger. Have someone call Facilities (828-257-4411)

De-escalationMaintain behavior that helps diffuse anger:• Present a calm, caring attitude• Don’t match threats• Don’t give orders• Acknowledge the person’s feelings (for example. “I know

you are frustrated”)• Avoid any behavior that may be interpreted as aggressive

(for example, moving rapidly, getting too close, touching, or speaking loudly)

Active Shooter

HIDE• Remain silent & still• Silence cell phone• Lock and/or blockade

the door with furniture• Remain low & out of

view • Find something to use

as a weapon in case the assailant gains entry to your hiding place

EVACUATE• Plan your escape

route and evacuate• Leave belongings

behind• Help others escape• Warn people from

entering the building• Call 911 when you

are safe

FIGHT• As a last resort,

only if your life is in danger

• Act quickly with physical aggression

• Yell to startle• Improvise weapons

– (E.g. fire extinguisher, chair etc.)

HazCom - SDSStandardized 16-section format.• Section 4

First Aid• Section 6

Accidental Spill Response • Section 8

PPE• Section 9

Physical & Chemical Properties

Location: MAHEC Intranet>Policies and Documents>Safety Management>location

HazCom – Secondary Container Labeling

• All secondary containers MUST be labeled! Preference is not to use secondary containers

• Examples of secondary containers – cold sterilization and germicidal solutions or alcohol soaked gauze pads.

• Products may have more than one type of hazard; therefore, NFPA and HMIS labels are used.

HazCom – Secondary Container LabelingThe colors represent the following types of hazards:

BLUE – Health WarningRED – Flammability WarningYELLOW – Reactivity WarningWhite – Special Warnings

The numbers represent the degree of risk:

0 Minimal1 Slight2 Moderate3 Serious4 Extreme

HazCom – PictogramsPictograms must be on every label and SDS

Ob/Gyn:• Formalin

o Signal Word – Danger, Flammable, Corrosive• Monsels

o Signal Word – Warning, Health Hazards (organs)• Cidex OPA

o No signal word – not GHS dangerous, toxic if swallowed

Sim Center:• Isopropyl Alcohol

o Signal Word – Danger, Flammable• Ease Release 200

o Signal Word – Warning, Flammable aerosol• TC 1614 Parts A&B (epoxy resin)

o Signal Word – Warning, Flammable, Health Hazard (organ toxicity)

HazCom – Hazardous Chemicals

• Microorganisms that cause disease, transmitted only through infectious body fluids.

• Infectious body fluids include blood, semen, joint fluid, vaginal secretions, amniotic fluids, saliva in dental procedures, etc.

• Urine, feces and vomit are not considered biohazardous unless visible blood is present.

• Hepatitis B, Hepatitis C, HIV, and AIDS

Bloodborne Pathogens

Follow Universal Precautions: treat all human blood and certain body fluids as if they were known to be infectious for HIV, HBV and other

bloodborne pathogens. Do not recap, bend, or break needles hand to

hand Use medical devices with safety features built-in

(self-sheathing needles, retractable blade scalpel's)

Dispose of needles at point of origin Wear proper PPE to protect eyes, mouth, other

mucous membranes, non-intact skino Safety Glasses, Goggles, Face Shieldo Face mask/N-95o Gloves

BBP - Prevention

When a BBP Exposure Occurs

Immediately wash exposure site with soap and water. Flush splashes to nose or mouth with water.

Eyes can be irrigated with clean water, saline or sterile fluids.

Have Attending Provider order an exposure panel on source patient, immediately.

Report incident to Supervisor and Employee Health.

Go to designated treatment location (cannot be MAHEC).

Enter an Incident Report on the exposure in the Incident Reporting system on the Intranet.

Employee Health will provide additional instruction.

Liquid or semi-liquid blood or Other Potentially Infectious Materials (OPIM)

Items contaminated with blood or OPIM that if compressed would release these substances in a liquid or semi-liquid state

Items caked with dried blood or OPIM capable of releasing when handled

Contaminated sharps containing blood or OPIM

Regulated Waste

Soft Waste, or Red Bag waste, is for items such as bloody gauze, dressings, IV tubing, or visibly contaminated gloves.

All non-sharp items that are contaminated with blood or OPIM where there is a possibility of release during transport or handling, must be disposed of into a red bag.

Regulated Waste – Soft Waste

Sharp Waste consists of items such as needles, scalpel's, spent carpules, glass slides and/or hard contaminated plastics.

Any item that has been contaminated with blood or OPIM, and is capable of puncturing or lacerating skin, must be disposed of into sharps container.

• Never exceed fill line• Never reuse

Regulated Waste – Sharp Waste

Having a well supplied spill kit is essential for infectious management and chemical spill cleanup.

• If the spill is on a non-absorbent surface, pour bleach overthe area and allow it to sit for several minutes

• Lay paper towels (or other absorbent material) over the spill area waiting until the liquid is absorbed

• Remove absorbent materials and discard in a red bag• Change to a new pair of gloves and clean the area using

soap and water and/or a commercial product• Disinfect area with a hospital grade disinfectant• Discard gloves into a red bag and wash your hands with an

antibacterial soap

Spill Contingency Plan

Addresses the fit between people and their tools and work environments.

Risk Factors Repeating the same motion throughout the workday

Performing work in an awkward position

Using a great deal of force to perform a task (lifting patients)

Ergonomics

Ergonomics Musculoskeletal Disorders

Injuries or illnesses affecting the connective tissues of the body such as muscles, nerves, tendons, joints, cartilage, or spinal disks.

Preventive Measures

Frequent breaks and stretching

Proper lifting technique

Use proper body mechanics

Adjusting workstation (Ergo evaluations available)

Ergonomics - Proper Lifting

● Bend at the knees, keep back straight● Keep the weight as close to you as possible● Avoid extending arms or twisting● Team Lift

Bear SafetyDo not feed, pet or take selfie. Slowly walk away

and report to Facilities 828-257-4411

OSHA Questions? I’ve Got Answers!I am here for you!

Deborah Durbin- Healthcare OSHA Safety Manager- 828-257-2976

***Required attestation instructions on next slide***

Attestation Instructions Complete the attestation form on the next slide Send completed form to your onboarding supervisor

Failure to complete the attestation will result in delays and or termination ofyour learning experience.

Any questions regarding this training and attestation can be referred to the MAHEC Compliance Office at 828-254-4724.

Student, Intern, and Affiliate Compliance, HIPAA, Research, Risk Management, and OSHA Safety Training Attestation

I, ___________________________________________________, attest that I have completed the required Compliance, HIPAA, Risk Management, and OSHA Safety training module(Printed student, intern, and or affiliate name)

assigned on ______________________________.(Training date)

I understand the material contained in the training module and agree to comply with the guidelines outlined therein.

I understand that failure to follow these guidelines can result in immediate termination of any and all MAHEC privileges associated with the student learning experience.

Signature: ____________________________________________________________________________________ Date: ________________________(Student, intern, and or affiliate signature)

MAHEC department my learning experience will be with (check all that apply):

Behavioral Health Dental Family Medicine Internal Medicine OBGYN Pharmacy Research Simulation Center Talent Management

Any questions regarding this training and attestation can be referred to the MAHEC Compliance Office at 828-254-4724.