
A copy of the agenda for the Special Committee Meeting will be posted and distributed at least twenty-four (24) hours prior to the meeting. In observance of the Americans with Disabilities Act, please notify us at 650-988-7504 prior to the meeting so that we may provide the agenda in alternative formats or make disability-related modifications and accommodations.

AGENDA

Special Meeting of the Corporate Compliance/Privacy and Internal Audit Committee of the El Camino Hospital Board

Thursday, May 21, 2015, 5:00 – 7:15 p.m.

El Camino Hospital, Conference Room F, ground floor

2500 Grant Road, Mountain View, California

Ramy Houssaini will participate via teleconference from the following address:

46 Rue de la Montagne Saint Genvieve 75005, Paris, France

John Zoglin will participate via teleconference from the following address:

Wyndham New York Hotel, 481 8th Avenue, New York, NY, 10001, US

Purpose: The Corporate Compliance/Privacy and Internal Audit Committee is responsible for providing direction for both the Corporate Compliance and Internal Audit programs at all locations of El Camino Hospital (ECH). Responsibilities include providing oversight on compliance issues requiring executive-level interaction, assessing physician relationship risk as it relates to compliance, reviewing HIPAA/Privacy laws as they relate to compliance and directing ECH on compliance strategies. The Committee also serves as the ad-hoc mobilization team for any external investigations and/or actions. Further, additional responsibilities include providing direction and oversight to ongoing internal audit activity and determining appropriate organizational response in order to identify and mitigate organizational risk.

AGENDA ITEM / PRESENTED BY / TIME

1. CALL TO ORDER/ROLL CALL
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   5:00 – 5:01 p.m.

2. POTENTIAL CONFLICT OF INTEREST DISCLOSURES
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   5:01 – 5:02

3. PUBLIC COMMUNICATION
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   5:02 – 5:07

4. REPORT ON BOARD ACTIONS
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   5:07 – 5:12

5. CONSENT CALENDAR ITEMS
   Any Committee Member may pull an item for discussion before a motion is made.
   Approval:
   a. Minutes of Corporate Compliance Meeting, March 19, 2015
   Information:
   b. Epic Documents
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   Public comment; motion required
   5:12 – 5:15

6. ENTERPRISE RISK ASSESSMENT AND MITIGATION PLAN (ATTACHMENT 6)
   Mick Zdeblick, Chief Operating Officer
   Motion for recommendation required
   5:15 – 5:45

7. PLAN FOR RESEARCH COMPLIANCE (ATTACHMENT 7)
   Mick Zdeblick, Chief Operating Officer
   Motion for recommendation required
   5:45 – 5:55

8. KEY PERFORMANCE INDICATORS SCORECARD AND TRENDS
   a. Memo, Scorecard, and Trend Graph (ATTACHMENT 8)
   Diane Wigglesworth, Compliance/Privacy Officer
   Information
   5:55 – 6:00

9. NEW ARTICLE
   a. OIG Practical Guidance for Healthcare Governing Boards on Compliance Oversight (ATTACHMENT 9)
   Diane Wigglesworth, Compliance/Privacy Officer
   Information
   6:00 – 6:05

10. ADJOURN TO CLOSED SESSION
   6:05

11. POTENTIAL CONFLICT OF INTEREST DISCLOSURES
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   6:05 – 6:07

12. CONSENT CALENDAR
   Any Committee Member may pull an item for discussion before a motion is made.
   Approval: Closed Session Minutes (3/19/15), Gov't. Code Section 54957.2 (motion required)
   Information: Conference with legal counsel – pending or threatened litigation – Gov't. Code Section 54956.9(d)(2): Compliance and Privacy Logs; Internal Audit Follow Up (information)
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   6:07 – 6:15

13. Conference with legal counsel – pending or threatened litigation – Gov't. Code Section 54956.9(d)(2): Discussion on IT Security
   Greg Walton, Chief Information Officer
   Information
   6:15 – 6:35

14. Conference with legal counsel – pending or threatened litigation – Gov't. Code Section 54956.9(d)(2): Report on Internal Audit Activity Programs
   Diane Wigglesworth, Compliance/Privacy Officer
   Information
   6:35 – 6:55

15. Health and Safety Code Section 32106(b), for a report involving health care facility trade secrets: Discussion on Pacing Calendar
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   Information
   6:55 – 7:00

16. RECONVENE OPEN SESSION
   To report any required disclosures regarding permissible actions taken during Closed Session.
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   7:00

17. STATUS OF FY:15 COMMITTEE GOALS (ATTACHMENT 17)
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   Information
   7:00 – 7:05

18. PROPOSED FUTURE FY:16 COMMITTEE MEETING DATES (ATTACHMENT 18)
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   Information
   7:05 – 7:10

19. COMMITTEE COMMENTS
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   7:10 – 7:15

20. ADJOURNMENT
   Dennis Chu, Vice Chair, Corporate Compliance Committee
   7:15 p.m.

Upcoming Corporate Compliance Committee Meetings: June 10, 2015 (Joint Meeting of ECH Board and Corporate Compliance Committee 5:30 pm)

Attachment 5a - Compliance Open Minutes 03-19-15 (V2) Draft.docx

Draft: Subject to Compliance Committee and Board of Directors Consideration

Minutes of the Open Session
Corporate Compliance, Privacy and Internal Audit Committee Meeting
Thursday, March 19, 2015
El Camino Hospital, 2500 Grant Road, Mountain View, California
Conference Room G

1. Call to Order. The meeting of the Corporate Compliance, Privacy and Internal Audit Committee (the "Committee") was called to order by Vice Chair Dennis Chiu at 5:05 p.m.

Silent Roll Call.
Members Present: Dennis Chiu, Wes Alles, Christine Sublett, Sharon Anolik-Shakked, and Ramy Houssaini (by phone).
Members Absent: John Zoglin

2. Potential Conflict of Interest Disclosures. Vice Chair Dennis Chiu asked if there were any conflicts of interest on any of the items on the agenda. None was reported.

3. Public Communication. There were none.

4. Report on Board Actions. Diane Wigglesworth indicated that a Report on Board Actions has been added to the agendas for all Board Committee meetings for the purpose of reporting back on actions taken by the Hospital Board, especially those that might impact or be of significant interest to the individual Committees. Vice Chair Chiu stated that there was a particular red alert Quality issue addressed at the most recent Board meeting that he would report on in closed session. He also noted that the Board discussed, as part of the "Big Dot" focus, one or two Quality issues that Executive Leadership should concentrate on, and it was agreed that leadership focus should be on patient centered care.

5. Consent Calendar. Vice Chair Chiu asked if anyone wished to remove any items from the consent calendar. There were no requests to do so.

Motion: To approve the Minutes of January 15, 2015.
Movant: Sublett
Second: Anolik-Shakked
Ayes: Chiu, Alles, Sublett, Anolik-Shakked
Ayes by phone: Houssaini
Noes: None
Abstentions: None
Absent: Zoglin
Recused: None


Enterprise Risk Assessment and Hospital Action Plan. Mick Zdeblick, COO, introduced Michael Kearney, Partner, and Jacqi Fifield, Senior Manager, from Deloitte, the organization chosen by the Committee to assist ECH in developing an Enterprise Risk Management program. As part of this process, the Committee requested that Deloitte conduct an enterprise-wide risk assessment. Based on executive and board interviews, Deloitte has identified a list of the top ten internally focused risks to ECH (risk descriptions are contained in the Deloitte Assessment presentation).

The risk assessment findings appear consistent with what the executive leadership team has discussed during the year and also leverage the topics discussed at the most recent Board retreat. Management is in the process of better understanding this assessment and evaluating prioritization. The Committee is also interested in how this internally focused assessment will be modified as our external views of enterprise risk are developed. The external view will be developed when an off-site workshop is conducted in April at the Deloitte Greenhouse Lab in San Jose. The initial top four risks addressed in a response by leadership were Physician Strategy, Shift in Payor Mix, Pace of Change and Strategic Priorities. Once the external Lab assessment is conducted in April with executive leadership, the Committee will review management's re-prioritization of the most impactful identified risks. The next step will be to work with Deloitte to develop a complete ERM program approach.

Discussion points included:
- Understanding that the biggest risk of all is how the organization responds to an unexpected crisis.
- Integrate an ERM program into existing process. The goal is to identify what is in place, what needs to be added, and determine the incremental steps needed to put into place actions to address significant risk. The action plan doesn't need to be metric driven.
- Considering risk presented by our competitors.
- The ERM program is Management's responsibility, and the Board should provide oversight of Management's process. Management and Board must be in alignment on risk tolerance levels. The Board has indicated a desire to know more about risk that would have the most significant impact to brand or revenue; the Executive Leadership Team will work with the Board to develop and receive reports annually.

Mick Zdeblick briefly introduced the X-box tool, a key strategic tool for assisting in addressing internal risk.

As suggested by Ms. Wigglesworth at this time, it was agreed that the Committee would delay a motion on the current Management's action plan submitted to the Committee to a later date, when the external assessment of the risk assessment has been completed and management has then reviewed and reprioritized the top four risks again.

Representatives from Deloitte left the meeting at 6:00 p.m.


6. Review of Committee Charter. No changes to the Charter were recommended. No motion was taken.

7. Review of FY16 Committee Goals. A draft of the FY16 Corporate Compliance/Privacy and Audit Committee Goals was reviewed. Following some discussion, Members Anolik-Shakked and Houssaini both indicated they would like to see a quarterly review of Enterprise Risk Management reporting tools and plan for continuous monitoring. Member Anolik-Shakked recommended that the wording for Metrics of Success Achieved for that goal be modified. "Review of Enterprise Risk Management reporting tools and plans for continuous monitoring" is changed to read "committee reviews ERM reporting tools and monitoring plan quarterly and then recommends a final version to the Hospital Board for approval by March 2016."

Motion: To approve all goals with the changes in wording as described for metrics of success achieved for Enterprise Risk Management reporting tools and plan for continuous monitoring.
Movant: Anolik-Shakked
Second: Sublett
Ayes: Chiu, Alles, Sublett, Anolik-Shakked
Ayes by phone: Houssaini
Noes: None
Abstentions: None
Absent: Zoglin
Recused: None
Motion passed

Representatives from Deloitte left the meeting at 6:35 p.m.

8. Key Performance Indicators Scorecard and Trends. Ms. Wigglesworth reviewed the metrics for February activity along with YTD information. She reported that the numbers of compliance or privacy investigations have remained consistent over the last few months. The organization has experienced only a few reportable breaches over the last few months, and the reportable privacy breaches to CDPH are trending down significantly compared with the previous fiscal year. Due to some patient complaints there has been a slight increase in the number of CDPH visits to the hospital in February. The hospital is awaiting the CDPH reports from those visits; the statements of deficiencies that were issued were related to the previous year's self-reported events by the hospital.

9. New Articles. Articles on EHR audits and the Anthem data breach were presented and briefly discussed.


10. Adjourn to Closed Session.

Motion: To move to closed session at 6:15 p.m. pursuant to Gov't Code Section 54957.2 to consider and approve the consent calendar; pursuant to Gov't Code Section 54956.9(d)(2) for two conferences with legal counsel regarding IT Security and government audit programs; and pursuant to Health and Safety Code Section 32106(b) for a report on the pacing plan.
Movant: Sublett
Second: Anolik-Shakked
Ayes: Chiu, Alles, Sublett, Anolik-Shakked
Ayes by phone: Houssaini
Noes: None
Abstentions: None
Absent: Zoglin
Recused: None

Mr. Zdeblick left the meeting at 6:15 p.m.

11. Agenda Item 17 – Reconvene Open Session. Vice Chair Chiu reported that the following actions were taken in closed session:

A. Motion to approve Consent Calendar items (Closed Session Minutes of the January 15, 2015 meeting, the Compliance Activity Log (January – February 2015), and Internal Audit Follow Up Table) was adopted by a unanimous vote of the Members present (Chiu, Alles, Sublett, Anolik-Shakked, and Houssaini [by phone]).

B. Motion to approve the FY15 Physician Arrangements Report was adopted by a unanimous vote of the Members present (Chiu, Alles, Sublett, Anolik-Shakked, and Houssaini [by phone]).

Motion: To adjourn to Open Session at 6:45 p.m.
Movant: Sublett
Second: Anolik-Shakked
Ayes: Alles, Chiu, Sublett, Anolik-Shakked
Ayes by phone: Houssaini
Noes: None
Abstentions: None
Absent: Zoglin
Recused: None
Motion passed


12. Agenda Item 18 – Status of FY15 Committee Goals and Development of FY16 Goals. Ms. Wigglesworth indicated that at the next meeting the Committee would review the Hospital risk mitigation plan for research compliance and an updated action plan based on the revised enterprise-wide risk assessment that will be prepared in April to include external risks. The Committee's review of both items will complete the Committee goals for the fiscal year.

13. Agenda Item 19 – Committee Comments. Member Alles commented on his concerns that the Deloitte risk assessment report may have been overstated; however, it did make him realize he had not been aware of some of the risks they brought attention to. It was pointed out that we have had, up until now, primarily an inward focus on risk vs. an outward focus. External risks were defined as things such as clinical programs, market issues such as the growth of PAMF and Stanford, and ACA expansion of Medi-Cal. Ms. Wigglesworth expressed her extreme appreciation to all the advisors on the Committee who continually provided recommendations that have improved the compliance program over the last two years, and looks forward to their ongoing support.

14. Agenda Item 20 – Adjournment.

Motion: To adjourn the meeting at 6:55 p.m.
Movant: Anolik-Shakked
Second: Alles
Ayes: Chiu, Alles, Sublett, Anolik-Shakked
Ayes by phone: Houssaini
Noes: None
Abstentions: None
Absent: Zoglin
Recused: None
Motion passed

Attest as to the approval of the foregoing minutes by the Governance Committee and by the Board of Directors of El Camino Hospital:

__________________________
John Zoglin, Chair, ECH Corporate Compliance, Privacy and Internal Audit Committee

______________________________
Dennis Chiu, ECH Board Secretary

Attachment 5b - Epic Documents.pdf
Attachment 5b Memo - Epic Documents.docx

DATE: May 12, 2015
TO: Corporate Compliance/Privacy and Internal Audit Committee
FROM: Susan Bukunt, Sr. Director, iCare Operations Champion
SUBJECT: Epic Documents
BOARD ACTION: Possible Motion: That the Committee recommends that the Board approve the Proposed Epic Documents

iCare Link: This new system gives us the ability to offer other organizations that have a relationship with a patient access to the patient's medical record in a secured environment. iCare Link is a free web-based portal that will allow providers in physician offices, community clinics, and after-care facilities associated with the patient to view an online version of the patient's care within our organization. iCare Link will replace our current tool for sharing patient information, Pro Access. This tool can help organizations provide:

Transparent flow of information between physicians and other care providers
Streamlined process for external physicians to place referrals and orders to our organization
Secure access to select patient information in our iCare data repository, eliminating the need for faxing of documents

In order to enroll these organizations and be ready for the November go-live we will need signed indemnity agreements and applications back to us by August 28, 2015. The following iCare Link documents have been created to support enrolling organizations:

iCare Link Indemnity Agreement

iCare Link Terms and Conditions Access Agreement

iCare Link practice enrollment

MyCare: MyChart, which we have renamed MyCare, is Epic's patient portal, a customizable web application that gives patients easy access to their medical records.

Offering MyCare to patients can help strengthen the relationships they have with clinicians at our organization and give patients tools they can use to become better invested in their own health. The following are just some of the things patients can do using MyCare:

Schedule appointments

View and graph lab results

Request medication refills

Send messages to their physicians

View their children’s medical records

Pay bills

Patients will be required to sign a Terms & Agreement document when they log on, attesting to appropriate use of the portal. Adults may grant access to their record to another person, and parents may access their child's record within the limitations of State laws. The following MyCare documents have been created to support patient portal access:

Terms and Conditions of MyCare

My Care Proxy Policy

My Care Adult Proxy Form

My Care Child Proxy Form

Care Everywhere: Care Everywhere is Epic's interoperability platform, which can be used to exchange patient data with other healthcare institutions using Epic. Today, organizations are using Care Everywhere to exchange over eight million patient charts monthly. Care Everywhere helps us make sure that clinicians have the information they need to treat patients, both for planned transitions of care, such as referrals, and unplanned transitions of care, such as visits to the emergency department.

For a planned transition or visit, such as a scheduled procedure or test, the system sends a query to other Epic organizations requesting patient clinical information. During an unplanned visit, the user requests information from another organization. The information from the other system is brought into Epic at the point of care and is available locally within a clinician's workflow. After receiving the patient's information, physicians can review it and reconcile any discrete problems, allergies, and medications retrieved by Care Everywhere with information in the patient's iCare chart. Reconciled data becomes a permanent part of the patient's chart and is used to drive clinical decision support. The following Care Everywhere documents have been created to support information received and requested from other organizations:

Care Everywhere Authorization

Revision to policy 1.10 release of patient information

Attachment 5b-1 iCare Link Indemnity Agreement final.docx

El Camino Hospital iCare Link User Agreement

This El Camino Hospital iCare Link User Agreement ("Agreement") is made and entered into as of this ____ day of _____________ 20___, or the date of last signature below, whichever is later, by and among ______________________________ ("Practice"), whose address is ______________________________ and telephone contact: ______________________________, and El Camino Hospital ("ECH").

RECITALS:

WHEREAS, Practice is currently involved in the care and treatment of patients who have received care or treatment at El Camino Hospital; and

WHEREAS, the parties wish to state the terms and conditions under which Practice will be given access to a secure electronic database of El Camino Hospital owned patient information by which the Practice may obtain information regarding Practice patients' care and treatment at El Camino Hospital which is needed by Practice to provide further care to its patients.

NOW, THEREFORE, in consideration of the mutual promises herein contained, El Camino Hospital and Practice agree as follows:

ARTICLE I

Section 1.1. The Program. El Camino Hospital maintains a secure electronic database of confidential patient information owned by El Camino Hospital, including but not limited to clinical and hospital treatment records, physician notes, laboratory and imaging records, patient demographic information, insurance and third-party payer information and other information regarding El Camino Hospital patients and proprietary information. This aforementioned information and the iCare Link software shall be collectively referred to as the "Program". El Camino Hospital reserves the right to modify or discontinue the Program or Practice's access to the Program or terminate this Agreement at any time for any reason.

Section 1.2. Grant of Limited Use. Practice is granted the right to access the Program for the following sole and limited purpose: Practice may obtain health information about care or treatment received by Practice's patients from El Camino Hospital which is necessary for Practice's current treatment of the patient for whom the information is sought. All other use of the Program is strictly prohibited. Any other patient information sought by Practice shall be obtained upon the patient's written authorization under standard patient information release practices and procedures of El Camino Hospital (depending upon records sought), and California law. Practice's access to the Program is subject to audit and review at any time by El Camino Hospital.

Section 1.3. No Maintenance or Support to Program. No technical or administrative support shall be provided to Practice relative to its use of the Program.

ARTICLE II

Section 2.1. Practice Access. Program access is managed by the El Camino Hospital IT Security and Access Management Team ("IT Security Team"). Practice shall identify users whom it shall authorize to access the Program on its behalf ("User") under this Agreement and submit to El Camino Hospital an iCare Link Access Request Form for each User which Practice identifies on an Access Request Form submitted to El Camino Hospital. A confidential User ID and temporary password shall then be assigned to each User, by which such User may access the Program for the limited purposes stated in Section 1.2 herein.

Section 2.2. Sharing of Passwords Prohibited. Practice shall protect the confidentiality of User IDs and passwords consistent with the requirements detailed in the attached Terms and Conditions of use and the Health Insurance Portability and Accountability Act of 1996 as amended (HIPAA) and shall not divulge such confidential IDs and/or passwords to any other persons. Practice shall be responsible for use of the password issued to its designated Users.

Section 2.3. Notification of Compromised Password. In the event that a password assigned to a User is compromised or disclosed to a person other than the User, the Practice shall, upon learning of the compromised password, immediately notify the El Camino Hospital IT Security Team (as set forth in Article VI, Section 6.3) so actions can be taken to limit access by that password and to issue a new password to the Practice User. Also see notification required under Article IV, Section 4.3.

Section 2.4. Practice Notification of Termination of Employment and Other Events Ending An Employee's Need to Access the Program. Practice shall immediately notify the El Camino Hospital IT Security Team (as set forth in Article VI, Section 6.3) in the event any Practice User ceases to be employed by or associated with the Practice, experiences a change in job function such that User no longer requires access to the Program, or for any other reason that the Practice chooses to no longer provide such person access to the Program on its behalf. Unless and until the El Camino Hospital IT Security Team receives such notification, Practice shall remain responsible for such User's actions in accessing the Program and using the information obtained thereunder.

Section 2.5. Practice Training Requirement. Practice shall provide annual training to its Users on issues related to information security and patient confidentiality. Practice shall maintain written records evidencing such annual training and provide copies upon request to El Camino Hospital.

ARTICLE III

Section 3.1. Ownership. No rights to the Program or patient information contained therein are transferred to the Practice under this Agreement.

Section 3.2. Accessing, Using, and Disclosing PHI.

a. Practice may only make paper copies of Program medical records which are necessary and essential for the sole purpose of the Practice's diagnosis, evaluation and treatment of a current patient. Such copies shall be maintained, protected and destroyed in the same manner as the Practice maintains, protects and destroys the medical records of Practice's patients.

b. Practice shall not use or disclose any medical records obtained from the Program for any purpose other than the diagnosis, evaluation, and treatment of a current patient, except as otherwise permitted in this Agreement and as set forth in Article IV, Section 4.1 of this Agreement.

c. Practice may not make electronic copies of medical records or other documents contained in the Program.

d. Practice shall not rewrite or otherwise alter, destroy, circumvent or sabotage the Program or the electronic medical records and documents stored and maintained in the Program.

e. Practice shall not access, use or disclose any information contained in the Program for any purpose with the intent to negatively impact the competitive advantage of El Camino Hospital in the marketplace.

ARTICLE IV

Section 4.1. Medical Records Confidential. The parties recognize that the medical records maintained in the Program are subject to various state and federal privacy laws and regulations including but not limited to HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH), and the California Confidentiality of Medical Records Information Act of 1981, pursuant to which El Camino Hospital and Practice are under an obligation to maintain the confidentiality of such records. Practice shall not disclose information from such records except to:
a) other physicians and personnel under the direction of Practice who are participating in the treatment of the respective patients;
b) entities involved in the payment or collection of fees for medical services rendered by Practice, provided that the patient in question has consented to such disclosure;
c) other persons or entities as to whom such disclosure is required by law;
d) upon obtaining the patient's written consent.
Practice may release paper copies of documents obtained from the Program that are maintained with Practice's own medical record of the patient.

Section 4.2. Indemnification. Practice shall indemnify and defend and hold El Camino Hospital harmless from and against all claims, demands, suits, judgments, costs and expenses (including reasonable attorney's fees and court costs), if any, that may be made or taken against El Camino Hospital or incurred by El Camino Hospital as a result of a breach of this Agreement by Practice, its employees or agents and/or the acts or omissions of Practice, its employees or agents, including but not limited to any unauthorized access, use or disclosure of any Program information (which includes protected patient health information as defined in HIPAA ("PHI")) by Practice or Users or through passwords issued to Users.

Section 4.3. Unauthorized Access, Use or Disclosure. If the Practice discovers an unauthorized access, use or disclosure of PHI by Practice, any Practice User or as a result of a compromised ID and password issued to a User, Practice shall as soon as possible but not later than two (2) calendar days following the discovery of such unauthorized acquisition, access, use or disclosure of PHI notify El Camino Hospital by telephone and in writing at the telephone numbers and addresses set forth in Article VI, Section 6.3. Practice shall be considered to have discovered such unauthorized activity as of the first day on which the unauthorized activity is known or, by exercising reasonable diligence, would have been known to the Practice. Such notice shall include identification of each individual whose unsecured PHI has been, or is reasonably believed by the Practice to have been, accessed, acquired, or disclosed during such unauthorized activity. If El Camino Hospital determines the unauthorized activity by Practice or its agent or employee qualifies as a Breach (hereinafter defined) that triggers the HITECH breach notification requirements, then Practice will reimburse El Camino Hospital for all costs incurred by it related to notifying individuals affected by such Breach of the Breach. El Camino Hospital, at its sole discretion, shall make the determination of whether or not the definition of "Breach" as set forth in the HITECH Act, 45 CFR §164.402, has been met. In addition, it shall be incumbent upon Practice to institute appropriate disciplinary actions against the agent(s) and/or employee(s) responsible for the Breach. Upon request from El Camino Hospital, Practice shall provide evidence to El Camino Hospital of any disciplinary actions taken. In addition to disciplinary actions taken by Practice, El Camino Hospital may, at its sole discretion, and without prejudice to any of its rights against Practice as a result thereof, terminate this Agreement and terminate the access of Practice. Practice agrees to promptly and fully cooperate with El Camino Hospital in any investigation of suspected breach of patient confidentiality.

Section 4.4. Additional Legal Remedies for Prohibited Acts. Should Practice or any contractor, agent, employee or Practice User access, use or disclose any data, patient information or other information stored or maintained in the Program for any purpose not authorized in this Agreement, El Camino Hospital may unilaterally and immediately terminate the access to the Program by Practice and seek such legal and/or equitable relief as each party deems appropriate.

ARTICLE V

Disclaimer of Warranties. EL CAMINO HOSPITAL MAKES NO REPRESENTATION, WARRANTY OR GUARANTY, EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR PARTICULAR PURPOSE WITH REGARD TO THE PROGRAM SUPPLIED TO PRACTICE PURSUANT TO THIS AGREEMENT. SHOULD THE PROGRAM FAIL OR BE INACCURATE, UNDER NO CIRCUMSTANCES SHALL EL CAMINO HOSPITAL BE LIABLE FOR ANY LOSS OF PROFITS TO PRACTICE OR FOR SPECIAL, CONSEQUENTIAL, EXEMPLARY OR ANY OTHER DAMAGES (ALL OF WHICH ARE HEREBY EXPRESSLY WAIVED BY PRACTICE AS PART OF THE CONSIDERATION FOR THIS AGREEMENT), EVEN IF EL CAMINO HOSPITAL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

ARTICLE VI

Section 6.1. No Assignment. Practice may not assign this Agreement.

Section 6.2. Fees and Expenses. If El Camino Hospital brings any action at law or in equity, or pursues arbitration or mediation to enforce its rights under this Agreement or arising from access granted under this Agreement, it shall be entitled to reasonable attorney's fees, costs and expenses, in addition to any other remedy or relief to which such party may be entitled.

Section 6.3. Notice.

Notice referenced under this agreement shall be as follows:

Section 6.4. Termination. All privacy and confidentiality obligations established under this Agreement shall survive termination of this Agreement or access permitted under it.

Section 6.5. Entire Agreement, Governing Law, Jurisdiction, and Venue. This Agreement constitutes the complete understanding among the parties and incorporates all prior understandings among the parties on the subject of access to the Program. There are no promises or agreements, either oral or written, among the parties on this subject other than as set forth herein. No modification of this Agreement shall be binding unless the same is in writing and signed by the respective parties hereto. This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to conflict of law principles. Each party consents to submit to the exclusive jurisdiction and venue of the federal and state courts within the State of California, County of Santa Clara and each party hereby consents to personal jurisdiction in such forum, for any action, suits or proceedings arising out of or relating to this Agreement.

Section 6.6. Signature Authority for Practice. The individual executing this Agreement for and on behalf of Practice/Organization represents and warrants that (a) he or she has the actual authority to enter into this Agreement on behalf of the Practice/Organization, and (b) he or she is acting within the scope of his or her authority to enter into and execute the Agreement for and on behalf of the Practice/Organization.

[Signature Page Follows]

For Report of potential privacy breaches/unauthorized use of the Program or patient information:

El Camino Hospital Privacy Officer

2500 Grant Road

Mountain View, CA 94040

[email protected]

650-940-7032

For Program use authorization and termination; password assignment, revocation or compromised password:

IT Security Team

[email protected]

650-962-5808


El Camino Hospital ICare Link User Agreement - Signature Page

PRACTICE:

By: ___________________________ Date __________________________
Signature/Authorized Legal Representative
Printed Name: ______________________________

El Camino Hospital:
By: ___________________________ Date __________________________
Printed Name: ______________________________

Attachment 5b-2 iCare Link Terms Conditions Access Agreement-final.doc


Terms & Conditions of El Camino Hospital Epic CareLink Use

The privacy of a patient’s health and other confidential information is a right protected by law and enforced by fines and criminal penalties. Safeguarding patient information is a fundamental obligation for all persons accessing it. Your clicking on “I AGREE” at the end of this statement will commit you to that obligation, and WILL be used as proof that you understand and agree to the stated basic duties and facts regarding privacy and protection of patient information.

Read it carefully.

Clicking on “I AGREE” indicates the following:

1. I agree to protect the privacy and security of patient information accessed through El Camino Hospital EpicCareLink at all times.

2. I agree to a) access patient information to the minimum extent necessary for my assigned duties and b) disclose such information only to persons authorized to receive it.

3. I agree that I understand the following:

a. EL CAMINO HOSPITAL (ECH) tracks all user IDs used to access EpicCare Link. Those IDs enable discovery of inappropriate access to patient records.

b. Inappropriate access and/or unauthorized release of patient information will result in a report to authorities charged with professional licensing, enforcement of privacy laws and prosecution of criminal acts. I further understand and agree that inappropriate access and/or unauthorized release of patient information may result in temporary and/or permanent termination of my access to El Camino Hospital EpicCareLink.

c. That I will be assigned a User ID & a one-time use activation code. I agree to immediately select and enter a new password known only to me. I understand I may change my password at any time, and will do so based on El Camino Hospital EpicCareLink policy and/or when prompted. I understand that I am to be the only individual using and in possession of my confidential password. I am aware that the User ID and password are equivalent to my signature. Also, I am aware that I am responsible for any use of El Camino Hospital EpicCare Link utilizing my User ID and password. This includes data entered, viewed, printed or otherwise manipulated. If I have reason to believe that my password has been compromised, I will report this information to El Camino Hospital’s IT Security Team and I will also immediately change my password. I understand that User IDs cannot be shared. Inappropriate use of my ID (whether by me or anyone else) is my responsibility and exposes me to severe consequences.


4. I understand that patient information includes but is not limited to:

Any individually identifiable information in possession or derived from a provider of health care regarding a patient's medical history, mental, or physical condition or treatment, as well as the patients' and/or their family members' records, test results, conversations, research records and financial information. (Note: this information is defined in HIPAA as “protected health information.”) Examples include, but are not limited to:

- Physical medical and psychiatric records including paper, photo, video, diagnostic and therapeutic reports, laboratory and pathology samples;

- Patient insurance and billing records;

- Centralized and/or department based computerized patient data and alphanumeric radio pager messages;

Attachment 5b-3 iCare Link Practice Enrollment Form.docx


Please complete the following form, reading all directions where available, to initiate enrolling your practice in iCare Link. The directions contain specific information essential to expedite your enrollment. You will also be required to sign an Indemnity Agreement to complete your enrollment. Thank you.

Section I: Practice Information:

Practice Name: ___________________________________________________________________________

Physician Name: (Last, First) ____________________ Physician NPI: ____________

Physician Specialty: ___________Physician Email: _____________________Physician Mobile: ____________

Office Phone: ___________________ Fax: _______________ Backline Phone: _________________________

Street Address ________________________ City: __________________State: __________ Zip: ___________

Office Manager Name: _____________Phone: ___________Office Manager mobile: _________

Office Manager Email: _____________________________________________________________

Number of Physicians, Nurse Practitioners and/or Physician Assistants_______________________

Number of Non-Provider Staff to be trained: _________________________________

Mailing address and/or additional office location addresses, other than primary location, if applicable:

___________________________________________________________________________________

Section 2: Electronic Medical Record (EMR) Status and Information:

We currently use an EMR. EMR Vendor & Version: _____________________________________________

We have chosen an EMR. EMR Vendor & Version: ____________________________Install Date: _______

We are in the process of choosing an EMR Vendor

We do not plan to implement an EMR system

Member of IPECH

Member of IPECH and signed up for ECW

___________________________________________________________________________________

Section 3: PC Operating System Information:

MD Computer Operating System___________________ Office Computer Operating System________________


Section 4: Practice Providers: Please complete the following for each provider. All fields are required.

| Provider Name | M.I. | Provider Last Name | Degree | Specialty | NPI | Email Address (Required) |
|---|---|---|---|---|---|---|
| John | M | Example | MD | Int. Med. | 0000012345 | [email protected] |

Section 5: Staff Users: Please list all Staff members (non-providers) requesting access to ProAccess

| Staff First Name | M.I. | Staff Last Name | Title | Email Address (Required) |
|---|---|---|---|---|
| Ex: Jane | K | Doe | Medical Assistant | [email protected] |

Section 6: User Administrator: Each practice must designate a candidate to be certified as the iCare Link User Administrator. This person must be approved by the physician(s) of record. Please complete the following for the User Administrator designee for your practice.

Name: _________________________________ Title: ____________________________________

Email: _________________________________________________________________________________

The section below must be completed by the provider signatory of record for this organization.

Provider Designation of User Administrator

I understand El Camino Hospital requires each organization to designate a person to be certified as the iCare Link User Administrator who will be responsible for managing user accounts and ensuring privacy and security compliance. I hereby designate the individual named in Section 6 as the iCare Link User Administrator for my organization.

Provider Signature: ___________________________________ Title: _____________________________________

Printed Name: ________________________________ Date: _____________________________________

Attachment 5b-4 MyCare Terms and Conditions of MyCare.docx


EL CAMINO HOSPITAL

My Care Terms & Conditions

By agreeing to these terms and conditions, I acknowledge that I am requesting El Camino Hospital to release my personal health information, including test results, to my online personal health record and to grant me access to my online personal health record, including the ability to communicate with my health care team concerning my health information via the internet using the El Camino Hospital application, MyCare. I understand that my medical clinicians are prohibited by California law from releasing certain test results to me electronically and consequently I may not be able to access all of my health information online in MyCare. I understand that El Camino Hospital reserves the right to limit or discontinue my use of MyCare if I do not abide by these terms and conditions or at the sole discretion of El Camino Hospital.

Privacy and Security Policy

El Camino Hospital considers the privacy of your health information to be one of the most important elements in our relationship with you. Our responsibility to maintain the confidentiality of your health information is one that we take very seriously. The following notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review carefully: http://www.elcaminohospitalservices

Summary of Requirements

E-Messaging should never be used for urgent matters.

A valid and functional e-mail address must be provided.

Online ID and password should not be shared with anyone. Use of El Camino Hospital's MyCare is for accessing an individual’s health information or authorized access to health information of someone in my care.

Use of MyCare

I understand that El Camino Hospital’s MyCare should never be used for urgent matters. I acknowledge the anticipated turnaround time for response to electronic messages is 1 to 2 business days. For all urgent matters that I believe may immediately affect my health or well-being, I will, without delay, contact my clinician by telephone, and/or go to the emergency department of a local hospital, and/or dial 911.


I understand that my health care team may send me secure e-Messages via MyCare. These messages may contain information that is important to my health and medical care. It is my responsibility to monitor these messages. By entering my valid and functional email address, I have enabled El Camino Hospital to notify me of messages sent to my inbox. I understand that maintaining my current email contact information with El Camino Hospital’s MyCare is my responsibility and I will update my email address on MyCare as needed. I agree to not upload any attachments which violate any copyright laws, international or otherwise, or attach images which depict pornography or any material deemed in any manner illegal or unauthorized by state or federal laws or regulations and are not related to my own personal clinical care except for those for which I have legal proxy access. This agreement shall be construed in accordance with, and shall be governed by, the procedural and substantive laws of the State of California.

Online ID and Password

I understand that I must create a unique MyCare Identification (ID) code and password to be used to access my health information. Inquiries and entries that I make will be logged with my identity. I understand that it is extremely important that I keep my MyChart ID and password completely confidential. If at any time I feel that the confidentiality of my password has been compromised, I will change it by going to the Password link on the website. I understand that El Camino Hospital takes no responsibility for and disclaims any and all liability or consequential damages arising from a breach of health record confidentiality resulting from sharing or losing my password. If El Camino Hospital discovers that I have inappropriately shared my password with another person or that I have misused or abused MyCare privileges in any way, my participation in MyCare may be discontinued by El Camino Hospital without prior notice. I understand that I must not share my MyChart ID and/or Password with any other website, party, or vendor (for example, a mobile app or website that collects and displays health information). In doing so, I hold myself accountable for any interaction this has between MyCare and the 3rd party and do not hold El Camino Hospital liable for my personal information and/or patient information that is accessed by the 3rd party and what they do with this information.

Verification of Identity

I understand that my enrollment is contingent on verification of my identity either in person or by comparing my signature provided on the Release of Information form with my signature in my health record.

Deactivation of My Account

I understand that MyCare may be deactivated upon my request or at the discretion of El Camino Hospital for failure to meet these Terms and Conditions.


Disclaimer

I understand that MyCare may not be available to me at all times due to unanticipated system failures, back-up procedures, maintenance, or other causes beyond the control of El Camino Hospital. Access is provided on an “as-is, as-available” basis and El Camino Hospital does not guarantee that I will be able to access MyCare at all times. During times when MyCare is unavailable, other communication methods (e.g., telephone) should be used to contact El Camino Hospital or my clinician. I understand that El Camino Hospital takes no responsibility for and disclaims any and all liability arising from any inaccuracies or defects in software, communication lines, the virtual private network, the Internet or my Internet Service Provider (ISP), access system, computer hardware, or any other service or device that I use to access MyCare.

Attachment 5b-5 x xx MyCare Proxy Policy.doc


EL CAMINO HOSPITAL HEALTH INFORMATION MANAGEMENT SERVICES

POLICIES AND PROCEDURES

x.xx MyCare: Proxy Access

A. Coverage:

El Camino Hospital Personnel

B. Reviewed/Revised:

02/15

C. Policy Summary:

All patient information is considered confidential. Information that identifies or potentially identifies a patient, or information about a specific patient, will not be disclosed unless authorized by law or by the patient / legal guardian.

This procedure ensures confidentiality of patient information and allows for limited information to be accessed by the patient's legal guardian or designated patient proxy via MyChart.

D. Procedure for requesting Adult Proxy access of Minor patient:

1. Parent, legal guardian or conservator can request Proxy access to a minor's chart by completing a MyCare Child Proxy access form.

2. El Camino Hospital will validate the parent, legal guardian or conservatorship relationship of the minor patient.

3. Once validated and approved, a MyCare account will be created for proxy use.

4. Limited access is granted based on the minor's age due to state and federal patient privacy regulations.

5. Proxy access of a minor patient will terminate when the minor patient turns 18 years of age.


E. Procedure for requesting Adult Proxy access of Adult patient:

1. A patient 18 years of age and older can designate a proxy by completing a MyCare Adult proxy form and a MyChart: Adult proxy release of protected health information authorization.

2. El Camino Hospital will validate the patient's request and authorization.

3. Once validated and approved, a MyCare account will be created for proxy use.

4. The Authorization for Release of Protected Health Information is valid for 10 years from the date of patient signature unless otherwise specified. Proxy access will expire on the specified date of expiration if not renewed.

F. References:

California Hospital Association Consent Manual, 2013

Attachment 5b-6 iCare_MyCare_Adult Proxy final.docx


2500 Grant Road, Mountain View, CA 94040-4378

Telephone: (650)988-7462 │Fax: (650)988-8246

DRAFT Patient Label

MyChart: Adult Proxy Request Form

To request access to the MyChart record of an adult patient whose medical care you help manage, please complete this form. Both the patient and proxy representative must sign this form. In addition, the patient must authorize the release of records via MyChart by completing the "Adult Proxy Release of Information Authorization" form.

Patient Information:

Patient Name:

Address:

City:

State: Zip:

Date of Birth:

Proxy Information:

Representative Name:

Address:

City:

State: Zip:

Phone:

Date of Birth:

Email address:

Your relationship to patient*:

Durable Power of Attorney

Conservator

Other: ____________________

*Legal documents may be required to validate relationship, e.g., birth certificate, guardianship/conservatorship appointment, durable power of attorney


MyChart Terms and Conditions:

I understand that:

MyChart is intended as a secure online source of confidential medical information. If I share my MyChart ID and password with another person, that person may be able to view my or my child's health information, and health information about someone who has authorized me as a MyChart proxy.

It is my responsibility to select a confidential password, to maintain my password in a secure manner, and to change my password if I believe it may have been compromised in any way.

MyChart contains selected, limited medical information from a patient's medical record and does not reflect the complete contents of the medical record.

My activities within MyChart may be tracked by computer audit and that entries that I make may become part of the patient's medical record.

MyChart is provided by El Camino Hospital as a convenience to its patients. El Camino Hospital has the right to deactivate access to MyChart at any time for any reason.

MyChart is voluntary and I am not required to use MyChart or to authorize a MyChart proxy.

The authorization form may be revoked in writing at any time, except to the extent that the information has already been accessed. I must submit my revocation to El Camino Hospital.

Mail completed form to: El Camino Hospital, Attention: HIM Dept. (Medical Records), 2500 Grant Road, Mountain View, CA 94040 - OR - Fax to: 650-988-8246

By signing below, I acknowledge that I have read and understand the requirements for designating the person named above as my MyChart Proxy, thereby allowing them access to my MyChart medical record.

__________________________________________________ _______________________
Signature of Patient or Healthcare Representative Date

If signed by someone other than the patient, state your legal relationship to the patient:

__________________________________________________
Relationship

OFFICE USE ONLY: Patient relationship verified by:________

Proxy access approved:

Yes No

Activation Letter Sent:

Yes No Date Sent:___________

Attachment 5b-7 iCare_MyCare_Child Proxy final.docx


2500 Grant Road, Mountain View, CA 94040-4378

Telephone: (650)988-7462 │Fax: (650)988-8246

DRAFT Patient Label

MyChart: Child Proxy Request Form

I hereby request El Camino Hospital (ECH) to provide access to the health information of the minor child listed below via MyChart. Please note the following age range limitations for MyChart. These age range limitations do not affect any legal right you have to access your child's record by other means. To request a paper copy of your child's record, please contact the HIM Department at 650-988-7462

If your child is age 0 – 11: You will be granted full access to your child's MyChart record.

If your child is age 12 – 17: You will be granted partial access to your child's MyChart record.

Once your child reaches age 18, you will no longer have access to your child's MyChart account unless the patient signs an adult proxy.

Patient Information:

Patient Name:

Address:

City:

State: Zip:

Date of Birth:

Proxy Information:

Your Name:

Address:

City:

State: Zip:

Phone:

Date of Birth:

Email address:

Your relationship to child*:

Parent

Legal Guardian

Conservator

Stepparent

*Legal documents may be required to validate relationship, e.g., birth certificate, guardianship/ conservatorship appointment


MyChart Terms and Conditions:

I understand that:

MyChart is intended as a secure online source of confidential medical information. If I share my MyChart ID and password with another person, that person may be able to view my or my child's health information, and health information about someone who has authorized me as a MyChart proxy.

It is my responsibility to select a confidential password, to maintain my password in a secure manner, and to change my password if I believe it may have been compromised in any way.

MyChart contains selected, limited medical information from a patient's medical record and does not reflect the complete contents of the medical record.

My activities within MyChart may be tracked by computer audit and that entries that I make may become part of the patient's medical record.

MyChart is provided by El Camino Hospital as a convenience to its patients. El Camino Hospital has the right to deactivate access to MyChart at any time for any reason.

MyChart is voluntary and I am not required to use MyChart or to authorize a MyChart proxy.

The authorization form may be revoked in writing at any time, except to the extent that the information has already been accessed. I must submit my revocation to El Camino Hospital.

Mail completed form to: El Camino Hospital, Attention: HIM Dept. (Medical Records), 2500 Grant Road, Mountain View, CA 94040 - OR - Fax to: 650-988-8246

By signing below, I acknowledge that I have read and understand the requirements for accessing my child's medical record information online. I certify that I am the birth parent or legal guardian of the child listed above and that all information I have provided is correct.

__________________________________________________ _______________________
Signature of Parent / Legal Guardian Date

OFFICE USE ONLY: Patient relationship verified by:________

Proxy access approved:

Yes No

Activation Letter Sent:

Yes No Date Sent:___________

Attachment 5b-8 iCare_CareEverywhere Auth final.docx


2500 Grant Road, Mountain View, CA 94040-4378

Telephone: (650)988-7462 │Fax: (650)988-8246

DRAFT Patient Label

iCare: CareEverywhere Authorization to Access Protected Health Information

Patient's Name: _______________________________________________________

Date of Birth: ______/____/______

Telephone: ____________________________

I authorize the following facility to access my El Camino Hospital (ECH) protected health information for treatment purposes:

Facility Name:

Address 1:

Address 2:

City: State: Zip:

Information Released:

I understand that the information to be released will include all information available in my electronic medical record and may include information relating to the diagnosis and/or treatment of mental illness, alcohol/drug abuse, AIDS, HIV test results, developmental disabilities, sexually transmitted diseases and genetic testing.

Expiration of Authorization:

Unless otherwise revoked, this authorization expires 1 year from the date of signature or as specified:______________________

Notice of Patient Rights:

I understand that:

● This authorization may be revoked in writing at any time, except to the extent that the information has already been accessed. I must submit my revocation to ECH.

● I may refuse to sign this authorization. Treatment, payment, enrollment, or eligibility for benefits will not be conditional upon this authorization being signed.

● Information released based on this authorization could be re-released by the recipient and may no longer be protected by federal law. However, California law prohibits the person receiving health information from further release without authorization unless required or permitted by law.

● I have a right to receive a copy of this authorization.

_____________________________________ ________________________

Patient Signature

Date

If signed by someone other than patient, indicate legal relationship (e.g. legal guardian):___________________________________________________________

Attachment 5b-9 Policy 1.10 Release of Patient information_REVISED.doc


EL CAMINO HOSPITAL

HEALTH INFORMATION MANAGEMENT SERVICES

POLICIES AND PROCEDURES

1.10 Release of Patient Information for Treatment purposes [via fax, mail or secure health information exchange.]

A. Coverage:

El Camino Hospital Health Information Management

B. Reviewed/Revised:

3/06, 03/08, 3/09, 5/10, 6/13, 01/15

C. Policy Summary:

All patient information is considered confidential. Information that identifies or potentially identifies a patient, or information about a specific patient, will not be disclosed unless authorized by law, patient, or when a clear medical emergency exists.

This procedure ensures confidentiality of patient information and allows information needed for medical treatment purposes to be disclosed via fax, or secure electronic health information exchange.

D. Procedure for release of records to a treating provider via fax or mail:

1. Records may be released to other medical facilities or healthcare professionals upon receipt of a patient authorization or written request from the treating provider.

2. The patient authorization or written request can be faxed to Health Information Management Services or the treating unit. Please note: After normal HIM business hours, the Hospital Supervisor will respond to urgent release of information requests.

3. The request must be written on the requesting entity's letterhead or fax coversheet, must be addressed to El Camino Hospital and must contain the following:

a. Facility requesting the information, including their telephone number and fax number.

b. Name of the physician treating the patient, if available.

c. Name of patient, date of birth, and information needed. The request must be specific with regards to records and dates of services needed.


Health Information Management Services Policies and Procedures

1.10 Release of Patient Information for treatment purposes Page 2 of 2

4. Health Information Management Services staff or the treating unit will disclose only the information necessary for the continued treatment of the patient. For urgent requests, patient information will be faxed to the treating provider. For non-urgent requests, patient information will be mailed to the treating provider.

5. Requests for release of information will be filed in the legal medical record, which includes the following information:

a. Written request.

b. Information disclosed.

c. Fax confirmation sheet.

E. Procedure for release of records to a treating provider via Care Everywhere:

El Camino Hospital will routinely share a patient's protected health information for continuity of care purposes with a treating facility. Protected health information will be accessed by the treating facility via secure health information exchange in accordance with El Camino Hospital's Notice of Privacy Practices.

El Camino Hospital will require that a patient authorization be obtained by the treating facility prior to Behavioral Health records being accessed. Patient health information will not be released via Care Everywhere if a patient has requested exemption from the secure electronic health information exchange. This exemption will be documented in the patient's legal medical record.

F. Procedure for release of records via EpicCare Link:

Referring physicians who are not on ECH medical staff and who have signed an EpicCare Link access agreement will have the ability to view patient health information on a mutual patient via a secure link. A recorded relationship between the patient and provider must be documented in the patient's legal medical record before a provider can access the information.

Patient information will not be released via EpicCare Link if a patient has requested exemption from the secure health information exchange. This exemption will be documented in the patient's legal medical record.


Attachment 6 - ERM Assessment Report.pdf


Attachment 6a ERM Assessment Report.pdf


El Camino Hospital Enterprise Risk Management Assessment

2 Copyright © 2015 Deloitte Development LLC. All rights reserved. Strategic Risk Solutions | El Camino ERM Assessment | June 2015

Contents

ERM Capabilities and Approach 3

ERM Program Assessment Results 5

Enterprise Risk Assessment Results 8

Appendix A: Interview List 10

Appendix B: Healthcare Trends 12

Appendix C: ERM Program Assessment Results - Detail 17


Enterprise Risk Journey

The summary provides the highlights of the ERM journey and next steps.

Journey to date: begin to build a sustainable ERM program; assessed ERM program and capabilities and recommended next steps; identified top risks.

Conducted Enterprise Risk Assessment:

• Identified key risks from internal El Camino perspective

• Identified key risks from external perspective - healthcare disruptions and trends

• Prioritized key risks and identified 3 top risks

What’s next?

• Identify sponsors of top 3 risks to develop and drive risk response strategies

• Develop objective criteria to monitor and evaluate progress addressing top 3 risks

• Risk owners develop and implement risk response action plans

• Sustain ERM program – enhance/develop ERM program, report on progress addressing top risks, and identify/escalate potential top risks on an ongoing basis


ERM Project Approach - Overview

Below is a summary of the project approach and outcomes.

Interviews

• Gathered potential risks from Deloitte subject matter specialists

• Conducted 14 interviews with board and executive management to gather internal perspectives on top risks and ERM capabilities

Strategic Risk Lab

• Discussed emerging trends that are shaping the healthcare industry

• Identified key risks associated with the trends

• Prioritized risks based on interviews and emerging trends

Outcomes

• Identification of top 3 enterprise risks and drivers

• Proposed recommendations and next steps for building ERM program

Sustainable ERM Program

ERM is an on-going, sustainable process: identify risks, assess risks, prioritize risks, assign risk owners / develop risk response, monitor and report.

Assessment Results


During the interviews a number of consistent messages were communicated about ERM expectations and potential limitations of success.

ERM Program Assessment - What We Heard

Strong dependency on single partner may cause uncertainty around risk prioritization

ERM should raise awareness of significant risks to El Camino’s business

Board and executive leadership team do not fully understand importance of ERM in healthcare

Highest risks should be escalated to the board

Executive team and board should have robust risk discussions on a regular basis

Challenge in consolidating and tracking risks related to large number of independent physicians

Development of guiding risk principles can raise risk awareness and assign risk responsibility

ERM should facilitate proactive monitoring and communication on effectiveness and progress of key risk mitigation plans

Lack of accountability and ownership of risks exist

Market pressure on margins may limit reallocation of resources to key risks


ERM Program Assessment - Executive Summary

Current state and proposed recommendations for developing an ERM program at El Camino

Current State of ERM Capabilities at El Camino

1. Board receives reports regarding certain risk management activities (e.g. compliance, financial, internal audit); however, the most significant risks are not consistently escalated and discussed with the board.

2. Full board and Corporate Compliance Committee do not receive a single, enterprise-wide report on key risks to the organization and how they’re managed.

3. Executive Advisory Committee (EAC) has varied knowledge on level of acceptable risk for El Camino; board and EAC have not agreed on an acceptable level of risk.

4. Currently, departmental and organizational performance dashboards are used to informally identify and monitor certain risks (not key risks).

5. The organization does not currently have an efficient, standardized, and understood process to identify, assess and manage prioritized key enterprise risks.

6. Training on ERM overview planned for executive team and board.

Proposed Recommendations

1. Develop a Management Risk Committee, consisting of key EAC members and key risk owners, that will oversee and manage key risks and the ERM process and program; develop risk committee charter.

2. Clearly define risk roles and responsibilities for board, corporate compliance committee, EAC, ERM leader, management risk committee, and risk owners (e.g. oversight, management, monitoring, and reporting).

3. Educate EAC, management risk committee, and risk owners on risk management roles and responsibilities.

4. Establish and clearly define corporate risk appetite / thresholds. Obtain approval from the board on the risk appetite to help executives allocate capital and resources and focus on El Camino’s most impactful risks.

5. Establish ERM framework to include risk governance, strategy, business and operating models, data, analytics, and technology.

6. Standardize ERM processes to identify, assess, prioritize, respond to, monitor, and report on key risks.


Risk Assessment - Top 3 Enterprise Risks

Three top enterprise risks and associated drivers were identified through internal interviews and consideration of external emerging healthcare trends during a half-day Lab with executives (healthcare trends are described in Appendix B). Enterprise risks and drivers are interdependent, requiring collaborative development and implementation of risk mitigation and response plans.

The slide labels these Key Risk #1 to #3 and shows the drivers and the linkages between them.

Top 3 enterprise risks:

• Business Model: El Camino Hospital is not positioned to compete or thrive in the evolving healthcare market

• Physician Strategy & Alignment: Long-term viability of current physician strategy

• Strategy Execution: Inefficient and / or ineffective implementation of the strategy

Drivers:

• Limited scale and geography

• Limited bandwidth and resources

• Competing strategic priorities

• Decrease in reimbursement rates due to shift in payor mix

• Mid-long term capital plan overlooks opportunities of changing healthcare environment

• Lack of diversification in portfolio of services

• Independent physician network makes executing initiatives difficult

• New and existing competitors continue to innovate at rapid pace

• Tenuous PAMF agreement / ownership by competition


Risk Assessment - Enterprise Risk Definitions

El Camino’s 3 enterprise risks as presented on slide 8 are described below.

Business Model

• As new and existing competitors continue to rapidly innovate in the quickly evolving healthcare market, El Camino is not positioned to compete and thrive because its business model does not (1) address its limited scale and geographical reach, (2) include a diversified portfolio of services, (3) have a viable long term physician strategy

• Funding of El Camino’s business model overlooks potential opportunities to compete and thrive: (1) mid to long term capital plan does not address limited scale, geographical reach or diversified portfolio, and (2) drop in reimbursement rates due to shifting payor mix is not considered

Strategy Execution

• El Camino may not efficiently or effectively execute its strategy because (1) strategic priorities may not be well defined, resulting in too many initiatives and overlapping responsibilities, and (2) people and/or resources are limited

Physician Strategy & Alignment

• Physician strategy and infrastructure (1) may place El Camino at risk of losing half of its admissions if Sutter (a large competitor) decides Palo Alto Medical Foundation (PAMF) should no longer partner with El Camino, and (2) relies on an independent physician network that is disparate and creates difficulty in rolling out new initiatives and systems, like EPIC

Appendix A: Interview List


Listed below are the people interviewed during the ERM capability and enterprise risk assessment.

List of Interview Participants

Name Title

Neil Cohen, MD Chair of the El Camino Board of Directors

Tomi Ryba Chief Executive Officer

Kathryn Fisk Chief of Human Resources

Matt Harris Controller

Iftikhar Hussain Chief Financial Officer

Richard Katzman Chief Strategy Officer

Ken King Chief Administrative Services Officer

H. Malik Chief Information Security Officer

Eric Pifer Chief Medical Officer

Cheryl Reinking Chief Nursing Officer

Diane Wigglesworth Chief Compliance Officer

Greg Walton Chief Information Officer

Mick Zdeblick Chief Operating Officer

John Zoglin Chair of the Board Compliance Committee

Appendix B: Healthcare Trends

Eight potential healthcare trends were considered in identifying strategic risks to El Camino and are described over the next 3 slides.

Healthcare Trends (slides 14 to 16; the trend descriptions on these slides are graphical and not reproduced here)

Appendix C: ERM Program Assessment Results - Detail


Strategy: current capabilities and enhancement opportunities

Key Capabilities Currently in Place or Being Enhanced

• Risk appetite has not been formally defined or established by the board, and EAC has varied knowledge on level of acceptable risk for El Camino

• Working with the third party to conduct enterprise risk assessment to identify key risks that can limit or enhance El Camino’s ability to achieve its strategies

• New and emerging risks and disruptions in external environment are not currently factored into business strategy and competitive advantage; Strategic Risk Lab to discuss potential disruptions and associated strategic risks is scheduled for April

Proposed Recommendations

1. Risk Appetite:

- Educate board and executive leadership team on value and process for developing a corporate risk appetite

- Establish and clearly define corporate risk appetite / thresholds to help enable risk decisions at the right levels. Obtain approval from the board on the risk appetite to provide high-level direction to EAC on addressing risks and allocating capital and resources

2. Deploy a consistent and ongoing approach to challenge the business assumptions underlying El Camino’s strategies and associated strategic risks

3. Develop an approach to monitor the external environment to identify new and emerging strategic risks on an ongoing basis


Governance and Culture: current capabilities and enhancement opportunities

Key Capabilities Currently in Place or Being Enhanced

• Board receives reports regularly, in conjunction with the specific risk management activities (e.g. compliance, financial, and internal audit reports)

• Corporate Compliance/Privacy and Audit Committee reports to the board after each meeting, including minutes and decisions made

• Full board and Corporate Compliance Committee do not receive a single, enterprise-wide report on key risks to the organization

• EAC reviews the performance dashboard and organization goals on a monthly basis; additionally, compliance provides an update on an as needed basis

• Chief Operating Officer has been tasked with developing and facilitating an ERM program with the Chief Compliance Officer

• Management Risk Committee to oversee and manage ERM process does not currently exist

• Key risks to the organization have not been identified collectively or assigned owners

• Board is enhancing risk culture by establishing an ERM program to identify, assess, manage, monitor, and report enterprise risks

Proposed Recommendations

4. Develop risk management guiding principles

5. Clearly define risk roles and responsibilities for board, corporate compliance committee, EAC, ERM leader, Management Risk Committee, and risk owners; roles will address oversight, management, monitoring, and reporting of key risks

6. Develop Management Risk Committee, consisting of key EAC members and key risk owners, who will oversee and manage key risks and ERM process and program

7. Develop cadence for monitoring and reporting of key risks to EAC, compliance committee, and full board

8. Compliance committee should receive a comprehensive view of key risks to the organization and oversee El Camino’s progress on addressing those risks and the ERM program

9. Educate:

- Board and corporate compliance committee on risk oversight roles and responsibilities

- EAC, Management Risk Committee, and risk owners on risk management roles and responsibilities


Business and Operating Models: current capabilities and enhancement opportunities

Key Capabilities Currently in Place or Being Enhanced

• Currently El Camino departmental and organizational performance dashboards are used to informally identify and monitor certain risks (not necessarily key risks)

• Enterprise risk framework is not developed or approved by EAC and Board

• El Camino is working with a third party to conduct an enterprise risk assessment to identify, assess, and prioritize key risks to El Camino’s strategies

• El Camino does not have a process to identify and escalate new and emerging key risks on an ongoing basis

• The organization does not currently have an efficient, standardized, and understood process to manage prioritized key enterprise risks

• Training on overview of ERM planned for EAC and board

• Separate processes are in place to address certain risks (e.g. business continuity plan, financial)

Proposed Recommendations

10. Standardize ERM processes to identify, assess, prioritize, and respond to key risks

11. Conduct an enterprise risk assessment (ERA) on an annual basis (e.g., risk register, risk rating criteria, interviews, prioritization)

12. Assign key risks to executive risk owners to develop risk response plans

13. Conduct ERM training for risk owners on roles and responsibilities, including managing, monitoring, and reporting on key risks

14. Deploy a consistent and ongoing approach to proactively identify significant new or emerging strategic risks


Risk Monitoring, Reporting & Analytics: current capabilities and enhancement opportunities

Key Capabilities Currently in Place or Being Enhanced

• Currently El Camino department and organizational performance dashboards are used to identify and monitor certain risks (not all key risks)

• The organization does not currently have an efficient, standardized, and understood process to monitor and report on prioritized key enterprise risks

• Not all key risks to the organization are currently measured

• Currently, there is compliance monitoring in place to identify physician compensation

Proposed Recommendations

15. Standardize ERM process to monitor and report on key risks

16. Develop cadence for monitoring and reporting of key risks to EAC, compliance committee, and full board

17. Build ERM reporting dashboards with content / detail (e.g. most impactful component risks, exposure, appetite, response strategies, and monitoring) to support oversight, management, and monitoring of key risks

18. Conduct ERM training for risk owners on roles and responsibilities, including managing, monitoring, and reporting on key risks

19. Enhance reporting with sensing insights on emerging risks / trends and key risk indicators as capabilities improve

20. Deploy additional technology / tools to enable efficient risk reporting or identification of emerging risks

Attachment 7 Memo - Clinical Research Overview and Risk Mitigation Plan final.docx

DATE: May 12, 2015

TO: Corporate Compliance/Privacy and Internal Audit Committee

FROM: Mick Zdeblick, Chief Operating Officer

SUBJECT: Clinical Research Overview and Risk Mitigation Plan

BOARD ACTION: Possible Motion: That the Committee recommends that the Board approve the Proposed Clinical Research Plan

El Camino Hospital Management began a process to assess clinical research at the hospital and developed a focus group to establish a mission statement, principles, operational goals and a risk mitigation plan that will support clinical research at ECH. Management also engaged Duke Cancer Network to provide an assessment of the current infrastructure and processes supporting clinical research conducted at the hospital. Based on the Duke assessment report, best practice recommendations, and advice from the focus group, the following recommendations have been proposed.

El Camino Hospital Mission

To be an innovative, publicly accountable and locally controlled comprehensive health care organization that cares for the sick, relieves suffering, and provides quality, cost competitive services to improve the health and well-being of our community.

People and Technology: We will capitalize on the unique talents of the people in our organization and new technologies to provide a comprehensive array of services. Our organization will be efficient, effective, and grounded in our values of public community accountability and compassionate care.

El Camino Hospital Research Mission

Research at ECH is dedicated to the pursuit of outstanding clinical research that benefits our community and optimizes patient care. Therefore, our research programs must improve the scope of our clinical services or compassionate care, or relate specifically to the Triple Aim of quality, service, and affordability.

Our Research Principles

• To constantly improve our knowledge and innovation in research for the benefit of the community we serve.

• To align with the most advanced medical development entities to bring new management modalities to healthcare.

• To help develop the most effective and safest therapies for the future.

• To offer new therapies that provide our patients with diagnostic and therapeutic options that would not otherwise be available in a community setting.

• To balance the risk of supporting a portfolio of clinical research with the benefit for the community we serve.

• Operate within a clear statement of principles as required by federal and state regulations.

• Maintain, communicate and operate within clearly established policies and procedures that support our principles and ensure patient safety and compliance in research.

• Balance access to investigational protocols for our patients, participation in cutting edge clinical research for our physicians, and operating within a fiscally sustainable research model to ensure the long term financial health of ECH.

Operating Goals

1. El Camino Hospital Research Focus:

o Clinical Research (not basic science, discovery based or public health).

o Clinical Disciplines (FY15 Focus – Reassess Annually): Heart & Vascular Institute, Cancer, Imaging, Lung, Nursing Quality Projects.

o Clinical Research Phase: Our focus is on Phase II and Phase III research (not pre-clinical or Phase I/IV). The phases shown on the slide are: Pre-Clinical (e.g. Lab Based); Phase I (e.g. Safety trials, 1st in Man); Phase II (e.g. FDA approved, change in use, efficacy trials); Phase III (e.g. 1st time combination of protocols, performance against a gold standard); Phase IV (e.g. Post Market follow-up). ECH Focus: Phase II and Phase III.

2. We will use strategic partnerships to advance clinical research within our community (e.g. Parkinson’s Institute).

3. Clinical Research Organizational Structure: Create a centralized clinical research office within the hospital and insource critical elements to provide proper oversight of operations and risk management. Major responsibilities of the Clinical Research Department:

o Operational oversight for ECH clinical study activation, monitoring and closeout.

o Develop Clinical Research policy and procedures, as well as educational programs for all levels of the organization.

o Conduct feasibility assessments to determine scientific merit and financial impact of new and ongoing clinical research.

- Utilize the Service Line Structure for Clinical Relevance and Alignment with Mission and Strategy recommendations.

- Form a Clinical Research Review Committee: Chair: COO, Staffed by Director of Clinical Research, Membership: CMO, COO, CNO, CFO, CSO, Director/Manager Nursing Leadership, Compliance, Legal.

- Allocate funds to support non-standard of care resource requirements per specific research endeavors, e.g. cover the loss of the trial (if necessary and strategically aligned).

o Partner with ECH stakeholders to ensure research billing compliance.

o Develop quality assurance strategy for monitoring/internal audit of protocol and billing compliance in coordination with ECH Corporate Compliance Officer, Finance and IRB.

o On an ongoing basis, assess clinical research staffing and technology needs to meet the principles and goals of the organization.

Risk Mitigation Plan for Research Compliance

1. Collaborate with the IRB to continue their objectivity in the protection of human subjects participating in research, while developing a repository of all research activities at ECH that will be leveraged by the organization to create an integrated approach to clinical research compliance.

- Clinical Research Department and IRB to establish process, templates and communication lines that will ensure consistency between legal contracts and patient consenting documents and identify opportunities to streamline the study activation and monitoring process.

2. Implement Epic’s medical record and billing system (branded “iCare” at ECH) that includes a research billing module and ensures appropriate process and procedures are in place to manage complex research billing compliance issues.

3. Assess hospital conflict of interest policy and process to ensure transparency to patients and objectivity in our research.

4. Develop hospital Subject Injury policy and procedure that provides ethical and risk appropriate treatment for injuries resulting from participation in clinical research.

5. Implement an internal audit strategy to identify and mitigate clinical research compliance risk.

- Simulate FDA audit for protocol compliance and data integrity.

- Clinical Research Billing audits for Medicare/research billing compliance.

6. Transition Clinical Trial Management System to ECH to manage the full clinical research portfolio for regulatory and billing purposes.

Attachment 8 - Key Performance Indicators Scorecard

and Trends.pdf


Attachment 8a Memo - Compliance KPI Scorecard April

2015.doc


Corporate Compliance

Date: May 12, 2015

To: Corporate Compliance/Privacy and Audit Committee

From: Diane Wigglesworth, Director Corporate Compliance

Re: Corporate Compliance Program Activity

Attached are the metrics for April activity along with YTD information. The number of compliance or privacy investigations has remained consistent over the last few months and is trending overall higher than the previous fiscal year. This is due in part to issues brought forth as a result of the Epic implementation compared to current organizational processes. The hospital has experienced only a few reportable breaches over the last few months and the numbers are trending down significantly compared with the previous fiscal year.

CMS initiated a visit in April as a follow-up to a self-reported event by the hospital to CDPH. The hospital is awaiting the results of that visit but does not expect an adverse outcome.

Attachment 8b KPI Scorecard as of April 2015.xlsx


Corporate Compliance Scorecard FY15, El Camino Hospital

Columns in each section: Key Performance Indicator | Current Month (Apr. 2015) | Current Year Actual (FY 2015, Jul - Apr) | Prior Year Actual (FY 2014, Jul - Apr, unless the section notes FY14 actual)

Core Elements

Policies and Procedures

Number of reported instances when policies not followed | 2 | 38 | 35

Number of disciplinary actions due to investigations | 0 | 9 | 16

Education and Training

Percentage of new employees trained within 30 days of start date | 100% | 100% | 100%

Investigations

Total number of investigations | 13 | 154 | 119

Investigations open | 0 | 0 | 0

Investigations closed | 13 | 154 | 119

Hotline concerns substantiated | 0 | 23 | 22

Hotline concerns not substantiated | 3 | 9 | 22

Average number of days to investigate concerns | 5 | 5 | 5

Reporting Trends

Anti-Kickback/Stark | 5 | 36 | 19

EMTALA | 0 | 2 | 5

HIPAA Reports | 11 | 108 | 135

HIPAA Security Breaches | 0 | 0 | 1

Billing or Claims | 6 | 34 | 18

Conflict of Interest | 0 | 0 | 0

Reported Events to CMS (prior year column: FY14 actual)

Number of total events self reported by ECH | 0 | 0 | 0

Number of self reported events followed up by CMS | 1 | 1 | 0

CMS initiated visits (separate from ECH self reported events) | 0 | 0 | 4

Number of statements of deficiencies issued to ECH | 0 | 0 | 30

Number of actual sanctions, fines or penalties | 0 | 0 | $ -

Reported Events to CDPH (prior year column: FY14 actual)

Number of total regulator events self reported by ECH | 1 | 5 | 10

Number of self reported events followed up by CDPH | 0 | 8 | 6

Number of total privacy breaches self reported by ECH | 0 | 18 | 46

CDPH initiated visits (separate from ECH self reported events) | 0 | 19 | 6

Number of statements of deficiencies issued to ECH | 0 | 6 | 5

Number of actual/realized sanctions, fines or penalties | 0 | 0 | $ 100.00

Monitoring and Audit Findings (prior year column: FY14 actual)

Total number of audit findings | 22 | 42 | 36

Number of findings identified as high severity | 7 | 15 | 6

Monitoring and Audit Findings (prior year column: FY14 actual)

Number of open liability claims | 12 | 12 | 8

Number of open liability lawsuits | 8 | 8 | 4

Attachment 8c KPI Trend Graph.pdf


Attachment 9 OIG Practical-Guidance-for-Health-Care-

Boards-on-Compliance-Oversight.pdf


Practical Guidance for Health Care Governing Boards on Compliance Oversight


Office of Inspector General,U.S. Department of Health and Human Services

Association of Healthcare Internal Auditors

American Health Lawyers Association

Health Care Compliance Association

About the Organizations

This educational resource was developed in collaboration between the Association of Healthcare Internal Auditors (AHIA), the American Health Lawyers Association (AHLA), the Health Care Compliance Association (HCCA), and the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS).

AHIA is an international organization dedicated to the advancement of the health care internal auditing profession. The AHLA is the Nation’s largest nonpartisan, educational organization devoted to legal issues in the health care field. HCCA is a member-based, nonprofit organization serving compliance professionals throughout the health care field. OIG’s mission is to protect the integrity of more than 100 HHS programs, including Medicare and Medicaid, as well as the health and welfare of program beneficiaries.

The following individuals, representing these organizations, served on the drafting task force for this document:

Katherine Matos, Senior Counsel, OIG, HHS

Felicia E. Heimer, Senior Counsel, OIG, HHS

Catherine A. Martin, Principal, Ober | Kaler (AHLA)

Robert R. Michalski, Chief Compliance Officer, Baylor Scott & White Health (AHIA)

Daniel Roach, General Counsel and Chief Compliance Officer, Optum360 (HCCA)

Sanford V. Teplitzky, Principal, Ober | Kaler (AHLA)

Published on April 20, 2015.

This document is intended to assist governing boards of health care organizations (Boards) to responsibly carry out their compliance plan oversight obligations under applicable laws. This document is intended as guidance and should not be interpreted as setting any particular standards of conduct. The authors recognize that each health care entity can, and should, take the necessary steps to ensure compliance with applicable Federal, State, and local law. At the same time, the authors also recognize that there is no uniform approach to compliance. No part of this document should be taken as the opinion of, or as legal or professional advice from, any of the authors or their respective agencies or organizations.

Table of Contents

Introduction 1
Expectations for Board Oversight of Compliance Program Functions 2
Roles and Relationships 6
Reporting to the Board 9
Identifying and Auditing Potential Risk Areas 11
Encouraging Accountability and Compliance 13
Conclusion 15
Bibliography 16

Introduction

Previous guidance[1] has consistently emphasized the need for Boards to be fully engaged in their oversight responsibility. A critical element of effective oversight is the process of asking the right questions of management to determine the adequacy and effectiveness of the organization’s compliance program, as well as the performance of those who develop and execute that program, and to make compliance a responsibility for all levels of management.

Given heightened industry and professional interest in governance and transparency issues, this document seeks to provide practical tips for Boards as they work to effectuate their oversight role of their organizations’ compliance with State and Federal laws that regulate the health care industry. Specifically, this document addresses issues relating to a Board’s oversight and review of compliance program functions, including the: (1) roles of, and relationships between, the organization’s audit, compliance, and legal departments; (2) mechanism and process for issue-reporting within an organization; (3) approach to identifying regulatory risk; and (4) methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.

[1] OIG and AHLA, Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors (2003); OIG and AHLA, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors (2004); and OIG and AHLA, Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors (2007).

Expectations for Board Oversight of Compliance Program Functions

A Board must act in good faith in the exercise of its oversight responsibility for its organization, including making inquiries to ensure: (1) a corporate information and reporting system exists and (2) the reporting system is adequate to assure the Board that appropriate information relating to compliance with applicable laws will come to its attention timely and as a matter of course.[2] The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.

Boards are encouraged to use widely recognized public compliance resources as benchmarks for their organizations. The Federal Sentencing Guidelines (Guidelines),[3] OIG’s voluntary compliance program guidance documents,[4] and OIG Corporate Integrity Agreements (CIAs) can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program. The Guidelines “offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program.”[5] The compliance program guidance documents were developed by OIG to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements. CIAs impose specific structural and reporting requirements to promote compliance with Federal health care program standards at entities that have resolved fraud allegations.

[2] In re Caremark Int’l, Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
[3] U.S. Sentencing Commission, Guidelines Manual (Nov. 2013) (USSG), http://www.ussc.gov/sites/default/files/pdf/guidelines-manual/2013/manual-pdf/2013_Guidelines_Manual_Full.pdf.
[4] OIG, Compliance Guidance, http://oig.hhs.gov/compliance/compliance-guidance/index.asp.
[5] USSG Ch. 8, Intro. Comment.

Basic CIA elements mirror those in the Guidelines, but a CIA also includes obligations tailored to the organization and its compliance risks. Existing CIAs may be helpful resources for Boards seeking to evaluate their organizations’ compliance programs. OIG has required some settling entities, such as health systems and hospitals, to agree to Board-level requirements, including annual resolutions. These resolutions are signed by each member of the Board, or the designated Board committee, and detail the activities that have been undertaken to review and oversee the organization’s compliance with Federal health care program and CIA requirements. OIG has not required this level of Board involvement in every case, but these provisions demonstrate the importance placed on Board oversight in cases OIG believes reflect serious compliance failures.

Although compliance program design is not a “one size fits all” issue, Boards are expected to put forth a meaningful effort to review the adequacy of existing compliance systems and functions. Ensuring that management is aware of the Guidelines, compliance program guidance, and relevant CIAs is a good first step.

One area of inquiry for Board members of health care organizations should be the scope and adequacy of the compliance program in light of the size and complexity of their organizations. The Guidelines allow for variation according to “the size of the organization.”[6] In accordance with the Guidelines, OIG recognizes that the design of a compliance program will depend on the size and resources of the organization.[7] Additionally, the complexity of the organization will likely dictate the nature and magnitude of regulatory impact and thereby the nature and skill set of resources needed to manage and monitor compliance.

[6] USSG § 8B2.1, comment. (n. 2).

While smaller or less complex organizations must demonstrate the same degree of commitment to ethical conduct and compliance as larger organizations, the Government recognizes that they may meet the Guidelines requirements with less formality and fewer resources than would be expected of larger and more complex organizations.[8] Smaller organizations may meet their compliance responsibility by “using available personnel, rather than employing separate staff, to carry out the compliance and ethics program.” Board members of such organizations may wish to evaluate whether the organization is “modeling its own compliance and ethics programs on existing, well-regarded compliance and ethics programs and best practices of other similar organizations.”[9] The Guidelines also foresee that Boards of smaller organizations may need to become more involved in the organizations’ compliance and ethics efforts than their larger counterparts.[10]

Boards should develop a formal plan to stay abreast of the ever-changing regulatory landscape and operating environment. The plan may involve periodic updates from informed staff or review of regulatory resources made available to them by staff. With an understanding of the dynamic regulatory environment, Boards will be in a position to ask more pertinent questions of management and make informed strategic decisions regarding the organizations’ compliance programs, including matters that relate to funding and resource allocation. For instance, new standards and reporting requirements, as required by law, may, but do not necessarily, result in increased compliance costs for an organization. Board members may also wish to take advantage of outside educational programs that provide them with opportunities to develop a better understanding of industry risks, regulatory requirements, and how effective compliance and ethics programs operate. In addition, Boards may want management to create a formal education calendar that ensures that Board members are periodically educated on the organizations’ highest risks.

[7] Compliance Program for Individual and Small Group Physician Practices, 65 Fed. Reg. 59434, 59436 (Oct. 5, 2000) (“The extent of implementation [of the seven components of a voluntary compliance program] will depend on the size and resources of the practice. Smaller physician practices may incorporate each of the components in a manner that best suits the practice. By contrast, larger physician practices often have the means to incorporate the components in a more systematic manner.”); Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289 (Mar. 16, 2000) (recognizing that smaller providers may not be able to outsource their screening process or afford to maintain a telephone hotline).
[8] USSG § 8B2.1, comment. (n. 2).
[9] Id.
[10] Id.

Finally, a Board can raise its level of substantive expertise with respect to regulatory and compliance matters by adding to the Board, or periodically consulting with, an experienced regulatory, compliance, or legal professional. The presence of a professional with health care compliance expertise on the Board sends a strong message about the organization’s commitment to compliance, provides a valuable resource to other Board members, and helps the Board better fulfill its oversight obligations. Board members are generally entitled to rely on the advice of experts in fulfilling their duties.[11] OIG sometimes requires entities under a CIA to retain an expert in compliance or governance issues to assist the Board in fulfilling its responsibilities under the CIA.[12] Experts can assist Boards and management in a variety of ways, including the identification of risk areas, provision of insight into best practices in governance, or consultation on other substantive or investigative matters.

[11] See Del. Code Ann. tit. 8, § 141(e) (2010); ABA Revised Model Business Corporation Act, §§ 8.30(e), (f)(2) Standards of Conduct for Directors.
[12] See Corporate Integrity Agreements between OIG and Halifax Hospital Medical Center and Halifax Staffing, Inc. (2014, compliance and governance); Johnson & Johnson (2013); Dallas County Hospital District d/b/a Parkland Health and Hospital System (2013, compliance and governance); Forest Laboratories, Inc. (2010); Novartis Pharmaceuticals Corporation (2010); Ortho-McNeil-Janssen Pharmaceuticals, Inc. (2010); Synthes, Inc. (2010, compliance expert retained by Audit Committee); The University of Medicine and Dentistry of New Jersey (2009, compliance expert retained by Audit Committee); Quest Diagnostics Incorporated (2009); Amerigroup Corporation (2008); Bayer HealthCare LLC (2008); and Tenet Healthcare Corporation (2006; retained by the Quality, Compliance, and Ethics Committee of the Board).

Roles and Relationships

Organizations should define the interrelationship of the audit, compliance, and legal functions in charters or other organizational documents. The structure, reporting relationships, and interaction of these and other functions (e.g., quality, risk management, and human resources) should be included as departmental roles and responsibilities are defined. One approach is for the charters to draw functional boundaries while also setting an expectation of cooperation and collaboration among those functions. One illustration is the following, recognizing that not all entities may possess sufficient resources to support this structure:

The compliance function promotes the prevention, detection, and resolution of actions that do not conform to legal, policy, or business standards. This responsibility includes the obligation to develop policies and procedures that provide employees guidance, the creation of incentives to promote employee compliance, the development of plans to improve or sustain compliance, the development of metrics to measure execution (particularly by management) of the program and implementation of corrective actions, and the development of reports and dashboards that help management and the Board evaluate the effectiveness of the program.

The legal function advises the organization on the legal and regulatory risks of its business strategies, providing advice and counsel to management and the Board about relevant laws and regulations that govern, relate to, or impact the organization. The function also defends the organization in legal proceedings and initiates legal proceedings against other parties if such action is warranted.

The internal audit function provides an objective evaluation of the existing risk and internal control systems and framework within an organization. Internal audits ensure monitoring functions are working as intended and identify where management monitoring and/or additional Board oversight may be required. Internal audit helps management (and the compliance function) develop actions to enhance internal controls, reduce risk to the organization, and promote more effective and efficient use of resources. Internal audit can fulfill the auditing requirements of the Guidelines.

The human resources function manages the recruiting, screening, and hiring of employees; coordinates employee benefits; and provides employee training and development opportunities.

The quality improvement function promotes consistent, safe, and high quality practices within health care organizations. This function improves efficiency and health outcomes by measuring and reporting on quality outcomes and recommends necessary changes to clinical processes to management and the Board. Quality improvement is critical to maintaining patient-centered care and helping the organization minimize risk of patient harm.

Boards should be aware of, and evaluate, the adequacy, independence,[13] and performance of different functions within an organization on a periodic basis. OIG believes an organization’s Compliance Officer should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner.[14] While independent, an organization’s counsel and compliance officer should collaborate to further the interests of the organization. OIG’s position on separate compliance and legal functions reflects the independent roles and professional obligations of each function;[15] the same is true for internal audit.[16] To operate effectively, the compliance, legal, and internal audit functions should have access to appropriate and relevant corporate information and resources. As part of this effort, organizations will need to balance any existing attorney-client privilege with the goal of providing such access to key individuals who are charged with the responsibility for ensuring compliance, as well as properly reporting and remediating any violations of civil, criminal, or administrative law.

[13] Evaluation of independence typically includes assessing whether the function has uninhibited access to the relevant Board committees, is free from organizational bias through an appropriate administrative reporting relationship, and receives fair compensation adjustments based on input from any relevant Board committee.
[14] See OIG and AHLA, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors, 3 (2004) (citing Compliance Program Guidance for Hospitals, 63 Fed. Reg. 8,987, 8,997 (Feb. 23, 1998)).
[15] See, generally, id.
[16] Compliance Program Guidance for Hospitals, 63 Fed. Reg. 8,987, 8,997 (Feb. 23, 1998) (auditing and monitoring function should “[b]e independent of physicians and line management”); Compliance Program Guidance for Home Health Agencies, 63 Fed. Reg. 42,410, 42,424 (Aug. 7, 1998) (auditing and monitoring function should “[b]e objective and independent of line management to the extent reasonably possible”); Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289, 14,302 (Mar. 16, 2000).

The Board should have a process to ensure appropriate access to information; this process may be set forth in a formal charter document approved by the Audit Committee of the Board or in other appropriate documents. Organizations that do not separate these functions (and some organizations may not have the resources to make this complete separation) should recognize the potential risks of such an arrangement. To partially mitigate these potential risks, organizations should provide individuals serving in multiple roles the capability to execute each function in an independent manner when necessary, including through reporting opportunities with the Board and executive management.

Boards should also evaluate and discuss how management works together to address risk, including the role of each in:

1. identifying compliance risks,
2. investigating compliance risks and avoiding duplication of effort,
3. identifying and implementing appropriate corrective actions and decision-making, and
4. communicating between the various functions throughout the process.

Boards should understand how management approaches conflicts or disagreements with respect to the resolution of compliance issues and how it decides on the appropriate course of action. The audit, compliance, and legal functions should speak a common language, at least to the Board and management, with respect to governance concepts, such as accountability, risk, compliance, auditing, and monitoring. Agreeing on the adoption of certain frameworks and definitions can help to develop such a common language.

Reporting to the Board

The Board should set and enforce expectations for receiving particular types of compliance-related information from various members of management. The Board should receive regular reports regarding the organization’s risk mitigation and compliance efforts—separately and independently—from a variety of key players, including those responsible for audit, compliance, human resources, legal, quality, and information technology. By engaging the leadership team and others deeper in the organization, the Board can identify who can provide relevant information about operations and operational risks. It may be helpful and productive for the Board to establish clear expectations for members of the management team and to hold them accountable for performing and informing the Board in accordance with those expectations. The Board may request the development of objective scorecards that measure how well management is executing the compliance program, mitigating risks, and implementing corrective action plans. Expectations could also include reporting information on internal and external investigations, serious issues raised in internal and external audits, hotline call activity, all allegations of material fraud or senior management misconduct, and all management exceptions to the organization’s code of conduct and/or expense reimbursement policy. In addition, the Board should expect that management will address significant regulatory changes and enforcement events relevant to the organization’s business.

Boards of health care organizations should receive compliance and risk-related information in a format sufficient to satisfy the interests or concerns of their members and to fit their capacity to review that information. Some Boards use tools such as dashboards—containing key financial, operational and compliance indicators to assess risk, performance against budgets, strategic plans, policies and procedures, or other goals and objectives—in order to strike a balance between too much and too little information. For instance, Board quality committees can work with management to create the content of the dashboards with a goal of identifying and responding to risks and improving quality of care. Boards should also consider establishing a risk-based reporting system, in which those responsible for the compliance function provide reports to the Board when certain risk-based criteria are met. The Board should be assured that there are mechanisms in place to ensure timely reporting of suspected violations and to evaluate and implement remedial measures. These tools may also be used to track and identify trends in organizational performance against corrective action plans developed in response to compliance concerns. Regular internal reviews that provide a Board with a snapshot of where the organization is, and where it may be going, in terms of compliance and quality improvement, should produce better compliance results and higher quality services.

As part of its oversight responsibilities, the Board may want to consider conducting regular “executive sessions” (i.e., excluding senior management) with leadership from the compliance, legal, internal audit, and quality functions to encourage more open communication. Scheduling regular executive sessions creates a continuous expectation of open dialogue, rather than calling such a session only when a problem arises, and is helpful to avoid suspicion among management about why a special executive session is being called.

11

Identifying and Auditing Potential Risk Areas

Some regulatory risk areas are common to all health care providers. Compliance in health care requires monitoring of activities that are highly vulnerable to fraud or other violations. Areas of particular interest include referral relationships and arrangements, billing problems (e.g., upcoding, submitting claims for services not rendered and/or medically unnecessary services), privacy breaches, and quality-related events.

The Board should ensure that management and the Board have strong processes for identifying risk areas. Risk areas may be identified from internal or external information sources. For instance, Boards and management may identify regulatory risks from internal sources, such as employee reports to an internal compliance hotline or internal audits. External sources that may be used to identify regulatory risks might include professional organization publications, OIG-issued guidance, consultants, competitors, or news media. When failures or problems in similar organizations are publicized, Board members should ask their own management teams whether there are controls and processes in place to reduce the risk of, and to identify, similar misconduct or issues within their organizations.

The Board should ensure that management consistently reviews and audits risk areas, as well as develops, implements, and monitors corrective action plans. One of the reasonable steps an organization is expected to take under the Guidelines is “monitoring and auditing to detect criminal conduct.”[17] Audits can pinpoint potential risk factors, identify regulatory or compliance problems, or confirm the effectiveness of compliance controls. Audit results that reflect compliance issues or control deficiencies should be accompanied by corrective action plans.[18]

[17] See USSG § 8B2.1(b)(5).
[18] See USSG § 8B2.1(c).

Recent industry trends should also be considered when designing risk assessment plans. Compliance functions tasked with monitoring new areas of risk should take into account the increasing emphasis on quality, industry consolidation, and changes in insurance coverage and reimbursement. New forms of reimbursement (e.g., value-based purchasing, bundling of services for a single payment, and global payments for maintaining and improving the health of individual patients and even entire populations) lead to new incentives and compliance risks. Payment policies that align payment with quality care have placed increasing pressure to conform to recommended quality guidelines and improve quality outcomes. New payment models have also incentivized consolidation among health care providers and more employment and contractual relationships (e.g., between hospitals and physicians). In light of the fact that statutes applicable to provider-physician relationships are very broad, Boards of entities that have financial relationships with referral sources or recipients should ask how their organizations are reviewing these arrangements for compliance with the physician self-referral (Stark) and anti-kickback laws. There should also be a clear understanding between the Board and management as to how the entity will approach and implement those relationships and what level of risk is acceptable in such arrangements.

Emerging trends in the health care industry to increase transparency can present health care organizations with opportunities and risks. For example, the Government is collecting and publishing data on health outcomes and quality measures (e.g., Centers for Medicare & Medicaid Services (CMS) Quality Compare Measures), Medicare payment data are now publicly available (e.g., CMS physician payment data), and the Sunshine Rule[19] offers public access to data on payments from the pharmaceutical and device industries to physicians. Boards should consider all beneficial use of this newly available information. For example, Boards may choose to compare accessible data against organizational peers and incorporate national benchmarks when assessing organizational risk and compliance. Also, Boards of organizations that employ physicians should be cognizant of the relationships that exist between their employees and other health care entities and whether those relationships could have an impact on such matters as clinical and research decision-making. Because so much more information is becoming public, Boards may be asked significant compliance-oriented questions by various stakeholders, including patients, employees, government officials, donors, the media, and whistleblowers.

[19] See Sunshine Rule, 42 C.F.R. § 403.904, and CMS Open Payments, http://www.cms.gov/Regulations-and-Guidance/Legislation/National-Physician-Payment-Transparency-Program/index.html.

Encouraging Accountability and Compliance

Compliance is an enterprise-wide responsibility. While audit, compliance, and legal functions serve as advisors, evaluators, identifiers, and monitors of risk and compliance, it is the responsibility of the entire organization to execute the compliance program.

In an effort to support the concept that compliance is “a way of life,” a Board may assess employee performance in promoting and adhering to compliance.[20] An organization may assess individual, department, or facility-level performance or consistency in executing the compliance program. These assessments can then be used to either withhold incentives or to provide bonuses based on compliance and quality outcomes. Some companies have made participation in annual incentive programs contingent on satisfactorily meeting annual compliance goals. Others have instituted employee and executive compensation claw-back/recoupment provisions if compliance metrics are not met. Such approaches mirror Government trends. For example, OIG is increasingly requiring certifications of compliance from managers outside the compliance department. Through a system of defined compliance goals and objectives against which performance may be measured and incentivized, organizations can effectively communicate the message that everyone is ultimately responsible for compliance.

[20] Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289, 14,298-14,299 (Mar. 16, 2000).

Governing Boards have multiple incentives to build compliance programs that encourage self-identification of compliance failures and to voluntarily disclose such failures to the Government. For instance, providers enrolled in Medicare or Medicaid are required by statute to report and refund any overpayments under what is called the 60-Day Rule.[21] The 60-Day Rule requires all Medicare and Medicaid participating providers and suppliers to report and refund known overpayments within 60 days from the date the overpayment is “identified” or within 60 days of the date when any corresponding cost report is due. Failure to follow the 60-Day Rule can result in False Claims Act or civil monetary penalty liability. The final regulations, when released, should provide additional guidance and clarity as to what it means to “identify” an overpayment.[22] However, as an example, a Board would be well served by asking management about its efforts to develop policies for identifying and returning overpayments. Such an inquiry would inform the Board about how proactive the organization’s compliance program may be in correcting and remediating compliance issues.

[21] 42 U.S.C. § 1320a-7k.
[22] Medicare Program; Reporting and Returning of Overpayments, 77 Fed. Reg. 9179, 9182 (Feb. 16, 2012) (Under the proposed regulations interpreting this statutory requirement, an overpayment is “identified” when a person “has actual knowledge of the existence of the overpayment or acts in reckless disregard or deliberate ignorance of the overpayment.”); Medicare Program; Reporting and Returning of Overpayments; Extensions of Timeline for Publication of the Final Rule, 80 Fed. Reg. 8247 (Feb. 17, 2015).

Organizations that discover a violation of law often engage in an internal analysis of the benefits and costs of disclosing—and risks of failing to disclose—such violation to OIG and/or another governmental agency. Organizations that are proactive in self-disclosing issues under OIG’s Self-Disclosure Protocol realize certain benefits, such as (1) faster resolution of the case—the average OIG self-disclosure is resolved in less than one year; (2) lower payment—OIG settles most self-disclosure cases for 1.5 times damages rather than for double or treble damages and penalties available under the False Claims Act; and (3) exclusion release as part of settlement with no CIA or other compliance obligations.[23] OIG believes that providers have legal and ethical obligations to disclose known violations of law occurring within their organizations.[24] Boards should ask management how it handles the identification of probable violations of law, including voluntary self-disclosure of such issues to the Government.

[23] See OIG, Self-Disclosure Information, http://oig.hhs.gov/compliance/self-disclosure-info.
[24] See id., at 2 (“we believe that using the [Self-Disclosure Protocol] may mitigate potential exposure under section 1128J(d) of the Act, 42 U.S.C. 1320a-7k(d).”)

As an extension of their oversight of reporting mechanisms and structures, Boards would also be well served by evaluating whether compliance systems and processes encourage effective communication across the organizations and whether employees feel confident that raising compliance concerns, questions, or complaints will result in meaningful inquiry without retaliation or retribution. Further, the Board should request and receive sufficient information to evaluate the appropriateness of management’s responses to identified violations of the organization’s policies or Federal or State laws.

Conclusion

A health care governing Board should make efforts to increase its knowledge of relevant and emerging regulatory risks, the role and functioning of the organization’s compliance program in the face of those risks, and the flow and elevation of reporting of potential issues and problems to senior management. A Board should also encourage a level of compliance accountability across the organization. A Board may find that not every measure addressed in this document is appropriate for its organization, but every Board is responsible for ensuring that its organization complies with relevant Federal, State, and local laws. The recommendations presented in this document are intended to assist Boards with the performance of those activities that are key to their compliance program oversight responsibilities. Ultimately, compliance efforts are necessary to protect patients and public funds, but the form and manner of such efforts will always be dependent on the organization’s individual situation.

Bibliography

Elisabeth Belmont, et al., “Quality in Action: Paradigm for a Hospital Board-Driven Quality Program,” 4 Journal of Health & Life Sciences Law 95, 113 (Feb. 2011).

Larry Gage, Transformational Governance: Best Practices for Public and Nonprofit Hospitals and Health Systems, Center for Healthcare Governance (2012).

Tracy E. Miller and Valerie L. Gutmann, “Changing Expectations for Board Oversight of Healthcare Quality: The Emerging Paradigm,” 2 Journal of Health & Life Sciences Law (July 2009).

Tracy E. Miller, “Board Fiduciary Duty to Oversee Quality: New Challenges, Rising Expectations,” 3 NYSBA Health L.J. (Summer/Fall 2012).

Lawrence Prybil, et al., Governance in Nonprofit Community Health Systems: An Initial Report on CEO Perspectives, Grant Thornton LLP (Feb. 2008).

Attachment 9 - Best Practices Article.pdf


Attachment 9 Memo - Practical Guidance for Governing Boards May 2015.doc


Corporate Compliance

Date: March 11, 2015
To: Corporate Compliance/Privacy and Audit Committee
From: Diane Wigglesworth, Director Corporate Compliance
Re: Practical Guidance for Health Care Governing Boards On Compliance Oversight

Daniel Levinson, Inspector General of the OIG, introduced this educational resource for health care governing Boards at the April 2015 annual Health Care Compliance Association Institute that I recently attended. Mr. Levinson emphasized that compliance is an enterprise-wide responsibility. Compliance, audit, and legal functions serve as advisors and monitor risk, while compliance remains the responsibility of the entire organization under the Board's oversight.

Of the recommendations in this document, there are three items I believe the compliance committee should consider to further enhance the Hospital's Compliance program.

1. Board members should be periodically educated on their oversight responsibilities and the organization's highest risks.

2. The Board should consider scheduling regular executive sessions with Compliance and Legal to encourage open and continuous communication.

3. The Board should recommend the development of an objective scorecard as part of management’s annual performance review that measures how well management is executing the compliance program, mitigating risks, and implementing corrective actions.

Attachment 9 OIG Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf


Practical Guidance for Health Care Governing Boards on Compliance Oversight

Office of Inspector General, U.S. Department of Health and Human Services
Association of Healthcare Internal Auditors
American Health Lawyers Association
Health Care Compliance Association

About the Organizations

This educational resource was developed in collaboration between the Association of Healthcare Internal Auditors (AHIA), the American Health Lawyers Association (AHLA), the Health Care Compliance Association (HCCA), and the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS).

AHIA is an international organization dedicated to the advancement of the health care internal auditing profession. The AHLA is the Nation’s largest nonpartisan, educational organization devoted to legal issues in the health care field. HCCA is a member-based, nonprofit organization serving compliance professionals throughout the health care field. OIG’s mission is to protect the integrity of more than 100 HHS programs, including Medicare and Medicaid, as well as the health and welfare of program beneficiaries.

The following individuals, representing these organizations, served on the drafting task force for this document:

Katherine Matos, Senior Counsel, OIG, HHS
Felicia E. Heimer, Senior Counsel, OIG, HHS
Catherine A. Martin, Principal, Ober | Kaler (AHLA)
Robert R. Michalski, Chief Compliance Officer, Baylor Scott & White Health (AHIA)
Daniel Roach, General Counsel and Chief Compliance Officer, Optum360 (HCCA)
Sanford V. Teplitzky, Principal, Ober | Kaler (AHLA)

Published on April 20, 2015.

This document is intended to assist governing boards of health care organizations (Boards) to responsibly carry out their compliance plan oversight obligations under applicable laws. This document is intended as guidance and should not be interpreted as setting any particular standards of conduct. The authors recognize that each health care entity can, and should, take the necessary steps to ensure compliance with applicable Federal, State, and local law. At the same time, the authors also recognize that there is no uniform approach to compliance. No part of this document should be taken as the opinion of, or as legal or professional advice from, any of the authors or their respective agencies or organizations.

Table of Contents

Introduction 1
Expectations for Board Oversight of Compliance Program Functions 2
Roles and Relationships 6
Reporting to the Board 9
Identifying and Auditing Potential Risk Areas 11
Encouraging Accountability and Compliance 13
Conclusion 15
Bibliography 16

Introduction

Previous guidance[1] has consistently emphasized the need for Boards to be fully engaged in their oversight responsibility. A critical element of effective oversight is the process of asking the right questions of management to determine the adequacy and effectiveness of the organization’s compliance program, as well as the performance of those who develop and execute that program, and to make compliance a responsibility for all levels of management.

Given heightened industry and professional interest in governance and transparency issues, this document seeks to provide practical tips for Boards as they work to effectuate their oversight role of their organizations’ compliance with State and Federal laws that regulate the health care industry. Specifically, this document addresses issues relating to a Board’s oversight and review of compliance program functions, including the: (1) roles of, and relationships between, the organization’s audit, compliance, and legal departments; (2) mechanism and process for issue-reporting within an organization; (3) approach to identifying regulatory risk; and (4) methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.

[1] OIG and AHLA, Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors (2003); OIG and AHLA, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors (2004); and OIG and AHLA, Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors (2007).

Expectations for Board Oversight of Compliance Program Functions

A Board must act in good faith in the exercise of its oversight responsibility for its organization, including making inquiries to ensure: (1) a corporate information and reporting system exists and (2) the reporting system is adequate to assure the Board that appropriate information relating to compliance with applicable laws will come to its attention timely and as a matter of course.[2] The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.

Boards are encouraged to use widely recognized public compliance resources as benchmarks for their organizations. The Federal Sentencing Guidelines (Guidelines),[3] OIG’s voluntary compliance program guidance documents,[4] and OIG Corporate Integrity Agreements (CIAs) can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program. The Guidelines “offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program.”[5] The compliance program guidance documents were developed by OIG to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements. CIAs impose specific structural and reporting requirements to promote compliance with Federal health care program standards at entities that have resolved fraud allegations.

Basic CIA elements mirror those in the Guidelines, but a CIA also includes obligations tailored to the organization and its compliance risks. Existing CIAs may be helpful resources for Boards seeking to evaluate their organizations’ compliance programs. OIG has required some settling entities, such as health systems and hospitals, to agree to Board-level requirements, including annual resolutions. These resolutions are signed by each member of the Board, or the designated Board committee, and detail the activities that have been undertaken to review and oversee the organization’s compliance with Federal health care program and CIA requirements. OIG has not required this level of Board involvement in every case, but these provisions demonstrate the importance placed on Board oversight in cases OIG believes reflect serious compliance failures.

Although compliance program design is not a “one size fits all” issue, Boards are expected to put forth a meaningful effort to review the adequacy of existing compliance systems and functions. Ensuring that management is aware of the Guidelines, compliance program guidance, and relevant CIAs is a good first step.

One area of inquiry for Board members of health care organizations should be the scope and adequacy of the compliance program in light of the size and complexity of their organizations. The Guidelines allow for variation according to “the size of the organization.”[6] In accordance with the Guidelines, OIG recognizes that the design of a compliance program will depend on the size and resources of the organization.[7] Additionally, the complexity of the organization will likely dictate the nature and magnitude of regulatory impact and thereby the nature and skill set of resources needed to manage and monitor compliance.

While smaller or less complex organizations must demonstrate the same degree of commitment to ethical conduct and compliance as larger organizations, the Government recognizes that they may meet the Guidelines requirements with less formality and fewer resources than would be expected of larger and more complex organizations.[8] Smaller organizations may meet their compliance responsibility by “using available personnel, rather than employing separate staff, to carry out the compliance and ethics program.” Board members of such organizations may wish to evaluate whether the organization is “modeling its own compliance and ethics programs on existing, well-regarded compliance and ethics programs and best practices of other similar organizations.”[9] The Guidelines also foresee that Boards of smaller organizations may need to become more involved in the organizations’ compliance and ethics efforts than their larger counterparts.[10]

Boards should develop a formal plan to stay abreast of the ever-changing regulatory landscape and operating environment. The plan may involve periodic updates from informed staff or review of regulatory resources made available to them by staff. With an understanding of the dynamic regulatory environment, Boards will be in a position to ask more pertinent questions of management and make informed strategic decisions regarding the organizations’ compliance programs, including matters that relate to funding and resource allocation. For instance, new standards and reporting requirements, as required by law, may, but do not necessarily, result in increased compliance costs for an organization. Board members may also wish to take advantage of outside educational programs that provide them with opportunities to develop a better understanding of industry risks, regulatory requirements, and how effective compliance and ethics programs operate. In addition, Boards may want management to create a formal education calendar that ensures that Board members are periodically educated on the organizations’ highest risks.

Finally, a Board can raise its level of substantive expertise with respect to regulatory and compliance matters by adding to the Board, or periodically consulting with, an experienced regulatory, compliance, or legal professional. The presence of a professional with health care compliance expertise on the Board sends a strong message about the organization’s commitment to compliance, provides a valuable resource to other Board members, and helps the Board better fulfill its oversight obligations. Board members are generally entitled to rely on the advice of experts in fulfilling their duties.[11] OIG sometimes requires entities under a CIA to retain an expert in compliance or governance issues to assist the Board in fulfilling its responsibilities under the CIA.[12] Experts can assist Boards and management in a variety of ways, including the identification of risk areas, provision of insight into best practices in governance, or consultation on other substantive or investigative matters.

[2] In re Caremark Int’l, Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).

[3] U.S. Sentencing Commission, Guidelines Manual (Nov. 2013) (USSG), http://www.ussc.gov/sites/default/files/pdf/guidelines-manual/2013/manual-pdf/2013_Guidelines_Manual_Full.pdf.

[4] OIG, Compliance Guidance, http://oig.hhs.gov/compliance/compliance-guidance/index.asp.

[5] USSG Ch. 8, Intro. Comment.

[6] USSG § 8B2.1, comment. (n. 2).

[7] Compliance Program for Individual and Small Group Physician Practices, 65 Fed. Reg. 59434, 59436 (Oct. 5, 2000) (“The extent of implementation [of the seven components of a voluntary compliance program] will depend on the size and resources of the practice. Smaller physician practices may incorporate each of the components in a manner that best suits the practice. By contrast, larger physician practices often have the means to incorporate the components in a more systematic manner.”); Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289 (Mar. 16, 2000) (recognizing that smaller providers may not be able to outsource their screening process or afford to maintain a telephone hotline).

[8] USSG § 8B2.1, comment. (n. 2).

[9] Id.

[10] Id.

[11] See Del. Code Ann. tit. 8, § 141(e) (2010); ABA Revised Model Business Corporation Act, §§ 8.30(e), (f)(2) Standards of Conduct for Directors.

[12] See Corporate Integrity Agreements between OIG and Halifax Hospital Medical Center and Halifax Staffing, Inc. (2014, compliance and governance); Johnson & Johnson (2013); Dallas County Hospital District d/b/a Parkland Health and Hospital System (2013, compliance and governance); Forest Laboratories, Inc. (2010); Novartis Pharmaceuticals Corporation (2010); Ortho-McNeil-Janssen Pharmaceuticals, Inc. (2010); Synthes, Inc. (2010, compliance expert retained by Audit Committee); The University of Medicine and Dentistry of New Jersey (2009, compliance expert retained by Audit Committee); Quest Diagnostics Incorporated (2009); Amerigroup Corporation (2008); Bayer HealthCare LLC (2008); and Tenet Healthcare Corporation (2006; retained by the Quality, Compliance, and Ethics Committee of the Board).

Roles and Relationships

Organizations should define the interrelationship of the audit, compliance, and legal functions in charters or other organizational documents. The structure, reporting relationships, and interaction of these and other functions (e.g., quality, risk management, and human resources) should be included as departmental roles and responsibilities are defined. One approach is for the charters to draw functional boundaries while also setting an expectation of cooperation and collaboration among those functions. One illustration is the following, recognizing that not all entities may possess sufficient resources to support this structure:

The compliance function promotes the prevention, detection, and resolution of actions that do not conform to legal, policy, or business standards. This responsibility includes the obligation to develop policies and procedures that provide employees guidance, the creation of incentives to promote employee compliance, the development of plans to improve or sustain compliance, the development of metrics to measure execution (particularly by management) of the program and implementation of corrective actions, and the development of reports and dashboards that help management and the Board evaluate the effectiveness of the program.

The legal function advises the organization on the legal and regulatory risks of its business strategies, providing advice and counsel to management and the Board about relevant laws and regulations that govern, relate to, or impact the organization. The function also defends the organization in legal proceedings and initiates legal proceedings against other parties if such action is warranted.

The internal audit function provides an objective evaluation of the existing risk and internal control systems and framework within an organization. Internal audits ensure monitoring functions are working as intended and identify where management monitoring and/or additional Board oversight may be required. Internal audit helps management (and the compliance function) develop actions to enhance internal controls, reduce risk to the organization, and promote more effective and efficient use of resources. Internal audit can fulfill the auditing requirements of the Guidelines.

The human resources function manages the recruiting, screening, and hiring of employees; coordinates employee benefits; and provides employee training and development opportunities.

The quality improvement function promotes consistent, safe, and high quality practices within health care organizations. This function improves efficiency and health outcomes by measuring and reporting on quality outcomes and recommends necessary changes to clinical processes to management and the Board. Quality improvement is critical to maintaining patient-centered care and helping the organization minimize risk of patient harm.

Boards should be aware of, and evaluate, the adequacy, independence,[13] and performance of different functions within an organization on a periodic basis. OIG believes an organization’s Compliance Officer should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner.[14] While independent, an organization’s counsel and compliance officer should collaborate to further the interests of the organization. OIG’s position on separate compliance and legal functions reflects the independent roles and professional obligations of each function;[15] the same is true for internal audit.[16] To operate effectively, the compliance, legal, and internal audit functions should have access to appropriate and relevant corporate information and resources. As part of this effort, organizations will need to balance any existing attorney-client privilege with the goal of providing such access to key individuals who are charged with the responsibility for ensuring compliance, as well as properly reporting and remediating any violations of civil, criminal, or administrative law.

The Board should have a process to ensure appropriate access to information; this process may be set forth in a formal charter document approved by the Audit Committee of the Board or in other appropriate documents. Organizations that do not separate these functions (and some organizations may not have the resources to make this complete separation) should recognize the potential risks of such an arrangement. To partially mitigate these potential risks, organizations should provide individuals serving in multiple roles the capability to execute each function in an independent manner when necessary, including through reporting opportunities with the Board and executive management.

Boards should also evaluate and discuss how management works together to address risk, including the role of each in:

1. identifying compliance risks,

2. investigating compliance risks and avoiding duplication of effort,

3. identifying and implementing appropriate corrective actions and decision-making, and

4. communicating between the various functions throughout the process.

Boards should understand how management approaches conflicts or disagreements with respect to the resolution of compliance issues and how it decides on the appropriate course of action. The audit, compliance, and legal functions should speak a common language, at least to the Board and management, with respect to governance concepts, such as accountability, risk, compliance, auditing, and monitoring. Agreeing on the adoption of certain frameworks and definitions can help to develop such a common language.

[13] Evaluation of independence typically includes assessing whether the function has uninhibited access to the relevant Board committees, is free from organizational bias through an appropriate administrative reporting relationship, and receives fair compensation adjustments based on input from any relevant Board committee.

[14] See OIG and AHLA, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors, 3 (2004) (citing Compliance Program Guidance for Hospitals, 63 Fed. Reg. 8,987, 8,997 (Feb. 23, 1998)).

[15] See, generally, id.

[16] Compliance Program Guidance for Hospitals, 63 Fed. Reg. 8,987, 8,997 (Feb. 23, 1998) (auditing and monitoring function should “[b]e independent of physicians and line management”); Compliance Program Guidance for Home Health Agencies, 63 Fed. Reg. 42,410, 42,424 (Aug. 7, 1998) (auditing and monitoring function should “[b]e objective and independent of line management to the extent reasonably possible”); Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289, 14,302 (Mar. 16, 2000).

Reporting to the Board

The Board should set and enforce expectations for receiving particular types of compliance-related information from various members of management. The Board should receive regular reports regarding the organization’s risk mitigation and compliance efforts—separately and independently—from a variety of key players, including those responsible for audit, compliance, human resources, legal, quality, and information technology. By engaging the leadership team and others deeper in the organization, the Board can identify who can provide relevant information about operations and operational risks. It may be helpful and productive for the Board to establish clear expectations for members of the management team and to hold them accountable for performing and informing the Board in accordance with those expectations. The Board may request the development of objective scorecards that measure how well management is executing the compliance program, mitigating risks, and implementing corrective action plans. Expectations could also include reporting information on internal and external investigations, serious issues raised in internal and external audits, hotline call activity, all allegations of material fraud or senior management misconduct, and all management exceptions to the organization’s code of conduct and/or expense reimbursement policy. In addition, the Board should expect that management will address significant regulatory changes and enforcement events relevant to the organization’s business.

Boards of health care organizations should receive compliance and risk-related information in a format sufficient to satisfy the interests or concerns of their members and to fit their capacity to review that information. Some Boards use tools such as dashboards—containing key financial, operational and compliance indicators to assess risk, performance against budgets, strategic plans, policies and procedures, or other goals and objectives—in order to strike a balance between too much and too little information. For instance, Board quality committees can work with management to create the content of the dashboards with a goal of identifying and responding to risks and improving quality of care. Boards should also consider establishing a risk-based reporting system, in which those responsible for the compliance function provide reports to the Board when certain risk-based criteria are met. The Board should be assured that there are mechanisms in place to ensure timely reporting of suspected violations and to evaluate and implement remedial measures. These tools may also be used to track and identify trends in organizational performance against corrective action plans developed in response to compliance concerns. Regular internal reviews that provide a Board with a snapshot of where the organization is, and where it may be going, in terms of compliance and quality improvement, should produce better compliance results and higher quality services.

As part of its oversight responsibilities, the Board may want to consider conducting regular “executive sessions” (i.e., excluding senior management) with leadership from the compliance, legal, internal audit, and quality functions to encourage more open communication. Scheduling regular executive sessions creates a continuous expectation of open dialogue, rather than calling such a session only when a problem arises, and is helpful to avoid suspicion among management about why a special executive session is being called.

11

Identifying and Auditing Potential Risk Areas

Some regulatory risk areas are common to all health care providers.

Compliance in health care requires monitoring of activities that are highly

vulnerable to fraud or other violations. Areas of particular interest include

referral relationships and arrangements, billing problems (e.g., upcoding,

submitting claims for services not rendered and/or medically unnecessary

services), privacy breaches, and quality-related events.

The Board should ensure that

management and the Board have

strong processes for identifying risk

areas. Risk areas may be identified

from internal or external information

sources. For instance, Boards and

management may identify regulatory

risks from internal sources, such

as employee reports to an internal

compliance hotline or internal audits.

External sources that may be used to

identify regulatory risks might include

professional organization publications, OIG-issued guidance, consultants,

competitors, or news media. When failures or problems in similar organizations

are publicized, Board members should ask their own management teams

whether there are controls and processes in place to reduce the risk of, and to

identify, similar misconduct or issues within their organizations.

The Board should ensure that management consistently reviews and

audits risk areas, as well as develops, implements, and monitors corrective

action plans. One of the reasonable steps an organization is expected to take

12

under the Guidelines is “monitoring and auditing to detect criminal conduct.”17

Audits can pinpoint potential risk factors, identify regulatory or compliance

problems, or confirm the effectiveness of compliance controls. Audit results

that reflect compliance issues or control deficiencies should be accompanied by

corrective action plans.18

Recent industry trends should also be considered when designing risk assessment plans. Compliance functions tasked with monitoring new areas of risk should take into account the increasing emphasis on quality, industry consolidation, and changes in insurance coverage and reimbursement. New forms of reimbursement (e.g., value-based purchasing, bundling of services for a single payment, and global payments for maintaining and improving the health of individual patients and even entire populations) lead to new incentives and compliance risks. Payment policies that align payment with quality care have placed increasing pressure to conform to recommended quality guidelines and improve quality outcomes. New payment models have also incentivized consolidation among health care providers and more employment and contractual relationships (e.g., between hospitals and physicians). In light of the fact that statutes applicable to provider-physician relationships are very broad, Boards of entities that have financial relationships with referral sources or recipients should ask how their organizations are reviewing these arrangements for compliance with the physician self-referral (Stark) and anti-kickback laws. There should also be a clear understanding between the Board and management as to how the entity will approach and implement those relationships and what level of risk is acceptable in such arrangements.

Emerging trends in the health care industry to increase transparency can present health care organizations with opportunities and risks. For example, the Government is collecting and publishing data on health outcomes and quality measures (e.g., Centers for Medicare & Medicaid Services (CMS) Quality Compare Measures), Medicare payment data are now publicly available (e.g., CMS physician payment data), and the Sunshine Rule19 offers public access to data on payments from the pharmaceutical and device industries to physicians. Boards should consider all beneficial use of this newly available information. For example, Boards may choose to compare accessible data against organizational peers and incorporate national benchmarks when assessing organizational risk and compliance. Also, Boards of organizations that employ physicians should be cognizant of the relationships that exist between their employees and other health care entities and whether those relationships could have an impact on such matters as clinical and research decision-making. Because so much more information is becoming public, Boards may be asked significant compliance-oriented questions by various stakeholders, including patients, employees, government officials, donors, the media, and whistleblowers.

17 See USSG § 8B2.1(b)(5).

18 See USSG § 8B2.1(c).

Encouraging Accountability and Compliance

Compliance is an enterprise-wide responsibility. While audit, compliance, and legal functions serve as advisors, evaluators, identifiers, and monitors of risk and compliance, it is the responsibility of the entire organization to execute the compliance program.

In an effort to support the concept that compliance is “a way of life,” a Board may assess employee performance in promoting and adhering to compliance.20 An organization may assess individual, department, or facility-level performance or consistency in executing the compliance program. These assessments can then be used to either withhold incentives or to provide bonuses based on compliance and quality outcomes. Some companies have made participation in annual incentive programs contingent on satisfactorily meeting annual compliance goals. Others have instituted employee and executive compensation claw-back/recoupment provisions if compliance metrics are not met. Such approaches mirror Government trends. For example, OIG is increasingly requiring certifications of compliance from managers outside the compliance department. Through a system of defined compliance goals and objectives against which performance may be measured and incentivized, organizations can effectively communicate the message that everyone is ultimately responsible for compliance.

19 See Sunshine Rule, 42 C.F.R. § 403.904, and CMS Open Payments, http://www.cms.gov/Regulations-and-Guidance/Legislation/National-Physician-Payment-Transparency-Program/index.html.

20 Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289, 14,298-14,299 (Mar. 16, 2000).

Governing Boards have multiple incentives to build compliance programs that encourage self-identification of compliance failures and to voluntarily disclose such failures to the Government. For instance, providers enrolled in Medicare or Medicaid are required by statute to report and refund any overpayments under what is called the 60-Day Rule.21 The 60-Day Rule requires all Medicare and Medicaid participating providers and suppliers to report and refund known overpayments within 60 days from the date the overpayment is “identified” or within 60 days of the date when any corresponding cost report is due. Failure to follow the 60-Day Rule can result in False Claims Act or civil monetary penalty liability. The final regulations, when released, should provide additional guidance and clarity as to what it means to “identify” an overpayment.22 However, as an example, a Board would be well served by asking management about its efforts to develop policies for identifying and returning overpayments. Such an inquiry would inform the Board about how proactive the organization’s compliance program may be in correcting and remediating compliance issues.

21 42 U.S.C. § 1320a-7k.

22 Medicare Program; Reporting and Returning of Overpayments, 77 Fed. Reg. 9179, 9182 (Feb. 16, 2012) (Under the proposed regulations interpreting this statutory requirement, an overpayment is “identified” when a person “has actual knowledge of the existence of the overpayment or acts in reckless disregard or deliberate ignorance of the overpayment.”); Medicare Program; Reporting and Returning of Overpayments; Extensions of Timeline for Publication of the Final Rule, 80 Fed. Reg. 8247 (Feb. 17, 2015).

Organizations that discover a violation of law often engage in an internal analysis of the benefits and costs of disclosing, and risks of failing to disclose, such violation to OIG and/or another governmental agency. Organizations that are proactive in self-disclosing issues under OIG’s Self-Disclosure Protocol realize certain benefits, such as (1) faster resolution of the case (the average OIG self-disclosure is resolved in less than one year); (2) lower payment (OIG settles most self-disclosure cases for 1.5 times damages rather than for double or treble damages and penalties available under the False Claims Act); and (3) exclusion release as part of settlement with no CIA or other compliance obligations.23 OIG believes that providers have legal and ethical obligations to disclose known violations of law occurring within their organizations.24 Boards should ask management how it handles the identification of probable violations of law, including voluntary self-disclosure of such issues to the Government.

As an extension of their oversight of reporting mechanisms and structures, Boards would also be well served by evaluating whether compliance systems and processes encourage effective communication across the organizations and whether employees feel confident that raising compliance concerns, questions, or complaints will result in meaningful inquiry without retaliation or retribution. Further, the Board should request and receive sufficient information to evaluate the appropriateness of management’s responses to identified violations of the organization’s policies or Federal or State laws.

Conclusion

A health care governing Board should make efforts to increase its knowledge of relevant and emerging regulatory risks, the role and functioning of the organization’s compliance program in the face of those risks, and the flow and elevation of reporting of potential issues and problems to senior management. A Board should also encourage a level of compliance accountability across the organization. A Board may find that not every measure addressed in this document is appropriate for its organization, but every Board is responsible for ensuring that its organization complies with relevant Federal, State, and local laws. The recommendations presented in this document are intended to assist Boards with the performance of those activities that are key to their compliance program oversight responsibilities. Ultimately, compliance efforts are necessary to protect patients and public funds, but the form and manner of such efforts will always be dependent on the organization’s individual situation.

23 See OIG, Self-Disclosure Information, http://oig.hhs.gov/compliance/self-disclosure-info.

24 See id., at 2 (“we believe that using the [Self-Disclosure Protocol] may mitigate potential exposure under section 1128J(d) of the Act, 42 U.S.C. 1320a-7k(d).”)


Attachment 17 - Status of Compliance Committee FY 15 Goals.doc


Corporate Compliance/Privacy and Audit Committee

Goals FY 2015

Purpose

The purpose of the Corporate Compliance/Privacy and Audit Committee (“Compliance and Audit Committee”) is to advise and assist the El Camino Hospital (ECH) Hospital Board of Directors (“Board”) in its exercise of oversight by monitoring the compliance policies, controls and processes of the organization and the engagement, independence and performance of the internal auditor and external auditor. The Compliance and Audit Committee assists the Board in oversight of any regulatory audit and in assuring the organizational integrity of ECH in a manner consistent with its mission and purpose.

Staff: Diane Wigglesworth, Director of Corporate Compliance

The Director, Corporate Compliance/Privacy and Audit Committee shall serve as the primary staff support to the Committee and is responsible for drafting the Committee meeting agenda for the Committee Chair's consideration. Additional members of the executive team or outside consultants may participate in the Committee meetings upon the recommendation of the Director, Corporate Compliance/Privacy and Internal Audit Committee and at the discretion of the Committee Chair.

Goals, Timeline by Fiscal Year, Metrics of Success, and Achieved

(Timeframe applies to when the Board approves the recommended action from the Committee, if applicable.)

Goal 1: Review and evaluate Hospital's proposed FY 2015 Internal Audit Work Plan based on the current risk assessment.
Timeline: Q1 2015
Metrics of Success: Committee reviews FY 2015 Internal Audit Work Plan developed by staff in August and provides report to the Board.
Achieved: Completed; Board approved 9/2014.

Goal 2: Participate in staff-developed education session regarding Government Audit Programs (i.e., MIC, MAC, ZPIC and RAC).
Timeline: Q2 2015
Metrics of Success: Committee to receive education by 12/31/14.
Achieved: Completed at November 13, 2014 meeting.

Goal 3: Review Enterprise-Wide Risk Assessment and action plan for identified risks and validate the top four risks under each domain.
Timeline: Q3 – Q4 2015
Metrics of Success: Committee reviews ERM Risk Assessment and approves Hospital's action plan for identified risks and recommends plan to the Board for approval in March 2015 (possible delay for Hospital Board review until May or June 2015).
Achieved: Completed.

Goal 4: Review and evaluate Hospital's risk mitigation plan for Research Compliance.
Timeline: Q4 2015
Metrics of Success: Committee presents risk mitigation plan to the Board by June 2015.
Achieved: Completed.

Submitted by: John Zoglin, Chair, Corporate Compliance/Privacy and Compliance Committee
Diane Wigglesworth, Executive Sponsor, Corporate Compliance/Privacy and Compliance Committee

Attachment 18 - Memo - Proposed FY 2016 Meeting Dates.doc


Corporate Compliance

Date: March 11, 2015

To: Corporate Compliance/Privacy and Audit Committee

From: Diane Wigglesworth, Director Corporate Compliance

Re: Proposed FY 2016 Committee Meeting Dates

Proposing the following meeting dates for the next fiscal year:

August 20, 2015

September 24, 2015

November 19, 2015

January 21, 2016

March 17, 2016

May 19, 2016
