
«CALL TO ORDER Ms. Emily A. Youssouf Adoption of Minutes December 4, 2014 Ms. Emily A. Youssouf • INFORMATION ITEMS Audits Update Mr. Chris A. ...»


Overview of HHC’s Policies and Procedures Designed to Prevent Fraud, Waste and Abuse

2) HHC’s policies and procedures designed to prevent and detect fraud, waste, and abuse include, without limitation, the following:

• HHC Guide to Compliance at the New York City Health and Hospitals Corporation

HHC’s Corporate Compliance Plan

3) The overall breadth of HHC’s Corporate Compliance Program (the “Program”) is best reflected in its Corporate Compliance Plan (the “Plan”). Specifically, the Plan outlines and explains the structural and operational elements of the Program, highlighting HHC’s development and/or adoption of written policies and procedures covering compliance, including, without limitation, HHC’s Operating Procedure 50-1 - Corporate Compliance Program (“OP 50-1”), which details the structure of the Program; HHC’s Principles of Professional Conduct (“POPC”), which establishes HHC’s prohibition of fraudulent billing and other improper business practices; and HHC’s A Guide to Compliance at the New York City Health and Hospitals Corporation (“Guide to Compliance”)2, which provides a summary of important compliance issues and compliance standards and expectations at HHC. The Plan, OP 50-1, the POPC, and the Guide to Compliance may all be accessed through HHC’s Intranet under the Office of Corporate Compliance (“OCC”) at http://compliance.nychhc.org/, or by way of HHC’s public website at http://www.nyc.gov/html/hhc/html/about/About-PublicInfoCompliance.shtml. You may also contact your local Network Compliance Officer or the OCC - by phone at (646) 458-7799 or by e-mail at COMPLIANCE@nychhc.org - to obtain copies of the same.

The Plan also underscores HHC’s commitment to routinely identify potential areas of corporate risks and vulnerabilities, and to perform self-evaluations and audits of its operations and practices, which are required under New York’s mandatory compliance program regulations.3

HHC Operating Procedure 50-1

4) As evidenced by its internal operating procedures,4 HHC has implemented a Program that satisfies the mandatory provider compliance program regulations promulgated by the New York State Department of Social Services.5 Additionally, the Program also adopts the principles set forth in the United States Sentencing Commission 2013 Federal Sentencing Guidelines pertaining to effective compliance and ethics programs. The Program is responsible for, among other things, aggressively identifying, directing, and addressing corporate-wide and local compliance activities and concerns. The following are some key highlights of the Program:

• the appointment of a Corporate Compliance Officer (“CCO”) charged with the oversight and implementation of the Program;

• the creation of an annual Corporate Compliance Work Plan (“Work Plan”) designed to proactively address compliance vulnerabilities;

• the institution of a confidential process and toll-free hotline (1-866-HELP-HHC) to receive complaints;

• the implementation of corporate-wide training and education regarding corporate compliance issues;

• the requirement that the CCO report, at least quarterly, HHC compliance activities to the Chairperson of the Board of Directors (“BOD”), the Chairperson of the Audit Committee of the BOD, and HHC’s President and Chief Executive;

• the requirement that all HHC workforce members report violations of OP 50-1, as well as of all applicable laws, rules, codes and regulations (collectively “Laws”), to the CCO;

• the investigation of allegations regarding: (i) violations of applicable Laws and HHC OP 50-1; and (ii) allegations of intimidation and retaliation; and

• the prohibition of intimidation and retaliation against any person who, acting in good faith, engages in the Program.

HHC’s Principles of Professional Conduct (“POPC”)

5) The POPC is a guide to direct HHC employees to conduct official business in an ethical and lawful manner. Some examples of violations of professional conduct are:

• improper billing practices;

• accepting gifts from a vendor;

• inappropriate patient referrals;

• breaches of patient confidentiality; and

• failure to adhere to HHC policies concerning patient care.

HHC’s Guide to Compliance

6) The Guide to Compliance defines the terms compliance, fraud, waste, and abuse. The Guide to Compliance also describes the goals of HHC’s Program, the consequences of noncompliance with applicable Laws and internal policies, and the responsibilities of each employee with regard to compliance. In addition to the foregoing, the Guide to Compliance provides information regarding the following compliance subjects:

Certification of DRA Requirements completed

7) Senior Assistant Vice President and Chief Corporate Compliance Officer Wayne A. McNulty certified, through OMIG’s website, HHC’s compliance with the DRA on December 29, 2014. Specifically, Mr. McNulty certified that HHC has written policies for all employees, including management, and any contractor or agent of the entity, that provide detailed information about the Federal False Claims Act, remedies for false claims and statements, and state laws pertaining to civil or criminal penalties for false claims and statements and that these policies:

• address whistleblower protections under the Federal False Claims Act and state laws;

• address the role of the Federal False Claims Act and state laws in preventing and detecting fraud, waste, and abuse in Federal health care programs; and

• provide detailed provisions regarding the entity's policies and procedures for detecting and preventing fraud, waste, and abuse.

8) Mr. McNulty also certified that HHC has an employee handbook that includes: (i) a specific discussion of the state and federal laws covering fraud, waste and abuse and the False Claims Act; (ii) a specific discussion of the rights of employees to be protected as whistleblowers; and (iii) a specific discussion of the entity's policies and procedures for detecting fraud, waste, and abuse.

III. Report on HHC’s Compliance with the HIPAA Security Rule Risk Analysis Requirements

Overview

1) Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA” or the “Act”) and its implementing regulations found at 45 CFR Parts 160 and 164, “The Security Standards for the Protection of Electronic Protected Health Information” (the “Security Rule”), HHC is required to ensure that it implements a risk assessment program the purpose of which is to prevent, detect, contain, and correct security violations affecting electronic protected health information (“EPHI”).6

“Security Standards for the Protection of Electronic Protected Health Information” (the “Security Rule”), found at 45 CFR Part 160 and Part 164, Subparts A and C, was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Security Rule is all about implementing effective risk management to adequately and effectively protect EPHI. The assessment, analysis, and management of risk provides the foundation of a covered entity’s Security Rule compliance efforts, serving as tools to develop and maintain a covered entity’s strategy to protect the confidentiality, integrity, and availability of EPHI.

See also, generally, 18 NYCRR Part 521.

AUDIT COMMITTEE OF THE

HHC BOARD OF DIRECTORS


Security Rule Requirements

2) The Security Rule requires that covered entities, such as HHC, perform periodic technical and non-technical evaluations of applications that access, house or transmit EPHI. More specifically, HHC is required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI that is accessed, stored or transmitted by HHC’s systems and applications and is required, at minimum, to conduct periodic technical and nontechnical evaluations of those systems and applications to establish the extent to which HHC's security policies and procedures meet the requirements of the Security Rule.7

Performance of Risk Analysis

3) Pursuant to the Security Rule at 45 CFR Section 164.308(a)(1)(ii)(A), HHC is required as to each of its applications and systems that possess EPHI to do the following:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

4) To meet the risk analysis requirements under the Security Rule, HHC is required to conduct an accurate and thorough risk analysis of the vulnerabilities and potential risks to the confidentiality, integrity, and availability of EPHI of each of the systems and applications used by HHC.8 The required risk analysis is an assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of the EPHI held by HHC and the likelihood of that risk’s occurrence9 and its use is considered a foundational first step in identifying and implementing physical, administrative and technical safeguards that comply with and carry out the standards and implementation specifications required in the Security Rule.

5) In its risk analysis of its applications and systems, HHC must (1) demonstrate that it has evaluated the risks associated with a specific application or system that uses, stores or transmits EPHI; and (2) document that it has established all of the safeguards (technical, physical and administrative) that would reasonably serve to protect the information that is exchanged along its network.10


Conducting an Inventory of Systems and Applications that House EPHI

6) As part of the risk analysis process, HHC is required to, among other things: (1) inventory all systems and applications used by HHC that access and house EPHI; and (2) classify those systems and applications by their level of risk.

7) While it is required that HHC conduct a risk analysis of its applications and systems, there are numerous methods of performing this analysis and the Security Rule does not prescribe a specific methodology that HHC must follow, recognizing instead that methods will vary depending on the size, complexity, and capabilities of the organization.11 With regard to performing a risk analysis, there is no single method or best practice that assures compliance with the Security Rule.12 Notwithstanding this fact, National Institute of Standards and Technology (“NIST”) SP 800-30 provides examples of steps that might be applied to a risk analysis process.13

8) Regardless of the methodology used, a risk analysis must at the minimum incorporate the following eight steps to satisfy the Security Rule: (i) identify the scope of the analysis; (ii) gather data; (iii) identify and document potential threats and vulnerabilities; (iv) assess current security measures; (v) determine the likelihood of threat occurrence; (vi) determine the potential impact of threat occurrence; (vii) determine the level of risk; and (viii) identify security measures and finalize documentation.14

HHC’s Compliance Status with Security Rule Risk Analysis Requirements

9) With regard to HHC’s compliance with the Security Rule risk analysis requirements, the OCC has found, in pertinent part, that: (i) the inventory of the HHC information systems and applications that access, house, or transmit EPHI is a work in progress and therefore is not comprehensive at this juncture; and (ii) although HHC’s Enterprise Information Technology Services (“EITS”) has taken numerous and significant measures to enhance and maintain the confidentiality, integrity, and security of HHC’s information systems including the formation of an information governance and security program, the implementation of security controls, and the performance of a formal risk analysis on a handful of its applications, it appears that further measures must be taken by EITS to fully satisfy the extensive risk analysis and implementation measures required under the Security Rule.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Department of Health and Human Services Office of Civil Rights (“OCR”) Guidance on Risk Analysis Requirements under the HIPAA Security Rule found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf accessed on 2/9/15.

National Institute of Standards and Technology (NIST) is a federal agency that publishes guidelines relevant to the HIPAA Security Rule. See NIST 800 Series of Special Publications (SP) – specifically, SP 800-30 - Risk Management Guide for Information Technology Systems at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html. Although only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI.

OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule, supra, note 31.

Recommendations

10) Based on the foregoing, OCC is recommending that the following measures be taken by HHC’s Enterprise Technology Information Services:

• Identify and inventory, as a priority and no later than within 30 days, all HHC systems and applications that access, house or transmit EPHI;

• Provide a written schedule that will specify date(s), over a 12-month period, by which all inventoried HHC systems and applications that access, house or transmit EPHI will have a completed risk analysis;


