Mandatory (Medicaid) Compliance Program Office of compliance & audit service New York is the first state to implement Mandatory Medicaid Compliance Program requirements. Effective October 1, 2009 New York State healthcare organizations for which Medicaid constitutes $500,000 or more of the provider’s annual business operations (considered “substantial” and defined as ordering, providing, billing or claiming $500,000 or more from Medicaid in a twelve-month period), must have an “effective” compliance program and certify on an annual basis that the compliance program meets related statutory requirements. The effective compliance program requirement is also applicable to any New York State provider subject to the provisions of Articles 28 or 36 of the New York Public Health Law or Articles 16 or 31 of the New York Mental Hygiene Law, regardless of the amount of Medicaid business. The Deficit Reduction Act of 2005 (“DRA”, 42 USC §1396a(a)(68)) requires entities with $5.0 million or more in annual Medicaid payments (in a Federal fiscal year) to establish written policies and procedures informing and educating their employees, contractors, and agents about Federal and State false claim acts and whistleblower protections. First in the nation with a mandatory compliance program. Federal government and state requirements are different. New York State is more stringent. Mandatory (Medicaid) Compliance Program

Mandatory (Medicaid) Compliance Program – cont’d Office of compliance & audit service The New York Mandatory Medicaid Compliance Program requirements are a result of New York Social Services Law §363-d and New York State Codes, Rules and Regulations Title 18, Part 521 (“Provider Compliance Programs” or “Part 521”).  Part 521 defines the entities to which the requirements apply (“covered providers”) and mandates that each covered provider’s compliance program include the following eight elements (as included in §521.3(c)): It is important to note that the Part 521 requirements are more stringent than previous voluntary guidelines and specify that the compliance program must be effective. 1. Policies and Procedures 5. Discipline 2. Compliance Officer 6. Auditing and Monitoring/Risk Area Identification 3. Training and Education 7. Non-Retaliation 4. Communication 8. Reporting and Response Admin policies and procedures. P&P on detecting/preventing fraud, waste and abuse in Healthcare (LD0070) Continuous Training Compliance Newsletter – Monthly tool to educate and communicate issues. Allows our staff to learn from other organizations to prevent negative outcomes Consistent, consistent, consistent Ensuring proper operational, financial and compliance outcomes/ monitoring occurs in collaboration with process owners (individual departments) Tools available to staff to report issues, compliance helpline, email, phone, SharePoint site communication tool. We provide feedback to the reporter, on the result of an investigation (anonymous reporters are given a unique identifier to allow them to follow-up through the helpline. Non-retaliation – Code of Conduct. Code lays out the responsibilities of our workforce from a compliance standpoint Mandatory (Medicaid) Compliance Program – cont’d

Sample Elements of SBUH’s Compliance Program Office of compliance & audit service 1. Policies and Procedures - Code of Conduct, Administrative Policies and Procedures Interim Chief Compliance Officer – John W. Ruth, MBA, RHIA Training and Education - New Employee Orientation, Annual Re-Certification, Focused Training and Special Requests Communication - Anonymous Compliance Helpline (1-866-623-1480), or direct contact with our Interim Chief Compliance Officer 631-638-2366. Discipline - Action taken is appropriate and consistent with collective bargaining agreements, federal, state and local laws. Auditing and Monitoring/Risk Area Identification - Continuous monitoring/auditing initiatives, collaborative assessment of organizational control activities. Reporting and Response - Investigations of compliance concerns and corrective action plans Non-Retaliation - To promote the reporting of known or suspected violations SBUH has adopted a code of non-retaliation for individuals who in “good faith” provide information they believe or perceive to be true. Admin policies and procedures. P&P on detecting/preventing fraud, waste and abuse in Healthcare (LD0070) Eileen Denzel Continuous Training Compliance Newsletter – Monthly tool to educate and communicate issues. Allows our staff to learn from other organizations to prevent negative outcomes Consistent, consistent, consistent Ensuring proper operational, financial and compliance outcomes/ monitoring occurs in collaboration with process owners (individual departments) Tools available to staff to report issues, compliance helpline, email, phone, SharePoint site communication tool. We provide feedback to the reporter, on the result of an investigation (anonymous reporters are given a unique identifier to allow them to follow-up through the helpline. Non-retaliation – Code of Conduct. Code lays out the responsibilities of our workforce from a compliance standpoint Sample Elements of SBUH’s Compliance Program

Office of compliance & audit service Guidance has been available since the late 1990s in the form of the Office of the Inspector General’s (“OIG”) voluntary “Compliance Program Guidance” publications in the Federal Register. The OIG’s guidance recommends specific compliance program elements and identifies certain key risk areas which should be addressed by the compliance programs of healthcare providers. The United States Federal Sentencing Guidelines (“Sentencing Guidelines”), Chapter 8, Part B (§8B2.1, “Effective Compliance and Ethics Program”) outline specific factors considered by the Federal government when establishing organizational penalties or sanctions following instances of criminal conduct. The Sentencing Guidelines address overall “effectiveness” factors (e.g., organizational culture, governance and oversight, communication, training and remediation) evaluated to determine whether an organization’s compliance program is adequately designed to prevent, detect and respond to criminal conduct.  The Sentencing Guidelines provide the Federal government with standards for the determination of organizational culpability and establishment of sanctions, but meeting the compliance program “effectiveness” criteria can be a significant mitigating factor for organizations in the unfortunate situation of facing penalties as a result of criminal conduct Office of the Inspector General is a federal agency. Provides voluntary guidance. Is responsible for enforcing the rules and protecting Medicare, Medicaid and other programs of the Department of Health and Human Services. Federal Sentencing Guidelines provides the framework for the voluntary guidance. FSG list 7 (NYS has 8) elements which are taken into consideration when determining the sentencing. The Federal government looks to see if an organization has an effective program based on the 7 elements. Compliance Programs

Fraud, Waste and Abuse Definitions Office of compliance & audit service There are both Federal and New York State statutes relating to the filing of False Claims and protection offered to Whistleblowers who report False Claims. They protect against Fraud, Waste and Abuse. Fraud includes obtaining a benefit through intentional misrepresentation or concealment of material facts Waste includes incurring unnecessary costs as a result of deficient management, practices, or controls Abuse includes excessively or improperly using government resources Many Federal and State laws which protect against Fraud, Waste and Abuse. The federal false claims act has been around since 1863 (Lincoln Law). It was amended in the Mid 80’s (Department of Defense pays $500 for a hammer), 90’s and 2000’s. There has been a lot more focus on fraud, waste and abuse detecting, prevention and deterrence in recent history. Fraud, Waste and Abuse Definitions

Federal and State False Claims Act ( FCA ) Office of compliance & audit service FEDERAL LAWS Federal False Claims Act (31 USC §§3729-3733) Anti-Kickback Statute (42 USC § 1320a-7b(b) Physician Self-Referral Law (42 USC § 1395nn) Exclusion Statute (42 USC § 1320a-7) Civil Monetary Penalties Law (42 USC § 1320a-7a)  NEW YORK STATE LAWS CIVIL AND ADMINISTRATIVE LAWS New York False Claims Act (State Finance Law §§187-194) Social Services Law, Section 145-b, and 145 CRIMINAL LAWS Social Services Law, Sections 145, 145c, and 366-b Penal Law Article 175, 176 and 177 WHISTLEBLOWER PROTECTION Federal False Claims Act (31 U.S.C. §3730(h)) New York State False Claim Act (State Finance Law §191) New York State Labor Law, Section 740, and 741 Many Federal and State laws which protect against Fraud, Waste and Abuse. The federal false claims act has been around since 1863 (Lincoln Law). It was amended in the Mid 80’s (Department of Defense pays $500 for a hammer), 90’s and 2000’s. There has been a lot more focus on fraud, waste and abuse detecting, prevention and deterrence in recent history. Federal and State False Claims Act ( FCA )

Fraud Enforcement and Recovery Act of 2009 (FERA) Office of compliance & audit service On May 20, 2009, the Fraud Enforcement and Recovery Act of 2009 ("FERA") was signed into law. It includes the most significant amendments to the FCA since the 1986 amendments. Section 4 of the FERA has major significance for health care providers and managed care plans, and all Medicaid providers. This section, “Clarifications to the False Claims Act to Reflect the Original Intent of the Law”: Redefined terms such as “claim”, and “obligation” . Expands the anti-retaliation provisions from only employees to include “contractors and agents” who “act to stop one or more violations.” This provision could protect contracted physicians in a government-funded managed care plan, for example, who took action to stop false reporting or illegal denial of services by the plan. Fraud Enforcement and Recovery Act of 2009 (FERA)

Office of compliance & audit services The New York State Governmental Accountability, Audit and Internal Control Act of 1987 (Internal Control Act) required State agencies and other organizations to promote and practice good internal control and to provide accountability for their activities. The New York State Division of Budget’s Policy and Reporting Manual Item B-350, Governmental Internal Control and Internal Audit Requirements: Describes internal control responsibilities to be performed by all state agencies Requires all state agencies to certify each year that they are in compliance with these internal control requirements and the Internal Control Act. Internal control is defined as: the integration of the activities, plans, attitudes, policies, systems, resources and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its objectives and mission. Internal control is focused on the mission of the organization, and this mission must be kept in mind when evaluating the appropriateness of specific internal control practices. Internal Controls

Internal Controls Types of Controls Office of compliance & audit services Types of Controls Detective Controls are designed to detect errors or irregularities that may have occurred. For example, reviews of performance, reconciliations, physical inventories and audits. Corrective Controls are designed to prevent the recurrence of errors. They begin when improper outcomes occur and are detected and keep the "spotlight" on the problem until management can solve the problem or correct the defect. For example budget variance reports. Preventive Controls are designed to keep errors or irregularities from occurring. For example, standards, policies and procedures, segregation of duties, authorization and approval levels. For a control objective to be effective, compliance with it must be measurable and observable. Internal controls provide reasonable assurance that an organization meets established objectives and goals. Internal Controls

Gifts and Entertainment Office of compliance & audit service The State of New York, Commission on Public Integrity, in Advisory Opinion No. 08-01 has adopted the term “nominal value.” Stony Brook University Hospital has not defined Nominal Value with a dollar limit. Nominal value is considered such a small amount that acceptance of an item of nominal value could not be reasonably interpreted or construed as attempting to influence a State employee. Items of insignificant value, as, for example, a regular cup of coffee or a soft drink, are considered nominal. Nominal value would not include a meal nor would it include an alcoholic beverage. If you have any questions regarding this slide, please feel free to contact the Interim Chief Compliance Officer, John W. Ruth at 638-2366 or e-mail at John.Ruth@stonybrookmedicine.edu Gifts and Entertainment

Confidential Compliance Helpline 1 866 - 623 - 1480 Office of compliance & audit service Confidential Compliance Helpline 1 866 - 623 - 1480 https://www.compliance-helpline.com/sbuh.jsp 24 hours per day / 7 days per week English / Spanish If you wish to report an issue of non-compliance please contact the Interim Chief Compliance Officer, John Ruth, at 8-2366, John.Ruth@stonybrookmedicine.edu,or call the Corporate Compliance Helpline, which is available 24 hours a day, seven days a week. Reports can be made anonymously or by name. No Hospital representative will be disciplined or subjected to retaliatory actions because he or she made a report in good faith. Helpline Information