1. Transportation Provider Compliance Training

2. Fraud, waste and Abuse (FWA)

3. FWA Training Purpose
We are all responsible for preventing and reporting suspected cases of Fraud, Waste, and Abuse (FWA) without fear of punishment
Training will give you basic information necessary to understand what FWA is and what your obligations are if you suspect it is happening
By looking out for FWA, we protect Federal funding given to Medicaid and Medicare programs for NEMT

4. Agenda Centers for Medicare and Medicaid Services (CMS)
What is FWA: Laws and Regulations
MTM’s Quality and Compliance Department
HIPAA, PHI, and DUA

5. CMS
Centers for Medicare and Medicaid Services, also referred to as CMS:
An agency within the US Dept. of Health and Human Services
Responsible for several health care programs and rules regarding FWA that must be followed by MTM, First Tier, Downstream and Related Entities
Providers, drivers and office staff

6. MTM and CMS MTM partners with Medicare and Medicaid clients
Clients are required by CMS to conduct FWA training with:
Transportation Providers
Drivers
Office Staff
As MTM clients are regulated by CMS, so are MTM employees and its subcontractors (transportation providers)
Documentation of annual FWA training must be maintained and available to CMS and MTM clients when requested

7. FWA: What is Fraud?
An intentional deception or misrepresentation made by a person with knowledge that deception could result in unauthorized benefit to himself or another person
Includes any act that constitutes fraud under applicable Federal and State laws

8. FWA: What is Waste?
Overutilization of services or other practices that result in unnecessary costs
Generally not caused by criminally negligent actions but rather misuse of resources

9. FWA: What is Abuse?
Defines ways that, either directly or indirectly, result in unnecessary costs to the Medicare or Medicaid Program
Reimbursement for unnecessary services or services that fail to meet professionally recognized standards for healthcare

10. FWA Laws and Regulations
Suspected violations of:
False Claims Act; 31 U.S.C. §3729
Law prohibits incorrect claims from being submitted to Medicare and Medicaid
Stark Law
Law was written to prevent doctors and other clinicians from referring patients to their own practices (physician self-referral)
Anti-Kickback Statute
Law keeps doctors, hospitals and other clinicians from offering or receiving kick-backs for referring patients to certain practices
False Claims Act applies to our TP’s
Stark Law – will generally not affect operations of MTM or providers
Anti Kickback Statute - This law applies to our operations to the extent that transportation providers may not offer incentives (kickbacks) to members for requesting to ride with them.

11. FWA Laws and Regulations
Acts defined in 18 U.S.C. - HITECH Act of which widened scope of privacy and security protections available under HIPAA
Health Insurance Portability and Accountability Act (HIPAA)
State-specific laws and regulations that address Medicaid/Medicare FWA - Laws that a state implements that are more strict than the federal privacy law
State-specific laws and regulations that address Medicaid/Medicare FWA - We would know about these from our contract, and would be required to pass the requirements through to our TPs in their service agreements. 

12. FWA: Your Obligations
Comply with all policies and procedures developed and amended by MTM in relation to FWA
Acknowledge that payments made to you consist of Federal and State funding
You may be held civilly/criminally liable for non-performance or misrepresentation of FWA services
Immediately refer all suspected or confirmed FWA to MTM’s Quality and Compliance department

13. Examples of Member FWA Lending insurance card to another person
Changing, forging, or altering:
Prescriptions
Medical records
Referral forms
Lending insurance card to another person
Identity theft
Using NEMT for non-medical services
Misrepresenting eligibility status
Resale of medications to others
Medication stockpiling
Doctor shopping
Use a story as an example

14. Resolution Options for Member FWA
Add a note to member’s file advising MTM for future trips
Add member’s name to a list of frequent abusers
Trip requests will be monitored and managed to prevent potential future FWA
Report issue to MTM's client liaison, who will determine the best way to report to other entities

15. Examples of Provider FWA
Falsifying credentials
Billing for services not rendered
Inappropriate billing
Double billing
Fraudulent billing
Collusion among providers
Falsifying information submitted through prior authorization or other mechanism to justify coverage

16. Resolution Options for Provider FWA
MTM's investigations specialists will determine which, if any, of the following actions are appropriate
Recover trip cost
Provide education
Make recommendation for an audit of trip records
Establish Corrective Action Plan (CAP)
Disciplinary action
Dismissal from MTM network of providers

17. Who is Responsible for Identifying FWA?
MTM Employees
Board of Directors
Transportation Providers
Drivers
Office Staff

18. Who Monitors FWA at MTM?
Potential cases reported to MTM’s Quality and Compliance department
Quality Investigation Specialist investigates each reported incident
Note results of investigation in member’s file
FWA reported against Transportation providers, drivers, and office staff are handled in the same manner
MTM reports incidents of FWA to clients on a monthly basis

19. Report all cases of suspected FWA to MTM immediately
Preventing FWA
Preventing FWA before it happens is critical
Transportation providers should report incidents of FWA they suspect to MTM’s Quality Management department immediately
Report all cases of suspected FWA to MTM immediately

20. Preventing FWA
MTM staff are diligent and watch carefully for signs of potential FWA
Deny a trip if it seems “suspect”
Push trip request up internal chain of command to Team Lead
Contact client and get their guidance
Report suspicious activity to Quality Management department for investigation

21. Reporting FWA Contact MTM’s Quality Management department
Try to include all pertinent information:
Subject of FWA
Subject ID information
FWA description
Any other important information

22. Corporate Compliance Hotline
MTM has a Compliance Hotline to report unethical or illegal behavior in an anonymous and confidential manner
Types of issues that may be reported to the hotline include inappropriate billing practices, falsified credentialing documentation, violations of HIPAA or informational security standards, or other unethical or illegal practices

23. FWA Reporting Protections
Whistleblowers offered protection against retaliation under the False Claims Act
Employees discharged, demoted, harassed, or otherwise discriminated against for reporting FWA are entitled to protection under the False Claims Act

24. FWA Conclusion Training has given you:
Knowledge about what FWA is and why it is important to identify cases of suspected FWA
Tools necessary to feel confident in reporting suspected FWA without fear of reprisal
Understanding of why MTM requires training
Knowledge that everyone is responsible for reporting FWA
Knowledge that preventing FWA is critical—stop it before it happens

25. Health insurance portability and accountability act (HIPAA)

26. HIPAA Privacy Rule
Ensures consistent protection nationwide for all health information
Imposes restrictions on use and disclosure of Protected Health Information (PHI)
Gives people greater access to their own medical records
Provides people with more control over health information

27. Compliance date for Security Standards was April 20, 2005
HIPAA Background
Enacted by Congress in 1996
Department of Health and Human Services (HHS) implemented final Privacy Rule on April 14, 2003
Compliance date for Security Standards was April 20, 2005
HITECH Act of 2009 widened scope of privacy and security protections available under HIPAA

28. Protected Health Information (PHI)
PHI is individually identifiable health information that is:
Transmitted or maintained in electronic media
Transmitted or maintained in any other form or medium
When an MTM member, agency, or health provider gives personal information to MTM, that information becomes PHI

29. Examples of PHI Name or address SSN or other ID number
Medicaid/ Medicare number
Physician Notes
Billing Information
Any information that might connect health information to an individual

30. HITECH Act
HITECH Act promotes the adoption and meaningful use of health information technology

31. HIPAA Expectations Use or disclose PHI only for work related purposes
Exercise reasonable caution to protect PHI under your control
Understand and follow MTM privacy policies
Report potential HIPAA violations to MTM’s Quality and Compliance department

32. Use or Disclosure of PHI
HIPAA's privacy rule covers how we can use or disclose PHI
Designed to minimize careless or unethical disclosure
PHI can’t be used or disclosed unless it is permitted or required by the Privacy Rule

33. Use vs. Disclosure PHI is used when it is:
PHI is disclosed when it is:
Shared
Examined
Released/transferred
Applied
Accessed in any way by any one outside entity holding information
Analyzed

34. Use or Disclosure of PHI
Payment: Various activities of healthcare and healthcare related providers (such as you) to obtain payment or be reimbursed for services
Treatment: Management of healthcare and related services that includes coordination among healthcare providers
Healthcare Operations: Certain administrative, financial, legal and quality improvement activities of covered entity necessary to run its business and to support core functions of Treatment and Payment
These do not apply to MTM operations

35. Use or Disclosure of PHI
Transportation Providers permitted to use or disclose PHI for:
Scheduling trip information
Confirming special needs or adaptive equipment
Incidental use such as talking to a facility or medical provider

36. Minimum Necessary
Use or disclosure of PHI should be limited to minimum amount of health-related information necessary to accomplish intended purpose of use or disclosure
MTM has developed policies and procedures to make sure least amount of PHI is shared
If you have no need to review PHI, then stop!

37. Data Use Agreement (DUA)

38. Data Use Agreement DUA
The Data Use Agreement (DUA) is an agreement between MTM, MTM’s clients, and MTM’s subcontractors
This agreement states that all information obtained by transportation providers including PHI will remain confidential and will be disposed of properly

39. Data Use Agreement DUA
DUA applies to all MTM employees, transportation providers, and drivers who have access to confidential client information

40. Transportation Provider Responsibilities
Transportation provider will secure access to all clients’ confidential information and ensure that it is only used in a manner that is approved under the DUA
Transportation provider is required to secure any form of paper documentation that contains client PHI
Transportation provider is required to secure mobile devices by a PIN number or equivalent security that contains client PHI

41. Transportation Provider Responsibilities
Transportation providers will establish appropriate penalties against any member of its workforce that violates the sharing of client information
Responsible for compliance with sending and destroying of confidential information

42. Transportation Provider Responsibilities
Transportation providers will deliver written certification of compliance when requested
Upon termination, the transportation provider is required to retain documentation pursuant to contractual obligations

43. Transportation Provider Responsibilities
Transportation providers will designate a person to implement the security requirements of the DUA

44. Transportation Provider Responsibilities
Transportation providers assure that their employees/drivers are only provided information as needed to complete job requirements
Transportation providers must have and maintain a list of employees/drivers, and their signatures, titles, and the date they agreed to the terms of the DUA

45. Transportation Provider Responsibilities
Transportation providers will adhere to the policies and procedures relating to the use of confidential information as set forth in the DUA, the Business Associate Agreement and the Medical Transportation Service Agreement

46. Transportation Provider Responsibilities
All data transferred and communicated will be through secure systems
A completed ‘DUA Agreement’ is required and maintained with MTM
A completed ‘DUA Authorized User List’ is maintained and regularly updated for users accessing data

47. What is a Breach of the DUA?
Any incident where PHI is used in an unsecure or unauthorized manner
Accessing client information that is not job related
Sharing client information over social media, text, or screen shots
Disposing of trip sheets in the trash of a public place

48. What is a Breach of the DUA and HIPAA?
Lending your mobile device that contains client information
ing or storing client information in the cloud in an unsecured manner

49. If a Breach is Suspected
Transportation providers will cooperate fully with MTM in investigating any breach of confidential information
Transportation providers have no more than 24 hours after discovery of a breach to report the event or breach of the security policy to MTM

50. DUA Guidelines DUA is effective on the date of execution
All DUA users must be on the authorized user list
The DUA ends upon termination of the Service Agreement with the exception of retention provisions

51. DUA Guidelines
MTM may immediately terminate the Service Agreement in the event of a material violation of the DUA
MTM may immediately terminate the Authorized User of the DUA Agreement in the event of a material violation

52. Maintaining Privacy: Written
Keep information in a folder during business hours and locked drawer after hours
Shred documents containing PHI after use
Keep a minimal amount of information in hard copy format
Do not leave documents unattended at printer

53. Maintaining Privacy: Telephone
Leave minimal information necessary on voice mail or answering machines regarding confirmation of trips, or ask member to return call to confirm

54. Maintaining Privacy: Faxes
Always include a cover sheet that:
States it is a confidential document
Gives a contact if fax is received in error
Spells out HIPAA (confidentiality) language
Verify fax number before sending

55. Maintaining Privacy: Email
s containing PHI must be sent securely
Follow all directions for secured
Do not enter any PHI in subject line

56. Maintaining Privacy: Workstation/Vehicle
Always lock access to computer with a password and use privacy notice
Remove documents containing PHI from copiers and printers ASAP
Keep PHI in a folder or upside down during working hours
Remove PHI from desk or vehicle and place in locked drawer at end of work day
Do not discuss PHI in public areas

57. Cell Phone Best Practices
Use a device pin, or password
Install and/or enable encryption to your device
Remote wipe capability for lost or stolen devices
Disable use of file sharing applications
Keep your software up to date
Use adequate security to send or receive health information over public Wi-Fi networks

58. Protecting PHI
Verify identity and authority of person requesting before releasing PHI
Transmit PHI by telephone only when it can not be overheard
When leaving messages, limit information left to member’s name, a request to return call and your name/telephone number

59. Misuse of PHI
Misuse of PHI can result in civil and criminal sanctions:
Civil Penalties: Up to $25,000/year for inadvertent violations; $250,000 for willful neglect; $1.5 million for repeated or uncorrected violations
Criminal Penalties: Up to $250,000 fine and prison sentence up to 10 years for deliberate violations
Sanctions by DHHS
Other penalties related to not meeting contractual obligations

60. Example of Misuse of PHI
A South Dakota medical student took home copies of 125 patients’ psychiatric records to work on a research project
He disposed of material in a dumpster of a fast food restaurant, where they were found by a newspaper reporter

61. Reporting Misuse of PHI
Report incidents of accidental or intentional disclosure to your supervisor and MTM
No adverse action will be taken against anyone who reports in good faith violations or threatened violations of Privacy Rule, Security Rule or related policies

62. Breach of ePHI
Breach is unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of information
HITECH Act promotes the adoption and meaningful use of health information technology

63. Example of Breach of ePHI
Theft of 6 hard drives at an insurance company’s training facility, including images from computer screens containing data that was encoded but not encrypted

64. Breach Notification
Notice to individual of breach of his/her PHI is required under the HITECH Act
Breaches involving PHI of more than 500 persons in one circumstance must be immediately reported to DHHS by covered entity
Will be posted on DHHS site
Business Associates must report security breaches to covered entity
DHHS = Department of Health and Human Services

65. Enforcement of Privacy and Security
Office of Civil Rights has enforced Privacy Rule since 2003
CMS has enforced Security Rule since 2005
As of July 27, 2009 DHHS has delegated enforcement of both rules to Office of Civil Rights

66. HIPAA Resources CMS – Center for Medicare and Medicaid Services
Office of Civil Rights
US DHHS – Department of Health and Human Services

67. HIPAA Glossary
Business Associate: Person or entity that performs certain functions or activities that involve use or disclosure of PHI on behalf of, or provides services to a covered entity
Protected Health Information: Individually identifiable health information
Minimum Necessary Information: Current practice is that PHI should not be used or disclosed when not necessary to satisfy a purpose or carry out a function

68. Resources Report Fraud, Waste and Abuse:
Corporate Compliance Hotline Number: (855)
Corporate Compliance Web Link:
Report Information Security Issues:
Phone: (636)

69. Please complete the Assessment following this training

70. Questions?

71. Thank you for your active participation!