1. SAINT THOMAS HEALTH CORPORATE RESPONSIBILITY PROGRAM Doing the right thing…. and doing things right! Revised 1-4-16

2. Learning Objectives Upon completion of the Corporate Responsibility learning module, the new associate should be able to: State examples of expected behaviors at STH as referenced in the Standards of Conduct. Explain the False Claim Act as it relates to fraud and abuse. Participant should be able to discuss penalties and protection under the federal and state act. Explain and adhere to the gratuities and gifts policy. Identify and adhere to the requirements of HIPAA-HITECH Privacy Rule. Identify and adhere to the requirements of Security Rule. Explain your role in the Corporate Responsibility Program to detect and report suspected compliance issues. Determine who to contact if there is a compliance concern.

3. Standards of Conduct  We are expected to follow the Ethical and Religious Directives for Catholic Health Care Services – by promoting dignity of all, caring for all and contributing to the good of the community.  We are expected to deliver Clinically Excellent and Safe Patient Care – by participating in a culture of High Reliability.  We are expected to comply with Laws and Regulations – by following all laws and regulations applicable to the work area i.e. Medicare, TJC, HIPAA.  We are expected to contribute to a Model Community – by treating all persons fairly, honestly and with dignity.  We are expected to be honest and fair in business conduct – by acting in the best interest of our patients and ministry. Reference: Standards of Conduct SP-13 Corporate Responsibility Program SP-12

4. What is Medicare Fraud?  It is fraud when Medicare is intentionally billed for services or supplies the patient never received. Medicare loses billions of dollars to fraudulent claims every year.  What are some examples of Medicare fraud?  A healthcare provider bills Medicare for a service or medication the patient was never given.  A supplier bills Medicare for equipment that the patient never received. It is illegal to submit claims for payment to Medicare or Medicaid that you knew or should have known are false or fraudulent.

5. What is Medicare Abuse? Abuse describes practices that result in unnecessary costs to the Medicare Program and are not consistent with the goals of providing patients with services that are medically necessary, meet professionally recognized standards, and are priced fairly. Examples of Medicare abuse include:  Billing for services that are not medically necessary  Charging excessively for services or supplies Abuse can result in waste of healthcare resources.

6. Improper Payments Intentional Deception Bending the RulesInefficiencies Mistake Error Waste Abuse Fraud Improper payments, or payments that were not earned and should not have been made, can result from an array of activities ranging from simple or careless mistakes to intentional deception. Examples: Incorrect Medically Improper BillingBilling for services Coding unnecessary practices (suchor supplies that serviceas, upcoding)were not provided

7. Healthcare Fraud, Waste and Abuse Why is Compliance Important? In Fiscal Year 2015, the Medicare improper payment rate was 12.1 percent, representing $43.3 billion. In other words, during one year, the government paid an extra $43.3 billion in healthcare costs that it should not have paid. Source: https://www.cms.gov/Research-Statistics-Data-and-Systems/Monitoring- Programs/Medicare-FFS-Compliance-Programs/CERT/index.html?redirect=/CERT

8. False Claim Act The False Claim Act (FCA) is a Federal Law and Tennessee State Law and protects the government from being overcharged or sold substandard goods or services. It makes it a crime for any person or organization to knowingly make a false record or file a false claim with the government (i.e. Medicare or Medicaid) for payment. Civil penalties of $5,500-$11,000 per claim plus damages may be imposed and entities or individuals may also face criminal penalties. Protection Under the FCA  Employees are protected from being fired, demoted, threatened, or harassed by their employer for filing a FCA lawsuit with the government or providing information in good faith.  Associates are urged to report any wrongdoings to the Corporate Responsibility Office or Management without fear of retaliation. We will investigate and address any inappropriate behavior at Saint Thomas.

9. Compliance with Laws and Regulations We must operate in accordance with all applicable laws and regulations in order to maintain the integrity of our system.  Accurate charging/billing  Ensure charges are appropriate  Ensure charges are medically necessary  Ensure charges are in accordance with billing guidelines  Ensure charges are for the correct patient  Accurate and reliable documentation  Only document services that have been provided to the patient

10. STH Gifts Policy Saint Thomas has a policy regarding gifts that must be followed by all associates.  Gifts from Patients  Associates may not solicit or accept money, gift cards, or personal gratuities or gifts from patients.  Associates may accept perishable items of modest value, such as a floral arrangement, box of cookies, candy or similar food items that are shared within the department.  Individuals who wish to present a gift of money should be referred to the Saint Thomas Health Foundation.  Gifts from Vendors  Associates may not solicit or accept gifts from vendors.  Associates may accept items of minimal value, such as pens, notepads, mugs, “reminder” items with company logo that are commonly distributed. Any questions regarding acceptable gifts should be directed to the Corporate Responsibility Office. Reference: Gifts and Gratuities Policy SP-19

11. HIPAA Overview In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to improve the efficiency and effectiveness of the healthcare system. Key Objectives:  Help manage healthcare information,  Protect the privacy of patients’ health information, and  Protect the security of patients’ health information. HIPAA has recently been updated to include the Health Information Technology for Economic and Clinical Health Act (HITECH), which requires healthcare organizations to notify the government and the individual of any “breach” of their protected health information (PHI). A breach is an inappropriate access, use or disclosure of PHI. Reference: Privacy Compliance Plan SP-06

12. Privacy Rule: PHI The HIPAA Privacy Rule requires us to safeguard Protected Health Information (PHI), which includes information that can identify a person that relates to their health condition, health care, or payment for health care. Examples of PHI:  Name  Address  Date of Birth  Social Security Number  Diagnosis  Identifying photograph  Zip Code  E-mail address  Telephone number  Medical Record number  Patient Account number

13. HIPAA is Common Sense  If you need to know patient information to perform your job, access to this information is permitted.  If you do not need to know the information to perform your job and you access confidential patient information, including your own or that of a friend or family member, access is not permitted and can result in disciplinary action. Access to confidential patient information is allowed if you follow the simple “NEED TO KNOW” rule: When patient information is used, accessed or disclosed inappropriately it is considered a breach. All Privacy/HIPAA breaches must immediately be reported to the Corporate Responsibility Office.

14. Properly Discarding PHI Place you should discard PHI: All paper containing PHI or other confidential information should only be placed in a CINTAS “Shred Bin” located throughout the facilities. Places you should NOT find or discard PHI: Trash or garbage containers Recycle containers Reference: Safeguard of PHI HIPAA-03

15. Use of Passcode When a patient is admitted to the hospital they are given a “passcode”. The patient can share their passcode with anyone to whom they wish to have their PHI disclosed.  When you get a call, request the patient’s passcode.  If the passcode is provided, give only the minimum requested information.  If no passcode is provided, ask the patient for permission to provide information.  Under circumstances when the patient is not able to communicate, the nursing staff may use professional judgment in the best interest of the patient. Reference: Use and Disclosure to Family Members #52.

16. Cell Phones, Social Media & Internet Reference: Technology and Social Media HR-II-16 Dress Code HR-II-05 Social Media Usage, Internet Usage and E-Mail  Internet usage is monitored and is to be used for business purposes only.  Do not download any unauthorized program to hospital computers as this can introduce a virus that could be damaging to our system. Please call the Help Desk for assistance.  Never share PHI or confidential information on social media outlets such as Facebook, Twitter, Instagram, etc. Use of Cell Phones  The use of personal cell phones is limited to break areas only.  Personal cell phones are not to be used while performing job duties unless it is Saint Thomas business.  Personal cell phones may not be used to take pictures in the work area. If a clinical photo is needed, please arrange to utilize a facility/department camera.

17. E-mail Security If you need to send an e-mail containing patient information or other confidential information outside of the Saint Thomas Network in order to do your job, you must take the following step to encrypt it. This “secures” the information and ensures it is only viewable by the recipient.  You can encrypt an email by simply adding -phi- or -secure- to the subject line of your email.  Whichever word you decide to use, you must have the dashes before and after the word, just as it appears here. The words are not case sensitive. Example 1Example 2 Reference: Electronic Mail “E-Mail” ITS

18. Key Learning Points  Accessing information that you do not “NEED TO KNOW” to do your job.  Misusing, disclosing or altering confidential information without proper authorization.  Disclosing your sign-on and/or password to another person.  Using another person’s sign-on and/or password.  Leaving a secured application unattended.  Attempting to access a restricted area.  Allowing an unauthorized person to handle or have access to files that contain PHI or confidential Information.  Using a personal cell phone in a work area or taking pictures in a patient care area.  Accessing your own PHI or that of friends, family, co-workers, VIPs, ex-spouses, etc. IMPORTANT: Please avoid the following behaviors: Engaging in these behaviors can result in disciplinary action up to and including termination.

19.  Breach of protected health information  Conflict of interest  Inappropriate gifts, entertainment and gratuities  Fraud, waste or abuse  Stealing or misuse of assets  Identity theft  Improper disclosure or use of confidential information  Patient information on social media  Taking pictures with cell phone Reporting Compliance Issues or Concerns Compliance is everyone’s responsibility! You are obligated to report the below issues if you have knowledge or suspect they have occurred: Values Line: 1-800-707-2198 www.AscensionHealthValuesLine.orgwww.AscensionHealthValuesLine.org  Call the Values Line if you feel your concerns cannot be communicated through your manager or the Corporate Responsibility Office.  Calls are answered by an outside company, 24 hours a day/7 days a week.  All calls are confidential and may be made anonymously.  Calls will not be recorded or traced.  All information will be thoroughly investigated.

20. Cynthia Figaro – Corporate Responsibility Officer/ Corporate Privacy Officer Jennifer Hannagan – System Director of Corporate Compliance Theresha Armstrong – Corporate Compliance Coordinator Ryan West – Corporate Compliance Coordinator Compliance is doing the right thing…and doing things right. Who Can You Call? 615-284-5484 Cynthia Figaro