2016 compliance training - meded.ucsd.edu · 2016 compliance training - standards of business...
Post on 15-Oct-2020
2016 Compliance Training - Standards of Business Conduct
- Fraud, Waste and Abuse
- Conflict of Interest
- HIPAA
- Information Security
- Ethical Conduct
Medical Student Orientation
Revision: July 24, 2016
Introduction
• Members of the University of California community share a commitment
to the highest ethical, legal, and professional standards in
furtherance of our mission of patient care, teaching, research and public
service.
• We recognize that we hold the University in trust for the people of the
State of California.
Standards of Business Conduct
Ethical Values and Conduct
Applicability
• The UC Code of Conduct (“Code”) applies to everyone who is a “member” of the UC Health Sciences workforce including: faculty, house staff, medical students, health professional trainees, employees, and volunteers.
• http://healthsciences.ucsd.edu/compliance
• This Code is intended to be complementary to the specific policies, procedures, Bylaws and rules enacted by the UC San Diego Health System and the University of California’s Statement of Ethical Values:
• http://www.ucop.edu/ethics-compliance-audit-services/
• A summary of the Code’s 12 standards follows.
Code of Conduct: 12 Standards
1. Ethical Principles
2. Individual Responsibility & Accountability
3. Respect for Rights & Dignity of Others
4. Respect for Privacy
5. High Standards of Patient Care
6. Medical Necessity
7. Accurate Billing / Financial Records
8. Avoidance of Conflict of Interest or Commitment
9. Ethical Conduct of Clinical Trials & Research
10. Maintenance & Preservation of Accurate Records
11. Comply with Laws & Prevent Improper Referrals, Kickbacks and Influences on Clinical Decisions
12. Government Investigations
Reporting Violations
• Any suspected violations of the
Code or Standards of Ethical
Conduct should be reported.
• How to Report: You may make a
report to a supervisor, the
Compliance Officer or
anonymously to the UC
confidential hot line.
• The University will, if requested, make
every reasonable effort to keep
confidential the identity of anyone
reporting a suspected violation;
except if doing so would effectively
prevent the University from
conducting a full and fair investigation
of the allegations.
Who to report concerns to:
•Supervisor
•Chief Compliance Officer
•Human Resources (HR)
•Internal Audit
•UC Legal Counsel
•UC Whistleblower Hot Line
1-800-403-4744 (24 hours)
http://www.ucop.edu/uc-whistleblower
Non-Retaliation Policy
• University employees are prohibited from retaliating against an employee who has made a good-faith report or refused to obey an illegal order, even if the allegation ultimately proves to be without merit.
• UC will, however, pursue disciplinary actions against any member who is shown to have knowingly filed a false report.
For further reading:
University of California policies and FAQs regarding reporting and
investigation of suspected improper governmental activities.
Whistleblower Policy
Whistleblower Protection Policy
http://www.ucop.edu/uc-whistleblower/policies-training/
Enforcement
• The UC Code of Conduct will be enforced!
• Corrective and disciplinary actions will be taken in response to violations.
• Everyone is expected to cooperate fully with any internal investigation undertaken.
• Disciplinary actions will be determined in accordance with applicable University policies and procedures.
• UC may make appropriate disclosures to governmental agencies.
Fraud, Waste and Abuse Training
Annual training is required
Objectives
• Provide information on UC’s whistleblower and non-retaliation policies
• Explain how to report a concern and your role in bringing forth concerns
• Explain the scope of fraud, waste, and abuse
• Provide information on laws pertaining to fraud, waste, and abuse
University of California – Whistleblower Policy
• UC faculty and staff are encouraged to bring forward concerns about possible improper governmental activity directly to their supervisor, department head, locally designated official or any university administrator. In order to provide employees with multiple avenues for bringing forth concerns of possible wrongdoing, the UC Whistleblower Hotline was established.
• The hotline is independently operated to allow for calls or web-based reporting from faculty, staff and students on an anonymous basis. The hotline relays the reported concerns to appropriate university officials for processing. This hotline is staffed seven days a week, 24 hours per day and is capable of receiving reports in a number of different languages.
• The university-wide toll-free number is 1-800-403-4744. Web-based reports can be made by accessing: http://universityofcalifornia.edu/hotline
• Concerns may also be reported to:
• State Auditor Whistleblower Hotline: 1-800-952-5665
• California Attorney General Hotline: 1-800-952-5225
Why does UC need whistleblower policies?
• UC values ethical and lawful conduct.
• Policies are designed to:
• Encourage timely, safe and honest reporting of alleged wrongs without
fear of retaliation
• Ensure a consistent and timely institutional response
What happens next?
• Once fraud, waste, or abuse is detected and reported, the concern will
be investigated and non-compliant behavior corrected.
• Where investigation confirms the existence of non-compliant behavior, a
corrective action plan will be developed. Corrective action plans will vary
depending on the facts and circumstances.
• Non-compliant behavior may be subject to any of the following: training, re-
training, disciplinary action, termination, or other appropriate action under the
circumstances.
What types of activities should be reported?
• Here are examples of potential fraud, waste and abuse:
• Medical record documentation does not support the billed service
• Billing for a service that is not medically necessary
• Billing for a service that was not performed – either at all, or in the manner
documented
• Billing for a health service that did not meet standards of quality care
• Service violates other Federal Regulations, such as Stark or the Anti-
Kickback Statute
• Knowingly concealing or knowingly and improperly avoiding the return of an
overpayment in a timely manner
• Research misconduct or the misuse of University funds / resources
Laws
Federal and State Laws related to False Claims & Whistleblower Protection
California Whistleblower Protection Act
• California Government Code requires every state agency (including the
UC) to annually distribute to its employees a message from the
California State Auditor that provides an explanation of the California
Whistleblower Protection Act.
• The UC distributes this information to all employees electronically. Refer
to the UC Whistleblower web-site for information about the California
State Auditor’s program.
False Claims Act (FCA)
• It is illegal to submit claims for payment to Medicare or Medicaid or any other
government payer that you know, or should know, are false or fraudulent.
• FCA imposes civil and/or criminal penalties for anyone who knowingly submits
or causes the submission of a false claim to the government for payment.
• Penalties
• Civil Liability:
• Possible treble damages – 3x the amount of the false claim – and a
mandatory civil penalty of $5,500 to $11,000 per false claim.
• Can also be liable for the costs of bringing the FCA action
• Criminal Liability:
• If convicted, an individual may be fined, imprisoned, or both.
Anti-Kickback Statute
The Anti-Kickback Statute:
• Provides civil and criminal penalties for individuals and entities that knowingly and willfully offer, pay, solicit, or receive remuneration in order to induce business reimbursed (whole or in part) under a federal health care program.
• Prohibited conduct includes remuneration intended to induce:
• Referrals, or
• The purchasing, leasing, ordering or arranging for any good, facility, service, or item paid for by a federally-funded health care program.
Penalties:
• Fine of up to $25,000, imprisonment up to five (5) years, or both.
The Stark Law (Physician Self-Referral Law)
The Stark Law:
• Prohibits a physician from making a referral for certain designated health
services to an entity in which the physician (or a member of his or her
family) has an ownership / investment interest or with which he or she has
a compensation arrangement.
Penalties:
• Non-payment of Medicare claims; obligation to refund
• Civil monetary penalties (CMPs) of up to $15,000 per violation
• CMPs of up to $100,000 for entering into a circumvention scheme
Exclusion Statute
• OIG may exclude providers from participation in Federal health care programs
for: Medicare or Medicaid fraud; patient abuse or neglect; felony convictions for
other health care related fraud, theft, or financial misconduct; felony convictions
for unlawful manufacture, distribution, prescription, or dispensing controlled
substances.
• No Federal health care program payment may be made for any item or service
that:
• Has been furnished by an individual or entity excluded from participation in a
federal health care program, or
• Has been furnished at the medical direction or prescription of a physician (or
other authorized person) who is excluded from participation in a federal health
care program.
• Employers are responsible for screening professionals and staff for exclusion
status
HIPAA
Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191)
“HIPAA”:
• Created greater access to health care insurance, protection of privacy of
health care data, and promoted standardization and efficiency in the
health care industry.
• Describes safeguards to prevent unauthorized access to protected
health care information.
• As an individual who has access to protected health care information,
you are responsible for adhering to HIPAA.
• HIPAA contains other enforcement provisions. Under HIPAA, health care
fraud is a criminal offense.
Consequences
There are potential penalties and consequences of committing Fraud,
Waste or Abuse. Actual consequences depend on the violation.
• Civil Money Penalties
• Criminal Conviction / Fines
• Civil Prosecution
• Imprisonment
• Loss of provider’s medical license
• Exclusion from Federal and State health care programs
UC consequences:
• Disciplinary action up to and including termination of employment.
In Summary: Promote an Ethical Culture
Personal accountability:
• Do the right thing for the right reasons – even if it is more difficult to do.
• Ask questions!
• Report concerns – with confidence that issues will be investigated and
actions taken.
UC Policy (G-39) provides whistleblower protection for reporting false
claims and other acts of misconduct
• Retaliation is prohibited against any employee who reports wrongdoing in
good faith (“reasonable belief”), even if ultimately it is proven to be without
merit.
Conflict of Interest
Purpose
• Educate employees to recognize a conflict of interest, to understand the
University of California’s conflict of interest policies, and to be aware of
the related Federal / State laws and regulations.
• Inform employees about the risks associated with interactions with drug and
medical device representatives.
• Protect physicians, staff and the University from potential civil or criminal
investigations.
UCSD Health and its physicians and staff have a unique opportunity to advance
patient care through collaboration with health care companies.
There is nothing unethical about having a relationship with industry. To safeguard
objectivity in patient care, research and teaching, financial interests and vendor
activities need to be carefully managed to avoid improper inducements, whether real
or perceived.
What is a “Conflict of Interest” (COI)?
A Conflict of Interest is a situation in which financial or other personal
considerations may compromise or have the appearance of compromising
an employee’s professional judgment in administration, management,
teaching, research or any other professional activities.
• In health care, it often arises in the context of purchasing, prescribing,
research, and investments.
As a University of California employee you have a Conflict of Interest if you
(or a family member) have a financial interest in a decision you make or
participate in making on behalf of the University.
Conflicts of interest involve the abuse, actual or potential, of the trust people
have in others.
What are the risks of a potential Conflict of Interest?
• Appearance of impropriety – influence on clinical decisions and drug /
device prescribing on teaching, research, patient care / trust, and purchasing
decisions
• Compromise integrity – scientific studies & publications
• Conflict of time commitment and effort
• Failure to recognize the UC intellectual property & interests
• Improper channeling of funds (research and other funds)
• Misuse of UC facilities, resources, funds and personnel
• Violations can be costly:
• Civil monetary penalties (up to $5,000 per violation), misdemeanor
criminal penalties, exclusion from federal health care programs, loss of
job, license, career impact, adverse publicity…
• University policy does not permit indemnification and defense where an
employee engages in intentional illegal activity.
How do conflicts arise?
1. You have a material financial interest (personal or private);
2. You participate in, influence, or make the decision, in your official duties
/ responsibilities as a UC employee; and
3. The decision is going to materially affect your financial interest.
• All three components are required to have a conflict under the
California PRA laws.
PRA = California Political Reform Act
Examples of Potential Conflicts
• Anti-Kickback Statute – You admit or refer patients to an entity in exchange for
money, discounts or other referrals to you.
• Stark Law – You refer patients to an outside entity in which you have a financial
interest.
• False Claims Act – You submit a professional fee claim for payment for services
which were not provided.
• California PRA – You recommend a product and are on the company’s board of
directors.
• University Policy – You fail to disclose financial interests in a research project.
• UC Policy for Sponsored Research: “Disclosure of Financial Interests & Management of
Conflict of Interest Related to Sponsored Projects”, stipulates that an Investigator (any
UC employee responsible for the design, conduct, or reporting of a sponsored project at
UC) may be required to disclose significant personal financial interests related to that
project.
What types of decisions are exempt from PRA Conflict of Interest Rules?
These activities are not violations of PRA (with examples):
• Teaching Decisions – Selecting texts or other educational materials
• Patient Care Decisions – A doctor’s decisions with respect to a specific patient’s course of treatment
  • Disclose financial interests to the patient (consent form)
  • UCSD Health policy MCP 750.2, Clinical COI
• Personal Study / Research – Personal decision to pursue course of study or research
  • Other UC rules apply to disclosure of financial interests for research
PRA = California Political Reform Act
UCSD Health policy site, http://mcpolicy.ucsd.edu
Consent for Surgery or Special Procedure, http://forms.ucsd.edu
What are ways to mitigate a Conflict of Interest?
• Disclose & Recuse
  • Disclose the conflict: Failure to do so may be considered a crime in some circumstances.
  • Recuse: Abstain from purchasing & formulary decisions; and avoid making, participating in, or influencing business decisions.
• Remove the Financial Interest
  • Sell stock on the public market
  • Promptly return unused gift
  • Donate unused gift to the University (e.g., put fruit basket in public area for enjoyment of staff & public)
How to Disclose COI & Other Financial Interests
• Disclosure Forms:
• Research grants and clinical trials: 700-U form
• Clinical service agreements: 700-U form
• Annual disclosure of outside professional activities (APM 025 / APM 671)
• Prior Approval for Category I activities (Academic Faculty)
• Disclosure to Others:
• Conflict of Interest Office
• Health System Pharmacy & Therapeutics (P&T) committee
• Patients -- via the consent form for anesthesia, surgery and other procedures
• Purchasing and Procurement Offices
• Intellectual Property & Technology Transfer
• CME event learners (disclose partial support from industry)
• Publications (disclose partial support from industry or other grants)
Health Care Vendor Relationships
University of California Policy which supplements UC’s Conflict of Interest Policies
Physician Payments Sunshine Act
University of California – Policy on Health Care Vendor Relationships
Purpose:
• Avoid appearance of undue influence on health care decisions
• Avoid perception of product endorsement
• Protect patient privacy
• Ensure that vendors are aware of and follow UC San Diego Health System
policies and procedures that relate to vendor activities
Policy highlights:
• Prohibits vendor gifts provided to individuals
• Prohibits branded items with company logos in all UC San Diego Health
System sites.
• Vendors may provide: Branded patient education materials if necessary for
unique patient education purposes, but materials should be free of all product
bias.
UC Health Care Vendor Relations Policy (HCVR)
• Vendors may provide:
• Honoraria & related expenses (FMV) for legitimate services
• Refreshments & materials at sponsored CME seminars
• Items at a discount or free as part of a University contract or a research project
• Samples for UC’s free clinics
• Limited product for evaluation / education purposes
• Patient assistance programs through UCSD Health Pharmacy
• Product education to professional staff (marketing)
UC Health Care Vendor Relations Policy
Privacy Considerations
Vendors must:
• Register with RepTrax for vendor credentialing http://www.reptrax.com
• Review UCSD Health’s policies for vendors
• Submit immunization credentials
• Review training requirements for clinical support vendors
• Wear the facility specific “Reptrax” vendor ID badge
• Have scheduled appointments
• Only be in non-clinical areas
Vendors may enter patient care areas, if:
• Pre-registered and requested by a UC representative
• Providing a specific health support service, e.g., servicing equipment
Vendors are subject to patient confidentiality provisions
• Certain activities require a HIPAA Business Associate Agreement (BAA) prior
to sharing data with the vendor.
Examples of Risks with Industry
Relationships
1. Gifts: Vendor provides free food, free drug samples, other patient-use products,
entertainment, even small items, such as pens & notepads – directly to individuals.
2. Vendor sponsored CME & Speakers Bureau: Potential for bias, preferentially promoting
the vendor’s products, “off-label” marketing; or receiving excessive payments for
education / CME activities
3. Vendor paid consulting fees: Risk of sham agreements
4. Ghostwriting: Risk of biased presentations, publications
5. Research funding and grants: Potential for study bias
6. Preceptorships: Potential for disguised marketing opportunity
7. Kickbacks: Money, fees, commissions, credits, gifts or gratuities
Be aware that payments and other transfers of value from
industry to teaching physicians and teaching hospitals must be
reported by industry to CMS under the federal “Open Payments
Law”.
Federal Open Payments Law
“Physician Payments Sunshine Act”
Government is enforcing the Open Payments Law:
• Physician Payments Sunshine Act: (1) Creates transparency around financial relationships of
manufacturers, physicians and teaching hospitals; (2) Requires annual reports of payments or
other transfers of value made from industry to physicians and teaching hospitals to CMS; (3)
Increases public awareness of financial transactions with industry.
• Payment data is available to the public, http://www.cms.gov/openpayments/index.html
What should Teaching Physicians do?
• Become familiar with the information that will be reported by industry
• Keep records of all agreements, payments and other transfers of value received from applicable
manufacturers.
• Register to review reported information before it becomes publicly available. Ensure that
information submitted about you is correct, and dispute information which is not accurate. You can
register online at https://www.cms.gov/OpenPayments/Program-Participants/Physicians-and-Teaching-Hospitals/Registration.html.
• Review the AMA and CMS fact sheets for physicians
Resources
• UCSD Health – Medical Staff Bylaws & Health System Policies (MCPs)
• Intra-net: http://mcpolicies.ucsd.edu
• UCSD Health Sciences Compliance Program
• Code of Conduct, Billing Guidance, Research Compliance, Privacy
• http://healthsciences.ucsd.edu/compliance
• UCSD Conflict of Interest
• Policy (PPM 200-13, COI) and Disclosure Requirements
• http://blink.ucsd.edu/sponsor/coi/index.html
• UCSD Human Research Protection Program (HRPP)
• http://irb.ucsd.edu/
• University of California – Ethics, Compliance & Audit Services
• http://www.ucop.edu/ethics-compliance-audit-services
• UCSD Gift Processing, http://blink.ucsd.edu/sponsor/gift-processing/
• UCSD COI Office, http://coi.ucsd.edu
• UCSD OCGA – Contract & Grant Administration,
http://blink.ucsd.edu/sponsor/ocga/
• UCSD Health Sciences Business Contracting, http://healthsciences.ucsd.edu
• UCSD General Counsel Office – to seek legal advice prospectively,
http://www.ucop.edu/general-counsel/
• UCSD Continuing Medical Education, http://cme.ucsd.edu
• UCSD Campus Procurement & Contracts, http://procurement.ucsd.edu
University Policies Related to Vendors
• University of California:
• PP031208, Policy on Health Care Vendor Relationships & FAQs
• http://healthsciences.ucsd.edu/compliance/vendors
• UC Policy & Guidelines Regarding Acceptance of Gifts and Gratuities by Employees
• UCSD Health Policies, http://mcpolicy.ucsd.edu
• 14, Business Associate Agreements
• 410.1, Renting or leasing of equipment from outside vendors
• 428.1, Loaned Equipment
• 550.1, Vendor Policy and Guidelines
• 750.2, Clinical Conflict of Interest
• UCSD Campus
• PPM 523-9, Vendor – Employee Relationships http://adminrecords.ucsd.edu/ppm/docs/523-9.html
• Office of Continuing Medical Education (OCME): FAQs – Commercial Support, ACCME Standards, https://cme.ucsd.edu/faq_accreditation.html
Privacy & Information Security Training
Objectives
• Understand what information must be protected under state and federal privacy laws
• Understand your role in maintaining privacy and security of protected health information (PHI)
• Understand patient rights regarding access, use and disclosure of medical information
• Understand your role with adhering to data security standards and responsibility for reporting incidents
• Understand the consequences for non-compliance
This training module satisfies Federal laws which mandate workforce privacy / security training at the time of hire and UC policy for annual privacy training.
Who must complete privacy / security training at UCSD?
Anyone who works with or may see health, financial, or confidential information with personal identifiers
Anyone who uses a computer or electronic device to store and/or transmit personal or health information. Examples:
• Medical Center / Medical Group / Health Science employees
• Schools of Medicine / Pharmacy employees
• Health professions students and trainees
• Campus staff who work in clinical areas
• Volunteers (including Volunteer Clinical Faculty)
• Students who work in patient care areas
• Research staff and investigators
• Accounting, Payroll and Benefits staff
• Other independent contractors with access to UC’s personal / health information who assist UCSD employees with their job
Privacy & Security Laws
Federal and State laws
The following list is not inclusive of all federal and state privacy laws.
Federal Privacy Laws
Law – Description
• HIPAA – Health Insurance Portability and Accountability Act of 1996 to make health insurance more efficient and portable; establishes privacy rights, standards to protect privacy and information security. HIPAA’s laws also address Code Sets and Transaction Standards.
• HITECH – Health Information Technology for Economic and Clinical Health (HITECH, 2013) implements enforcement and oversight of HIPAA, privacy enhancements and added false claims and penalties.
• GINA – Genetic Information Nondiscrimination Act of 2008 (GINA) protects job applicants, current and former employees and trainees from discrimination based on their genetic information.
• PCI – Payment Card Industry Standards – address credit card data security.
• FERPA – Family Educational Rights & Privacy Act protects the privacy of student education records.
California Privacy Laws
Law – Description
• Confidentiality of Medical Information Act (CMIA) – CMIA prohibits disclosure of “medical information” without prior authorization unless permitted by law. “Medical Information” means any individually identifiable information in the possession of or derived from a provider of health care regarding a patient’s medical history, mental or physical condition, or treatment. [Cal. Civil Code 56.05(g), 56.10]
• Personally Identifiable Information (PII) (AB1298, SB541) – Data Protection / Breach Notification. Prevent unlawful or unauthorized access to protected information and breach notification to individuals of any reasonable suspicion of a compromise of that protection. [Cal. Civil Code 1798.29]
• Information Practice Act (IPA) – Limits the collection, maintenance, and distribution of personal information by state agencies. Right to review your personal information in state agency records. [Cal. Civ. Code 1798-1798.78]
Personally Identifiable Information (PII)
Definition
PII is a category of sensitive personal information that includes an individual’s name (first name or initial and last name) in combination with any one or more of the following:
• Social Security number (SSN)
• Driver’s license number or State-issued Identification Card number
• Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account.
• Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional)
• Health insurance information (an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records)
If this information is stored electronically, it must be protected from unauthorized
access. Best practice: Encrypt PII data.
Protected Health Information (PHI)
Definition
PHI is any personal or health information UCSD creates or maintains in the
course of providing treatment, obtaining payment for services, or while
engaged in health care operations including teaching and research activities.
Examples of PHI include:
• Name, address, social security number, date of birth/death, dates of service
• Medical records, test results, treatment plans, appointment reminders
• Billing records, referral authorizations, health insurance information
• After visit summaries
• Photographs and images, e-mail and web-addresses
To view a complete list of HIPAA’s 18 PHI identifiers, http://healthsciences.ucsd.edu/compliance/
To the patient: All Information is Confidential!
• Patient Personal Information
• Patient Financial Information
• Patient Medical Information
• Written, Spoken, Electronic PHI
• Patient Information may be accessed, used, viewed or disclosed
only to do your job.
Requirements before PHI is Used or Disclosed
In order for UCSD to use or disclose PHI:
• The University must give each patient a “Notice of Privacy Practices” that:
• Describes how the University may use and disclose the patient’s protected health information (PHI) and
• Advises the patient of his/her privacy rights
• The University must attempt to obtain a patient’s signature acknowledging receipt of the Notice, except in emergency situations. If a signature is not obtained, the University must document the reason.
• The University must provide privacy / security training to its workforce.
• To view UC San Diego Health’s “Notice of Privacy Practices”, http://health.ucsd.edu/hipaa.html
Access to Protected Health Information (PHI)
• Patient information is confidential and shall not be accessed or viewed
other than for the sole purpose of performing employment duties and
responsibilities
• Accessing a medical record, including your own or that of a family
member or friend, without a work purpose is a violation of UCSD
policy
• UCSD monitors electronic access to PHI to assure compliance
• Violations are subject to disciplinary action up to and including
termination as well as individual fines.
• Patients may request access to their medical record via MyUCSDChart
or by contacting Health Information Management (Medical Records) for
a copy of their record.
• http://health.ucsd.edu/patients/Pages/medical-records
You may…
• Look at a patient’s PHI only if you need to do so for your job
• Use a patient’s PHI only if you need to do so for your job
• Disclose a patient’s PHI to others only when it is necessary for others to do their job
You must…
• Limit your access, use and disclosure of PHI to the minimum necessary information needed to perform your job.
PHI may be Used and Disclosed for “T.P.O.”
Treatment
• We may use and disclose medical information about a patient to health
system doctors, nurses, technicians, students or providers who are involved
in the patient’s care
Payment
• We may use and disclose medical information about the patient so that
treatment and services received may be billed and payment may be
collected – subject to the minimum necessary standard
Operations
• We may use and disclose medical information for teaching, medical staff
peer review, legal purposes, internal auditing, to conduct customer service
surveys, and general business management – subject to the minimum
necessary standard
Other Permitted Uses and Disclosures
• To avert serious threat to
health and safety
• For organ and tissue
procurement, reimplantation, or
banking purposes
• To military command authorities
about armed forces patients
• To workers’ compensation
programs
• For public health disclosures
• For government oversight
activities
• To law enforcement, for certain
activities
• To coroners, medical examiners
and funeral directors
• For national security and
intelligence activities
• To correctional institutions about
inmates
• For certain legal proceedings,
lawsuits and other legal activities
• To business associates with a
written business associate
agreement (BAA)
Other Permitted Uses & Disclosures of PHI
• Appointment reminders – but take care to avoid leaving messages on voice-mail
or answering machines which disclose sensitive information.
• To provide treatment alternatives
• To provide limited information about named patients (inpatient directory)
• To assist other individuals involved in the patient’s care (e.g., family, friends, etc.),
if determined to be in the patient’s best interest.
• For disaster relief efforts
• For research – with UCSD HRPP / IRB study approval and subject’s signed
consent & signed HIPAA Authorization to use PHI for Research (or IRB waiver)
• For fundraising – with opt-out notices and limited to certain demographic
information. Honor patient requests to “opt-out” of donation solicitations.
• To business associates (third parties) – who provide a service involving access to
PHI data with a signed UC Business Associate Agreement
Business Associate Agreements (BAA)
How to obtain a BAA…
• Notify UCSD Health Purchasing or the UCSD Contracting Office if a
third-party provides a service to UCSD involving access to UCSD’s PHI
• Generally, UC’s approved BAA template must be used.
• BAA contracts may only be executed (signed) by individuals with
signature authority, e.g., Purchasing, Contracting.
• BAA agreements are typically signed as a separate agreement to the
purchase order, MOU, or other contractual agreements.
• Prior to the release of PHI to a third party, ensure that:
• BAA has been fully executed (signed) by authorized signers:
• View the list of signed BAAs on UCSD Health Purchasing’s site,
http://supplychain.ucsd.edu/purchasing
• HIPAA Security “risk assessment” is documented and any issues addressed.
Marketing: The Sale of PHI is Prohibited!
• “Sale of PHI” is prohibited by law unless it meets an exception or
there is a valid prior patient written authorization.
• “Sale of PHI” means a disclosure of PHI where the covered entity (UCSD Health)
or business associate directly or indirectly receives remuneration from (or on
behalf of) the recipient of the PHI in exchange for the PHI.
• HIPAA exempts certain disclosures for:
• Public health purposes
• Research - where the remuneration received is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI
• Treatment and payment purposes
• Merger or change of control purposes
• UCSD Health (UCSDH) providers may recommend treatment or describe
services provided by UCSDH or UCSDH’s provider network. These
communications are not considered marketing under the HIPAA Privacy Rule.
Policy: MCP 12.2, Uses and Disclosures of PHI for Marketing, http://mcpolicy.ucsd.edu
All Other Uses of PHI Require the Patient’s
Written Authorization
HIPAA has very specific requirements for the written authorization. It must:
• Describe the PHI to be released
• Identify who may release the PHI
• Identify who may receive the PHI
• Describe the purposes of the disclosure
• Identify when the authorization expires (date)
• Be signed and dated by the patient / patient representative
Generally a HIPAA authorization expires one year from the signature date – unless indicated otherwise.
Examples of Circumstances when Patient
Authorization is Required
• Medical Records:
• For the use and disclosure of medical information or records when that
information is being provided / sent to someone other than the patient.
• Disclosure of PHI to the employer, lawyer, accountant requires the patient’s
written authorization.
• Fundraising
• For the use and disclosure of a patient’s PHI, other than limited demographic
information and name of treating department / doctor.
• Media Communications:
• For the use and disclosure of PHI to the media or news releases
• Marketing and Other Products:
• For the use and disclosure of a patient’s PHI to pharmaceutical or medical
device companies, non-profit organizations, etc.
Authorization Form for Release of PHI
Available from: http://forms.ucsd.edu (form D818)
HIPAA: Patient Specific Privacy Rights
Notice of Privacy Practices
• Right to request restriction of PHI uses and disclosures. Restrictions
should not be granted by faculty or staff without consulting the Privacy
Officer.
• Right to request confidential forms of communications (e.g., mail to the
P.O. Box not street address, no messages on answering machines, etc).
• Right to access and receive a copy of their medical record.
• Right to receive an accounting of the disclosures of their PHI.
• Right to request amendments to their medical record.
• Right to request NO disclosure to payers regarding services paid-in-full at
the time of service with written notice.
• Right to avoid unwanted fundraising solicitations.
• Right to receive a Notice of Privacy Practices, http://health.ucsd.edu
Information Security
Good Computing & Data Practices
Federal / State Privacy & Security Laws
Providers of health care are required to implement administrative, physical and technical safeguards to:
• Ensure the confidentiality, integrity, and availability of protected health information the covered entity creates, receives, maintains or transmits
• Protect against reasonably anticipated threats or hazards to the security or integrity of such information (45 CFR 164.306)
• Safeguard patient medical information from unauthorized or unlawful access, use or disclosure
• Implement policies and procedures to prevent, detect, contain, and correct security violations (45 CFR 164.308)
Privacy / Security: Safeguards & Reminders
• Keep office(s) secured
• Encrypt (AES-256) and password protect your computer and portable media. Use strong, complex passwords or a passphrase.
• Backup your electronic information
• Run anti-virus, anti-spam, anti-spyware software
• Keep laptops, disks, back-up tapes, USBs secure
• encrypted & locked up!
• Lock your computer session: Windows key + L
• Report privacy complaints & security incidents promptly!
• Do not leave computers or patient documents or research records in your car (even if it is locked) to avoid the risk of theft and breach notifications!
UCSD personnel / students are expected to adhere to these email computing practices:
• Send Secure: Identify messages containing restricted information by adding Secure: at the beginning of the email’s subject line, and encrypt any attachments containing HIPAA information or personally identifiable information. To learn more about email encryption, refer to: http://Blink.ucsd.edu
• Monitoring: UCSDH has the right to scan UCSD emails for unencrypted sensitive information in outbound emails and email attachments. To avoid potential email transmission delay, send secure.
• Adhere to HIPAA’s minimum necessary standard (least necessary). Avoid sending sensitive information via email.
• Use UCSDH’s secure email portal, MyUCSDChart, to send emails to our patients
• Register mobile devices in UCSDH’s managed device program, e.g., smart-phones, personal laptop/computer. Go to: http://hsmdm.ucsd.edu from the mobile device.
• Only use UCSDH provided email accounts when conducting UCSD business.
• Auto-forwarding or redirecting your UCSD email to a personal email account is not permitted.
• When you leave UCSD, be aware that your current email account will be closed upon separation, transfer out of UCSDH, retirement, or other change in status.
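The "Send Secure" and "Monitoring" practices above, sketched as an added example; this is not UCSDH's scanner and not code from the original training. The function names, the three actions (encrypt, hold, deliver) and the detection patterns are assumptions made for illustration, and the sample values are constructed.

```python
import re
from email.message import EmailMessage

SECURE_PREFIX = "secure:"  # subject marker named in the training slide
# US SSN written with hyphens, excluding ranges that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(number):
    """Luhn checksum: filters out digit runs that are not payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return (kind, masked_value) pairs; only the last four digits are kept."""
    hits = [("ssn", "***-**-" + m.group()[-4:]) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            hits.append(("card", "****" + re.sub(r"\D", "", m.group())[-4:]))
    return hits


def review_outbound(msg):
    """Decide what a gateway would do with one outbound message.

    Assumed policy: a subject starting with "Secure:" is routed to encryption,
    an unmarked message with identifiers is held (the transmission delay the
    slide mentions), and everything else is delivered.
    """
    subject = (msg["Subject"] or "").strip()
    marked = subject.lower().startswith(SECURE_PREFIX)
    findings = [("subject", k, v) for k, v in find_identifiers(subject)]
    unscanned = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        where = f"attachment:{name}" if name else "body"
        if part.get_content_maintype() != "text":
            unscanned.append(where)  # binary part: reported, not parsed here
            continue
        findings += [(where, k, v) for k, v in find_identifiers(part.get_content())]
    if marked:
        action = "encrypt"
    elif findings:
        action = "hold"
    else:
        action = "deliver"
    return {"action": action, "findings": findings, "unscanned": unscanned}


def build_message(subject, body, attachments=()):
    """Build a constructed sample message; attachments are (filename, data) pairs."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data in attachments:
        if isinstance(data, bytes):
            msg.add_attachment(data, maintype="application",
                               subtype="octet-stream", filename=name)
        else:
            msg.add_attachment(data, subtype="plain", filename=name)
    return msg


if __name__ == "__main__":
    roster = "name,ssn,card\nTest Patient,123-45-6789,4111 1111 1111 1111\n"
    samples = [
        build_message("Secure: lab follow-up", "Patient SSN 123-45-6789 for billing."),
        build_message("Clinic roster", "Roster attached.", [("roster.csv", roster)]),
        build_message("Lunch order", "Call 619-543-7474, order no. 1234 5678 9012 3456."),
    ]
    for sample in samples:
        print(sample["Subject"], "->", review_outbound(sample))
```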
E-Mail: Good Computing Practices to Protect the Privacy/Security of Identified Data
• Footer: Include a privacy footer to notify email recipients of confidential information. Refer to MCP 18.1, Email for sample wording.
• Privacy breach?: Report misdirected or misaddressed emails containing HIPAA information to the UCSDH Privacy Office via: hscomply@ucsd.edu
• Phishing: Report suspected phishing or “phony” emails to abuse@ucsd.edu and delete the email. Do not click on suspicious links or respond to requests to send your password, reset your password, transmit a SSN or credit card number via email. Reputable businesses will never ask for this information by email! Call the UCSDH Help Desk (T: 619.543.7474) for assistance if you suspect a compromised computer.
• Record retention: Email is considered a temporary record and should only be retained until the administrative use ceases, typically one year (or less) unless notified by UC legal counsel to retain email records, e.g., litigation request to preserve e-records.
• Use strong/complex passwords. Do not share user passwords or tamper with emails of others.
Good Computing Practices:
Passwords
• Use cryptic passwords that can’t be easily guessed
• Avoid using a dictionary word or a person’s name
• Use long passwords (more than 8 characters), mixed upper and lower case, symbols and numbers – or a passphrase.
• Protect your passwords – don’t write them down
• Never share your passwords
Good Computing Practices:
Workstation Security
• Physically secure your area and data when unattended
• Secure your files and portable equipment – including memory / USB flash drive (USB stick)
• Secure laptop computers with a lockdown cable
• Never share your access code, card or key
• Lock your screen or log-off from restricted systems promptly
Good Computing Practices:
Portable Device Security
• Don’t collect electronic information that you do not need
• Don’t keep confidential data on portable devices, unless it is absolutely necessary
• Encrypt laptops and other portable media containing restricted information
• Back-up portable device data to a secure UCSD Health server
• Erase (sanitize) devices before disposal or recycling
• Password protect smart-phones
• Activate function “find my device”, if available
• Encryption is a process that renders electronic information unusable, unreadable or
indecipherable. HITECH law advises using AES-256 FIPS approved encryption methods.
To learn more: http://blink.ucsd.edu and HHS.gov’s “Guidance to Render Unsecured Protected Health
Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” at
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
Other Good Practices:
Data Management & Paper Records
• Don’t collect information that you do not need
• Reduce the number of places where you retain restricted data
• Redact (delete) unneeded personal identifiers & other sensitive data
• Lock-up paper records with restricted, sensitive information
• Do not leave restricted information in your car – even if it is locked!
• Check conference rooms after meetings; remove sensitive information
• Purge data responsibly once the need for it has expired
• Cross-shred (confetti pieces) or use secure locked shred-bins
• Use fax cover sheets, verify the fax number and documents to be faxed prior to sending. Promptly report misdirected faxes to the Privacy Office.
• Avoid leaving sensitive information on voice-mail or answering machines where other individuals may hear the message.
Breaches
Definition and examples
Timely reporting & notification
Sanctions and penalties
Policies
What is a Breach?
General Definition & Examples
Breach - The unauthorized acquisition of, access to, viewing of, use or
disclosure of personally identifiable information or HIPAA protected health
information (PHI) that violates state or federal privacy laws.
• Regardless of the information format, e.g., electronic, paper, verbal, web
• Regardless of the reason, e.g., deliberate, unintentional, or accidental
• Exceptions exist for secured data meeting certain criteria, such as encryption or confetti shredded materials
Examples:
• Hacked or compromised computer or network
• Misdirected fax; misaddressed email; or misaddressed U.S. mail
• Misdirected documents (e.g., released in error to someone else)
• Snooping (unauthorized access to or viewing of restricted information)
• Web-posting of restricted information (YouTube, PDFs, PPTs, XLS files)
• Lost or stolen devices, e.g., laptops, USB drives, other storage media
Report Privacy & Security Breaches Promptly!
UC policy states that any unauthorized access, use (including
viewing) or disclosure of a patient’s personal or health
information is a violation of law and a violation of UC policy,
and must be reported immediately.
UC Business & Financial Bulletin, IS-3 Policy
http://policy.ucop.edu/
Reporting Procedures
and Breach Notifications
In the event of a breach, notify the UCSD Health Privacy Office promptly!
Preferably the same day that you become aware of an incident
The Privacy Office will provide assistance with incident investigation, risk
assessment and breach notification procedures to the affected individuals
and other regulatory agencies.
State & Federal laws require that affected individuals be notified of a
breach involving personally identifiable information
Privacy Office
Tel: 858-657-7487
Penalties & Sanctions
Corrective Actions
• If an incident represents a violation of policy or of state / federal laws, the
University will apply corrective and disciplinary actions and other sanctions
in accordance with UC policy up to and including dismissal -- termination of
employment.
State / Federal Privacy Penalties
• Office for Civil Rights (OCR) and the State may assess fines and civil
penalties against health care providers, business associates and individuals
• Penalties range from $2,500 - $250,000 per occurrence (or higher),
depending on the circumstances. Repeat violations and violations for
financial gain are assessed higher penalties.
• Violations may also be reported to an individual’s medical licensing board
• California law permits civil suits against the individual
Privacy & Information Security Policies
UC San Diego Health’s policies
• Policy (MCP) web-site (intra-net), http://mcpolicy.ucsd.edu
• Privacy & Information Security: MCP 1-25, MCP 210.1
• Notice of Privacy Practices, http://health.ucsd.edu/hipaa/Pages/hipaa.aspx
• Privacy forms, http://forms.ucsd.edu (intra-net)
• Authorization for Release of PHI, Designation of Personal Representative, Request for Record Amendment / Addendum, Fax Cover Sheet, Email Consent Form, …
• UCSD Campus
• PPM 135-3, Electronic Communication Policy (ECP)
• Blink: Network Security: Minimum Standards
• UC HIPAA Policies & Business Finance Policy IS-3, http://policy.ucop.edu
Summary
• State and Federal privacy laws require that personally identifiable information including protected health information (PHI) must be protected.
• As a University of California workforce member, you are responsible to protect the privacy and security of information entrusted to you. Follow safeguards to prevent unauthorized viewing of PHI, or the loss or theft of information.
• Understand and respect patient privacy rights. Call the Privacy Office if you have questions.
• Understand your responsibility to promptly report incidents.
• There are consequences for violations and non-compliance.
Questions?
Information Security 619-543-7474
(or internally: 3-HELP)
Privacy Office 858-657-7487
University of California
Hot Line
800-403-4744
Callers may be confidential or ask to
remain anonymous. Hot Line is staffed
24/7.
Who to call for help or more information…
General Compliance Briefing -
Ethical Values & Conduct
For University of California employees and workforce members
Objectives
By the end of this briefing, you will have learned:
• About expectations and obligations with respect to your University
employment
• How the University’s ethical values and standards of ethical conduct apply
to your work life
• How to report potential instances of non-compliance and fraud
• About the UC Whistleblower Protection Policy
This briefing includes fictional scenarios which demonstrate the value of
ethical awareness and compliance while helping you evaluate appropriate
responses to situations similar to those you may experience while working
at the University.
Statement of Ethical Values
Adopted by The Regents of the University of California, May, 2005
Members of the University of California community are committed to the highest ethical
standards in furtherance of our mission of teaching, research and public service. We recognize
that we hold the University in trust for the people of the State of California. Our policies,
procedures, and standards provide guidance for application of the ethical values stated below
in our daily life and work as members of this community.
• We are committed to:
• Integrity. We will conduct ourselves with integrity in our dealings with and on behalf of the University.
• Excellence. We will conscientiously strive for excellence in our work.
• Accountability. We will be accountable as individuals and as members of this community for our ethical conduct and for compliance with applicable laws and University policies and directives.
• Respect. We will respect the rights and dignity of others.
Additional Reading: Statement of Ethical Values (213k PDF) http://www.ucop.edu/ethics-compliance-audit-services/_files/stmt-stds-ethics.pdf
Standards of Ethical Conduct
Adopted by The Regents of the University of California, May, 2005
All members of the University community, including The Regents, Officers of The Regents, faculty and other academic personnel, staff, students, volunteers, contractors, agents and others associated with the University are expected to abide by these Standards of Ethical Conduct:
1. Fair Dealing
2. Individual Responsibility and Accountability
3. Respect for Others
4. Compliance with Applicable Laws and Regulations
5. Compliance with Applicable University Policies, Procedures and Other Forms of Guidance
6. Conflicts of Interest or Commitment
7. Ethical Conduct of Research
8. Records: Confidentiality/Privacy and Access
9. Internal Controls
10. Use of University Resources
11. Financial Reporting
12. Reporting Violations and Protection from Retaliation
Pursuit of the University of California mission of teaching, research and public service requires a
commitment to ethical conduct by all. The Standards of Ethical Conduct reflect our belief in ethical, legal and
professional behavior in all of our dealings inside and outside the University.
Your Employment Obligations
As an employee of the University of California, it is important that you:
• Know the applicable laws, regulations and policies that affect your employment responsibilities
• Understand the Statement of Ethical Values and Standards of Ethical Conduct and University policies and procedures related to your employment responsibilities
• Ensure your actions are consistent with the Statement of Ethical Values and Standards of Ethical Conduct
• Report potential instances of non-compliance and fraud
• Understand your rights and responsibilities under the UC Whistleblower Protection Policy
Ethics and Compliance at the University: Principles & Practices
Ethics and compliance are not new to the University of California. Many
University locations, divisions and the faculty already have longstanding
ethical codes of their own, as well as "Principles of Community" addressing
our shared commitment to respect each other’s roles, diverse backgrounds
and personal responsibilities. Ethical and compliant practices are core to
the University and its mission of teaching, research and public service.
The purpose of this briefing is to raise continued awareness of the University’s
Statement of Ethical Values and Standards of Ethical Conduct and to
convey University employment obligations with respect to ethical and
compliant behavior. The purpose is not to teach University policy but to
familiarize University employees with important ethics and compliance
information, issues and resources.
University of California’s Fraud Risk Management Program
Being an employee of the University of California invests us as stewards of the public trust. We
have a unique mission of research, education and public service to the citizens of California,
and during these difficult financial times we must be vigilant to assure that resources are
protected and used wisely.
Fraud can be defined as any intentional act or omission designed to deceive others, resulting
in the victim suffering a loss and/or the perpetrator achieving a gain.
Understanding what fraud is and what types of programs are in place at UC to prevent or
detect fraud is a key element of everyone’s job description. Proactively, UC leadership has
decided to establish fraud risk management programs at each location. Typically the program
includes policies, procedures, increased education and training, awareness campaigns, and
audit and monitoring activities, and may be integrated within the campus or laboratory’s
internal audit, ethics and compliance risk, or risk services programs. However, oversight of the
program should remain at the highest level – typically at the campus or laboratory’s ethics and
compliance risk committee.
The following scenarios provide an insight into fraud awareness and establish a foundation for
fraud management. Utilizing the confidential and anonymous Whistleblower Hotline to report
potential instances of fraud, waste and abuse is a key step in preserving UC’s resources.
Scenario: Andrei’s Print Problem
Andrei is a manager in a newly established
unit and is responsible for selecting and
purchasing all the office equipment for the
unit. After narrowing his selection to two
vendors with similar products and pricing, he
learns that one of the vendors offers a free
printer for bulk purchases. Feeling inspired
by the prospect of a free printer, he focuses
his efforts on this company and ends up
negotiating a large discount. Given the
discount he negotiated, as well as all his
extra efforts on this project, Andrei feels
justified in accepting the printer for his home
office. However, he isn’t sure if it would be
appropriate to do so per UC policy.
Should Andrei accept the free printer for his home
office? (You may select more than one option.)
A. No. There are laws and University policies that prevent acceptance of a
significant gift from a vendor and participating in decisions to award
business to that vendor.
B. Yes. Since the University has not increased his compensation in two
years, he should be able to keep the printer as compensation.
C. Yes. It would be inappropriate to turn down such a gift.
D. No. Accepting the printer is a conflict of interest.
Feedback Text
The best answers are A and D. Proceed to next page to read a discussion of this scenario.
Discussion: Andrei’s Printer Problem
The following Standards of Ethical Conduct apply:
4. Compliance with Applicable Laws and Regulations
5. Compliance with Applicable University Policies, Procedures and Other Forms of Guidance
6. Conflicts of Interest or Commitment
Andrei may not accept the printer because it is a violation of conflict of
interest laws and the University’s gift policy. If you have questions about
whether or not a gift may be accepted, you should ask your supervisor or
your location’s COI Coordinator, or call 1-800-403-4744
Scenario: Favor for Frank
Associate Director of Facilities Teresa retired last
year and Director of Facilities Dave needed the
position filled quickly. Rather than publicly posting
the position, Dave contracted with Frank, his
former co-worker from a previous job. Dave knew
that Frank had the basic qualifications for the
position and wanted to work for the UC system.
Meanwhile, several employees in the department
were hoping to be considered for the position and
planned to apply when it was posted. The position
was not posted until twelve months later and by
that time Frank had acquired the experience to
fulfill the job requirements. Frank was hired from a
limited pool of applicants that included two long
term staff members.
Which of the following are true statements? (You may select more than one option.)
A. It is unfair for Director Dave to bypass the appropriate channels to fill an open position by contracting with a former colleague.
B. Hiring for University jobs must follow relevant laws and University policies regarding open recruitment.
C. It was appropriate for Dave to contract with Frank because Dave wanted the position filled quickly and did not want to go through the normal recruitment process.
D. University values encourage fair dealing and honest interaction between management and staff in the recruitment and promotion process.
Feedback Text
The best answers are A, B, and D. Proceed to next page to read a discussion of this scenario.
Discussion: Favor for Frank
The following Standards of Ethical Conduct apply:
• 1. Fair Dealing
• 2. Individual Responsibility and Accountability
• 4. Compliance with Applicable Laws and Regulations
• 5. Compliance with Applicable University Policies, Procedures and Other Forms of Guidance
• 10. Use of University Resources
Bypassing the normal recruitment procedures is unfair to both internal staff seeking
promotional opportunities and to external candidates interested in working for the University.
Failing to go through the formal application process violates University policies that require
open recruitment in most cases, and may also violate federal regulations. Furthermore, a
University position is a resource and should be allocated to the best qualified candidate in a
pool of qualified candidates.
If you have questions about whether or not human resources policies are being violated, you
should ask your supervisor or the Human Resources department at your location.
Scenario: Ingrid’s Interests
Ingrid is a budget officer in the School
of Engineering. She would like to serve
on a committee that will select a
company to provide consulting
services to the School of Engineering.
Ingrid’s husband works for one of the
companies bidding on the work.
However, he won't be working on the
proposal, and if his company wins the
bid, he wouldn't be part of the
consulting job.
Which of the following statements are true?
A. Ingrid's participation in a decision that involves her husband’s company violates
University policy and state law.
B. Because Ingrid’s husband’s company could benefit as a result of the decision,
Ingrid’s interests could be compromised in a number of ways.
C. Even if the bidding process means that the lowest bidder gets the consulting
job, Ingrid's involvement in the decision could be regarded as unfair by the
participants, creating the appearance of a conflict of interest.
D. All of the above
Feedback Text
The best answer is D. Proceed to next page to read a discussion of this scenario.
Discussion: Ingrid’s Interests
The following Standards of Ethical Conduct apply:
1. Fair Dealing
5. Compliance with Applicable University Policies, Procedures and Other Forms of Guidance
6. Conflicts of Interest or Commitment
• Even though the process requires selection of the lowest bid, and Ingrid’s husband will not
personally gain if his company were selected, Ingrid has a financial interest in the University’s
decision to select a consulting vendor and may not participate in any way in the decision. While
she receives no direct income from her husband’s company, Ingrid’s community property
interest in her husband’s salary is enough to constitute a conflict. She would also have a conflict
of interest if the other individual in this scenario were a registered domestic partner, rather than
her husband.
• As long as Ingrid has an interest in the decision, she has a conflict of interest and may not
participate. Even if the result of the process is that the lowest bidder gets the contract, Ingrid
could be liable for civil and criminal penalties, because she would have violated the conflict of
interest provisions of the Political Reform Act, which applies to all University employees.
Scenario: Cliff’s Consulting
Cliff is a junior faculty member in the History
department who was recently hired to teach
multiple sections of his specialty, Greek history.
Cliff is also a talented web designer, and to make
extra money, he recently entered into an outside
consulting agreement with a company to design its
website. The extra work is keeping him up very
late at night, and to meet the company deadlines,
he also uses many of his office hours to work on
the website. Cliff is so tired that he is barely able to
stay focused when lecturing. His students have
been complaining that he is falling behind with
grading, and his colleagues have also expressed
concern about his lack of participation in
department meetings.
Should Cliff continue with his consulting arrangement while still a full-time employee of the University? (You may select more than one option.)
A. No. Cliff should make sure his outside interests do not interfere with his University responsibilities.
B. No. Cliff is not being respectful to his students and colleagues.
C. Yes. Cliff is probably just tired from having to teach so many sections of Greek history.
D. No. Cliff is misusing University resources to work on outside activities for personal gain.
Feedback Text
The best answers are A, B, and D. Proceed to next page to read a discussion of this scenario.
Discussion: Cliff’s Consulting
The following Standards of Ethical Conduct apply:
• 3. Respect for Others
• 6. Conflicts of Interest or Commitment
• 10. Use of University Resources
While University employees may be able to hold outside jobs and enter into outside consulting agreements, Cliff’s primary problem in this scenario is that his outside interests are affecting his duties as a University employee. Because he is not fully participating in teaching/learning opportunities, either as a lecturer or as a colleague, he is not demonstrating respect for his colleagues and students. He is also misusing University time and resources for personal gain.
If you have questions about whether or not an outside professional activity is appropriate, you should ask your supervisor or the Academic Personnel office.
Scenario: Grant Shell Games
Jessie is a researcher paid 100% on a grant fund
in a small laboratory that is struggling to stay
funded. Meredith, the principal investigator of the
lab, asks Jessie to stop working on the project in
order to work on a proposal which will help keep
the lab afloat financially. Hayden, the departmental
manager, notices that Jessie has been assisting
with developing the proposal materials and inquires
about the situation. Jessie confides that he is
concerned that the workload associated with
generating the proposal for the new project is
preventing him from completing the work on the
grant from which he is actually being paid.
Which of the following statements related to this scenario are true?
A. As long as Jessie is getting the work done on the project he is paid from,
it is OK to work on the new grant proposal.
B. If Jessie’s time is charged 100% to the current grant and he is also
working on a grant proposal, he and his supervisor Meredith are causing
the grant to be falsely reported to the federal government.
C. Internal controls may need to be strengthened to timely prevent or detect
inaccurate charges.
D. The situation involves an allegation of wrongdoing so Hayden should
contact the Locally Designated Official (LDO).
Feedback Text
The best answers are B, C, and D. Proceed to next page to read a discussion of this scenario.
Discussion: Grant Shell Games
The following Standards of Ethical Conduct apply:
2. Individual Responsibility and Accountability
4. Compliance with Applicable Laws and Regulations
9. Internal Controls
11. Financial Reporting
12. Reporting Violations and Protection from Retaliation
With the acceptance of research grants by the University comes a responsibility to use the research funds for
the purpose for which they were intended. Research grants are critical to the University’s mission and should
not be misused or abused. Each employee in this scenario must exercise responsibility and accountability to
assure that grants are charged only for time actually worked and within the approved program for that grant.
In this scenario, Hayden has detected possible improper salary charges to a grant fund. She should discuss
the situation with Meredith, the principal investigator, and make sure the salary charges are corrected while
the proposal work is underway. She should also ask that, going forward, Meredith tell her in advance when
she is redirecting her staff’s work assignments so that she may allocate salary charges appropriately. If
improper salary charges were found and Meredith is not willing to correct the error, Hayden has the
responsibility to consult with her location’s Locally Designated Official (LDO), the person who administers the
Whistleblower Policy. Such reports are treated confidentially by the University, and those who make them are
protected from retaliation.
Scenario: Surly Sue
Gretchen and Sue work together in the financial
aid office. When Gretchen is forced to
reschedule a meeting, Sue gets upset and yells at
Gretchen for not giving her more notice. This is
not the first time that this has happened. Sue
has a well-known temper and has yelled at
Gretchen before. Gretchen is uncomfortable
around Sue and nervous about not doing
anything to upset Sue. Gretchen has asked Sue
not to yell but it still happens. Gretchen reported
the situation to their supervisor, who brushed her
off and told her to get a thicker skin. Gretchen
avoids Sue and their work product suffers for it.
What should Gretchen do? (You may select more than one option.)
A. Confront Sue in an angry manner.
B. Report Sue through the UC Whistleblower Hotline.
C. Be more accommodating to Sue and avoid interaction with her when possible.
D. Report her concerns to HR and/or Labor Relations.
Feedback Text
The best answers are B and D. Proceed to next page to read a discussion of this case study.
Discussion: Surly Sue
The following Standards of Ethical Conduct apply:
• 1. Fair Dealing
• 2. Individual Responsibility and Accountability
• 3. Respect for Others
• 5. Compliance with Applicable University Policies, Procedures and Other Forms of Guidance
• 12. Reporting Violations and Protection from Retaliation
UC employees are expected to act in a respectful manner in all dealings with co-workers
and the public at large. Sue’s outbursts are unacceptable and Gretchen was right to talk
to their supervisor about it. The supervisor had a responsibility to do something about the
complaint and failed. In this situation, Gretchen should use alternate means of reporting
Sue, including, but not limited to, calling the UC Whistleblower Hotline, reporting Sue to
Human Resources, Labor Relations, their supervisor’s supervisor, and/or her Locally
Designated Official (LDO).
The “Wall Street Journal Test”
While the previous case studies demonstrate specific violations of the Standards of Ethical Conduct, not all situations are as clear-cut. There are some activities that, while legal and not explicitly prohibited by University policy, may not pass what is known as the “Wall Street Journal Test”. That is, if what you are doing were to appear on the front page of the newspaper, would you feel proud of your actions?
The easiest way to stay out of a trouble spot is to ask yourself in these situations, "Would I want to read about this in the newspaper or online?"
Other questions you might ask include:
How would I explain what I'm doing to my family?
What would my supervisor or colleagues think about what I’m doing?
Would talking about this at a non-University social event make me feel embarrassed or uncomfortable?
Am I uneasy when I hear about colleagues doing this?
Reporting Improper Activities
• Illegal activities and significant policy violations should always be
reported in accordance with applicable laws and policies.
• The University is committed to responsible evaluation of all reports of
violations of the Standards of Ethical Conduct and/or alleged improper
activities on the part of members of the University community.
• The University has established processes for reporting and investigating
any suspected wrongdoing, including an anonymous hotline people are
encouraged to use if they don't feel comfortable bringing the matter
forward openly.
• An individual who is made aware of an improper act should consult with
someone at a higher level of authority or with the Locally Designated
Official (LDO) to determine how to handle the matter.
UC Whistleblower Hotline (anonymous/confidential)
(800) 403-4744 or http://universityofcalifornia.edu/hotline
Decision-Tree for Reporting Compliance Concerns
Reporting Contact Information
Locally Designated Officials (LDO): http://www.ucop.edu/uc-whistleblower/campus-resources/index.html
Campus Ethics and Compliance Officers (CECO): http://www.ucop.edu/ethics-compliance-audit-services/compliance/campus-ethics-and-compliance-officers.html
Campus Counsel: http://www.ucop.edu/ogc/campuscounsel.html
Chief Compliance and Audit Officer Sheryl Vacca
510-987-9090 or sheryl.vacca@ucop.edu
UC Whistleblower Hotline (anonymous/confidential) 800-403-4744 or http://universityofcalifornia.edu/hotline
UC Campus Climate Reporting
https://ucsystems.ethicspointvp.com/custom/ucs_ccc/default.asp
Reminder: Your Employment Obligations
• As this briefing has shown, it is critical that all members of the University
community:
• Know the applicable laws, regulations and policies that affect your
employment responsibilities
• Understand the Statement of Ethical Values and Standards of Ethical
Conduct and University policies and procedures related to your employment
responsibilities
• Ensure your actions are consistent with the University Statement of Ethical
Values and Standards of Ethical Conduct
• Report potential instances of non-compliance and fraud
• Understand your rights and responsibilities under the UC Whistleblower
Protection Policy
UC San Diego Health
Compliance Program
T: 858.657.6488
http://Healthsciences.ucsd.edu/compliance
Julie Colasacco, Interim Chief Compliance / Privacy Officer
jcolasacco@ucsd.edu
Mark Neu, Director, Compliance/Privacy Program
maneu@ucsd.edu
Ken Wottge, Chief Information Security Officer
kwottge@ucsd.edu
• The protection of health and other confidential information is a right protected by law and enforced by fines, criminal penalties as well as UCSD policy. Safeguarding confidential information is a fundamental obligation for all employees, clinical faculty, house staff, students and volunteers.
• I understand and acknowledge that:
1. I shall protect the privacy and security of confidential information at all times, both during and after my employment/training with the University of California has terminated.
2. I agree to (a) access, use, or view confidential information to the minimum extent necessary for my assigned duties; and (b) disclose such information only to persons authorized to receive it.
3. I understand that UCSDH tracks user activity in electronic health records. Inappropriate access to restricted patient, employee or student records is a violation of UC policy and law, subject to sanctions.
4. Inappropriate access and/or unauthorized release of protected information will result in disciplinary action, up to and including termination of employment, and will result in a report to authorities charged with professional licensing, enforcement of privacy laws and prosecution of criminal acts. Federal and State authorities may levy penalties to individuals or providers of healthcare of $2,500 - $25,000 per violation.
5. User IDs and passwords must not be shared. Inappropriate use of my ID (whether by me or anyone else) is my responsibility and exposes me to severe consequences.
• Print Name: _______________________/ Sign: _________________/ Date: ____________
Confidentiality Statement
Print & Sign Form. Return to the UCSD Medical Student Affairs Office
I have read UCSD Health’s Privacy and Information Security training materials and confidentiality statement and agree to abide by UCSD Health policy, UCSD/UC policy, and Federal / State privacy and information security laws.
• Print name: _______________________________
• Department name:____________________ / UCSD
• UCSD Employee ID number: ___________________<if known>
• UCSD Student ID number: ___________________
• Non-UCSD workforce member ID: ______________
• Indicate the 2-digit birth month (MM) and last 4 letters of your last name.
Training Certificate
Print & Sign Form. Return to the UCSD Medical Student Affairs Office
UC San Diego Health - Compliance Training
Although no single course can adequately address all potential ethical and
compliance dilemmas you might face as an important member of the
University community, we hope that the information provided in this briefing
will better equip you to make the right decisions and to act in an ethical and
compliant manner. Thank you for your participation.
You may now close the course window.