September 3, Dear Provider:

Transcription

1 September 3, 2014 Dear Provider: As a contractor with Centers for Medicare & Medicaid Services (CMS), Arkansas Blue Cross and Blue Shield are required by the regulations to develop and maintain a compliance program and provide annual training to all firsttier, downstream and related entities (FDRs). Providers are considered first tier entities because there is a direct contract for Medicare Services between Arkansas Blue Cross and each provider. Annual training should be completed by not only the provider, but the provider s staff who has any contact (indirect or direct) with Medicare beneficiaries, including billing. Compliance training should be completed by December 31, 2014 or within 90 days of hire for any new employees. The OIG has issued guidance with reference to effective compliance programs for specific health care providers and can be found at The Federal Register Notice CMS-4124-FC, CMS clarifies that the training and communication requirements apply to all entities with which we partner. In the event that your organization does not have Compliance Training in place, Arkansas Blue Cross has created a Medicare Compliance Training Program to meet CMS training requirements and has made this training available on AHIN and has been made available as a pdf at under Resources. Arkansas Blue Cross has a deep commitment to conducting business ethically, honestly and in compliance with the law. This commitment is why we expect everyone with whom we do business, including FDRs to also do business ethically, honestly and in compliance with the law. In order to continue to serve our customers in a manner that reflects the highest level of integrity and ethical business conduct, we ask that you take a moment, as a valued business partner, to review our Code of Conduct on our website at and our Code of Business Ethics at These documents provide you with important information regarding Arkansas Blue Cross business integrity, ethics and compliance standards of conduct and how to detect, prevent, report and correct fraud, waste and abuse. All training documents, including a copy of the training materials and training logs must be retained by your organization for 10 years, in accordance with CMS record retention guidelines. No documentation should be returned to Arkansas Blue Cross at this time. All documentation is subject to random audit by Arkansas Blue Cross or may be requested as part of a Compliance Program Audit by CMS or CMS designees. If you have any questions regarding this letter, referenced documents, training requirements, please refer to the Frequently Asked Questions slide in the training, contact your Network Development Representative or the Regulatory Compliance Office at regulatorycompliance@arkbluecross.com Thank you for your time, Sonya Wooderson, RN, BSN Regulatory Compliance Project Manager

2 FAQ s for Annual Medicare Compliance Training for Providers Do all contracted providers have to complete the Annual Medicare Compliance Training for Providers? No, only contracted providers that provide services to our Medi-Pak Advantage PFFS/PPO/HMO and Medi-Pak Rx PDP members Does the contracted provider with Arkansas Blue Cross need to be the only one completing Annual Compliance Training for Providers? No. Although the provider is contracted with Arkansas Blue Cross, it is the providers responsibility to ensure that all staff serving the Medicare Beneficiaries complete the training. This includes, front office, lab techs, nurses, billing and any other ancillary staff. All new hires must also complete the training within 90 days of hire and annually thereafter. Does any documentation need to be return to Arkansas Blue Cross? No. At the end of the training module provided on the website and on AHIN, there is a training log. Each individual who has completed the training will need to sign and date the training log. However, you will need to retain a copy of the training materials and completed training log for your records for 10 years. In the event you are audited by either CMS, Arkansas Blue Cross Blue Shield or designee, you may be asked to provide copies of training materials and training log as evidence that annual compliance training was completed for the year in which you are being audited. As the Provider, we currently have only one Medicare beneficiary, do we still need to complete the training? Yes. You are required by CMS to complete the annual training if you are providing any service to a Medicare Beneficiary. We have already completed this for another insurer we are contracted with or we have completed the Annual Medicare Compliance Training provided by CMS. Must we take this training provided by Arkansas Blue Cross? No. You and your staff must take the Annual Compliance Training from one source, one time per year. However, the Annual Compliance Training must meet the CMS Compliance Training Requirements.

3 2014 Medicare Compliance Training for Providers At the conclusion of this training, an individual authorized to represent your organization must retain a copy of this training and completed employee training logs on file for 10 years. You may be asked to present these material in the event of an audit by Arkansas Blue Cross Blue Shield, Centers for Medical Services (CMS) or CMS designee.

4 Course Content Overview What Rules Must Arkansas Blue Cross Blue Shield Medicare Advantage (MA) and Part D (PDP) First Tier and Downstream Entities (vendors) Comply with? Key Elements of a Compliance Program Policies and Procedures Protecting Personal Health Information (PHI) Chapter 4 Advanced Directive Requirements Training Resources Log & Certificate of Completion

5 Introduction Training Requirements Arkansas Blue Cross Blue Shield has contracted with the Centers for Medicare & Medicaid Services (CMS) to offer Medicare Advantage (MA) and Part D (PDP) benefits to Medicare enrollees. As part of those contracts, Arkansas Blue Cross requires their employees who have direct or indirect involvement with the Medicare programs to complete a Compliance training course. Federal Register Notice CMS-4124-FC, CMS clarifies that the training and communication requirements apply to all First Tier, Downstream, and Related Entities (FDRs) First Tier is defined as any entity that enters into a written arrangement acceptable to CMS with a Medicare Advantage Organization (MAO) or Prescription Drug Plan (PDP) that provides administrative or health care services to Medicare eligible individuals under the Medicare Advantage (Part C) or PDP (Part D) program. Providers are considered First Tier Entities Arkansas Blue Cross is making this training available in the event you do not have your own Medicare Compliance Training program established.

6 Overview of Medicare Regulations and Changes Regulations Prior to January 1, 2009, MA and Part D plan sponsors operated their required compliance programs, and providers operated their voluntary compliance programs in parallel. However, times have changed. In December 2007, CMS published new Medicare Advantage (MA) and Part D (PDP) regulations that became effective January 1, 2009 Among other changes, these regulations require Medicare Advantage (MA) and Part D (PDP) Plan Sponsors such as Arkansas Blue Cross Blue Shield to apply their training requirements and effective lines of communication to those entities we partner with that provide services in the MA and Part D programs Those entities include providers who have contracted with Arkansas Blue Cross Blue Shield to provide services to our Medi-Pak Advantage PFFS/PPO/HMO and Medi-Pak Rx PDP members

7 Changes in Regulations Overview of Medicare Regulations and Changes New regulations at 42CFR Parts 422 and 423 require, in part, that a Plan Sponsor (Arkansas Blue Cross Blue Shield) attests that it will: Develop an effective compliance plan that incorporates measures to detect, prevent, and correct fraud, waste and abuse Establish effective lines of communication between the compliance officer, members of the compliance committee, and the Sponsor s employees, managers, and directors Apply these training and communication requirements to all entities with which they contract to provide benefits or services, also known as FDRs (first tier, downstream, and related entities)

8 Overview of Medicare Regulations and Changes Rules Arkansas Blue Cross Blue Shield Must Comply With As a Medicare contractor, we must comply with numerous regulations and guidance's. Most of those regulations and guidance documents can be found on the CMS website: Centers for Medicare & Medicaid Services (CMS): The CMS website contains a number of links which will take you to the regulations, guidance documents, manuals and other useful information.

9 Overview of Medicare Regulations and Changes Rules Arkansas Blue Cross Blue Shield Must Comply With Arkansas Blue Cross and its First Tier, Downstream and Related Entities (FDRs) must comply with all applicable Medicare laws and regulations. Through our contractual arrangements with the Centers for Medicare & Medicaid Services (CMS), Arkansas Blue Cross has agreed to adhere to all Medicare laws and regulations. Arkansas Blue Cross is also required to insure that its First Tier, Downstream and Related Entities (FDRs) also adhere to all applicable Medicare laws and regulations. The Centers for Medicare & Medicaid Services (CMS) regulations outline their expectations and Arkansas Blue Cross utilizes these regulations to develop our health plan operations, workflows, and internal processes to ensure we meet our contractual requirements Arkansas Blue Cross s First Tier, Downstream and Related Entities (FDRs) must also ensure processes are in place to comply with regulations and develop applicable policies and procedures

10 Key Elements of Compliance Program According to the Centers for Medicare & Medicaid Services (CMS) the key elements of an effective compliance program are: 1. Written policies and procedures (including Code of Conduct) 2. Designation of a Compliance Officer, Compliance Committee, and High Level Oversight 3. Effective Training and Education 4. Effective Lines of Communication 5. Enforcement of standards through well-publicized disciplinary guidelines 6. Internal monitoring and auditing Seven Key Elements 7. Procedures for ensuring prompt responses to compliance issues CMS requires Plan Sponsors to have written Standards of Conduct. One way that Arkansas Blue Cross satisfies this requirement is through our Code of Conduct.

11 Key Elements of Compliance Defined 1. Written Policies & Procedures All Sponsors are required to have a comprehensive plan to detect, correct and prevent fraud, waste and abuse and should include: The Code of Conduct and related policies that reflect Arkansas Blue Cross s commitment to integrity, ethical conduct and legal/regulatory compliance A few of the policies you can find within Arkansas Blue Cross s Code of Conduct are: Conflict of Interest Arkansas Blue Cross Blue Shield Assets Gifts and Entertainment Control, Accounting and Reporting Information Protection and Privacy Communications and Fair Disclosure Written policies, procedures and standards of conduct should clearly state the commitment to comply with all applicable statutory, regulatory and Medicare program requirements. Policies and Procedures should acknowledge the day-to-day risks and identify and respond to the risk areas

12 Key Elements of Compliance Defined I. Written Policies & Procedures (including Code of Conduct) Arkansas Blue Cross s Code of Conduct is included in this training under Resources and or can be viewed on our website at Our Code of Conduct sets expectations for our employees and those whom we contract to understand and comply with all laws, regulations and policies concerning our business. We are committed to integrity, conducting ourselves in a legal, ethical manner and doing business with health care professionals, entities, agents and vendors who are equally committed to adhering to our Code of Conduct. To support our mutual commitment, all organizations including FDRs- who provide services related to our Medicare Advantage (MA) and Part D (PDP) Plans must know and comply with our Code of Conduct. CMS also requires sponsors and their FDRs have policies and procedures in place to ensure compliant and ethical conduct. While Arkansas Blue Cross cannot provide a Code of Conduct or policies and procedures for you to adopt as your own, or help you develop and implement your own compliance program, the following resources should provide assistance to you regarding provider specific compliance program OIG Compliance Program for Individual and Small Group Physician Practices The American Medical Association (AMA) publishes several regulatory compliance resources on its Web site

13 Key Elements of Compliance Defined II. Compliance Officer and Compliance Committee Arkansas Blue Cross has designated a Compliance Officer and a Compliance Committee specifically for the Medi-Pak Advantage and Med-Pak Rx Compliance. Our Compliance Officer is responsible for ensuring compliance with the program requirements and for overseeing the Compliance Committee. The Compliance Committee advises the Compliance Officer and assists in implementing the compliance program. Arkansas Blue Cross Blue Shield Shirl Welch, Director of Regulatory and Marketplace Compliance office: (501) regulatorycompliance@arkbluecross.com Confidential Ethics, FWA and Compliance Hot Line

14 Key Elements of Compliance Defined III. Disciplinary Guidelines Upon the conclusion of any potential non-compliance, fraud, waste or abuse investigation, the Compliance Office shall recommend to management appropriate corrective and disciplinary actions as warranted. All corrective actions shall: Be tailored to address the misconduct identified Provide structure with timeframes Be detailed in a written agreement Be documented and monitored to ensure the entity satisfactorily implements the corrective action Disciplinary actions for employees can range from oral or written warnings, mandatory retraining and up to and including termination based on disciplinary criteria set forth in the corporate administrative manual. For first tier and downstream entities, actions may include monetary or other actions as provided for in the relevant contract, up to and including termination of the contract.

15 Key Elements of Compliance Defined IV. Auditing and Monitoring Arkansas Blue Cross Audit Programs includes: Program Risk Assessment Arkansas Blue Cross Blue Shield maintains a Medicare Part C & Part D program risk assessment as an ongoing tool for prioritizing program initiatives and to assist in the ongoing maintenance of the Auditing and Monitoring Plan. Management considers a wide range of factors when assessing program risk including, but not limited to, new regulations, changes to existing regulations, industry trends and developments, and areas of focus from the Centers for Medicare and Medicaid Services (CMS). Risks identified through the process are categorized and ranked to help management prioritize efforts. Auditing and Monitoring Activities The Medicare Parts C & D Compliance Officer coordinates both internal and external resources to implement the Auditing and Monitoring Plan. Auditing and monitoring activities are conducted as required to ensure CMS requirements and Arkansas Blue Cross Blue Shield policies and procedures are properly followed. Corrective action plans are developed and implemented in areas where processes do not meet those requirements. External Entity Oversight Arkansas Blue Cross Medicare Part C & D Program is also subject to audits from external parties such as the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG). Corrective action plans for any deficiencies or findings reported during external audits will be developed and implementation will be monitored to ensure processes are strengthened and regulations are followed.

16 Key Elements of Compliance Defined V. Responding to Detected Offenses Suspected Violations of the: compliance program federal and state statutes rules and regulations any other types of misconduct Will be investigated by the Arkansas Blue Cross Regulatory Compliance Officer or designee Reporting Obligation If you know of, or reasonably suspect, a misappropriation of Arkansas Blue Cross assets or any other violation of law, ethical or business policies you must report the matter It is the obligation of every employee and individual working on Arkansas Blue Cross s behalf who knows of or reasonably suspects a violation of Arkansas Blue Cross s Code of Conduct to promptly report it Report may be oral or written, and made to: Confidential Fraud Hotline at Online through the secured Fraud and Abuse link at By contacting the Arkansas Blue Cross Regulatory Compliance Officer

17 Key Elements of Compliance Defined V. Responding to Detected Offenses Non-Retaliation Arkansas Blue Cross will not discriminate or retaliate against anyone who, in good faith, reports potential violations of laws or regulations, the Code of Conduct, or other company policies. Open communication of issues and concerns without any fear of retribution is vital to the success of the Code of Conduct. In addition, employees are protected by federal law against any retaliation for taking action under the federal False Claims Act. Arkansas Blue Cross requires our FDRs to adhere to a non-retaliation policy that provides protection to employees who report suspected or actual compliance violations. Developing Corrective Action Initiatives Reports of suspected misconduct will be investigated and if a violation of applicable law or regulation is found to exist, Arkansas Blue Cross will take steps to correct the problem which may include: Development of a corrective action initiative, or, if material, Immediate referral to criminal and/or civil law enforcement authorities Disclosure to Arkansas Blue Cross senior management and the appropriate governmental authority, where appropriate Reporting to the Government Arkansas Blue Cross shall report to appropriate governmental authorities, such as the Centers for Medicare & Medicaid Services (CMS) and the Department of Health & Human Services Office of Inspector General (OIG), credible information of material violations of the law by Arkansas Blue Cross, subcontractors, providers or enrollees for a determination as to whether any criminal, civil, or administrative action may be appropriate

18 Policies and Procedures Conflict of Interest Conflicts of interest can arise if you have a direct or indirect financial, business or personal involvement with a current or potential supplier, competitor, customer, or employee of Arkansas Blue Cross In addition, outside financial or business involvement by members of your immediate family, or by persons with whom you have a close personal relationship, may create a possible conflict of interest for you. As an individual working on Arkansas Blue Cross s behalf: You must not take part in any transaction in which you have a personal interest if there is, or might appear to be, a conflict between your interest and the interests of Arkansas Blue Cross You must not take part in any business transaction in which you have a personal interest if your participation is in any way related to information you received, or a relationship you developed, as an employee or director You should not show preferential treatment to any provider or supplier regardless of their relationship with Arkansas Blue Cross. If you become aware of a situation involving preferential treatment to providers or suppliers, you should notify the Arkansas Blue Cross Regulatory Compliance Officer immediately. Each provider or entity that contracts with Arkansas Blue Cross will require its managers, officers and directors responsible for the administration or delivery of Medicare Advantage (MA) and Part D (PDP) benefits to sign a conflict of interest statement, attestation, or certification at the time of hire and annually thereafter certifying that the manager, officer or director is free from any conflict of interest in administering or delivering Medicare benefits.

19 Policies and Procedures OIG/GSA Exclusion Review Office of Inspector General (OIG) and General Services Administration (GSA) Exclusion Review Arkansas Blue Cross will not knowingly hire any individual or contract with any person or entity for it Medicare program who has been convicted of a criminal offense related to health care or who is listed by a federal agency as debarred, excluded, or otherwise ineligible for participation in a federal health care program Arkansas Blue Cross will review the Department of Health & Human Services Office of Inspector General (OIG) and General Services Administration (GSA) exclusion lists at monthly to ensure that its Medicare employees and subcontractors are not included on such lists If Arkansas Blue Cross learns that an employee or contracted provider is on an OIG/GSA list, Arkansas Blue Cross will notify the individual and remove the individual from any work directly or indirectly related to Federal healthcare programs. Arkansas Blue Cross will also take appropriate corrective actions. If Arkansas Blue Cross learns that an individual is charged with a criminal offense related to health care or proposed for exclusion or debarment, the individual shall be removed from direct responsibility for or involvement in all such Medicare activities until resolution of such charges or proposed debarment or exclusion Provider agrees, warrants and represents to Arkansas Blue Cross that the Provider currently hold and throughout the duration of the Agreement shall maintain all local, state or federal authorizations, licenses, certifications, permits, accreditations including but not limited to unrestricted eligibility to participate as a Provider in all state and federal programs (including Medicare). The Provider further warrants and represents that neither Provider nor any employee or agent of Provider is or has been barred, suspended or restricted from participation in Medicare or any other state or federal program. Provider hereby agrees to notify Arkansas Blue Cross immediately in the event of loss, restriction, suspension or voluntary surrender of any such action.

20 Policies and Procedures Record Retention Unless specific conditions apply, all relevant Medicare Part C & D records will be maintained for 10 years from the end of the final contract period or completion of an audit, whichever is later CMS has authority under section 1860D 12(b)(3)(c) of the Act and (e)(2) and (e)(2) to inspect and audit any books, contracts, and records of a Medicare Advantage (MA) and Part D (PDP) programs its first tier, downstream, and related entities that pertain to any aspect of services performed, reconciliation of benefit liabilities, and determination of accounts payable under the contract or as the Secretary may deem necessary to enforce the contract All records created in the course of business are the property of Arkansas Blue Cross and will be maintained in compliance with all legal, regulatory, and/or government contract requirements Only official records should be retained and they should be accurate and complete

21 Policies and Procedures Anti-Kick Back It is Arkansas Blue Cross s policy to strictly comply with all laws that regulate government contracting. You must not offer, give, request, or receive anything of value for free or below fair market price in connection with the sale or recommendation of, or referral to, any benefit plan, product or service paid partly or fully by any government program. Anti-Kick Back provides criminal and civil penalties for individual or entities that knowingly and willfully offer pay, solicit, or receive remuneration in order to induce or reward business payable (or reimbursement) under the Medicare or other Federal health care programs 42 U.S.C. section b(b) An individual or entity convicted of an AKS violation(s) may be excluded from participation in the Medicare and other Federal health care programs, subject to civil monetary penalties, and/or sentenced to prison. Examples of provider activity that may constitute a AKS violation Taking money from pharmaceutical representatives in exchange for promising to prescribe that company s drug over others Only referring Medicare patients to one physical therapy practice, in exchange for receiving money from that practice for such referrals

22 Policies and Procedures False Claims Act Prohibits knowingly presenting (or causing to be presented) a false or fraudulent claim for payment or approval Prohibits knowingly making or using (or causing to be made or used) a false record or statement material to a false or fraudulent claim 31 U.S.C. sections Prohibits knowingly concealing, improperly avoiding, or decreasing an obligation to pay money to the government Persons or entities liable under the FCA may pay a civil penalty of up to $11,000 per false claim, plus three times the amount of damages sustained by the government. In addition, the OIG may exclude such individual or entities from participation in the Medicare and other federal health care programs Examples of provider activity that may constitute a FCA violation are: Billing for services that were not rendered Up-coding billing for a service that was not rendered simply because the coding generates more income than the correct billing for the service that was actually rendered Making a false statement, or the submission of false claims, is among the government s highest fraud and abuse concerns. Such actions can also result in criminal prosecution, up to 5 years imprisonment and/or a fine of up to $250,000 per individual,$500,000 per organization.

23 Policies and Procedures Protecting Individually Identifiable Health Information (PHI): High Level Overview of the HIPAA Privacy & Security Rules The HIPAA Privacy and Security Rules protect Individually Identifiable Health Information, referred to as Protected Health Information (PHI), held or transmitted by a Covered Entity (Health Care Professionals, Health Plans, Health Care Clearinghouses) and their Business Associates (entities that complete certain functions on the Covered Entity s behalf, such as Medicare subcontractors) PHI includes information that identifies the individual or could reasonably be used to identify the individual. PHI is information, including demographic data, which relates to the: Individual s past, present or future physical or mental health or condition; Health care provided to the individual; or Past, present, or future payment for health care provided to the individual. The HIPAA Privacy Rule protects all PHI in any form or media, whether electronic, paper or oral. The HIPAA Security Rule applies only to electronic PHI (e-phi). In general, this rule requires a Covered Entity to adopt additional safeguards for e-phi ensuring the confidentiality and availability of all it creates, receives, uses, maintains, or transmits. The Health Information Technology for Economic and Clinical Health (HITECH) Act expands certain HIPAA Privacy and Security requirements to cover Business Associates and to provide individuals with additional rights to access and control the use of their PHI, among other things.

24 Policies and Procedures Protecting Individually Identifiable Health Information (PHI): High Level Overview of the HIPAA Privacy & Security Rules All of the elements of PHI could not be displayed here, however an example of some elements used either alone or if combined in a way that would allow an individual to be identified are below: Zip code alone would not be PHI, but this data element combined with address and phone number would be PHI. This is because the combination of these data elements could be used to identify an individual. Birth date alone would not be PHI, but coupled with SSN and claim numbers could result in identification of an individual and would be considered PHI. Social Security Number (SSN) alone would be PHI as this data element can be used to identify an individual. **Please note: The information provided on PHI is intended as a general description of applicable rules. Variations, exceptions and qualifications to the general rules may be recognized in the rules but are not outlined here. When in doubt, or if a particular fact or circumstance presented in a given cause are not precisely aligned with a general rule referenced here, please contact the Arkansas Blue Cross Privacy Office or Legal Department for clarification.

25 Policies and Procedures Protecting Individually Identifiable Health Information (PHI): Additional Requirements Safeguarding Protected Health Information Members of the workforce must employ the appropriate administrative, technical and physical safeguards to protect the privacy of protected health information. Use & Disclosure of Information: PHI Confidential information cannot be disclosed to others without the individual s written authorization except for the purposes of treatment (providing care), payment (claim payment) or health plan operations (examples include, but are not limited to: audits and fraud and abuse detection). Minimum Necessary When collecting, accessing, using or disclosing PHI, or when requesting PHI to perform job functions, members of the workforce must make reasonable efforts to limit the use and disclosure to the minimum necessary to accomplish the intended purposes of the use or request. Verification Members of the workforce must follow Arkansas Blue Cross s procedures to verify the identity of a person requesting PHI and the authority of any such person to have access to PHI. Notice of Privacy Practices: Individuals must receive and have access to a Notice of Privacy Practices which describes how their health information may be used or disclosed by Arkansas Blue Cross and what individual rights they have in relation to this information. Individual Privacy Rights The HIPAA Privacy Rule provides individuals with certain rights related to their PHI. These rights include: they can have access to their PHI; request amendment to their PHI; obtain an accounting of disclosures of their PHI; request restrictions on the use and disclosure of their PHI; and request alternate means of communicating with them, such as sending materials to an alternative address or location; and lodge a complaint if they believe there has been a violation of their privacy rights

26 Policies and Procedures Protecting Individually Identifiable Health Information (PHI): Additional Requirements Protecting Individually Identifiable Health Information (PHI) If you believe that a privacy or security breach or violation occurred due to any act or omission of Arkansas Blue Cross and Blue Shield or its employees, you should immediately report the same to the Arkansas Blue Cross and Blue Shield Privacy Office at the following address and telephone number: Arkansas Blue Cross Blue Shield Privacy Office PO Box 3216 Little Rock, AR Toll free : Local: Fax: office: (501) Instances of potential non-compliance with the Privacy & Security Rules, HITECH Act and Arkansas Blue Cross's Privacy Policies and Procedures will be investigated and appropriate disciplinary action will be taken as needed.

27 Chapter 4 - Benefits and Beneficiary Protections MA Obligation on Providing Information on Advance Directives CMS requires that MA programs comply with certain requirements regarding Advance Directives. Advance Directives are basically documents signed by or on behalf of a patient or member that address certain end of life decisions. Advance Directives are also sometimes called Living Willis or Health Care Proxies. Advance Directives express the patient s or member s wishes about end of life choices and direct whether certain actions be taken or not be taken, as the case may be, to preserve and prolong life. Under Arkansas law, the rules around Advance Directives are contained in the Arkansas Rights of the Terminally Ill and Permanently Unconscious Act, which is found at Ark Code Ann et seq.

28 Advance Directive As a Plan Sponsor, Arkansas Blue Cross is required to maintain policies and procedures governing Advance Directives and also to educate its members and the community about Advance Directives. One of the ways that Arkansas Blue Cross insures that its members are given information about Advance Directives is to require that its network providers comply with Arkansas law on Advance Directives and provide information to their patients are required by law. Arkansas Blue Cross also maintains policies and procedures that dictate how it complies with Advance Directives requirements imposed on it as a Plan Sponsor. 27

29 Resources Arkansas Blue Cross Blue Shield Code of Conduct Statement of Principles Arkansas Blue Cross strives to maintain a professional environment that considers ethics and compliance an integral part of all of our business decisions. Standard 1: At a Minimum, Ethical Professionalism Requires Legal Compliance. For this reason, we must conduct Enterprise business in accordance with all applicable laws, regulations, and contractual obligations at all times Standard 2: Report Data Truthfully and Accurately. We must each take special care to ensure that information is recorded and reported accurately and honestly. Standard 3: Follow Enterprise Record Retention Policies. We must each ensure that all business records are retained in accordance with our Company s record retention policies. Standard 4: Protect Confidential Information. We must each protect the integrity of confidential information at all times. Standard 5: Avoid Conflicts of Interest. We must each ensure that we do not engage in activities that conflict with, or are otherwise incompatible with, our responsibilities as Company employees. Standard 6: Don't Offer or Accept a Bribe or Kickback. We must not accept favors from potential business partners in exchange for your business decisions, and we must not offer favors to potential customers in return for business.

30 Resources Arkansas Blue Cross Blue Shield Code of Conduct Statement of Principles Standard 7: Always Remember That The Government Is a Unique Customer. We will conduct our government business with the highest degree of integrity and honesty. Standard 8: Compete Ethically and Fairly. We must take special care to avoid engaging in anticompetitive activities or unfair trade practices. Standard 9: Treat Government Investigations As Serious Matters. We will cooperate with all government investigations and reasonable requests for information. Standard 10: Safeguard Company Assets. Company employees should not use Company assets for personal reasons unless they receive specific prior approval from their supervisor. Standard 11: Don't Engage In Improper Political Activities. Because our Company s ability to participate in political activities is constrained by federal, state and local law, all organizational political activity must be cleared by the Company s Legal Department. Standard 12: Recognize That The Company s Greatest and Most Valuable Asset Is Its Workforce. Our Company is committed to maintaining a safe and professional working environment for all of its employees, and to ensuring that all employees are treated with fairness, dignity and respect.

31 Thank you for completing the Medicare Compliance Training for Providers from Arkansas Blue Cross Blue Shield. By taking this training, you have met Arkansas Blue Cross and CMS s annual training requirement for Medicare Advantage and Part D PDP Providers and their staff, and have assisted us in meeting our plan sponsor requirements. Please retain a copy of the training materials, training logs and completion certificate for 10 years. This documentation may be requested for review in the event of an audit by Arkansas Blue Cross and Blue Shield or Compliance Program Audit by CMS or CMS designee.

32 Resources Federal Agencies Office of Inspector General Phone: HHS-TIPS ( ) Fax: OIG Fraud Hotline: Mail: Office of inspector General HHS TIPS Hotline P.O. Box S Washington, DC Medicare Drug Integrity Contractor (MEDIC) Health Integrity, LLC Phone: (877) 7SafeRx ( ) Web: *The MEDIC is a CMS-contracted entity charged with investigation of potential fraud, waste, and abuse matters.

33 Medicare Compliance Training Log This certifies that the named individual(s) below have satisfactorily completed Medicare Compliance Training for Providers as required by 42 CFR sections and By signing I also understand it is my personal responsibility to comply with the requirements of such standards. Printed Name Signature Date Training Completed