Job Description For the Chief Compliance Officer
The chief compliance officer (CCO) will work closely with and have liaison reporting to the UC Davis Health System chief medical officer (CMO) the UC Davis Medical Center director, the director of internal audit, and the UC Davis locally designated official (currently, the Assistant Executive Vice Chancellor). For compliance department budget and personnel management, the CCO reports to the CMO.
The CCO also reports annually to the regents through the University of California Vice President for Clinical Services or his/her designee, and coordinates the activities at UC Davis with those at the other medical campuses.
The CCO serves as the focal point for compliance activities. The CCO needs to be a person of high integrity, and any other duties the CCO has should not be in conflict with the compliance goals. Coordination and communication are the key functions of the CCO with regard to planning, implementing, and monitoring the compliance program.
The CCO is highly placed in the health system so that he or she can exercise independent judgment without fear of reprisal, and so that employees will know that bringing a problem to that person's attention is not a wasted exercise.
The CCO is a high-level official with direct access to:
- leadership for the medical school, medical group, and hospital
- all senior management
- legal counsel, both internal and external
- the UC Davis Health System CEO (the dean of the UC Davis School of Medicine)
Job duties include:
- overseeing and monitoring the implementation of the compliance program
- reporting on a regular basis to the governing body and leadership (medical group, medical school, and hospital), CEO and compliance committee on the progress of implementation, and assisting these components in establishing methods to improve efficiency and quality of services, and to reduce the vulnerability to fraud, abuse, and waste
- periodically revising the program in light of changes in the needs of the organization, and in the law and policies and procedures of government and private payer health plans
- developing, coordinating, and participating in a multifaceted educational and training program that focuses on the elements of the compliance program, and seeks to ensure that all appropriate employees and management are knowledgeable of, and comply with, pertinent federal and state standards
- ensuring through purchasing that independent contractors and agents who furnish medical services to the health system are aware of the requirements of the compliance program with respect to coding, coverage, billing, and marketing, among other things
- ensuring through the human resources office, the dean's office, the purchasing department and the credentialing office that the Cumulative Sanction Report and GSA Excluded Parties System have been checked with respect to all employees, medical staff, and independent contractors
- coordinating internal compliance review and monitoring activities, including periodic reviews of departments
- responding to government investigations and queries as the principal point of contact
- independently investigating and acting on matters related to compliance, including the flexibility to design and coordinate internal investigations (e.g., responding to reports of problems, 'hot-line' calls, or suspected violations) and any resulting corrective actions with all health system departments, providers and sub-providers, agents and, if appropriate, independent contractors; and
- developing policies and programs that encourage managers and employees to report suspected fraud and other improprieties without fear of retaliation
As the CCO, the incumbent has responsibility for:
- implementing written policies, procedures, and standards of conduct
- establishing a compliance committee
- developing effective lines of communication
- enforcing standards through well publicized disciplinary guidelines and developing policies addressing dealings with sanctioned individuals
- conducting periodic risk assesments and response plans
- conducting internal monitoring and auditing
- responding promptly to detected offenses, developing corrective action, and reporting findings to the government via established channels
The CCO and his or her designees have the authority to review all documents and other info rmation that are relevant to
compliance activities, including, but not limited to, research data, patient records, billing records, and records concerning the marketing efforts of the health system, and all arrangements with other parties, including employees, professionals on staff, research sponsors, insurers, non-health system health care providers, independent contractors, suppliers, and agents, etc. This enables the CCO to review contracts and obligations (seeking the advice of legal counsel, where appropriate) that may contain referral and payment issues that could violate the anti-kickback statues, as well as the physician self-referral prohibition and any other legal or regulatory requirements.
In addition, the CCO will be copied on the results of all internal audit reports and will work closely with key managers to identify aberrant trends in the coding and billing areas. The CCO should ascertain patterns that require a change in policy and forward these issues to the compliance committee to remedy the problem. The CCO will have full authority to stop the processing of claims that he or she believes are problematic until the issue in question has been resolved. The UC Office of the President corporate compliance policy lists further corrective and disciplinary actions within the CCO's authority.
This position reports to the UC Davis Health System HIPAA Committee and the UC Davis provost, as well as to the UC systemwide privacy officer.
The privacy officer oversees all ongoing activities related to development, implementation, maintenance of, and adherence to UC Davis policies and procedures covering privacy of and access to protected health information (PHI) in compliance to federal and state laws and health system privacy practices.
The privacy officer ensures that periodic risk assessments and ongoing monitoring of key elements of the privacy program are monitored; including privacy notice, consent, authorization, business partner agreements/practices, minimum necessary information, disclosure, including
- Provides development guidance and assists in the identification, implementation, and maintenance of organization information privacy policies and procedures in coordination with senior management the HIPAA committee, and UC Office of the President.
- Serves in a leadership role for the HIPAA Committee's activities.
- Performs initial and periodic information privacy risk assessments and conducts related ongoing compliance monitoring activities in coordination with UC Davis's other compliance and operational assessment functions.
- Works with legal counsel and management, key departments, and committees to ensure the organization has and maintains appropriate privacy and confidentiality consent, authorization forms, and information notices and materials reflecting current organization and legal practices and requirements.
- Oversees, directs, delivers, or ensures delivery of initial privacy training and orientation to all employees, volunteers, medical and professional staff, contractors, alliances, business associates, and other appropriate third parties.
- Participates in the development, implementation, and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure all privacy concerns, requirements, and responsibilities are addressed.
- Establishes with management and operations a mechanism to track access to protected health information, within the purview of the organization and as required by law and to allow qualified individuals to review or receive a report on such activity.
- Works cooperatively with HIM and other applicable organization units in overseeing patient rights to inspect, amend, and restrict access to protected health information when appropriate.
- Establishes and administers a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization's privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.
- Ensures compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization's workforce, extended workforce, and for all business associates, in cooperation with Human Resources, administration, and legal counsel as applicable.
- Initiates, facilitates and promotes activities to foster information privacy awareness within the organization and related entities.
- Serves as a liaison to, the UC Davis IRB and assists in the development of appropriate IRB policies and procedures. Also serves as the information privacy liaison for users of clinical and administrative systems.
- Reviews all system-related information security plans throughout the organization's network to ensure alignment between security and privacy practices, and acts as a liaison to the information systems department.
- Works with all organization personnel involved with any aspect of release of protected health information, to ensure full coordination and cooperation under the organization's policies and procedures and legal requirements
- Maintains current knowledge of applicable federal and state privacy laws and accreditation standards, and monitors advancements in information privacy technologies to ensure organizational adaptation and compliance.
- Serves as information privacy consultant to the organization for all departments and appropriate entities.
- Cooperates with the Office of Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations.
- Works with administration, legal counsel, and other related parties to represent the organization's information privacy interests with external parties (state or local government bodies) who undertake to adopt or amend privacy legislation, regulation, or standard.
- Represents UC Davis with the UC Office of the President, and general counsel.
- Coordinates with appropriate UC Davis departments and units to ensure timely development and implementation of corrective action plans in response to monitoring deficiencies and complaints.
This position reports to the UC Davis Health System HIPAA Committee and the UC Davis provost, as well as to the UC Office of the President security officer.
The security officer oversees all ongoing activities related to development, implementation, maintenance of, and adherence to UC Davis policies and procedures covering security of and access to protected health info rmation (PHI) in compliance to federal and state laws and health system security practices.
The security officer ensures that periodic risk assessments and ongoing monitoring of key elements of the security program are monitored.
- Leads in the development and enforcement of information security policies and procedures, measures and mechanisms to ensure the prevention, detection, containment, and correction of security incidents
- Ensures that security standards comply with statutory and regulatory requirements regarding health information
- Ensures that security policies are maintained that include: administrative security, personnel security, physical safeguards, technical security, and transmission security
- Assures that appropriate documentation exists of response of the institution to the addressable portions of the security rule
- Ensures that security procedures are maintained that include: evaluation of compliance with security measures; contingency plans for emergencies and disaster recovery; security incident response process and protocols; testing of security procedures, measures and mechanisms, and continuous improvement; and security incident reporting mechanisms and sanction policy
- Ensures that appropriate security measures and mechanisms are in place to guard against unauthorized access to electronically stored and/or transmitted patient data and protect against reasonably anticipated threats and hazards, including, when appropriate: integrity controls, authentication controls, access controls, encryption, and abnormal condition alarms, audit trails, entity authentication, and event reporting
- Oversees on-going security monitoring of UC Davis information systems, including: periodic information security risk assessments; functionality and gap analyses to determine the extent to which key business areas and infrastructure comply with statutory and regulatory requirements; and review of new information security technologies and counter-measures against threats to information or privacy
- Oversees training programs, periodic security awareness reminders, and periodic security audits
- Serves as an institutional resource regarding matters of informational security
- Cooperates with CMS, other legal entities, and organization officers in any compliance reviews or investigations
- Works with administration, legal counsel, and other related parties to represent the organization's information security interests with external parties (state or local government bodies) who undertake to adopt or amend security legislation, regulation, or standard
- Represents UC Davis with the UC Office of the President, and general counsel
- Coordinates with appropriate UC Davis departments and units to ensure timely development and implementation of corrective action plans in response to monitoring deficiencies and complaints