HMC's employee Code of Conduct is summarized in the "Integrity at Work" handbook. It includes information on:

• Documentation, Coding & Billing
• Business Ethics
• Confidentiality & Security

Harborview is committed to following all laws, rules, and policies that affect us.

Washington State has a very strict "Ethics in Public Service" law. Each employee at Harborview is individually responsible for their actions related to this law.

Harborview's Compliance Office can help you decide if certain actions would violate the law. Three major aspects of this law are worth taking a closer look at: Use of State & County Resources, Conflict of Interest, and Accepting Gifts.

Use of State & County Resources:

Public property (telephones, computers, email, internet, etc.) may be used for personal purposes only if:

• It is on a limited, occasional basis
• There is no cost to the state or county
• The use is short
• The use does not interfere with official duties
• The use does not compromise the security or integrity of public information or software

Use of state and county resources are not allowed:

• For political purposes, or
• For your own business purposes, including using work phones, email and the internet
• Office supplies should not be used for personal needs

Conflict of Interest:

State ethics laws state employees may not have a conflict of interest where their loyalty to HMC conflicts with their loyalty to an outside company or interest.

• For example, if you plan to consult or take a second job with a company that sells medical supplies to HMC, and you are in a position to decide whether or not HMC buys from this company, there is a possible conflict of interest.
• Prior approval is required for outside work- whether paid or not- if it stems from, could conflict with, or may be related to your work at HMC.
• Do not endorse or take an official position on any product on behalf of HMC without approval from administration.

Accepting Gifts:

Healthcare regulations and the Washington State Ethics in Public Service Act address receiving gifts in the course of doing business.

As state employees, Harborview employees should not accept gifts for themselves or family members when accepting the gift could influence (or could appear to influence) the decisions you are making. The value of any gift received by a state employee is limited to $50 for a single gift, or $50 over the year from a single source.

When employees are making purchases or contracting decisions, there are additional restriction; please check with the Compliance Office.

Vendor sponsorship of meals is not allowed at HMC. Employees may not receive tickets from vendors to attend HMC fundraising events (Gala, Golf Classic).

Do not accept cash gifts from patients. There are many ways for grateful patients and families to say thank you to Harborview. Please refer patients and families to the HMC Development Office at 206-543-7421. The HMC Development Office handles all donations to HMC.

The Federal False Claims Act (FCA) is a powerful tool for enforcing federal laws. The FCA prohibits HMC or HMC providers from submitting false claims for reimbursement. Washington State has a law that is very similar to the Federal False Claims Act (RCW 74.09). A violation of the FCA can result in civil penalties ($5,500-$11,000 per claim) and damages of up to three times the amount of any overpayment based on the false claim.

Although the FCA requires that the organization or provider have knowledge that he or she is submitting a false claim, the definition of knowledge is very broad and includes:

• Actual knowledge that the information is false;
• Deliberately ignoring the truth or falsity of the information; or
• Acting recklessly about the truth or falsity of the information.

In terms of Coding & Billing Services you should think about the following:

• All services must be ordered by the provider and completed according to those orders.
• Services must be written in the medical record before a bill is sent out.
• Use the correct code for the service.
• Document Teaching Physician presence when billing for resident services.

Both the Federal False Claims Act and the state law (RCW 43.70) provide protections against employer retaliation of an employee who reports fraud to the government. Under the FCA, an individual (called a "relator") may bring a False Claims suit on behalf of the government. For example, an employee who has reported a concern to their employer and feels the issue has not been taken seriously may ultimately choose to go to the government. If the government recovers money from the provider alledgedly committing fraud, the relator may receive a portion of the recovered dollars.

It is especially important that all Harborview providers and staff understand the billing rules that apply to their practice or activities. Our policies require that any employee who has a question or concern about a coding or billing practice must raise the issue or question with a supervisor, operational leader, or the Compliance Office. In addition, you may contact the Compliance Helpline at (206) 744-3897. The Compliance Office enforces policies that prohibit retaliation against anyone who reports a concern in good faith.

Harborview cooperates with legally authorized government investigations into compliance matters. If a government investigator contacts you, please notify the Compliance Office at (206) 744-9073, to learn what steps to follow.

Never lie or make false or misleading statements to any government investigator.

Another important piece of our Compliance program is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This federal law has a privacy and a security component. Below are some reminders of the main aspects of this law.

Patient Confidentiality

• HMC staff may use a patient's Protected Health Information (PHI) for treatment, payment, and certain healthcare operations without specific authorization.
• Every patient receives our "Notice of Privacy Practices" which details their rights and our obligations.
• Usually, we must get patient permission when using or sharing information for non-healthcare purposes (e.g. attorneys, employers, etc.).

Protected Health Information (PHI)

All information that identifies a patient (including, but not limited to: name, medical record number, addresses, and social security number, etc.) must be kept confidential and secure. This includes computer records, paper records, and oral communication.

If you are not currently providing treatment for a patient then you follow the "Minimum Necessary Rule". This rule states that when using or disclosing PHI, HMC must take reasonable efforts to limit PHI use to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

You may only use Protected Health Information on a "need to know basis." The information you are looking at must be needed to do your job at HMC. Looking at anyone else's medical record for personal reasons or without a work-required need to do so is not allowed. Accessing family, significiant other, neighbor, or co-worker's records is not permitted, nor is accessing celebrity/VIP records unless required to perform your job.

Those who are treating a patient may access and use all available information to provide care to the patient. You do not follow the "Minimum Necessary Rule."

You may also share information with the patient's other providers without authorization. Specifically, to treat a patient, no authorization is needed if you are sharing information with a Referring/Consulting Physician/Provider. Other examples include the Puget Sound Blood Center, organ donation agencies, and L&I (Worker's Compensation).

What about sharing information with Law Enforcement? Law enforcement may be able to receive information they request about a patient. Federal and state laws both speak to this topic. In order to help staff, it is the policy at HMC to re-direct all law enforcement requests for PHI to the Nursing Supervisor or the Privacy Officer.

Sharing information with the family & friends of a patient is different. When the patient is awake ask them before you share information with family and friends. When the patient is unconscious, we use our best judgement. Ask yourself: is the person involved with the care and treatment of our patient? If it is a large group of family and friends encourage one family member to be the spokesperson for the group. This will allow us to contact the right person, as well as for the family and friends to know who to contact for updates on the patient.

HIPAA also addresses Information Security. Our information security policies require you to:

• Log off from the computer anytime you leave it.
• Never share your user ID (login) or password.
• Don't install or download unauthorized software on any HMC workstation/computer.
• Do not save PHI on your local PC hard drive - instead, save it to a network server.
• Do not copy PHI or transport PHI on a thumb or pen drive without prior approval by your supervisor.
• Remember: Use an encrypted thumb drive.
• Report security incidents and problems to (206) 543-7012 or to the Privacy Officer.

If you need to transport PHI, please discuss this with your manager. Any time you transport PHI, it must be secured and kept physically safe at all time. You are responsible for any PHI that is carried around or removed from HMC.

PHI and Email

Privacy standards must be followed when emailing patient information. Patient information may be sent via email as long as these requirements are met:

• the email transmission is sent using WebPine for security
• the email must contain the minimum amount of patient information necessary to meet the recipient's needs
• personal health information must not be used in the subject line of the email
• the patient information is not emailed outside of UW Medicine or its affiliates

UW Medicine affiliates include:

• @u.washington.edu
• @uwpn.org
• @uwp.washington.edu
• @cumg.washington.edu
• @seattlecca.org
• @fhcrc.org
• @psbc.org
• @med.va.gov
• @seattlechildrens.org

This is the text that should be in your email footer:

The above email may contain patient identifiable or confidential information. Because email is not secure, please be aware of associated risks of email transmission. If you are a patient, communicating to a UW Medicine Provider via email implies your agreement to email communication; see http://www.uwmedicine.org/Global/Compliance/EmailRisk.htm?

The information is intended for the individual named above. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited.? Please notify the sender by reply email, and then destroy all copies of the message and any attachments. See our Notice of Privacy Practices at www.uwmedicine.org.

Email may not be automatically forwarded.

The UW Email Standard states: "UW Medicine workforce members are not permitted to set their University of Washington email accounts to forward automatically to non-University of Washington email accounts, i.e. personal email accounts such as AOL, Comcast, Hotmail, Yahoo, etc."

PHOTOGRAPHY and VIDEOGRAPHY

Photographs and videos of staff may not be taken without their expressed consent. For privacy purposes, photos, videos, etc., of any kind are not to be taken or allowed to be taken of our patients, or within patient-care waiting areas, without the expressed and documented permission of the patient(s). Staff, physicians and residents must be aware that hospital Administration must grant authorization allowing for photographs, videos, and other media, to be taken anywhere inside the hospital premises.

Follow all HMC and UW Medicine photography, video and HIPAA policies.

1. Seek Administration's approval for photographs, videos, etc., you, your staff or your department, take on hospital premises.
2. Ensure that all staff involved have consented to having their pictures or videos taken.
3. Obtain patient's authorization and consent to have their pictures taken.
4. If you need guidance, contact your manager, the Privacy Officer, and Community Relations.

HMC has an active compliance program. Audits are conducted to make certain that all laws and policies are being followed. We also hold training to update staff on current rules and laws. Complaints and compliance concerns are responded to and corrected as necessary. Please see the HMC Intranet for more details on HMC's compliance program.

The compliance office answers questions about:

• Billing/Coding Rules
• Medicare/Medicaid Rules
• Privacy & Security
• Ethics/Conflicts of Interest
• Government Investigations

• HMC's Compliance Officer is Jacquie Zehner.
• The Compliance Helpline is (206) 744-3897.

To find Compliance policies & procedures see HMC's Administrative Policy and Procedure Manual (APOP). For UW Medicine Privacy and Security Policies (HIPAA) go to HMC's intranet and follow the link to the UW Medicine Privacy and Security Policies webpage.

Anyone may contact the Compliance Office directly or through our anonymous reporting systems.

Anonymous reports are taken:

• By phone via the Compliance Helpline at (206) 744-3897
• By mail at HMC Box 359754

Every employee at Harborview is expected to follow these laws, rules and policies, and to support HMC compliance efforts. Additionally:

• Employees are to report their "good-faith" belief of, or concern about, a possible compliance problem.
• The Compliance Office enforces policies that prohibit retaliation against anyone who reports a concern in good faith.

        Any person found to be non-compliant with the HMC Code of Conduct, policies and procedures, or regulatory laws will be subject to disciplinary actions:

• Job related discipline/corrective action
• Fines - you can be personally fined and/or create fines for HMC
• Loss of job
• Criminal charges, including jail time

• Ask your supervisor
• Call the Compliance Office, Scott Desmond: (206) 744-9065
• Call the Privacy Officer, Bekki Sanchez: (206) 744-9003
• Call the Compliance Helpline: (206) 744-3897
• Visit HMC's Compliance intranet site at https://hmcweb.washington.edu/compliance

Congratulations, you have completed the reading portion of Module 1.

Next, click on "Take the Quiz" at the bottom of this screen. Make sure you hit the Submit button at the bottom of the quiz when you are done. If you do not submit your quiz then you will not be shown as completed.

Once you are finished with the quiz, you will be directed to Module 2.