Music City KIDNEY CARE ALLIANCE, LLC
CORPORATE COMPLIANCE PLAN

Adopted by the Board of
Managers on:_________

Music City KIDNEY CARE ALLIANCE, LLC
CORPORATE COMPLIANCE PLAN

  1. Purpose.
    Music City Kidney Care Alliance, LLC (the “ESCO”) is a Delaware limited liability company that is organized to provide a platform for participation in the Medicare Comprehensive ESRD Care Model (“CEC Model”) demonstration project. The ESCO is committed to conducting its activities in compliance with all federal, state and local laws and regulations and in conformance with the highest standards of business integrity. The policies, standards and procedures outlined herein reflect the dedicated commitment of the ESCO’s Board of Managers to complete compliance with legal, regulatory and ethical standards. This Corporate Compliance Plan (the “Compliance Plan”) is designed to assist ESCO’s Participants (including Participant-Owners and Participant Non-Owners), ESCO Partners, members of the ESCO Board of Managers, and ESCO Provider/Suppliers achieve these objectives by establishing a general overall framework for conducting activities with integrity and accountability. In particular, this Compliance Plan is established in order to prevent, detect and correct non-compliance with requirements related to the CEC Model. While this Compliance Plan cannot address every possible issue that may arise in the connection with ESCO’s services, it does provide the overall policies and standards to guide all to whom the Compliance Plan applies.
  2. Definitions.
    • CEC Model – The Comprehensive ESRD Care Model demonstration project created by CMS under authority granted by section 1115A of the Social Security Act.
    • Contractor – All other persons or entities who have entered a contract with the ESCO including, without limitation, any provider, supplier, facility or practitioner who provides medical items or services to persons covered under ESCO’s participation agreement with CMS and entities or persons who provide administrative, management or similar services to the ESCO whether by contract or subcontract.
    • ESCO – Music City Kidney Care Alliance, LLC, an ESRD seamless care organization. The CEC Model requirements provide that the ESCO be a legal entity that is recognized and authorized under applicable State, Federal, or Tribal law; identified by a TIN; and formed by ESCO participant owners, who must include the following: (1) at least one dialysis facility and (2) at least one nephrologist/nephrology group practice not employed by the dialysis facility, with the opportunity for other eligible Medicare-enrolled providers or suppliers to be owners, including physicians and non-physician practitioners, but excluding DMEPOS suppliers, ambulance suppliers, and drug/device manufacturers. The ESCO and its participants, including participant owners and participant non-owners, must agree to become accountable for the quality, cost and overall care of ESCO beneficiaries and to comply with the terms and conditions of the CEC Model Participation Agreement.
    • ESCO Partner – Individuals or entities that have contracted with the ESCO or ESCO Participants, but are not ESCO Participants. ESCO Partners are not eligible to be ESCO Participants because they do not have a Medicare-enrolled TIN and/or have not contracted with the ESCO to be bound by the CEC Model Participation Agreement.
    • ESCO Provider/Supplier – An individual or entity that (1) is a Medicare-enrolled provider or supplier other than a DMEPOS supplier; (2) is identified by an National Provider Identifier or CMS Certification Number or is in the process of applying for a National Provider Identifier or CMS Certification Number; and, (3) bills or will bill for items and services it furnishes to Medicare fee-for-service beneficiaries under a Medicare billing number assigned to a tax identification number of an ESCO Participant, in accordance with applicable Medicare regulations. All ESCO Providers/Suppliers must be included on the ESCO’s tax identification number/National Provider Identifier list submitted to CMS on an annual basis and must be required by the ESCO Participant to comply with applicable terms and conditions of the CEC Model Participation Agreement.
    • Manager – A member of the ESCO’s Board of Managers.
    • Participant – An individual ESCO provider/supplier or a group of multiple ESCO Providers/Suppliers all billing under the same Medicare-enrolled tax identification number that, together with other ESCO Participants, agrees to become accountable for the quality, cost, and overall care of the ESCO beneficiaries and to comply with the terms and conditions of the CEC Model Participation Agreement. Participants may be Participant-Owners or Participant Non-Owners.
    • Participant Non-Owner – An individual ESCO provider/supplier or a group of multiple ESCO providers/suppliers all billing under the same Medicare-enrolled TIN that does not have an ownership stake in the ESCO, but has a contractual relationship with the ESCO that requires the individual or group to comply with the terms and conditions of the CEC Model Participation Agreement.
    • Participant-Owner – An individual ESCO provider/supplier or a group of multiple ESCO providers/suppliers all billing under the same Medicare-enrolled tax identification number that (1) has an ownership stake in the ESCO, (2) is a signatory to the CEC Model Participation Agreement, and (3) assumes a minimum portion of the liability for shared losses (“downside risk”) as specified by CMS and agrees that CMS may recover such shared losses. In addition, all dialysis facilities and nephrologists/nephrologist group practices participating in the ESCO must be Participant-Owners.

III. Introduction
The ESCO has designed and implemented a comprehensive compliance program that establishes various compliance procedures and structures, and sets forth the Code of Conduct that apply to all of the ESCO’s Participants, Managers and applicable ESCO Partners and ESCO Provider/Suppliers and all individuals associated with the ESCO are expected to follow in their employment or course of dealings with the ESCO or when providing services for the ESCO (the “Compliance Program”). Failure to comply can have serious consequences for the ESCO and for any employee or agent of the Participant, Manager or applicable ESCO Partner or Provider/Supplier who does not comply. Remedial action will be taken in the event of non-compliance with this Compliance Plan. Should a Corrective Action Plan (CAP) be issued, the Medical Management and Quality Committee is responsible to review, address, and create an internal action plan. The ESCO’s Board of Managers reviews and adopts the Compliance Plan, policies and procedures and the Code of Conduct.

  1. Overview.
    This Compliance Plan has been developed based, in part, on the seven (7) key elements that have been consistently identified by the federal government as being very important to the effectiveness of a compliance program. In addition, this Compliance Plan includes specific policies related to the ESCO’s participation in the CEC Model demonstration project. Aspects of both the seven (7) key elements as well as the specific policies have been adapted to the unique nature of the ESCO and its activities related to the CEC Model.
    The key elements are:
    • written policies, procedures and standards promoting a commitment to compliance and that describe the expectations as to the code of conduct;
    • a designated Compliance Officer who has responsibility for operating the compliance program and reporting to the ESCO Board of Managers on the ESCO’s compliance with applicable laws;
    • regular, effective education and training of Participants, Managers, and applicable Partners and Provider/Suppliers;
    • lines of communication and communication processes to ensure effective confidential communication of potential issues to those who are responsible for ensuring the ESCO’s compliance;
    • publicized disciplinary mechanisms to enforce standards and deter noncompliant activity and promote good faith participation in the compliance program;
    • effective evaluation and monitoring techniques including audits and the like designed to monitor compliance and identify potential compliance risks; and
    • procedures, systems and policies for responding to compliance issues and for corrective action and preventative measures.
    Each of these seven (7) elements is described in greater detail below.
  2. Element 1: Written Compliance Policies, Procedures and Standards
    • The Code of Conduct – The ESCO’s Code of Conduct and this Compliance Plan are at the core of the ESCO’s Compliance Program. They will be made available on the ESCO’s website. Copies of the Code of Conduct may be obtained from the ESCO Compliance Officer. The Code of Conduct is attached to this Compliance Plan as Exhibit A.
    • Policies and Procedures – In addition to the ESCO’s Code of Conduct and this Compliance Plan, the ESCO may develop and implement formal, written Compliance Policies and Procedures to describe in more detail existing ESCO compliance processes and procedures to further demonstrate the ESCO’s commitment to compliance. Attached as Exhibit B is a description of various laws that are especially pertinent to an organization such as the ESCO. The ESCO must comply with these laws at all times.
    • The ESCO Board of Managers will meet at least annually to discuss and approve any changes, if necessary to these or any other Compliance Program documents.
  3. Element 2: Oversight of the Compliance Program
    • The ESCO has designated a Compliance Officer who oversees the operations of the Compliance Program. The ESCO’s Compliance Officer will oversee all day-to-day aspects of the ESCO’s compliance program and will be responsible for ensuring that education and training is provided regarding various aspects of ESCO’s compliance activities. The Compliance Officer is also responsible for developing policies and procedures designed to ensure compliance and to monitor whether the ESCO is, in fact, meeting its obligations. The Compliance Officer will regularly report to the Board of Managers on the progress regarding the ESCO’s ongoing compliance with applicable laws. The Compliance Officer will provide background information in order that the Board of Managers exercises oversight regarding the implementation and effectiveness of the compliance program.
    • The ESCO Board of Managers has the ultimate responsibility and oversight of the ESCO’s compliance activities. As such, the ESCO Board of Managers will approve any substantive changes to the Compliance code of Conduct or the Compliance Plan. In addition, it will receive periodic reports from the Compliance Officer as to the operation of the compliance Program, as well as to the investigation and resolution of any material compliance issues that may arise.
    • The Medical Management and Quality Committee is chaired by the ESCO Chief Medical Officer (CMO) and includes the ESCO Compliance Officer and ESCO Participants, Partners and Provider/Suppliers as determined. The committee reports to the ESCO Board of Managers and oversees the ESCO’s quality and compliance reviews, addresses and resolves quality and compliance issues, facilitates the peer review process to investigate cases of potentially suboptimal care and addresses a Corrective Action Plan (CAP) issued by CMS. The Medical Management and Quality Committee meets as necessary.

VII. Element 3: Education and Training
The Compliance Officer is responsible for ensuring that the Code of Conduct, quality measures and the Compliance Plan are made accessible to all ESCO’s Participants, Managers and applicable ESCO Partners and Provider/Suppliers. In addition, as noted above, the Board of Managers will receive specific training in order that the Managers effectively exercise oversight over the ESCO’s Compliance Program. Parties who have entered into a participation agreement will be provided with a copy of this Compliance Plan and related Compliance Program materials and will be contractually committed to adhering to applicable laws and regulations. Such parties will, however, be deemed to have met the education and training standards of the ESCO if they certify that they have met the fraud, waste and abuse certification requirements required for enrollment in the Medicare Program. Periodic training will be provided that all remain fully equipped to ensure complete compliance with the legal and ethical responsibilities. These training refreshers will occur at least on an annual basis and more frequently as deemed appropriate by the Compliance Officer or the ESCO Board of Managers. The Compliance Officer will maintain a record of completion of training.

VIII. Communication Processes Including Hotline
Entities such as the ESCO are subject to numerous federal and state laws and regulations. Therefore, it is vitally important for all Participants, Managers, ESCO Partners and Provider/Suppliers to be vigilant regarding compliance within this complex legal and financial system. Accordingly, it is the responsibility and expectation of all to report concerns regarding suspected noncompliance.
To assist and facilitate in the confidential identification of potential compliance issues, the ESCO has established mechanisms for private communication of potential compliance issues. These mechanisms include:
• a confidential hotline (to be set up once ESCO signs participation agreement) by which any person (including any ESCO Member, Manager, Partner or Provider/Supplier) may report any issue on an anonymous basis, although s/he may also feel free to identify himself or herself if s/he prefers so that we can ask additional questions to aid in our resolving the issue; and
• open communication with the Compliance Officer whose duty it is to ensure total compliance by the ESCO. At any time, any ESCO Participant, Manager, ESCO Partner or Provider/Supplier may seek clarification or advice from the Compliance Officer with regard to the Compliance Program or any compliance questions or issues. Questions and responses will be documented by the Compliance Officer or designee.
It is the policy of the ESCO that good faith participation in the compliance program, including the reporting of any suspected noncompliance or other issue, will not result in retaliation against the participant. Individuals shall not be intimidated or retaliated against in response to their good faith adherence to this compliance program.
The Compliance Officer will maintain a record of reports of violations of the Compliance Program and its Code of Conduct or of relevant law and regulations received by the Compliance Officer. A summary report will be furnished periodically to the Medical Management and Quality Committee and the ESCO Board of Managers.

  1. Well-Publicized Disciplinary Measures
    All ESCO Participants, Managers and applicable ESCO Partners and Provider/Suppliers are expected to adhere to the Code of Conduct and to follow the principles of this Compliance Plan. Also, as noted above, it is an expectation of all that they report compliance issues and identify illegal or unethical behavior. Failure to comply with this requirement can result in disciplinary actions. The type and severity of the disciplinary action will depend on the particular facts and circumstances but serious deviations from these requirements can result in possible termination of the relationship with a party. It is the policy of the ESCO that it will institute timely, consistent and effective enforcement of the standards described in this Compliance Plan. Disciplinary or remedial action may include:
    • Failure to perform any obligation or duty required relating to compliance with the ESCO Compliance Program or applicable laws or regulations;
    • Failure to detect non-compliance with applicable policies and legal requirements and the ESCO Compliance Program where reasonable diligence would have led to the discovery of any violations or problems; and
    • Issuance of a Corrective Action Plan (CAP) by CMS.
    If the Compliance Officer concludes, after an appropriate investigation, that the Code of Conduct or applicable laws or regulations have been violated, then the compliance Officer will inform the Medical Management and Quality Committee and the ESCO Board of Managers as appropriate. Appropriate discipline, remedial process and disciplinary actions up to and including termination of participation in the ESCO, will be taken.
  2. System For Routine Monitoring and Identification of Compliance Risks
    Ongoing monitoring and auditing are critical to a successful compliance program. The Compliance Officer will periodically review aspects of the ESCO’s operations especially in areas that have been identified by government enforcement agencies as potentially problematic for entities engaged in contracting under the CEC Model. A particular area of focus will be the ESCO’s compliance with its regulatory and contractual commitments under the CEC Model.
    • Tracking New Developments – The Compliance Officer, or a designee, will ensure that all relevant publications issued by government or third-party payers regarding compliance rules and protocols are reviewed and appropriately implemented focusing in particular on rules, regulations and guidance as to the operation of the ESCO.
    • Quality and Compliance Reviews – Along with the Medical Management and Quality Committee, the ESCO Compliance Officer will ensure to the extent possible appropriate quality and compliance reviews are conducted. Such reviews will be conducted on a sampling, census or other basis. Reviews may include, but are not limited to: quality reviews of medical charts; data extraction and analysis based on applicable quality measures; patient satisfaction or other surveys. Feedback and education will be provided as appropriate and if needed.
    In conjunction with the Medical Management and Quality Committee, the ESCO Compliance Officer will also see that other compliance reviews are periodically conducted of ESCO operations to ensure continued compliance with regulatory requirements. Such reviews may include:
    • Reviews of the processes for submitting required certifications to Medicare to ensure accuracy and completeness;
    • Reviews of the processes for using or distributing shared savings dollars for compliance with the regulatory requirements and the methodology established by the ESCO Board of Members; and
    • Reviews to ensure that ESCO participants have been appropriately checked against government exclusion lists or are otherwise appropriately licensed and credentialed.
  3. Responding to Detected Noncompliance
    Any report received will be treated very seriously and will be thoroughly investigated. If upon review it is determined that the ESCO have been noncompliant in some regard, the ESCO will promptly take all appropriate actions required under the circumstances. The actual response will vary depending on the unique circumstances but in all cases there will be steps taken to ensure future compliance. Incidences of suspected misconduct related to payment from Medicare or related to services provided under that program will result in a timely inquiry into the conduct. In some cases, the ESCO may be required to voluntarily self-report the matter to an appropriate authority. The ESCO will promptly take such steps.
    • Investigation, Corrective Action and Responses to Suspected Violations – whenever a compliance problem is uncovered, regardless of the source, the Compliance Officer will first conduct a thorough investigation. Based on the results of the investigation, the Compliance Officer will work with the Medical Management and Quality Committee to ensure appropriate and effective corrective action is implemented, as appropriate
    • Any corrective action and response implemented must be designed to ensure that the violation or problem does not re-occur, or reduce the likelihood that it will re-occur.

XII. A Shared Commitment By All
The ESCO’s compliance with its legal duties depends on the actions of each and every Participant, Manager, ESCO Partner and Provider/Supplier. The consequences of noncompliance can be extremely serious and the ESCO cannot afford for even one individual to jeopardize the future of the ESCO by not taking their responsibility seriously. Those in a managerial or supervisory role have a special responsibility to ensure that those who they are responsible for fully understand and completely adhere to this Compliance Plan. The Board of Managers must take an active lead in promoting compliance. All have a unique responsibility for the ESCO’s compliance with the law and together we can ensure that the ESCO’s mission will continue into the future with the highest of standards.

XIII. Questions/Resources
If you have any questions, please do not hesitate to contact your supervisor or the following that has overall responsibility for this Compliance Plan:
Chris Lovell
Compliance Officer
(615) 342-0526
Chris.Lovell@dciinc.org
In addition, if you believe there may be a situation that possibly violates the law, the Code of Conduct or this Compliance Plan, please leave a message on the ESCO’s anonymous hotline.

EXHIBIT A
CODE OF CONDUCT

The ESCO’s Commitment to Legal and Ethical Conduct
Purpose of the Code of Conduct:
This Code of Conduct has been adopted by the ESCO’s Board of Managers as part of ESCO’s Compliance Plan in order to provide standards by which all Participants, Managers and applicable ESCO Partners and Provider/Suppliers will conduct themselves. The ESCO is fully committed to full compliance with all federal, state and local laws and regulations. Its activities shall be conducted at all times in conformance with the highest standards of business integrity. Individual conduct must be in a manner that protects and promotes integrity and enhances the ESCO’s ability to achieve its organizational mission. This Code of Conduct is intended to serve as a guide to help all to whom it applies make sound ethical and legal decisions during their day-to-day activities so the ESCO achieves the level of compliance required by law.
The standards and principles contained in this Code of Conduct apply to all Participants, Managers, as well as applicable ESCO Partners and Provider/Suppliers. The ESCO Board of Managers fully embraces the concepts contained herein and have formally adopted this Code of Conduct as the policy of the ESCO. Failure to comply can have serious consequences for the ESCO and for those who do not comply.
Compliance with Laws and Regulations
The ESCO shall operate in accordance with high legal, moral, and ethical standards and with all applicable laws, regulations, and standards.
The ESCO will not tolerate false statements to a government agency or other payor. Deliberate misstatements to government agencies or other payors will be grounds for disciplinary action.
The ESCO will not pay physicians or health care providers for referral of clients, or accept payments for referrals we make.
The ESCO will ensure that all reports or other information required by any federal, state, or local government agency are filed timely, accurately, and in conformance with the applicable laws and regulations.
The ESCO will not engage, either directly or indirectly, in any corrupt business practice, including bribery, kickbacks or payoffs, intended to induce, influence, or reward favorable decisions of any client, contractor, vendor, government personnel, or anyone in a position to benefit the ESCO in any way.
The ESCO will not participate in surveys conducted by a competitor, nor survey competitors concerning competitively sensitive topics such as prices for goods and services or physician services, terms of contracts, employment contracts, terms of equipment, supply or service contracts and joint bidding or joint venture arrangements.
The ESCO will undertake its activities in a manner that puts the best interests of its patients ahead of any financial or business motivation.
The ESCO will at all times honor its patients’ freedom to choose the healthcare provider of the patient’s choosing.
The ESCO will not hire or contract with any individual or entity who is currently excluded, suspended, debarred, or otherwise ineligible to participate in the federal health care programs or has been convicted of a criminal offense related to the provision of health care items or services and has not been reinstated in the federal health care programs after a period of exclusion, suspension, debarment, or ineligibility.
The ESCO will conduct itself in an ethical manner compliant with all relevant laws and regulations and correct wrongdoing.
The ESCO has a responsibility to report any activity by any Participant, Manager, ESCO Partners or Provider/Supplier that appears to violate applicable laws, rules, regulations, accreditation standards and standards of medical practice, Federal healthcare conditions of participation, or this Code of Conduct.

EXHIBIT B
All Participants, Managers and applicable ESCO Partners and Provider/Suppliers are expected to know the basic laws and regulations that apply to the ESCO and its participants. If you have questions, such questions should be promptly directed to the Compliance Officer. All are also expected to know and follow the ESCO policies and procedures and to utilize its processes and systems in accordance with those policies and procedures.
Suspected violations of law or ESCO policy must be promptly reported.

  1. ESCO Compliance Policies.
    A. Compliance With CEC Project Requirements. The ESCO is a participant in the CEC Model and as such is subject to various laws, regulations and guidelines related to that demonstration program. The CEC Model imposes various requirements on those participating in this innovative program. The following list, while not exhaustive, details a number of the requirements that the ESCO and all its contractors must adhere to at all times:
    • Compliance with all standards and requirements related to any legal waivers granted by CMS pursuant to its authority granted under section 1115A of the Social Security Act;
    • Adherence to the governance structure requirements contained in CMS’ Request For Applications, as may be amended by CMS from time to time;
    • A prohibition against restricting beneficiary access to necessary care;
    • Honoring a beneficiary’s freedom to choose their provider of service;
    • Development and implementation of a quality assurance strategy designed to prevent suboptimal care;
    • A prohibition against overutilization, underutilization or cost shifting; and
    • Compliance with the terms and conditions of the CEC Model Participation Agreement.
    B. HIPAA and Confidentiality/Privacy Issues. The Health Insurance Portability and Accountability Act (HIPAA) set the national standard for maintaining the confidentiality of protected health information (PHI) and/or electronic protected health information (ePHI). All medical and financial information must be treated as confidential. Medical records, treatments, conditions and personal affairs should only be discussed or shared with the attending physician, with persons authorized to receive such information, and with others who require access to the information to perform their duties. Only those who require specific information to furnish care, perform quality control activities, bill or collect charges for services, or furnish other administrative services are permitted access to that PHI unless authorized under the law or by a particular patient. This requires that all contractors take reasonable measures to protect the confidentiality of PHI, whether that information is presented in oral, written or electronic form.
    The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 adds to the requirements of HIPAA in protecting certain information. The HITECH Act imposes data breach notification requirements for unauthorized uses and disclosures of “unsecured PHI.” In general, the act requires that patients be notified of any such unsecured breach. Notification is triggered for unsecured breaches that occur either externally or internally. HITECH may impose significant penalties for any breach that is determined to involve “willful neglect.”
    C. Fraud and Abuse Laws. Federal laws, and many state laws, prohibit persons or entities from paying or receiving a kickback or other improper inducement to or from anyone for the referral of a patient or for the purchase of healthcare products or services. Such laws apply not only to physicians and other healthcare providers, but also to all types of referral sources, such as hospitals, nursing home, case managers, workers’ compensation attorneys, and other individuals in a position to influence referrals or purchases. They cover:
    • The offer or payment of a kickback or other improper inducement to secure referrals; and
    • The request or receipt of an improper payment in exchange for agreement to purchase a healthcare product or service from a particular vendor or contractor.
    Improper payments or inducements can take many forms. In addition to cash, kickbacks and inducements can include, but are not limited to:
    • Above fair market value lease payments to a referral source (or free or below fair market value lease payments from a referral source);
    • Loans to referral sources with below market interest rates or other terms that do not meet commercial lending standards;
    • Professional services contracts for more services than are needed or at rates in excess of fair market value; and
    • Excessive gifts or entertainment.
    Improper inducements may be indirect—for example, a payment or concession made to a third party with the expectation that it will be passed on to a referral source. Even the mere offer of a kickback or improper inducement could be a violation of law and could subject you and ESCO to criminal prosecution.
    Federal law also prohibits the use of gifts or other financial benefits to induce a Medicare patient to receive care.
    D. Conflicts of Interests. Managers and employees should avoid conflicts, as well as the appearance of conflicts between their private interests and the interests of the ESCO.
    A conflict of interest occurs if a business of personal relationship with another person or entity interferes with your ability to perform your duties for the ESCO in an objective manner.
    E. Excluded Persons or Entities. The ESCO will not employ or contract with any person or entity that is “excluded” from participation in any governmental payment program by the Office of Inspector General (“OIG”) or any comparable list of debarred or “excluded” providers issued by any other governmental agency with authority over the ESCO. In addition, ESCO will conduct periodic checks of the OIG’s list of excluded parties.
  2. Quality Assurance Program.
    The ESCO is dedicated to providing, through its participating providers’ high quality, cost-efficient care to ESRD beneficiaries. Accordingly, the ESCO has adopted a quality assurance strategy; the goal of which is to protect ESRD beneficiaries and ensure that they receive all necessary services for the care of their medical condition. This strategy includes review of clinical data to guard against the under-utilization and promote the furnishing of high quality care within the context of the innovative approach inherent in the CEC Model. Data extract information will be provided to the Medical Management and Quality Committee for review.
    Peer Review Process – The peer review approach ensures that the Medical Management and Quality Committee recognizes structural or procedural issues that may have contributed to suboptimal clinical outcomes. In this approach, the committee must look to identify changes to those structures and processes—or suggest new ones, to reduce the risk of such errors occurring in the future. This peer review approach is to evaluate medical errors in the context in which they occurred and to determine whether changes in the system of care can reduce the risk of future errors and poor clinical outcomes.
    The Medical Management and Quality Committee has oversight and manages the:
    • Evaluation of issues
    • Opportunities for constructive change
    • Key individuals to establish a dialogue with regarding the opportunities
    • Proposals of change
    • Determination of relative costs and benefits, cross-functional impacts and feasibility of proposals
    The following measures will be reviewed:
    • Fistula First data against the CMS-wide strategy to achieve 65% arterial venous fistula (AVF) utilization,
    • Decrease in catheter placement to <20% of in-center patient population, • In-center hemodialysis patient survey focused on preventative care prior to beginning dialysis, • Medication management impact comparing lab results over a three month period of time. The measures listed above will be reviewed at the following frequency: • Fistula First data will be reviewed over a rolling three-month time period quarterly, • Decrease in catheter placement will be reviewed over a three-month time period quarterly, • Patient survey results will be conducted within the first two weeks of in-center treatment and results reviewed quarterly, • Medication management lab results will span three months and be reviewed quarterly The process will include the following steps: • The Medication Management and Quality Committee will set standing quarterly meetings. • One week prior to the meetings, reports will be generated on a clinic level and provided to the committee pre-meeting review. • Minutes will be recorded at each meeting. • The Compliance Officer is responsible to ensure reports are forwarded and facilitates the discussion covering all four reviews. • Issues identified will be assigned an owner and delivery date for action. • Proposals of change require full Committee agreement. The ESCO Compliance Officer will maintain documentation of peer review cases investigated. III. Corrective Action Plan (CAP) Process
    The Medical Management and Quality Committee is responsible for a Corrective Action Plan (CAP) issued by CMS. The Committee is responsible to provide insight on possible causes of errors, communicating the CAP progress to the ESCO Board of Managers and others as determined, developing strategies and making all decisions on the planning, implementation and evaluation of corrective actions. The severity of the CAP will determine the disciplinary actions of the individual participants that caused the CAP. Action plan steps will include education and monitoring. Disciplinary actions will be tied to the severity of the CAP including possible termination with consideration of impact to shared savings distribution.
    The Medical Management and Quality Committees process to address a CAP involves the six phases below;
    1. Report Analysis – Review report issued by CMS to have clarify of problem(s). Review policies and procedures, quality reports, characteristics, and other essential information determined to support analysis.
    2. Program Analysis – Review the findings of the report analysis to determine the most upstream causes to which the errors are attributed (root cause analysis).
    3. Corrective Actions – Based on Report and Program Analysis results, determine the corrective actions to be implemented. These may include but are not limited to:
    o Changes to policies and procedures
    o Training
    o Changes in management system and tools
    o Creation of management tools
    4. Implementation – Develop an implementation schedule for each corrective action plan initiative. The implementation schedule should identify major tasks, key personnel responsible for each activity, timeline for each action including completion dates, and monitoring to completion.
    5. Evaluation – Determine means and method to evaluate and assess improvements against the cause for the CAP. Assign ownership for reporting on a monthly basis to committee.
    6. Disciplinary Actions stemming from issuance of a CAP by CMS will vary from shared savings reduction to immediate termination.
    o First citing by CMS will warrant shared savings reduction of 20%
    o Second citing by CMS will result in 100% shared savings reduction
    o Failure to implement corrective action plan will result in 100% shared savings reduction
    o Third citing by CMS is automatic termination
    o Intent to falsify documents, results, outcomes, and/or CAP will result in immediate termination
    Additional circumstances of a participant termination are based on five (5) quality measures;
    • Preventive Health
    • Chronic Disease Management
    • Care Coordination and Patient Safety
    • Patient and Caregiver Experience
    • Patient Quality of Life
  3. Antitrust Compliance Plan
    The Antitrust Compliance Plan is designed to establish safeguards against improper exchanges of prices or other competitively sensitive information among competing participants that could facilitate collusion and reduce competition in the provision of services outside the ESCO. A policy is attached as Exhibit C that is approved by the ESCO Board of Managers addressing antitrust (the “Antitrust Policy”). Training of this policy is mandatory for all ESCO Participants, Managers and applicable ESCO Partners and Provider/Suppliers on an annual basis. Additionally, on an annual basis the Participants, Managers and applicable ESCO Partners and Provider/Suppliers are required to take an antitrust training course with certification of completion and certification that conduct has been as defined in the Code of Conduct and the Antitrust Policy.
    The ESCO Board of Managers will attest in writing to CMS that the ESCO will not use its market leverage to raise its commercial reimbursement rates to levels significantly disproportionate to growth in Medicare reimbursement rates.
  4. Remedial Processes
    In the event that an ESCO Participant, Manager, ESCO Partner or Provider/Supplier is out of compliance with the requirements of the CEC Model, Medicare regulations, CAP, and/or is otherwise not adhering to ESCO policies and procedures, remedial action will be taken by the ESCO Board of Managers to rectify the noncompliant behavior. The remedial process will be a tiered approach that utilizes the most appropriate remedy for the specific circumstances. These remedial steps will be included in the participation agreement between the ESCO and the participants. While the remedial steps are designed to be graduated in their approach, the ESCO will apply the remedial action most appropriate under the circumstances up to and including expulsion.
    Steps will include:
    1. Verbal review with Medical Director
    2. Written review and action plan
    3. Holding shared savings
    4. Termination

    EXHIBIT C
    Music City Kidney Care Alliance, LLC
    POLICY DESCRIPTION – Communications with Competitors Concerning Prices, costs of Service and other Competitively Sensitive Topics

EFFECTIVE DATE:
APPROVED BY: ESCO Board of Managers
PURPOSE: Antitrust violations may subject the ESCO to severe civil and criminal monetary fines, civil liability for treble damages and injunctions that could expulse the ESCO from participation in the Medicare Comprehensive ESRD Care (CEC Model) demonstration project. Antitrust violations may also subject individual employees to imprisonment, personal liability, and substantial monetary fines. The ESCO Code of Conduct therefore requires not only compliance with the law but avoidance of activities which, though not illegal, may pose unnecessary risks of litigation, government investigation, or injury to the ESCO reputation. The following limitations on information exchanges with Competitors are designed both to aid compliance with antitrust laws and protect the competitive and financial interests of ESCO Participants, Managers and applicable ESCO Partners and Provider/Suppliers.
POLICY: Each ESCO Participants, Managers and applicable ESCO Partners and Provider/Suppliers shall comply with the following:
1. Prohibited Communications – ESCO Members, Managers and Provider/Suppliers shall not communicate with a Competitor, either directly or through other employees, medical staff, consultants or other third parties about the following:
a. Prices charged for goods or services, including physician services
b. Costs of goods, supplies, equipment, or services, including physician services
c. Employee salaries, wages, or benefits, compensation policies, staffing policies, employment contracts or severance agreements
d. Terms of managed care contracts
e. Terms of commercial contracts
f. Terms of equipment, supply or service contracts
g. Allocation among competitors of customers, services or territories
h. Exclusion of any existing or potential competitor or supplier from the market
i. Joint bidding or joint venture arrangements
These topics are referred to in this policy as Competitively Sensitive Topics. An exception to the above is with the legal advice from the Legal Counsel for the ESCO.
2. Permissible Communications – There are many legitimate business reasons to communicate with Competitors. This policy is not designed to prohibit communications with Competitors concerning, but not limited to:
a. Medical treatment
b. Physician credentialing and privileging
c. Development of Electronic Health Records (EHR) databases
d. Improvement of patient quality of care
e. General trends in the healthcare industry
f. Non-business matters
Even when discussing permissible topics, however, ESCO Participants, Managers and applicable ESCO Partners and Provider/Suppliers must still abide by requirements to protect privileged, proprietary or confidential information as set forth in the Code of Conduct.
3. Surveys – ESCO Participants, Managers and applicable ESCO Partners and Provider/Suppliers may not survey competitors concerning Competitively Sensitive Topics listed under Prohibited Communications, nor participate in such surveys conducted by a Competitor. Any requests to participate in outside party surveys regarding pricing, costs, compensation or employee benefits are to be communicated to the ESCO Legal Counsel.
Definitions –
For purposes of this policy, a “Competitor” is any person or entity that provides products or services that are similar to, or are viable alternatives to, products and services provided by participating ESCO participants. A “Competitor” may also be a person or entity that competes for supplies, labor, equipment contracts or other inputs that affect costs to the ESCO.
For purposes of this policy, “Communicating” with Competitors includes providing or receiving documents, sending or receiving letters, memos, emails, text messages, engaging in phone or personal conversations, or participating in meeting or seminars to include trade association meetings or industry conferences.

PROCEDURE NO: 101

ISSUED BY: Compliance Officer

DATE ISSUED:

Code of Conduct
PURPOSE:
The Code of Conduct has been adopted by the Music City Kidney Care Alliance Board of Managers as part of the Music City Kidney Care Alliance Compliance Program. The Code of Conduct provides standards by which all Contractors, Managers and Members will conduct themselves. Its activities shall be conducted at all times in conformance with the highest standards of business integrity. Individual conduct must be in a manner that protects and promotes integrity and enhances the Music City Kidney Care Alliance’s ability to achieve its organization mission. The Code of Conduct serves as a guide to help all to whom it applies make sound ethical and legal decisions during day-to-day activities so the Music City Kidney Care Alliance achieves the level of compliance required by law.

SUPPORTIVE DATA:
The standards and principals contained in this Code of Conduct apply to all Contractors, Managers and Members. It is a requirement of all Contractors, Managers and Members to fully adhere to the Compliance Program and Code of Conduct.

POLICY:
1. Compliance with Laws and Regulations
The Music City Kidney Care Alliance shall:
a. operate in accordance with high legal, moral and ethical standards and with all applicable laws, regulations and standards.
b. not tolerate false statements to a government agency or other payor. Deliberate misstatements to government agencies or other payors will be grounds for disciplinary action according to the policy.
c. not pay physicians or health care providers for referral of clients, or accept payments for referrals made.
d. ensure that all reports or other information required by any federal, state, or local government agency are filed timely, accurately, and in conformance with the applicable laws and regulations.
The Music City Kidney Care Alliance will not engage, either directly or indirectly, in any corrupt business practice; including bribery, kickbacks or payoffs intended to induce, influence, or reward favorable decisions of any client contractor, vendor government personnel, or anyone in a position to benefit the Music City Kidney Care Alliance in any way.
The Music City Kidney Care Alliance will undertake its activities in a manner that puts the best interests of its patients ahead of any financial or business motivation.
The Music City Kidney Care Alliance will at all times honor its patients’ freedom to choose the healthcare provider of the patient’s choosing.
The Music City Kidney Care Alliance will not hire or contract with any individual or entity that is currently excluded, suspended, debarred, or otherwise ineligible to participate in the federal health care programs or has been convicted of a criminal offense related to the provision of health care items or services and has not been reinstated in the federal health care programs after a period of exclusion, suspension, debarment, or ineligibility.

PROCEDURE NO: 102

ISSUED BY: Compliance Officer

DATE ISSUED:

BACKGROUND SCREENING
PURPOSE:
Music City Kidney Care Alliance’s promotion of high levels of ethical and lawful conduct require that it adopt this policy and procedure to avoid the participation and retention of officers, directors, volunteers, student interns and certain contracting vendors who have been excluded from participation in federal healthcare programs or who have criminal convictions that would disqualify them from employment or association with Music City Kidney Care Alliance.

SUPPORTIVE DATA:
Statutes, regulations and guidance adopted or authorized by the United States
government prohibit federal health care programs from paying persons or entities
who have been excluded from participation in federal health care programs for any item
or services furnished, ordered or prescribed by an excluded individual or entity. The
Office of Inspector General (OIG) also has authority to impose civil monetary penalties against a healthcare provider who knows or should have known that an excluded
individual or entity performed services on behalf of the healthcare provider.

POLICY:
1. Participating providers are responsible for the background screening of employees, officers, directors, volunteers, student interns, and certain contractors, agents who perform billing, coding or patient care functions on behalf of Music City Kidney Care
Alliance and certain vendors. The screening is to ensure that they are not ineligible to perform services for Music City Kidney Care Alliance. Background checks shall be completed prior to any work being performed and monthly thereafter. Background checks shall at a minimum include review of the SAM exclusion database and state Medicaid exclusion register. No employee, contractor, or vendor may begin their employment or assignment until they have passed the OIG Screen.

  1. Participating providers’ employees, officers, directors, volunteers, students interns,
    and certain contractors and vendors will immediately disclose to their immediate supervisor and to the Music City Kidney Care Alliance Compliance Officer any debarment, exclusion, suspension, conviction, criminal plea (including a plea in the nature of no contest or diversion), existing proceeding, pending proceedings, final adjudications or other events that renders him or her ineligible or may result in him or her becoming ineligible to participate in any federal, state, or local health care program.
  2. Persons who do not pass the initial screening process will not be allowed to perform
    any activity on behalf of Music City Kidney Care Alliance in any capacity.
  3. Persons, or vendors who were previously excluded from Federal Health Care Programs and have met all the requirements to get the exclusion lifted, must be approved on an individual basis by the Participating Provider and the Music City Kidney Care Alliance Compliance Officer.

PROCEDURE NO: 103

ISSUED BY: Compliance Officer

DATE ISSUED:

DISCIPLINARY ACTIONS
PURPOSE:
To establish a disciplinary policy for participating providers of the Music City Kidney Care Alliance who fail to comply with the Music City Kidney Care Alliance Compliance Program and/or policies and procedures.

SUPPORTIVE DATA:
Music City Kidney Care Alliance established a Compliance Program and policy and procedures. Music City Kidney Care Alliance will take disciplinary action against a Contractor, Manager, Member, or anyone acting on behalf of the Music City Kidney Care Alliance who fails to act in accordance with the Compliance Program, Code of Conduct, all applicable federal and state laws and/or policies and procedures. Disciplinary action will range from a verbal warning to termination of participating in the Music City Kidney Care Alliance. The severity of the disciplinary action will be determined by the Board of Managers upon the recommendation of the Music City Kidney Care Alliance Compliance Officer.
All suspected offenses or failures to detect must be reported immediately to the Music City Kidney Care Alliance Compliance Officer. No disciplinary action shall be taken against a Contractor, Manager or Member for compliance-related offenses without first obtaining the approval of the Board of Managers and Music City Kidney Care Alliance Compliance Officer.

POLICY:
1. Disciplinary actions for violations of (a) Compliance Program, (b) Code of Conduct, (c) Policies and Procedures will be imposed only after an investigation and determination of the violation in accordance with policy.
2. There will not be retaliation against any Contractor, Manager or Member who reports, or submits a good faith complaint in accordance with policy. A false compliant, or report submitted may be subject to disciplinary action.
3. Disciplinary actions for violations of the Compliance Program, Code of Conduct, and/or Policies and Procedures will be determined by the Board of Managers.
4. Violation of certain aspects of the Compliance Program, Standards of Conduct, or Corporate Policy and Procedures may constitute a criminal offense under federal or state laws. Any Contractor, Manager or Member who violates such a criminal law may expect Music City Kidney Care Alliance to provide information concerning the violation to appropriate law enforcement personnel and to cooperate with any law enforcement investigation or prosecution.
5. Further, violations may constitute violations of professional ethics and be grounds for professional discipline. Any Contractor, Manager or Member subject to professional ethics guidelines and/or professional discipline should expect the Board of Managers to report such violations to appropriate licensure/accreditation agencies and to cooperate with any professional investigation or disciplinary proceedings.

PROCEDURE NO: 105

ISSUED BY: Compliance Officer

DATE ISSUED:

Reporting Compliance Issues
PURPOSE:
Ensure Music City Kidney Care Alliance provides a mechanism for Contractors, Managers and Members to communicate compliance-related concerns or issues or to report a known or a suspected compliance-related violation.

SUPPORTIVE DATA:
Healthcare faces an array of regulations including False Claims Act; federal and state anti-kick back and fraud and abuse laws; federal and state self-referral laws, including the federal Stark law; federal and state privacy laws, including HIPAA and Security. Music City Kidney Care Alliance Contractors, Managers and Members must comply with all federal, state, local laws and regulations, and policy and procedures that apply to Music City Kidney Care Alliance healthcare operations and business dealings.

Areas of concern include, but are not limited to, business ethics: inappropriate relationships, conflicts of interest, receipt or distribution of gifts and gratuities. (i.e. physician receiving remuneration in exchange for referrals, offering gifts to patients in excess of prescribed OIG limitations)

All Music City Kidney Care Alliance Contractors, Managers and Members are required to promptly report all known or suspected compliance-related violations and are encouraged to report any concerns or issues that are known or suspected to be
related to compliance. The reporting requirements outlined in this policy are supported by the Music City Kidney Care Alliance Compliance Program, Code of Conduct and Policies and Procedures and by federal and state laws and regulations, including HIPAA privacy and security, Stark, and fraud and abuse laws.

POLICY:
Reporting Violations:
All Music City Kidney Care Alliance Contractors, Managers and Members are required to promptly report all known or suspected compliance-related violations of any federal or state statute or regulation, all known or suspected violations of any written directive from a governmental agency or department; including those related to Medicare, Medicaid (or its equivalent) and all other federal or state health care programs, or all known or suspected violations of any Music City Kidney Care Alliance policies and procedures. Anyone made aware of a violation is responsible for ensuring it is immediately reported to the Music City Kidney Care Alliance Compliance Officer. Procedures to report are:
a) Telephone – Call the Compliance Hotline (999-999-9999) to report a concern or violation. This is a dedicated, toll-free telephone number and voice mailbox available 24 hours/7days a week. The Compliance Hotline is designed so that neither the name of the caller or the telephone number displays thus ensuring confidentiality.
b) Writing – Written correspondence is to be mailed to the attention of the Music City Kidney Care Alliance Compliance Officer. The address is 1633 Church Street, Suite 400, Nashville, TN 37203. For email correspondence, address to Chris.Lovell@dciinc.org Sending an email may not provide anonymity to the sender because the senders’ email address will display.

Anonymity
Music City Kidney Care Alliance Compliance Officer will take reasonable precautions to maintain the confidentiality of an individual, if requested, who reports a compliance concern or violation to the extent possible and permitted by law. Anyone who improperly violates an individual’s right to confidentiality or anonymity in connection with a reported incident will be subject to disciplinary action, up to and including termination from the Music City Kidney Care Alliance.

Failing to Report a Violation or Condoning a Violation
Any Music City Kidney Care Alliance Contractor, Manager or Member who fails to report a suspected or actual violation as outlined in this policy will be subject to disciplinary action, up to and including termination from the Music City Kidney Care Alliance.

Reprisals/Unfounded Accusations
Reprisals are prohibited against anyone who reports a suspected or actual compliance violation. Music City Kidney Care Alliance encourages its Contractors, Managers and Members to make a good-faith report of a suspected or actual violation. Music City Kidney Care Alliance reserves the right to investigate a person who makes an alleged unfounded accusation for the purpose of harassment or revenge if there is reason to believe this occurred.

Investigation
Investigations will be followed in accordance with Music City Kidney Care Alliance policy and procedure on compliance investigations.

Logging System
A log will be maintained by the Music City Kidney Care Alliance Compliance Officer to record all reported issues related to compliance or privacy. The log will include the nature of any investigation and the results. The issues reported will be reported on a regular basis to the Music City Kidney Care Alliance Board of Members.

PROCEDURE NO: 106

ISSUED BY: Compliance Officer

DATE ISSUED:

Compliance Investigation
PURPOSE:
Music City Kidney Care Alliance Compliance Officer will investigate all compliance concerns to detect possible violations in applicable laws, regulations, guidelines and policies and procedures.

SUPPORTIVE DATA:
As defined in the Hospital Guidance, an effective compliance program must include
(1) the development of a system to respond to allegations of improper/illegal
activities and
(2) the investigation and remediation of identified systemic problems.
Upon receipt of any known or suspected compliance related violation(s) or the receipt of any concerns or issues that are known or suspected to be related to compliance,
Music City Kidney Care alliance Compliance Officer will perform an investigation of the reported violation(s).

POLICY:
1. Music City Kidney Care Alliance Compliance Officer will investigate all
compliance-related concerns in a timely manner.
2. Music City Kidney Care Alliance Compliance Officer will make a preliminary,
good faith inquiry into all reported allegations to determine whether further review
should be conducted.
3. Music City Kidney Care Alliance Compliance Officer will conduct an internal
review of allegations reported..
4. Music City Kidney Care Alliance Compliance Officer will develop a plan of investigation.
5. Music City Kidney Care Alliance Compliance Officer will document investigation methods and findings in logging system. Music City Kidney Care Alliance Compliance Officer will retain and maintain all supporting documentation.
a. If the investigation does not substantiate the concern, documentation
regarding the investigation will be filed. Once complete, documentation is filed for a minimum of six years.
b. When a compliance violation is found to exist, all documentation related to
the investigation will be kept in an “open” file until a corrective action plan and any
related monitoring are complete and documented within the appropriate logging
system.
c. All documents related to the investigation and the information in the logging system will be retained for a minimum of six years after the investigation is complete.
6. Music City Kidney Care Alliance Compliance Officer will report compliance
matters to the Music City Kidney Care Alliance Board of Members bi-annually.
7. Retaliation for good faith reporting or discussing of a compliance-related
concern will not be tolerated.
8. Music City Kidney Care Alliance Compliance Officer determines when to close
an investigation.

PROCEDURE NO: 107

ISSUED BY: Compliance Officer

DATE ISSUED:

CEC Project Requirements
PURPOSE:
The Music City Kidney Care Alliance is a participant in the CEC Model and as such is subject to various laws, regulations and guidelines related to that demonstration project.

SUPPORTIVE DATA:
The CEC Model imposes various requirements on those participating in the innovative program. The following list, while not exhaustive, details a number of the requirements that the Music City Kidney Care Alliance Contractors, Managers and Members must adhere to at all times.

POLICY:
1. Compliance with all standards and requirements related to any legal waivers granted by MCS pursuant to its authority granted under section 1115A of the Social Security Act.
2. Adherence to the governance structure requirements contained in CMS’ Request for Applications, as may be amended by CMS from time to time.
3. A prohibition against restricting beneficiary access to necessary care.
4. Honoring a beneficiary’s freedom to choose their provider of service.
5. Development and implementation of a quality assurance strategy designed to prevent suboptimal care.
6. A prohibition against overutilization, underutilization or cost shifting.
7. Compliance with the terms and conditions of the CEC Model Participation Agreement

PROCEDURE NO: 108

ISSUED BY: Compliance Officer

DATE ISSUED:

Fraud Waste and Abuse
PURPOSE:
Federal laws and state laws prohibit persons or entities from paying or receiving a kickback, or other improper inducement to or from anyone for the referral of a patient or for the purchase of healthcare products or services.

SUPPORTIVE DATA:

POLICY:
Such laws apply not only to physicians and other healthcare providers, but also to all types of referral sources; such as hospitals, nursing homes, case managers, workers’ compensation attorneys and other individuals in a position to influence referrals or purchases. They cover:
a) The offer or payment of a kickback or other improper inducement to secure referrals and
b) The request or receipt of an improper payment in exchange for agreement to purchase a healthcare project or service from a particular vendor or contractor.
Improper payments or inducements can take many forms. In addition to cash, kickbacks and inducements can include, but are not limited to:
a) Above fair market value lease payments to a referral source (or free or below fair market value lease payments from a referral source)
b) Loans to referral sources with below market interest rates or other terms that do not meet commercial lending standards
c) Professional services contracts for more services than are needed or at rates in excess of fair market value
d) Excessive gifts or entertainment
Improper inducements may be indirect; for example, a payment or concession made to a third party with the expectation that it will be passed on to a referral source. Even the mere offer of a kickback or improper inducement could be a violation of law and could subject Music City Kidney Care Alliance Contractors, Managers and Members and the Music City Kidney Care Alliance to criminal prosecution.
Federal law also prohibits the use of gifts or other financial benefits to induce a Medicare patient to receive care.

PROCEDURE NO: 201

ISSUED BY: Compliance Officer

DATE ISSUED:

Introduction HIPAA
PURPOSE:
Provide an introduction to HIPAA concepts and definitions. Also, to establish a uniform point of reference for the language used relating to protected health information under the HIPAA regulations.

SUPPORTIVE DATA:
The Health Insurance Portability and Accountability Act of 1996 mandated that the
United States Department of Health and Human Services draft and publish comprehensive regulations to standardize the process for electronic transmission of claims and payment throughout the health care industry and to create federal
protection for the privacy and security of health information. F Kidney Care
Alliance has adopted these policies and procedures as part of its compliance with
the Health Insurance Portability and Accountability Act and specifically the “Privacy
Rule” (hereinafter “HIPAA” or “Privacy Rule”). HIPAA is the first set of comprehensive federal laws and regulations designed to protect patient privacy and security in their protected health information (hereinafter “PHI”). The Health Information Technology
for Economic and Clinical Health (HITECH) provisions contained within the American Recovery and Reinvestment Act (ARRA) of 2009 require HIPAA covered entities and business associates to address and incorporate breach notification as an integral part of their HIPAA systems, Policies and Procedures, and training. This ruling was effective September 23, 2009.

On January 25. 2-13. The Department of Health and Human Services (“HHS”)
formally published its Omnibus Final Rule (“Final Rule”), which includes modifications to the HIPAA Privacy and Security Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”).

State laws that address confidentiality, privacy, or security of PHI and governing a
Music City Kidney Care Alliance location apply unless HIPAA is stricter.

POLICY:
Definitions:
Authorization: An authorization is a written document signed by a patient, or patient’s representative giving permission to a provider to disclose PHI for a purpose other than treatment, payment or health care operations. An authorization must contain 9 elements to be valid; specific description of information to be disclosed including dates, the name or other specific identification of the entity/person making the request, the purpose of the request, the entity/person name to whom the PHI is being requested from, an expiration date/event, a statement of the patient’s right to revoke and how, a statement that information used or disclosed may be subject to re-disclosure, a statement regarding conditioning or not the patient’s care if not signed, patient, or patient’s representative signature and date.
Breach: The acquisition, access, use or disclosure of protected health information in a manner not permitted under HIPAA Privacy is presumed to be a breach unless the covered entity or BA “demonstrates that there is a low probability that the PHI has been comprised based on a risk assessment”. OCR established four primary factors that covered entities and business associates must consider as part of this risk assessment. At a minimum each factor must be assessed to constitute a risk assessment under the Final Rule.

  1. The nature and extent of the protected health information involved, including the types of identifies and the likelihood of re-identification.
    OCR advises that covered entities and business associates need to consider this factor in light of the type of protected health information involved, including its level of sensitivity. Covered entities must pay special attention to types of information that could be used to harm the patient or further unauthorized recipient’s own interests. For example, the impermissible use or disclosure of information about sexually transmitted diseases could be used to harm the reputation of a patient. If the impermissibly used or disclosed information included financial information, such as credit card numbers of social security numbers, a greater likelihood of identity theft or fraud against the patient exists.
  2. The unauthorized person who used the protected health information or to whom the disclosure was made.
    Covered entities and business associates must consider who impermissibly received protected health information. To the extent this person or entity is not known, a covered entity or business associate should assume this factor weighs in favor of there being a greater than a low probability that the data has been compromised. When the person or entity is another covered entity or otherwise subject to the Privacy Rule, such as a physician, there is a lower probability that the protected health information has been or will be further compromised. This factor must also be weighed in light of the likelihood of re-identification discussed above. If a limited data set were impermissibly obtained by a third party, the likelihood that the protected health information is compromised could depend on the person or entity’s ability to re-identify the protected health information. OCR provides the example of the impermissible disclosure of service dates and accompanying diagnoses to an employer. The employer could review attendance logs and tie the data back to a particular employee, whereas it is less likely a person or entity without such a special relationship could do so. Disclosure to the employer in this example would increase the probability of the protected health information being compromised.
  3. Whether the protected health information was actually acquired or viewed.
    If PHI is not actually acquired or viewed, but rather only an opportunity to acquire or view the information existed, this factor weighs in favor of there being a low probability that the protected health information has been compromised. OCR provides the example of a stolen computer that was later recovered, and forensic analysis of the data stored on the computer reveals that the protected health information contained on the computer was never accessed or viewed. In this instance, there would have only been an opportunity to acquire or view the protected health information. Contrast this scenario with a batch of hardcopy medical records intended for the patient, but accidentally mailed to the wrong person by the covered entity. If the envelope is returned to the covered entity unopened, the likelihood the protected health information was acquired or viewed is low. If the envelope returned had been opened or not returned at all, the covered entity would need to assume that the protected health information was actually acquired or viewed.

The extent to which the risk to the protected health information has been mitigated.
Mitigation upon the impermissible use or disclosure of protected health information might include obtaining satisfactory assurances that the information will not be further used or disclosed, such as through a confidentiality agreement, or that it will be destroyed. This factor must be closely considered in relation to the second factor discussed above. OCR discusses the fact that impermissible uses or disclosure to certain entities–such as a business associate, employee, or other covered entity—can more reasonably be considered mitigated upon receipts of satisfactory assurances that the information in question will not be further used or disclosed or will be destroyed, than impermissible uses or disclosures to an unrelated third party with no obligation to comply with the Privacy Rule.

Business Associate: A person or entity who, on behalf of Music City Kidney Care Alliance, performs a function involving the use or disclosure of individually identifiable health information from Music City Kidney Care Alliance, but other than in the capacity as a Contractor, Manager or Member of the Music City Kidney Care Alliance.

Covered Entity: A covered entity is a health plan, health care clearinghouse, or health care provider. Music City Kidney Care Alliance is a health care provider.

Designated Record Set (DRS): A group of records, electronic or paper, maintained by Music City Kidney Care Alliance that are used to make decisions about the patient. A designated record set includes medical and billing records. The designated record set also includes records requested or received by Music City Kidney Care Alliance from another health care provider or professional and that become a part of the Music City Kidney Care Alliance record.

Disclosure: When Music City Kidney Care Alliance provides PHI to persons or entities outside of Music City Kidney Care Alliance.

Health Care Provider: A provider of medical or health services who furnishes, bills, or is paid for health care in the normal course of business.

Healthcare Operations: Any of the following activities of the covered entity to the extent that the activities are related to covered functions: (1) conducting quality assessment and improvement activities , population-based activities, and related functions that do not include treatment; (2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conduction training programs where students learn to practice or improve their skills as health-care providers, training of non-health-care professionals, accreditation, certification, licensing, or credentialing activities, (3) underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or benefits; (4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; (5) business planning and development , such as conduction cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and (6) business management and general administrative activities of the entity.

Health Information: Any information whether oral or recorded in any form that is
created or received by the clinic and relates to past, present or future health or condition of the patient.

Individually Identifiable Health Information: A subset of protected health information, including demographic information created or received by the clinic. It relates to the past, present or future physical or mental health condition that identifies the individual or where there is reasonable basis to believe the information can be used to identify the individual.

Limited Data Set: Information from which “facial” identifiers have been removed. Specifically, as it relates to the individual or his/her relatives, employers or household members, all of the following must be removed in order for health information to be a “limited data set” as defined in the Privacy Regulation issued under HIPAA:
•Names
•Street Addresses (other than town, city, state, zip code)
•Telephone Numbers (Home, work, cell, pagers and fax)
•E-mail Addresses
•Social Security Numbers
•Medical Records Numbers
•Health Plan Beneficiary Numbers
•Account Numbers
•Certificate License Numbers
•Vehicle Identifiers and Serial Numbers (including license plates)

Device Identifiers and Serial Numbers
•URL’s
• IP Addresses
•Biometric Identifiers (including finger and voice prints)
•Full face photos (or comparable images)

The health information that may remain in the information disclosure includes:
•Dates of Admission, Discharge, Service, DOB and DOD
•City, State, Zip Code
•Ages (including years, months, days and/or hours)

Note: This information is still protected PHI under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.

Minimum Necessary: The Privacy Rule stipulates that covered entities limit the amount of information disclosed to the minimum necessary to achieve the specified goal. This requirement would not apply if the disclosure were required by law, authorized by the individual, or for treatment purposes.

Payment: (1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) a health-care provider or health plan to obtain or provide reimbursement of the provision of healthcare; and (2) the activities relate to the individuals to whom the health care is provided and include, but are not limited to (i) claims, (ii) risk adjusting amounts due based on enrollee health status and
demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract of reinsurance (including stop-loss insurance) and related health-care services with respect to medical necessity, coverage under a health plan , appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following PHI relating to collection of premiums or reimbursement: (a) name and address; (b) date of birth; (c) social security number; (d) payment history; (e) account number; (f) name and address of the health-care provider or health plan.

Protected Health Information (PHI): Protected Health Information means any information, whether oral or recorded, in any form or medium: (1) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (2) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Social Network Site: A website that provides a virtual community for people interested in a particular subject or to just “hang out” together. Communication may be through voice, chat, instant messaging, blogs, and/or video conference.

Treatment: The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient’ or the referral of a patient for health care from one health care provider to another.

Unsecured Protected Health Information (PHI): PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology.

Use: When Music City Kidney Care Alliance internally uses PHI.

Workforce: Means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a clinic, is under the direct control of the clinic, whether or not they are paid by the clinic. In addition, independent contractors of Music City Kidney Care Alliance who perform a substantial portion of their contracted activities at the clinic may be deemed by Music City Kidney Care Alliance to be members of its workforce if they receive Music City Kidney Care Alliance’s standard HIPAA training and education and execute the appropriate confidentiality agreement agreeing to abide by Music City Kidney Care Alliance’s HIPAA policies and procedures.

PROCEDURE NO: 202

ISSUED BY: Compliance Officer

DATE ISSUED:

Confidentiality of Protected Health Information (PHI)
PURPOSE:
Ensure that Music City Kidney Care Alliance handles each patient’s health information in a manner that maintains confidentiality of the information as required by the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009.

SUPPORTIVE DATA:
The Medicare ESRD Interpretive Guidelines require the written consent of the patient,
or of an authorized person acting on behalf of the patient, for release of medical
record information not provided by law.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes a
floor of safeguards to protect the confidentiality of patient health information (PHI). It
sets boundaries on the use and release of health records; establishes safeguards that
providers must achieve to protect health information; limits release of information to
the minimum necessary to meet the purpose of the disclosure and holds violators accountable, with civil and criminal penalties that can be imposed when patient’s privacy rights have been violated.

POLICY:
All PHI will be strictly confidential and will be shared only with those who have a “need to know” for business/treatment purposes and information will only be shared in a secure area. “Need to know” is defined as the medical information necessary for one to perform one’s specific job responsibilities adequately.

Request for Alternate Confidential Communications
1. Patients may request that they receive communications from the facility at an alternate location or by alternate means, regardless of the protected health information involved.
2. As health care providers, we are required to accommodate reasonable requests by the patients for alternate communications and may not require the individual to explain the basis for the request.
3. The Music City Kidney Care Alliance location must determine if the request is reasonable solely based upon the administrative difficulty of complying with the request.
4. The Music City Kidney Care Alliance location will require the patient to provide the request in writing.

Reasonable Safeguards
The privacy regulations were not designed to restrict the performance of patient care but rather to protect PHI. The regulations permit certain incidental disclosures of PHI that cannot be reasonably prevented and that are limited in nature and occur as a result of normal business practices. Incidental disclosure is permissible only to the extent that the Music City Kidney Care Alliance location has applied reasonable safeguards to try and prevent unnecessary disclosure of the information and applied the minimum necessary standard to any information disclosed. However, an incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, where required, is a violation of the Privacy Rule. Example: If a staff nurse is overheard talking to a physician about another patient but the nurse made reasonable efforts to avoid being overheard and reasonably limited the information shared, an incidental disclosure resulting from such a conversation is permissible under the Rule. This provision should alleviate concerns that common practices, such as the use of sign-in sheets (with just the patient’s name), and calling out names in the waiting room will violate the Rule. So long as the information disclosed is appropriately limited, the Privacy Rule is not violated. The use of de-identified information whenever possible is a good privacy practice. (Ex: Using a coded system for the patient name on charts that may be viewed by other patients.)

Verbal Communications
Protected health information may be disclosed by way of verbal communication and verbal PHI is subject to the same protection as written PHI. Verbal communication
that involves PHI should take place only in a secure location away from casual hearing from persons who do not have a “need to know” for job responsibilities. HIPAA regulations state that health care providers must put into place “reasonable safeguards” to protect the privacy of PHI. Examples of such are:
1. Nurse’s station- Patient information will only be discussed in a location away from
the hearing of patients, family members, or employees who do not have a “need to know” for their job responsibilities.
2. Reception areas will be protected using reasonable safeguards from casual listening by family members in the waiting room or visitors in the clinic.
3. Incoming/Outgoing phone calls into the unit for the purpose of giving or receiving information will be protected from casual listening by other patients. Phones will
not have extensions and lines where persons without a need to know can eavesdrop.
4. Music City Kidney Care Alliance workforce will not listen to voice mail via speaker phone without first ensuring that it is a private setting.
5. PHI is not to be discussed outside of clinical areas (e.g. elevators, hallways, parking lots, etc.).

Verbal Communications with Family or Friends
Music City Kidney Care Alliance location must have specific permission when possible from the patient to disclose protected health information to family or friends.

  1. Verbal Communications with the Patient Present: If the patient is present for,
    or is available prior to the communication, the facility may disclose the protected
    health information to a family member or friend if it:
    a. asks the patient’s permission; or
    b. provides the patient with the opportunity to object; or
    c. reasonably assumes from the surrounding circumstances and professional judgment that the patient does not object.
    2. Verbal Communications When Patient Not Present: If the patient is not
    present, is incapacitated, or is in an emergency situation, the facility may disclose
    the protected health information to a family member or friend if it:
    a. uses professional judgment to determine whether the disclosure is in the best
    interests of the patient; or
    b. only notifies the family members or friends with respect to a patient’s location, condition or death. (Example: It is acceptable to notify an adult child that their
    parent has been sent to the emergency room from the dialysis unit)

Appointment Reminders or Calling a Patient’s Home:
Leaving messages for patients should have the same considerations as verbal communications in that you must have the patient’s permission to leave verbal communications with family members, friends or on an answering machine. Without permission, leave a name and telephone number only when calling a patient.

Other Considerations in Verbal Communications with family and friends:
1. Verbal communications with family and friends under the above conditions do not require clinics to document such disclosures.
2. Clinics are not required to verify the identity of relatives or other individuals involved in the care. The patient’s voluntary involvement or inclusion of the family member or friend is sufficient.
3. Disclose only the protected health information that is directly relevant to the family member or friend’s involvement with the patient.
4. Use professional judgment when disclosing health information if it is suspected that a patient is a victim of domestic violence and that a person seeking information about the patient may have abused the patient. If it is believed the information could cause the patient harm, the information is not required to be disclosed.
5. Verbal consent is sufficient for the purposes of disclosure of verbal communication to family and friends.

Written Communications
Written communications that identify an individual and is used in the care of the patient, other than the medical record, that are protected include but are not limited to:
1. sign-In sheets if they have any information on them other than the patient’s name;
2. posting on chalk boards/white boards/bulletin boards with any individually
identifiable PHI including patient names;
3. appointment reminders for patients;
4. patient schedules; and
5. copies of PHI made at the photocopy machine.

Electronic PHI
PHI stored or transmitted electronically will be protected to the same extent as PHI in verbal or written form. The Privacy Rule makes no distinction between any information to be protected except for psychotherapy notes. Electronic safeguards that will be in effect in regard to PHI stored or transmitted electronically are as follows:
1. Music City Kidney Care Alliance workforce will have an individual user ID and a confidential personal password to log on to computers, portals and to the electronic patient information.
2. These passwords shall be treated as confidential and will not be shared with others, including other members of the Music City Kidney Care Alliance workforce, family or friends.

Reference: U.S. Department of Health and Human Services Office for Civil Rights, Standards for Privacy of Individually Identifiable Health
Information 45 CFR Parts 160 and 164, August 14, 2002, Sections 164.522, 164.502A, 164.530C, 164.522B, 164.501, 164.510B,
164.502H
Medicare Interpretive Guidelines V245, V246
Policy and Security Policies and Procedures: A Resource Document DRAFT Version 1.0. Workgroup for Electronic Data
Interchange.

PROCEDURE NO: 203

ISSUED BY: Compliance Officer

DATE ISSUED:

Accounting of Disclosure of PHI
PURPOSE:
To provide the patient with an accounting of disclosures of their protected health information (PHI) for Music City Kidney Care Alliance locations.

SUPPORTIVE DATA:
HIPAA Privacy regulations give an individual the right, with certain exceptions, to get an accounting of disclosures of his PHI made by a health care organization. This means that the Music City Kidney Care Alliance location is required to track any disclosures of PHI made other than treatment, payment, and health care operations in the event this information is requested.

POLICY:
An individual patient has the right to request an accounting of all disclosures of his/her PHI if a disclosure was for a purpose other than treatment, payment, and health care operations.

Exceptions:
Disclosures for the purposes of treatment, payment or health care operations are excluded from the tracking and accounting requirements. Other disclosures that are excluded are disclosures made:
1. prior to the date of the rule,
2. to law officials or correctional institutions,
3. for facility directories,
4. to the individual,
5. for national security or intelligence purposes,
6. to person’s involved in the patient’s care, or
7. after an authorization has already been signed by the patient.

Temporary Suspension of the Right to Accounting
A temporary suspension of the right to accounting of disclosures is allowed for health care oversight agencies or law enforcement officials under these conditions:
1. The agency or official must submit to the clinic a statement that indicates that the accounting of disclosure will impede an investigation that involves the individual in question.
2. The statement must include a time frame for the exclusion period.
3. The statement may be oral, but in that case the temporary suspension is limited to 30 days unless appropriate written documentation is submitted within 30 days.
4. Although the accounting is not being released during this time, tracking should continue for future release.

Time:
1. Patient’s may request an accounting of disclosures for a period of up to 6 (six) years prior to the date of the request.
2. Patient’s may actually request an accounting for a shorter period of time, such as one year.
3. Disclosures made prior to the compliance date of the Privacy Rule, April 2003, are excluded from this requirement.

Requirements for Accounting:
1. All accounting of disclosure of PHI will be tracked by the Music City Kidney Care Alliance Compliance Officer.
2. The following items will be recorded on each disclosure:
a. date of the disclosure,
b. patient Name addressed in the disclosure,
c. recipient of Information,
d. address of the recipient,
e. description of the records sent,
f. reason for the disclosure,
g. category of disclosure, and
h. person who released the disclosure.
3. Recurring disclosures to the same individuals that have a regular interval or an authorization with multiple disclosures may have a summary entry.
4. The summary entry requires all information as described above for the first
disclosure, plus an indication of periodic interval (monthly, weekly, etc) and the date
of last disclosure.

Cost
The Music City Kidney Care Alliance Compliance Officer will determine if a cost will be charged for the reproduction of medical records as based on state laws.

Documentation of Accounting
Music City Kidney Care Alliance is required to document and retain the documentation of the accounting of disclosures given to patients. Music City Kidney Care Alliance will meet this requirement by:
1. having the patient sign and date a document as confirmation receipt of the accounting;
2. including a copy of the accounting of disclosures in the patient’s medical record; and
3. including the name and title of the Music City Kidney Care Alliance workforce giving the patient the accounting.

Reference: U.S. Department of Health and Human Services Office for Civil Rights, Standards for Privacy of Individually Identifiable Health Information 45 CFR Parts 160 and 164, August 14, 2002, Sections 164.528A, 164.528B, 164.528C

PROCEDURE NO: 204

ISSUED BY: Compliance Officer

DATE ISSUED:

Minimum Necessary
PURPOSE:
Ensure access to, request for, or the use and disclosure of a patient’s Protected Health Information (PHI) is based on a minimum necessary standard.

SUPPORTIVE DATA:
The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule’s requirement for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.

POLICY:
Minimum Necessary Standard
When disclosing Protected Health Information (PHI), reasonable efforts must be made to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure, or request.

  1. The minimum necessary standard does not apply the following:
    • Disclosure to or requests by a health care provider for treatment purposes.
    • Disclosure to the individual who is the subject of the information.
    • Uses or disclosure made pursuant to an individual’s authorization.
    • Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
    • Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
    • Uses of disclosures that are required by other law.
  2. The minimum necessary standard does apply the following:
    • Uses and disclosures for payment and health care operations.
    • All other uses, disclosures, and request of individually identifiable information.

Relationship between the Minimum Necessary Standard and Workforce Roles:
Music City Kidney Care Alliance workforce is defined as Contractors, Managers and Members and other persons whose conduct, in the performance of work with Music City Kidney Care Alliance is under the direct control of the Music City Kidney Care Alliance whether or not they are paid.

Limits of Access:
Music City Kidney Care Alliance shall put in place reasonable processes to limit the electronic access of personnel who are permitted to access PHI to that PHI which is necessary to perform their job functions.

Reliance on Position of Status of Requestor:
If it is reasonable under the circumstances, then Music City Kidney Care Alliance is permitted to rely on a request from one of the requestors named below as establishing the minimum necessary PHI that must be disclosed:
a. Public officials who are requesting PHI in accordance with the requirement of 45
CFR § 164.512 for the performance of public health, health oversight, law enforcement, or specialized government functions, if the public official represents that the information requested is the minimum amount necessary to perform the function.
b. Another Covered Entity
c. A professional who is a member of the workforce of the Covered Entity of a
Business Associate of the Cover Entity, and who is requesting the information to provide professional services to the Covered Entity, providing the professional represents that the information requested is the minimum necessary to perform the function.

Music City Kidney Care Alliance Workforce PHI to be Accessed Conditions of Access
Music City Kidney Care Alliance Contractors, Managers and/or Members shall have access to the entire electronic record of patient’s that there is a direct, or indirect association through care.

Disclosures To and Authorizations From Patients
There is not a requirement to limit the minimum necessary disclosures of PHI to a patient who is the subject of the PHI. Disclosures authorized by the patient (pursuant to a valid authorization) are exempt from the minimum necessary requirements. Authorizations meeting the requirements received from third parties directing to release PHI is not subject to the minimum necessary standard.

Requests for PHI
Limit a request to only the reasonably necessary information when requesting PHI from another healthcare provider or health plan, or clearinghouse on a routine or recurring basis.

Reference: U.S. Department of Health and Human Services Office for Civil Rights, Standards for Privacy of Individually Identifiable Health Information 45 CFR Parts 164.502(b) and 164.514(d)

Leave a Reply