
Compliance at the Workplace: Lesson

January 6, 2019

What is Compliance?

Compliance is defined as the act of conforming, acquiescing, or yielding: a state of being in accordance with established guidelines or specifications. In the workplace, compliance means that an organization abides by both industry regulations and government legislation, including state and federal laws. Compliance program efforts are designed to establish a culture within healthcare facilities that promotes the prevention, detection, and resolution of conduct that does not conform to federal and state laws or to the hospital’s ethical and business standards as set out in its policies and procedures. Compliance is a prevalent business concern for healthcare organizations in the US because an ever-increasing number of regulations requires them to maintain a full understanding of their regulatory obligations. The goal of a compliance program is to ensure that a health care facility operates in accordance with laws and regulations. Regulatory compliance is an organization’s adherence to the laws, regulations, guidelines, and specifications relevant to its business; noncompliance often results in violations that are punishable and can lead to federal fines.

Learning Objectives and Purpose

After finishing this course, CNAs will be able to:

  • Define regulatory compliance
  • Discuss the goals of compliance programs
  • Understand their role in compliance and in behaving ethically
  • Identify and report compliance violations
  • Handle compliance questions and concerns


What is an effective compliance program?

The Centers for Medicare & Medicaid Services (CMS) requires that health care organizations offering or participating in Medicare Parts C and D plans implement and maintain an effective compliance program. An effective program should give employees several avenues for reporting compliance concerns.

An effective compliance program should:

  • Articulate and demonstrate an organization’s commitment to legal and ethical conduct.
  • Provide guidance on how to handle compliance questions and concerns.
  • Provide guidance on how to identify and report compliance violations.

An effective compliance program fosters a culture of compliance, ethics, and integrity within an organization and, at a minimum:

  • Prevents, detects, and corrects non-compliance
  • Is fully implemented and is tailored to an organization’s unique operations and circumstances
  • Has adequate resources
  • Promotes the organization’s standard of conduct
  • Establishes clear lines of communication for reporting non-compliance.

An effective compliance program is essential to prevent, detect, and correct Medicare non-compliance as well as fraud, waste, and abuse.



CMS requires that an effective compliance program include the following seven core elements.

  1. Written Policies, Procedures, and Standards of Conduct

These articulate the facility’s commitment to comply with all applicable federal and state standards and describe compliance expectations according to the Principles of Responsibility.

  2. Compliance Officer, Compliance Committee, and High-Level Oversight

Health Care Facilities must designate a compliance officer and a compliance committee that are accountable and responsible for the activities and status of the compliance program, including issues identified, investigated, and resolved by the program. Senior management must be engaged and exercise reasonable oversight of the compliance program.

  3. Effective Training and Education

Training covers the elements of the compliance plan as well as the prevention, detection, and reporting of fraud, waste, and abuse. It should be tailored to the different responsibilities and job functions of employees.

  4. Effective Lines of Communication

Health Care Facilities must establish effective lines of communication that are accessible to all employees. These lines must ensure confidentiality and provide methods for anonymous and good-faith reporting of compliance issues without fear of retaliation.

  5. Well-Publicized Disciplinary Standards

Health Care Facilities must enforce standards through well-publicized disciplinary guidelines.

  6. Effective System for Routine Monitoring, Auditing, and Identifying Compliance Risks

Health Care Facilities must conduct routine self-monitoring and auditing of their operations to evaluate compliance with CMS requirements, as well as the overall effectiveness of the compliance program.

  7. Procedures and System for Prompt Response to Compliance Issues

Health Care Facilities must respond promptly to detected non-compliance, undertake appropriate corrective action, and apply disciplinary measures to employees who do not comply with the program.



As an employee, how do you know what’s expected of you in a specific situation?

Every employee should be familiar with their facility’s Principles of Responsibility, which explain the expectations of the employee code of conduct. The Principles of Responsibility present compliance expectations and the principles and values by which the facility operates. Every employee has a responsibility to report violations and suspected non-compliance. The Principles of Responsibility should also explain how to report suspected non-compliance in each individual facility.

Every employee must conduct him or herself in an ethical and legal manner. This is simply about doing the right thing. All employees must:

  • Act fairly and honestly.
  • Adhere to high ethical standards at the workplace.
  • Comply with all applicable laws, regulations, and CMS requirements.
  • Report suspected violations.

Ethics: Do the Right Thing!



The Principles of Responsibility are the formal code of conduct established by a Health Care Facility that all employees are expected to adhere to. The Principles of Responsibility should emphasize the importance of honesty, integrity, and ethical behavior at the workplace.

What is the role of the Principles of Responsibility?

The Principles of Responsibility provide guidance across ten sections.

  1. Do the Right Thing
  2. Respect Confidentiality, Privacy, and Security. This section focuses on complying with and meeting confidentiality, privacy, and security laws, regulations, and expectations.
  3. Focus Resources on Member and Patient Care. This section focuses on fraud, waste, and abuse prevention and detection.
  4. Support Community Involvement
  5. Protect the Facility’s Assets and Information
  6. Protect the Health Care Facility’s Reputation
  7. Treat One Another with Dignity and Respect. This section focuses on the work environment at the facility: diversity, workplace safety, environmental sustainability, fostering a harassment-free environment, and non-retaliation principles. The facility should not tolerate intimidation, retaliation, or harassment, should focus on workplace safety, and should encourage employees to report work-related injuries and environmental hazards.
  8. Avoid Conflicts of Interest
  9. Meet Government Expectations and Cooperate with Government Inquiries
  10. Speak Up if You Have Any Questions or Concerns. Employees should feel free to speak up. A good compliance reporting process establishes guidelines that include a non-retaliation policy and the ability to report anonymously to an established Compliance Hotline. Employees must be able to report potential compliance issues to, or discuss questions with, their immediate supervisor, HR, the compliance officer, or a union steward or representative if the company has one.


How can Nurse Assistants use the Principles of Responsibility?

Nurse Assistants must use the Principles of Responsibility as a guide to ensure that compliance is integrated into the work they do every day caring for patients at the bedside. The Principles of Responsibility apply to all employees, including Nurse Assistants. They are our rules of the road. Nurse Assistants should refer to the Principles of Responsibility whenever they need guidance on what’s appropriate at work or when their instincts say something’s not quite right.

Non-compliance for Health Care Facilities

Non-compliance is conduct that doesn’t conform to the law, federal health care program requirements, or an organization’s ethical and business policies. All Health Care Facilities are mandated to be compliant with CMS guidelines and must establish programs to prevent, detect, and correct non-compliance. Failure to follow Medicare program requirements and CMS guidance can lead to serious consequences including:

  • Termination of the facility’s CMS contract
  • Criminal penalties
  • Exclusion from participation in all federal health care programs
  • Civil monetary penalties


Non-compliance for employees

Health Care Facilities must have disciplinary standards for non-compliant behavior. As a Nurse Assistant, every action you take potentially affects you, your co-workers, your patients, and your employer’s reputation. When you follow your facility’s compliance standards, you provide better quality care, protect your patients, your colleagues, your job, and your employer’s name. Employees who engage in non-compliant behavior may be subject to mandatory training or re-training, disciplinary action, termination and/or license loss. Disciplinary action will vary from facility to facility. For example, if an employee backdates a document, a manager can determine the level of discipline necessary.

Reporting Compliance Concerns

Compliance issues involve the laws, regulations, and policies that direct how employees must provide services at the workplace. When issues go unresolved, they can affect an employee’s work performance, his or her relationships with co-workers, and his or her ability to provide outstanding care to patients. Ultimately, everyone can suffer. Your goal as an employee should be to resolve the issue efficiently before it escalates and causes harm. Your supervisor (charge nurse) or another local manager is usually the best resource to contact with your compliance concerns. He or she will understand the situation and be able to address it effectively. If you’re new to the organization, ask your manager or supervisor whom you should contact if he or she isn’t available.

Your local compliance officer or hospital compliance officer is a resource for more complex issues and concerns, for example when your concern involves your immediate supervisor. To locate your local compliance resource, consult Human Resources or ask your manager to introduce you. Some facilities have an established Compliance Hotline that employees can use to report non-compliance anonymously. Remember, if you report a regulatory compliance or fraud issue in good faith, you are protected from retaliation. Your input is important to your organization, and you can report confidentially and anonymously through the Compliance Hotline if your organization has one. Health care facility employees are covered by the whistleblower protections in the federal False Claims Act and other federal and state whistleblower laws.


What is HIPAA (Health Insurance Portability and Accountability Act)?

HIPAA is a federal law that protects and enhances the rights of consumers by providing access to their health information and preventing inappropriate use of that information. HIPAA privacy regulations require every Health Care Facility to provide its members and patients with a Notice of Privacy Practices (NPP). HIPAA created greater access to health care insurance, protection of privacy of health care data, and promoted standardization and efficiency in the health care industry.

HIPAA safeguards help prevent unauthorized access to protected health information. As a Nurse Assistant, you will have access to protected health information, and you must comply with HIPAA. For more information, visit http://www.hhs.gov/ocr/privacy on the Internet.

Damages and Penalties

Violations may result in Civil Monetary Penalties. In some cases, criminal penalties may apply.


A former hospital employee pleaded guilty to criminal HIPAA charges after obtaining protected health information with the intent to use it for personal gain. He was sentenced to 12 months and 1 day in prison.

The NPP (Notice of Privacy Practices) describes how health plan, medical, and dental health information may be used and disclosed, and how members and patients can get access to their own information. Health Care Facilities have a responsibility not only to protect the privacy of protected health information (PHI), but also to inform patients about their rights and the facility’s legal duties with respect to their PHI, and to notify them if there is a breach of their PHI.

As a Nurse Assistant, you should be aware of the risks to confidential information and adopt measures to minimize them. You should keep areas that contain medical records or other confidential information secured at all times.

To minimize risk:

  • If you don’t have a job-related reason to enter a secure area, don’t enter.
  • If you see the door open to a secure area, close it and report it to your supervisor.
  • If an unauthorized person is in a secure area, approach them and offer help.
  • If you unlock something, lock it when you’re finished with your task.


Personal Computers and Laptops

Workstations are high-risk areas when it comes to confidential information. Others shouldn’t be able to see the information on your monitor while you’re working. As a Nurse Assistant, there are things you can do to minimize the risks and protect confidential information.

To minimize risk:

  • Lock your computer screen when you’re away from your workstation.
  • Use a privacy screen on your computer if it’s in view of other people.
  • Secure documents and approved electronic media (DVDs, CDs, thumb drives, etc.) in a locked drawer when not in use.
  • Don’t let anyone use your user ID and password, and don’t use anyone else’s; anything done under your login is attributed to you.


Shared Resources

Fax machines, printers, filing cabinets, and photocopiers pose a risk to confidential information. In these busy environments, it’s easy for someone to pick up a document they were not intended to see.

To minimize risk:

  • When you fax patient information, double-check the recipient’s number.
  • Use a cover sheet that contains a confidentiality statement.
  • Take your master copies with you after copying them.
  • Promptly pick up faxes and copies from the tray.

Shared Confidential Information

HIPAA minimum necessary requirements state that when you access, use, or disclose PHI, only access, use, or disclose the minimum necessary information to accomplish the intended purpose.

To minimize risk:

When working with confidential information, determine the least amount you need, and work with that. If you’re unsure, check with your supervisor or manager. Also, purge copies of unneeded sensitive information when done by putting them into a shredder.


Information disposal

Be sure to dispose of confidential information properly.

To minimize risk:

  • Follow national, regional, and local policies to dispose of both paper and electronic confidential information.
  • Use designated document destruction bins to dispose of PHI in paper form and other confidential information.
  • If you discover confidential information where it shouldn’t be, report the incident to your supervisor immediately.
  • Don’t use paper from the workplace, printed PHI, or confidential information to make scrap paper or confetti.


What is considered confidential information?

Confidential information (oral, written, or electronic) includes protected health information (PHI), personal information in any format, and payment card information.


Protected Health Information (PHI)

For information to be considered PHI, it must meet all of the following conditions:

  1. The information is created, received, or maintained by a health care provider, health plan, or other HIPAA covered entity.
  2. The information is related to health care or payment for that health care.
  3. The information identifies a member or patient, or there is enough information to be able to identify the individual.


Personal Information

Personal information is any information about an individual maintained by an organization, including any information that can be used to distinguish or trace an individual’s identity. Personal information can include PHI but is also more broadly defined.

Employment-related personal information is personal information when used for any employer human resources purpose such as recruitment, compensation, benefit management, or performance management.

Some states, including California, require notification to regulators and affected individuals when their sensitive personal (non-PHI) information is compromised.


Why should I protect confidential information?

As a Nurse Assistant, you can make a difference. By minimizing privacy risks, you can keep confidential information safe. If in doubt of what you should do, your manager and your compliance officer are there to help. By doing your part to minimize risk in your work environment and reporting when things aren’t right, you can help avoid costly incidents.



What is phishing?

Most Nurse Assistants will have access to a company email account for work communication. As a Nurse Assistant, you must be aware that cyber-attacks against health care organizations are on the rise. The most commonly used attack, and the one with the highest rate of success, arrives disguised as a well-constructed email.

This technique is called “phishing”. It is intended to bait a person into clicking a malicious link or opening a malicious attachment and giving up personal or financial information, including login credentials. Clicking a link can also download “ransomware”, malicious software that encrypts files so they cannot be accessed until a ransom is paid. A successful attack can lead to network breaches, loss of sensitive data, or even a halt to online operations.

As a CNA, you can follow these steps to help identify an unsafe email:

  1. Look for the IT warning. Many organizations add a banner to messages that come from outside the organization; treat a message that claims to be from a co-worker or department but carries this banner with suspicion.
  2. Roll over the sender’s name. Hovering over (or clicking) the display name reveals the actual email address behind it, which may be on a domain unrelated to your facility.
  3. Roll over the link to see the destination URL. The text of a link can say anything; the address shown when you hover is where you will really be taken. If it does not match, or you are unsure, do not click. Report the message to your IT or security department rather than replying to it.
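The second and third steps above can also be checked automatically. The following Python script is an added example written for this page, not part of the original lesson or of any facility’s software. It parses a raw email, compares the address claimed in the From display name with the address that really sent the message, and compares the domain shown in each link’s visible text with the domain in the link’s actual href, which is what hovering over a link reveals by hand. Both sample messages are constructed and use placeholder domains (hospital-example.org, example.net); the registered-domain helper is a deliberate simplification, and a production tool would use the Public Suffix List.

```python
"""Flag two classic phishing tells in an email: a From display name that claims
a different address than the one actually sending, and links whose visible text
points somewhere other than the real href."""
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real email); all domains are placeholders.
PHISHING_EMAIL = """\
From: "HR Department <hr@hospital-example.org>" <alerts@mail-verify.example.net>
To: cna@hospital-example.org
Subject: Action required: re-validate your badge
Content-Type: text/html; charset="utf-8"

<html><body><p>Your credentials expire today. Please visit
<a href="http://hospital-example.org.login-portal.example.net/verify">https://hospital-example.org/verify</a>
now, or review the <a href="https://hospital-example.org/policies">compliance policies</a>.</p>
</body></html>
"""

BENIGN_EMAIL = """\
From: "HR Department" <hr@hospital-example.org>
To: cna@hospital-example.org
Subject: Updated badge policy
Content-Type: text/html; charset="utf-8"

<html><body><p>The updated policy is at
<a href="https://hospital-example.org/policies">https://hospital-example.org/policies</a>.</p>
</body></html>
"""

# An address-like token; group 1 captures its domain.
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# Visible link text that a reader would take for a URL or hostname.
URL_TEXT_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$")


def registered_domain(host):
    """Last two labels of a hostname. Simplification: real code should use the
    Public Suffix List so that names such as 'x.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header):
    """'Roll over the sender's name': does the display name claim an address on a
    different domain than the address that really sent the message?"""
    name, addr = email.utils.parseaddr(from_header)
    real_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = ADDR_RE.search(name)
    if claimed and registered_domain(claimed.group(1)) != registered_domain(real_domain):
        return [f"sender display name claims {claimed.group(0)} but mail is from {addr}"]
    return []


def check_links(html_body):
    """'Roll over the link': for each link whose visible text looks like a URL,
    compare the domain the reader sees with the domain the href really goes to."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not URL_TEXT_RE.match(text):
            continue  # plain-word link text makes no claim about the destination
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        target = urlparse(href).hostname or ""
        if registered_domain(shown) != registered_domain(target):
            findings.append(f"link text shows {shown} but goes to {target}")
    return findings


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means no tells found."""
    msg = email.message_from_string(raw_message)
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return check_sender(msg.get("From", "")) + check_links(body)


if __name__ == "__main__":
    for label, raw in (("phishing sample", PHISHING_EMAIL), ("benign sample", BENIGN_EMAIL)):
        print(label, "->", analyze(raw) or ["no tells found"])
```

Running the script prints the findings for each sample: the phishing sample yields two tells (a display name claiming hr@hospital-example.org on a message sent from example.net, and a link that displays hospital-example.org but goes to example.net), and the benign sample yields none. The checks are heuristics; a message that passes both can still be malicious, so the advice above to report anything doubtful still applies.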



Fraud is knowingly and willfully executing, or attempting to execute, a scheme or artifice to defraud any health care benefit program, or to obtain, by means of false or fraudulent pretenses, representations, or promises, any of the money or property owned by, or under the custody or control of, any health care benefit program.

Examples of fraud include:

  • Knowingly billing for services not furnished or supplies not provided, including billing Medicare for appointments that the patient failed to keep
  • Billing for non-existent prescriptions
  • Knowingly altering claim forms, medical records, or receipts to receive a higher payment.



Waste is the extravagant, careless, or needless use of company or government funds. Waste includes overusing services or other practices that result in unnecessary costs to the company (or the government). Waste is generally not associated with criminally negligent actions but rather with simple carelessness.



Abuse includes actions that may, directly or indirectly, result in unnecessary costs to a company (or the government). Abuse involves payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment.


Nurse Assistant’s responsibilities

As a Nurse Assistant, you play a vital part in preventing, detecting, and reporting potential fraud, waste, and abuse.

  1. You must comply with all applicable statutory, regulatory, and other government requirements.
  2. You have a duty to the government to report any compliance concerns, and suspected or actual violations that you may be aware of.
  3. You have a duty to follow the Principles of Responsibility.
  4. You have a duty to stay informed about policies and procedures in your company.



What are some guidelines to follow to prevent fraud, waste, and abuse?

  • Look for suspicious activity.
  • Conduct yourself in an ethical manner.
  • Ensure accurate and timely data
  • Coordinate with other payers, if applicable.
  • Keep up-to-date with policies and procedures, the Principles of Responsibility, laws, regulations, and CMS guidance.
  • Verify all information provided to you.

Who should report fraud, waste, and abuse?

Everyone must report suspected instances of fraud, waste, and abuse. The Principles of Responsibility clearly state this obligation. Federal law prohibits your company from retaliating against you for reporting in good faith.

Don’t be concerned about whether it’s fraud, waste, or abuse. Just report any concerns to your compliance department. It is the responsibility of the compliance department to investigate and make the proper determination.



What does it mean to do the right thing?

Know the Rules of the Road

Know your job’s scope and limitations, and follow the rules of the road — the Principles of Responsibility and your company’s policies and procedures. Stay informed about new or modified policies and procedures. Work with your manager if there are policy changes or a change to your job role as a Nurse Assistant.

Know the Road Hazards

Be prepared by knowing the risks in your work environment, such as physical safety risks, privacy and security risks, and fraud, waste, and abuse risks. Your awareness will help in detection and reporting.


Check your work. Take personal accountability and ownership by following the established work process and doing your job well. Before exchanging information, such as sending an email or handing discharge paperwork to a patient, be sure the information will go to the intended recipient. If you work with PHI, make sure you access, use, and disclose it appropriately. For example, when you print anything that has patient information, go to the printer and pick it up right away.


Speak up! Report fraud, waste, abuse, and any other compliance concerns that you encounter. Remember, you have several options for reporting compliance concerns. Know your compliance resources; if you need to report something, knowing who to report to will save you time and effort. Report a compliance concern to local management whenever possible. Check with your company to see if a Compliance hotline is available where you can also report anonymously.


What are the minimum necessary principles for using confidential information? (HIPAA)

Follow minimum necessary principles for using confidential information:

  • If you don’t need confidential information to complete a task, don’t access it.
  • If specific information is requested, such as a list of specific patients or a person’s name, send only that.
  • If you need to reply to or forward an email or text message, remove all non-essential PHI from the message before you send it.



What information should I include in a compliance report?

When reporting concerns, having complete information will make it easier for your manager or compliance officer to evaluate the situation and take immediate action.

At a minimum, be prepared to answer the five W’s:

  • Who’s involved?
  • What happened?
  • When did it happen?
  • Where did it happen?
  • Why did it happen?

If you don’t have all of the information, report as much as you can.


Should I have a compliance conversation with my supervisor?

Unfortunately, this course cannot anticipate every compliance-related situation you may face at your workplace. That is why it is important to have a conversation with your supervisor about your compliance accountabilities. Remember, policies and procedures vary from one institution to another, and every employee must be familiar with his or her company’s current policies and procedures. Having a compliance conversation now will make you aware of your principles and responsibilities and of the information you need to meet your compliance expectations. It is also the surest way to keep your job.