Corporate Compliance Program
Corporate Commitment
The Arc New York, New York City Chapter (d/b/a AHRC, New York City) is committed to establishing and maintaining the highest standards of ethical conduct related to its business and operational practices. These practices include billing and payment operations, governance, mandatory reporting, credentialing and other risk areas identified by the agency. AHRC NYC is also committed to promoting communication practices that are open, honest, direct, constructive and positive and believes that when these practices are in place our compliance program is strong.
AHRC NYC has established a Corporate Compliance Program that serves as the basis on which a strong, ethical corporate culture of compliance to laws and regulations rests. This program is outlined in this document and in the AHRC NYC Policy and Procedure Manual, and is embodied in the AHRC NYC Code of Conduct, which must be reviewed and signed by all AHRC NYC employees and the board of directors on an annual basis.
This Corporate Compliance Program is established for the entire AHRC NYC organization, including its employees, contractors, agents, affiliates, the Board of Directors and certain volunteers. This Corporate Compliance Program will benefit not only the members of the AHRC NYC community, but those governmental and private agencies doing business with AHRC NYC, as well as the general public.
AHRC NYC’s Chief Executive Officer (CEO), Chief Legal Officer (CLO) and Vice President, Corporate Compliance (VPCC), the organization’s Corporate Compliance Committee and the Board Committee on Compliance and Ethics make every effort to establish and implement systems which enhance each employee’s ability to understand and adhere to the complex laws and regulations that govern our business. The VPCC reports to the Chief of Staff (COS) and has unimpeded access to the CEO and Board of Directors, works in concert with the CLO and provides the CEO with regular updates on compliance activities. In addition, the VPCC reports to the Board of Directors regularly through the Board Committee on Compliance and Ethics, and at least annually to AHRC NYC’s Board of Directors.
General Expectations
AHRC NYC strives to ensure that all aspects of care of people supported, as well as business conduct, are performed in compliance with its mission and vision statement as well as policies, procedures, standards and applicable governmental laws, rules and regulations. AHRC NYC expects all staff to adhere to the highest ethical standards and to promote ethical behavior. Anyone whose behavior is found to violate ethical standards may be subject to disciplinary actions.
Prevention of Fraud, Waste, and Abuse
It is the policy and practice of AHRC NYC to detect and prevent fraud, waste and abuse in all programs and services in accordance with the Federal False Claims Act (31 U.S.C. §§ 3729 – 3733), the Federal Program Fraud Civil Remedies Act (31 USC §§3801-3812), the New York State False Claims Act (State Finance Law §§187-194) and other New York State laws related to false statements or claims and employee protections against retaliation.
Accurate Claims Submission
AHRC NYC is committed to prompt, complete and accurate billing of all services. The organization and its employees, independent contractors and agents must not make or submit any false or misleading entries on any bills or claim forms. No employee, independent contractor or agent will engage in any such prohibited acts, even at the direction or suggestion of another person employed by AHRC NYC, including any manager.
The following policies in the AHRC NYC Policy & Procedure Manual relate to this section:
• Corporate Compliance Program Policy
• False Claims Act Policy
• Policy on Reporting Possible Compliance Violations, Whistleblower and Non-Retaliation
Responsibilities
Creating and maintaining a corporate culture of compliance and ethics is the responsibility of every person in the AHRC NYC workforce, volunteers and the Board of Directors. Specifically:
All personnel, Board members and certain volunteers are responsible for:
• Knowing and following the Compliance Program and related policies (e.g. Code of Conduct, Employee Handbook) and attending training regarding those policies;
• Reporting any violations of these policies as described in this Compliance Program;
• Cooperating in any investigations of reported violations; and
• Cooperating with any corrective actions taken to prevent future violations.
AHRC NYC managers, supervisors and executives are responsible for:
• Responding to reports of Compliance Program suspected violations effectively and in a timely manner, which includes mandatory notification to the VPCC;
• Ensuring that personnel within their scope of supervision are acting consistently within the scope of this Corporate Compliance Program;
• Monitoring potential compliance issues within the scope of their authority;
• Communicating to all staff under their supervision that they must comply with the provisions outlined in this Corporate Compliance Program;
• Encouraging open communication among those persons under their supervision regarding compliance with the organization’s policies;
• Ensuring that personnel under their supervision attend mandatory training on this Compliance Program and on other pertinent policies; and
• Addressing compliance issues in employee evaluations if these are a concern.
AHRC NYC’s Board of Directors is responsible for:
• Complying with the applicable AHRC NYC Code of Conduct and with Federal, State and local statutes and regulations that pertain to the duties and actions of Boards of Directors;
• Providing support and guidance to agency executives by exercising the proper amount of care in their governance process; this includes exercising general oversight with respect to corporate officers and conducting adequate follow-up inquiries into any circumstances and/or information that causes (or could cause) a significant compliance risk to the organization. The Board of Directors must conduct or cause to initiate an inquiry until such time as their concerns are satisfactorily addressed and favorably resolved; and
• Ensure that the Board’s Compliance and Ethics Committee is effectively engaged with management and the VPCC with respect to ongoing activities of the Corporate Compliance Program.
This Corporate Compliance Program is created in response to Federal and State laws (NY SSL 363-d subd. 2, and 18 NYCRR Section 521.3 (c)), and reflects the seven (7) mandated elements set forth in these laws.
The following policies in the AHRC NYC Policy & Procedure Manual relate to this section:
• Corporate Compliance Program Policy
• Policy on Compliance Education and Training.
Element One: Written standards, policies and procedures to prevent and detect criminal conduct and that describe compliance expectations embodied in a code of conduct.
AHRC NYC maintains written policies and procedures, both at the organization and department level, which outline all compliance expectations. The VPCC is responsible for monitoring and ensuring that the agency Policy & Procedure manual is kept up-to-date.
The AHRC NYC Policy and Procedure Manual, Employee Handbook, Human Resources Policies, Finance Department Policies, Information Privacy and Information Security Policies incorporate all mandatory requirements of a comprehensive compliance program. The organization communicates its code of conduct, compliance standards and policies through required training initiatives for all staff, certain volunteers and the Board of Directors. Independent contractors receive copies of the AHRC False Claims Act Policy which includes information about how to contact the VPCC to report potentially non-compliant activity as well as whistleblower protections against retaliation.
AHRC NYC has policies in place which address non-intimidation and non-retaliation for participating in the compliance program and/or reporting suspicion of non-compliant activities. In addition, as required by law, training on non-retaliation and non-intimidation is provided as part of the initial and annual Compliance and HIPAA training.
The False Claims Act (and all related state and local laws and regulations) prohibits discrimination by AHRC NYC against an employee, contractor or agent for taking lawful actions in furtherance of an action under the False Claims Act. Under the False Claims Act, any employee, contractor or agent who is discharged, demoted, harassed, or otherwise discriminated against because of lawful acts in furtherance of an action under the False Claims Act is entitled to all relief necessary to make the employee, contractor or agent whole. Moreover, we will not retaliate against any employee, volunteer, contractor or agent for reporting, or intimidate any employee, volunteer, contractor or agent into not reporting any potential compliance concern, to any government entity, as described in our anti-retaliation policy.
Whistleblower Protections
If an employee, volunteer, independent contractor, or employee of a vendor witnesses, learns of, or is asked to participate in potential non-compliant activities that are in violation of AHRC NYC Compliance requirements, the person must contact his/her immediate supervisor or the VPCC.
The identity of reporters will be safeguarded to the fullest extent possible and will be protected against intimidation into not reporting and retribution in accordance with state and federal whistleblower protections. Report of any suspected violation must not result in any retribution. Any intimidation of or threat of reprisal against a person who acts pursuant to his or her compliance responsibilities under the plan is acting against this compliance policy. Discipline, including termination of employment, will result if such intimidation or reprisal is proven.
The following policies in the AHRC NYC Policy & Procedure Manual relate to this section:
• Corporate Compliance Program Policy
• Policy on Reporting Possible Compliance Violations, Whistleblower, Non-Intimidation and Non-Retaliation
• Policy on Compliance Education and Training
• Corporate Compliance Program Policy
• False Claims Act Policy
• Documentation of Compliance Activities
Element Two: Designation of a corporate compliance officer, vested with the responsibility for the day-to-day operation of the compliance program.
Designation of a Vice President, Corporate Compliance
AHRC NYC will designate the Vice President, Corporate Compliance to serve as the corporate compliance officer and be responsible for the day-to-day operation of the Corporate Compliance Program and for fostering an environment of compliance. The VPCC oversees and monitors the development and implementation of the organization’s compliance policies, the achievement and maintenance of compliance standards, including audits, training, and the investigation and response to compliance complaints/reports. The VPCC reports to the Chief of Staff and has unimpeded access to report to the CEO and the Board of Directors. The VPCC oversees the activities of all compliance staff, either directly (corporate compliance staff) or indirectly (department compliance staff).
All program departments have a department compliance staff member who is responsible for compliance activities within their department. These department compliance staff members meet regularly with the VPCC and are dually supervised by the program department head and the VPCC.
The duties of the VPCC include, but are not limited to, the following:
• Develops and coordinates written policies and procedures regarding compliance issues.
• Develops and updates the organization’s policy and procedure manual, in coordination with other senior staff members.
• Serves as staff liaison to the AHRC NYC Board of Directors’ Compliance and Ethics Committee.
• Chairs the organization’s Corporate Compliance Committee.
• Oversees the ongoing internal auditing and monitoring of compliance with regulatory requirements, standards and policies, including documentation and billing of claims made to federal, state and private payers for reimbursement. Also assists with coordination of any external compliance and regulatory reviews.
• Coordinates the development of the Annual Risk Assessment and Compliance Plan.
• Reviews, acts upon, and documents any and all reported compliance issues, concerns, or questions.
• Ensures the provision of annual compliance training for all staff, managers, and members of the Board of Directors.
• Investigates other concerns as needed or when assigned by the Agency-Wide Corporate Compliance Committee; the Board of Directors or senior management.
• Coordinates and assists in any needed discipline or enforcement actions related to compliance.
• Maintains oversight of the agency Record Management Program with respect to record storage and retention.
• Ensures there are proper systems in place to refund any overpayments to Medicaid, Medicare and other payers, and to provide timely reporting of compliance matters and findings to the NYS DOH, CMS & the Office of the Medicaid Inspector General, as appropriate.
• Serves as the agency privacy officer and oversees the HIPAA/FERPA program.
Corporate Compliance Program
The agency-wide Corporate Compliance Committee is chaired by the VPCC. The full membership of the Corporate Compliance Committee may include, but not be limited to, the following:
• Department & Corporate Compliance staff
• CEO
• Chief of Staff
• Chief Program Officer
• Chief Financial Officer
• Chief Legal Officer
The committee shall meet on a schedule that meets the annual requirements set forth in Social Services law.
Compliance and Ethics Committee of the Board of Directors
The Board Compliance and Ethics Committee will meet no fewer than three times per year. The VPCC is the principal staff liaison to this committee. The Committee is chaired by a board member designated by the President of the Board of Directors. The role of the Compliance and Ethics Committee is included in the Bylaws of AHRC NYC and delineated in detail in the committee charter.
The following policies in the AHRC NYC Policy & Procedure Manual relate to this section:
• Corporate Compliance Program Policy
• Documentation of Compliance Activities
Element Three: Training and education of all affected people on compliance issues, expectations and the compliance program.
As part of the Corporate Compliance Program, all members of the AHRC NYC community (Board of Directors, staff, certain volunteers, and contractors) have unimpeded access to the Corporate Compliance Program, and information on all appropriate laws, rules, regulations, policies and procedures that affect each member’s actions on behalf of AHRC NYC. Regular and ongoing training is provided, as is information on any new developments relevant to the member’s actions on behalf of AHRC NYC.
The VPCC, in concert with Staff Training, is responsible for the development and provision of all compliance training.
The Board of Directors receives compliance training annually at one of its quarterly meetings and receives ongoing education through the Compliance and Ethics Committee of the Board.
As part of their initial orientation, all new employees receive a corporate compliance and HIPAA/FERPA training session by corporate and departmental compliance staff prior to starting work in their position.
All existing employees receive training on compliance, HIPAA & Code of Conduct at least annually. Participation in these training sessions is mandatory and is tracked by Staff Training, who in turn provide training reports to the VPCC.
Additional training sessions may be held at the request of the Board, the VPCC, CPO, CLO or the CEO as the need arises to address changes in compliance, state or federal laws and regulations, or because of a specific compliance matter.
Compliance training topics include, but are not limited to:
• Legal authority for compliance
• Prohibitions against submitting a claim for services when documentation of the service does not exist
• Duty to report non-compliant conduct
• Code of Conduct
• Introduction to the structure of and positions involved in compliance at the organization-wide and department level
• Internal communications channels (e.g., the compliance hotline, access to the VPCC and compliance staff, etc.)
• Organizational compliance requirements and procedures for reporting problems and concerns
• Individual accountability for reporting suspected non-compliance
• The False Claims Act
• Explanation of fraud, waste & abuse
• The non-retaliation and non-intimidation policy for reporting made in good faith, and whistle blower protections
• HIPAA/eHIPAA/FERPA and state privacy/confidentiality laws
• Requirements for billing and documentation of services, including a prohibition against signing for the work of another person and alterations to records
Finally, an annual Compliance & Ethics Awareness Campaign is conducted during the National Compliance & Ethics Awareness Week, the purpose of which is to raise awareness of AHRC NYC’s commitment to ethical behavior in the workplace and the AHRC NYC compliance hotline, and a reminder that all staff, volunteers and the Board of Directors are responsible for compliance and ethical behavior.
The following policies in the AHRC NYC Policy & Procedure Manual relate to this section:
• Policy on Compliance Education and Training
• HIPAA Training for Staff.
Element Four: Communication lines to the compliance officer which are accessible to all people associated with AHRC NYC to allow compliance issues to be reported.
The AHRC NYC Compliance Program includes communication lines to the VPCC that are accessible to all employees and people associated with AHRC NYC, including people supported and their families or advocates, staff, managers and Board of Directors members, to promote the reporting of compliance concerns. These lines include a mechanism for anonymous and confidential good faith reporting of potential compliance issues as they are identified. Employees and persons associated with AHRC NYC must report any observations of suspected fraud, waste or abuse to the VPCC, either directly through the hotline (or other communication, e.g., meetings) or through department compliance staff, department heads, a member of the Board of Directors, or a member of executive staff.
Allegations are reported to the VPCC who will inform the appropriate executive and, if necessary, the CEO. The VPCC will conduct or oversee a full review of the concern and will log the report of potential and actual wrongdoing and all actions taken in response.
The following policies in the AHRC NYC Policy & Procedure Manual relate to this section:
• Corporate Compliance Program Policy
• False Claims Act Policy
• Policy on Reporting Possible Compliance Violations, Whistleblower and Non-Retaliation
• Compliance Education & Training
Element Five: Employee incentives and disciplinary policies to encourage good faith participation in AHRC NYC’s Compliance Program.
AHRC NYC performs background checks on all potential workforce members, volunteers and board members to screen for any conduct inconsistent with an effective compliance & ethics program.
Disciplinary policies encourage good faith participation in the Compliance Program by all people associated with AHRC NYC. The policies include but are not limited to those that articulate expectations for reporting compliance issues and for assisting in their resolution.
Actions that could result in disciplinary action include, but are not limited to:
• Violating a law, regulation, accreditation standard or policy whether intentionally or unintentionally
• Failing to report suspected or observed wrongdoing
• Participating in wrongful conduct
• Encouraging, directing, facilitating, permitting or covering up wrongful conduct, either actively or passively, including willful neglect
• Coercing, intimidating or otherwise preventing or attempting to prevent another person from reporting suspected wrongdoing
• Directly or indirectly retaliating against a person who has reported wrongdoing or has participated in an investigation
• Refusing to participate in an investigation of a report of suspected wrongdoing
• Refusing or repeatedly failing to attend mandated compliance training
• Non-compliance with supervisory directives related to addressing compliance issues
Employees who fail to comply with AHRC NYC’s compliance policy standards, or who have engaged in conduct that has the potential of impacting AHRC NYC’s status as a reliable, honest and trustworthy service provider will be subject to disciplinary action, up to and including termination. Any disciplinary actions will be documented.
The following policies in the AHRC NYC Policy & Procedure Manual relate to this section:
• Corporate Compliance Program Policy
• Discipline Policy for Non-Compliant Behavior
• HIPAA Complaints & Breaches
Element Six: A system for routine identification of compliance risk areas, including monitoring and auditing to detect criminal conduct.
The following activities are conducted to ensure routine identification of compliance risk areas:
• Corporate compliance staff conduct ad hoc audits as requested by senior management or the VPCC, or when a significant issue is found that needs further investigation.
• Each department compliance personnel perform ongoing audits of their programs and reports any significant findings to the VPCC during their scheduled monthly meetings or as needed (department head, department compliance staff, and VPCC meet at least monthly).
• Each department completes an annual risk assessment which includes a review of the past year’s compliance activities and issues and from that generates a department compliance plan looking forward to the next year. This occurs in the fourth quarter of each calendar year and are provided to the VPCC no later than December 1st each year.
• The VPCC prepares an annual risk assessment and compliance plan which outlines risk areas and how they will be addressed in the coming year.
• The VPCC periodically evaluates the effectiveness of the agency’s Corporate Compliance Program.
The following policies in the AHRC NYC Policy & Procedure Manual relate to this section:
• Corporate Compliance Program Policy
• Policy on Auditing and Compliance Reviews
• Documentation of Compliance Activities
• Policy on Internal Investigations
Element Seven: System for responding to compliance issues when raised, for reporting, investigating and correcting problems
• All “out of compliance” findings, regardless of the origin, are followed up on. This may entail voids, disclosures, corrections, training and/or disciplinary actions for involved staff.
• AHRC NYC has a system in place whereby all compliance staff (corporate or department) fill out a Compliance Incident Form when a compliance-related potential incident or finding has occurred. This form is used to track the progress and final disposition of the incident.
• The VPCC ensures all matters are tracked.
• Investigations are conducted, if necessary, as assigned by the VPCC. Primarily either the corporate compliance or departmental compliance staff conducts the investigation under the auspices of the department head and the VPCC.
• In addition, AHRC NYC has a compliance hotline which is checked daily by the VPCC, AVP for Quality or designee. All calls are responded to within 24 hours either by the VPCC or the appropriate person in the HR or quality department, depending upon the nature of the concern. If the call indicates a potential compliance issue, it is treated the same way as any other potential compliance matter.
If criminal conduct is suspected, all reasonable steps are taken to appropriately respond, including consultation with the CLO, CEO and the authorities, to prevent further risk of criminal conduct, including making any necessary modifications to the agency’s Corporate Compliance Program.
The following policies in the AHRC NYC Policy & Procedure Manual relate to this section:
• Corporate Compliance Program Policy
• Policy on Internal Investigations
• Responding to Government Investigations
• Documentation of Compliance Activities
• Policy on Auditing and Compliance Reviews
Additional Responsibilities under the AHRC NYC Corporate Compliance Program
HIPAA/FERPA Compliance
It is the policy of AHRC NYC to ensure the privacy and security of the health and service information of each person who receives supports from AHRC NYC. To support this commitment, AHRC NYC ensures that the appropriate steps are taken to properly identify and secure each person’s protected health information, as required under the HIPAA/HITECH Privacy and Security rules, and other applicable federal, state, and local laws and regulations. Students in the education services run by AHRC NYC are covered by the Family Educational Rights and Privacy Act (FERPA).
The privacy officer for the agency is either the VPCC or a staff person qualified and designated by the Vice President, Corporate Compliance. For students, the privacy officer works closely with the Education Department compliance officer when reviewing privacy concerns for students in AHRC NYC education services.
The security officer for the agency is either the Associate Vice President for Information Technology or a staff person designated by the AVP of IT, in consultation with the VPCC and senior management. For students, the security officer works closely with the Education Department compliance officer when reviewing security concerns for students in AHRC NYC education services.
The VPCC has overall responsibility for the HIPAA/FERPA program at AHRC NYC.
AHRC NYC has outlined its entire HIPAA/FERPA program in a series of policies and procedures in the AHRC NYC Policy and Procedure Manual:
• HIPAA General Purpose, Scope and Identification of Protected Health Information
• HIPAA Privacy Officer Designation and Responsibility
• HIPAA Security Officer Designation and Responsibility
• HIPAA Training for Staff
• HIPAA Notice of Privacy Practices
• HIPAA Privacy Safeguards and Confidentiality
• HIPAA Use and Disclosure of Protected Health Information
• HIPAA Security Safeguards
• HIPAA Complaints and Breaches
• HIPAA Use of PHI for Marketing and Fundraising
• Interoffice Communication of the Confidential Information of People Supported
• Systems Access for Consultants and Temporary Employees
• Electronic Systems Usage
• Electronic Systems Security
• Electronic Systems Physical Security
• Electronic Systems Passwords
• Policy on Remote Access, EPHI and Student Records
• Use of Portable and Remote Computer Devices
• Internet and E-Mail Policies and Procedures
• Workplace E-Mail and Voicemail Etiquette
• Social Media Policy
• Portable Electronic Devices and EPHI Security
In addition, the Privacy and Security team meet quarterly to review issues and concerns with the Privacy and Security practices.
Record Management System
The AHRC NYC VPCC is responsible for the oversight and management of the agency’s Record Management System.
AHRC NYC requires each department to establish a policy, procedure and schedule (described below) for the retention and destruction of its paper records that is in accordance with local, state and federal regulations as well as the guidelines established by the AHRC NYC compliance department. At a minimum, each department’s schedule must contain the following information:
• Document name and/or number.
• Whether the document is confidential either by law, regulation, or agency directive.
• Period for which the document is to be maintained on-site.
• General location of onsite documents (e.g., Mayflower day program site, storage room).
• Period for which the document is to be maintained offsite at the designated AHRC NYC record storage company (if applicable).
• Total period the document is to be maintained.
All files maintained onsite must be placed in a commercial-grade cabinet, safe from water or any other potentially damaging elements. Confidential files containing Protected Health Information must be contained in locked file cabinets, desks, closets or file rooms (including mechanical keys, ID swipes or electronic keypad systems). AHRC NYC has controls in place through Administrative Services for mechanical and electronic access management.
AHRC NYC maintains a contract with an offsite document storage company, with oversight by the Vice President, Corporate Compliance. Documents must be stored based on each department’s Record Retention and Destruction Policy, Procedure and Schedule. Each department is responsible for maintaining a record of stored documents, date sent and storage tracking information.
At least once in a calendar year, each department will be responsible for the destruction of records in accordance with its Record Retention/Destruction Schedule. The documents must be destroyed in an appropriate manner, i.e., confidential records are shredded. Confidential records must be destroyed with knowledge by the department head or his/her designee. The department must retain documentation of each record destroyed and inform the VPCC or her/his designee.
The following policy in the AHRC NYC Policy & Procedure Manual relates to this section
• Policy on Record Retention and Destruction
Management of the AHRC NYC Policy and Procedure Manual
Agency-wide policies are included in AHRC’s Policy and Procedure Manual which is found on the Agency’s intranet portal. Department heads are responsible for ensuring that their staff adheres to all policies and procedures.
Creation of new agency-wide policies and modifications to old ones are overseen by the VPCC who ensures that all policies and procedures have undergone proper review and are in keeping with directions established by the CEO and the Board of Directors. The review and approval procedures are outlined in the AHRC NYC Policy and Procedure Manual.
As policies are revised and the Policy and Procedure Manual is updated, the previous versions of the policies are maintained by the senior policy consultant in a shared Policy Archive folder within the Administration/Compliance directory.
In addition, every policy in the Policy Manual must be reviewed by the content experts on a tri-annual basis. On an annual basis, the senior policy consultant will identify all agency policies which have not been reviewed and/or updated within the last 3 years. He/she will send copies of these policies each month to the content experts, e.g., the Finance Policies to the CFO, the HR policies to the Vice President of Workforce Development and Talent Acquisition, the Compliance Policies to the VPCC, etc. The content experts will be responsible for review and revision of each of these policies. The senior policy consultant will receive the revisions and will ensure that the revision or review date will be included in the policy header to ensure that the review process is documented.
The following policy in the AHRC NYC Policy & Procedure Manual relates to this section
• Policy on Policy Approval and Review