Title: Health Information Exchanges (HIEs): The Impact of HIPAA and the HITECH Act December 4, 2009
1. Health Information Exchanges (HIEs): The Impact of HIPAA and the HITECH Act
December 4, 2009
- Linda M. Kinney, MHA, Care Share Health Alliance
- Alicia Gilleskie, Esq., Smith, Anderson, Blount, Dorsett, Mitchell & Jernigan, L.L.P.
- David Kirby, KirbyIMC.com
- Dial 1-866-740-1260, Passcode 8618356
2. Webinar Logistics
- If you have problems accessing the audio or visual portion of this webinar, call 919-861-8355
- All lines will be muted during the presentation
- To ask a question during the Questions & Answers section:
  - Unmute: press 7
  - Mute: press 6
- Please provide us with feedback about the webinar by completing the post-webinar survey
3. Webinar Overview
- Introduction to Care Share Health Alliance: Linda Kinney
- Presentation: Alicia Gilleskie and Dave Kirby
  - Background on Health Information Exchanges, HIPAA and the HITECH Act
  - The Impact of HITECH on Health Information Exchanges
  - Risk management issues to consider
- Question & Answer Session moderated by Linda Kinney
4. Introduction
- Linda Kinney
5. What is Care Share Health Alliance?
- Care Share is an independent, statewide resource that brings people together to improve the health of low-income, uninsured persons.
- We do this by supporting the development of Collaborative Networks, building collaboration between providers and strengthening the safety net.
- We provide technical assistance around building collaboration, program development, capacity building, evaluation, business process assessment, and community-wide planning.
- For more information visit www.CareShareHealth.org
6. Collaborative Networks and Data Sharing
The goals of Collaborative Networks and collaboration between providers are to:
- Improve access and the delivery of services
- Reduce duplication
- Facilitate effective and efficient utilization of services
- Maintain quality of care
To do this effectively, collaborative partners must share information with each other, including electronic health information.
7. Presentation
- Alicia Gilleskie and Dave Kirby
8. Health Information Exchanges (HIEs): The Impact of HIPAA and the HITECH Act
- Presentation
  - Background on Health Information Exchanges, HIPAA and the HITECH Act
  - The Impact of HITECH on Health Information Exchanges
  - Risk management issues to consider
9. Health Information Exchanges (HIEs)
- What is a Health Information Exchange?
  - Improved Collaboration
  - Allows transparency for treatment, care coordination, quality assessment and improvement activities, such as case management, outcome evaluations, development of clinical guidelines
- Emerging HIEs in NC
  - NC is a pioneer state in HIE implementation
10. Health Information Technology for Economic and Clinical Health Act (HITECH)
- What is HITECH?
  - Enacted as part of the American Recovery and Reinvestment Act of 2009
  - Expansive changes to HIPAA aimed at encouraging the sharing of electronic health information
  - Provides funding assistance and incentives to encourage implementation of electronic health records (EHRs)
11. Key Traditional HIPAA Privacy/Security Elements Related to HIEs
12. The HIPAA Privacy Rule: key HIE elements
- Permission and requirements to disclose PHI
  - Uses and disclosures via an HIE are still covered under the Privacy Rule's set of permitted and required uses and disclosures. HITECH adds new requirements to disclose electronically to patients.
- Mitigation of Harm
  - Mitigating harm from an impermissible use/disclosure is still a requirement in effect, and it covers non-permitted disclosures/uses via an HIE. HIEs introduce more risk that, if not neutralized, will lead to more harm to be mitigated. The new Notice of Breach provisions in HITECH more specifically address one form of harm.
13. The HIPAA Privacy Rule: key HIE elements
- Accounting of disclosures
  - Providing an accounting of a limited list of disclosures (e.g. public health case reporting) to the patient upon request is still a requirement. A new HITECH element requires accounting of e-disclosures for treatment, payment and operations. Most HIE disclosures are likely to require an accounting. Some forms of HIEs do this automatically or avoid the need for accounting by being the patient's agent.
- Provision of designated record set to patients
  - This requirement is still in effect and is extended with a specific HITECH requirement to transmit ePHI to patients (likely via an HIE).
- Required public good disclosures (e.g. public health reportable conditions)
  - These disclosure requirements are still in effect, and some forms are required to be done electronically (likely via an HIE) under HITECH.
14. HIPAA Security Rule: key HIE elements
- Use of encryption on open networks
  - Most HIEs are designed to operate on open networks. This requirement in the Security Rule compels the use of encryption. New HITECH requirements make the use of encryption attractive for all PHI data flows and data stores, especially in HIEs.
- Audit log collection and use
  - This requirement is still present, and EHR interactions with HIEs will likely mean that more log collection and review will be needed to manage the increased risks to confidentiality.
15. HIPAA Security Rule: key HIE elements
- Security incident management
  - This requirement to report and respond to security incidents will be especially important in an HIE environment for reducing harm and maintaining public confidence in the HIE. There will likely be more occasions when many organizations will be involved in responding to one incident.
- Data integrity
  - This requires that there be protections against loss/corruption of PHI. This becomes more challenging in an HIE environment where new data arrives routinely from a variety of external sources.
- Data access management
  - This requirement to limit access is more challenging to meet in an HIE environment where there are more people with changing access rights over shorter periods of time. Person-oriented HIE models let patients define the rules for sharing across organizations.
16. HIPAA Security Rule: key HIE elements
- Contingency management
  - Availability of data in an HIE is critical and especially difficult for federated model HIEs (where the data is retained in the originating organizations). So, contingency management at provider sites (where the data will be until requested) will be harder and more important.
17. Other HIE-related laws
- NC State Law: Notice of breach (NC ITPA 2005)
  - This law would apply to breaches as part of typical HIE operations. One would expect more breaches in an active HIE. This applies to any business or government agency in NC, including ASP EHR operations, web-based PHR operators and HIE operators.
- Other special regulations covering drug and alcohol treatment records and mental health records (42 CFR Part 2), Red Flags, FERPA
  - These laws apply to an HIE environment when the contributing entities are covered. Observing each law in an entity-oriented HIE environment will require more work; somewhat less work in a person-oriented HIE (where the patient's agent is controlling the data).
18. A Sampling of HITECH Provisions and their Potential Effects on HIEs
19. HITECH Act
- Changes to HIPAA
  - Expanded Responsibilities and Liability for Business Associates
  - Breach Notification
  - Enforcement
  - Penalties
  - Restrictions
  - Accounting of Disclosures
  - Sale of PHI
- Meaningful use of EHR
- Will HITECH encourage or hinder the sharing of electronic health information?
20. Business Associates
- Definition of Business Associate (BA)
  - A person who, on behalf of a Covered Entity (CE), performs a function or activity involving the use or disclosure of PHI (excluding members of the CE's workforce).
- Business Associate Agreement (BAA)
  - Written contract with the CE governing the use and disclosure of PHI and protection of privacy rights
  - Includes certain specific provisions required under the HIPAA Privacy and Security Rules
21. Business Associates
- Contractors or other non-workforce members doing work for a CE where the work involves use/disclosure of Protected Health Information (PHI)
- A CE can be a business associate of another CE
- HITECH clarifies that organizations such as HIEs, Regional Health Information Organizations (RHIOs) and eRx gateways that provide data transmission of PHI and require routine access to PHI are BAs and must enter into BAAs with the CE
22. Expanded Role and Liability for Business Associates
- Explanation: Business Associate compliance with BAAs becomes a direct requirement of HIPAA. Expanded oversight role by Business Associates.
- Effective date: 2/17/2010
- Key Effects on HIEs: Non-compliance may constitute a direct violation of HIPAA and of the BAA, posing risk of double liability
23. HIPAA Security Rule Compliance
- Explanation: Today, BAs are contractually responsible for compliance with the "mini" HIPAA Security Rule. BAs become responsible for complying with the full HIPAA Security Rule.
- Effective date: 2/17/2010
- Key Effects on HIEs: All parties to an HIE (covered entities and business associates) may be bound by the HIPAA Security Rule Standards (required or addressable)
  - Administrative Safeguards
  - Physical Safeguards
  - Technical Safeguards
  - HIPAA Security Rule organizational requirements, policies, procedures and documentation requirements
24. Breach Notification
- Explanation: Breach notification provisions apply to CEs and BAs. A CE is obligated to notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of the breach. BAs are required to notify CEs following the BA's discovery of a breach of unsecured PHI.
- Key issues: what constitutes a "breach" and "unsecured PHI"
- Effective date (already past): 9/23/2009
- Key Effects on HIEs: Increased time spent by all parties analyzing whether the breach notice obligation is triggered and how to notify.
  - Upside for patient privacy
  - Downside for compliance coordination among parties
25. Breach Notification
- CE Notice Requirements
  - Recipients
    - Notify affected individuals whose PHI has been or is reasonably believed to have been breached
  - Timing
    - Without unreasonable delay, but in no event later than 60 days following discovery (unless it would impede a criminal investigation)
  - Content
    - What happened
    - Types of unsecured PHI involved
    - What the CE is doing to investigate the breach, mitigate harm and protect against further breaches
    - Contact procedures for affected individuals, including toll-free number, email address, website or postal address
26. Breach Notification under HITECH
- BA Notice Requirements
  - Recipients
    - Notify the CE to which the breached information relates
  - Timing
    - Without unreasonable delay, but no later than 60 days following the BA's discovery of the breach
  - Content
    - Identify affected individuals to the extent possible, and other information available to the BA
27. Enforcement
- February 17, 2009: State attorneys general authorized to bring civil actions to enforce HIPAA violations
  - Attorneys general bringing civil actions under HIPAA must give DHHS the opportunity to intervene
- February 17, 2010: HIPAA criminal enforcement provisions apply to individuals
  - Criminal fines and jail time for intentional violations
  - U.S. Department of Justice investigates and prosecutes criminal violations
- February 17, 2011: DHHS must formally investigate complaints where a preliminary investigation indicates a potential violation of HIPAA due to willful neglect
- Key Effects on HIEs: The potential deterrent effect on individual misconduct may lessen the oversight burden of entities participating in HIEs. On the other hand, enforcement will increase, making attention to compliance a priority.
28. Greater Penalties
- Civil Penalties
  - Previously, civil monetary penalties (CMPs) were limited to $100 per violation, not to exceed $25,000 for identical violations during a calendar year
- Key Effects on HIEs: Money talks. These will hit home for covered entities and business associates participating in HIEs.

Civil penalty tiers under Section 1176(a)(1):

  Violation category                        Each violation        All such violations of an identical provision in a calendar year
  (A) Did Not Know                          $100 to $50,000       $1,500,000
  (B) Reasonable Cause                      $1,000 to $50,000     $1,500,000
  (C)(i) Willful Neglect, Corrected         $10,000 to $50,000    $1,500,000
  (C)(ii) Willful Neglect, Not Corrected    $50,000               $1,500,000
29. Self-pay episode disclosure restrictions - Section 13405(a)
- Explanation: People who have health insurance sometimes pay for care out of pocket in order to protect their privacy. Some providers have had a history of nonetheless reporting these self-pay episodes to payers, thwarting that privacy need. This new restriction requires covered entities not to disclose data (electronic or paper) from such self-pay episodes if a patient requests this.
- Effective date: 2/17/2010; no regulations
- Likely key effects on providers
  - Most providers won't change disclosure policy, but will likely want to revisit how they document and implement requests to restrict disclosures (as required in the Privacy Rule)
  - For providers who allow access to records by payer-based case managers (e.g. hospitals), efforts will have to be made to segregate self-pay data.
  - In EHRs, as data is reused in various functions, segregation of self-pay data may be challenging (e.g. allergy data collected in a self-pay episode).
  - The definition of "episode of care" will need attention.
30. Accounting of Treatment, Payment, Operations (TPO) Electronic Disclosures - Section 13405(c)
- Explanation: The HIPAA Privacy Rule has long required that a list of non-TPO disclosures be reported to the patient upon request (i.e. the date, recipient, content description and purpose of each disclosure). The new requirement adds that all electronic disclosures by EHR-using CEs and BAs made for TPO purposes, going back 3 years, also be reported to the patient upon request. Covered Entities can either report for BAs or direct patients to BAs for supplemental reports.
- Effective Date: For those who have an EHR on 1/1/09, accounting starts 1/1/2014. For those who acquire an EHR after 1/1/09, accounting starts 1/1/11 or when the EHR is acquired, whichever is later. HHS can delay a couple of years if desired. Expect regulations 7/2010.
- Likely key effects on providers
  - e-TPO disclosures are common (e.g. to payers, referrals) and will become much more common as people approach meaningful use objectives.
  - Collecting the data may not be much of an additional burden; most CEs would want the log of accounting data for their own use.
  - HHS will make regulations on which data goes into the accounting (about 7/10).
  - BA Agreement and process adjustments (Will you do the accounting for BA work, or will the BA?)
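The slide above (and the "Accounting of disclosures" element on slide 13) describes a log that most CEs would want anyway. The following is an added example, not code from the webinar or its presenters, of what such a disclosure log and the accounting it produces look like. The `Disclosure` record, the `SAMPLE_LOG` entries and the patient/recipient names are constructed for illustration. It applies the slide's two rules: non-TPO disclosures are accountable whether paper or electronic, and TPO disclosures are accountable only if electronic and within the 3-year window; the six-year look-back for non-TPO disclosures is the standard Privacy Rule period (45 CFR 164.528), which the slide does not state and which is therefore a parameter here. Disclosures made by BAs are listed separately so the CE can either report them itself or refer the patient to the BA.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

TPO_PURPOSES = {"treatment", "payment", "operations"}


@dataclass(frozen=True)
class Disclosure:
    """One disclosure record: the four fields the Privacy Rule accounting
    calls for (date, recipient, content description, purpose), plus the
    attributes HITECH 13405(c) makes relevant (electronic? made by a BA?)."""
    patient_id: str
    when: date
    recipient: str
    content: str          # description of the PHI disclosed
    purpose: str          # e.g. "treatment", "public health", "research"
    electronic: bool      # sent via EHR/HIE rather than on paper
    disclosed_by: str     # "CE" for the covered entity itself, else the BA's name

    @property
    def is_tpo(self) -> bool:
        return self.purpose.lower() in TPO_PURPOSES


def years_before(d: date, years: int) -> date:
    """Same month/day `years` earlier (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accountable(rec: Disclosure, as_of: date,
                tpo_years: int = 3, non_tpo_years: int = 6) -> bool:
    """Is this record in scope for an accounting requested on `as_of`?"""
    if rec.when > as_of:
        return False
    if rec.is_tpo:
        # HITECH 13405(c): only *electronic* TPO disclosures, 3-year window.
        return rec.electronic and rec.when >= years_before(as_of, tpo_years)
    # Privacy Rule non-TPO accounting: paper or electronic (6 years assumed).
    return rec.when >= years_before(as_of, non_tpo_years)


def accounting(log: List[Disclosure], patient_id: str,
               as_of: date) -> Tuple[List[Disclosure], List[Disclosure]]:
    """Return (disclosures made by the CE, disclosures made by BAs), each
    sorted by date, for one patient's accounting request."""
    hits = [r for r in log if r.patient_id == patient_id and accountable(r, as_of)]
    hits.sort(key=lambda r: r.when)
    own = [r for r in hits if r.disclosed_by == "CE"]
    via_ba = [r for r in hits if r.disclosed_by != "CE"]
    return own, via_ba


def format_line(rec: Disclosure) -> str:
    """One line of the accounting report: date, recipient, content, purpose."""
    return f"{rec.when.isoformat()}  to {rec.recipient}: {rec.content} ({rec.purpose})"


# Constructed sample log (hypothetical patients, recipients and BA name).
SAMPLE_LOG = [
    Disclosure("P001", date(2009, 11, 2), "Payer X", "claim for office visit", "payment", True, "CE"),
    Disclosure("P001", date(2009, 10, 5), "Dr. Y (referral)", "visit summary", "treatment", True, "CE"),
    Disclosure("P001", date(2006, 3, 1), "Dr. Z", "lab results", "treatment", False, "CE"),   # paper TPO: exempt
    Disclosure("P001", date(2005, 6, 30), "Payer X", "claim", "payment", True, "CE"),          # e-TPO, older than 3 years
    Disclosure("P001", date(2004, 1, 15), "County health dept", "reportable condition", "public health", False, "CE"),  # non-TPO, in window
    Disclosure("P001", date(2003, 1, 15), "County health dept", "reportable condition", "public health", False, "CE"),  # non-TPO, too old
    Disclosure("P001", date(2009, 9, 9), "HIE gateway", "medication list", "treatment", True, "HIE Operator BA"),
    Disclosure("P002", date(2009, 9, 9), "Payer X", "claim", "payment", True, "CE"),           # different patient
]


def sample_accounting(as_of_iso: str = "2009-12-04") -> Tuple[List[Disclosure], List[Disclosure]]:
    """Run the accounting for patient P001 in the constructed log."""
    return accounting(SAMPLE_LOG, "P001", date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    own, via_ba = sample_accounting()
    print("Disclosures by the covered entity:")
    for r in own:
        print("  " + format_line(r))
    print("Disclosures by business associates (report, or refer the patient to the BA):")
    for r in via_ba:
        print("  " + format_line(r))
```

Run as-is, the report for P001 lists the 2004 public health report and the two 2009 electronic TPO disclosures under the CE, and the HIE gateway disclosure under the BA; the paper referral and the 2005 claim fall outside the rules. Once HHS issues the regulations the slide anticipates, the field list in `Disclosure` is the place to extend.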
31. Selling PHI - Section 13405(d)
- Explanation: CEs and BAs who receive direct or indirect remuneration for providing PHI to third parties must have patient authorization (HIPAA style). The issue being addressed with this requirement is that the prior restrictions in HIPAA on PHI sale were thought to still allow too much sale of PHI outside of patient expectations. A CE/BA can still receive remuneration for disclosures for public health (limited), research (limited), treatment, CE sale to CE, payment of a BA, and to the patient. HHS has some leeway to define other exceptions.
- Effective Date: No later than 2/17/2011; HHS regulations by 8/17/2010
- Likely key effects on providers
  - Most providers not affected
  - Revisit practices related to BAs, research, public health.
32. Patient right of electronic access to ePHI - Section 13405(e)
- Explanation: The HIPAA Privacy Rule established a federal right of patient access to PHI (the designated record set) under virtually all circumstances. This ARRA provision adds a right for the patient to obtain an e-PHI copy from an EHR-using CE, or to direct that the CE transmit the e-PHI copy directly to a patient-chosen entity or person (e.g. "Send my ePHI to my PHR"). CE charges are limited to labor costs. Note that this right is separate from the meaningful use of EHR objectives that require engaging patients and families with HIT.
- Effective Date: No regulations explicitly called for; no explicit date found, likely 2/17/10
- Likely key effects on providers
  - "Transmit" may mean transmit, not hand over a CD or thumb drive copy.
  - The extent of support for interfaces to recipients (e.g. HealthVault, Google Health, iHealthRecord, Keas and lots of others) is not clear.
  - This requirement is a key incentive to use patients as pivots for sharing data generally.
  - Potential for abuse, e.g. marketers becoming valid recipients without informed consent of the patient.
  - Identifying patients (e.g. keeping a PHR identifier)
33. Meaningful use (MU) of EHR - Medicare Sec. 4101 (ambulatory), 4102 (hospitals), 4013, 4104; Medicaid Sec. 4201
- Explanation: A large scale ($17B; $600M in NC) incentive program to encourage EHR/PHR usage. A typical provider (e.g. physician, NP, PA) gets $45K-$60K in the form of Medicaid/Medicare bonus reimbursement for 1) meaningful use of a certified EHR, 2) HIE, 3) reporting on MU. 70 recommended objectives spread over 5 years in these areas: engaging patients and families (PHRs etc.), improving care coordination, ensuring adequate privacy and security, improving population and public health, improving quality, safety and efficiency, and reducing health disparities.
- Effective Date: Incentive payments are per year, with a lot of front loading, starting in 2011 (to 2015). Some chance of penalties for non-MU Medicare providers after 2015. Draft regulations 12/09.
- Likely key effects on providers
  - Serious money, serious challenge: much more electronic communication with patients.
  - Can't do it alone (especially the HIE part)
  - Private payers will likely follow suit (i.e. condition payment on EHR/PHR usage)
  - Very complicated; careful planning required.
  - Other programs (Regional Extension, State HIE Collaborative, EHR loan) support.
34. Risks of HIEs and Related HITECH Considerations
35. HIE Challenges and Risks
- Maintaining purity of database contents
  - Integrity, right to use and disclose, confidentiality
- Multiple data sources
- Multiple party access
- Need to conduct data flow compliance analysis
- Ensuring appropriate BAAs are in place
- User education
36. HIE Challenges and Risks
- HITECH
  - Potential double jeopardy for BAs
  - Increased operational duties and liability exposure under a new, complex operational scheme
  - Risk of "poisoning the well" and using data provided by third parties without proper authorization
37. Distribution of Security Risks
- The issue
  - The typical provider focuses primarily on security for its internal operations and considers risk to itself (e.g. risk of inappropriate use/disclosure of PHI, uptime of the system, local data integrity issues).
  - In an HIE, security risks are distributed across the HIE users.
  - The risk sharing model must satisfy each party (e.g. hospital, physicians, payers, patients, public health, researchers) or they won't participate fully (or at least will resist participating).
  - Making security cost-benefit tradeoffs that satisfy everyone in the sharing system is harder than making tradeoffs that only have to satisfy you.
- Likely key impacts on providers
  - Concerns about PHI confidentiality, integrity, and availability will need to be revisited with this new sharing model in which disclosures are frequent and automatic.
  - Need for auditable standards in the HIE and at the connected parties' systems.
38. Size and dynamism of the routine data sharing community
- The issue
  - A typical HIE will have a large and dynamic community of information providers and recipients (e.g. hospitals, physicians, patients, payers, researchers, public health).
  - Consider the challenge of managing registration, authentication, access audits, and authorizations among the members of this large and dynamic group.
  - How will access changes be made when practitioners are no longer eligible for access (retired, quit, fired)? How will changes in the legal competence of individuals affect access?
  - Just to make things interesting, you can't depend on having a compulsory universal health identifier.
- Likely key impacts on providers
  - There will be new external IDs (of patients, other providers) for each provider to keep and use.
  - Providers will likely have to register/de-register staff for access to external data.
39. Use of comprehensive longitudinal patient record (CLR)
- The issue
  - Having all of the relevant historical data about a person accessible for care, research and personal use is the core attraction of an HIE.
  - But having this CLR also raises the risk of inappropriate disclosure.
  - Data shared via an HIE may be used over longer times and for purposes not expected by the data originator. The limits on time and usage today help manage the risk of data being used for purposes for which it is not suitable/permitted.
  - Having the data in one place means that availability depends on that place being up and on being connected to the inquiring party. Having data spread (as in a federated model) requires that a lot of places be up at the same time to satisfy some inquiries.
  - What happens when an HIE/storage facility goes out of business?
- Likely key impacts on providers
  - Need to focus business process on the dependence on CLR availability
  - Need to determine medical/legal acceptability of data.
40. Changes in amount and effects of erroneous data being shared
- The issue: Well-functioning HIEs spread data quickly, whether it is true or not. Errors come from two main sources:
  - Accident
    - Usually human error
    - "Right data, wrong patient" mismatch is a typical error (Factoid: about 0.1% to 1% of patient record selection operations that precede data entry select the wrong patient)
    - Small environments (typical medical practice) with a lot of context and personal knowledge of patients help to keep this problem down.
  - Fraud, Medical ID Theft
    - To obtain services without paying
    - To hide conditions
    - To obtain money for services not rendered
  - HINs will likely exacerbate the level of erroneous data due to the relative distance (in time, space, context) of the provider from the user of the data.
- Likely key impacts on providers
  - Need to consider which data will be taken to be actionable and which requires corroboration.
  - Need to consider how to inform the community when previously shared data is found to be incorrect.
41. Changing (HITECH and beyond) environment of laws, standards, and regulations
- The issue
  - There is a large and growing set of public policies (i.e. laws and regulations) related to health information security and privacy. Notably, enforcement of privacy and security measures was strengthened in HITECH.
  - Generally they are meant:
    - to protect the person who is the subject of the information from misuse of their information by others (third party disclosure laws),
    - to help make amends if the information is misused, and
    - to assure that the person has reasonable access to the data.
  - There is also a growing set of laws, regulations, standards, and other incentives that incite providers to engage in more routine electronic information sharing.
- Likely key impacts on providers
  - They will more frequently have to actively manage these risks and anticipate and respond to public policy changes.
  - Providers may choose to bet that more consumer protections/rights will emerge.
42. Risks of failing to engage in routine information exchange
- The issue
  - "Let's wait until the dust settles" is a less attractive option than it has been historically. Waiting risks loss of incentive payments, penalty impositions, various forms of non-compliance actions or business disadvantages.
- Likely key impacts on providers
  - Providers will be less able to respond to privacy and security issues in data sharing by not sharing the data because of general concerns about risk.
  - Waiting to pursue adopting the various privacy and security elements in ARRA/HITECH has significant risks.
43. Approaches to Managing Risks in HIE
44. Managing Risks of HIE Participation
- Fair Allocation of Risk under Data Access Agreements
- Cyber Insurance
  - Different policy types
    - Privacy liability coverage may cover damages and claims related to privacy breaches and breaches of specific privacy laws and regulations, such as HIPAA.
    - Security liability coverage may cover damages and claims arising out of computer attacks caused by failures of security, including theft of client information, identity theft, negligent transmission of computer viruses and denial of service liability.
45. Managing Risks of HIE Participation
- Relatively new type of insurance with potentially high premiums; the application process for policies may be long and detailed
- Obtaining a policy when participating in an HIE
  - May be a contractual requirement under the HIE participation agreement
  - May be a good business decision depending on the type of system and the risks of misuse or unauthorized access
- Potential Coverage Under Existing Policies
  - A standalone cyber-insurance policy may not be necessary.
  - A cyber-liability endorsement to a CGL or E&O policy may work
46. Adjust existing security measures
- In anticipation of this new environment
  - Review and update your HIPAA-required risk analysis.
- Likely key typical provider changes and tasks
  - Review and update staff training on security and the sanction policy
  - Review and update your contingency plan
  - Consider the reliability/capacity of your broadband connection.
  - Assure unique accounts, robust passwords and no account sharing
  - Note that affordable and useful insurance is likely to require that you have a robust security program. These requirements may affect your security program.
  - Set up to capture, retain, and review access logs; start periodic reviews.
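Two of the tasks above, "no account sharing" and "capture, retain, and review access logs", together with slide 38's question of how access is removed when practitioners are no longer eligible, lend themselves to a periodic log review. The following is an added example, not code from the webinar or its presenters. The log line format (`timestamp user= patient= action= host=`), the `REGISTRY` of accounts with de-registration dates, and the constructed `SAMPLE_LOG` are assumptions for the example; an EHR's real audit log will need its own parser. The review flags accesses by unknown or de-registered accounts and one account used from two workstations within a short window, a common sign of a shared login.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed registry: account -> de-registration date (None = still active).
REGISTRY: Dict[str, Optional[str]] = {
    "jdoe": None,
    "rsmith": "2009-11-15",   # left the practice; access should have ended
    "hiegw": None,            # service account used by the HIE gateway
}

# Constructed sample audit log (hypothetical users, patients and hosts).
SAMPLE_LOG: List[str] = """\
2009-12-01T08:02:11 user=jdoe patient=P001 action=view host=ws-07
2009-12-01T08:03:40 user=jdoe patient=P001 action=view host=ws-12
2009-12-01T09:15:00 user=rsmith patient=P004 action=view host=ws-03
2009-12-01T10:00:00 user=hiegw patient=P002 action=export host=hie-gw
2009-12-02T14:20:05 user=jdoe patient=P009 action=view host=ws-07
2009-12-02T16:45:30 user=tmp01 patient=P003 action=view host=ws-12
""".splitlines()


def parse(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def deregistered_access(records: List[dict]) -> List[str]:
    """Accesses by accounts that are not registered, or whose registration
    ended before the access date (retired, quit, fired)."""
    findings = []
    for r in records:
        user = r["user"]
        if user not in REGISTRY:
            findings.append(f"{r['ts'].isoformat()} unknown account '{user}' "
                            f"accessed {r['patient']} from {r['host']}")
            continue
        cutoff = REGISTRY[user]
        if cutoff is not None and r["ts"].date() > datetime.fromisoformat(cutoff).date():
            findings.append(f"{r['ts'].isoformat()} de-registered account '{user}' "
                            f"(removed {cutoff}) accessed {r['patient']} from {r['host']}")
    return findings


def shared_account_use(records: List[dict],
                       window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Same account active on two different hosts within `window`."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for earlier, later in zip(recs, recs[1:]):
            gap = later["ts"] - earlier["ts"]
            if earlier["host"] != later["host"] and gap <= window:
                findings.append(f"{later['ts'].isoformat()} account '{user}' used from "
                                f"{earlier['host']} and {later['host']} "
                                f"within {int(gap.total_seconds())}s")
    return findings


def review(lines: List[str]) -> Dict[str, List[str]]:
    """One periodic review pass over a batch of log lines."""
    records = [parse(line) for line in lines if line.strip()]
    return {
        "deregistered": deregistered_access(records),
        "shared_account": shared_account_use(records),
    }


if __name__ == "__main__":
    for category, findings in review(SAMPLE_LOG).items():
        print(f"{category}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

On the constructed log the review reports the `rsmith` access after de-registration, the unregistered `tmp01` account, and `jdoe` appearing on `ws-07` and `ws-12` 89 seconds apart; the gateway service account produces nothing. Each finding is a lead for the sanction policy and incident process the slides describe, not a conclusion in itself.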
47. Shifting/reducing risks
- In anticipation of this new environment
  - Consider how risks (to PHI confidentiality, availability, and integrity) are distributed among you, your peers, BAs and patients in a routine e-sharing environment. BAs are now covered directly by ARRA; explore how this shifts risks.
- Likely key typical provider changes and tasks
  - Consider HIE governance elements that affect risk distribution. How will bad actors be managed? What would happen if you were a bad actor?
  - Educate patients about their role in security and where your role ends.
  - Consider cyber-insurance for some costs associated with new risks (e.g. breach notice costs). Recognize that affordable insurance will likely come with obligations to run a secure environment.
  - Consult your attorney about the shift in your general business risk and malpractice risks.
48. Collaborating with peers
- In anticipation of this new environment
  - Determine who your key partners will be and how to work with them in new or existing forums. Make/adjust forums if needed.
- Likely key typical provider changes and tasks
  - Formulate projects in these forums that focus on:
    - Issues that require group consensus (e.g. HIE governance issues)
    - Issues that are solved more easily via group-generated information/support (e.g. generation of checklists, model RFPs, training on security/privacy).
  - Consider how to minimize the time delay in action normally associated with reaching consensus with peers on an issue.
  - NC has many useful peer-based forums: NCHICA, CareShare, NCPHIT Committee, NCALHD, HWTF's HIT Collaborative, others.
49. Working with the public
- In anticipation of this new environment
  - Determine when to approach your patients on this change and via what means.
- Likely key typical provider changes and tasks
  - Aiding patients in understanding your data sharing policies.
  - Helping patients understand how you share data with them electronically and the best form of partnership to make that sharing productive.
  - Prepare how you will interact with patients about accounting of disclosure requests, self-pay restriction requests, providing e-copies of various PHI collections, and notice of breach.
50. Online Resources
- Key HHS web site
  - http://healthit.hhs.gov - see, especially, the links labeled "Meaningful Use" (for a list of the meaningful use objective recommendations) and "Privacy and Security" (for key documents related to HITECH and HIPAA P&S elements).
- NCHICA
  - http://www.nchica.org - links to tools and collaboration opportunities.
- HIPAA FAQs
  - http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html - question and answer format
51. Questions & Answers
- Un-mute: press 7
- Mute: press 6
- Name
- Type of Organization (free clinic, hospital, health center, ...)
- County
- Be brief
52. Contact Information
- Alicia A. Gilleskie
  - Smith, Anderson, Blount, Dorsett, Mitchell & Jernigan, LLP
  - 919-821-6741
  - agilleskie_at_smithlaw.com
- Dave Kirby
  - Kirby Information Management Consulting, LLC
  - 919-272-1157
  - Dave_at_KirbyIMC.com
- Care Share Health Alliance
  - mdarrow_at_CareShareHealth.org
  - www.CareShareHealth.org
  - 919-861-8355