Below is a description of each session. Please see the agenda for the times of each session.

Pre-Conference Workshop

Privacy and Security Implications of Meaningful Use
In December 2009, CMS announced a notice of proposed rulemaking
(NPRM) to implement provisions of the Recovery Act that provide
incentive payments for the meaningful use of certified EHR technology.
The proposed rule outlines provisions governing the EHR incentive
programs, including defining the central concept of "meaningful
use" of EHR technology. CMS' goal is for the definition
of meaningful use to be consistent with applicable provisions
of Medicare and Medicaid law while continually advancing the
contributions certified EHR technology can make to improving
health care quality, efficiency, and patient safety. To accomplish
this goal, CMS' proposed rule would use three stages to phase
in robust criteria for demonstrating "meaningful use."
In defining "meaningful use" through the creation
of criteria, CMS balanced competing considerations to propose
a definition that best ensures reform of health care and improved
healthcare quality. The definition also encourages widespread
EHR adoption, promotes innovation, and avoids imposing excessive
or unnecessary burdens on healthcare providers, while at the
same time recognizing the short time-frame available under
the HITECH Act for providers to begin using certified EHR
technology.
This workshop will involve participants in discussions concerning
the 23 objectives and measures to be implemented during the
three stages of meaningful use implementation and the implications
for privacy and security policies, procedures, and business
processes. The objective will be to publish an informational
whitepaper and supporting document for Academic Medical Center
business, privacy, and information security leaders to guide
informed decision-making.
Click here for further details
on the workshop deliverables and agenda.

Plenary Track

ARRA Effects on AMC Privacy & Security
Now that much of the regulatory dust on the ARRA has settled,
what effects should AMC privacy and security leaders expect
to have to deal with? Which are most important and urgent
and why? While many of the conference topics will cover specific
ARRA-based issues in depth, this plenary talk will give an
overview and perhaps help you choose your sessions more thoughtfully.
Session Objectives:
- List at least three areas in which ARRA will affect the
typical AMC's Privacy and Security program
- List at least two urgent effects of ARRA Privacy &
Security changes on AMCs

Quiz the Regulator
We've assembled a panel of regulators in the area of
health privacy and security. Ask them what you wish. Tell
them what you need. They'll say what they can.
Session Objectives:
- Describe at least one late-breaking regulatory change
in the area of Privacy and Security
- Describe at least one area in which AMCs need greater
clarity from regulators

Conference Evaluation
What was the conference experience like this time? What should we
do next as a group to support AMC Privacy and Security leaders?
Who wants to participate in the next conference?
Session Objectives:
- Describe at least two new items of interest in the areas
of Privacy and Security for AMCs
- Describe at least two new items of interest in your own
AMC

Compliance/Governance Track

Stop, Thief! How AMCs are Handling Compliance with Identity Theft
& the Red Flags Rule
AMCs are required to comply with state and federal Identity
Theft statutes requiring the safeguarding of personal,
medical and financial information which could provide a thief
with the tools needed to steal the person's identity
and finances. Additionally, medical identity theft carries
with it a host of problems not only for the patient but also
the AMCs in the integrity of their medical records and potential
patient safety outcomes. At the same time, AMCs must comply
with the FTC's Red Flags rule with similar
security requirements. Panelists and participants will discuss
recommendations for policies and procedures and other compliance
tactics for these requirements.
Session Objectives:
- Discuss policies and procedures required and/or suggested
for AMCs
- Describe various processes suggested for compliance
- Evaluate tools, techniques, and best practices employed
by AMCs
- Discuss issues noted by AMCs in working through compliance

Responding to the Breach Notification Requirements
AMCs are now required to notify patients and regulators when
certain breaches of unsecured PHI occur. AMCs must determine
when PHI is considered unsecured and determine
whether the harm threshold has been met, requiring
notification of a breach. AMCs must coordinate with Business
Associates in meeting the new requirements.
Session Objectives:
- Discuss compliance with federal and state requirements,
including the use of separate and combined processes
- Discuss the ways AMCs are handling the harm threshold
provision (determination of significant risk of financial,
reputational, or other harm to the individual)
- Evaluate organizational responsibilities
- Discuss projected compliance costs

New & Improved Policies: The HITECH Shuffle
The HITECH Act provides new and modified regulation of privacy
and security of PHI. These changes will necessitate some new
policies, as well as amendments to existing policies. AMCs
will need to determine what changes need to be made, and prioritize
to address the policy revisions based upon effective dates
in the new regulations, the lead time required to implement
changes, and the degree of readiness of the various systems
and processes of each AMC.
Session Objectives:
- Discuss the changes which need to be made to existing
policies
- Discuss the new policies which must be created

For Sale by Owner: PHI for Sales & the Impact on AMCs
The HITECH Act provides a prohibition on direct or indirect
receipt of remuneration in exchange for PHI unless the covered
entity has obtained an authorization. There are certain exceptions
to this prohibition which, in some instances, may change the
way data is handled and shared.
Session Objectives:
- Discuss the "what data, how, when and for what" of data sales
- Explain if AMCs get more business or less
stemming from this new provision
- Describe what processes have been established by AMCs
to comply with the rules
- Discuss how the trend toward increased data mining is being
handled
- Explain how the push toward more intensive and widespread
sharing of PHI is affected
- Describe some of the remuneration issues, such as accounting
for the sale and any implications under the Anti-Kickback
statute

Do You Really Need to See That? Changes in the Minimum Necessary Requirement
AMCs are required to disclose
only the minimum necessary PHI, or to limit disclosures to
limited data sets. New guidance on what constitutes minimum
necessary is forthcoming.
Session Objectives:
- Discuss the overall impact new definitions or guidance
will have on AMCs in the form of: new policies, limited
data sets and de-identified data
- Describe the new processes being used to determine what
to disclose and best practices

Brave New World for Business Associates: A New Landscape for Business
Associate Relationships
Business Associates are now subject to many of the requirements
formerly enforced only against covered entities. AMCs must
determine how HITECH modifies the relationship with Business
Associates.
Session Objectives:
- Discuss the compliance responsibilities for Business Associates
and how these affect AMCs, and evaluate whether there
will be more or fewer Business Associates that AMCs will
be dealing with
- Discuss new contractual obligations for Business Associate
Agreements, changes that may be required, and suggestions
for templates
- Evaluate the processes to implement new Business Associate
requirements, including acceleration of notification and
information flow-through for AMCs

New Cops on the Beat: The New Enforcement Landscape after HITECH
The HITECH Act makes several major modifications to the enforcement
players in the privacy and security world. AMCs will need
to address these changes in their approaches and processes
for compliance. This session will examine the new, more stringent
environment with opportunity for increased enforcement activity,
including: new rights of suit; new enforcers (State
AGs and individual patients); combining privacy/security enforcement
in OCR; and incentives for OCR and patient victims.
Session Objectives:
- Discuss changes AMCs will make in regard to risk management,
guarding against willful neglect and soliciting
patient awareness and help
- Describe AMC processes for preventing, detecting and mitigating
inappropriate actions, including rules of behavior, training,
system tools and alerts, capturing wrongful disclosures
for the TPO accounting requirement, sanction policy changes
and new issues with Business Associates

Free-for-All & Late-Breaking Issues
A facilitated group discussion about pressing issues facing
AMCs in compliance and governance issues.

Research Track

Comparative Effectiveness Research
ARRA contains $1.1 billion for comparative effectiveness research
(CER), which compares treatments and strategies to improve
health. This information is essential for clinicians and patients
to decide on the best treatment. It also enables our nation
to improve the health of communities and the performance of
the health system. Funding includes the development and use
of clinical registries, clinical data networks, and other
forms of electronic health data that can be used to generate
or obtain outcomes data. Who owns this data? How will it be
managed? What are the security and privacy challenges?
Session Objectives:
- Describe CER as outlined in ARRA and the possible role
for AMCs
- Discuss security and privacy challenges CER will present
- Identify strategies for developing a CER program with
the current privacy and security requirements

Privacy: What Does It Mean with Electronic Data?
The HITECH Act charges the Department of Health and Human
Services with providing new guidance for de-identification
best practices. How does this new guidance affect how medical
researchers de-identify data for study? How are existing de-identified
datasets affected? What force does this guidance
have in practice in AMCs?
Session Objectives:
- Describe HITECH guidance for de-identification
- Discuss how this affects research and existing datasets
- Identify strategies being developed by AMCs

EHRs, PHRs, HIEs & Beyond
One goal of ARRA is to seek to develop a health information
infrastructure that supports population health research. How
will this goal be met? How are the Department of Health and
Human Services and the National Institutes of Health helping?
Which opportunities for medical researchers to use HIEs, EHRs
and PHRs will appear, and when? How are these opportunities
shaped by privacy and security needs? Will the clinical care
data environment support the clinical research needs?
Session Objectives:
- Describe the opportunities and challenges presented by
EHRs, PHRs and HIEs
- Discuss the differences between operational and research
data in these environments
- Identify what privacy and security strategies will need
to be addressed

Mobile Computing: Extending Functionality & Reach of Research
Clinical trials are an essential step in bringing important
life-saving drugs to market. Mobile computing is helping clinical
trial sponsors capture more reliable patient reported outcomes
data and reduce drug development costs by giving patients
better tools for sharing information about their experiences
during clinical trials. Greater flexibility for data capture
and delivery also presents greater security challenges. How
are researchers managing their security and privacy obligations
in a growing mobile environment?
Session Objectives:
- Discuss how mobile computing is currently being used in
healthcare and how this could be extended to research
- Describe security and privacy issues that mobile computing
presents
- Identify options that will enable institutions to prepare
for the privacy and security requirements of mobile computing

Cloud Computing & Clinical Research: What are We Handing Over?
As tools like Amazon EC2 open up new opportunities to meet
the growing computational needs of research, how can institutions
and researchers make sure they are meeting the security and
privacy requirements? What do powerhouse pharma shops like
Pfizer and Eli Lilly see as the future of cloud computing
and how will they protect their intellectual property in an
environment they don't control? Who really is responsible
and in control in a virtual environment?
Session Objectives:
- Describe how cloud computing is currently being utilized
for research
- Explore the privacy and security responsibilities and
challenges
- Identify strategies AMCs should consider when moving to
this environment

Community Healthcare & the Future of Clinical Trials
The Army of Women is a community-driven research agenda to
recruit healthy women to participate with breast cancer researchers
to challenge the scientific community to expand its current
focus to include breast cancer prevention research conducted
on healthy women. In this new model of patient recruitment,
how will the global data collected be managed and shared securely?
Will patient privacy be as much of an issue in this new model?
How will this melding of molecular and clinical data impact
the way we capture and define a medical record?
Session Objectives:
- Examine the concept of community healthcare and its role
in clinical trials
- Discuss privacy and security challenges this environment
presents
- Identify strategies AMCs might employ to reuse and leverage
this data

What Can the CTSA Initiatives Teach Us?
As the Clinical and Translational Science Awards (CTSA) moves
into its fourth year, what have the participants learned about
managing security and privacy in collaborative research environments?
Are there policies and guidance others should look to as healthcare,
driven by ARRA, moves to a more collaborative community based
model?
Session Objectives:
- Identify where the CTSA program is driving AMCs
- Describe how the CTSA is addressing security and privacy
considerations for collaborative environments
- Discuss the tools and resources being developed by the
CTSA program or sites

Late-Breaking Issues
A facilitated group discussion about emerging research issues.

Security Track

Encryption: A Safe Harbor from Breach Reporting
State and federal regulations prompt AMCs to consider a holistic
approach to encryption. What was once a transmission control
domain, encryption now provides a safe harbor from breach
reporting when employed as an access control for data at rest.
Laptop computers, removable media, on-line databases and system
backups containing identifiable information are at risk, and
the Notice of Breach provisions in ARRA and emerging state
identity theft laws provide new incentives to re-think encryption
policy and process. Will this incentive result in mass changes
or will the costs and logistics inherent to encryption deployment
and support continue to outweigh the benefits? What price
will AMCs pay for mine-free safe harbors? Attendees will explore
this cryptic topic.
Session Objectives:
- Discuss strategies for implementing and maintaining a
holistic encryption program
- Explain how to employ encryption in a risk-based fashion
- Describe the pitfalls and operational considerations inherent
to deploying encryption

Providing ePHI to Patients: Right of Access and Health Information Technology
ARRA requires the provision of electronic protected health information (ePHI) to patients upon request. How will AMCs satisfy this new requirement and manage patient expectations? What are the "hidden"
liabilities to be aware of from a security perspective? From a privacy perspective? How can the requisite provisions be used to improve relationships between patients and their providers, and empower patients to take a more active role in their healthcare? This session will examine these points and more.
Session Objectives:
- Discuss how providing ePHI to patients can enhance physician/patient relations
- Describe the requirements for providing ePHI to patients
- Describe methods of providing ePHI to patients
- Identify inherent liabilities in providing ePHI to patients
- Identify key objectives in providing ePHI to patients

Is Your Electronic Health Record Certified?
ARRA requires electronic health record (EHR) certification
for organizations to obtain the millions of dollars in incentives
for early EHR adoption and to avoid penalties. Does your EHR
meet Certification Commission for Health Information Technology
(CCHIT) standards? How will the shift to certified EHRs affect
security programs and practices at AMCs? Which parts of an
AMC's many systems represent the EHR? Will a new emphasis
by CCHIT on component certification help or hurt? Will AMCs
pursue certification for home-grown systems or replace them?
Attendees will help develop consensus on what's in scope and
what's not.
Session Objectives:
- Explain what certification means and doesn't mean
- Discuss the effects on security programs and practices
- Explain how to define a home-grown EHR

Ten Information Technology Security Requirements for Certified EHRs
This session will cover relevant general information pertaining to ARRA, HITECH, Meaningful Use, certified EHRs, and what information technology security features must be met to meet the meaningful use objectives of a certified EHR, which allows an entity to qualify for federal stimulus funds. Discussion will center in detail on the ten IT security components that must be in place to qualify as a meaningful user. We will wrap up this session with the latest news pertaining to how the federal government will attempt to verify audit compliance with the requirements for meaningful use/certified EHR.
Session Objectives:
- Describe how IT security relates to the “meaningful use” definition, certified EHRs, and ARRA stimulus funding
- Identify the ten security requirements that must be met in order to be a “meaningful user”
- Discuss how the federal government plans to audit or obtain assurance for entities claiming to be "meaningful users"

Risk Assessment & Management in the HIPAA/ARRA Era
Risk assessment is part science and part art, a blending of
the objective and subjective. How are AMCs approaching risk
assessment? Are they using tools based on actuarial data and
statistical processes to calculate loss expectancies, or are
they using frequency/severity grids and generalizing? Which
would Copernicus and Monet choose respectively? How do AMCs
use the data to make risk acceptance, management and avoidance
decisions? Now the ARRA requires HHS to issue annual guidance
on technical safeguards. Will this guidance result in new
processes for risk assessment and management? What proactive
opportunities exist for the AMC community from a best practices
standpoint? Attendees will gain an appreciation of the increasing
emphasis on audit and help identify community best practices.
Session Objectives:
- Describe the general methods of risk assessment
- Discuss their pros and cons
- Explain how to use risk assessment data to manage risk
- Describe emerging best practices for implementing annual
HHS security guidance

Late-Breaking Topics
A facilitated group discussion about the latest security issues
and concerns.

Payment Card Industry Compliance & Other Unusual Acts
The Payment Card Industry (PCI) Data Security Standard is
perhaps the most onerous checklist-oriented edict ever devised.
Assuming that most AMCs have undergone initial PCI compliance
exercises in a risk-appropriate manner, it is now prudent
to develop a strategy to maintain and document compliance,
essentially putting the program on cruise control. But now
individual credit card companies and banks are requiring the
submission of additional information, "registration"
fees, legal opinions and compliance evidence. How will AMCs
manage these aspects across hundreds of merchant accounts,
disparate business lines and in multiple states? Will organizations
choose to satisfy these one-off requirements through the same
personnel and processes they employ for PCI compliance? This
session will explore these things and offer strategies, solutions
and experiences to complete and maintain PCI compliance and
manage emergent requirements.
Session Objectives:
- Discuss strategies and tips for maintaining, documenting
and reporting compliance
- Explain how to deal with emerging requirements

Phishing: What Happens When the Bait is Taken?
All AMCs receive waves of phishing e-mails that solicit user
IDs, passwords and other personal information. Recognizing
that awareness is the linchpin to combating this threat, it
helps when users understand what happens when they take the
bait, provide their credentials and compromise their accounts
- or worse. This session will take attendees through the step-by-step
process as services are compromised and exploited, mailboxes
are turned into spam zombies, AMCs are blacklisted on the
Internet, and IT staff clean up the mess.
Session Objectives:
- Explain the mechanics of a phishing exploit
- Discuss why users take the bait
- Describe phishing countermeasures