


Session Descriptions

Monday, June 28
Plenary Session

Key Issues in the Administration of HIPAA
From three distinct academic medical centers, we will address challenges and opportunities for the implementation of HIPAA Privacy and Security and discuss best practices in the following areas: relationships with business associates, clinical research, security, training and the HIPAA compliance program.

Session Objectives:

  • Identify next steps toward the implementation of HIPAA Security.
  • Describe the process for establishing a HIPAA compliance program.
  • Describe the relationship between HIPAA and research.

Panelists:

Administrative Track

Operations Interruptions and Business Continuity
This panel will address real world approaches to and experiences with planning to minimize interruptions in the operation of business critical information systems and how to keep business processes flowing in the event interruptions cannot be avoided.

Session Objectives:

  • Explain the scope of business continuity planning.
  • Establish a process for merging business and technology staffs into a coherent whole for business continuity planning.
  • Practice an orderly recovery if interruptions occur anyway.

Panelists:

Clinical Track

Formal Agreements
We will discuss preparation of formal agreements required by HIPAA, including authorizations, Notice of Privacy Practices (NPPs) and Business Associate Agreements (BAAs), and the process of implementing use of these forms and execution by the appropriate parties. We will discuss issues associated with the requirements of the documents and the related HIPAA provisions, and compliance with these provisions.

Session Objectives:

  • Identify the components and requirements of authorizations, NPPs and BAAs.
  • Implement the use and execution of authorizations, NPPs and BAAs.
  • Identify issues associated with the requirements for authorizations, NPPs and BAAs.

Panelists:

Research & Education Track

Education of Students in Medical Training Programs About Privacy and Security
How will AMCs change education programs for healthcare professionals to accommodate HIPAA?

Session Objectives:

  • Discuss current practices regarding teaching of medical students.
  • Describe the challenges peculiar to teaching medical students in an academic environment.
  • Explain how AMCs have changed their teaching methods to accommodate HIPAA.

Panelists:

Administrative Track

Training
The panel will present how their AMC has developed, delivered and administered its HIPAA training for both the Privacy and Security Rules or, alternatively, how it plans to meet the Security Rule training requirement. Each panelist will highlight the successes and difficulties of her institution's training program and what training is planned for the future. The panel will discuss how other state and federal regulations, if any, impacted HIPAA training. Finally, the panel will consider what each AMC may have done differently to effect HIPAA compliance via training and education. Questions will be taken from the audience and the panelists will roundtable answers.

Session Objectives:

  • Discuss what training is required by the Privacy and Security Rules and what other AMCs are doing to meet these requirements.
  • Benchmark your institution's training programs against those offered by other AMCs.
  • Comprehend the complexities of providing training at AMCs and how to avoid the most common pitfalls of administering and tracking HIPAA training programs.

Panelists:

Clinical Track

Access Protocol and Review
This session explores how AMCs are provisioning access to their electronic systems, how they are helping ensure that the "minimum necessary" requirement from the Privacy Rule and the authorization requirement from the Security Rule are being met, and how AMCs are implementing the requirement for access review (a.k.a. log review) from the Security Rule. There will also be a discussion of how other regulations/standards are driving activity in this area (e.g. JCAHO information management plans).

Session Objectives:

  • Describe how some AMCs are managing the implementation of access establishment, modification and termination to their systems in compliance with the Security Rule.
  • Discuss how some AMCs are managing the implementation of the authorization requirement in the Security Rule and how the implementation helps with meeting the Privacy Rule's "minimum necessary" requirement.
  • Explain how some AMCs are managing the implementation of elements of other regulations/standards that affect this area.

Panelists:

Tuesday, June 29
Plenary Session

An Update on HIPAA from HHS
Learn more about the U.S. Department of Health and Human Services' plans for HIPAA and how the Office of Civil Rights is handling enforcement of the HIPAA Privacy Rule.

Session Objectives:

  • Describe guidance that clarifies parts of the Privacy Rule.
  • Discuss HHS' upcoming plans for research guidance and identify other areas where guidance is needed.
  • Receive an update on OCR's enforcement efforts.

    Lora Kutkat, MPH (NIH)

Plenary Session

Operations: Implementing PHI Uses and Disclosures
How will AMCs build operations that respect the HIPAA restrictions on internal uses and clinical disclosures? How will AMCs deal with disclosing protected health information (PHI) to family and friends?

Session Objectives:

  • Describe the ways in which PHI may be used or disclosed.
  • Discuss the challenges for AMCs associated with uses and disclosures.
  • Identify some solutions to those challenges as suggested by the panel.

Panelists:

Administrative Track

Security Management
Security management in a decentralized Academic Medical Center environment hinges on the establishment of an effective governance structure with defined roles and responsibilities that support the development and promulgation of an information security program meaningful to all members of the organization. The information security function must effectively address security threats to minimize risk to the confidentiality, integrity and availability of the organization's information resources and supporting infrastructure. This session will highlight strategies and approaches employed by three institutions.

Session Objectives:

  • Identify strategies and approaches to best manage security in the decentralized AMC environment.
  • Analyze security risk and develop effective risk management solutions to minimize loss expectancies.
  • Develop an organized approach to HIPAA Security compliance measurement, gap analysis, gap closure and ongoing evaluation of safeguards to ensure compliance.

Panelists:

Research & Education Track

Research Databases
This panel will discuss how HIPAA has impacted the use of research databases: use of existing clinical and research data for studies, development of research databases for future research, etc.

Session Objectives:

  • Identify what data are covered by HIPAA and what are not.
  • Explain the overlap between HIPAA and the Common Rule.
  • List steps taken by AMCs to continue database research work in light of multiple applicable regulations.

Panelists:

Administrative Track

Future Security Issues
This panel will look at the topic of how to identify, evaluate, and protect against security threats. It will explore recent threats in traditional paper and computing environments. It will also explore how to approach new technologies, including mobile computing issues.

Session Objectives:

  • List the security threats to prepare for.
  • Evaluate the risks of particular security threats.
  • Compare models for addressing future known and unknown threats.

Panelists:

Clinical Track

Sanctions
How are AMCs using the sanction requirements to deter privacy and security breaches? How is mitigation for a breach being handled?

Session Objectives:

  • Describe the difficulties related to sanctioning employees and faculty members consistently although they have different grievance processes.
  • Explain appropriate sanctions for HIPAA offenses.
  • Discuss self-disclosure and the importance of mitigating fines and settlements.

Panelists:

Research & Education Track

Research Use of Identified and Deidentified Data
How are AMCs changing their approaches to using protected health information and de-identified data in research? Will there be a notable shift to de-identified data? Will IRB waivers be common or rare?

Session Objectives:

  • Explain how AMCs are changing their approaches to using PHI and de-identified data in research.
  • Discuss the uses of de-identified and identifiable patient data in research and how statistical de-identification is accomplished by an AMC, including some of the advantages and disadvantages.
  • Describe what is expected of the investigator using PHI in research and the IRB's role.

Panelists:

Administrative Track

Security Operations Challenges
Some HIPAA Security Rule requirements for safeguarding PHI are particularly challenging for Academic Medical Centers. Their distributed environments, limited resources and need to share data for purposes other than TPO present special challenges. This panel will focus on a few of the areas from prior sessions likely to be difficult for AMCs to address. Discussion among panel members will stimulate questions and suggestions from the session audience.

Session Objectives:

  • Determine what Rule requirements are the most demanding in certain AMC environments.
  • List the weaknesses and strengths of technical, policy and training solutions to mitigate risk.
  • Explain how to balance these components to achieve viable solutions.

Panelists:

Clinical Track

Future Privacy Issues
What future issues in the area of privacy are AMCs anticipating?

Session Objectives:

  • Discuss the impact of a nationally integrated medical record on patient trust.
  • Recognize that consumerism in healthcare will include confidentiality.
  • Identify strategies to demonstrate competency in guarding patient privacy that will ensure patient trust.

Panelists:

Research & Education Track

Privacy and Security Policy Influences from non-HIPAA Sources
There are a number of regulatory constraints (state, federal and others) on the research enterprise beyond HIPAA. This panel will explore the overlapping, or even conflicting requirements of these mandates in the current and future settings.

Session Objectives:

  • Recognize the non-HIPAA security and privacy requirements that co-exist in the research environment.
  • Explain where these requirements are in conflict and/or present a special problem for those responsible for supporting the research enterprise.
  • Identify some strategies and approaches that AMCs are applying to the problem.

Panelists:

Wednesday, June 30
Plenary Session

Key Issues in Research
This panel will present issues in research under the HIPAA Privacy Rule as experienced by the AMCs represented on the panel and how these issues were analyzed and resolved. Issues will include how the AMCs integrated the Privacy Rule with the Common Rule in their IRB review process, the ramifications under the Privacy Rule when the researcher is part of the Covered Entity, the effects of hybrid entity status on research and the sharing of data for research, and the use of de-identified and limited data set information for research. Panelists will also discuss what they would have done differently or plan to change regarding the research policies and procedures at their institutions. Anticipated issues regarding research under the Security Rule will also be discussed briefly.

Session Objectives:

  • Identify several key issues posed by the Privacy Rule for research.
  • Compare your institution's resolution of research issues with those of other AMCs.
  • Evaluate options for resolving common research issues under the Privacy Rule.

Panelists:

Administrative Track

Securing Communication of PHI
HIPAA sets particular addressable requirements for PHI transmitted electronically. The panel will review these requirements and present a variety of technical and policy-based approaches to addressing them. Discussion among panel members will stimulate questions and suggestions from the session audience.

Session Objectives:

  • Identify security and privacy risks inherent in all communication methods and list the extra risks incurred by using electronic transmission.
  • Describe what technical means organizations can use to securely communicate PHI data through EDI, e-mail or other means.
  • State the limitations of relying on policy to achieve compliance.

Panelists:

Clinical Track

Auditing for Privacy Compliance
This panel will address the key components needed for an effective privacy compliance audit program. The speakers will share first-hand experiences in developing, communicating and implementing an audit process, including who is involved in the audit process, what will be audited, how the audit will be conducted and the timeframes for conducting the audits.

Session Objectives:

  • Identify the key components needed for an effective privacy compliance audit process.
  • Describe one possible methodology for developing and implementing a privacy compliance program in an AMC environment.
  • List the common challenges when auditing for privacy compliance.

Panelists:

Research & Education Track

Clinical Trials Data Management
For decades academic centers have focused heavily on basic research with much less attention to clinical research. With a prior history that emphasized the individual and his/her funding of basic lab research infrastructure, the traditional approach to clinical research in academia has mirrored this segmented, small-business model rather than a more efficient institution-wide approach. This distributed approach to clinical research has led to duplication of effort, inability to capitalize on economies of scale, and data systems of various quality and security.

This session will focus on approaches to assessing institutional quality and privacy risks associated with a distributed process of data use and management, and discuss various approaches to developing solutions that incorporate centralized standards and oversight while supporting local use and management.

Session Objectives:

  • Identify the potential privacy risks inherent in the traditional academic approach to clinical research.
  • Describe an approach to assessing research infrastructure needs for management of data.
  • Discuss trends in academia that are focused on improved support of the research enterprise and privacy protection.

Panelists: