creating learning communities · 2012-04-30 · intelligence agency, u.s. department of veteran...


Creating Learning Communities: Interactive Case Studies Addressing

Privacy, Security and Communication Issues

Moderated by Brian Lane, Vice President, Market Development, AHA Solutions, Inc.

HCCA Compliance Institute 2007

Pre-Conference Session 4/22/07; 1:00–4:00pm

Objective

To create an interactive networking opportunity for all attendees to discuss and learn about compliance issues, challenges and solutions from healthcare industry experts as well as your peers.


Agenda

1:00 – 1:10 Welcome & Introductions
1:10 – 1:20 Overview of Current Compliance Issues from AHA Perspective
1:20 – 1:45 Digital Healthcare Challenges
    Ali Pabrai, President, ecfirst.com, home of the HIPAA Academy
1:45 – 2:10 Ideas on How to Manage Incident and Claims Information
    Clare Bello, President, VCM
2:10 – 2:35 Compliance Issues Pertaining to Applicant Screening
    Stefan Keller, President, Certiphi Screening, Inc.
2:35 – 2:50 Break
2:50 – 3:15 Compliance Surrounding Wireless Applications
    John Curin, Senior Managing Consultant, Burwood Group, Inc.
3:15 – 3:40 Compliance Issues Pertaining to Communications and Networks
    Bill Paschall, Director Healthcare Applications, AT&T
3:40 – 4:00 Follow up topics, questions and discussions
    Q&A and Wrap-up

Overview of Current Compliance Issues from an AHA Perspective


The American Hospital Association

• Founded in 1898, national not-for-profit organization

• Nearly 5,000 institutional members + 37,000 individual members

• Represents and serves all types of hospitals, healthcare networks, and their patients and communities through:
  • Advocacy
  • Education
  • Collaborations with State and Metro hospital associations

AHA Strategy Map 2007-2009


AHA Solutions, Inc. – Who We Are

• Mission: Find quality products & services to help hospitals run better
• For-profit subsidiary of the AHA for over 25 years
• Profits go back to the AHA to further the mission/vision/advocacy
• Exclusive rights to award the AHA endorsement
• Focus areas guided by Advisory Panels and include:
  – Information Technology
  – Human Resources
  – Employee Benefits
  – Patient Flow
  – Revenue Cycle Management
  – Risk Management

The AHA Endorsement signifies that a product or service has passed our tests for quality and that the vendor behind it meets our strict criteria for quality, stability and customer service.

Digital Healthcare Challenges

Ali Pabrai
ecfirst.com, home of the HIPAA Academy
Chairman and [email protected]


Ali Pabrai - President, ecfirst.com

• Uday Ali Pabrai, CISSP (ISSAP, ISSMP), CSCS, is the chief executive of ecfirst.com, an Inc. 500 business and an organization exclusively endorsed by the American Hospital Association (AHA). A highly sought after information security and regulatory compliance expert, he has successfully delivered solutions on healthcare information technologies to organizations across the United States.

• Author of The Art of Information Security, he developed a unique security methodology called BizShield™: The Seven Steps to Enterprise Security™.

• Mr. Pabrai also established the industry’s first certification program on HIPAA - Certified HIPAA Professional (CHP) and Certified HIPAA Security Specialist™ (CHSS™). He recently launched the Certified Security Compliance Specialist™ (CSCS™) program.

• Mr. Pabrai’s clients have included hundreds of hospitals, long term care facilities, Microsoft, Kemin, Pella, Intuit, Principal Financial, U.S. Naval Surface Warfare Center, U.S. Defense Intelligence Agency, U.S. Department of Veteran Affairs, as well as numerous federal, state and county governments.

Digital Healthcare Challenges

• Technology
  • Too many servers
  • Too many applications
  • Too many PCs to maintain and manage
  • Mobility of devices is rapidly increasing
  • Storage demands are increasing fast
  • Highly specialized technical skills required
  • Serious lack of redundancy

• Compliance & Security
  • HIPAA
  • State regulations
  • Attacks on perimeter, wireless, and client-side


Typical Priorities

• Technology
  • “Thin is In”
  • Bring the complexity to the data center
  • Reduce the number of servers
    • Virtualization
    • Blade servers
  • Plan for multi-tier storage architecture

Typical Priorities, cont.

• Compliance & Security
  • Achieve and maintain HIPAA compliance
  • Implement integrated security capabilities
  • Secure facilities, servers, clients, wireless
  • Deploy Single Sign-On (SSO) and context management solutions
  • Activate auditing and monitoring capabilities
  • Build and test contingency plans
  • Update security policies
  • On-going security training & awareness


For a complimentary copy of Get Compliant. Get Secure!, email your testimonial to:

E: [email protected]: 949.260.2030

Questions

1. What is your key compliance challenge?
2. What are your plans for an alternate data center?
3. Any serious malicious software attacks in last 12 months?
4. Is storage management becoming a serious issue?
5. What are your plans for sustained development of skills for your IT staff?


Ideas on How to Manage Incident and Claims Information

Clare M. Bello, Esquire
VCM
Co-Founder, President & Chief Executive [email protected]

Clare M. Bello, Esquire - President, VCM

• Clare M. Bello, Esquire is the co-founder, President and Chief Executive Officer of VCM, LLC located in Pittsburgh, PA. VCM is a claims and litigation management company designed to address claims management issues for healthcare facilities in the alternative risk transfer market.

• Clare has led VCM from a regional claims & litigation management company to a national company taking the lead in the healthcare claims management industry. She has lectured in national programs aimed at the healthcare alternative risk market and is certified with the Commonwealth of Pennsylvania as an instructor of continuing education courses for insurance professionals.

• Clare holds a law degree from the Duquesne University School of Law. She managed an active law practice in the Commonwealth of Pennsylvania for over a decade before beginning her corporate career with VCM. Prior to co-founding VCM, Clare’s practice was focused in insurance regulatory law and providing professional liability litigation defense.

• Clare is a member of the AHA, ASHRM, HFMA, CIC DC, SCCIA, PLUS and VCIA as well as remaining an active member of her state of local legal bar association organizations.


The Power of Information

• Claim Information – what can you learn?
  • Trending
  • Financials
  • Exposures or concerns

• What can trigger a claim audit?
  • Due Diligence
  • High Claim Payments
  • High legal fees

• How often should an audit be performed?

• What should the audit cover?

• What can we learn from audit results?

Audit Case Study

• Initial Audit Findings:
  • Defense costs average more than $100,000 for defense through discovery
  • More than 60% of litigated files settle after discovery but before trial

• Implementation:
  • New Litigation Guidelines
  • Active management role by claims professional
  • Early resolution tools

• Long Term Results:
  • Defense costs reduced by 10%-20% (over 3 yrs)
  • File Duration is reduced
  • Early resolution maintains costs while offering fair resolutions


Questions

1. How often should a claim audit be performed?
2. How can you measure the success of the implementation of audit recommendations over time?
3. Is the need for a claim audit different between commercial coverage and alternative risk transfer programs? How?
4. If claims are managed through in-house claims department – how do you utilize the claim audit?
5. With early resolution programs – are the settlement or liability payments reduced?

Compliance Issues Pertaining to Applicant Screening

Stefan Keller
Certiphi Screening, [email protected], x 2003


Stefan Keller - President, Certiphi Screening, Inc.

• Stefan E. Keller is president of Certiphi Screening, Inc., a member of the Vertical Screen family of applicant screening companies. Certiphi provides background screening and fingerprint collection, occupational health screening and DOT compliance services exclusively to the healthcare industry. Certiphi’s applicant screening services are the only applicant screening services endorsed by the American Hospital Association, and Certiphi was recently selected by the Association of American Medical Colleges for its medical student criminal background check program.

• Stefan has been with Certiphi since 1991, and oversees all aspects of its operations, including sales and marketing, compliance, and client relations. He has particular expertise in legal, operational, and technological issues related to applicant screening. Stefan has addressed many industry groups on the topic of applicant screening, and has contributed expert commentary to both industry trade publications and educational materials.

• Prior to joining Vertical Screen, Stefan worked as an editor and investigative reporter for Cox Newspapers and Tribune Media Services in Florida. He received his B.A. degree in Organizational Communication from the University of Central Florida.

The Problem

Healthcare Organization with Locations in Multiple States

• Applicant Screening Handled Differently by Each Location
  • Different parameters for which applicants got screened
  • Different parameters for what records got checked
  • Different HR tracking systems – no communication
  • No corporate oversight or ability to audit

• Compliance Problems
  • Needed to ensure consistency in screening for JCAHO
  • Needed policy for screening employees, residents, volunteers, contractors
  • Needed to ensure compliance with state-specific screening laws
  • HIPAA issues because hospital was doing its own drug screening


The Solution

• Corporate Established Base Screening Guidelines
  • Who should be screened – based on job performed
  • What should be checked – criminal records, sex offenders, verify education
  • Outsourced drug testing process

• Screening Program Adjusted for Each Location Based On:
  • Type of services offered (LTC) and state requirements
  • Hiring process and staffing needs
  • Department of Transportation (Shuttle busses)

• Certiphi System Tied Hospital Screening Data Together
  • Prevented rejected applicants from hopping within health system
  • Gave corporate oversight tool to monitor & audit screening

For more information, please contact Stefan Keller at:

Certiphi Screening, Inc.
1105 Industrial Highway
Southampton, PA 18966
888.260.1370, x 2003
www.certiphi.com


Compliance Surrounding Wireless Applications

John Curin
The Burwood Group, Inc.
Senior Managing [email protected]

John Curin, Senior Managing Consultant, Burwood Group, Inc.

• John Curin joined Burwood Group in November of 2001, and is currently a Senior Managing Consultant with the organization. He has over 8 years of experience in strategic technology design and architecture development in complex IT environments spanning the healthcare, legal, financial services, manufacturing, retail and technology markets.

• During his time at Burwood, Mr. Curin has been involved in the full life-cycle of technology deployments to client organizations, including: Facilitated assessment efforts, Strategic design and architecture road mapping, Managed implementation, Development of support models and Operations efficiencies.

• In the area of Information Security, Mr. Curin has led efforts to align business risk goals to IT controls and governance at a number of Burwood Group’s clients. In addition to security and risk assessment, he has helped a number of organizations adopt security frameworks such as COBIT, as well as manage to rigorous regulatory and compliance objectives such as Sarbanes-Oxley, HIPAA and PCI.

• Mr. Curin currently holds the following technical certifications: Cisco Certified Network Professional; Cisco Certified Network Associate; and Cisco Certified Internetworking Expert Written.


HIPAA-Compliant Wireless Overview

HIPAA-Compliant Wireless Focus: The Security Rule

• Technical Safeguards (controlling logical access to protected data)
  • Authentication
  • Encryption
  • Access Controls

• Physical Safeguards (controlling physical access to protected data)
  • Secure Access Points
  • Benefits of a “light weight” architecture

• Administrative Safeguards (defining policy and procedure)
  • Published Terms and Conditions
  • Provides wireless networks that pass internal audit standards
  • Mapped to access authorization procedures

Complementary to the Privacy Rule

HIPAA-Compliant Wireless Design

[Network diagram. Labels: Campus LAN, Hospital Guest, Lightweight AP, Controller, Computer on Wheels, Firewall, Internet, LWAPP Tunnel, Open Auth, Encrypted Auth, Medical Untrusted, Medical Trusted, Guest Untrusted, Guest Trusted, Network Core, NAC Posture Assessment and Access Control, WPA Security (Multiple EAP types Supported), Guest Firewall Access Control, Guest NAC T&C]

• Authentication and Encryption
• Access Controls
• Guest Access and Administrative Controls


Questions

1. Has providing guest internet access to patients and visitors been identified as a priority for your organization?
2. Has wireless security, or lack thereof, been identified in previous security or HIPAA compliance audits?
3. Has anyone looked at wireless Voice over IP for either traditional telephony or nurse call systems?
4. Has anyone implemented or considered active RFID?

Beyond Compliance, Preparedness

Bill Paschall
AT&T
Director Healthcare [email protected]


Bill Paschall, Director Healthcare Applications, AT&T

• Since July 2006, Bill Paschall has been the Director of Healthcare Applications for AT&T, Inc. (Southwest) in Austin, TX. He has over 23 years experience in healthcare and received his degree in Business Management from Oral Roberts University in Tulsa, OK.

Bill’s experience includes scrubbing in as a surgical technician in the operating room, Administrator of a medical clinic in Pensacola, FL, medical device and capital equipment sales for the ENT and Ophthalmic specialties in CA and NV, and Product Development and Marketing for medical solutions integrating with video in St. Louis, MO. He has nine years of experience in Digital Medicine (Telemedicine) that includes sales, product design, system integration in the western US, and Director of Sales nationwide for a medical software company.

Now with AT&T, Inc. (Southwest), Bill assists AT&T Sales and Marketing in the Government, Education, & Medical (GEM) vertical in understanding healthcare trends and issues and develops and implements solutions to address the needs of AT&T customers. He supports medical groups and healthcare providers in establishing or expanding healthcare programs. He provides expertise in real time and store-and-forward medical applications and networks which integrate and distribute patient information leveraged with AT&T products and services to drive healthcare effectiveness and efficiency. Bill also delivers presentations on E-Medicine and Integrated Healthcare.

For National Security and Emergency Preparedness (NS/EP)

• Government Emergency Telecommunications Service (GETS)
  • Emergency access and priority processing in the local and long distance segments in an emergency
• Telecommunications Service Priority (TSP)
  • Priority Wireline telecom network restoration
  • NS/EP provider with a TSP assignment is assured of receiving full attention by the service vendor before non-TSP
• Wireless Priority Service (WPS)
  • Priority cellular network access for NS/EP requirements on a call-by-call priority basis.
• http://www.ncs.gov/services.html
• Fill out application, get help from NCS, get a sponsor


Telemedicine Compliance: Real Time & Store and Forward

• Clinical Devices/Peripherals must pass all standard medical equipment regulations and compliance standards: UL 601, FDA 510K, etc.
• Real Time/Video Conferencing:
  • Medical Device or Business Tool?
• Computers:
  • Medical Device or Business Tool?
• Store and Forward/Image Management Software: FDA 510K?
  • State of Alaska: FDA submission

Questions

1. Does the NCS program cover all my phones?
2. I heard that I had to have a congressman as a sponsor, is that true?
3. What if AT&T or Cingular does not provide my telecommunications services?
4. Can you help me fill out these forms?
5. How do you ensure proper color on Video for Telemedicine consults?


AHA-Endorsed Partner Presentations at HCCA

Partners Speaking in General Session Monday, 4/23:
- Clare M. Bello
- Shawn Eldridge
- Handouts available

Exhibiting:
- Visit Certiphi at Booth # 607
- Visit AHA Solutions at Booth # 609

Upcoming Events

• Free Web cast sponsored by our endorsed partner, Ironport
  Protect PHI in Email: AHA Endorsed Secure Messaging
  May 1, 2007; 2:00 pm EST/11:00 am PST

• Uday Ali Pabrai, Security+, CISSP, CSCS, Chief Executive Officer, Ecfirst.com
  Network Security and Data Protection
  National Council of State Boards of Nursing, Portland, Oregon
  May 15, 2007

• AT&T/AHA Solutions RHIOs Web cast
  May 22, 2007; 12:00-1:30 CST

To receive more information on our FREE educational events, please provide us with your business card!


Questions? Comments?

Thank you for participating in our session!

For more information on AHA Solutions, Inc., please visit: www.aha-solutions.org

For more information about the AHA, please visit: www.aha.org

Thank you!
