Mailing: 2440 East Tudor Road PMB 1143, Anchorage, AK 99507
Physical: 4000 Old Seward Hwy, Suite 203 (907) 770-2626
AeHN BOARD OF DIRECTORS
Paul Sherry President, AeHN Health Policy Strategist, Alaska Native Tribal Health Consortium
Ken Osterkamp Vice-President, AeHN State Director, AARP Alaska
Chris Emond Treasurer, AeHN Director of Treasury Alaska Communications
Carl J. Kegley Secretary, AeHN IT Alaska Senior Director, Banner Health
Karen Perdue President/CEO, Alaska State Hospital and Nursing Home Association
Jeff Davis President, Premera Blue Cross Blue Shield
Melinda Rathkopf, MD Allergy, Asthma and Immunology Center of Alaska
William Streur Commissioner State of AK, DHSS
Jan Harris Vice Provost for Health Programs University of Alaska
Jerome List, MD President, Alaska EHR Alliance Alaska Ear, Nose and Throat
Nancy Merriman Executive Director Alaska Primary Care Assoc.
Mark Williams Director of Telehealth & Outreach Providence Health & Services, Alaska
Susan Yeager Director, Alaska VA Healthcare System
AeHN Board of Directors Meeting May 21, 2014
11:30 AM to 1:00 PM
Location: AeHN Conference Room, 4000 Old Seward, Suite 203
Dial in: 1‐424‐203‐8400 Access Code: 239155#
Business Agenda
1. Call to Order/Paul Sherry
   a. Welcome and Introductions
   b. Approval of Agenda
   c. Approval of Minutes (04‐16‐2014)
2. Standing Reports:
   a. President's Report/Paul Sherry
   b. Treasurer’s Report/Chris Emond
   c. Executive Director's Report/Rebecca Madison
   d. REC Report/Dave Peters
   e. State Status Report/Paul Cartland
3. Privacy and Security Update/Carolyn Heyman‐Layne
   Policy review: 2.000, 2.200, 2.300, 2.400, 3.100, 4.200
4. AeHN Proposed Budget 2015
5. Strategy Map / Paul Sherry
6. Notice of Regular Meeting – June 18, 2014, AeHN Conference Room
7. Adjournment
Alaska eHealth Network
Action Items required: May 21, 2014
Section 1: Call to Order
o Motion to approve the Agenda
o Motion to approve the minutes of April 16, 2014
Section 2: Standing Reports
o Motion to approve President’s Report
o Motion to approve Treasurer’s Report
o Motion to approve Executive Director’s report
Section 3: Other Reports
o Motion to approve Policies: 2.000, 2.200, 2.300, 2.400, 3.100, 4.200
o Motion to approve 2015 Proposed Budget
AeHN Board of Directors Meeting AeHN Conference Room, 4000 Old Seward Hwy, Suite 203, Anchorage
Wednesday, April 16, 2014 11:30 p.m.- 1:30 p.m.
Alaska eHealth Network – Board of Directors Meeting Minutes, April 16, 2014
Board Members Present
A Davis, Jeff – Premera BC/BS
P Osterkamp, Ken - AARP
A Harris, Jan – University of AK (NV)
P Rathkopf, Melinda MD
P Williams, Mark - Providence
A Perdue, Karen – ASHNHA (Proxy-C Beemer)
T Kegley, Carl - Banner Health
P Sherry, Paul - ANTHC
T List, Jerome, MD – AEHRA
A Streur, Bill - DHSS (Proxy - Paul Cartland)
T Yeager, Susan – Dept. of Veterans Affairs
P Emond, Chris - Alaska Communications
T Merriman, Nancy - APCA
Ad Hoc:
P Madison, Rebecca Executive Director
T Heyman-Layne, Carolyn AeHN (P-NV)
T Yesmant, Claudette - Recorder
P=Present / T=Teleconference / A=Absent / NV=Non-voting Member (Quorum = 7 Voting Members or Member Proxies)
Guests Present
(P) Carney, Darcy CCG (P-NV)
(P) Hall, Rich - ANTHC
(P) Cartland, Paul DHSS – Proxy B Streur
(P) Peters, Dave AeHN (P-NV)
(T) Hartman, Sara - FCC
(P) Jensen, Chad LaTouche Pediatrics
(P) Cogan, Suzanne – Orion Health
(T) Beemer, Connie ASHNHA – Proxy K Perdue
(P) Montgomery, Kent – Orion Health
Supporting Documents:
TIME AGENDA ITEM – Presenter/Discussion Consensus/Action
11:33 am
CALL TO ORDER
a. Welcome and Introductions
President Sherry welcomed all attendees. Having determined that a quorum was present, President Sherry called the meeting to order at 11:33am.
b. Approval of Agenda
President Sherry presents a brief review of the agenda for today’s meeting. There was a motion by Mark Williams to approve the amended agenda, seconded by Ken Osterkamp. Motion approved.
Motion to approve agenda passed
c. Approval of Minutes
President Sherry gave an overview of the meeting minutes from 03/19/2014. There were no changes/edits recommended.
There was a motion by Chris Emond to approve the meeting minutes from 03/19/2014, seconded by Ken Osterkamp. Motion approved.
1. President’s Report (Paul Sherry)
President Sherry reports that the officers continued to work on the evaluation process for the Executive Director and will discuss the final review during the Executive Session at the end of this meeting.
There was a motion by Paul Cartland to approve the President’s Report, seconded by Connie Beemer.
2. Treasurer’s Report (Chris Emond)
Chris Emond gives the Statement of Financial Position report as of February 28, 2014. Cash and money market accounts total $323,282.95. A review of the Statement of Activities ending February 28, 2014 shows a net income of $588,622.73. Enhancements to the financial reports continue to be made. A forecast for HIE Operations will be included next month.
There was a motion by Mark Williams to approve the Treasurer’s Report, seconded by Paul Cartland.
3. Executive Director’s Report (Rebecca Madison)
Rebecca Madison presented the Executive Director’s report.
   1. Financial: Continue to complete State of Alaska deliverables; $3,261,276 of $4,608,528. Continuing to review and complete required monthly grant and contractor reports.
   2. DSM: Working with Orion to beta test and implement DSM v2; developing migration plan from v1 to v2.
   3. HIE: Fairbanks Cancer Center and Providence are the two highest priorities at this time. ANTHC and South Peninsula are next to onboard. Mt. Edgecumbe/SEARHC may onboard sooner due to their EHR readiness.
   4. REC: Continues to sign on providers for MU services.
   5. Privacy and Security: Risk Assessment – Futaris review of policies and contracts completed, audit of policy compliance begun, evaluation of HiTrust requirements in process, review of Orion Health Security Plan and policies begun, next phase will include a review of participant compliance, LaTouche Pediatrics will be the pilot site for the first participant audit, scheduled in May is scheduled to do an on-site survey of AeHN in April. Total Opt-Outs received = 29.
   6. Resources: No cost extension application for approximately $1.2M accepted and approved.
There was a motion by Chris Emond to approve the Executive Director’s report, seconded by Ken Osterkamp. Motion approved.
Update on REC Activities (Dave Peters)
Dave Peters reports the No Cost Extension paperwork was received on 3/26/2014 approving the extension.
Clinical Workgroup Report (Melinda Rathkopf, MD) Melinda reports that the 4/9/2014 meeting was used as a practice run for her upcoming talk at Providence Grand Rounds scheduled for 4/25/2014. Clinical Workgroup is working on defining their role.
Motion to approve meeting minutes passed
Motion to approve President’s report passed
Motion to approve Treasurer’s report passed
Motion to approve Executive Director’s report passed
State Report (Paul Cartland)
Paul Cartland gives the State of Alaska report. He states that representatives from the Centers for Medicare and Medicaid Services (CMS) will be on-site June 4-5, 2014.
4. Privacy and Security (Carolyn Heyman-Layne)
Carolyn Heyman-Layne reports that the Privacy and Security Workgroup meeting is scheduled to meet on 4/17/2014. There will be six policies to review before passing them to the Policy Review committee. The policies will be brought to the 5/21/2014 Board meeting.
5. ORION Health – Services and Product Update (Suzanne Cogan and Kent Montgomery)
Suzanne Cogan, Vice President of Sales and Kent Montgomery, Client Relationship Manager from ORION Health presented the Orion HIE Roadmap and client relationship strategy. PowerPoint slides are attached to minutes.
6. Strategy Map (Paul Sherry)
President Sherry is leaving the draft Strategy Map open for additional review and comments, with the intent of getting formal approval in advance of the annual meeting in November.
7. Executive Session
The board entered into Executive Session for personnel matters at 1:00 p.m. and reconvened in regular session at 1:30 p.m.
8. Executive Director Compensation
Ken Osterkamp moved to approve an award of a 10% performance bonus for 2014 to the Executive Director to be paid in the first paycheck paid after June 30, 2014. The Board intends to establish a new compensation profile, including an incentive component, effective for FY2015. Motion seconded by Chris Emond. Motion approved.
9. Adjournment
The Board meeting adjourned at 1:35 p.m.
Respectfully submitted by: C. Yesmant
Copyright © 2002‐2011 Orion Health group of companies | All rights reserved
Alaska eHealth Network Board of Directors Meeting
Orion Health
April 16, 2014
Suzanne Cogan ‐ Vice President, Sales & Client Relationships
Kent Montgomery – Client Relationship Manager
Company Overview
Orion Health
Page 3 • Copyright © 2013 Orion Health™ group of companies • All rights reserved
Orion Health and Alaska eHealth Network
• Alaska was Orion’s first SaaS (Software‐as‐a‐Service) client
– November 2010
– AeHN Leadership helped to define and drive the product offering
• Alaska is the leading “Marquee” client for Orion
– New and potential clients are asking for AeHN best practices
– Professional journals seek out successful programs to share the secrets and how‐tos
• Orion and AeHN partnership
– Renewed commitment and thought leadership to one of Orion’s premier clients
– Numerous beta tests and programs have been initiated at AeHN
– AeHN will be key leader in Solution Adoption Services rollout and will be involved in the Clinical Consulting program
– User group leadership
Orion Health Overview
Enable a better healthcare future through pioneering use of information technology and knowledge creation
• Privately‐held 20‐year old company dedicated to healthcare information integration for better population health management
• Established first comprehensive, national longitudinal patient record in New Zealand in 1995
• $150M USD Revenue per annum
• 1000+ Customers, 5 continents, 30 countries
• 45+ large Health Information Exchange deployments globally
• Auckland, NZ (global HQ); Santa Monica (US head office), Boston, Scottsdale (US R&D)
• 1,100 Staff
Orion Health – US Year in Review
• 95% YOY growth in North American revenue
• 70% YOY employee growth in US
• 40% YOY growth in statewide health information exchange (HIE) customers
• 200% YOY growth in private HIE customers which includes Accountable Care Organizations (ACOs)
• New US office locations
– R&D center in Scottsdale, AZ
– Raleigh, NC; Nashville, TN
• New product launches: Open Platform; Clinical Referrals
Orion Health Solution Suites
Orion Health has three distinct solution groups with specific strategies, markets, consumers and benefits:
Orion Health products can be further defined in terms of Groups, Solutions, and Modules.
US Collaborative Care customers
HEALTH SYSTEM AND PAYER ORGANIZATIONS
• Catholic Health Initiatives, CO
• Greenville Health System, SC
• Highmark BCBS, PA
• Huntsville Hospital, AL
• KeyHIE, PA
• Lahey Clinic, MA
• Lehigh Valley Health Network, PA
• Mary Washington Healthcare, VA
• MS Medicaid
• Ochsner Health System, LA
• Rush Health, IL
• Scottsdale Health Partners, AZ
• Sutter Health, CA
• St. Luke’s, PA
• St Vincent’s Medical Center, FL
• St. Francis Care, CT
• Western Connecticut Health Network, CT
• Walgreens
PUBLIC ORGANIZATIONS
• Alaska eHealth Network (AeHN), AK
• District of Columbia, DC
• State of Idaho HIE, ID
• Inland Empire HIE, CA
• Louisiana Health Care Quality Forum, LA
• Maine HealthInfoNet, ME
• The Massachusetts Health Information Highway (The HIway)
• Minnesota‐ Community Health Information Collaborative (CHIC)
• New Hampshire Health Information Organization, NH
• Nevada HIE (NV‐HIE)
• New Mexico Health Information Collaborative, NM
• North Carolina DHHS, NC
• North Dakota, ND
• North Texas Accountable Healthcare Partnership, TX
International Collaborative Care customers
CANADA
• Alberta Health Services, AB
• New Brunswick Department of Health, NB
• Quebec Department of Health, QC
• Saskatchewan Department of Health, SK
• The Northwest Territories, NT
• Ministry of Health & Long Term Care, ON
• Newfoundland & Labrador Centre for Health Information, NL
Asia
• Singapore Ministry of Health, Singapore
• Bumrungrad International Hospital, Thailand
• Franco‐Vietnamese Hospital, Vietnam
EUROPE
• Greater Glasgow NHS Trust, Scotland
• IB Salut, Palma, Spain
• Health and Social Care Northern Ireland (HSCNI), Northern Ireland
AUSTRALIA
• NSW Health, Sydney, NSW
• Hunter New England Local Health District, NSW
• Dept. of Health & Ageing PCEHR, Australia
NEW ZEALAND
• Canterbury District Health Board
What the Analysts are Saying
Chilmark
“Orion Health is arguably the largest provider of healthcare interoperability globally and a major HIE vendor in the U.S.”
KLAS
“Orion Health’s easy‐to‐use solutions and applications improve patient care and clinical decision making by enabling the exchange of healthcare information among disparate systems and providing integrated health data in a single, unified view.”
May 2013, IDC Health Insights #HI240928
“Customers comment that Orion Health’s integration tools are flexible when it comes to accessing a wide variety of data sources, and the interfaces are configurable. Additionally, they report that Orion Health is an excellent partner and very responsive to customer suggestions.”
How did Orion do?
HIE Market Overview and Orion’s Position
Orion Health
HIE Technology Market in the US
• Current market size: $558M*
• Expected to reach $878M by 2018 (CAGR of 9.5%)
• Driven by:
– Change in reimbursement paradigm – need to reduce costs
– Meaningful Use incentives
– Growth by affiliation rather than acquisition
• Private HIE market larger than public market in 2013, with a projected CAGR of >10% over next 5 years
• 2013 HIMSS Analytics report: 50% of physicians surveyed indicated they were joining an HIE
• Payers increasingly part of the HIE fabric
– Partnering with leading providers to share data and improve care coordination
– Acquisitions of HIE technology by United, Aetna, Humana
*Source: Healthcare IT News, March 14, 2014
Population Health Management Components
Macro Level: Population
Micro Level: Patient
Claims Data
Clinical Data
Collaborative Care Model
The Six A’s of Collaborative Care
[Diagram; labels recovered from the slide:]
Parsing, Validation, Transformation, Routing, Acknowledgements
Privacy Filtering, Security Filtering, Index Lookups, Notification Routing
User Management, Patient Record, BI and Analytics, Direct Messaging, Image Viewing
Portal Applications; Health Pathways
Patient Cohort, Population Health, Tasks for Clinicians
Data Repository; HIE Module
CCD Exchange, Notifications, Privacy & Consent, Record Locator
Normalization
Normalization, Semantics, Code Set Mapping
MPI
Demographics, Patients, Providers
Demographics; Encounters; Labs, Rads; Allergies, Diagnosis; Documents; Medications; Problems, Procedures
HL7, CCD, SSO, XDS
Data Warehouse; Clinical Data; Financial & Payer Data; Population Analytics; Enterprise Analytics
Clinical Portal; Patient Portal
Clinical Summary, Secure Messaging, Health Library, Circle of Care
Portal Applications
Tasks for Patient Self Care
Healthcare Providers; Patients and Families
Disparate Sources of Patient Data (e.g. HIE, EHR, Payors)
Healthcare Service Bus
Acquisition, Aggregation, Analytics, Access, Action
Organizational Changes
Orion Health
Client Relationship Management
• In 2013, Orion changed its approach to existing accounts
– Client Relationship Managers (CRMs) were realigned to focus on HIE clients, their growth, their future plans
– Orion CRM “owns” the account, post implementation
• CRM introduced at kickoff
• At go live, CRM takes over ownership of the account
• Quarterly reviews and weekly updates with the client
• Updates to Orion leadership bi‐monthly
• Key escalation point for account issues
Solution Adoption Services
Combining key capabilities and applying our marketplace experience to deliver an exceptional and comprehensive program aimed at simplifying participant connection to the Orion Health core solution
Solution Adoption Services
How Solution Adoption fits Into Implementation Project
Solution Installation
• Initial environment build
• Configuration
• Solution Hardening
• UAT
Solution Adoption
• Governance consulting
• Participant engagement
• Site roll‐out
• Change management
SAS Team focus
• Focused client‐specific technical teams
• Project management
• Fully documented specifications for participant readiness
• Participant assistance services available
– HL7 interfaces
– XDS and XDR feeds
– CCD parsing
– Single Sign On integration
– Testing and migration
• Ongoing connection monitoring
Process Overview
Process Overview cont’d
Client Benefits
• SAS team improves execution of participant onboarding for clients
• SAS integrates and operates in conjunction with PSG (Professional Services Group) implementation, improves results and speed of final solution
• Continuity in personnel drives both consistency and efficiency
• Management of Change Requests and data conversion to eliminate blocking issues will speed execution
• Bundled services to create better defined offering for client decisions
Solution Adoption Leadership Team
Training, workflow re‐engineering and UAT assistance
HL7, XDS.b interfaces, CCD parsing
Architecture tools, quality assurance and library maintenance
DSM installs, certificate management, XDR connections and change control
Project Management work orders and scheduling
John Nebergall, Vice President
Products and Roadmap
Orion Health
Orion Product Update
• Patient Portal 4.x
• EMR Lite Strategy
Key Features
Secure User Invitation and Registration
Circle of Care ‐ Patient Representatives
View, Download and Transmit Health Information
Secure Messaging using Direct standard
Automatic Patient Education Resources
Activity History
View Appointments
Shared Files
Automatic Logoff
MU2 Certification (April 2014)
Patient Portal 4.0 Features
12 month Roadmap – Subject to Change
Notifications
Lab Results
Discrete Data e.g. Problems, Encounters and Demographics
April 2014
• User Invitation and Registration
• Patient Reps
• View, Download and Transmit C‐CDA
• Secure Messaging using Direct standard
• Automatic Patient Education Resources
• Activity History
• Appointment Viewing
• Shared Files
• Automatic Logoff
• MU2 CERTIFICATION COMPLETED
Clinical Workflow Suite Integration
Consent Management
3rd Party Web Integration
4.0 Releases
Circle of Care
Messaging
EMR Lite Update
• Orion had already begun development work on the next version of EMR lite
– To include MU2 certification
• With the numerous EMR vendors available, Orion has decided to stop development on its EMR Lite product
• Orion will partner with the following EMR vendors
– Practice Fusion
– Greenway
– Athena Health
Product Roadmap
• Twelve Month Roadmap
– Open Healthcare Platform
   • APIs and tooling to enable 3rd parties to develop and deploy applications
– Predictive and retrospective analytics (Johns Hopkins grouper population health analysis, LACE readmission risk score, ACO reports, HEDIS reports)
– DSM v2 General Availability
– CCD/CCDA automation
– Patient Portal enhancements
– Care coordination enhancements
– Various core system enhancements
• Beyond Twelve Months
– Precise medicine enabled by “big data” ingestion (device data, genomics, proteomics) and access to real‐time clinical data
As of Feb 28, 2014 As of Mar 31, 2014 Variance
ASSETS
Current Assets
Bank Accounts
1000 Checking - Wells Fargo 174,901.10 145,156.78 (29,744.32)
1020 Wells Fargo - Market Rate Savings 25,004.24 25,005.30 1.06
1025 Wells Fargo - High Yield Savings 125,072.75 195,088.17 70,015.42
Total Bank Accounts 324,978.09 365,250.25 40,272.16
Accounts Receivable
1050 Accounts Receivable 350,365.00 311,357.00 (39,008.00)
Total Accounts Receivable 350,365.00 311,357.00 (39,008.00)
Other current assets
1100 Grant Receivable
1110 Grant receivable - ONC REC 196,479.58 244,927.47 48,447.89
Total 1100 Grant Receivable 196,479.58 244,927.47 48,447.89
1200 Deposit - Lease 16,454.31 16,454.31 -
Total Other current assets 212,933.91 261,381.80 48,447.89
Total Current Assets 888,277.00 937,989.05 49,712.05
TOTAL ASSETS 888,277.00 937,989.05 49,712.05
LIABILITIES AND EQUITY
Liabilities
Current Liabilities
Accounts Payable
2000 Accounts Payable 141,338.98 179,626.30 38,287.32
Total Accounts Payable 141,338.98 179,626.30 38,287.32
Credit Cards
2520 WFB - CC Madison (4258) 3,898.55 7,103.10 3,204.55
Total Credit Cards 3,898.55 7,103.10 3,204.55
Other Current Liabilities
2100 Accrued Leave 41,834.82 46,550.85 4,716.03
2105 Accrued payroll 58,675.89 58,675.89 -
2150 Payroll Tax Payable 1,715.81 2,569.57 853.76
2170 Medical Insurance Payable 3,702.21 3,702.21 -
2180 Dental Insurance Payable 202.67 171.17 (31.50)
2450 Due to SaaS Provider 83,333.33 83,333.33
Total Other Current Liabilities 106,131.40 195,003.02 88,871.62
Total Current Liabilities 251,368.93 381,732.42 130,363.49
Total Liabilities 251,368.93 381,732.42 130,363.49
Equity
3400 Retained Earnings 48,066.27 48,066.27 -
Net Income 588,841.80 508,190.36 (80,651.44)
Total Equity 636,908.07 556,256.63 (80,651.44)
TOTAL LIABILITIES AND EQUITY 888,277.00 937,989.05 49,712.05
Alaska eHealth Network
Statement of Financial Position
As of March 31, 2014
Jul 2013 Aug 2013 Sep 2013 Oct 2013 Nov 2013 Dec 2013 Jan 2014 Feb 2014 Mar 2014 Total Income
4025 Grant Revenue 239,183.48 234,754.53 203,145.86 152,912.72 124,395.72 159,833.64 106,716.34 197,899.19 126,657.98 1,545,499.46
4060 Participant Fees (HIE) 4,266.00 27.00 144.00 25.00 63,022.00 15,352.00 82,836.00
4060.1 Allocated Participant Fees - - - -
4200 Donations 10.00 500.00 323.12 833.12
4250 Misc.Income 185.26 1,307.24 (1,307.24) 185.26
4300 State Contract Rev 29,000.00 60,020.00 29,000.00 288,250.00 29,000.00 29,000.00 33,900.00 293,350.00 29,000.00 820,520.00
4411 Interest Earnings 8.62 34.46 11.68 11.68 10.55 16.48 93.47
Total Income 272,459.48 294,986.79 232,145.86 441,315.34 155,237.42 187,563.08 203,650.02 491,582.86 171,026.46 2,449,967.31
Expenses
4490 General Office 2,485.38 9,416.40 1,806.62 6,089.44 5,553.06 637.42 7,577.48 8,459.43 5,398.02 47,423.25
4600 Facilities 4,031.15 8,441.56 763.56 5,295.54 4,675.00 5,537.63 5,075.01 5,100.20 5,106.18 44,025.83
5050 Human Resources 29.95 2,850.00 2,879.95
5100 Payroll Expenses 68,328.56 64,717.52 66,452.31 65,977.22 66,775.66 62,645.38 63,520.96 63,790.76 69,320.39 591,528.76
5200 Professional Fees 192,698.90 212,317.82 157,414.25 101,734.91 81,839.74 63,315.89 70,134.89 123,749.53 79,367.20 1,082,573.13
5300 Tech Services - Ops. 525.56 2,193.66 1,891.16 1,354.16 3,306.66 829.16 349.20 192.30 1,464.46 12,106.32
5400 HIE Participant Exp. 11,725.00 11,725.00
5500 Travel 4,023.49 5,039.53 6,992.82 1,981.35 1,347.69 7,488.30 5,086.30 7,073.58 4,578.32 43,611.38
5510 Training/Staff Education 600.00 775.00 225.00 3,110.00 4,710.00
7400 Equipment/Furniture 22,657.00 (630.00) 22,027.00
Total Expenses 272,122.99 313,851.49 258,577.72 186,057.62 162,867.81 140,453.78 151,743.84 208,590.80 168,344.57 1,862,610.62
Net Operating Income 336.49 (18,864.70) (26,431.86) 255,257.72 (7,630.39) 47,109.30 51,906.18 282,992.06 2,681.89 587,356.69
Other Income
7590 HIE Acquisition Reimbursement 83,333.33 83,333.33 83,333.35 83,333.33 83,333.33 83,333.33 83,333.33 83,333.33 666,666.66
Total Other Income 83,333.33 83,333.33 83,333.35 83,333.33 83,333.33 83,333.33 83,333.33 83,333.33 - 666,666.66
Other Expenses
7600 AK HIE Service (SAAS) 83,333.33 83,333.35 82,638.83 82,638.83 82,638.83 82,638.83 82,638.83 82,638.83 83,333.33 745,832.99
Total Other Expenses 83,333.33 83,333.35 82,638.83 82,638.83 82,638.83 82,638.83 82,638.83 82,638.83 83,333.33 745,832.99
Net Other Income - (0.02) 694.52 694.50 694.50 694.50 694.50 694.50 (83,333.33) (79,166.33)
Net Income 336.49 (18,864.72) (25,737.34) 255,952.22 (6,935.89) 47,803.80 52,600.68 283,686.56 (80,651.44) 508,190.36
Alaska eHealth Network
Statement of Activities - All Classes Summary by Month
July 2013 - March 2014
Jul 2012 Aug 2012 Sep 2012 Oct 2012 Nov 2012 Dec 2012 Jan 2013 Feb 2013 Mar 2013 Apr 2013 May 2013 Jun 2013 Total Income
4025 Grant Revenue 66,067.05 72,664.64 69,923.98 82,317.68 60,733.25 76,945.17 65,249.08 104,756.02 104,107.12 72,625.32 77,996.36 95,115.39 948,501.06
4060 Participant Fees (HIE) (2,600.00) 32,301.25 29,701.25
4070 Vendor Services Revenue 750.00 750.00
Reimbursed (750.00) (750.00)
4200 Donations 805.00 11,218.50 3,185.00 6,499.47 21,707.97
4250 Misc.Income (375.00) 250.00 1,250.00 1,125.00
4300 State Contract Rev 25,250.00 20,000.00 87,750.00 30,000.00 28,000.00 20,000.00 20,000.00 20,000.00 20,000.00 20,000.00 20,000.00 74,070.00 385,070.00
4410 Workshop Income - REC 500.00 500.00
Total Income 89,897.05 103,383.14 161,358.98 151,118.40 88,733.25 98,195.17 85,249.08 124,756.02 124,107.12 92,625.32 97,996.36 169,185.39 1,386,605.28
Expenses
4490 General Office 1,662.03 5,839.81 1,747.75 2,039.96 5,607.75 742.05 2,033.92 6,741.97 4,744.93 5,789.71 5,514.20 5,481.84 47,945.92
4600 Facilities 3,154.00 3,604.47 3,714.55 4,037.85 3,749.58 4,877.84 3,640.30 3,736.84 3,846.14 3,760.24 3,869.21 3,892.26 45,883.28
4800 Workshops & Events 7,820.00 16,201.16 627.90 1,200.00 50.00 25,899.06
5010 Interest/Other Fees - -
5050 Human Resources 86.40 395.00 375.00 75.00 375.00 1,306.40
5070 Education/Scholarship 750.00 750.00
5100 Payroll Expenses 13,716.90 72,174.08 77,639.76 73,742.72 64,900.85 66,885.07 64,945.41 65,046.09 66,372.23 68,322.24 65,839.98 123,219.65 822,804.98
5200 Professional Fees 17,455.68 13,525.00 19,230.34 99,048.82 65,010.01 40,127.03 18,087.63 54,440.29 53,346.38 30,314.22 22,365.50 51,469.00 484,419.90
5300 Tech Services - Ops. 1,929.00 209.00 77.95 602.99 3,584.00 2,893.29 5,225.50 4,446.64 2,860.50 1,472.00 8,582.71 2,464.50 34,348.08
5500 Travel 3,048.89 1,322.87 5,596.16 3,403.07 2,292.75 8,360.83 3,159.23 1,623.63 3,138.45 5,429.59 5,165.08 10,270.14 52,810.69
5510 Training/Staff Education 975.00 405.00 1,380.00
Total Expenses 48,872.90 97,070.23 124,207.67 183,250.41 145,772.84 123,886.11 97,166.99 137,610.46 135,283.63 115,888.00 111,741.68 196,797.39 1,517,548.31
Net Operating Income 41,024.15 6,312.91 37,151.31 (32,132.01) (57,039.59) (25,690.94) (11,917.91) (12,854.44) (11,176.51) (23,262.68) (13,745.32) (27,612.00) (130,943.03)
Other Income
Reimbursement 891,436.00 892,500.00 36,897.34 1,820,833.34
7700 In-kind Revenue 3,546.44 3,722.54 5,126.16 3,642.02 4,836.34 3,298.07 2,845.46 2,448.65 3,108.46 3,688.07 5,757.89 1,621.73 43,641.83
Total Other Income 3,546.44 3,722.54 5,126.16 3,642.02 896,272.34 3,298.07 2,845.46 2,448.65 3,108.46 3,688.07 898,257.89 38,519.07 1,864,475.17
Other Expenses
7600 AK HIE Service (SAAS) (303,686.00) 892,436.00 83,333.33 83,333.33 475,833.33 286,897.33 1,518,147.32
Services 3,546.44 3,722.54 5,126.16 3,642.02 4,836.34 3,298.07 2,845.46 2,448.65 3,108.46 3,688.07 5,757.89 1,621.73 43,641.83
Total Other Expenses (300,139.56) 3,722.54 5,126.16 3,642.02 897,272.34 3,298.07 2,845.46 2,448.65 86,441.79 87,021.40 481,591.22 288,519.06 1,561,789.15
Net Other Income 303,686.00 - - - (1,000.00) - - - (83,333.33) (83,333.33) 416,666.67 (249,999.99) 302,686.02
Net Income 344,710.15 6,312.91 37,151.31 (32,132.01) (58,039.59) (25,690.94) (11,917.91) (12,854.44) (94,509.84) (106,596.01) 402,921.35 (277,611.99) 171,742.99
Alaska eHealth Network
Statement of Activities - All Classes Summary by Month
July 2012 - June 2013
REC - Core   REC - Direct   Total REC Restricted   2. OPR - HIE   3. OPR - Unallowable   TOTAL
Income
4025 Grant Revenue 338,557.51 1,206,941.95 1,545,499.46 1,545,499.46
4060 Participant Fees (HIE) - 82,836.00 82,836.00
4060.1 Allocated Participant Fees - (45,134.44) 45,134.44 -
4200 Donations - 510.00 323.12 833.12
4250 Misc.Income - 185.26 185.26
4300 State Contract Rev - 820,520.00 820,520.00
4411 Interest Earnings - 93.47 93.47
Total Income 338,557.51 1,206,941.95 1,545,499.46 859,010.29 45,457.56 2,449,967.31
Expenses
4490 General Office 35,653.72 650.00 36,303.72 10,099.47 1,020.06 47,423.25
4600 Facilities 34,173.32 34,173.32 9,852.51 44,025.83
5050 Human Resources 2,137.50 29.95 2,167.45 712.50 2,879.95
5100 Payroll Expenses 150,608.34 275,983.76 426,592.10 164,936.63 591,528.76
5200 Professional Fees 74,714.69 904,183.54 978,898.23 58,184.00 44,437.50 1,081,519.73
5300 Tech Services - Ops. 8,925.93 8,925.93 3,180.39 12,106.32
5400 HIE Participant Exp. - 11,725.00 11,725.00
5500 Travel 15,373.76 25,094.70 40,468.46 4,196.32 44,664.78
5510 Training/Staff Education 450.00 1,000.00 1,450.00 3,260.00 4,710.00
7400 Equipment/Furniture 16,520.25 16,520.25 5,506.75 22,027.00
Total Expenses 338,557.51 1,206,941.95 1,545,499.46 271,653.57 45,457.56 1,862,610.62
Net Operating Income - - - 587,356.72 - 587,356.69
Other Income
7590 HIE Acquisition Reimbursement - 666,666.66 666,666.66
Total Other Income - - - 666,666.66 - 666,666.66
Other Expenses
7600 AK HIE Service (SAAS) - 745,832.99 745,832.99
Total Other Expenses - - - 745,832.99 - 745,832.99
Net Other Income - - - (79,166.33) - (79,166.33)
Net Income - - - 508,190.39 - 508,190.36
Alaska eHealth Network
Statement of Activities - Summary by Class
July 2013 - March 2014
Columns: REC - Core; REC - Direct; Total REC Restricted; 2. OPR - HIE; 3. OPR - Unallowable; TOTAL
Income
4025 Grant Revenue - -
4026 Grant Revenue - Deposits 374,378.26 1,027,885.61 1,402,263.87 1,402,263.87
4027 Grant Receivable Adjustments (35,820.75) 179,056.34 143,235.59 143,235.59
Total 4025 Grant Revenue 338,557.51 1,206,941.95 1,545,499.46 - - 1,545,499.46
4060 Participant Fees (HIE) - 82,836.00 82,836.00
4060.1 Allocated Participant Fees - (45,134.44) 45,134.44 -
4200 Donations - 510.00 323.12 833.12
4250 Misc.Income - 185.26 185.26
4300 State Contract Rev - 820,520.00 820,520.00
4411 Interest Earnings - 93.47 93.47
Total Income 338,557.51 1,206,941.95 1,545,499.46 859,010.29 45,457.56 2,449,967.31
Expenses
4490 General Office - -
4102 Office Supplies 5,858.81 5,858.81 1,864.53 200.00 7,923.34
4105 Software and License 443.16 443.16 1,147.72 1,590.88
4110 Outreach & Marketing 18,961.17 650.00 19,611.17 2,822.15 22,433.32
4115 Bank Charges/Fees 8.71 8.71 70.46 47.74 126.91
4450 Printing/Copies/Photos 1,920.31 1,920.31 640.12 2,560.43
4461 Freight 8.55 8.55 8.55
4462 Postage 1,709.03 1,709.03 797.88 2,506.91
4470 Taxes/Licenses/Fees 30.00 30.00 10.00 40.00
4500 Insurance - G/L 4,310.98 4,310.98 1,437.00 5,747.98
4505 Insurance - WC 2,403.00 2,403.00 801.00 3,204.00
4700 Food Other - 508.61 772.32 1,280.93
Total 4490 General Office 35,653.72 650.00 36,303.72 10,099.47 1,020.06 47,423.25
4600 Facilities - -
4620 Facilities Rent/Lease 30,336.08 30,336.08 8,573.37 38,909.45
4680 Utilities 184.48 184.48 61.50 245.98
4682 Telephone/Internet 3,652.76 3,652.76 1,217.64 4,870.40
Total 4600 Facilities 34,173.32 - 34,173.32 9,852.51 - 44,025.83
5050 Human Resources 2,137.50 29.95 2,167.45 712.50 2,879.95
5100 Payroll Expenses - -
5110 Technical Staff (27,659.76) 223,191.33 195,531.57 58,276.56 253,808.13
5120 Administrative Staff 137,883.70 24,991.82 162,875.52 68,959.49 231,835.01
5170 Benefits 179.28 215.60 394.88 386.52 781.40
5170.1 Retirement - Co. Contrib. (2,561.03) 1,545.79 (1,015.24) 1,477.79 462.55
5170.2 Health Insurance 17,968.92 3,090.04 21,058.96 19,325.44 40,384.40
5170.3 Paid Leave 7,581.61 7,581.61 6,930.16 14,511.77
5170.4 Self Pay Vision 440.00 440.00 180.00 620.00
Company Contributions - Retirement 8,783.28 2,475.00 11,258.28 11,258.28
Total 5170 Benefits 32,392.06 7,326.43 39,718.49 28,299.91 - 68,018.40
5180 Payroll Taxes 7,992.34 20,474.18 28,466.52 9,400.67 37,867.22
Total 5100 Payroll Expenses 150,608.34 275,983.76 426,592.10 164,936.63 - 591,528.76
Alaska eHealth Network
Statement of Activities - Detail by Class
July 2013 - March 2014
5200 Professional Fees - - -
5210 Legal 3,881.39 3,881.39 17,604.11 21,485.50
5215 Accounting & Auditing 40,950.82 40,950.82 13,650.31 54,601.13
5220 Project Management - 14,750.00 14,750.00
5225 Project Communications 6,148.67 6,148.67 2,667.08 8,815.75
5235 Other Consulting Services 5,000.00 5,000.00 862.50 44,437.50 50,300.00
5240 HIT/EHR Consulting Services 6,858.81 899,183.54 906,042.35 906,042.35
5245 Privacy & Security 16,875.00 16,875.00 6,075.00 22,950.00
5250 Contract Emp Services - 2,575.00 2,575.00
Total 5200 Professional Fees 74,714.69 904,183.54 978,898.23 58,184.00 44,437.50 1,081,519.73
5300 Tech Services - Ops. - -
5310 Desktop Support 5,843.99 5,843.99 1,948.01 7,792.00
5320 Online Hosting Fees 2,241.94 2,241.94 952.38 3,194.32
5360 Website Design & Maintenance 840.00 840.00 280.00 1,120.00
Total 5300 Tech Services - Ops. 8,925.93 - 8,925.93 3,180.39 - 12,106.32
5400 HIE Participant Exp. - -
5410 Participant Training - 11,725.00 11,725.00
Total 5400 HIE Participant Exp. - - - 11,725.00 - 11,725.00
5500 Travel - -
5520 Trans/Lodging/Other 13,182.26 19,154.46 32,336.72 2,982.32 35,319.04
5525 Per Diem 1,896.50 4,947.00 6,843.50 1,214.00 8,057.50
5527 Misc Travel Expense 993.24 993.24 993.24
5528 Conference Registration 295.00 295.00 295.00
Total 5500 Travel 15,373.76 25,094.70 40,468.46 4,196.32 - 44,664.78
5510 Training/Staff Education 450.00 1,000.00 1,450.00 3,260.00 4,710.00
7400 Equipment/Furniture - -
7420 Equip/Furn < $5K 16,520.25 16,520.25 5,506.75 22,027.00
Total 7400 Equipment/Furniture 16,520.25 - 16,520.25 5,506.75 - 22,027.00
Total Expenses 338,557.51 1,206,941.95 1,545,499.46 271,653.57 45,457.56 1,862,610.62
Net Operating Income - - - 587,356.72 - 587,356.69
Other Income
7590 HIE Acquisition Reimbursement - 666,666.66 666,666.66
Total Other Income - - - 666,666.66 - 666,666.66
Other Expenses
7600 AK HIE Service (SAAS) - 745,832.99 745,832.99
Total Other Expenses - - - 745,832.99 - 745,832.99
Net Other Income - - - (79,166.33) - (79,166.33)
Net Income - - - 508,190.39 - 508,190.36
Actual Budget Variance
Income
4060 Participant Fees (HIE) 82,836.00 165,600.00 (82,764.00)
4060.1 Allocated Participant Fees - -
4065 Participant Fees (DSM) 6,750.00 (6,750.00)
4200 Donations 833.12 41,616.00 (40,782.88)
4250 Misc.Income 185.26 185.26
4300 State Contract Rev 820,520.00 761,000.00 59,520.00
4411 Interest Earnings 93.47 93.47
Total Income 904,467.85 974,966.00 (70,498.15)
Expenses
4490 General Office -
4102 Office Supplies 2,064.53 5,400.00 (3,335.47)
4105 Software and License 1,147.72 1,147.72
4110 Outreach & Marketing 2,822.15 10,800.00 (7,977.85)
4115 Bank Charges/Fees 118.20 118.20
4420 Dues/Subscription 900.00 (900.00)
4450 Printing/Copies/Photos 640.12 1,800.00 (1,159.88)
4462 Postage 797.88 900.00 (102.12)
4470 Taxes/Licenses/Fees 10.00 10.00
4500 Insurance - G/L 1,437.00 378.00 1,059.00
4505 Insurance - WC 801.00 936.00 (135.00)
4700 Food Other 1,280.93 9,000.00 (7,719.07)
Total 4490 General Office 11,119.53 30,114.00 (18,994.47)
4600 Facilities -
4620 Facilities Rent/Lease 8,573.37 13,950.00 (5,376.63)
4680 Utilities 61.50 1,080.00 (1,018.50)
4682 Telephone/Internet 1,217.64 1,350.00 (132.36)
Total 4600 Facilities 9,852.51 16,380.00 (6,527.49)
5050 Human Resources 712.50 712.50
5100 Payroll Expenses -
5110 Technical Staff 58,276.56 84,600.00 (26,323.44)
5120 Administrative Staff 68,959.49 85,500.00 (16,540.51)
5170 Benefits 386.52 66,060.00 (65,673.48)
5170.1 Retirement - Co. Contrib. 1,477.79 1,477.79
5170.2 Health Insurance 19,325.44 19,325.44
5170.3 Paid Leave 6,930.16 6,930.16
5170.4 Self Pay Vision 180.00 180.00
Total 5170 Benefits 28,299.91 66,060.00 (37,760.09)
5180 Payroll Taxes 9,400.67 2,376.00 7,024.67
Total 5100 Payroll Expenses 164,936.63 238,536.00 (73,599.37)
5200 Professional Fees -
5210 Legal 17,604.11 22,500.00 (4,895.89)
5215 Accounting & Auditing 13,650.31 11,250.00 2,400.31
5220 Project Management 14,750.00 13,500.00 1,250.00
5225 Project Communications 2,667.08 2,667.08
5235 Other Consulting Services 45,300.00 13,500.00 31,800.00
5245 Privacy & Security 6,075.00 6,075.00
5250 Contract Emp Services 2,575.00 2,575.00
Total 5200 Professional Fees 102,621.50 60,750.00 41,871.50
Alaska eHealth Network
OPR - HIE plus Unallowable - Budget vs. Actual
July 2013 - March 2014
5300 Tech Services - Ops. -
5310 Desktop Support 1,948.01 9,000.00 (7,051.99)
5320 Online Hosting Fees 952.38 2,250.00 (1,297.62)
5360 Website Design & Maintenance 280.00 280.00
Total 5300 Tech Services - Ops. 3,180.39 11,250.00 (8,069.61)
5400 HIE Participant Exp. -
5410 Participant Training 11,725.00 11,725.00
Total 5400 HIE Participant Exp. 11,725.00 - 11,725.00
5500 Travel -
5520 Trans/Lodging/Other 2,982.32 17,000.00 (14,017.68)
5525 Per Diem 1,214.00 4,250.00 (3,036.00)
5527 Misc Travel Expense 900.00 (900.00)
Total 5500 Travel 4,196.32 22,150.00 (17,953.68)
5510 Training/Staff Education 3,260.00 3,260.00
7400 Equipment/Furniture -
7420 Equip/Furn < $5K 5,506.75 5,506.75
Total 7400 Equipment/Furniture 5,506.75 - 5,506.75
Total Expenses 317,111.13 379,180.00 (62,068.87)
Net Operating Income 587,356.72 595,786.00 (8,429.28)
Other Income
7590 HIE Acquisition Reimbursement 666,666.66 666,666.66
Total Other Income 666,666.66 - 666,666.66
Other Expenses
7600 AK HIE Service (SAAS) 745,832.99 749,997.00 (4,164.01)
Total Other Expenses 745,832.99 749,997.00 (4,164.01)
Net Other Income (79,166.33) (749,997.00) 670,830.67
Net Income 508,190.39 (154,211.00) 662,401.39
Actual Budget Variance
Income
4025 Grant Revenue 533,871.00 (533,871.00)
4026 Grant Revenue - Deposits 374,378.26 374,378.26
4027 Grant Receivable Adjustments (35,820.75) (35,820.75)
Total 4025 Grant Revenue 338,557.51 533,871.00 (195,313.49)
Total Income 338,557.51 533,871.00 (195,313.49)
Expenses
4490 General Office -
4102 Office Supplies 5,858.81 19,503.00 (13,644.19)
4105 Software and License 443.16 443.16
4110 Outreach & Marketing 18,961.17 14,625.00 4,336.17
4115 Bank Charges/Fees 8.71 8.71
4450 Printing/Copies/Photos 1,920.31 9,747.00 (7,826.69)
4461 Freight 8.55 8.55
4462 Postage 1,709.03 2,439.00 (729.97)
4470 Taxes/Licenses/Fees 30.00 30.00
4500 Insurance - G/L 4,310.98 1,125.00 3,185.98
4505 Insurance - WC 2,403.00 2,835.00 (432.00)
Total 4490 General Office 35,653.72 50,274.00 (14,620.28)
4600 Facilities -
4620 Facilities Rent/Lease 30,336.08 25,650.00 4,686.08
4680 Utilities 184.48 3,060.00 (2,875.52)
4682 Telephone/Internet 3,652.76 2,025.00 1,627.76
Total 4600 Facilities 34,173.32 30,735.00 3,438.32
4800 Workshops & Events 2,394.00 (2,394.00)
5050 Human Resources 2,137.50 2,137.50
5100 Payroll Expenses -
5110 Technical Staff (27,659.76) (27,659.76)
5120 Administrative Staff 137,883.70 184,221.00 (46,337.30)
5170 Benefits 179.28 69,633.00 (69,453.72)
5170.1 Retirement - Co. Contrib. (2,561.03) (2,561.03)
5170.2 Health Insurance 17,968.92 17,968.92
5170.3 Paid Leave 7,581.61 7,581.61
5170.4 Self Pay Vision 440.00 440.00
Company Contributions - Retirement 8,783.28 8,783.28
Total 5170 Benefits 32,392.06 69,633.00 (37,240.94)
5180 Payroll Taxes 7,992.34 7,992.34
Total 5100 Payroll Expenses 150,608.34 253,854.00 (103,245.66)
5200 Professional Fees 1,053.40 1,053.40
5210 Legal 3,881.39 3,881.39
5215 Accounting & Auditing 40,950.82 17,550.00 23,400.82
5225 Project Communications 6,148.67 6,148.67
5235 Other Consulting Services 107,478.00 (107,478.00)
5240 HIT/EHR Consulting Services 6,858.81 9,747.00 (2,888.19)
5245 Privacy & Security 16,875.00 16,875.00
Total 5200 Professional Fees 75,768.09 134,775.00 (59,006.91)
5300 Tech Services - Ops. -
5310 Desktop Support 5,843.99 18,000.00 (12,156.01)
5320 Online Hosting Fees 2,241.94 6,750.00 (4,508.06)
Alaska eHealth Network
REC Core Budget vs. Actual
July 2013 - March 2014
5360 Website Design & Maintenance 840.00 2,439.00 (1,599.00)
Total 5300 Tech Services - Ops. 8,925.93 27,189.00 (18,263.07)
5500 Travel -
5520 Trans/Lodging/Other 12,128.86 18,000.00 (5,871.14)
5525 Per Diem 1,896.50 4,500.00 (2,603.50)
5527 Misc Travel Expense 900.00 (900.00)
5528 Conference Registration 295.00 295.00
Total 5500 Travel 14,320.36 23,400.00 (9,079.64)
5510 Training/Staff Education 450.00 11,250.00 (10,800.00)
7400 Equipment/Furniture -
7420 Equip/Furn < $5K 16,520.25 16,520.25
Total 7400 Equipment/Furniture 16,520.25 - 16,520.25
Total Expenses 338,557.51 533,871.00 (195,313.49)
Net Operating Income - - -
Other Income
7700 In-kind Revenue - -
Total Other Income - - -
Other Expenses
7710 In-kind Expense - Donated Services - -
Total Other Expenses - - -
Net Other Income - - -
Net Income - - -
Actual Budget Variance
Income
4025 Grant Revenue 1,188,513.00 (1,188,513.00)
4026 Grant Revenue - Deposits 1,027,885.61 1,027,885.61
4027 Grant Receivable Adjustments 179,056.34 179,056.34
Total 4025 Grant Revenue 1,206,941.95 1,188,513.00 18,428.95
Total Income 1,206,941.95 1,188,513.00 18,428.95
Expenses
4490 General Office -
4102 Office Supplies 1,125.00 (1,125.00)
4110 Outreach & Marketing 650.00 76,500.00 (75,850.00)
4450 Printing/Copies/Photos 900.00 (900.00)
4462 Postage 2,700.00 (2,700.00)
Total 4490 General Office 650.00 81,225.00 (80,575.00)
5050 Human Resources 29.95 4,500.00 (4,470.05)
5100 Payroll Expenses -
5110 Technical Staff 223,191.33 232,038.00 (8,846.67)
5120 Administrative Staff 24,991.82 24,991.82
5170 Benefits 215.60 93,744.00 (93,528.40)
5170.1 Retirement - Co. Contrib. 1,545.79 1,545.79
5170.2 Health Insurance 3,090.04 3,090.04
Company Contributions - Retirement 2,475.00 2,475.00
Total 5170 Benefits 7,326.43 93,744.00 (86,417.57)
5180 Payroll Taxes 20,474.18 20,474.18
Total 5100 Payroll Expenses 275,983.76 325,782.00 (49,798.24)
5200 Professional Fees -
5235 Other Consulting Services 5,000.00 5,000.00
5240 HIT/EHR Consulting Services 899,183.54 697,500.00 201,683.54
Total 5200 Professional Fees 904,183.54 697,500.00 206,683.54
5300 Tech Services - Ops. -
5360 Website Design & Maintenance 2,250.00 (2,250.00)
Total 5300 Tech Services - Ops. - 2,250.00 (2,250.00)
5500 Travel -
5520 Trans/Lodging/Other 19,154.46 54,000.00 (34,845.54)
5525 Per Diem 4,947.00 5,400.00 (453.00)
5527 Misc Travel Expense 993.24 993.24
Total 5500 Travel 25,094.70 59,400.00 (34,305.30)
5510 Training/Staff Education 1,000.00 17,856.00 (16,856.00)
Total Expenses 1,206,941.95 1,188,513.00 18,428.95
Net Operating Income - - -
Net Income - - -
Alaska eHealth Network
REC Direct Budget vs. Actual
July 2013 - March 2014
Alaska eHealth Network Dashboard as of 3/31/2014
Financial:
Objective: Balanced budget with consistent monthly income that supports HIE for all Alaskans; measurement is positive income and expenses within budget
Notes: Revenue stable, AeHN services expanding
[Charts: AeHN Income; HIE Operations Expense; REC Expense. Each is plotted by month (Jul through Jun) for FY12, FY13 and FY14.]
04/15/2014 Page 1 of 3
Direct Secure Messaging:
Objective: Increase Meaningful Use of EHRs through exchange of data via DSM; measurement is number of providers implementing and number of providers using.
Notes: Over 20,000 messages sent monthly; DSM continues to grow
Health Information Exchange:
Objective: Increase Meaningful Use of EHRs through increased HIE use; measurement is number of users by facility and community
Notes: 8 hospitals signed; 11 hospitals reviewing contracts; over 400 individual users
Help Desk:
Objective: Timely resolution of help desk issues; measurement is volume/type of calls and time to resolution
Notes: System down time = 0.000%
[Charts: DSM Users by Month, Apr 2014 (n=4,650), series FY12, FY13, FY14; Active DSM Users (n=1,708) by category Hosp, Amb, SOA, Other, Mar-14; Hospitals and Providers by quarter, Qtr 4 '13 through Qtr 3 '14; Help Desk Calls (n=295), categories LOGIN ISSUES ERROR TRAINING OTHER, Mar-14 and Apr-14.]
Regional Extension Center:
Objective: Meet REC grant goals by 4/2014; measurement is M1 (contract) % of goal and rank, M2 (certified EHR implemented) % of goal and rank, M3 (MU stage 1) % goal and rank
Notes: Goals for M1 and M2 have been met. M3 target must be met by October if provider is to reach M3 by April 2015.
Update as of 9/16/2013
Grant Milestones; Percent of Goal (n=538) Mar ‘14, Apr ‘14; % Change Since Last Month; Overall National Rank (n=62) Mar ‘14, Apr ‘14; Overall Increase
M1 – Contract 124% 126% 2.0% 20 18 +2
M2 – EHR Go-Live 107% 109% 2.0% 32 25 +7
M3 – MU Stage 1 61% 65% 5.0% 55 56 -1
State of Alaska Contract:
Objective: Meet SOA deliverables on time; measurement is deliverables, time and revenues
Notes: Continue to address deliverables. Amendment #3 is fully completed and invoiced.
Contract Amendment Status Note
#3 (n=44)
Completed 41 $34,090 All deliverables submitted, reworking
Future
#4 (n=19)
Completed 14 $971,435 High priority items remaining are Lab Pilot, MDN, and DSM Upgrades.
Late 3 $115,000
Future 2 $50,000
#5 (n=37)
Completed 8 $1,963,750 High priority items are ELR, VacTrAK, BioSense and DSM v2 implementation.
Late
Future 29 $1,474,252
#6 (n=5)
Completed 5 $39,000
Late
Future
Privacy and Security:
Objective: Ensure patient confidentiality
Total Opt-Outs: 31 (24 Fairbanks, 7 Anchorage)
Event Reported Resolved Time to Resolution
Privacy Complaints 0 NA NA
Security Issues in Audit 5 5 Corrected
Event Attempted Successful Resolution
Breach Attempts 0 NA
AeHN Executive Director Report
Apr 16, 2014 to May 21, 2014
1) HIE:
  a) Continue to meet weekly with State HIT Coordinator to review issues related to the AeHN/SOA contract; Amendment 3 is completed and billed; Amendment 4 and 5 dates under revision
  b) State Reportables:
    i) ELRs (electronic lab reporting - hospitals) – first successful test achieved, in queue – Providence, ANMC, FMH and SPH
    ii) BioSense (syndromic surveillance - hospitals) – first successful test achieved, in queue – Providence, ANMC, FMH and SPH
    iii) VacTrAK (immunizations – hospitals and eligible providers) – two successful tests, in queue – LaTouche, Providence, ANMC, FMH, SPH, CPGH, and other ambulatory entities
  c) EHR Lite – looking for alternatives, Orion now supports three products: Practice Fusion, Greenway and Athena Health
  d) Patient Portal – implementation to be completed by end of May, testing will begin with a few pilot sites
  e) 8 hospitals signed, 11 hospitals reviewing contract, onboarding started with South Peninsula Hospital, Wrangell, Petersburg, Providence (includes 4 hospitals), Mt Edgecombe, Central Peninsula General Hospital and Alaska Native Medical Center (includes KANA and SCF)
2) Privacy and Security/Risk Assessment
  a) Risk Assessment – Penetration tests showed no vulnerabilities
  b) Futaris contract – completed AeHN and LaTouche audits; Futaris will report on findings and next phase of HiTrust certification at the next board meeting
3) Resources
  a) No current cash flow issues and adequate staffing
  b) REC grant ends in April 2015, balanced budget will require increased revenues through additional HIE contracts and fees for other provider services
4) Direct Secure Messages
  a) Over 4,600 active mailboxes; key usage includes State of Alaska/provider PHI transfers and C-CDA transfers for referrals
  b) NATE and VA certificates implemented; cleanup of old accounts in process
  c) Working with Orion Health to beta test and implement DSM v2; migration plan from v1 to v2
5) Lab Pilots
  a) State Lab – one final issue to address before closure (MDN), waiting for Orion Health
6) Policies and Procedures
  a) On-going work to review and implement procedures for AeHN operations
  b) PSC Workgroup has moved to quarterly meetings
7) Financial:
  a) State Deliverables - $3,261,276 of $4,608,528
  b) Developing fee for service and other revenue streams
  c) Completed required monthly grant and contractor reports
8) Meetings
  a) Weekly SOA meeting with HIT Coordinator, weekly with PH
  b) Weekly onboarding meeting with: 19 onboarding clients
  c) Biweekly ONC Grantee meetings
  d) Weekly Orion for status on UAT testing, system upgrades, and DSM concerns
WORKGROUP UPDATES
Clinical and Informatics – No updates since last board meeting.
Privacy, Security, and Compliance - No updates since last board meeting.
Alaska HIT Monthly Status Report
Reporting Period: Week of May 12th
State HIT Coordinator: Paul Cartland
Deliverable Summary: Current (for regular AeHN deliverables)
Approved (all approved deliverables have been removed from the tracking table below): 56 of 89
Late: 32 of 33
Legend Conditionally Approved Rejected or Late
Schedule
Deliverable has been conditionally approved: may just need to make adjustments or changes and provide an updated deliverable to State that addresses comments
Deliverable has been rejected: revised submission of deliverable is needed or the deliverable is late for submission
Regular AeHN/DHSS Contract Deliverables Contract Amendment #
Deliverable #
Deliverable Name Status Contract Due Date
State Deliverable Review Status
Conditionally Approved/ Rejected Updates Due Date
Needs AeHN Board Approval
Comments
3 3 Copies of Applications for Funding Opportunities
Within 5 business days of submission
• As of 2/18/2013 IT Planning office has not received any copies of applications for funding opportunities
4 3 Message Delivery Notification (MDN)
10/31/2012 Late • Never received DTF for deliverable, MDN that has been implemented is not what was requested by State
4 5 Lab Pilot Wrap Up
12/31/2012 Late • Lab Pilot has not completed
4 7A Statewide HIE Survey: finalized survey script
11/30/2012 Late • If deliverable was completed DTF was never submitted for approval by DHSS
4 7B Statewide HIE Survey: delivery of survey results from interviews with a minimum of 500 provider organizations and all in state hospitals
1/31/2013 Late • If deliverable was completed DTF was never submitted for approval by DHSS
Alaska HIT Project Monthly Status Report – Week of May12, 2014 1 - of - 17
5 1 Master Provider Index: HIE interface design, develop and implement an interface between the DHSS MPI and the HIE
12/31/2013 Late
5 2B Pass through to Orion Health: payable upon a valid invoice from Orion
9/30/2013 Late
5 3 DSM Version 2 (2013 Version)
6/30/2013 Late
5 5A Populate CDR via DSM: implement capability to capture data from DSM CCD attachments
6/30/2013 Late
5 5B Populate CDR via DSM: Orion Health develop capability to capture data from CCD attachments routed via DSM
6/30/2013 Late
5 5C Populate CDR via DSM: $15,000 per EHR for up to 10 EHRs
6/30/2013 Late
5 5D Populate CDR via DSM: AeHN create data validation and quality compliance to ensure data is correctly captured and incorporated into CCDs
9/30/2013 Late
5 6A Medicaid Claims Data into CDR: Create Data Mapping from MMIS DW to Orion CDR
12/31/2013 Late
5 6B Medicaid Claims data into CDR: create a one-time historical data load from MMIS DW to populate CDR
12/31/2013
Late
5 6C HIE Enterprise MPI (EMPI will be loaded with Medicaid patient demographics, patient and any cross-reference identifiers
3/31/2014 Late
5 6D As new AK MMIS becomes operational the HIE will be able to receive regular claims feeds from Medicaid environment
3/31/2014 Late
5 7B Biosense Connectivity: Coordinate hospital on-boarding schedule
8/30/2013 Late
5 8A Blue Button: Develop Blue Button import/export functionality in HIE
11/30/2013 Late
5 8B Blue Button: Integrate MyAlaska patient authentication into the HIE for Blue Button download and PHR access
2/28/2014 Late
5 8C Blue Button: Synchronize the HIE EMPI with DHSS’s MCI
2/28/2014 Late
5 8D Blue Button: Integrate with AeHN patient communication plan
3/31/2014 Late
5 9 Orion Health disease management module: Supporting obesity, diabetes care and cardiovascular disease
3/31/2014 Late
5 10A HIE Acceptance survey of public awareness: pre-roll out survey results statewide
8/1/2013 Late
5 10B HIE Acceptance survey of public awareness: post-roll out survey results statewide
2/1/2014 Late
5 11A Privacy & Security: security certification
8/1/2013 Late
5 11B Privacy & security: HIE certification
2/1/2014 Late
5 12 Consent management: update clinical portal to allow 3 options for consumers (opt-in, opt-out, opt-out partial)
6/30/2013 Late
5 13B Orion Health maintenance contract
3/29/2014 Late • One half (½) of payment was approved 10/8/2013
5 14A Business Intelligence: Purchase license and install system
1/31/2014 Late
5 14B Business Intelligence: Test and implement
2/28/2014 Late
5 14C Business Intelligence: Develop and implement 2 analytic reports
3/31/2014 Late
6 1 Assessment of AeHN & DPH infrastructure for current HIT/Data exchange landscape as it relates to Public Health
9/30/2013 Late
6 3 Summarized Document
11/30/2013 Late
Re-Occurring AeHN/DHSS Contract Deliverables Contract Amendment #
Deliverable #
Deliverable Name
Status Contract Amendment Due Date
State Deliverable Review Status
Conditionally Approved / Updates / Due Date
Needs AeHN Board Approval
Comments
3 R-1 Annual Budget Update
Due in May each year
• Initial budget was approved 5/31/2013
3 R-2 Quarterly Budget
Quarterly within 15 calendar days of the end of each quarter
• In March 2014 it was determined that the financial updates provided at each AeHN Board meeting would be considered the quarterly budget update deliverable
• Have not received any quarterly budgets since the original budget was approved in May 2013
• Initial budget was approved 5/31/2013, quarterly budgets can begin September 2013
3, 5, 6 R-3, R-8 Weekly Status Report including transactions by provider type for Direct service
Weekly on Mondays
• AeHN continues to work with DHSS to submit and revise weekly status reports as necessary
• DHSS continues to receive weekly status reports
• DHSS IT Planning office requested that weekly status report contain HIE on-boarding information/matrix
• AeHN weekly reports have been received by DHSS inconsistently, not usually received weekly. DHSS reminded AeHN of the weekly status report
• Continue to receive weekly status report
• Received a combined report on 1/21/2013 for the weeks ending 1/11 and 1/18. Status report does not include DSM metrics.
• Did not receive weekly status report for week of 12/24/2012. Status report does not include DSM metrics needed for ONC reporting.
• Received weekly status report for week of 12/10/2012. Status report does NOT include DSM metrics needed for ONC reporting.
• Weekly status report has not been received from AeHN since early August.
• Weekly status report for week of Aug 1-8 was received on Monday 8/6/2012
• Weekly status report for week ending 7/20/2012 was received on 7/23/2012 however the only updates in the report were the DSM metrics.
• Weekly status report for week ending 7/13/2012 was received late on 7/17/2012. Comments were sent back to AeHN regarding this status report on 7/20/2012.
• Weekly status report for week ending 7/6/2012 was received late on 7/11/2012; status reports are due on Mondays. Additionally status report was not complete.
• Weekly status report for week ending June 29 was not received. Email was sent to AeHN on 7/5/2012 requesting status of weekly status report, no response received from AeHN.
3 R-4 DSM Directory for Alaska's Master Provider Directory
Weekly • IT Planning office has not received weekly DSM directory since May 2013.
• Continue to receive weekly spreadsheets of DSM Directory
• Received an Excel spreadsheet with DSM directory on 1/21/2013.
• Format needed to be electronically submitted to Alaska's Master Provider Index is still being determined
3 R-5 Workgroup Schedule and roster Updates
Weekly • DHSS received updated workgroup rosters in March 2014
• 10/1/2013 – Have not received any updates
3 R-6 Workgroup Reports to Contractor Board of Directors
Monthly • DHSS continues to not receive any updates
• 10/1/2013 – Have not received any updates
3 R-7 Project Plan Updates
Weekly • DHSS continues to not receive any updates
• 10/1/2013 – Have not received any updates
Critical Active Issues Summary - Current Reporting Period and Unresolved from Prior Reporting Period(s)
ID Date Project Title Description Discussion Comments Status Trend Resolution
20 11/2/2011 HIE Governance AeHN Corrective Action Plan (CAP)
The DHSS Commissioner has requested AeHN develop a CAP to address the findings of the HIE Assessment performed by Cognosante
CAP is due to State by 12/2/2011
• 5/14/14: deliverable status has not changed since April report
• 4/8/2014 - currently there are 32 deliverables that are late.
• 3/10/2014 - currently there are 26 late deliverables. DHSS has approved several deliverables for payment without receiving DTFs.
• 1/6/2014 - currently there are 30 late deliverables from contract amendments 1 - 6. There are 46 approved deliverables. There are 13 deliverables not yet submitted by AeHN.
• 10/1/2013 - Currently there are 25 late deliverables from contract amendments #3 - #5. There are 45 approved deliverables from contract amendments #3 - #5. There are 15 deliverables which have not yet been submitted and are due at a future date from contract amendments #3 - #5. There are 5 re-occurring deliverables that are considered late or the IT Planning office has never received.
• 8/20/2013 - Contract amendment #6 was signed
• 8/19/2013 - Contract amendment #6 has been sent to AeHN for signatures
• 5/24/2013 - Contract amendment #5 has been signed by State & AeHN
• 4/29/2013 - State and AeHN are still discussing contract amendment
• 4/15/2013 - State and AeHN have agreed to a new contract amendment following the contract re-negotiations between AeHN and Orion Health. Contract Amendment with State and AeHN will include HIE Phase 2 activities and should be completed and signed shortly.
• 2/19/2013 - continue to receive weekly status reports and now DSM Provider Directory reports on a weekly basis. Currently there are 24 late deliverables (4 of these had been conditionally approved but have long since past their resubmission due dates).
• 1/22/2013 - now receive weekly status report on a more regular basis but other deliverables have not been submitted. Currently there are 20 late deliverables and 4 Conditionally Approved deliverables that have not been re-submitted within 10 business days of the DTF being returned to AeHN.
• 12/13/2012 - improving trends in deliverables from
Active No Change
Alaska HIT Project Monthly Status Report – Week of May12, 2014 9 - of - 17
35
ID Date Project Title Description Discussion Comments Status Trend Resolution AeHN; HIT office is working closely with AeHN to ensure deliverables are satisfactory; there are still 17 late deliverables, 4 that have been withdrawn by AeHN for re-submission, 1 conditionally approved, and 5 not yet submitted.
• 9/26/2012 - improving trend in deliverables from AeHN, 5 deliverables have been approved, 3 are conditionally approved and 1 has been rejected. AeHN Executive Director has provided an updated timeline for when deliverables will be sent to DHSS
• 8/29/2012 - most contract amendment deliverables have either been rejected or have been conditionally approved without updated submissions sent to HIT Program Office. Paul Cartland is working with AeHN's new Executive Director, Rebecca Madison to determine priority of deliverables and updated submission dates.
• 8/7/2012 - 12 deliverables have been rejected without a 2nd updated deliverable having been submitted, 2 deliverables have been rejected and 2nd versions are due later in August, 7 deliverables have been conditionally approved but State has not received any updated documents addressing State's comments (1 of these is not due back to State until next week), 21 deliverables are late, 1 deliverable is in review with State, 2 deliverables are due at either future dates or due dates were not identified in contract amendment
• 7/30/2012 - 12 deliverables have been rejected without a 2nd updated deliverable having been submitted, 1 deliverable was rejected but a 2nd updated deliverable has been submitted, 7 deliverables have been conditionally approved with no updated documents provider to address State comments, 19 deliverables are considered late, 3 deliverables are in review with State, 5 deliverables are due at either future dates or due dates were not identified in contract amendment
• 6/29/2012- Two of the three deliverables required under contract amendment 3 were rejected and the other was conditionally approved. Fifteen deliverables are being reviewed. An additional eight are past due for delivery.
• 5/30/2012- AeHN continues to submit weekly reports. There are concerns with sustainability plans and privacy/security standards.
• 5/2/2012 - AeHN is submitting weekly status reports and is participating in a weekly meeting with HIT
Alaska HIT Project Monthly Status Report – Week of May12, 2014 10 - of - 17
36
ID Date Project Title Description Discussion Comments Status Trend Resolution Program office to discuss the status report, updates and any issues or concerns
• 1/30/2012 - State has not approved AeHN's CAP, State and AeHN continue to work together along with Deloitte technical assistance to reach a point with AeHN's CAP that it can be approved
• 12/21/2011 - State requested that AeHN staff meet with State and Cognosante to develop action items from the CAP review.
• 12/2/2011 - State received AeHN's CAP and will review.

ID: 46
Date: 1/22/2013
Project: HIE Governance
Title: PMP on AeHN staff
Description: AeHN does not currently have a PMP certified staff person.
Discussion: AeHN does not currently have a PMP certified staff person. This is a requirement in the contract between DHSS and AeHN.
Status: Active
Trend: No Change
Comments:
• 4/8/2014 - Anticipated AeHN staff member will be PMP certified by October 2014
• 10/1/2013 - No known change from April comment
• 4/15/2013 - no update provided by AeHN
• 1/22/2013 - IT Planning office is unsure what AeHN is doing about hiring a PMP certified staff person.

ID: 47
Date: 1/22/2013
Project: HIE Governance
Title: Privacy & Security Officer on AeHN staff
Description: AeHN has not been able to hire a privacy and security officer for their staff.
Discussion: DHSS is concerned because AeHN has not been able to hire a Privacy & Security officer for their staff. This is a critical area of concern for the HIE and is needed before moving to a production status.
Status: Active
Trend: No Change
Comments:
• 10/1/2013 - No known change from June comment
• 6/10/2013 - AeHN Executive Director is acting as the Privacy & Security office at this time
• 4/15/2013 - no update provided by AeHN
• 1/22/2013 - AeHN has posted a combined Privacy & Security Office and Data Quality position. The IT Planning office is concerned that AeHN will not be able to find a person with these two skill sets; both are areas of concern and really need two separate individuals employed.

ID: 49
Date: 4/29/2013
Project: HIE Governance
Title: Direct Secure Messaging (DSM) Solution current & version 2013
Description: The DSM solution Orion has implemented for Alaska does not meet the needs of the State of AK. The State has been requesting changes for months which have not been implemented; these include: group mailboxes, quality email connectivity, reporting by role, and other functionalities.
Discussion: Orion has recently proposed a new version, 2013 DSM, but this version doesn't fulfill all of the State's requests and may even be a step backwards for some functionality.
Status: Active
Trend: Worsening
Comments:
• 3/10/2014 - DSM V2 beta testing is not progressing. Orion Health has started to conduct meetings with beta testing entities but Orion appears to be working in a silo and not listening to their customers' demands.
• DSM V1 continues to have issues that require entire system reboots; latest issues have been related to emails not sending or being received and issues with DSM settings not being saved
• 2/3/2014 - DSM V2 beta testing is not progressing due to lack of Orion support
• 1/6/2014 - Alaska is participating in DSM V2 beta testing, so far functionality in DSM V2 is significantly less and will not meet needs for participants
• 10/1/2013 - No known change since September comment
• 9/13/2013 - Orion Health presented a modified plan for DSM version 2; this modified plan will most likely not work for Alaska because it does not allow for HISP to HISP communication, so users of the current DSM solution will not be able to communicate with users on version 2.
• 8/19/2013 - Still waiting for final details and updates about DSM version 2 and exact date this can be implemented and how Orion will address DHSS concerns with solution
• 6/10/2013 - Orion Health DSM version 2 will not be available for email migration until October 2013. This date is not satisfactory for DHSS and has been rejected. AeHN and DHSS are researching mitigation strategies.
• 4/29/2013 - Orion has been telling AeHN and State for weeks that they will provide dates for when Version 2013 could be implemented in Alaska and continues to avoid providing a date and answering the State's concerns about the 2013 version.
Risk Report Summary

ID: 11
Date: 12/31/2011
Project: HIE Governance
Title: Insufficient Funds for Corrective Action Plan
Description: If AeHN is not sufficiently staffed or funded to support the demands of the corrective action plan they will not be able to meet the expectations set in the AeHN/State contract, the Corrective Action Plan, nor other stakeholder expectations.
Status: Active
Severity: 2 - Significant; affecting all performance and budgets
Probability: 1 - High; will occur (100%)
Impact: 3 - Moderately Controllable
Strategy: The Alaska HIT Program office works to supply templates, documentation, assistance and guidance as practical. AeHN prioritizes CAP work appropriately; some HIE program activities may be delayed as a result of focus on Direct implementation and corrective action plan activities.
Comments:
• 10/1/2013 - No change since September comment
• 9/13/2013 - no update provided by AeHN
• 6/10/2013 - AeHN Executive Director is filling roles until AeHN can hire staff
• 4/29/2013 - Status of a data quality person and a privacy/security staff person has not changed
• 4/15/2013 - AeHN still has not hired a Data Quality person nor a Privacy/Security staff person.
• 1/22/2013 - AeHN has increased staffing; however, AeHN has not hired a Data Quality person nor a Privacy Security staff person and currently has this posted as a single position. The IT Planning office is concerned that these are two critical positions needed and it will be difficult to fill this position combining these two skill sets.
• 12/13/2012 - HIT Office is monitoring staffing
• 9/26/2012 - new AeHN ED has increased staffing through hiring and contracting with third parties.
• 8/29/2012 - New AeHN ED, Rebecca Madison, started in early August. Doris Yanis-House has agreed to stay on with AeHN as a contract employee to assist with DSM, unsure about Joe Furrer's employment status with AeHN. AeHN continues to struggle with staffing and funds.
• 7/30/2012 - AeHN Executive Director Bill Sorrells' last day was 7/20/2012. The new AeHN ED doesn't start until Aug. 8th. The other two HIE staff, Joe Furrer and Doris Yanis-House, have also submitted their resignation letters and will be gone from AeHN by middle of August.
• 5/1/2012 - Due to the CAP for AeHN REC pressure on AeHN as an organization has increased. AeHN is still understaffed and funded. State HIT Program Office developed an HIE Staffing Comparison that was presented to the AeHN Board for discussion.
• 2/29/2012 - The HIT Program office and technical assistance contractor Deloitte continue to work with AeHN regarding their CAP submission.
• 1/30/2012 - HIT Program office and AeHN met the week of January 2nd to discuss gaps in AeHN's CAP submission. A matrix was provided to AeHN regarding gaps and strategies were discussed. HIT Program office is still concerned about AeHN's CAP since it has not yet been approved by State and has requested further technical assistance from Deloitte.
• 12/31/2011 - HIT Program office and AeHN are scheduled to meet in early January to discuss action steps necessary for the corrective action plan.

ID: 34
Date: 4/29/2013
Project: HIE Governance
Title: Direct Secure Messaging (DSM) Current and Version 2013
Description: If Orion Health cannot implement a Direct solution that meets the State's requirements and needs, the State may have to find HISP services with another vendor.
Status: Active
Severity: 1 - High; probably project failure
Probability: 2 - Expected; could occur (75%)
Impact: 2 - Largely Uncontrollable
Strategy: Mitigation Strategy - If Orion Health cannot provide a solution that meets the needs, State will need to identify another vendor to provide Direct/HISP services.
Comments:
• 3/10/2014 - Alaska continues to beta test DSM V2; V2 will not meet functionality needs as it has been presented by Orion. DSM V1 is experiencing system issues: emails not sending/receiving, MDNs inconsistently working, settings not saving
• 1/6/2014 - Alaska is beta testing DSM V2, V2 is not currently meeting functionality needs
• 10/1/2013 - No change since September comment
• 9/13/2013 - Orion Health presented to AK a modified DSM version 2 plan which will most likely not work for Alaska because it does not allow for HISP to HISP communication.
• 6/10/2013 - Orion Health's DSM solution version 2 will not be ready for implementation until October 2013; this delivery date has been rejected by State. AeHN and State are developing mitigation strategies.
• 5/3/2013 - Orion Health's DSM solution continues to be unstable: there is a timestamp issue where emails are being sent at a certain time but when received the timestamp on the email reflects a future date/time; at least one State user's DSM User ID disappeared - it was restored but only after system wide shutdown occurred
• 4/29/2013 - Orion Health continues to be unable to meet the State's needs for DSM and is unable to provide accurate dates for when they might be able to provide a solution that meets the State's needs

ID: 36
Date: 1/16/2014
Project: HIE Governance
Title: Orion Health Communications
Description: Orion Health has significantly poor communications not only internally to their organization but also with their customers.
Status: Active
Severity: 2 - Significant; affecting all performance and budgets
Probability: 2 - Expected; could occur (75%)
Impact: 2 - Largely Uncontrollable
Strategy: Alaska will continue to monitor. DHSS recommended to AeHN that this be logged in a risk register with Orion Health if one is available.
Comments:
• 3/10/2014 - Orion communications continue to be poor
• 1/16/2014 - example of poor communications: Alaska has been asking Orion Health about when the patient portal would be first implemented, Alaska has been asking Orion Health for a date for weeks only to find out from North Dakota customer that Orion Health demoed the version 4.0 of the Patient Portal to them and plan to roll it out for ND weekend of 1/18/2014.
• Another example of poor internal communication: Orion Health assigned resources to work with Alaska on developing public health interfaces, there were separate resources for the different interfaces, Alaska provided URLs for Orion Health to use to connect to BizTalk for all the interfaces but this information was not communicated internally to all Orion Health resources working on the various interfaces.
2.000 Introduction to Internal Security Policies v3 Page 1 of 6 Originally Adopted 09/21/2011 Revision v3 Adopted 05/31/2013
2.000 Introduction to Internal Security Policies

Policy Summary
As such, AeHN has adopted a series of Security Policies to comply with the responsibilities outlined in the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This policy provides the general terms and provisions that apply to all of the Security Policies, along with the defined terms and acronyms that are used therein.

Purpose
The Alaska eHealth Network (AeHN) is committed to protecting the privacy and security of the protected health information (PHI) contained in the systems it oversees. This policy reflects AeHN’s commitment to appropriately use and physically protect EPHI.

Scope/Applicability
This policy is applicable to all AeHN workforce members that manage, control, access, use or disclose protected health information for any purposes. The AeHN workforce includes Workforce Members and other paid staff, contractors, agents, and vendors. This policy’s scope includes all protected health information contained on AeHN equipment, or otherwise accessible by the AeHN Workforce, including but not limited to the HIE and DSM.

Regulatory Category, Type, Legal Regulatory Reference
45 CFR § 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.

AS 18.23.310 Confidentiality and security of information.
(a) The department shall establish appropriate security standards to protect the transmission and receipt of individually identifiable information contained in the system established under AS 18.23.300. The standards must
(1) include controls over access to and collection, organization, and maintenance of records and data that protect the confidentiality of the individual who is the subject of a health record;
(2) include a secure and traceable electronic audit system for identifying access points and trails;
(3) meet the most stringent applicable federal or state privacy law governing the protection of the information contained in the system.
(b) A person may not release or publish individually identifying health information from the system for purposes unrelated to the treatment or billing of the patient who is the subject of the information. Use or distribution of the information for a marketing purpose is strictly prohibited.
(c) The department shall establish procedures for a patient who is the subject of a health record contained in the system
(1) to opt out of the system;
(2) to consent to the distribution of the patient's records contained in the system;
(3) to be notified of a violation of the confidentiality provisions required under this section;
(4) on request to the department, to view an audit report created under this section for the purpose of monitoring access to the patient's records.

7 AAC 166.030; 7 AAC 166.040; 7 AAC 166.900; 45 CFR 160; 45 CFR 164 (Parts A and C)

Policy Authority/Enforcement
AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) are responsible for monitoring and enforcement of the AeHN Internal Security Policies and Procedures.

Related Policies & Procedures
Policy Number | Procedure Number | Policy/Procedure Title
2.100 Consumer Opt Out Election Policy
    2.101 Consumer Opt Out Election Procedure
2.200 Administrative Safeguards Policy
    2.201 Security Management Process Procedure
    2.202 Risk Analysis Procedure
    2.203 Risk Management Procedure
    2.204 Employee Sanctions Procedure
    2.205 Information System Activity Procedure
    2.206 Assigned Security Responsibility Procedure
    2.207 Workforce Security Procedure
    2.208 Authorization and Supervision Procedure
    2.209 Workforce Clearance Procedure
    2.210 Termination Procedure
    2.211 Information Access Management Procedure
    2.212 Access Authorization Procedure
    2.213 Access Establishment and Modification Procedure
    2.214 Security Awareness and Training Procedure
    2.215 Security Reminders Procedure
    2.216 Protection from Malicious Software Procedure
    2.217 Log-in Monitoring Procedure
    2.218 Password Management Procedure
    2.219 Security Incident Procedure
    2.220 Contingency Plan Procedure
2.300 Physical Safeguards Policy
    2.301 Workstation Use Procedure
    2.302 Workstation Security Procedure
    2.303 Device and Media Controls Procedure
    2.304 Accountability Procedure
2.400 Technical Safeguards Policy
    2.401 Access Control Procedure
    2.402 Unique User Identification Procedure
    2.403 Automatic Logoff Procedure
    2.404 Encryption and Decryption Procedure
    2.405 Audit Controls Procedure
    2.406 Integrity Procedure
    2.407 Person or Entity Authentication Procedure
    2.408 Transmission Security Procedure
2.600 Breach Notification Policy
    2.601 Breach Notification Procedure
3.100 HIPAA Privacy Policy
    3.101 Use, Disclosure and Privacy Rights Procedure

Renewal/Review
This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.

Policy

I. General Policy Requirements:

A. Annual Review. AeHN will annually review all Internal Security Policies and Procedures to determine if they comply with current HIPAA Security regulations, applicable Alaska law and AeHN contractual obligations. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.

B. Format of PHI. AeHN uses the software-as-a-service model for the transmission and storage of PHI. Although AeHN does not have PHI directly contained on its own information systems, it is the steward for such information held by contractors and in a central data repository. For that reason, AeHN must continue to comply with these policies and procedures any time it is handling PHI, in any format.

C. Workforce Access. AeHN Workforce Members will not directly manage or access PHI on a regular basis, but some Workforce Members will have the ability to do so when necessary. This requires such Workforce Members to comply with all responsibilities of a health information exchange under HIPAA. No employee of AeHN is to have access to PHI through the HIE, except for purposes of auditing or performing audit functions, and other legal obligations of the organization. AeHN primarily facilitates the secure transfer of PHI from one EHR to another EHR.

D. Application to AeHN Workforce, Not Other Participants. These policies and procedures apply to the AeHN workforce members and the information used and disclosed by AeHN. They may reference and require collaboration with participants, but do not apply directly to participants in the HIE. The guidelines for participation and privacy and security responsibilities for participants are outlined in the External HIE Privacy, Security and Compliance Policy and related procedures found at 4.200 et seq.

II. Security Standards:

A. Administrative Safeguards. Administrative safeguards shall be used to manage the selection, development, implementation and maintenance of security measures to protect PHI and to manage the conduct of AeHN’s workforce for the protection of and authorized access to PHI. AeHN’s Administrative Safeguards Policy is found at 2.200 and the procedures enacted thereunder are found at 2.201 et seq. Those procedures follow the general order of the Administrative Safeguard provisions in the HIPAA Security Rule.

B. Physical Safeguards. Physical Safeguards are to be made in order to protect AeHN’s electronic information systems, related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Procedures will be implemented either directly or through AeHN vendors that limit physical access to electronic information systems and the facility or facilities in which such systems are housed, while still ensuring that proper authorized access is allowed. AeHN’s Physical Safeguards Policy is found at 2.300 and the procedures enacted thereunder are found at 2.301 et seq. Those procedures follow the general order of the Physical Safeguard provisions in the HIPAA Security Rule.

C. Technical Safeguards. Technical Safeguards shall be maintained that protect PHI and control access to assure that such systems are accessed only by those individuals or software programs that have been granted access rights. AeHN’s Technical Safeguards Policy is found at 2.400 and the procedures enacted thereunder are found at 2.401 et seq. Those procedures follow the general order of the Technical Safeguard provisions in the HIPAA Security Rule.

D. Breach Notification. A policy and procedures for breach notification shall be maintained to ensure that breaches are adequately and appropriately addressed. AeHN’s Breach Notification Policy is found at 2.600 and the Breach Notification Procedure is found at 2.601.

Glossary
AS: Alaska Statutes
AeHN: Alaska eHealth Network – the designated HIE for the State of Alaska
BAA: Business Associate Agreement
CFR: Code of Federal Regulations
DSM: Direct Secure Messaging
ED: Executive Director
EPHI: Electronic Protected Health Information
HIE: AeHN Health Information Exchange
HIPAA: Health Insurance Portability and Accountability Act of 1996
PA: Participant Agreement - The Agreement executed between an entity or individual and AeHN that defines the terms of use for the HIE.
Participant: An entity or individual that has entered into a Participant Agreement with AeHN.
PHI: Protected Health Information - Information that is maintained in any form or medium that:
    o Is created or received by a HIPAA Covered Entity or Business Associate, or any other User of the HIE; and
    o Relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
        - That identifies the individual; or
        - With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
    o Does not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; or employment records held by an entity in its role as employer.
SaaS: Software as a Service
PSO: Privacy and Security Officer
User IDs: Unique User Identifiers
2.000 Introduction to Internal Security Policies
APPROVED BY: AeHN Board
ADOPTED: 7/20/2011 v1
REVISED: 02/20/2013 v2
REVISED: 05/31/2013 v3
REVISED:
49
2.000 Introduction to Internal Security Policies v3 Page 1 of 6 Originally Adopted 09/21/2011 Revision v3 Adopted 05/31/2013
2.000IntroductiontoInternalSecurityPoliciesPolicySummary
As such, AeHN has adopted a series of Security Policies to comply with theresponsibilitiesoutlinedintheSecurityRuleoftheHealthInsurancePortabilityandAccountability Act of 1996 (HIPAA). This policy provides the general terms andprovisionsthatapplytoalloftheSecurityPolicies,alongwiththedefinedtermsandacronymsthatareusedtherein.
Purpose The Alaska eHealth Network (AeHN) is committed to protecting the privacy andsecurity of the protected health information (PHI) contained in the systems itoversees. This policy reflects AeHN’s commitment to appropriately use andphysicallyprotectEPHI.
Scope/ApplicabilityThis policy is applicable to all AeHN workforce members that manage, control,access, useor discloseprotectedhealth information for anypurposes. TheAeHNworkforce includesWorkforceMembers and other paid staff, contractors, agents,and vendors. This policy’s scope includes all protected health informationcontained on AeHN equipment, or otherwise accessible by the AeHNWorkforce,includingbutnotlimitedtotheHIEandDSM.
RegulatoryCategory,Type,LegalRegulatoryReference45CFR§164.306Securitystandards:Generalrules.(a)Generalrequirements.Coveredentitiesmustdothefollowing:(1)Ensuretheconfidentiality,integrity,andavailabilityofallelectronicprotectedhealthinformationthecoveredentitycreates,receives,maintains,ortransmits.(2)Protectagainstanyreasonablyanticipatedthreatsorhazardstothesecurityorintegrityofsuchinformation.(3)ProtectagainstanyreasonablyanticipatedusesordisclosuresofsuchinformationthatarenotpermittedorrequiredundersubpartEofthispart.(4)Ensurecompliancewiththissubpartbyitsworkforce.
AS18.23.310Confidentialityandsecurityofinformation.
(a)Thedepartmentshallestablishappropriatesecuritystandardstoprotectthetransmission and receipt of individually identifiable information contained in thesystemestablishedunderAS18.23.300.Thestandardsmust
(1)includecontrolsoveraccesstoandcollection,organization,andmaintenanceofrecordsanddatathatprotecttheconfidentialityoftheindividualwhoisthesubjectofahealthrecord;
50
2.000 Introduction to Internal Security Policies v3 Page 2 of 6 Originally Adopted 09/21/2011 Revision v3 Adopted 05/31/2013
(2) includeasecureandtraceableelectronicauditsystem for identifyingaccesspointsandtrails;
(3)meetthemoststringentapplicablefederalorstateprivacylawgoverningtheprotectionoftheinformationcontainedinthesystem.
(b) A person may not release or publish individually identifying healthinformationfromthesystemforpurposesunrelatedtothetreatmentorbillingofthepatientwhoisthesubjectoftheinformation.Useordistributionoftheinformationforamarketingpurposeisstrictlyprohibited.
(c)Thedepartmentshallestablishproceduresforapatientwhoisthesubjectofahealthrecordcontainedinthesystem
(1)tooptoutofthesystem;(2)toconsenttothedistributionofthepatient'srecordscontainedinthesystem;(3) tobenotifiedofaviolationof the confidentialityprovisions requiredunder
thissection;(4) on request to the department, to view an audit report created under this
sectionforthepurposeofmonitoringaccesstothepatient'srecords.7AAC166.030;7AAC166.040;7AAC166.900;45CFR160;45CFR164(PartsAandC)
PolicyAuthority/Enforcement
AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) areresponsibleformonitoringandenforcementoftheAeHNInternalSecurityPoliciesandProcedures.
RelatedPolicies&ProceduresPolicyNumber
ProcedureNumber
Policy/ProcedureTitle
2.100 ConsumerOptOutElectionPolicy 2.101 ConsumerOptOut ElectionProcedure2.200 AdministrativeSafeguardsPolicy 2.201 SecurityManagementProcessProcedure 2.202 RiskAnalysisProcedure 2.203 RiskManagementProcedure 2.204 EmployeeSanctionsProcedure 2.205 InformationSystemActivityProcedure 2.206 AssignedSecurityResponsibilityProcedure 2.207 WorkforceSecurityProcedure 2.208 AuthorizationandSupervisionProcedure 2.209 WorkforceClearanceProcedure 2.210 TerminationProcedure 2.211 InformationAccessManagementProcedure 2.212 AccessAuthorizationProcedure
51
2.000 Introduction to Internal Security Policies v3 Page 3 of 6 Originally Adopted 09/21/2011 Revision v3 Adopted 05/31/2013
2.213 AccessEstablishmentandModificationProcedure 2.214 SecurityAwarenessandTrainingProcedure 2.215 SecurityRemindersProcedure 2.216 ProtectionfromMaliciousSoftwareProcedure 2.217 Log‐inMonitoringProcedure 2.218 PasswordManagementProcedure 2.219 SecurityIncidentProcedure 2.220 ContingencyPlanProcedure2.300 PhysicalSafeguardsPolicy 2.301 WorkstationUseProcedure 2.302 WorkstationSecurityProcedure 2.303 DeviceandMediaControlsProcedure 2.304 AccountabilityProcedure2.400 TechnicalSafeguardsPolicy 2.401 AccessControlProcedure 2.402 UniqueUserIdentificationProcedure 2.403 AutomaticLogoffProcedure 2.404 EncryptionandDecryptionProcedure 2.405 AuditControlsProcedure 2.406 IntegrityProcedure 2.407 PersonorEntityAuthenticationProcedure 2.408 TransmissionSecurityProcedure2.600 BreachNotificationPolicy 2.601 BreachNotificationProcedure3.100 HIPAAPrivacyPolicy 3.101 Use,DisclosureandPrivacyRightsProcedure Renewal/Review
This policy is to be reviewed annually to determine if the policy complies withcurrent HIPAA Security regulations and to ensure that it incorporates all recentdevelopments inAeHNpolicies, procedures, activities, equipment and technology.In the event that significant related legal, regulatory or organizational changesoccur,thepolicywillbereviewedandupdatedasneeded.
Policy
I. GeneralPolicyRequirements:
A. Annual Review. AeHN will annually review all Internal Security Policies andProcedures to determine if they complywith current HIPAA Security regulations,applicable Alaska law and AeHN contractual obligations. In the event thatsignificantrelatedlegal,regulatoryororganizationalchangesoccur,thepolicywillbereviewedandupdatedasneeded.
B. Format of PHI. AeHN uses the software‐as‐a‐service model for the transmission and storage of PHI. Although AeHN does not have PHI directly contained on its own information systems, it is the steward for such information held by contractors and in a central data repository. For that reason, AeHN must continue to comply with these policies and procedures any time it is handling PHI, in any format.
C. Workforce Access. AeHN Workforce Members will not directly manage or access PHI on a regular basis, but some Workforce Members will have the ability to do so when necessary. This requires such Workforce Members to comply with all responsibilities of a health information exchange under HIPAA. No employee of AeHN is to have access to PHI through the HIE, except for purposes of auditing or performing audit functions, and other legal obligations of the organization. AeHN primarily facilitates the secure transfer of PHI from one EHR to another EHR.
D. Application to AeHN Workforce, Not Other Participants. These policies and procedures apply to the AeHN workforce members and the information used and disclosed by AeHN. They may reference and require collaboration with participants, but do not apply directly to participants in the HIE. The guidelines for participation and privacy and security responsibilities for participants are outlined in the External HIE Privacy, Security and Compliance Policy and related procedures found at 4.200 et seq.
II. Security Standards:
A. Administrative Safeguards. Administrative safeguards shall be used to manage the selection, development, implementation and maintenance of security measures to protect PHI and to manage the conduct of AeHN’s workforce for the protection of and authorized access to PHI. AeHN’s Administrative Safeguards Policy is found at 2.200 and the procedures enacted thereunder are found at 2.201 et seq. Those procedures follow the general order of the Administrative Safeguard provisions in the HIPAA Security Rule.
B. Physical Safeguards. Physical Safeguards are to be made in order to protect AeHN’s electronic information systems, related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Procedures will be implemented either directly or through AeHN vendors that limit physical access to electronic information systems and the facility or facilities in which such systems are housed, while still ensuring that proper authorized access is allowed. AeHN’s Physical Safeguards Policy is found at 2.300 and the procedures enacted thereunder are found at 2.301 et seq. Those procedures follow the general order of the Physical Safeguard provisions in the HIPAA Security Rule.
C. Technical Safeguards. Technical Safeguards shall be maintained that protect PHI and control access to assure that such systems are accessed only by those individuals or software programs that have been granted access rights. AeHN’s Technical Safeguards Policy is found at 2.400 and the procedures enacted thereunder are found at 2.401 et seq. Those procedures follow the general order of the Technical Safeguard provisions in the HIPAA Security Rule.
D. Breach Notification. A policy and procedures for breach notification shall be maintained to ensure that breaches are adequately and appropriately addressed. AeHN’s Breach Notification Policy is found at 2.600 and the Breach Notification Procedure is found at 2.601.

Glossary
AS          Alaska Statutes
AeHN        Alaska eHealth Network – the designated HIE for the State of Alaska
BAA         Business Associate Agreement
CFR         Code of Federal Regulations
DSM         Direct Secure Messaging
ED          Executive Director
EPHI        Electronic Protected Health Information
HIE         AeHN Health Information Exchange
HIPAA       Health Insurance Portability and Accountability Act of 1996
Participant An entity or individual that has entered into a Participant Agreement with AeHN.
PHI         Protected Health Information ‐ Information that is maintained in any form or medium that:
            o Is created or received by a HIPAA Covered Entity or Business Associate, or any other User of the HIE; and
            o Relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
              - That identifies the individual; or
              - With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
            o Does not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; or employment records held by an entity in its role as employer.
SaaS        Software as a Service
PSO         Privacy and Security Officer
User IDs    Unique User Identifiers
2.000 Introduction to Internal Security Policies
APPROVED BY: AeHN Board
ADOPTED: 7/20/2011 v1 REVISED: 02/20/2013 v2 REVISED: 05/31/2013 v3
REVISED:
2.200 Administrative Safeguards V3 Page 1 of 8 Originally Adopted 07/20/2011 Revision Adopted 05/31/2013
2.200 Administrative Safeguards Policy
Policy Summary
Alaska eHealth Network (AeHN) ensures the confidentiality, integrity and availability of its information systems containing PHI by implementing appropriate and reasonable policies, procedures and controls to prevent, detect, contain, and correct security violations. AeHN’s administrative safeguards include a security management program based on formal and regular processes for risk analysis and management, sanction policies for non‐compliance, and information system activity review.
All AeHN workforce members are responsible for appropriately protecting PHI maintained on the Alaska HIE information systems. AeHN management is responsible for ensuring the confidentiality, integrity and availability of all PHI maintained on the Alaska HIE information systems.
Purpose
This policy reflects AeHN’s commitment to ensure the confidentiality, integrity, and availability of its information systems containing PHI by implementing policies and procedures to prevent, detect, contain, and correct security violations.
Scope/Applicability
This policy is applicable to all AeHN workforce members that manage, control, access, use or disclose protected health information for any purposes. The AeHN workforce includes employees and other paid staff, contractors, agents, and vendors. This policy’s scope includes all protected health information contained on AeHN equipment, or otherwise accessible by the AeHN Workforce, including but not limited to the HIE and DSM.
Regulatory Category, Type, Legal Regulatory Reference
Implement policies and procedures to prevent, detect, contain, and correct security violations.
Administrative Safeguards, Standard, AS 18.23.300 et seq.; 7 AAC 166.010; 7 AAC 166.030; 7 AAC 166.040; 7 AAC 166.050; 7 AAC 166.900; 45 CFR 164.308(a)
Policy Authority/Enforcement
AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) are responsible for monitoring and enforcement of this policy.
Related Policies & Procedures
Number  Standard
2.201   Security Management Process
2.202   Risk Analysis
2.203   Risk Management
2.204   Employee Sanctions
2.205   Information System Activity Review
2.206   Assigned Security Responsibility
2.207   Work Force Security
2.208   Authorization and/or Supervision
2.209   Workforce Clearance Procedure
2.210   Termination Procedures
2.211   Information Access Management
2.212   Access Authorization
2.213   Access Establishment and Modification
2.214   Security Awareness and Training
2.215   Security Reminders
2.216   Protecting from Malicious Software
2.217   Log‐In Monitoring
2.218   Password Management
2.219   Security Incident Procedures
2.220   Contingency Plan
Renewal/Review
This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.
Policy
I. Security Management Process
A. Integrity and Confidentiality of PHI. AeHN makes active strides to protect the integrity and confidentiality of PHI information managed on behalf of provider organizations participating in the statewide health information exchange. These activities include, but are not limited to the use of identity protected storage, network storage, system access logging, physical protections and security, and user education.
B. Best Practices. AeHN actively enforces compliance with HIPAA regulations by utilizing and requiring the use of ‘best practice’ security measures, including, but not limited to, utilizing mandatory network login, strong password discipline, workstation security, protected network storage and physical security.
C. Privacy and Security Officer. AeHN is committed to ensuring the privacy and security of PHI that it manages on behalf of its participating provider organizations. In order to manage the facilitation and implementation of activities related to the privacy and security of PHI, AeHN will appoint and maintain an internal PSO position. The PSO will serve as the focal point for security compliance‐related activities and responsibilities, as listed in the AeHN policies and procedures. If, at any point, a PSO is not maintained as a separate position, the AeHN Executive Director shall serve as the PSO.
II. Employee and Workforce Management
A. Compliance with Policies and Procedures. AeHN workforce members will comply with all applicable AeHN security policies and procedures. Compliance is mandated to ensure the confidentiality, integrity and availability of the Alaska HIE information systems.
B. Training and Awareness. AeHN workforce members will understand and be aware of all applicable AeHN security policies and procedures. AeHN will provide regular training and awareness for workforce members on AeHN security policies and procedures.
C. Sanctions Procedures. AeHN will establish formal, documented procedures for applying appropriate sanctions against workforce members who do not comply with its security policies and procedures.
D. Enforcement of Policies and Procedures. AeHN actively controls EPHI and educates its workforce members in EPHI security by any of the following:
1. AeHN will demonstrate its commitment to enforce HIPAA regulations and secure EPHI information by establishing a PSO who will be charged with the ongoing process of establishing, maintaining and updating HIPAA rules, policies, procedures and guidelines.
2. The AeHN PSO will aggressively enforce HIPAA guidelines and procedures and will actively introduce new procedures in the face of rapidly changing technology.
3. The AeHN PSO and workforce members will meet at least semi‐annually to audit existing procedures and technology to ensure that HIPAA regulations are being actively enforced.
4. The AeHN PSO is responsible for establishing training guidelines for each respective AeHN workforce member specifically with regards to the types and amount of training required to meet HIPAA regulations. Training for each person may be
58
2.200 Administrative Safeguards V3 Page 4 of 8 Originally Adopted 07/20/2011 Revision Adopted 05/31/2013
combined and presented in a group setting, or otherwise available in a format deemed appropriate by the PSO.
E. Basic Security Training. Despite the fact that all AeHN workforce members will not have regular access to or a day‐to‐day need to handle EPHI, all AeHN workforce members will receive initial and annual training in and will follow baseline information security policies. This will include, but not be limited to, password use and discipline, use of network storage and workstation locking.
F. Promotion of HIPAA Policies and Procedures. The ED and PSO will actively promote and enforce HIPAA policies and procedures to AeHN workforce members.
III. Risk Analysis & Risk Management
A. Annual Auditing. All AeHN HIPAA procedures must undergo formal risk management auditing at least yearly.
B. Annual Risk Analysis. AeHN, or an independent 3rd party, shall annually conduct a risk analysis (“Risk Analysis”) that will, at a minimum:
1. Identify and prioritize the threats to the Alaska HIE information systems containing EPHI.
2. Identify and prioritize the vulnerabilities of the Alaska HIE information systems containing EPHI.
3. Identify and define the security measures used to protect the confidentiality, integrity, and availability of the Alaska HIE information systems containing EPHI.
4. Identify the likelihood that a given threat will exploit a specific vulnerability on the Alaska HIE information system containing EPHI.
5. Identify the potential impacts to the confidentiality, integrity, and availability of the Alaska HIE information systems containing EPHI if a given threat exploits a specific vulnerability.
6. Any report compiled will include all statistical and technology references to formulate recommendations.
7. Judgments used in AeHN’s Risk Analysis, such as assumptions, defaults, and uncertainties, should be explicitly stated and documented.
C. Distribution of Risk Analysis Results. As appropriate, the AeHN PSO and management will share results of the Risk Analysis with the AeHN Board of Directors and the Audit and Compliance Committee.
D. Review of Information Systems Activity. The AeHN PSO or assigned AeHN workforce member will regularly review records of activity on information systems containing EPHI.
IV. Access and Authorization ‐ Internal
A. Position Authority. Individual job descriptions for AeHN workforce members will be the basis for defining access authority and the specific information system content that will be accessible. The nature and extent of access to the Alaska HIE information systems containing EPHI will be based on an ongoing risk analysis process. At a minimum, the risk analysis will consider the following factors:
1. The importance of the applications running on the information system
2. The value or sensitivity of the EPHI on the information system
3. The extent to which the information system is connected to other information systems
B. Need for Access. Access to the Alaska HIE information systems containing EPHI will be authorized only for properly trained AeHN workforce members having a legitimate need for specific information in order to accomplish job responsibilities as defined in individual job descriptions. Job descriptions will be reviewed at least annually to validate necessity of access to some or all EPHI maintained in the Alaska HIE information systems.
C. Limitation on Authorization. AeHN workforce members will not access the Alaska HIE information systems containing EPHI for which they have not been given proper authorization. No employee of AeHN is to have access to PHI through the HIE, except for purposes of auditing or performing audit functions, or other legal obligations of the organization. AeHN will ensure that all workforce members who have the ability to access the Alaska HIE information systems containing EPHI are appropriately authorized or supervised. AeHN will maintain a documented process for authorizing appropriate access to the Alaska HIE information systems containing EPHI. This will include:
1. A definition of roles based on individual AeHN workforce job descriptions.
2. A summary of authorized categories of EPHI content that can be accessed by each role.
3. An annual review of roles and authorized categories of access to EPHI to be conducted as part of the ongoing risk analysis process.
D. Workforce Screening and Termination. AeHN workforce members will be screened during the hiring process to identify possible areas of risk which will be vetted before retention in a position that requires access to EPHI. AeHN will sustain a formal, documented process for terminating access to EPHI when the employment of a workforce member ends, or the need to access EPHI otherwise terminates.
E. Confidentiality Agreements. All AeHN workforce members who access the Alaska HIE information systems containing EPHI will sign a confidentiality agreement in which they agree not to provide or discuss EPHI or confidential information with unauthorized persons. Confidentiality agreements will be reviewed and signed annually by AeHN workforce members who access the Alaska HIE information systems containing EPHI.
V. Access & Authorization – External or Participating Site Workforce Members
AeHN will have a formal, documented process for establishing, documenting, reviewing, and modifying access to the Alaska HIE information systems containing EPHI. The process will be based on AeHN and the Participating Organizations’ access authorization policy. At a minimum, the process must include:
A. Access Establishment. Procedure for establishing different levels of access to the Alaska HIE systems containing EPHI.
B. Access Documentation. Procedure for documenting levels of access established to the Alaska HIE information systems containing EPHI.
C. Access Review. Procedure for regularly reviewing AeHN and Participating Organizations workforce member access privileges to the Alaska HIE information systems containing EPHI.
D. Access Modification. Procedure for modifying AeHN and Participating Organizations workforce member access privileges to the Alaska HIE information systems containing EPHI.
E. Access Termination. Procedure for terminating AeHN and Participating Organization workforce members’ access privileges to the Alaska HIE information systems containing EPHI.
VI. Information Security
A. Security Reminders. AeHN will make certain that all of its workforce members, including those who work remotely, are regularly reminded of information security risks and how to follow AeHN security policies. Additionally, workforce members will be provided with information about AeHN security procedures and how to use the Alaska HIE information systems in ways that minimize possible security risks.
B. Maintenance of Security. AeHN will ensure that the confidentiality, integrity, and availability of EPHI on the Alaska HIE information systems is maintained when its information systems are accessed by third parties. Before third party persons are granted access to the Alaska HIE information systems containing EPHI, a risk analysis will be performed. After a successful risk analysis, access by third party persons to the Alaska HIE information systems containing EPHI will be allowed only after an agreement has been signed defining the terms for access.
C. Risk Detection. AeHN must be able to effectively detect and prevent malicious software, particularly viruses, worms and malicious code. AeHN will develop, implement, and
regularly review a formal, documented process for guarding against, detecting, and reporting malicious software that poses a risk to its information systems and data.
VII. Passwords and Log‐In
A. Monitoring Log‐In. AeHN will develop, implement, and regularly review a formal process for monitoring log‐in attempts and reporting discrepancies. Access to all the Alaska HIE information systems will be via a secure log‐in process.
B. Password Safeguards. AeHN will develop, implement, and regularly review a formal process for appropriately creating, changing and safeguarding passwords used to validate a user’s identity and establish access to its information systems and data.
VIII. Security Incidents
A. Security Incident Response. AeHN will also maintain a documented process for quickly and effectively detecting and responding to security incidents that may impact the confidentiality, integrity, or availability of the Alaska HIE information systems. At a minimum, AeHN’s PSO will ensure that:
1. All actions taken are intended to minimize the damage of a security incident and prevent further damage.
2. Only authorized and appropriately trained AeHN employees are allowed access to affected information systems in order to respond to or recover from a security incident.
3. All actions taken are carefully documented.
B. Security Incident Monitoring. AeHN will maintain a mechanism for quantifying and monitoring the types, volumes and costs of security incidents. This information will be used to identify the need for improved or additional security controls. AeHN’s PSO is authorized to investigate any and all alleged violations of AeHN security policies, and to take appropriate action to mitigate the infraction and apply sanctions as warranted.
IX. Disaster Recovery & Backup
A. Emergency Response. AeHN will have a formal process for both preparing for and effectively responding to emergencies and disasters that damage the confidentiality, integrity or availability of its information systems. This will include coordination with our SaaS vendor to ensure that it has appropriate disaster recovery and backup procedures in place.
B. Backup Plan. AeHN, independently or through its SaaS vendor, must have a formal, documented backup plan for its information systems. At a minimum, the plan must:
1. Identify information systems and electronic media to be backed up.
2. Provide a backup schedule.
3. Identify where backup media are stored and who may access them.
4. Outline restoration procedures.
5. Identify who is responsible for ensuring the backup of information systems and electronic media.
C. Data Restoration. Restoration procedures for the Alaska HIE electronic media and information systems containing EPHI must be regularly tested to ensure that they are effective and that they can be completed within the time allotted in the Alaska HIE’s disaster recovery plan.
D. Data Retention. The retention period for backup of EPHI on the Alaska HIE information systems and electronic media and any requirements for archive copies to be permanently retained must be defined and documented.
E. Disruption Analysis. Risk analysis should be used to determine and document the maximum amount of loss that may occur if backup of the Alaska HIE information systems and electronic media is disrupted. Such analysis should be used to determine if all appropriate and reasonable measures are being used to back up the Alaska HIE information systems and electronic media.
2.200 Administrative Safeguards Policy
APPROVED BY: AeHN Board
ADOPTED: 7/20/2011 v1 REVISED: 02/20/2013 v2 REVISED: 05/31/2013 v3
REVISED:
2.300 Physical Safeguards V3 Page 1 of 4 Originally Adopted 07/20/2011 Revision Adopted 05/31/2013
2.300 Physical Safeguards Policy
Policy Summary
Alaska eHealth Network (AeHN) facilities, workstations and storage areas must be accessed and used only for authorized purposes. Workforce members must not use AeHN facilities, workstations or equipment to engage in any activity that is either illegal under local, state, federal, or international law or is in violation of AeHN policy. Access to the Alaska HIE PHI must be controlled and authenticated.
Purpose
This policy reflects AeHN’s commitment to appropriately use and physically protect PHI.
Scope/Applicability
This policy is applicable to all AeHN workforce members that manage, control, access, use or disclose protected health information for any purposes. The AeHN workforce includes employees and other paid staff, contractors, agents, and vendors. This policy’s scope includes all protected health information contained on AeHN equipment, or otherwise accessible by the AeHN Workforce, including but not limited to the HIE and DSM.
Regulatory Category, Type, Legal Regulatory Reference
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Physical Safeguards, Standard, AS 18.23.300 et seq.; 45 CFR 164.310; 7 AAC 166.010; 7 AAC 166.030; 7 AAC 166.040; 7 AAC 166.050; 7 AAC 166.900
Policy Authority/Enforcement
AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) are responsible for monitoring and enforcement of this policy.
Related Policies & Procedures
Standard                    Number
Workstation Use             2.301
Workstation Security        2.302
Device and Media Controls   2.303
Accountability              2.304
Renewal/Review
This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.
Policy
I. Use of AeHN Property. AeHN facilities, workstations, equipment and storage will be used only for authorized purposes: to support the educational, clinical, administrative, and other functions of AeHN. Such use demonstrates respect for intellectual property, ownership of data, security controls, and individuals' rights to privacy.
A. Workstations
1. All workforce members who use AeHN workstations will take all reasonable precautions to protect the confidentiality, integrity, and availability of PHI.
2. Workforce members will not use AeHN facilities, workstations, equipment or storage to engage in any activity that is either illegal under local, state, federal, or international law or is in violation of AeHN policy.
3. Access to all AeHN workstations containing PHI will be controlled with a username and password or an access device such as a token.
4. AeHN workstations containing PHI will be physically located in such a manner as to minimize the risk that unauthorized individuals can gain access to them.
B. Device and Media Control and Accountability
1. It is the policy of AeHN that no PHI is to be stored on any media within AeHN for any purpose. No employee of AeHN is to have access to PHI through the HIE, except for purposes of auditing or performing audit functions, or other legal obligations of the organization. AeHN primarily facilitates the secure transfer of PHI from one EHR to another EHR.
2. PHI located on the Alaska HIE information systems or electronic media will be protected against damage, theft, and unauthorized access. This includes both PHI received by the Alaska HIE and created within the Alaska HIE. PHI must be consistently protected and managed through its entire life cycle, from origination to destruction.
3. AeHN will regularly conduct a formal, documented process that ensures consistent control of all electronic media and information systems containing PHI that is created, sent, received or destroyed by the Alaska HIE.
4. All Alaska HIE information systems and electronic media containing PHI will be located and stored in secure environments that are protected by appropriate security barriers and entry controls. The level of these controls should be commensurate with identified risks to the electronic media and information systems. All Alaska HIE information systems and electronic media containing PHI will be disposed of securely and safely when no longer required.
5. Workforce members should use only AeHN approved and tracked electronic media to store PHI. PHI will not be stored on AeHN workforce member home computers.
6. AeHN employees and affiliates who move electronic media or information systems containing PHI are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft, and unauthorized access.
C. Data Backup and Storage
1. Backup of PHI on Alaska HIE information systems and electronic media, together with accurate and complete records of the backup copies and documented restoration procedures, will be stored in a secure remote location, at a sufficient distance from AeHN facilities to escape damage from a disaster at AeHN. This process may be carried out in a HIPAA compliant manner by AeHN’s SaaS vendor.
2. AeHN will confirm that the vendor has enacted backup and restoration procedures for the Alaska HIE electronic media, and information systems containing PHI will be regularly tested to ensure that they are effective and that they can be completed within a reasonable amount of time.
3. The retention period for backup of PHI on the Alaska HIE information systems and electronic media and any requirements for archive copies to be permanently retained will be defined and documented by AeHN or the vendor responsible for such backup.
2.300 Physical Safeguards Policy
APPROVED BY: AeHN Board
ADOPTED: 7/20/2011 v1 REVISED: 02/20/2013 v2 REVISED: 05/31/2013 v3
REVISED:
2.400 Technical Safeguards V3 Page 1 of 5 Originally Adopted 07/20/2011 Revision Adopted 05/31/2013
2.400 Technical Safeguards Policy
Policy Summary
Alaska eHealth Network (AeHN) must purchase and implement information systems that comply with AeHN’s Technical Safeguards policy. Alaska HIE information systems must support a formal process for granting appropriate access to the Alaska HIE information systems containing EPHI. Access to Alaska HIE information systems containing EPHI must be limited to AeHN and Participating Site workforce members and software programs having a need for specific information in order to accomplish a legitimate task.
Purpose
This policy reflects AeHN’s commitment to purchase and implement information systems that comply with AeHN’s HIPAA Security policies.
Scope/Applicability
This policy is applicable to all AeHN workforce members that manage, control, access, use or disclose protected health information for any purposes. The AeHN workforce includes employees and other paid staff, contractors, agents, and vendors. This policy’s scope includes all protected health information contained on AeHN equipment, or otherwise accessible by the AeHN Workforce, including but not limited to the HIE and DSM.
Regulatory Category, Type, Legal Regulatory Reference
“Implement policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights...”
Technical Safeguards, Standard, AS 18.23.300 et seq.; 45 CFR 164.312; 7 AAC 166.010; 7 AAC 166.030; 7 AAC 166.040; 7 AAC 166.050; 7 AAC 166.900
Policy Authority/Enforcement
AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) are responsible for monitoring and enforcement of this policy.
Related Policies & Procedures
Standard                           Number
Access Control                     2.401
Unique User Identification         2.402
Automatic Logoff                   2.403
Encryption and Decryption          2.404
Audit Controls                     2.405
Integrity                          2.406
Person or Entity Authentication    2.407
Transmission Security              2.408
Renewal/Review
This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.
Policy
I. Information Systems
A. AeHN purchases and implements information systems that comply with AeHN’s HIPAA Security policies.
B. All current Alaska HIE information systems that do not currently comply with AeHN’s Administrative Safeguards will be identified and evaluated according to AeHN’s risk analysis process.
II. Access Control and Unique User IDs
A. As appropriate, Alaska HIE information systems support one or more of the following types of access control to protect the confidentiality, integrity and availability of EPHI contained on Alaska HIE information systems:
1. User based
2. Role based
3. Context based
B. Alaska HIE information systems support a formal process for granting appropriate access to the Alaska HIE information systems containing EPHI. At a minimum, the process includes:
1. Procedure for granting different levels of access to the Alaska HIE information systems containing EPHI.
2. Procedure for tracking and logging authorization of access to the Alaska HIE information systems containing EPHI.
3. Procedure for regularly reviewing and revising, as necessary, authorization of access to the Alaska HIE information systems containing EPHI.
C. As appropriate, security controls or methods that allow access to the Alaska HIE information systems containing EPHI will include, at a minimum:
1. Unique user identifiers (user IDs) that enable persons and identities to be uniquely identified. User IDs will not give any indication of the user’s privilege level. Group identifiers will not be used to gain access to the Alaska HIE information systems containing EPHI.
2. A secret identifier (password).
3. The prompt removal or disabling of access methods for persons and entities that no longer need access to the Alaska HIE EPHI.
4. Verification that redundant user identifiers are not issued.
D. AeHN and Participating Site workforce members do not provide access to the Alaska HIE’s information systems containing EPHI to unauthorized persons.
E. Appropriate Alaska HIE information system owners or their designated delegates regularly review workforce member and software program access rights to Alaska HIE information systems containing EPHI to ensure that access is granted only to those having a need for specific information in order to accomplish a legitimate task. Such rights will be revised as necessary.
F. All revisions to AeHN workforce member and software program access rights are tracked and logged. This information is securely maintained.
III. Automatic Logoff
A. AeHN workforce members end electronic sessions on information systems that contain or can access EPHI when such sessions are completed, unless the information system is secured by an appropriate locking method, e.g. a password protected screen saver.
B. AeHN workforce members log off from or lock their workstation(s) when their shift is complete or they leave their workstation(s).
IV. Encryption and Decryption
When risk analysis indicates it is necessary, appropriate encryption is used to protect the confidentiality, integrity, and availability of EPHI contained on the Alaska HIE information systems. The risk analysis is also used to determine the type and quality of the encryption algorithm and the length of cryptographic keys.
V. Audit Controls
A. AeHN is able to record and examine significant activity on its information systems that contain or use EPHI. AeHN will conduct a risk analysis to identify and define what constitutes “significant activity” on a specific information system.
B. Appropriate hardware, software, or procedural auditing mechanisms are implemented on Alaska HIE information systems that contain or use EPHI. The level and type of auditing mechanisms that are implemented on Alaska HIE information systems that contain or use EPHI is determined by AeHN’s risk analysis process.
C. Logs created by audit mechanisms implemented on Alaska HIE information systems will be reviewed regularly. The frequency of such review will be determined by AeHN’s risk analysis process.
VI. Data Integrity
A. AeHN appropriately protects the integrity of all EPHI contained on its information systems. Such EPHI is protected from improper alteration or destruction. AeHN performs regular risk analysis to determine the appropriate means to protect the integrity of all EPHI contained on its information systems.
B. AeHN has implemented a formal, documented process for appropriately protecting the integrity of all EPHI contained on its information systems. At a minimum, the process includes:
1. A procedure for ensuring that the methods and controls used to protect integrity are effective and do not significantly impact Alaska HIE functionality and workflow.
2. A procedure defining how the Alaska HIE will detect and report instances of attempted or successful improper alteration or destruction of Alaska HIE EPHI.
3. A procedure defining how AeHN will respond to instances of attempted or successful improper alteration or destruction of Alaska HIE EPHI.
4. A procedure defining when and how unnecessary Alaska HIE EPHI can be destroyed. Such destruction will be conducted only by properly authorized AeHN workforce members, or their delegates.
C. Methods used to protect the integrity of EPHI contained on Alaska HIE information systems will ensure that the value and state of the EPHI is maintained and it is protected from unauthorized modification and destruction.
VII. Person or Entity Authentication
A. AeHN has created and implemented a formal, documented process for verifying the identity of a person or entity before granting them access to EPHI.
B. AeHN uses an appropriate and reasonable system(s) to ensure that only properly authenticated persons and entities access Alaska HIE EPHI.
VIII. Data Transmission & Integrity
A. AeHN appropriately protects the confidentiality, integrity and availability of all data it transmits over electronic communications networks.
B. Unless risk analysis indicates that there is not significant risk when sending Alaska HIE data over an electronic communications network, the data will be sent in encrypted form and have controls to safeguard the integrity of the data. AeHN PSO will approve all encryption and integrity controls prior to their use.
C. Integrity controls are always used when highly sensitive Alaska HIE data such as passwords are transmitted over electronic communications networks.
D. The Alaska HIE’s integrity controls ensure that the value and state of all transmitted data is maintained and the data is protected from unauthorized modification.
IX. Breach Detection and Notification
AeHN, through its contract with the SaaS vendor and collaboration with Participants, has put in place reasonable systems to detect, address, mitigate and report breaches of PHI.
2.400 Technical Safeguards Policy
APPROVED BY: AeHN Board
ADOPTED: 7/20/2011 v1
REVISED: 02/20/2013 v2
REVISED: 05/31/2013 v3
REVISED
3.100 HIPAA PRIVACY & PERMITTED DISCLOSURES POLICY V3 Page 1 of 4 Originally Adopted 09/21/2011 Revision Adopted 05/31/2013
3.100 HIPAA Privacy & Permitted Disclosures Policy
Policy Summary
This policy describes the basic privacy protections and rights that apply to protected health information (PHI) held by the Alaska eHealth Network (AeHN), in addition to the permitted ways in which such PHI can be used and disclosed by AeHN.
Purpose
To comply fully with the requirements regarding disclosure of protected health information as provided in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Scope/Applicability
This policy is applicable to all AeHN workforce members that manage, control, access, use or disclose protected health information for any purposes. The AeHN workforce includes employees and other paid staff, contractors, agents, and vendors, as well as interns, volunteers and other unpaid staff. This policy’s scope includes all protected health information contained on AeHN equipment, or otherwise accessible by the AeHN Workforce, including but not limited to the HIE and DSM.
Regulatory Category, Type, Legal Regulatory Reference
Privacy Rule, 45 CFR §164.500 et seq.; AS 18.23.300 et seq.; 7 AAC 166.010; 7 AAC 166.030; 7 AAC 166.040; 7 AAC 166.050; 7 AAC 166.900
Policy Authority/Enforcement
AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) are responsible for monitoring and enforcement of this policy.
Related Policies & Procedures
3.200 Privacy and Confidentiality Policy
Renewal/Review
This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.
Policy
I. Definitions. For purposes of this policy, the following definitions apply:
PSO. The PSO for purposes of this Policy oversees all activities related to the development, implementation, and maintenance of AeHN’s policies and procedures covering the privacy
of protected health information. This person is the key compliance officer for all federal and state laws that apply to the privacy of protected health information.
HIPAA. Health Insurance Portability and Accountability Act of 1996, a federal law pertaining to protected health information of clients.
“Minimum‐Necessary” Standard. AeHN uses and discloses the amount of PHI that is the minimum necessary to accomplish its intended purposes. In addition, the AeHN Use and Disclosures Procedures identify and provide for the minimum necessary access by AeHN personnel to PHI.
Participant. For purposes of this policy, the term “Participant” includes the Participating users of the AeHN Health Information Exchange and the patients of those Participants.
PHI (HIPAA Protected Health Information). Information about AeHN Participants becomes “protected” upon its creation or receipt by an AeHN Participant. PHI applies to information in any form—electronic, written or verbal as follows: PHI means information that is created or received by AeHN or a Participant and relates to the past, present, or future physical or mental health or condition of a Participant; the provision of health care to a Participant; or the past, present, or future payment for the provision of health care to a Participant; and that identifies the Participant or for which there is a reasonable basis to believe the information can be used to identify the Participant. HIPAA‐PHI includes information of persons living or deceased.
Use and Disclosure. AeHN will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:
Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any AeHN personnel, or by a Business Associate of AeHN.
Disclosure. For protected health information, disclosure means any release, transfer, provision or access to, or divulging in any other manner of individually identifiable health information.
US/DHHS. United States Department of Health and Human Services.
II. General Statement.
It is the policy of AeHN to comply fully with the requirements of HIPAA. To that end, all AeHN employees must comply with this Policy.
III. Mitigation of Inadvertent Disclosures of PHI
Employees must report any improper use or disclosure of PHI of which they become aware to the PSO. The PSO will determine the reasonable and appropriate steps that can be taken which may mitigate the harm to the Participant. The method of mitigation will depend on the facts and circumstances of the unauthorized use or disclosure as determined in the discretion of the PSO.
IV. Sanctions for Violations of PHI Privacy
All of AeHN’s covered workforce must comply with this Policy when using or disclosing PHI. Sanctions for using or disclosing PHI in violation of this Policy will be imposed in accordance with AeHN policies regarding employee disciplinary action. The severity of the sanction will depend on the facts and circumstances of the violation and may include discipline up to and including immediate termination of employment.
V. Documentation
AeHN shall maintain copies of HIPAA compliance documents for a period of at least six (6) years from the date the documents were created or were last in effect, whichever is later, as described in the AeHN Use and Disclosure Procedures.
VI. Training
All AeHN employees will complete HIPAA training upon employment commencement and thereafter yearly. Proof of training completion will be kept in a separate file.
VII. Uses and Disclosures of PHI
A. Permitted Uses and Disclosures of PHI by AeHN: Treatment, Payment and Health Care Operations
Disclosure of PHI is permitted by AeHN only to assist Participants with utilizing the HIE in treatment and billing, as described in the AeHN Use and Disclosure Procedures, and as required by law (as described in VII.B below). AeHN staff shall review these procedures and shall use and disclose PHI only in accordance with such procedures.
B. Mandatory Disclosures
HIPAA requires disclosure of information in certain circumstances, including but not limited to requests from an individual and requests from the U.S. Department of Health and Human Services. These required disclosures are described further in the AeHN Use and Disclosure Procedures and all AeHN staff shall comply with such disclosure requests.
C. Disclosure of PHI to Business Associates
All uses and disclosures by a Business Associate of AeHN must be made in accordance with a valid business associate or a contract including HIPAA compliant business associate language, subject to the requirements of this Policy and the AeHN Use and Disclosure Procedures.
VIII. Verification of Identity of Those Requesting PHI
Employees must take steps to verify the identity of individuals who request access to PHI. They must also verify the authority of any person to have access to PHI, if the identity or authority of such person is not known. The process for verifying an individual’s identity is described further in AeHN’s Use and Disclosure Procedures.
IX. Complying with Individual Rights
HIPAA provides patients with individual rights that shall be recognized and enforced by AeHN. The AeHN PSO shall develop procedures describing these rights and how to recognize these rights. The following rights shall be recognized in accordance with such procedures:
A. Access
B. Amendment
C. Accounting of Disclosures of PHI
D. Confidential Communications
E. Requests for Restrictions on Uses and Disclosures of PHI
X. Complaints
A. Internal Submission of a Complaint.
Any individual who believes his/her rights under HIPAA have been violated may file a complaint regarding the alleged violation. Any privacy‐related complaint made by an individual at any time must be forwarded to the PSO. The PSO will investigate the alleged privacy violations. If an AeHN employee is determined to be in violation of this Policy, s/he will be subject to discipline, up to and including termination of employment.
B. External Submission of a Complaint.
An individual also may file a complaint with the Secretary of the U.S. Department of Health and Human Services (“DHHS”).
3.100 HIPAA Privacy & Permitted Disclosures Policy
APPROVED BY:
ADOPTED: 09/21/2011 v1 REVISED: 02/20/2013 v2 REVISED: 05/31/2013 v3
REVISED:
4.200 External HIE Privacy, Security and Compliance Policy v3 Page 1 of 5 Originally Adopted 02/20/2013 Revision Adopted
4.200 External HIE Privacy, Security and Compliance Policy
Policy Summary
To meet the requirements of the Privacy, Security and Breach Notification Rules, AeHN has adopted this policy to govern the use and disclosure of PHI in the Health Information Exchange (HIE) (including Direct Secure Messaging). This document establishes, in accordance with applicable law, AeHN’s policy for ethical and compliant behavior in regard to the privacy and security of Protected Health Information (PHI), Personal Information, and other records protected by applicable state and federal confidentiality laws and contained in the HIE. The policy is divided into Privacy, Security and Breach Notification elements, each of which are further carried out by the procedures found at 4.201 et seq.
Purpose
This policy reflects AeHN’s commitment to appropriately use and physically protect protected health information (PHI).
Scope/Applicability
The following procedures apply to the access, use and disclosure of protected health information by Participants through the AeHN Health Information Exchange ("HIE") and other data exchange services being made available to Participants in AeHN, such as Direct Secure Messaging (the HIE and other services are collectively referred to as the "System"). If there is any conflict between this Policy and the Participation Agreement, the Participation Agreement shall control. The procedures found at 4.201 et seq. will specify if they pertain solely to HIE, Direct Secure Messaging or both activities. Here is a table indicating the applicability of the procedures to HIE and DSM, as well as the corresponding provision of the Participation Agreement, if any:
Procedure | Sections Applicable to HIE | Sections Applicable to DSM | Corresponding Participation Agreement (PA) or HIE/DSM Addendum (HD) Section(s)
4.201 Participant Compliance with Law and Policy | All | All | PA II.B.2, PA II.H.1, HD IV.A
4.202 Notice of Privacy Practices | All | None | HD VI.G
4.203 Opt‐Out Information Procedure | All | None | HD VI.G
4.204 Access to and Use and Disclosure of Information | All | 1,2,4,5,6,8,10 | HD III, HD IV.B
4.205 Information Subject to Special Protection Procedure | All | None | HD IV.D
4.206 Minimum Necessary | 1,2,4‐7 | 1,3‐7 |
4.207 Participant Workforce, Agents and Contractors | All | All | HD IV.C
4.208 Amendment and Storage of Data | All | 3‐4 | HD V.G
4.209 Requests for Restrictions | All | All |
4.210 Mitigation | All | All |
4.211 Investigations; Incident Response System | All | All | PA II.B.3, HD VI.E
4.212 Authorized User Controls | All | All | HD V.D
4.213 Sanctions | All | All |
Regulatory Category, Type, Legal Regulatory Reference
45 CFR §164 (Security Rule, Breach Notification Rule & Privacy Rule); AS 18.23.300 et seq.; 7 AAC 166.010 et seq.
Policy Authority/Enforcement
AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO), in collaboration with the Participants, are responsible for monitoring and enforcement of the External HIE Privacy, Security and Compliance Policy and related Procedures.
Related Policies & Procedures
Security Rule ‐ Internal Security Policies and Procedures found at 2.100 through 2.408
Breach Notification Rule – 2.600 Breach Notification Policy; 2.601 Breach Notification Procedure
Privacy Rule ‐ Internal Privacy Policies and Procedures found at 3.100 through 3.101
Privacy, Security, Breach Notification and General Compliance for HIE Participants ‐ External HIE Privacy, Security and Compliance Procedures found at 4.201 through 4.213
Renewal/Review
This policy is to be reviewed annually to determine if the policy complies with current Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security regulations and to ensure
that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.
Policy
I. Privacy Policy.
A. The guiding AeHN privacy principles are applied by AeHN through its internal Privacy and Security Policies, as well as its Privacy and Security Plan. These principles are as follows, and should be applied by Participants in their use of the HIE and DSM:
1. Openness and Transparency.
2. Purpose Specification and Minimization.
3. Disclosure Limitation.
4. Access and Use Limitation.
5. Individual Participation and Control.
6. Data Integrity and Quality.
7. Security Safeguards and Controls.
8. Accountability and Oversight.
9. Remedies.
10. Reliance on Covered Entity Rules and Enforcement.
B. Qualifying Uses of Information. AeHN and Participants have placed the burden on the requesting Participant to access information from another Participant’s records only for a qualifying use by the requesting Participant. A qualifying use is one that meets the terms of the Participation Agreement and State and Federal law.
C. Mitigation of Inadvertent Disclosures of PHI
Participants must report any improper use or disclosure of PHI of which they become aware to in accordance with the procedures enacted under this Policy. The Participant shall work with AeHN to determine the reasonable and appropriate steps that can be taken which may mitigate any resulting harm.
D. Sanctions for Violations of PHI Privacy
All Participants shall enact a policy for imposing sanctions for using or disclosing PHI in violation of this Policy and the underlying Procedures, in accordance with Procedure 4.213, “Sanctions”.
E. Documentation
Participants shall maintain copies of HIPAA compliance documents relevant to their use of the HIE and DSM for a period of at least six (6) years from the date the documents were created or were last in effect, whichever is later.
F. Complying with Individual Rights
HIPAA provides patients with individual rights that shall be recognized and enforced by AeHN, and Participants shall assist patients in exercising these rights in accordance with the procedures enacted hereunder. The following rights shall be recognized in accordance with such procedures:
A. Access
B. Amendment
C. Accounting of Disclosures of PHI
D. Confidential Communications
E. Requests for Restrictions on Uses and Disclosures of PHI
II. Security Policy
1. Compliance. AeHN is committed to running the HIE in compliance with all applicable laws, regulations and AeHN policies/procedures. AeHN has adopted this policy in part to provide for the security of EPHI in accordance with the federal HIPAA Security Regulations. This policy and the procedures enacted hereunder encompass AeHN’s general approach to compliance with HIPAA Security Regulations through policy statements and procedures in the following categories:
a. Administrative Safeguards,
b. Physical Safeguards, and
c. Technical Safeguards.
2. Administrative Safeguards. The security management process is designed to prevent, detect, contain, and correct security violations relative to the HIE. The execution, development and implementation of remediation programs is the joint responsibility of AeHN and the Participants.
a. Participants are expected to cooperate fully with any risk assessment being conducted by AeHN.
b. HIE audit procedures will be implemented and maintained to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews will be used to determine if Participants are complying with the requirements of this policy and the related procedures.
c. Participants will assist in making sure access to the HIE is assigned and managed appropriate to the duties and responsibilities of each authorized user, and that authorized users are properly trained on the applicable laws, policies and procedures.
3. Physical Safeguards. Physical Safeguards are to be made in order to protect the HIE, related buildings and equipment from natural and environmental hazards
and unauthorized intrusion. Procedures will be implemented that limit physical access to electronic information systems and the facility or facilities in which such systems are housed, while still ensuring that proper authorized access is allowed. Participants should ensure that similar safeguards are in place to protect access points to the HIE owned by or housed with Participants.
4. Technical Safeguards. Technical Safeguards shall be maintained by each Participant that protect the HIE and control access to assure that such systems are accessed only by those individuals or software programs that have been granted access rights. Participants will implement technical security measures to guard against unauthorized access to or modification of EPHI that is being transmitted to or from the HIE.
III. Breach Notification Policy. AeHN has implemented internal policies and procedures to address breaches, including breach notification and mitigation measures. Participants are expected to assist with the breach notification process as it applies to their organization, and to follow related procedures enacted under this policy.
4.200 External HIE Privacy, Security and Compliance Policy
APPROVED BY: AeHN Board
ADOPTED: 02/20/2013 v1
REVISED: 05/31/2013 v2
REVISED: 04/18/2014 v3
4.200 External HIE Privacy, Security and Compliance Policy v32 Page 1 of 8 Originally Adopted 02/20/2013 Revision Adopted 05/31/2013
4.200 External HIE Privacy, Security and Compliance Policy
Policy Background
AeHN has modeled its Network Responsibilities on the Nebraska Health Information Initiative Privacy Rules, and the Connecting For Health "Model Privacy Rules and Procedures for Health Information Exchange," with a number of differences based on state law, physical and technical safeguards available through AeHN, and AeHN's unique operating environment. Thank you to those organizations for their knowledge and expertise in this area. These core privacy principles and the rules that flow from them promote balance between consumer control of and access to health information and the operational need of covered entities to ensure that information uses and disclosures are not overly restricted, such that consumers would be denied many of the benefits and improvements that information technology can bring to the health care system. The rules are intended to reflect a carefully balanced view of all of the principles and avoid emphasizing some over others in any way that would weaken the overall approach.
Policy Summary
To meet the requirements of the Privacy, Security and Breach Notification Rules, AeHN has adopted this policy to govern the use and disclosure of PHI in the Health Information Exchange (HIE) (including Direct Secure Messaging). This document establishes, in accordance with applicable law, AeHN’s policy for ethical and compliant behavior in regard to the privacy and security of Protected Health Information (PHI), Personal Information, and other records protected by applicable state and federal confidentiality laws and contained in the HIE. The policy is divided into Privacy, Security and Breach Notification elements, each of which are further carried out by the procedures found at 4.201 et seq.
Purpose
This policy reflects AeHN’s commitment to appropriately use and physically protect protected health information (PHI).
Scope/Applicability
The following procedures apply to the access, use and disclosure of protected health information by Participants through the AeHN Health Information Exchange ("HIE") and other data exchange services being made available to Participants in AeHN, such as Direct Secure Messaging (the HIE and other services are collectively referred to as the "System"). If there is any conflict between this Policy and the Participation Agreement, the Participation Agreement shall control. The procedures found at 4.201 et seq. will specify if they pertain solely to HIE, Direct Secure Messaging or both activities. Here is a table
indicating the applicability of the procedures to HIE and DSM, as well as the corresponding provision of the Participation Agreement, if any:
Procedure | Sections Applicable to HIE | Sections Applicable to DSM | Corresponding Participation Agreement (PA) or HIE/DSM Addendum (HD) Section(s)
4.201 Participant Compliance with Law and Policy | All | All | PA II.B.2, PA II.H.1, HD IV.A
4.202 Notice of Privacy Practices | All | None | HD VI.G
4.203 Individual Control of Information Available Through HIE Opt‐Out Information Procedure | All | None | HD VI.G
4.204 Access to and Use and Disclosure of Information | All | 1,2,4,5,6,8,107,9,11 | HD III, HD IV.B
4.205 Information Subject to Special Protection Procedure | All | None | HD IV.D
4.206 Minimum Necessary | 1,2,4‐7 | 1,3‐7 |
4.207 Participant Workforce, Agents and Contractors | All | All | HD IV.C
4.208 Amendment and Storage of Data | All | 3‐4 | HD V.G
4.209 Requests for Restrictions | All | All |
4.210 Mitigation | All | All |
4.211 Investigations; Incident Response System | All | All | PA II.B.3, HD VI.E
4.212 Authorized User Controls | All | All | HD V.D
4.213 Sanctions | All | All |
Regulatory Category, Type, Legal Regulatory Reference
45 CFR §164 (Security Rule, Breach Notification Rule & Privacy Rule); AS 18.23.300 et seq.; 7 AAC 166.010 et seq.
45 CFR §164.502 Uses and disclosures of protected health information: general rules.
(a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) To the individual;
(ii) For treatment, payment, or health care operations, as permitted by and in compliance with §164.506;
(iii) Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §164.502(b), §164.514(d), and §164.530(c) with respect to such otherwise permitted or required use or disclosure;
(iv) Pursuant to and in compliance with a valid authorization under §164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by, §164.510; and
(vi) As permitted by and in compliance with this section, §164.512, or §164.514(e), (f), or (g).
(2) Required disclosures. A covered entity is required to disclose protected health information:
(i) To an individual, when requested under, and required by §164.524 or §164.528; and
(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subpart.
45 CFR §164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
45 CFR §164.404 Notification to Individuals.
(a) Standard—(1) General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
Privacy, Security and Breach Notification Rules; Required and Addressable Standards; 45 CFR §164
Policy Authority/Enforcement
AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO), in collaboration with the Participants, are responsible for monitoring and enforcement of the External HIE Privacy, Security and Compliance Policy and related Procedures.
Related Policies & Procedures
Security Rule ‐ Internal Security Policies and Procedures found at 2.100 through 2.408
Breach Notification Rule – 2.600 Breach Notification Policy; 2.601 Breach Notification Procedure
Privacy Rule ‐ Internal Privacy Policies and Procedures found at 3.100 through 3.101
Privacy, Security, Breach Notification and General Compliance for HIE Participants ‐ External HIE Privacy, Security and Compliance Procedures found at 4.201 through 4.213
Renewal/Review
This policy is to be reviewed annually to determine if the policy complies with current Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.
Policy
I. Privacy Policy.
I.A. The guiding AeHN privacy principles are applied by AeHN through its internal Privacy and Security Policies, as well as its Privacy and Security Plan. These principles are as follows, and should be applied by Participants in their use of the HIE and DSM are as follows::
A.1. Openness and Transparency. Clarity about procedures, policies, developments, and technology concerning the handling of protected health information is vital to protecting privacy. Individuals should be able to understand what information exists about them, how the personal information is used, and how they can control use of that information.
B.2. Purpose Specification and Minimization. Access to and use of protected health information must be limited to the type and amount necessary to accomplish specified permitted purposes. Minimizing the use of protected health information will help decrease the amount of privacy violations, which may occur when data is collected for one legitimate reason and then reused for different or unauthorized purposes.
C.3. Disclosure Limitation. Protected health information should be made available through the AeHN System to Participants only by lawful means. Electronic collection of protected information may be confusing to most individuals. Individuals should be educated about the potential health and treatment benefits as well as risks to their protected health information that are associated with participation in the System. Individuals deciding not to participate should have the opportunity to know the System‐wide effect of such decision and the potential disadvantages.
D.4. Access and Use Limitation. Protected health information should be obtained by one Participant from the System only pursuant to mutual agreement (included in the Participant Agreement) that the information is being accessed for qualifying purposes of the requesting Participant. Information recipients may use and disclose protected health information obtained through the System only for purposes and uses consistent with the Participant Agreement and consistent with their
obligationsascoveredentitiesunderHIPAAandotherapplicableFederalandStatelaws.
E.5. Individual Participation and Control. Consistent with the scope of individual rights in HIPAA, individuals should have the right to request and receive in a timely and intelligible manner information regarding various parties that may have that individual’s specific health information. Individuals have a vital stake in personal protected health information; such rights enable individuals to make informed decisions about participation and provide another means to monitor for inappropriate access, use and disclosure of protected health information. Individual participation promotes information quality, privacy, and confidence in privacy practices. Individuals should be made aware of their rights with regard to the HIE, through the AeHN Notice of Data Practices and the Participants’ revised Notice of Privacy Practices.
F.6. Data Integrity and Quality. Health information should be detailed, complete, appropriate, and current to guarantee its value to the various parties. The effective delivery of quality healthcare depends on complete health information. Therefore, the System must maintain the integrity of protected health information and individuals must be allowed to view information about them and request to amend such health information so that it is accurate and complete.
G.7. Security Safeguards and Controls. In an era of increased computer and Internet‐related crime, security safeguards are vital to privacy protection. Electronic environments could be susceptible to cyber‐crime without adequate controls. Such controls are put in place to prevent information loss, corruption, unauthorized use, modification, and disclosure. Safeguards that can be implemented include information scrubbing, identity management tools, hashing, auditing, authenticating, and other means to ensure information privacy. Privacy and security safeguards should be coordinated for the protection of protected health information.
H.8. Accountability and Oversight. Privacy protections have less value to an individual if privacy violators are not held accountable for failing to follow procedures relating to such privacy protections. Participants are unlikely to fully trust the System and fully participate if they believe other Participants are not applying the same rules and being held to the same standard of accountability. User and workforce training, privacy audits, and other oversight tools can help to identify and address privacy violations and security breaches by conditioning participation and access authority on compliance with these and the individual Participant's privacy policies, by excluding from participation those who violate privacy requirements, and by identifying and correcting weaknesses in privacy and security safeguards.
I.9. Remedies. To ensure privacy protection there must be legal and financial remedies that hold violators accountable for failing to comply with System policies. Such remedies will give individuals confidence in the organization’s commitment to keeping protected health information private, and mitigate any harm that privacy violations may cause individuals. As a condition of continued participation, all Participants in the System must have a common duty to participate in investigation, mitigation and remediation steps for the integrity of the System.
J.10. Reliance on Covered Entity Rules and Enforcement. While AeHN should have a number of core policies and procedures for the benefit and confidence of all Participants, AeHN should not try to replace policies, procedures and methods already adopted by Participants as covered entities under HIPAA. AeHN should identify, disseminate and enforce only those policies and procedures necessary for coordination of privacy breach response and other mitigating measures, but should recognize that existing Participant policies govern in all other areas.
B. Qualifying Uses of Information. AeHN and Participants have placed the burden on the requesting Participant to access information from another Participant’s records only for a qualifying use by the requesting Participant. A qualifying use is one that meets the terms of the Participation Agreement and State and Federal law.
C. Mitigation of Inadvertent Disclosures of PHI
Participants must report any improper use or disclosure of PHI of which they become aware to in accordance with the procedures enacted under this Policy. The Participant shall work with AeHN to determine the reasonable and appropriate steps that can be taken which may mitigate any resulting harm.
D. Sanctions for Violations of PHI Privacy
All Participants shall enact a policy for imposing sanctions for using or disclosing PHI in violation of this Policy and the underlying Procedures, in accordance with Procedure 4.213, “Sanctions”.
E. Documentation
Participants shall maintain copies of HIPAA compliance documents relevant to their use of the HIE and DSM for a period of at least six (6) years from the date the documents were created or were last in effect, whichever is later.
F. Complying with Individual Rights
HIPAA provides patients with individual rights that shall be recognized and enforced by AeHN, and Participants shall assist patients in exercising these rights in accordance with the procedures enacted hereunder. The following rights shall be recognized in accordance with such procedures:
A. Access
B. Amendment
C. Accounting of Disclosures of PHI
D. Confidential Communications
E. Requests for Restrictions on Uses and Disclosures of PHI
II.
III.II. Security Policy
1. Compliance. AeHN is committed to running the HIE in compliance with all applicable laws, regulations and AeHN policies/procedures. AeHN has adopted this policy in part to provide for the security of EPHI in accordance with the federal HIPAA Security Regulations. This policy and the procedures enacted hereunder encompass AeHN’s general approach to compliance with HIPAA Security Regulations through policy statements and procedures in the following categories:
a. Administrative Safeguards,
b. Physical Safeguards, and
c. Technical Safeguards.
2. Administrative Safeguards. The security management process is designed to prevent, detect, contain, and correct security violations relative to the HIE. The execution, development and implementation of remediation programs is the joint responsibility of AeHN and the Participants.
a. Participants are expected to cooperate fully with any risk assessment being conducted by AeHN.
b. HIE audit procedures will be implemented and maintained to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews will be used to determine if Participants are complying with the requirements of this policy and the related procedures.
c. Participants will assist in making sure access to the HIE is assigned and managed appropriate to the duties and responsibilities of each authorized user, and that authorized users are properly trained on the applicable laws, policies and procedures.
3. Physical Safeguards. Physical Safeguards are to be made in order to protect the HIE, related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Procedures will be implemented that limit physical access to electronic information systems and the facility or facilities in which such systems are housed, while still ensuring that proper authorized access is allowed. Participants should ensure that similar safeguards are in place to protect access points to the HIE owned by or housed with Participants.
4. Technical Safeguards. Technical Safeguards shall be maintained by each Participant that protect the HIE and control access to assure that such systems are accessed only by those individuals or software programs that have been granted access rights. Participants will implement technical security measures to guard against unauthorized access to or modification of EPHI that is being transmitted to or from the HIE.
IV.III. Breach Notification Policy. AeHN has implemented internal policies and procedures to address breaches, including breach notification and mitigation measures. Participants are expected to assist with the breach notification process as it applies to their organization, and to follow related procedures enacted under this policy.
4.200 External HIE Privacy, Security and Compliance Policy
APPROVED BY: AeHN Board
ADOPTED: 02/20/2013 v1
REVISED: 05/31/2013 v2
REVISED: 04/18/2014 v3
5/15/2013 Page 1 of 8
Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Apr-15 May-15 Jun-15 Total
Income
4025 GRANTS 135,753 135,753 135,753 135,753 135,753 135,753 135,753 135,752 135,752 - - - 1,221,775
4060 PARTICIPANT FEES (HIE) 4,000 4,000 165,960 4,000 4,000 28,680 63,013 4,000 49,392 30,080 16,975 125,000 499,100
4065 PARTICIPANT FEES (DSM) 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 13,500
4068 CONSULTING - - - - - - - - - - - - -
4200 DONATIONS - - - - - - - - - - - - -
4300 CONTRACTS 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 1,500,000
4301 PAYERS - - - - - - - - - - - - -
- - - - - - - - - - - - -
- - - - - - - - - - - - -
Total Income 265,878 265,878 427,838 265,878 265,878 290,558 324,891 265,877 311,269 156,205 143,100 251,125 3,234,375
Gross Profit 265,878 265,878 427,838 265,878 265,878 290,558 324,891 265,877 311,269 156,205 143,100 251,125 3,234,375
Expenses
4490 GENERAL OFFICE -
4102 OFFICE SUPPLIES 1,867 1,867 1,867 1,867 1,867 1,867 1,866 1,866 1,866 500 500 500 18,300
4110 OUTREACH & MARKETING 4,975 4,974 27,975 4,976 5,976 4,976 16,276 5,976 5,976 1,000 1,000 20,685 104,765
4115 BANK CHARGES/FEES 20 20 20 20 20 20 20 20 20 20 20 20 240
4420 DUES/SUBSCRIPTIONS - - - - - - - - - - - - -
4450 PRINTING/COPIES/PHOTOS 800 10 10 800 10 10 800 10 10 800 10 10 3,280
4462 POSTAGE 1,300 100 100 1,300 100 100 1,300 100 100 1,200 - - 5,700
4500 INSURANCE - G/L, D&O, Cyber - 5,300 - - - - - - - - 1,750 - 7,050
4505 INSURANCE - WC - - - - - - - 4,200 - - - - 4,200
4700 FOOD OTHER 500 500 500 500 500 500 500 500 500 500 500 500 6,000
Total 4490 GENERAL OFFICE 9,462 12,771 30,472 9,463 8,473 7,473 20,762 12,672 8,472 4,020 3,780 21,715 149,535
4600 FACILITIES -
4620 FACILITIES RENT/LEASE 4,600 4,600 4,675 4,675 4,675 4,675 4,675 4,675 4,675 2,385 2,385 2,385 49,080
4680 UTILITIES - - - - - - - - - - - - -
4682 TELEPHONE/INTERNET 500 500 500 500 500 500 500 500 500 500 500 500 6,000
4690 MISC FACILITIES COSTS - - - - - - - - - - - - -
Total 4600 FACILITIES 5,100 5,100 5,175 5,175 5,175 5,175 5,175 5,175 5,175 2,885 2,885 2,885 55,080
4800 WORKSHOPS & EVENTS - - - - - - - - - - - - -
5050 HUMAN RESOURCES - - - 2,850 - - - - - 2,850 - - 5,700
5100 PAYROLL EXPENSES - - - - - - - - - - - - -
5110 TECHNICAL STAFF 32,879 32,880 32,880 32,880 32,880 32,881 32,882 32,881 32,881 27,917 27,917 27,917 379,674
5120 ADMINISTRATIVE STAFF 46,085 31,585 31,585 31,585 31,585 31,585 31,585 31,585 31,585 27,983 27,983 19,583 374,315
5170 BENEFITS 12,942 12,942 12,942 12,941 12,941 12,941 12,941 12,941 12,941 8,705 8,705 5,500 139,382
Total 5100 PAYROLL EXPENSES 91,906 77,407 77,407 77,406 77,406 77,407 77,408 77,407 77,407 64,605 64,605 53,000 893,371
5200 PROFESSIONAL FEES -
5210 LEGAL 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 38,400
Alaska eHealth Network Budget - All Classes by Month
July 2014 - June 2015
5215 ACCOUNTING & AUDITING 3,000 3,000 14,000 11,000 8,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 60,000
5220 PROJECT MANAGEMENT - - - - - - - - - - - - -
5225 PROJECT COMMUNICATIONS - - 22,500 - - 2,500 - - 2,500 - - 23,000 50,500
5235 OTHER CONSULTING SERVICES 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 12,000
5240 HIT/EHR CONSULTING 69,877 69,877 69,877 69,877 69,877 69,876 69,876 69,876 69,876 - - - 628,889
5250 CONTRACT EMP SVCS 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 12,000
Total 5200 PROFESSIONAL FEES 78,077 78,077 111,577 86,077 83,077 80,576 78,076 78,076 80,576 8,200 8,200 31,200 801,789
5300 TECHNOLOGY SERVICES -
5310 DESKTOP SUPPORT 200 200 200 200 200 200 200 200 200 200 200 200 2,400
5320 ONLINE HOSTING FEES 400 400 400 400 400 400 400 400 400 400 400 400 4,800
Direct Services Message 2,500 2,500 5,000 5,000 5,000 5,000 2,500 2,500 2,500 5,000 2,500 2,500 42,500
5360 WEBSITE DESIGN & MAINTENANCE - - - - - - - - 1,200 - - - 1,200
Total 5300 TECHNOLOGY SERVICES 3,100 3,100 5,600 5,600 5,600 5,600 3,100 3,100 4,300 5,600 3,100 3,100 50,900
5500 TRAVEL -
5520 TRANS/LODGING/OTHER 7,223 7,223 7,222 7,222 7,222 7,222 7,222 7,222 7,222 3,000 3,000 3,000 74,000
5525 MEALS & PER DIEM 500 500 500 500 500 500 500 500 500 500 500 500 6,000
5527 MISC TRAVEL EXPENSE - - - - - - - - - - - - -
Total 5500 TRAVEL 7,723 7,723 7,722 7,722 7,722 7,722 7,722 7,722 7,722 3,500 3,500 3,500 80,000
5510 TRAINING/STAFF EDUCATION 500 500 500 500 500 500 500 500 500 500 500 500 6,000
7400 EQUIPMENT/FURNITURE - - - - - - - - - - - - -
7420 EQUIP/FURN < $5K - - - - - - - - - - - - -
Total 7400 EQUIPMENT/FURNITURE - - - - - - - - - - - - -
Total Expenses 195,868 184,678 238,453 194,793 187,953 184,453 192,743 184,652 184,152 92,160 86,570 115,900 2,042,375
Net Operating Income 70,010 81,200 189,385 71,085 77,925 106,105 132,148 81,225 127,117 64,045 56,530 135,225 1,192,000
Other Income
7590 HIE Acquisition Reimbursement -
Total Other Income - - - - - - - - - - - - -
Other Expenses
7601 ORION OTHER 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 192,000
7600 AK HIE SERVICE (SAAS) 83,334 83,333 83,333 83,334 83,333 83,333 83,334 83,333 83,333 83,334 83,333 83,333 1,000,000
Total Other Expenses 99,334 99,333 99,333 99,334 99,333 99,333 99,334 99,333 99,333 99,334 99,333 99,333 1,192,000
Net Other Income (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (1,192,000)
Net Income (29,324) (18,133) 90,052 (28,249) (21,408) 6,772 32,814 (18,108) 27,784 (35,289) (42,803) 35,892 -
Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Apr-15 May-15 Jun-15 Total
Income
4025 GRANTS - - - - - - - - - - - - -
4060 PARTICIPANT FEES (HIE) 4,000 4,000 165,960 4,000 4,000 28,680 63,013 4,000 49,392 30,080 16,975 125,000 499,100
4065 PARTICIPANT FEES (DSM) 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 13,500
4068 CONSULTING -
4200 DONATIONS -
4300 CONTRACTS 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 1,500,000
4301 PAYERS - - - - - - - - - - - - -
-
- - - - - - - - - - - - -
Total Income 130,125 130,125 292,085 130,125 130,125 154,805 189,138 130,125 175,517 156,205 143,100 251,125 2,012,600
Gross Profit 130,125 130,125 292,085 130,125 130,125 154,805 189,138 130,125 175,517 156,205 143,100 251,125 2,012,600
Expenses
4490 GENERAL OFFICE -
4102 OFFICE SUPPLIES 200 200 200 200 200 200 200 200 200 500 500 500 3,300
4110 OUTREACH & MARKETING 1,000 1,000 24,000 1,000 2,000 1,000 12,300 2,000 2,000 1,000 1,000 20,685 68,985
4115 BANK CHARGES/FEES -
4420 DUES/SUBSCRIPTIONS -
4450 PRINTING/COPIES/PHOTOS 800 10 10 800 10 10 800 10 10 800 10 10 3,280
4462 POSTAGE 1,200 1,200 1,200 1,200 4,800
4500 INSURANCE - G/L, D&O, Cyber 5,300 - - - - - - - - 1,750 7,050
4505 INSURANCE - Workmen's Comp - - - - - - 4,200 - - - 4,200
4700 FOOD OTHER - - - - - - - - - - - -
Total 4490 GENERAL OFFICE 3,200 6,510 24,210 3,200 2,210 1,210 14,500 6,410 2,210 3,500 3,260 21,195 91,615
4600 FACILITIES -
4620 FACILITIES RENT/LEASE 2,310 2,310 2,385 2,385 2,385 2,385 2,385 2,385 2,385 2,385 2,385 2,385 28,470
4680 UTILITIES -
4682 TELEPHONE/INTERNET 250 250 250 250 250 250 250 250 250 500 500 500 3,750
4690 MISC FACILITIES COSTS -
Total 4600 FACILITIES 2,560 2,560 2,635 2,635 2,635 2,635 2,635 2,635 2,635 2,885 2,885 2,885 32,220
4800 WORKSHOPS & EVENTS -
5050 HUMAN RESOURCES 2,850 2,850 5,700
5100 PAYROLL EXPENSES -
5110 TECHNICAL STAFF 6,700 6,700 6,700 6,700 6,700 6,700 6,700 6,700 6,700 27,917 27,917 27,917 144,050
5120 ADMINISTRATIVE STAFF 26,585 12,085 12,085 12,085 12,085 12,085 12,085 12,085 12,085 27,983 27,983 19,583 198,815
5170 BENEFITS 5,500 5,500 5,500 5,500 5,500 5,500 5,500 5,500 5,500 8,705 8,705 5,500 72,410
Total 5100 PAYROLL EXPENSES 38,785 24,285 24,285 24,285 24,285 24,285 24,285 24,285 24,285 64,605 64,605 53,000 415,275
5200 PROFESSIONAL FEES -
5210 LEGAL 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 38,400
Alaska eHealth Network Budget - HIE by Month
July 2014 - June 2015
5215 ACCOUNTING & AUDITING 3,000 3,000 14,000 11,000 8,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 60,000
5220 PROJECT MANAGEMENT -
5225 PROJECT COMMUNICATIONS 22,500 2,500 2,500 23,000 50,500
5235 OTHER CONSULTING SERVICES 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 12,000
5240 HIT/EHR CONSULTING
5250 CONTRACT EMP SVCS 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 12,000
Total 5200 PROFESSIONAL FEES 8,200 8,200 41,700 16,200 13,200 10,700 8,200 8,200 10,700 8,200 8,200 31,200 172,900
5300 TECHNOLOGY SERVICES -
5310 DESKTOP SUPPORT 150 150 150 150 150 150 150 150 150 200 200 200 1,950
5320 ONLINE HOSTING FEES 200 200 200 200 200 200 200 200 200 400 400 400 3,000
5330 SECURITY SERVICES 2,500 2,500 5,000 5,000 5,000 5,000 2,500 2,500 2,500 5,000 2,500 2,500 42,500
5360 WEBSITE DESIGN & MAINTENANCE 1,200 1,200
Total 5300 TECHNOLOGY SERVICES 2,850 2,850 5,350 5,350 5,350 5,350 2,850 2,850 4,050 5,600 3,100 3,100 48,650
5500 TRAVEL -
5520 TRANS/LODGING/OTHER 3,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 36,000
5525 MEALS & PER DIEM 500 500 500 500 500 500 500 500 500 500 500 500 6,000
5527 MISC TRAVEL EXPENSE -
Total 5500 TRAVEL 3,500 3,500 3,500 3,500 3,500 3,500 3,500 3,500 3,500 3,500 3,500 3,500 42,000
5510 TRAINING/STAFF EDUCATION 500 500 500 500 500 500 500 500 500 500 500 500 6,000
7400 EQUIPMENT/FURNITURE -
7420 EQUIP/FURN < $5K -
Total 7400 EQUIPMENT/FURNITURE - - - - - - - - - - - - -
Total Expenses 59,595 48,405 102,180 58,520 51,680 48,180 56,470 48,380 47,880 91,640 86,050 115,380 814,360
Net Operating Income 70,530 81,720 189,905 71,605 78,445 106,625 132,668 81,745 127,637 64,565 57,050 135,745 1,198,240
Other Income
7590 HIE Acquisition Reimbursement -
Total Other Income - - - - - - - - - - - - -
Other Expenses
7601 ORION OTHER 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 192,000
7600 AK HIE SERVICE (SAAS) 83,334 83,333 83,333 83,334 83,333 83,333 83,334 83,333 83,333 83,334 83,333 83,333 1,000,000
Total Other Expenses 99,334 99,333 99,333 99,334 99,333 99,333 99,334 99,333 99,333 99,334 99,333 99,333 1,192,000
Net Other Income (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (1,192,000)
Net Income (28,804) (17,613) 90,572 (27,729) (20,888) 7,292 33,334 (17,588) 28,304 (34,769) (42,283) 36,412 6,240
Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Apr-15 May-15 Jun-15 Total
Income
4025 GRANTS 135,753 135,753 135,753 135,753 135,753 135,753 135,753 135,752 135,752 1,221,775
4060 PARTICIPANT FEES (HIE) - - - - - - - - - -
4065 PARTICIPANT FEES (DSM) -
4068 CONSULTING -
4200 DONATIONS - - - - - - - - - -
4300 CONTRACTS -
-
-
-
Total Income 135,753 135,753 135,753 135,753 135,753 135,753 135,753 135,752 135,752 1,221,775
Gross Profit 135,753 135,753 135,753 135,753 135,753 135,753 135,753 135,752 135,752 1,221,775
Expenses
4490 GENERAL OFFICE -
4102 OFFICE SUPPLIES 1,667 1,667 1,667 1,667 1,667 1,667 1,666 1,666 1,666 15,000
4110 OUTREACH & MARKETING 3,975 3,974 3,975 3,976 3,976 3,976 3,976 3,976 3,976 35,780
4115 BANK CHARGES/FEES -
4420 DUES/SUBSCRIPTIONS -
4450 PRINTING/COPIES/PHOTOS -
4462 POSTAGE 100 100 100 100 100 100 100 100 100 900
4500 INSURANCE - G/L, D&O, Cyber -
4505 INSURANCE - Workmen's Comp -
4700 FOOD OTHER -
Total 4490 GENERAL OFFICE 5,742 5,741 5,742 5,743 5,743 5,743 5,742 5,742 5,742 51,680
4600 FACILITIES -
4620 FACILITIES RENT/LEASE 2,290 2,290 2,290 2,290 2,290 2,290 2,290 2,290 2,290 20,610
4680 UTILITIES -
4682 TELEPHONE/INTERNET 250 250 250 250 250 250 250 250 250 2,250
4690 MISC FACILITIES COSTS -
Total 4600 FACILITIES 2,540 2,540 2,540 2,540 2,540 2,540 2,540 2,540 2,540 22,860
4800 WORKSHOPS & EVENTS -
5100 PAYROLL EXPENSES -
5110 TECHNICAL STAFF 26,179 26,180 26,180 26,180 26,180 26,181 26,182 26,181 26,181 235,624
5120 ADMINISTRATIVE STAFF 19,500 19,500 19,500 19,500 19,500 19,500 19,500 19,500 19,500 175,500
5170 BENEFITS 7,442 7,442 7,442 7,441 7,441 7,441 7,441 7,441 7,441 66,972
Total 5100 PAYROLL EXPENSES 53,121 53,122 53,122 53,121 53,121 53,122 53,123 53,122 53,122 478,096
5200 PROFESSIONAL FEES -
5210 LEGAL -
Alaska eHealth Network Budget - REC
July 2014 - June 2015
5215 ACCOUNTING & AUDITING -
5220 PROJECT MANAGEMENT -
5225 PROJECT COMMUNICATIONS -
5235 OTHER CONSULTING SERVICES -
5240 HIT/EHR CONSULTING 69,877 69,877 69,877 69,877 69,877 69,876 69,876 69,876 69,876 628,889
5250 CONTRACT EMP SVCS -
Total 5200 PROFESSIONAL FEES 69,877 69,877 69,877 69,877 69,877 69,876 69,876 69,876 69,876 628,889
5300 TECHNOLOGY SERVICES -
5310 DESKTOP SUPPORT 50 50 50 50 50 50 50 50 50 450
5320 ONLINE HOSTING FEES 200 200 200 200 200 200 200 200 200 1,800
Direct Services Message -
5360 WEBSITE DESIGN & MAINTENANCE -
Total 5300 TECHNOLOGY SERVICES 250 250 250 250 250 250 250 250 250 2,250
5500 TRAVEL -
5520 TRANS/LODGING/OTHER 4,223 4,223 4,222 4,222 4,222 4,222 4,222 4,222 4,222 38,000
5525 MEALS & PER DIEM -
5527 MISC TRAVEL EXPENSE -
Total 5500 TRAVEL 4,223 4,223 4,222 4,222 4,222 4,222 4,222 4,222 4,222 38,000
5510 TRAINING/STAFF EDUCATION -
7400 EQUIPMENT/FURNITURE -
7420 EQUIP/FURN < $5K -
Total 7400 EQUIPMENT/FURNITURE - - - - - - - - - -
Total Expenses 135,753 135,753 135,753 135,753 135,753 135,753 135,753 135,752 135,752 - - - 1,221,775
Net Operating Income - - - - - - - - - -
Other Income
7590 HIE Acquisition Reimbursement -
Total Other Income -
Other Expenses
7600 AK HIE SERVICE (SAAS) -
Total Other Expenses -
Net Other Income -
Net Income -
Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Apr-15 May-15 Jun-15 Total
Income
4025 GRANTS
4060 PARTICIPANT FEES (HIE)
4065 PARTICIPANT FEES (DSM)
4068 CONSULTING
4200 DONATIONS
4300 CONTRACTS
Total Income
Gross Profit
Expenses
4490 GENERAL OFFICE
4102 OFFICE SUPPLIES
4110 OUTREACH & MARKETING
4115 BANK CHARGES/FEES 20 20 20 20 20 20 20 20 20 20 20 20 240
4420 DUES/SUBSCRIPTIONS
4450 PRINTING/COPIES/PHOTOS
4462 POSTAGE
4500 INSURANCE - G/L, D&O, Cyber
4505 INSURANCE - Workmen's Comp
4700 FOOD OTHER 500 500 500 500 500 500 500 500 500 500 500 500 6,000
Total 4490 GENERAL OFFICE 520 520 520 520 520 520 520 520 520 520 520 520 6,240
4550 HUMAN RESOURCES
4600 FACILITIES
4620 FACILITIES RENT/LEASE
4680 UTILITIES
4682 TELEPHONE/INTERNET
4690 MISC FACILITIES COSTS
Total 4600 FACILITIES
4800 WORKSHOPS & EVENTS
5100 PAYROLL EXPENSES
5110 TECHNICAL STAFF
5120 ADMINISTRATIVE STAFF
5170 BENEFITS
Total 5100 PAYROLL EXPENSES
5200 PROFESSIONAL FEES
5210 LEGAL
Alaska eHealth Network Budget - Unrestricted by Month
July 2014 - June 2015
5215 ACCOUNTING & AUDITING
5220 PROJECT MANAGEMENT
5225 PROJECT COMMUNICATIONS
5235 OTHER CONSULTING SERVICES
5240 HIT/EHR CONSULTING
5250 CONTRACT EMP SVCS
Total 5200 PROFESSIONAL FEES
5310 DESKTOP SUPPORT
5320 ONLINE HOSTING FEES
Direct Services Message
5360 WEBSITE DESIGN & MAINTENANCE
Total 5300 TECHNOLOGY SERVICES
5500 TRAVEL
5520 TRANS/LODGING/OTHER
5525 MEALS & PER DIEM
5527 MISC TRAVEL EXPENSE
Total 5500 TRAVEL
5510 TRAINING/STAFF EDUCATION
7400 EQUIPMENT/FURNITURE
7420 EQUIP/FURN < $5K
Total 7400 EQUIPMENT/FURNITURE
Total Expenses 520 520 520 520 520 520 520 520 520 520 520 520 6,240
Net Operating Income (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (6,240)
Other Income
7590 HIE Acquisition Reimbursement
Total Other Income
Other Expenses
7600 AK HIE SERVICE (SAAS)
Total Other Expenses
Net Other Income
Net Income (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (6,240)
Projected Projected Projected Projected Projected
Jul-13 Aug 2013 Sep 2013 Oct 2013 Nov 2013 Dec 2013 Jan 2014 Feb 2014 Mar 2014 Apr 2014 May 2014 Jun 2014 Total Variance Budget
Income
4025 Grant Revenue
4026 Grant Revenue - Deposits 194,934 222,736 163,856 94,130 160,832 125,427 160,187 201,952 78,210 243,277 191,376 191,376 2,028,293 (268,219) 2,296,512
4027 Grant Receivable Adjustments 44,249 12,019 39,290 58,782 -36,436 34,407 -53,471 -4,052 48,448 143,236 143,236 0
Total 4025 Grant Revenue 239,183 234,755 203,146 152,913 124,396 159,834 106,716 197,899 126,658 243,277 191,376 191,376 2,171,529 (124,983) 2,296,512
4060 Participant Fees (HIE) 4,266 27 144 25 63,022 15,352 18,400 18,400 119,636 (101,164) 220,800
4060.1 Allocated Participant Fees 0 0 0 0 0 0 0 0 0
4070 Services Revenue 250 2,500 0 0
4200 DONATIONS 10 500 323 750 750 2,333 (6,667) 9,000
4250 MISC. INCOME 185 1,307 -1,307 (55,488) 55,488
4300 State Contract Rev 29,000 60,020 29,000 288,250 29,000 29,000 33,900 293,350 29,000 386,250 36,491 36,491 36,491 (18,997) 55,488
4411 Interest Earnings 9 34 12 12 11 16 17 15 15 15 (437,875) 437,890
Total Income 272,459 294,987 232,146 441,315 155,237 187,563 203,650 491,583 171,026 629,794 249,532 247,032 3,576,325 501,147 3,075,178
Expenses
4490 GENERAL OFFICE
4102 OFFICE SUPPLIES 200 3,087 2,006 805 1,091 588 722 322 -897 432 2,892 2,892 14,140 (20,564) 34,704
4105 SOFTWARE AND LICENSE 471 120 1,000 1,591 1,591 0
4110 OUTREACH & MARKETING 1,875 650 3,245 4,104 6,200 1,978 4,382 2,246 11,325 11,325 47,330 (88,570) 135,900
4115 BANK CHARGES/FEES 8 12 9 7 6 28 5 48 5 5 132 132 0
4420 DUES/SUBSCRIPTIONS 145 428 716 393 638 249 197 100 100 2,966 1,766 1,200
4450 PRINTING/COPIES/PHOTOS 145 428 707 393 638 249 1,383 1,383 5,326 (11,270) 16,596
4461 FREIGHT 9 9 9 0
4462 POSTAGE 53 43 64 1,197 51 22 57 1,014 5 1,029 671 671 4,878 (3,174) 8,052
4470 TAXES/LICENSES/FEES 40 25 0 0 65 65 0
4501 INSURANCE - Cyber 5,198 550 167 167 6,082 4,078 2,004
4500 INSURANCE - G/L 1,200 0 1,200 1,200 0
4505 INSURANCE - WC -783 3,987 419 419 4,042 (986) 5,028
4700 FOOD OTHER 204 300 200 473 104 1,000 1,000 3,281 (8,719) 12,000
Total 4490 GENERAL OFFICE 2,630 9,844 1,807 6,805 5,553 637 7,971 9,098 5,647 3,935 19,157 17,957 91,041 (124,443) 215,484
4600 FACILITIES
4620 FACILITIES RENT/LEASE 3,492 7,905 4,579 4,579 4,579 4,579 4,616 4,579 4,579 4,400 4,400 52,289 (511) 52,800
4680 UTILITIES 107 109 30 246 (5,274) 5,520
4682 TELEPHONE/INTERNET 431 427 734 716 96 958 496 484 527 544 375 375 6,164 1,664 4,500
Total 4600 FACILITIES 4,031 8,442 764 5,296 4,675 5,538 5,075 5,100 5,106 5,123 4,775 4,775 58,699 (4,121) 62,820
4800 WORKSHOPS & EVENTS 266 266 532 (2,660) 3,192
5050 HUMAN RESOURCES 30 2,850 500 500 3,880 (2,120) 6,000
5100 PAYROLL EXPENSES 0 0 0 0 0
5110 TECHNICAL STAFF 28,968 30,246 30,718 27,035 27,035 27,452 27,452 27,452 27,452 27,452 35,182 35,182 351,624 (70,560) 422,184
5120 ADMINISTRATIVE STAFF 24,437 23,158 22,687 26,369 26,370 27,203 27,203 27,203 27,203 27,203 29,969 29,969 318,976 (40,652) 359,628
5170 BENEFITS 781 402 25,493 25,493 52,169 (253,747) 305,916
5170.1 Retirement - Co. Contrib. 0 231 0 0 231 0 257 0 0 719 719 0
5170.2 Health Insurance 5,532 6,374 5,853 5,300 5,727 828 3,755 3,904 3,111 3,312 0 0 43,697 43,697 0
Alaska eHealth Network Statement of Activities - Detail
July 1, 2013 - April 15, 2014
5170.3 Paid Leave 4,121 -321 1,931 1,779 2,598 1,990 -1,328 -975 4,716 2,597 0 0 17,109 17,109 0
5170.4 Self Pay Vision 260 200 160 0 0 620 620 0
Company Contributions - Retirement 1,125 1,125 1,125 1,125 1,325 1,358 1,358 1,358 1,358 1,358 0 0 12,617 12,617 0
Total 5170 BENEFITS 10,778 7,178 8,909 8,435 9,650 4,437 4,216 4,448 9,967 7,926 25,493 25,493 126,931 (969,989) 1,096,920
5180 PAYROLL TAXES 4,146 4,135 4,138 4,138 3,720 3,554 4,650 4,688 4,699 4,691 4,691 4,691 51,942 48,774 3,168
Taxes 0 0
Total 5100 PAYROLL EXPENSES 14,924 11,314 13,047 12,573 13,371 7,990 8,866 9,136 14,665 12,618 30,184 30,184 178,872 (921,216) 1,100,088
5200 PROFESSIONAL FEES 1,053 1,053 1,053 0
5210 LEGAL 5,802 1,615 2,218 3,190 2,276 1,918 616 1,078 2,772 924 2,500 2,500 27,410 (2,591) 30,000
5215 ACCOUNTING & AUDITING 9,752 2,856 14,960 8,305 4,838 2,859 2,155 3,397 5,479 2,928 3,200 3,200 63,929 25,529 38,400
5220 PROJECT MANAGEMENT 14,750 1,500 1,500 17,750 (250) 18,000
5225 PROJECT COMMUNICATIONS 3,358 1,685 978 2,796 0 0 8,816 8,816 0
5235 OTHER CONSULTING SERVICES 6,763 11,188 288 6,188 6,188 6,188 4,500 4,500 4,500 4,500 13,442 13,442 81,684 (79,620) 161,304
5240 HIT/EHR Consulting Services 167,883 193,709 137,449 81,152 62,331 47,904 58,848 96,172 60,596 87,367 78,583 78,583 1,150,575 207,579 942,996
5245 PRIVACY & SECURITY 2,500 2,950 2,500 2,500 2,500 2,500 2,500 2,500 2,500 2,500 2,500 2,500 30,450 30,450 0
5250 CONTRACT EMP SERVICES 400 350 263 463 375 725 800 800 800 4,975 4,975 0
Total 5200 PROFESSIONAL FEES 192,699 212,318 157,414 101,735 81,840 63,316 70,135 123,750 79,367 99,018 102,525 102,525 1,386,641 195,941 1,190,700
5300 Tech Services - Ops.
5310 DESKTOP SUPPORT 171.50 1,985.50 1,617.00 588.00 2,572.50 343.00 171.50 98.00 245.00 539.00 3,000 3,000 14,331 (21,669) 36,000
5320 ONLINE HOSTING FEES 354.06 208.16 274.16 566.16 734.16 486.16 177.70 94.30 299.46 38.46 1,000 1,000 5,233 (6,767) 12,000
5330 SECURITY SERVICES 0 0 0
MAINTENANCE 200.00 920.00 521 521 2,162 (4,090) 6,252
Total 5300 Tech Services - Ops. 526 2,194 1,891 1,354 3,307 829 349 192 1,464 577 4,521 4,521 21,726 (32,526) 54,252
5400 HIE Participant Exp.
5410 Participant Training 11,725 11,725 11,725 0
Total 5400 HIE Participant Exp. 0 11,725 0 0 0 0 0 0 0 0 0 0 11,725 11,725 0
5500 TRAVEL
5520 TRANS/LODGING/OTHER 3,605 2,453 5,645 1,441 1,048 5,756 3,818 5,937 4,167 4,562 9,917 9,917 58,266 (60,734) 119,000
5525 PER DIEM 418 1,593 1,348 540 300 937 1,369 942 611 611 1,579 1,579 11,827 (7,123) 18,950
5527 MISC TRAVEL EXPENSE 993 200 200 1,393 (1,007) 2,400
5528 CONFERENCE REGISTRATION 795 -100 195 -595 -595 0 0 -300 (300) 0
Total 5500 TRAVEL 4,023 5,040 6,993 1,981 1,348 7,488 5,086 7,074 4,183 4,578 11,696 11,696 71,186 (69,164) 140,350
5510 TRAINING/STAFF EDUCATION 600 775 225 3,110 4,710 4,710 0
7400 EQUIPMENT/FURNITURE
7420 EQUIP/FURN < $5K 22,657 -630 22,027 22,027 0
Total 7400 EQUIPMENT/FURNITURE 0 0 22,657 0 -630 0 0 0 0 0 0 0 22,027 22,027 0
Total Expenses 218,863 260,875 205,173 133,369 109,463 85,799 97,482 154,574 113,543 125,850 173,358 172,158 1,850,507 (919,187) 2,769,694
Net Operating Income 53,596 34,112 26,973 307,946 45,775 101,764 106,168 337,009 57,483 503,945 76,174 74,874 1,725,818 1,420,334 305,484
Other Income 0 0
7590 HIE Acquisition Reimbursement 83,333 83,333 83,333 83,333 83,333 83,333 83,333 83,333 83,333 0 0 0 750,000 0 750,000
Total Other Income 83,333 83,333 83,333 83,333 83,333 83,333 83,333 83,333 83,333 0 0 0 750,000 (0) 750,000
Other Expenses 0
7600 AK HIE SERVICE (SAAS) 83,333 83,333 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 993,055 (6,941) 999,996
Total Other Expenses 83,333 83,333 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 993,055 (6,941) 999,996
Net Other Income 0 0 695 695 695 695 695 695 695 -82,639 -82,639 -82,639 -243,055 6,941 -249,996
Net Income 53,596 34,112 27,668 308,641 46,469 102,459 106,863 337,703 58,178 421,306 -6,465 -7,765 1,482,763 1,427,275 55,488
Alaska eHealth Network Strategy Map DRAFT 2014 – 2016
Vision: An electronically-connected Alaska healthcare delivery system
OBJECTIVES
FINANCIAL / STAKEHOLDERS / OPERATIONS / CAPACITY
STAFF READINESS: Provide learning and growth opportunities
PROVIDERS/PAYERS: Increase EHR Adoption and Meaningful Use
PATIENTS: Ensure privacy of PHI and maintain confidence in electronic exchange
DHSS: Meet Public Health reporting requirements
Metrics: Annual Provider and Patient Satisfaction Survey, participants meeting MU
POLICIES & PROCEDURES: Minimize policy/procedure exceptions
PRIVACY & SECURITY: Minimize security issues
PARTICIPANT CONTRACT DELIVERABLES: Ensure timely deliverables
Metrics: Risk assessment, monthly P&S reports, annual policy review
STAFF SATISFACTION: Provide safe and adequate environment
CONTRACTOR CAPACITY: Optimize use of staff augmentation contractors
Metrics: Staff - Training reports and HR reviews; Board-meeting attendance and onboarding; Contractors-performance based contracts
SUSTAINABILITY: Maintain AeHN viability
Market Penetration: Onboard 85% of hospitals and providers
BUDGET vs ACTUAL: Ensure positive income
Metrics: Monthly Income, budget vs income, #/$ annual contracts, cash on hand, #hospitals, # providers, value of contracts up for renewal
HIE VENDOR RELATIONS: Maintain timely resolution of issues
Governance: Optimize Board engagement and effectiveness
1/21/2014 V1.0