
Welcome: Road to Compliance

TRICARE Management Activity. HEALTH AFFAIRS. Welcome: Road to Compliance. 2009 Data Protection Seminar TMA Privacy Office. Welcome: Road to Compliance Everybody Wants Our Data. Welcome: Road to Compliance Agenda. Overview of TMA Privacy Office Organizational structure

april

Presentation Transcript


  1. TRICARE Management Activity HEALTH AFFAIRS Welcome: Road to Compliance 2009 Data Protection Seminar TMA Privacy Office

  2. Everybody Wants Our Data

  3. Agenda
     • Overview of TMA Privacy Office
     • Organizational structure
     • Mission and Program Overview
     • Why are we here?
     • Sharing the responsibility
     • Breach statistics
     • Complaint statistics
     • Evolving threats
     • Our environment is changing
     • American Recovery and Reinvestment Act (ARRA)
     • Challenges in health information exchange
     • Implications to Privacy and Health Insurance Portability and Accountability Act (HIPAA) Security

  4. TMA Privacy Office Organization

  5. TMA Privacy Office Mission and Program Overview: To ensure stakeholders’ personally identifiable and protected health information are safeguarded at the highest level as TRICARE delivers the best medical support possible to all those entrusted to our care

  6. Why Are We Here?

  7. Sharing the Responsibility
     • All TMA staff share the responsibility for safeguarding Personally Identifiable Information (PII)/Protected Health Information (PHI)
     • The breach or loss of PII/PHI can have far-reaching effects, including:
        • Loss of public trust and stakeholder confidence
        • Potential fines and penalties
        • Congressional scrutiny
        • Financial or medical harm to beneficiaries due to exposure of data

  8. MHS Breach Statistics [chart; totals shown: 43, 91, 43]

  9. MHS Complaint Statistics

  10. Privacy Complaints to HHS. Status of all Privacy Complaints, April 14, 2003 – April 30, 2009
     • Privacy Complaints Remaining Open (14%): 5,967
     • Privacy Complaints Resolved (86%): 37,724
     • Total Privacy Complaints Received: 43,691 *
     * Referrals to DOJ – 456, Referrals to CMS – 306

  11. Investigated Resolutions [bar chart by year, PY 2003 through 2008; series: No Violation, Corrective Action, Total]

  12. Evolving Threats

  13. Our Environment Is Changing

  14. American Recovery and Reinvestment Act: Breakdown of ARRA Funding (In Billions). Included in the $787 billion ARRA is approximately $20 billion in funding for healthcare IT, including incentive payments to physicians who implement and use eligible electronic medical records systems under the conditions laid out in the law.
     • Health Care, $59 (Health IT $20)
     • Infrastructure And Science, $111
     • State and Local Fiscal Relief, $144
     • Protecting the Vulnerable, $81
     Source: http://www.recovery.gov/?q=node/88

  15. American Recovery and Reinvestment Act: HHS Relationship to Other Federal Agencies [conceptual organization chart; labels shown: HHS Secretary; CIO; ONC; DoD/TMA; Office for Civil Rights (OCR); Federal Trade Commission (FTC); CISO; Chief Privacy Officer; VA Privacy Office; NeHC; NHIN; CMS HIPAA; Federal Privacy / Security Officers; HISPC; State eHealth Collaborative; Op-Div Security Officers]

  16. American Recovery and Reinvestment Act
     • Some of the ARRA provisions include:
        • Improved enforcement and audit expansion
        • Annual HHS guidance and education on security and privacy best practices
        • Breach notification requirements, including for non-CE PHR vendors
        • Clarification of wrongful disclosure including criminal penalties
        • Accounting of certain disclosures, including those made through an EHR for treatment, payment, or health care operations
        • Business Associates

  17. ARRA - Impact on Health Information
     • High priority for ONC is defining “meaningful use” of EHRs. Implementation of EHRs results in increasing electronic PHI exposure “exponentially”
     • Implementation plan just released from ONC:
        • More than a third of the dollars appropriated for privacy and security will be used to fund audits of covered entities and business associates.
        • ONC will provide training for state attorney general offices
        • Updated Strategic Plan is expected to be established by 12/31/2009
     • ARRA creates a new penalty structure, including penalties based on “willful neglect”

  18. Challenges in Health Information Exchange
     • Personal Health Records (PHR)
        • Health record that is initiated and maintained by an individual
        • May include information about allergies and adverse drug reactions, medications, illnesses and hospitalizations, laboratory test results, etc.
     • Nationwide Health Information Network (NHIN)
        • A nationwide network of health records that can potentially be accessed by hospitals, insurers, doctors, and researchers
     • Data Use and Reciprocal Support Agreement (DURSA)
        • Spells out the rights and responsibilities of the participants in a health information exchange, especially NHIN, covering such areas as:
           • Responding to queries for health records, keeping data secure, handling a breach and complying with technical specifications for interoperability

  19. Implications of these Challenges
     • Implications on privacy and security include:
        • Unauthorized access via Internet or other data connections
        • Incompatible software between providers or between the provider and the individual
        • Identifying permitted purposes for the exchange of PHI
        • Preparing for future uses for the exchange of PHI
        • Extending HIPAA compliance for the exchange of PHI
        • Validating the consent and authorization requirements for the exchange of PHI

  20. Overview of the Road to Compliance
