Date: June 18, 2010 Time: 11:00 am – 1:00 pm Location: NC Hospital Association

Date: June 18, 2010 Time: 11:00 am – 1:00 pm Location: NC Hospital Association 2400 Weston Parkway, Cary, NC 27513 Dial in: #: 1-866-922-3257 Participant Code: 654 032 36#. Agenda. NC HIE Operational Plan Calendar. Governance, Clinical/Technical Ops, Finance WG Meetings.

keelty

Presentation Transcript


  1. Date: June 18, 2010. Time: 11:00 am – 1:00 pm. Location: NC Hospital Association, 2400 Weston Parkway, Cary, NC 27513. Dial-in #: 1-866-922-3257. Participant Code: 654 032 36#

  2. Agenda

  3. NC HIE Operational Plan Calendar
      [Calendar figure; legend entries:]
      • Governance, Clinical/Technical Ops, Finance WG Meetings
      • Legal/Policy WG Meetings
      • Legal/Policy Subcommittee Meetings
      • NC HIE Board Meetings
      • Operational Plan version releases
      • Operational Plan due to ONC
      • WG conference calls as needed
      Discussion Document – Not for Distribution

  4. Report on Other Legal/Policy Subcommittee & NC HIE Board Meeting

  5. Legal Subcommittee - June 8, 2010 Meeting

  6. Policy Subcommittee - June 8, 2010 Meeting

  7. Governance Workgroup - June 9, 2010 Meeting

  8. Technical/Clinical Operations Workgroup – June 9, 2010 Meeting

  9. Finance Workgroup – June 9, 2010 Meeting

  10. Recap of Security Subcommittee June 8, 2010 Key Decisions

  11. Security Subcommittee – Key Decisions from June 8, 2010 Meeting

  12. Security Subcommittee – Key Decisions from June 8, 2010 Meeting

  13. Breach Notification & Role-based Access Discussion Guide

  14. Key Decision Points: Breach
      • What should the minimum standards be for:
          • Alerting participant organizations of situations where patients’ information may have been inappropriately accessed?
          • Alerting patients of situations where their information may have been inappropriately accessed?
          • Mitigating the impact of inappropriate access of patient information? If so, how?
          • Jointly investigating situations where patients’ health information may have been inappropriately accessed?
      • Who should have responsibility for the above? Local or community HIEs? Participants?
      • Should the policies & procedures establish common sanction policies to address situations when individuals violate the policies and procedures for accessing patient information through a local or community HIE?
          • What should they be?

  15. New HITECH Breach Notification Requirements
      Effective September 23, 2009, a CE must, following the discovery of a breach of protected health information, notify each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of such breach.¹ Only unauthorized acquisition, use or disclosure that poses a significant risk for financial, reputational, or other harm to the individual is considered a breach. A BA must, following the discovery of a breach of PHI, notify the CE of such breach and provide required information to the CE.
      Breach: Unauthorized acquisition, access, use or disclosure of PHI that compromises privacy or security
      But not:
          • If good faith belief unauthorized person would not have reasonably been able to retain PHI
      And not if:
          • Unintentional access by authorized person if in good faith and not re-disclosed in manner not permitted under Privacy Rule
          • Inadvertent disclosure from one authorized individual to another at same CE, BA or arrangement
      ¹ Only breaches of “unsecured” PHI (e.g. PHI that is not encrypted or has not been destroyed in accordance with guidance issued by HHS at 74 Fed. Reg. 19006-19010) trigger the breach notification requirement.

  16. HITECH Breach Notification Requirements

  17. Role-Based Access Standards
      • Role-Based Access Standards can be a useful tool in the authorization process, establishing whether a particular user has the right, based on job function or responsibilities, to access protected health information.¹ Relevant HIPAA Security Standards include Workforce Security (45 CFR § 164.308(a)(3)) and Information Access Management (45 CFR § 164.308(a)(4)).
