HIPAA 101 Basic Session - assets.hcca-info.org · 12 Enforcement Approach Centers for Medicare &...

Page 1

HIPAA 101 Basic Session

HCCA Compliance Institute April 2005

Page 2

GROUND RULES

THIS IS A BASIC SESSION
• If you expected something beyond the basics, this is not the session to attend.
• You are welcome to stay.
• However, if you stay, you cannot write on your evaluation that this was too basic.

Please turn your cell phones and pagers to vibrate or off.

Page 3

Agenda

1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
2. Transaction Code Sets
3. National Provider Identifier (NPI)
4. Privacy Regulations
5. Security Regulations

Page 4

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Health insurance access, portability, and renewal
• Attempts to prevent healthcare fraud and abuse
• Allows health insurance tax deduction for self-employment
• Promotes administrative simplification

Page 5

Transactions Code Sets

Compliance Date:

• Original: October 16, 2002 (except small health plans – 2003)
• Extension: October 16, 2003

Page 6

Transaction Code Sets

(1) Original:
• Proposed: May 7, 1998
• Published: August 17, 2000, Volume 65, Number 160, pp. 50312-50372
• Effective Date: October 16, 2000

(2) Modifications:
• Proposed: May 31, 2002
• Published: February 20, 2003, Volume 68, Number 34, pp. 8381-8399
• Effective Date: March 24, 2003

Documents can be located at:
1. http://www.cms.hhs.gov/hipaa/hipaa2/regulations/transactions/finalrule/txfinal.pdf
2. http://www.cms.hhs.gov/regulations/hipaa/cms0003-5/0003ofr2-10.pdf

Page 7

Administrative Simplification

• Defines standards for electronic transaction submission
• Establishes standard code sets
• Establishes unique identifiers

Page 8

Administrative Simplification

Standard Electronic Transactions
• 837I (institutional)
• 837P (professional)
• 835 (payment and remittance advice)
• 270/271 (eligibility inquiry and response)
• 276/277 (claim status inquiry and response)
• 278 (referral certification and authorization)
• 834 (health plan enrollment / disenrollment)
• 820 (health plan premium payment)
• 275 (proposed)

Page 9

Administrative Simplification

Standard Code Sets
• ICD-9-CM (diagnosis and procedures)
• NDC (national drug codes)
• CPT-4 (physician procedures)
• HCPCS (ancillary services/procedures)
• CDT (dental terminology)

No more local codes

Page 10

Administrative Simplification

Standard Identifiers
• Employer Identification Number (EIN)
• National Provider Identifier (NPI)
• Health Plan (Payer) Identifier (forthcoming)

Claims Attachment Standards (forthcoming)

Page 11

837 (Institutional & Professional) Requires

• Billing provider employer identification number (EIN) or Social Security number (SSN).
• Pay-to provider EIN or SSN.
• Rendering provider EIN or SSN.

Many physicians are refusing to give out this information where they are not the billing or pay-to providers, i.e. they are performing a service for a hospital.

Hospitals have been substituting their own EIN where they can't get the physicians'. Medicare is allowing a "dummy" EIN for the second reference when the physician EIN/SSN is unknown: 999999999 can be substituted for the valid value.

Page 12

Enforcement Approach

Centers for Medicare & Medicaid Services (CMS) is responsible for enforcing the electronic transactions and code sets provisions of the law. CMS will focus on obtaining voluntary compliance and use a complaint-driven approach for enforcement of HIPAA’s electronic transactions and code sets provisions. When CMS receives a complaint about a covered entity, it will notify the entity in writing that a complaint has been filed.

Page 13

Enforcement Approach

Following notification from CMS, the entity will have the opportunity to:

• demonstrate compliance,
• document its good faith efforts to comply with the standards, and/or
• submit a corrective action plan.

Page 14

Demonstrating Compliance

Covered entities will be given an opportunity to demonstrate to CMS that they submitted compliant transactions.

Page 15

Good Faith Policy

CMS recognizes that transactions often require the participation of two covered entities and that noncompliance by one covered entity may put the second covered entity in a difficult position. CMS intends to look at both covered entities’ good faith efforts to come into compliance with the standards in determining, on a case-by-case basis, whether reasonable cause for the noncompliance exists and, if so, the extent to which the time for curing the noncompliance should be extended.

Page 16

Good Faith Policy

CMS will not impose penalties on covered entities that deploy contingencies (in order to ensure the smooth flow of payments) if they have made reasonable and diligent efforts to become compliant and, in the case of health plans, to facilitate the compliance of their trading partners. Specifically, as long as a health plan can demonstrate to CMS its active outreach/testing efforts, it can continue processing payments to providers. In determining whether a good faith effort has been made, CMS will place a strong emphasis on sustained actions and demonstrable progress.

Page 17

Examples of Good Faith

• Increased external testing with trading partners.
• Lack of availability of, or refusal by, the trading partner(s) prior to October 16, 2003 to test the transaction(s) with the covered entity whose compliance is at issue.
• In the case of a health plan, concerted efforts in advance of October 16, 2003 and continued efforts afterwards to conduct outreach and make testing opportunities available to its provider community.

Page 18

CMS Complaint Form

Complaint Type
• Non-Compliant Data Received
• Compliant Data Sent and Rejected
• Invalid Companion Guide
• Privacy Violation
• Other HIPAA Administrative Simplification Act Violation
• Other

Page 19

National Provider Identifier (NPI)

Health plans assign identification numbers to health care providers -- individuals, groups, or organizations that provide medical or other health services or supplies. The result is that providers who do business with multiple health plans have multiple identification numbers. The NPI is a unique identification number for health care providers that will be used by all health plans.

• Final rule: January 23, 2004
• Effective date: May 23, 2005
• Compliance date: May 23, 2007
• Small health plans: May 23, 2008

Page 20

National Provider Identifier (NPI)

The NPI is a 10-position numeric identifier with a check digit in the last position to help detect keying errors.
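The slide says only that the tenth digit is a check digit. As an added example (not code from the slides or from CMS), the function below computes it the way the CMS NPI specification defines it: the Luhn mod-10 formula applied to the nine identifying digits with the constant prefix 80840 prepended. The sample claim records and the NPI values in them are constructed for the example.

```python
"""NPI check-digit validation (Luhn with the 80840 prefix). Added example."""
from __future__ import annotations

NPI_PREFIX = "80840"   # card-issuer prefix fixed by the NPI specification
NPI_LENGTH = 10


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string: double every second digit starting with the
    rightmost one, reduce any product above 9 by subtracting 9, then add up."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(body: str) -> int:
    """Check digit for the first nine digits of an NPI."""
    if len(body) != NPI_LENGTH - 1 or not body.isdigit():
        raise ValueError("NPI body must be exactly nine digits")
    return (10 - luhn_sum(NPI_PREFIX + body) % 10) % 10


def is_valid_npi(npi: object) -> bool:
    """True when npi is ten digits and the last one is the correct check digit.
    Non-string input, non-digits and wrong lengths are rejected rather than
    raising, so the function can be used directly as an intake filter."""
    if not isinstance(npi, str) or len(npi) != NPI_LENGTH or not npi.isdigit():
        return False
    return npi_check_digit(npi[:-1]) == int(npi[-1])


def find_invalid_npis(claims: list[dict[str, str]]) -> list[str]:
    """Claim ids whose rendering_npi fails the check (field name is assumed)."""
    return [c["claim_id"] for c in claims if not is_valid_npi(c.get("rendering_npi"))]


# Constructed sample claims (not real identifiers): one correct NPI, one with
# a single keying error in the check digit, one with two adjacent digits swapped.
SAMPLE_CLAIMS = [
    {"claim_id": "C1", "rendering_npi": "1234567893"},
    {"claim_id": "C2", "rendering_npi": "1234567890"},
    {"claim_id": "C3", "rendering_npi": "1234567839"},
]

if __name__ == "__main__":
    print("check digit for 123456789:", npi_check_digit("123456789"))      # 3
    print("claims with invalid NPIs:", find_invalid_npis(SAMPLE_CLAIMS))    # ['C2', 'C3']
```

The check catches every single-digit keying error and all adjacent transpositions except 09/90, which is what makes it useful as a first filter on inbound 837 data; it says nothing about whether the NPI is actually assigned to the provider named on the claim.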

Page 21

Uses of the NPI

The NPI must be used in connection with the electronic transactions identified in HIPAA. The NPI may be used in several other ways:

(1) by health care providers to identify themselves in health care transactions identified in HIPAA or on related correspondence;
(2) by health care providers to identify other health care providers in health care transactions or on related correspondence;
(3) by health care providers on prescriptions (however, the NPI could not replace requirements for the Drug Enforcement Administration number or State license number);
(4) by health plans in their internal provider files to process transactions and communicate with health care providers;

Page 22

Uses of the NPI

(5) by health plans to coordinate benefits with other health plans;
(6) by health care clearinghouses in their internal files to create and process standard transactions and to communicate with health care providers and health plans;
(7) by electronic patient record systems to identify treating health care providers in patient medical records;
(8) by the Department of Health and Human Services to cross reference health care providers in fraud and abuse files and other program integrity files;
(9) for any other lawful activity requiring individual identification of health care providers, including activities related to the Debt Collection Improvement Act of 1996 and the Balanced Budget Act of 1997.

Page 23

Questions & Answers

Page 24

What health care transactions are required to use the standards under this regulation?

1. Health claims and equivalent encounter information.
2. Enrollment and disenrollment in a health plan.
3. Eligibility for a health plan.
4. Health care payment and remittance advice.
5. Health plan premium payments.
6. Health claim status.
7. Referral certification and authorization.
8. Coordination of benefits.

Page 25

Who is required to use the standards?

All private sector health plans (including managed care organizations and ERISA plans), all government health plans (including Medicare, State Medicaid programs, the Military Health System for active duty and civilian personnel, the Veterans Health Administration, and Indian Health Service programs), all health care clearinghouses, and all health care providers that choose to submit or receive these transactions electronically are required to use these standards.

Page 26

Do I have to use standard transactions when conducting business inside my corporate boundaries?

The decision on when a standard must be used does not depend on whether the transaction is being sent inside or outside corporate boundaries. Instead, a simple two-part test, in question form, can be used to determine whether the standards are required.

Page 27

Two Part Test

Question 1: Is the transaction initiated by a covered entity or its business associate? If no, the standard need not be used.

Question 2: Is the transaction one for which the Secretary has adopted a standard? If yes, the standard must be used. If no, the standard need not be used.

Page 28

What is the effect on State law?

Section 1178 of the Social Security Act provides that standards for the transactions will supersede any State law that is contrary to them, but allows for an exception process.

Page 29

Does the law require physicians to buy computers?

No, there is no such requirement. However, more physicians may want to use computers for submitting and receiving transactions such as health care claims and remittances/payments electronically. Remember that submission of paper claims to Medicare may result in slower payment.

Page 30

How will the standards affect data stored in my system?

The transaction standards will apply only to electronic data interchange (EDI) -- when data are transmitted electronically between health care providers and health plans as part of a standard transaction. Data may be stored in any format as long as it can be translated into the standard transaction when required. Security standards, on the other hand, will apply to electronic protected health information.

Page 31

Privacy Standards

I said to shred the document, not the person reading it!

Page 32

What’s protected?

All medical records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally.

Page 33

HIPAA Identifiers

(A) Names;
(B) Street address, city, county, precinct, zip code, and equivalent geo-codes;
(C) All elements of dates (except year) for dates directly related to an individual, and all ages over 89;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan ID numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers/serial numbers;
(N) Web addresses (URLs);
(O) Internet IP addresses;
(P) Biometric identifiers, incl. finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code.

Page 34

Covered Entities

• Health Plans
• Health Care Clearinghouses
• Health Care Providers

Page 35

PHI

• Uses & Disclosures for TPO
• Authorization
• Uses & Disclosures in the public interest
• Uses & Disclosures with an opportunity to object

Page 36

How can a covered entity use and disclose PHI?

• Treatment, Payment & Healthcare Operations (TPO)
• Without an authorization if statutorily excepted
• After the patient has been given an opportunity to object
• Only with the patient’s explicit permission

Page 37

U & Ds without the patient’s explicit permission

• Treatment, Payment & Health Care Operations. 164.506
• As required by law. 164.512
• Marketing & fundraising (pursuant to strict limitations)

Page 38

U & Ds for TPO

Examples:
• A healthcare provider can discuss the patient’s case with her colleagues to determine the best course of treatment
• A health plan can share information with the nursing home regarding payment for services
• A compliance office can obtain charts for compliance audits

Page 39

U & Ds that do not require an authorization

Mandatory disclosures: HIPAA only mandates disclosures in two instances. 164.502(a)
• To the patient, with some exceptions
• To the Secretary of DHHS to investigate an alleged privacy violation

Page 40

U & Ds for Other Purposes

Permissive disclosures 164.512
• Specialized Gov. Functions
• Avert Serious Threat
• Workers’ Compensation
• Research
• Organ & Tissue Donation
• Information about Decedents
• Law Enforcement
• Legal Proceedings
• Health Oversight Activities
• Report Abuse & Neglect
• Public Health Activities

Page 41

Public Health Activities

• Prevent or control disease, injury or disability
• Vital statistics, births & deaths
• Public health surveillance
• Public health investigations
• Report child abuse or neglect
• FDA reporting
• Alert individual of possible exposure to communicable disease
• Employers under limited circumstances

Page 42

Report Abuse or Neglect

• Report to authorities authorized by law to receive information about victims of abuse, neglect or domestic violence
• Based on reasonable belief
• CE must inform the individual of the disclosure unless
  • There is a reasonable belief this would place the individual at risk for serious harm, or
  • It would mean informing a personal representative who is believed to be responsible for the abuse or neglect

Page 43

Health Oversight Activities

Disclosures may be made to entities authorized by law to oversee:
• The health care system
• Government benefit programs for which health information is relevant to beneficiary eligibility
• Entities subject to government regulatory programs
• Entities subject to civil rights laws

Page 44

Health Oversight Activities (cont.)

This does not include investigations where the individual is the subject of the investigation if it is not directly related to:
• The receipt of health care
• A claim for public benefits related to health, or
• Qualification or receipt of public benefit or service if health is integral to the claim

Page 45

Legal Proceedings

• Court orders
  • Limited to the PHI expressly authorized
• Subpoenas, discovery requests or other lawful process, if satisfactory assurances are received that either:
  • The subject of the information has been notified & given a chance to object
  • A qualified protective order has been requested
  • The CE notifies the individual or seeks a protective order

Page 46

Law Enforcement

• If pursuant to process or otherwise required by law
• Identification and location
• Victims of a crime
• Decedents – if suspicion that death was result of criminal conduct
• Crime on the premises
• Report crime in an emergency

Page 47

Information about Decedents

• Coroners & Medical examiners
  • Determine cause of death
  • Identification
  • Other duties authorized by law
• Funeral Directors
  • Information necessary to carry out their duties

Page 48

Organ and Tissue Donation

May disclose information necessary to facilitate organ, eye, or tissue donation

Page 49

Research

• Waiver or alteration of authorization approved by privacy board or IRB
• Reviews preparatory to research
• Research on decedents’ information
• De-identified data
• Limited data set used

Page 50

De-identified data?

(A) Names;
(B) Street address, city, county, precinct, zip code, and equivalent geo-codes;
(C) All elements of dates (except year) for dates directly related to an individual, and all ages over 89;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan ID numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers/serial numbers;
(N) Web addresses (URLs);
(O) Internet IP addresses;
(P) Biometric identifiers, incl. finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code.
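The identifier list on this slide and on the HIPAA Identifiers slide (Page 33) is a data-handling specification, so here is an added example (not code from the slides) that applies it to a record: drop fields in categories (A) through (Q), keep only the year of any date under (C), and collapse ages over 89 into one bucket, which is how the de-identification rule handles that part of (C). It then scans the fields that remain for identifiers hiding in free text (item (R) in practice). The field names, regex patterns and the sample record are all constructed for this example.

```python
"""Safe Harbor style de-identification of one record. Added example."""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Constructed field names mapped onto the slide's identifier categories.
DIRECT_IDENTIFIER_FIELDS = {
    "name",                                                  # (A)
    "street_address", "city", "county", "precinct", "zip",   # (B)
    "phone", "fax", "email", "ssn",                          # (D)-(G)
    "mrn", "health_plan_id", "account_number",               # (H)-(J)
    "license_number", "vehicle_id", "device_id",             # (K)-(M)
    "url", "ip_address", "biometric", "photo",               # (N)-(Q)
}
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date"}  # (C)

# Deliberately simple patterns for identifiers that survive inside free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


def generalize_date(value: str) -> str | None:
    """Keep only the year of an ISO date; None if the value does not parse."""
    try:
        return str(date.fromisoformat(value).year)
    except ValueError:
        return None


def generalize_age(age: int) -> str:
    """Ages over 89 are identifiers under (C); collapse them into one bucket."""
    return "90+" if age > 89 else str(age)


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Drop direct identifiers, reduce dates to years, bucket ages over 89."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            year = generalize_date(str(value))
            if year is not None:
                out[key.replace("_date", "_year")] = year
            continue
        if key == "age":
            out[key] = generalize_age(int(value))
            continue
        out[key] = value
    return out


def release_check(record: dict[str, Any]) -> list[str]:
    """Names of string fields that still look like they carry an identifier.
    Field-level stripping says nothing about free text, so a non-empty
    result means the record is not ready to leave the covered entity."""
    return [
        key for key, value in record.items()
        if isinstance(value, str)
        and any(p.search(value) for p in RESIDUAL_PATTERNS.values())
    ]


# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "zip": "02139",
    "birth_date": "1931-03-15",
    "admit_date": "2004-11-02",
    "age": 93,
    "diagnosis_code": "250.00",
    "notes": "Patient reachable at 617-555-0100 per daughter.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("fields still carrying identifiers:", release_check(cleaned))  # ['notes']
```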

Page 51

Avert a Serious Threat

• May disclose PHI consistent with applicable law & standards of ethical conduct if the CE in good faith believes the disclosure is necessary to avert a serious & imminent threat to
  • The public
  • An individual
• May not make the disclosure if the information is learned under certain conditions

Page 52

Specialized Governmental Functions

• Military & veteran activities
• National security
• Protection of the President & others
• Medical suitability determinations
• Correctional institutions
• CEs that are governmental entities providing public benefits

Page 53

Workers’ Compensation

May disclose to the extent necessary to comply with workers’ compensation laws or other similar programs

Page 54

U & Ds that require an opportunity to object. 164.510

• Facility Directories
• Family, Friends and others
  • Involved in the patient’s care
  • Involved in payment for the patient’s care
• Notification

Page 55

U & Ds Requiring an Authorization

All uses and disclosures of PHI that are not explicitly required or allowed under the regulations may only be done with an authorization.

• Marketing
• Fundraising

Page 56

Patient’s Rights Under HIPAA

• Access and copy information 164.524
• Request restriction of use for TPO or under 164.510(b)
• Request confidential communication
• An accounting of disclosures
• Receive a copy of the notice of privacy practices
• Request amendments

Page 57

Request Restrictions

45 CFR 164.522(a)
• Only applies to PHI used or disclosed for TPO or pursuant to 164.510(b)
• A covered entity is not required to agree
• If the CE agrees, it is bound by the restriction

Page 58

Request Confidential Communications

45 CFR 164.522(b)
• Providers
  • Must accommodate reasonable requests
• Health Plans
  • Must accommodate if the individual clearly states that the disclosure of all or part of the information could endanger the individual

Page 59

Access and Copy Information

45 CFR 164.524
Individuals have a right to access the PHI about them in a DRS, except:
• Psychotherapy notes
• Prepared in reasonable anticipation of litigation
• Information to comply with CLIA, if CLIA prohibits access

Page 60

Access and Copy Information

Denial of access is non-reviewable if
• PHI is excepted from right to access
• Individual is an inmate and access would jeopardize the facility
• Research information – if explained in research authorization
• Information is subject to the Privacy Act
• Information obtained with promise of confidentiality from someone other than a health care provider

Page 61

Access and Copy Information

Reviewable grounds for denial
• Licensed health care professional believes access would endanger the individual or another person
• Information was received from another person and access could cause substantial harm to that individual
• Request is made by a personal representative and access could cause substantial harm to the individual

Page 62

Access and Copy Information

• Must have process for review
• Requests for access must be acted upon within 30 or 60 days
• Can get one 30-day extension
• Can charge for copies

Page 63

Request an Amendment

• Individual may have information in the DRS amended
• CE may deny the request if
  • Determines the information is correct
  • CE did not create the information
  • Information is not part of the DRS
  • Individual would not have the right to access under 164.524
• CE must respond to request in 60 days

Page 64

Accounting of Disclosures

45 CFR 164.528
CE must account for all disclosures of PHI unless the disclosure was made
• For TPO
• With an authorization
• In an LDS
• As an incidental disclosure
• To the subject of the information
• For national security purposes
• Pursuant to 164.510
• Prior to 4/14/03
• To a correctional institution


65

Receipt of Notice of Privacy Practices

45 CFR 164.520
Individual has a right to receive the notice of privacy practices at their first encounter after 4/14/03 or upon request


66

Other HIPAA Issues

- Minimal Necessary
- Organizational Arrangements
  - Organized Health Care Arrangements
  - Affiliated Covered Entities
  - Hybrid Covered Entities
- Business Associates
- Group Health Plans
- Miscellaneous issues
  - Psychotherapy notes
  - Verification processes
- Preemption of state law


67

Minimal Necessity

Role based access
- Ensure that individuals only have access to the information needed to do their job

Disclosures
- Disclose only the minimal necessary for the purpose of the disclosure
- Does not apply to disclosures made:
  - With an authorization
  - To a provider for treatment
  - To the subject of the information
  - To the Secretary of DHHS
  - As required by law
  - As required to comply with the regulations


68

Organizational Arrangements

Organized Health Care Arrangements (OHCA)
- Clinically integrated
- More than one CE participates

Affiliated Covered Entities (ACE)
- Legally separate CEs that are affiliated by common ownership or control

Hybrid Covered Entity (HCE)
- Single covered entity with non-health care components


69

Business Associates

- Business associates are entities that perform services for or on behalf of a CE involving PHI.
- Must have a business associate agreement
- A CE can be the business associate of another CE


70

Group Health Plans

- Group health plans are covered entities under HIPAA
- The employer is not the covered entity
- A GHP’s notice of privacy practices requires a statement regarding the use and disclosure for plan administrative functions


71

Miscellaneous Issues

Psychotherapy notes
- Part of the DRS
- Require an authorization for uses and disclosures, even for TPO

Verification process
- Must verify that individuals to whom you are disclosing information are really who they say they are


72

Administrative Requirements

- Designate a privacy official
- Train members of the workforce on privacy requirements
- Safeguard PHI
- Develop sanctions for violations of the privacy policies and procedures
- Establish a means for individuals to complain about privacy violations


73

Individual Protection

- North Carolina resident
- Positive review & raise
- 3 weeks later diagnosed with genetic disorder
- Self-insured employer
- Fired to avoid projected expenses

The Washington Post - December 2, 2000 p. A1


74

HIPAA Security and Privacy Incidents

- California – UC Davis BA & survey
- Washington – Criminal conviction of clinic employee
- California – UC San Diego
- Kentucky – Nursing home records found in street
- Washington DC – Washington Hospital Center patient records and payroll information found behind National Arboretum (Washington Post 6/25/04)


75

- Kaiser Permanente – prospective member saw information from another prospective member’s application
- Pennsylvania – women suing Pinnacle Health over use of med record in commercial for breast cancer awareness


76

Security of Information

Drug company inadvertently revealed 600 patient e-mail addresses used to remind patients to take their Prozac. At the end of the reminder service the list was sent to all participants.

The Washington Post - July 4, 2001 p. E1


77

Marketing

Medical marketing service advertised a database available to pharmaceutical marketers:
- 4.3 million people with allergies
- 923,000 people with bladder control problems

See www.mmslists.com


78

Researchers

Office for Protection from Research Risks suspends more than 1,000 studies
- Failure to obtain consent of research subjects
- Failure to safeguard data

The Washington Post - January 12, 2000 p. B7


79

Health Privacy Project

Institute For Health Care Research and Policy

Georgetown University

www.healthprivacy.org


80

Questions & Answers


81

Security Standards

Compliance Date: April 20, 2005

(except small health plans – 2006)

(Page 8376)


82

Security Standards

Proposed: August 12, 1998

Published: February 20, 2003

Volume 68, No. 34, pp 8334 - 8381

Effective Date: April 21, 2003

Document can be located at: www.cms.hhs.gov/hipaa/hipaa2


83

Scope

- All electronic PHI (ePHI)
- In motion AND at rest (created, received, maintained or transmitted)
- To ensure confidentiality, integrity, and availability
- To protect against reasonably anticipated threats or hazards, and improper use or disclosure

(Page 8376)


84

Definitions

Confidentiality: Only the right people see it

Integrity: Only the right people change it

Availability: Accessible and usable upon demand

Reasonably: Your guess is as good as mine!


85

Who must comply?

A Covered Entity (same definition as T&Cs & Privacy):

- A health plan
- A health care clearinghouse
- A health care provider*

*who transmits ePHI in a format covered by the EDI component of HIPAA

(Page 8374)


86

Security vs. Privacy

Closely linked

Security enables Privacy

Security scope – addresses electronic PHI

Privacy scope – addresses electronic, paper and oral PHI


87

Security Threats

Active, evolving, never static

Goal: Controlling threats, by reasonable measures

- People oriented: hackers, viruses, insiders, disgruntled persons
- Must be actively managed by IT professionals


88

Standards

- Standards are general requirements
- Permits standards to be interpreted and implemented appropriately, from the smallest provider to the largest plan
- Administrative, physical and technical standards (APT)
- Technology neutral
- Two overarching standards (APT)
  - Policies and procedures
  - Documentation


89

Policies and Procedures

Sample numbering of a corporate information security policy set:
- 1.0.0 Corporate Information Security Policy
- 2.0.0 Record Processing
- 3.0.0 User Security
- 4.0.0 Incident Handling
- 5.0.0 Physical Safeguards for Information Assets
- 6.0.0 Contingency Planning
- 7.0.0 Information Security Administration
- 8.0.0 Technical Security Management
- 9.0.0 Bio-Med Info Asset Control

(See handout)


90

Implementation Specifications

Are more specific measures that pertain to a standard (Page 8380)

Required (R) – Covered entity MUST implement the specification in order to successfully implement the standard

Addressable (A) – Covered entity must:
- Consider the specification, and implement if appropriate
- If not appropriate, document the reason why not, and what WAS done in its place to implement the standard


91

Safeguards
- Administrative
- Physical
- Technical


92

Administrative Safeguards
45 CFR 164.308

Security Management Process - 164.308(a)(1)
- Risk Analysis (R)
- Risk Management (R)
- Sanction Policy (R)
- Information System Activity Review (R)

Assigned Security Responsibility - 164.308(a)(2) (R)

Workforce Security – 164.308(a)(3)
- Authorization and/or Supervision (A)
- Workforce Clearance Procedure (A)
- Termination Procedures (A)

(Page 8377-8378)


93

Administrative Safeguards, cont.

Information Access Management - 164.308(a)(4)
- Isolating Health Care Clearinghouse Function (R)
- Access Authorization (A)
- Access Establishment and Modification (A)

Security Awareness and Training - 164.308(a)(5)
- Security Reminders (A)
- Protection from Malicious Software (A)
- Log-In Monitoring (A)
- Password Management (A)


94

Security Standards Training

Awareness training for all employees & staff:
- Vulnerabilities of the health information in the entity's possession
- Policies/procedures that must be followed to ensure the protection of that information
- Periodic security reminders
- Education concerning computer viruses
- Education in login procedures and password management


95

Administrative Safeguards, cont.

Security Incident Procedures – 164.308(a)(6)
- Response and Reporting (R)

Contingency Plan - 164.308(a)(7)
- Data Backup Plan (R)
- Disaster Recovery Plan (R)
- Emergency Mode Operation Plan (R)
- Testing and Revision Procedure (A)
- Application and Data Criticality Analysis (A)

Evaluation - 164.308(a)(8) (R)

Business Associate Contracts and Other Arrangements - 164.308(b)(1)

Written Contract or Other Arrangement (R)


96

Physical Safeguards
45 CFR 164.310

Facility Access Controls - 164.310(a)(1)
- Contingency Operations (A)
- Facility Security Plan (A)
- Access Control and Validation Procedures (A)
- Maintenance Records (A)

(Page 8378)


97

Physical Safeguards, cont.

Workstation Use - 164.310(b) (R)

Workstation Security – 164.310(c) (R)


98

Physical Safeguards, cont.

Device and Media Controls - 164.310(d)(1)
- Disposal (R)
- Media Re-Use (R)
- Accountability (A)
- Data Backup and Storage (A)


99

Technical Safeguards
45 CFR 164.312

Access Controls - 164.312(a)(1)
- Unique User Identification (R)
- Emergency Access Procedure (R)
- Automatic Logoff (A)
- Encryption and Decryption (A)

Audit Controls - 164.312(b) (R)

Integrity - 164.312(c)(1)
- Mechanism to Authenticate Electronic Protected Health Information (A)


100

Technical Safeguards, cont.

Person or Entity Authentication - 164.312(d) (R)

Transmission Security - 164.312(e)(1)
- Integrity Controls (A)
- Encryption (A)


101

Bottom Line…

- Consideration MUST be given to implementing all standards
- Using a combination of required and addressable implementation specifications and other security measures
- Need to document choices
- This arrangement allows the covered entity to make its own judgments regarding risks and the most effective mechanisms to reduce risks
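The Required/Addressable rule from the Implementation Specifications slide, applied to a handful of the 164.308 / 164.310 / 164.312 specifications listed on the preceding slides, as an added example that is not part of the presentation or any CMS tooling: a small gap analysis that flags a Required specification left unimplemented, and an Addressable one skipped without both a documented reason and a substitute measure. The specification subset and the self-assessment records are constructed; only the citation strings and R/A flags come from the slides.

```python
# Gap analysis against HIPAA Security Rule implementation specifications.
# Constructed example: SPECS is a subset of the slides' R/A listings
# (45 CFR 164.308 / 164.310 / 164.312); the assessment records are made up.
from dataclasses import dataclass

REQUIRED, ADDRESSABLE = "R", "A"

# (standard citation, implementation specification, R/A) as on the slides
SPECS = [
    ("164.308(a)(1)", "Risk Analysis", REQUIRED),
    ("164.308(a)(1)", "Risk Management", REQUIRED),
    ("164.308(a)(3)", "Termination Procedures", ADDRESSABLE),
    ("164.308(a)(5)", "Log-In Monitoring", ADDRESSABLE),
    ("164.312(a)(1)", "Unique User Identification", REQUIRED),
    ("164.312(e)(1)", "Encryption", ADDRESSABLE),
]


@dataclass
class Assessment:
    """A covered entity's answer for one specification (constructed data)."""
    spec: str
    implemented: bool
    rationale: str = ""    # why it was not appropriate (addressable only)
    alternative: str = ""  # what WAS done in its place (addressable only)


def evaluate(assessments):
    """Map each spec in SPECS to a finding.  Rule from the slides: a Required
    spec must be implemented; an Addressable one may be skipped only when both
    the reason and the substitute measure are documented."""
    answers = {a.spec: a for a in assessments}
    findings = {}
    for _citation, name, kind in SPECS:
        a = answers.get(name)
        if a is None:
            findings[name] = "gap: not assessed"
        elif a.implemented:
            findings[name] = "ok"
        elif kind == REQUIRED:
            findings[name] = "violation: required spec not implemented"
        elif a.rationale and a.alternative:
            findings[name] = "ok: documented alternative"
        else:
            findings[name] = "violation: addressable spec skipped undocumented"
    return findings


# Constructed self-assessment; 'Encryption' is left out on purpose.
SAMPLE = [
    Assessment("Risk Analysis", True),
    Assessment("Risk Management", False),
    Assessment("Termination Procedures", False,
               rationale="Three-person office, no staff turnover",
               alternative="Owner disables accounts personally; checklist kept"),
    Assessment("Log-In Monitoring", False, rationale="Vendor system has no logs"),
    Assessment("Unique User Identification", True),
]

if __name__ == "__main__":
    for name, finding in evaluate(SAMPLE).items():
        print(f"{name:28s} {finding}")
```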


102

Other Laws (State/Federal)

State privacy laws have security implications:

CA SB1386 – requires notification of individuals if information contained in an electronic format MAY have been breached UNLESS the data is encrypted.

Sarbanes/Oxley (SOX)


103

Real Life Issues

Ongoing training and monitoring
- Business Associates
- Physicians and Physician Staff

Keeping up with both privacy and security rules and laws

Keeping in compliance without shutting down operations


104

Recent Breaches

Posted on Thu, Oct. 21, 2004
UC hacking may have gotten data on 600,000
SECURITY BREACH NOT REPORTED FOR WEEKS
Mercury News

Hacker breaches T-Mobile systems, reads US Secret Service email
By Kelly Martin, SecurityFocus
Published Wednesday 12th January 2005 09:47 GMT

Company Warns Customers About Possible Identity Theft
Identity Thieves Reportedly Steal Computers Filled With Customer Information
POSTED: 8:16 am CDT April 8, 2004

8 Million Credit Accounts Exposed
FBI to Investigate Hacking of Database
By Jonathan Krim, Washington Post Staff Writer
Wednesday, February 19, 2003; Page E01

Credit agency reports security breach
News Story by Carly Suppa
MARCH 17, 2004

Oops! Firm accidentally eBays customer database
By John Leyden
Published Monday 7th June 2004 20:51 GMT


105

Questions & Answers


106

Contact Information

Marti Arvin, JD, CHC
Privacy Officer
University of Louisville
Phone (502) 852-3803
e-mail [email protected]

Connie Emery, CPA, CIA, CISA, CISSP, CIPP
Information Privacy/Security Officer
Tenet HealthSystem
Phone (469) 893-6709
e-mail [email protected]

John C. Falcetano, MA, CHC, CIA
Chief Audit & Compliance Officer
University Health Systems of Eastern Carolina
Phone (252) 847-0125
e-mail [email protected]