1

Operating as a Hybrid Entity at Cornell

John Ruffing – jr17@cornell.eduAssistant Director, Center for Advanced Computing (CAC)

Cornell UniversityAssociate Director, Information Technology and Services

Weill Cornell Medical College

www.cac.cornell.edu

www.cac.cornell.edu 2

Overview

• Informing Perspectives• Organizational “Objects”• Cornell Logistics

www.cac.cornell.edu 3

Perspectives

• Institutional• Individual

www.cac.cornell.edu 4

Perspectives: Institutional

• Medical campus• Significant separation

–Distance, governance, ERP• Burdens

–Extensive–Expensive (potentially)

www.cac.cornell.edu 5

Burdens: Extensive

• Executing– Administrative– Technical– Physical

• Maintaining– Documentation– Training/Awareness– Periodic Review

www.cac.cornell.edu 6

Perspective: Individual

• Medical campus• Previously led

–EHR implementation (Epic)–SAP technical teams

• Coordinate IT aspects of audit

www.cac.cornell.edu 7

Overview

• Informing Perspectives• Organizational “Objects”• Cornell Logistics

www.cac.cornell.edu 8

Organizational Objects

• Covered Entity• Organized Healthcare Arrangement• Business Associate

9

Covered Entities

www.cac.cornell.edu

• Health Plans• Healthcare Clearinghouses• Healthcare Providers who

–Electronically transmit• Any health information in connection

with–Transactions for which HHS has

adopted standards

10

Typical HPC Providers

www.cac.cornell.edu

• Not covered entities themselves

• Not part of covered entity• Handling identifiable data

–Within the same institution–Ultimately from a covered

entity

11

Covered Entity Trap

www.cac.cornell.edu

• Entire legal entity–Often more than really applies

• Unnecessary burden–Extent–Expense

12

Hybrid Entity Escape?

www.cac.cornell.edu

• Covered components–Same criteria as entity–Distinct and relevant

•Function•Governance

• Formal designation

13

Cornell as Hybrid Entity

www.cac.cornell.edu

• Four components–Medical campus–Student health center–Benefits–Counsel

• Where is HPC?

14

Typical HPC Providers

www.cac.cornell.edu

• Not covered components themselves

• Not part of covered component• Resistance to including

–Burden–Definition

15

Business Associate

www.cac.cornell.edu

• Relationship to covered entity–For or on behalf–Other than in the workforce

• Separate legal entity

www.cac.cornell.edu 16

Overview

• Informing Perspectives• Organizational “Objects”• Cornell Logistics

www.cac.cornell.edu 17

Where is HPC?

• Privacy Rule–Extend the workforce

• Security Rule–Extend the protections

• Only as needed

www.cac.cornell.edu 18

Including HPC at Cornell

• Reminder: medical campus perspective

• Extending walled garden–Potential savings

• Not yet trying to share full resources• Three aspects

www.cac.cornell.edu 19

Including HPC: Physical

• Co-lo–Already has personnel controlling and

logging–Rationale for remote location

• Separate racks–Separate keys and associated controls

www.cac.cornell.edu 20

Extending to HPC: Technical

• IP Network– Extension of med network into data center

• With all security trimmings– Air gap (garden wall) to other networks

• Storage– Separate physical disks

• Shared array, on private management network– Shared storage switch

• Separate when volume makes feasible

www.cac.cornell.edu 21

Extending to HPC: Administrative Sharing

• Workforce– The lesson of athletics– Sysadmins leverage med training and

awareness, follow documentation and procedures– Joint position supervision (direct control)

• Compliance– Elements accountable within garden

• E.g. shared array, on private management network– Other frameworks and HITRUST