1. BlueCross BlueShield of Tennessee, Inc., an Independent Licensee of the BlueCross BlueShield Association. This document has been classified as public Information. Protecting Electronic Healthcare Information: Implementing Sound Security and Privacy Practices Health Plan Prospective Tena T. Roberson BlueCross BlueShield of Tennessee Deputy General Counsel and Chief Privacy Officer

2. 2 HIPAA Terms Health Insurance Portability & Accountability Act Covered Entity Protected Health Information Business Associate HealthCare Operations

3. 3 Covered Entity Health Care Provider Health Plan Heath Care Clearing House èHIPAA law applies to these three entities. èDoes Not apply to entities such as Google, Microsoft and other companies that are building personal health records

4. 4 Protected Health Information (PHI) Information created or received by a covered entity Relates to Past, Present or Future –Health Condition –Payment for Health Care –Identifies the Individual

5. 5 Business Associate An entity that uses or discloses PHI on behalf of a covered entity Covered entities are required to contract with Business Associates to identify permitted uses and disclosures of PHI Examples: Disease Management, Wellness Programs, Pharmacy Benefit Managers, etc.

6. 6 HealthCare Operations Quality assessment/improvement activitiesQuality assessment/improvement activities Case managementCase management Contacting providers/patients with information about treatment alternativesContacting providers/patients with information about treatment alternatives Provider credentialingProvider credentialing Evaluating provider performanceEvaluating provider performance Underwriting, premium ratingUnderwriting, premium rating Medical reviewMedical review

7. 7 HealthCare Operations continued Fraud and abuse detectionFraud and abuse detection Business planning and developmentBusiness planning and development Formulary developmentFormulary development Internal GrievancesInternal Grievances Creating de-identified informationCreating de-identified information Develop or improve payment methods or coverage policiesDevelop or improve payment methods or coverage policies

8. 8 Security Requirements in HIPAA Privacy Regulations Covered Entity must have administrative, physical and technical safeguards in place to protect their member’s PHI –Administrative safeguards- written policies and procedures, employee training, monitoring program effectiveness assessing new business initiatives –Physical safeguards- restrictions on building access, employee badges or smart cards, biometric access, locked offices and desk drawers

9. 9 Security Requirements in HIPAA Privacy Regulations Technical safeguards- Password protected computers, encrypted laptops, intrusion detection systems, firewalls, system limited access to data needed for job, etc. We generally stop 200-300 systems virus attacks every month and our intrusion detection system reflects over a million events per month. Security never stops, it changes constantly to keep up with new risks.

10. 10 Health Information Technology BlueAccess- Internally built system which allows our members, groups and providers on-line access to pertinent information. Shared Health- Clinical Health Record available to treating providers. Incorporates data from hospitals, labs, pharmacy and doctors. Has improved efficiency and decreased duplicate tests.

11. 11 Questions???