
Mailing: 2440 East Tudor Road PMB 1143 AeHN BOARD OF ... · HiTrust requirements in process, review...

Date post: 27-Jul-2018
Upload: vantu

Mailing: 2440 East Tudor Road PMB 1143 Anchorage, AK 99507

Physical: 4000 Old Seward Hwy, Suite 203 (907) 770-2626

AeHN BOARD OF DIRECTORS

Paul Sherry President, AeHN Health Policy Strategist, Alaska Native Tribal Health Consortium

Ken Osterkamp Vice-President, AeHN State Director, AARP Alaska

Chris Emond Treasurer, AeHN Director of Treasury Alaska Communications

Carl J. Kegley Secretary, AeHN IT Alaska Senior Director, Banner Health

Karen Perdue President/CEO, Alaska State Hospital and Nursing Home Association

Jeff Davis President, Premera Blue Cross Blue Shield

Melinda Rathkopf, MD Allergy, Asthma and Immunology Center of Alaska

William Streur Commissioner State of AK, DHSS

Jan Harris Vice Provost for Health Programs University of Alaska

Jerome List, MD President, Alaska EHR Alliance Alaska Ear, Nose and Throat

Nancy Merriman Executive Director Alaska Primary Care Assoc.

Mark Williams Director of Telehealth & Outreach Providence Health & Services, Alaska

Susan Yeager Director, Alaska VA Healthcare System

AeHN Board of Directors Meeting May 21, 2014 

       11:30 AM to 1:00 PM 

Location:  AeHN Conference Room, 4000 Old Seward, Suite 203 

Dial in:  1‐424‐203‐8400  Access Code:  239155# 

Business Agenda 

1. Call to Order/Paul Sherry
   a. Welcome and Introductions
   b. Approval of Agenda
   c. Approval of Minutes (04‐16‐2014)

2. Standing Reports:
   a. President's Report/Paul Sherry
   b. Treasurer’s Report/Chris Emond
   c. Executive Director's Report/Rebecca Madison
   d. REC Report/Dave Peters
   e. State Status Report/Paul Cartland

3. Privacy and Security Update/Carolyn Heyman‐Layne
   Policy review: 2.000, 2.200, 2.300, 2.400, 3.100, 4.200

4. AeHN Proposed Budget 2015

5. Strategy Map / Paul Sherry

6. Notice of Regular Meeting – June 18, 2014, AeHN Conference Room

7. Adjournment


Alaska eHealth Network


Action Items required: May 21, 2014

Section 1: Call to Order

o Motion to approve the Agenda

o Motion to approve the minutes of April 16, 2014

Section 2: Standing Reports

o Motion to approve President’s Report

o Motion to approve Treasurer’s Report

o Motion to approve Executive Director’s report

Section 3:  Other Reports

o Motion to approve Policies: 2.000, 2.200, 2.300, 2.400, 3.100, 4.200

o Motion to approve 2015 Proposed Budget


AeHN Board of Directors Meeting AeHN Conference Room, 4000 Old Seward Hwy, Suite 203, Anchorage

Wednesday, April 16, 2014 11:30 p.m.- 1:30 p.m.

Alaska eHealth Network –Board of Directors Meeting Minutes Page 1 of 3 April 16, 2014

Board Members Present
A Davis, Jeff – Premera BC/BS
P Osterkamp, Ken - AARP
A Harris, Jan – University of AK (NV)
P Rathkopf, Melinda MD
P Williams, Mark - Providence
A Perdue, Karen – ASHNHA (Proxy-C Beemer)
T Kegley, Carl - Banner Health
P Sherry, Paul - ANTHC
T List, Jerome, MD – AEHRA
A Streur, Bill - DHSS (Proxy - Paul Cartland)
T Yeager, Susan – Dept. of Veterans Affairs
P Emond, Chris - Alaska Communications
T Merriman, Nancy - APCA

Ad Hoc:
P Madison, Rebecca Executive Director
T Heyman-Layne, Carolyn AeHN (P-NV)
T Yesmant, Claudette - Recorder

P=Present / T=Teleconference / A=Absent / NV=Non-voting Member (Quorum = 7 Voting Members or Member Proxies)

Guests Present
(P) Carney, Darcy CCG (P-NV)
(P) Hall, Rich - ANTHC
(P) Cartland, Paul DHSS – Proxy B Streur
(P) Peters, Dave AeHN (P-NV)
(T) Hartman, Sara - FCC
(P) Jensen, Chad LaTouche Pediatrics
(P) Cogan, Suzanne – Orion Health
(T) Beemer, Connie ASHNHA – Proxy K Perdue
(P) Montgomery, Kent – Orion Health

Supporting Documents:

TIME AGENDA ITEM – Presenter/Discussion Consensus/Action

11:33 am

CALL TO ORDER

a. Welcome and Introductions

President Sherry welcomed all attendees. Having determined that a quorum was present, President Sherry called the meeting to order at 11:33am.

b. Approval of Agenda

President Sherry presents a brief review of the agenda for today’s meeting. There was a motion by Mark Williams to approve the amended agenda, seconded by Ken Osterkamp. Motion approved.

Motion to approve agenda passed


c. Approval of Minutes President Sherry gave an overview of the meeting minutes from 03/19/2014. There were no changes/edits recommended.

There was a motion by Chris Emond to approve the meeting minutes from 03/19/2014, seconded by Ken Osterkamp. Motion approved.

1. President’s Report (Paul Sherry) President Sherry reports that the officers continued to work on the evaluation process for the Executive Director and will discuss the final review during the Executive Session at the end of this meeting. There was a motion by Paul Cartland to approve the President’s Report, seconded by Connie Beemer.

2. Treasurer’s Report (Chris Emond) Chris Emond gives the Statement of Financial Position report as of February 28, 2014. Cash and money market accounts total $323,282.95. A review of the Statement of Activities ending February 28, 2014 shows a net income of $588,622.73. Enhancements to the financial reports continue to be made. A forecast for HIE Operations will be included next month. There was a motion by Mark Williams to approve the Treasurer’s Report, seconded by Paul Cartland.

3. Executive Directors Report (Rebecca Madison) Rebecca Madison presented the Executive Directors’ report.

   1. Financial: Continue to complete State of Alaska deliverables; $3,261,276 of $4,608,528. Continuing to review and complete required monthly grant and contractor reports.
   2. DSM: Working with Orion to beta test and implement DSM v2; developing migration plan from v1 to v2.
   3. HIE: Fairbanks Cancer Center and Providence are the two highest priorities at this time. ANTHC and South Peninsula are next to onboard. Mt. Edgecumbe/SEARHC may onboard sooner due to their EHR readiness.
   4. REC: Continues to sign on providers for MU services.
   5. Privacy and Security: Risk Assessment – Futaris review of policies and contracts completed, audit of policy compliance begun, evaluation of HiTrust requirements in process, review of Orion Health Security Plan and policies begun, next phase will include a review of participant compliance, LaTouche Pediatrics will be the pilot site for the first participant audit, scheduled in May is scheduled to do an on-site survey of AeHN in April. Total Opt-Outs received = 29.
   6. Resources: No cost extension application for approximately $1.2M accepted and approved.

There was a motion by Chris Emond to approve the Executive Directors’ report, seconded by Ken Osterkamp. Motion approved.

Update on REC Activities (Dave Peters) Dave Peters reports the No Cost Extension paperwork was received on 3/26/2014 approving the extension.

Clinical Workgroup Report (Melinda Rathkopf, MD) Melinda reports that the 4/9/2014 meeting was used as a practice run for her upcoming talk at Providence Grand Rounds scheduled for 4/25/2014. Clinical Workgroup is working on defining their role.

Motion to approve meeting minutes passed
Motion to approve President’s report passed
Motion to approve Treasurer’s report passed
Motion to approve Executive Director’s report passed


State Report (Paul Cartland)

Paul Cartland gives the State of Alaska report. He states that representatives from the Centers for Medicare and Medicaid Services (CMS) will be on-site June 4-5, 2014.

4. Privacy and Security (Carolyn Heyman-Layne) Carolyn Heyman-Layne reports that the Privacy and Security Workgroup meeting is scheduled to meet on 4/17/2014. There will be six policies to review before passing them to the Policy Review committee. The policies will be brought to the 5/21/2014 Board meeting.

5. ORION Health – Services and Product Update: (Suzanne Cogan and Kent Montgomery): Suzanne Cogan, Vice President of Sales and Kent Montgomery, Client Relationship Manager from ORION Health presented the Orion HIE Roadmap and client relationship strategy. PowerPoint slides are attached to minutes.

6. Strategy Map (Paul Sherry): President Sherry is leaving the draft Strategy Map open for additional review and comments, with the intent of getting formal approval in advance of the annual meeting in November.

7. Executive Session: The board entered into Executive Session for personnel matters at 1:00 p.m. and reconvened in regular session at 1:30 p.m.

8. Executive Director Compensation: Ken Osterkamp moved to approve an award of a 10% performance bonus for 2014 to the Executive Director to be paid in the first paycheck paid after June 30, 2014. The Board intends to establish a new compensation profile, including an incentive component, effective for FY2015. Motion seconded by Chris Emond. Motion approved.

9. Adjournment: The Board meeting adjourned at 1:35 p.m.

Respectfully submitted by: C. Yesmant


Copyright © 2002‐2011 Orion Health group of companies | All rights reserved

Alaska eHealth Network
Board of Directors Meeting

Orion Health

April 16, 2014

Suzanne Cogan ‐ Vice President, Sales & Client Relationships

Kent Montgomery – Client Relationship Manager

Company Overview

Orion Health 

Page 3 • Copyright © 2013 Orion Health™ group of companies • All rights reserved

Orion Health and Alaska eHealth Network

• Alaska was Orion’s first SaaS (Software‐as‐a‐Service) client

– November 2010

– AeHN Leadership helped to define and drive the product offering

• Alaska is the leading “Marquee” client for Orion

– New and potential clients are asking for AeHN best practices

– Professional journals seek out successful programs to share the secrets and how‐tos

• Orion and AeHN partnership

– Renewed commitment and thought leadership to one of Orion’s premier clients

– Numerous beta tests and programs have been initiated at AeHN

– AeHN will be key leader in Solution Adoption Services rollout and will be involved in the Clinical Consulting program

– User group leadership


Orion Health Overview

Enable a better healthcare future through pioneering use of information technology and knowledge creation

• Privately‐held 20‐year old company dedicated to healthcare information integration for better population health management

• Established first comprehensive, national longitudinal patient record in New Zealand in 1995

• $150M USD Revenue per annum

• 1000+ Customers, 5 continents, 30 countries

• 45+ large Health Information Exchange deployments globally

• Auckland, NZ (global HQ); Santa Monica (US head office), Boston, Scottsdale (US R&D)

• 1,100 Staff


Orion Health – US Year in Review

• 95% YOY growth in North American revenue

• 70% YOY employee growth in US

• 40% YOY growth in statewide health information exchange (HIE) customers

• 200% YOY growth in private HIE customers which includes Accountable Care Organizations (ACOs) 

• New US office locations

– R&D center in Scottsdale, AZ

– Raleigh, NC;  Nashville, TN

• New product launches: Open Platform; Clinical Referrals


Orion Health Solution Suites

Orion Health has three distinct solution groups with specific strategies, markets, consumers and benefits:

Orion Health products can be further defined in terms of Groups, Solutions, and Modules.


US Collaborative Care customers

HEALTH SYSTEM AND PAYER ORGANIZATIONS

• Catholic Health Initiatives, CO
• Greenville Health System, SC
• Highmark BCBS, PA
• Huntsville Hospital, AL
• KeyHIE, PA
• Lahey Clinic, MA
• Lehigh Valley Health Network, PA
• Mary Washington Healthcare, VA
• MS Medicaid
• Ochsner Health System, LA
• Rush Health, IL
• Scottsdale Health Partners, AZ
• Sutter Health, CA
• St. Luke’s, PA
• St Vincent’s Medical Center, FL
• St. Francis Care, CT
• Western Connecticut Health Network, CT
• Walgreens

PUBLIC ORGANIZATIONS

• Alaska eHealth Network (AeHN), AK
• District of Columbia, DC
• State of Idaho HIE, ID
• Inland Empire HIE, CA
• Louisiana Health Care Quality Forum, LA
• Maine HealthInfoNet, ME
• The Massachusetts Health Information Highway (The HIway)
• Minnesota‐ Community Health Information Collaborative (CHIC)
• New Hampshire Health Information Organization, NH
• Nevada HIE (NV‐HIE)
• New Mexico Health Information Collaborative, NM
• North Carolina DHHS, NC
• North Dakota, ND
• North Texas Accountable Healthcare Partnership, TX


International Collaborative Care customers

CANADA

• Alberta Health Services, AB
• New Brunswick Department of Health, NB
• Quebec Department of Health, QC
• Saskatchewan Department of Health, SK
• The Northwest Territories, NT
• Ministry of Health & Long Term Care, ON
• Newfoundland & Labrador Centre for Health Information, NL

ASIA

• Singapore Ministry of Health, Singapore
• Bumrungrad International Hospital, Thailand
• Franco‐Vietnamese Hospital, Vietnam

EUROPE

• Greater Glasgow NHS Trust, Scotland
• IB Salut, Palma, Spain
• Health and Social Care Northern Ireland (HSCNI), Northern Ireland

AUSTRALIA

• NSW Health, Sydney, NSW
• Hunter New England Local Health District, NSW
• Dept. of Health & Ageing PCEHR, Australia

NEW ZEALAND

• Canterbury District Health Board


What the Analysts are Saying

Chilmark

“Orion Health is arguably the largest provider of healthcare interoperability globally and a major HIE vendor in the U.S.”

KLAS

Orion Health’s easy‐to‐use solutions and applications improve patient care and clinical decision making by enabling the exchange of healthcare information among disparate systems and providing integrated health data in a single, unified view.

May 2013, IDC Health Insights 

#HI240928

Customers comment that Orion Health’s integration tools are flexible when it comes to accessing a wide variety of data sources, and the interfaces are configurable. Additionally, they report that Orion Health is an excellent partner and very responsive to customer suggestions.


How did Orion do?

HIE Market Overview and Orion’s Position

Orion Health 


HIE Technology Market in the US

• Current market size: $558M*

• Expected to reach $878M by 2018 (CAGR of 9.5%)

• Driven by:

  • Change in reimbursement paradigm – need to reduce costs
  • Meaningful Use incentives
  • Growth by affiliation rather than acquisition

• Private HIE market larger than public market in 2013, with a projected CAGR of >10% over next 5 years

• 2013 HIMSS Analytics report: 50% of physicians surveyed indicated they were joining an HIE

• Payers increasingly part of the HIE fabric

  – Partnering with leading providers to share data and improve care coordination
  – Acquisitions of HIE technology by United, Aetna, Humana

*Source: Healthcare IT News, March 14, 2014


Population Health Management Components

Macro Level: Population

Micro Level: Patient

Claims Data

Clinical Data

Collaborative Care Model


The Six A’s of Collaborative Care


[Architecture diagram; labels as extracted]

Parsing; Validation; Transformation; Routing; Acknowledgements

Privacy Filtering; Security Filtering; Index Lookups; Notification Routing

User Management; Patient Record; BI and Analytics; Direct Messaging; Image Viewing

Portal Applications; Health Pathways

Patient Cohort; Population Health; Tasks for Clinicians

Data Repository; HIE Module

CCD Exchange; Notifications; Privacy & Consent; Record Locator

Normalization

Normalization; Semantics; Code Set Mapping

MPI

Demographics; Patients; Providers

Demographics; Encounters; Labs, Rads; Allergies, Diagnosis; Documents; Medications; Problems, Procedures

HL7, CCD, SSO, XDS

Data Warehouse; Clinical Data; Financial & Payer Data; Population Analytics; Enterprise Analytics

Clinical Portal; Patient Portal

Clinical Summary; Secure Messaging; Health Library; Circle of Care

Portal Applications

Tasks for Patient Self Care

Healthcare Providers; Patients and Families

Disparate Sources of Patient Data (e.g. HIE, EHR, Payors)

Healthcare Service Bus

Acquisition; Aggregation; Analytics; Access; Action

Organizational Changes

Orion Health 


Client Relationship Management

• In 2013, Orion changed its approach to existing accounts

– Client Relationship Managers (CRMs) were realigned to focus on HIE clients, their growth, their future plans

– Orion CRM “owns” the account, post implementation

• CRM introduced at kickoff

• At go live, CRM takes over ownership of the account

• Quarterly reviews and weekly updates with the client

• Updates to Orion leadership bi‐monthly

• Key escalation point for account issues 


Solution Adoption Services

Combining key capabilities and applying our marketplace experience to deliver an exceptional and comprehensive program aimed at simplifying participant connection to the Orion Health core solution


Solution Adoption Services

How Solution Adoption fits Into Implementation Project

Solution Installation
• Initial environment build
• Configuration
• Solution Hardening
• UAT

Solution Adoption
• Governance consulting
• Participant engagement
• Site roll‐out
• Change management


SAS Team focus

• Focused client‐specific technical teams

• Project management

• Fully documented specifications for participant readiness

• Participant assistance services available

– HL7 interfaces

– XDS and XDR feeds

– CCD parsing

– Single Sign On integration

– Testing and migration

• Ongoing connection monitoring


Process Overview


Process Overview cont’d


Client Benefits

• SAS team improves execution of participant onboarding for clients 

• SAS integrates and operates in conjunction with PSG (Professional Services Group) implementation, improves results and speed of final solution 

• Continuity in personnel drives both consistency and efficiency

• Management of Change Requests and data conversion to eliminate blocking issues will speed execution

• Bundled services to create better defined offering for client decisions


Solution Adoption Leadership Team

Training, workflow re‐engineering and UAT assistance

HL7, XDS.b interfaces, CCD parsing

Architecture tools, quality assurance and library maintenance

DSM installs, certificate management, XDR connections and change control

Project Management, work orders and scheduling

John Nebergall, Vice President


Products and Roadmap

Orion Health 


Orion Product Update

• Patient Portal 4.x
• EMR Lite Strategy


Key Features

Secure User Invitation and Registration

Circle of Care ‐ Patient Representatives

View, Download and Transmit Health Information

Secure Messaging using Direct standard

Automatic Patient Education Resources

Activity History

View Appointments

Shared Files 

Automatic Logoff

MU2 Certification (April 2014)

Patient Portal 4.0 Features


12 month Roadmap – Subject to Change

Notifications

Lab Results

Discrete Data e.g. Problems, Encounters and Demographics

April 2014

• User Invitation and Registration
• Patient Reps
• View, Download and Transmit C‐CDA
• Secure Messaging using Direct standard
• Automatic Patient Education Resources
• Activity History
• Appointment Viewing
• Shared Files
• Automatic Logoff

• MU2 CERTIFICATION COMPLETED

Clinical Workflow Suite Integration

Consent Management

3rd Party Web Integration

4.0 Releases

Circle of Care 

Messaging


EMR Lite Update

• Orion had already begun development work on the next version of EMR lite

  • To include MU2 certification

• With the numerous EMR vendors available, Orion has decided to stop development on its EMR Lite product

• Orion will partner with the following EMR vendors

  • Practice Fusion
  • Greenway
  • Athena Health


Product Roadmap

• Twelve Month Roadmap

– Open Healthcare Platform

  • APIs and tooling to enable 3rd parties to develop and deploy applications

– Predictive and retrospective analytics (Johns Hopkins grouper population health analysis, LACE readmission risk score, ACO reports, HEDIS reports)

– DSM v2 General Availability

– CCD/CCDA automation

– Patient Portal enhancements

– Care coordination enhancements

– Various core system enhancements

• Beyond Twelve Months

– Precise medicine enabled by “big data” ingestion (device data, genomics, proteomics) and access to real‐time clinical data


As of Feb 28, 2014 As of Mar 31, 2014 Variance

ASSETS

Current Assets

Bank Accounts

1000 Checking - Wells Fargo 174,901.10 145,156.78 (29,744.32)

1020 Wells Fargo - Market Rate Savings 25,004.24 25,005.30 1.06

1025 Wells Fargo - High Yield Savings 125,072.75 195,088.17 70,015.42

Total Bank Accounts 324,978.09 365,250.25 40,272.16

Accounts Receivable

1050 Accounts Receivable 350,365.00 311,357.00 (39,008.00)

Total Accounts Receivable 350,365.00 311,357.00 (39,008.00)

Other current assets

1100 Grant Receivable

1110 Grant receivable - ONC REC 196,479.58 244,927.47 48,447.89

Total 1100 Grant Receivable 196,479.58 244,927.47 48,447.89

1200 Deposit - Lease 16,454.31 16,454.31 -

Total Other current assets 212,933.91 261,381.80 48,447.89

Total Current Assets 888,277.00 937,989.05 49,712.05

TOTAL ASSETS 888,277.00 937,989.05 49,712.05

LIABILITIES AND EQUITY

Liabilities

Current Liabilities

Accounts Payable

2000 Accounts Payable 141,338.98 179,626.30 38,287.32

Total Accounts Payable 141,338.98 179,626.30 38,287.32

Credit Cards

2520 WFB - CC Madison (4258) 3,898.55 7,103.10 3,204.55

Total Credit Cards 3,898.55 7,103.10 3,204.55

Other Current Liabilities

2100 Accrued Leave 41,834.82 46,550.85 4,716.03

2105 Accrued payroll 58,675.89 58,675.89 -

2150 Payroll Tax Payable 1,715.81 2,569.57 853.76

2170 Medical Insurance Payable 3,702.21 3,702.21 -

2180 Dental Insurance Payable 202.67 171.17 (31.50)

2450 Due to SaaS Provider 83,333.33 83,333.33

Total Other Current Liabilities 106,131.40 195,003.02 88,871.62

Total Current Liabilities 251,368.93 381,732.42 130,363.49

Total Liabilities 251,368.93 381,732.42 130,363.49

Equity

3400 Retained Earnings 48,066.27 48,066.27 -

Net Income 588,841.80 508,190.36 (80,651.44)

Total Equity 636,908.07 556,256.63 (80,651.44)

TOTAL LIABILITIES AND EQUITY 888,277.00 937,989.05 49,712.05

Alaska eHealth Network

Statement of Financial Position
As of March 31, 2014


Jul 2013 Aug 2013 Sep 2013 Oct 2013 Nov 2013 Dec 2013 Jan 2014 Feb 2014 Mar 2014 Total Income

4025 Grant Revenue 239,183.48 234,754.53 203,145.86 152,912.72 124,395.72 159,833.64 106,716.34 197,899.19 126,657.98 1,545,499.46

4060 Participant Fees (HIE) 4,266.00 27.00 144.00 25.00 63,022.00 15,352.00 82,836.00

4060.1 Allocated Participant Fees - - - -

4200 Donations 10.00 500.00 323.12 833.12

4250 Misc.Income 185.26 1,307.24 (1,307.24) 185.26

4300 State Contract Rev 29,000.00 60,020.00 29,000.00 288,250.00 29,000.00 29,000.00 33,900.00 293,350.00 29,000.00 820,520.00

4411 Interest Earnings 8.62 34.46 11.68 11.68 10.55 16.48 93.47

Total Income 272,459.48 294,986.79 232,145.86 441,315.34 155,237.42 187,563.08 203,650.02 491,582.86 171,026.46 2,449,967.31

Expenses

4490 General Office 2,485.38 9,416.40 1,806.62 6,089.44 5,553.06 637.42 7,577.48 8,459.43 5,398.02 47,423.25

4600 Facilities 4,031.15 8,441.56 763.56 5,295.54 4,675.00 5,537.63 5,075.01 5,100.20 5,106.18 44,025.83

5050 Human Resources 29.95 2,850.00 2,879.95

5100 Payroll Expenses 68,328.56 64,717.52 66,452.31 65,977.22 66,775.66 62,645.38 63,520.96 63,790.76 69,320.39 591,528.76

5200 Professional Fees 192,698.90 212,317.82 157,414.25 101,734.91 81,839.74 63,315.89 70,134.89 123,749.53 79,367.20 1,082,573.13

5300 Tech Services - Ops. 525.56 2,193.66 1,891.16 1,354.16 3,306.66 829.16 349.20 192.30 1,464.46 12,106.32

5400 HIE Participant Exp. 11,725.00 11,725.00

5500 Travel 4,023.49 5,039.53 6,992.82 1,981.35 1,347.69 7,488.30 5,086.30 7,073.58 4,578.32 43,611.38

5510 Training/Staff Education 600.00 775.00 225.00 3,110.00 4,710.00

7400 Equipment/Furniture 22,657.00 (630.00) 22,027.00

Total Expenses 272,122.99 313,851.49 258,577.72 186,057.62 162,867.81 140,453.78 151,743.84 208,590.80 168,344.57 1,862,610.62

Net Operating Income 336.49 (18,864.70) (26,431.86) 255,257.72 (7,630.39) 47,109.30 51,906.18 282,992.06 2,681.89 587,356.69

Other Income

7590 HIE Acquisition Reimbursement 83,333.33 83,333.33 83,333.35 83,333.33 83,333.33 83,333.33 83,333.33 83,333.33 666,666.66

Total Other Income 83,333.33 83,333.33 83,333.35 83,333.33 83,333.33 83,333.33 83,333.33 83,333.33 - 666,666.66

Other Expenses

7600 AK HIE Service (SAAS) 83,333.33 83,333.35 82,638.83 82,638.83 82,638.83 82,638.83 82,638.83 82,638.83 83,333.33 745,832.99

Total Other Expenses 83,333.33 83,333.35 82,638.83 82,638.83 82,638.83 82,638.83 82,638.83 82,638.83 83,333.33 745,832.99

Net Other Income - (0.02) 694.52 694.50 694.50 694.50 694.50 694.50 (83,333.33) (79,166.33)

Net Income 336.49 (18,864.72) (25,737.34) 255,952.22 (6,935.89) 47,803.80 52,600.68 283,686.56 (80,651.44) 508,190.36

Alaska eHealth Network

Statement of Activities - All Classes Summary by Month

July 2013 - March 2014


Jul 2012 Aug 2012 Sep 2012 Oct 2012 Nov 2012 Dec 2012 Jan 2013 Feb 2013 Mar 2013 Apr 2013 May 2013 Jun 2013 Total Income

4025 Grant Revenue 66,067.05 72,664.64 69,923.98 82,317.68 60,733.25 76,945.17 65,249.08 104,756.02 104,107.12 72,625.32 77,996.36 95,115.39 948,501.06

4060 Participant Fees (HIE) (2,600.00) 32,301.25 29,701.25

4070 Vendor Services Revenue 750.00 750.00

Reimbursed (750.00) (750.00)

4200 Donations 805.00 11,218.50 3,185.00 6,499.47 21,707.97

4250 Misc.Income (375.00) 250.00 1,250.00 1,125.00

4300 State Contract Rev 25,250.00 20,000.00 87,750.00 30,000.00 28,000.00 20,000.00 20,000.00 20,000.00 20,000.00 20,000.00 20,000.00 74,070.00 385,070.00

4410 Workshop Income - REC 500.00 500.00

Total Income 89,897.05 103,383.14 161,358.98 151,118.40 88,733.25 98,195.17 85,249.08 124,756.02 124,107.12 92,625.32 97,996.36 169,185.39 1,386,605.28

Expenses

4490 General Office 1,662.03 5,839.81 1,747.75 2,039.96 5,607.75 742.05 2,033.92 6,741.97 4,744.93 5,789.71 5,514.20 5,481.84 47,945.92

4600 Facilities 3,154.00 3,604.47 3,714.55 4,037.85 3,749.58 4,877.84 3,640.30 3,736.84 3,846.14 3,760.24 3,869.21 3,892.26 45,883.28

4800 Workshops & Events 7,820.00 16,201.16 627.90 1,200.00 50.00 25,899.06

5010 Interest/Other Fees - -

5050 Human Resources 86.40 395.00 375.00 75.00 375.00 1,306.40

5070 Education/Scholarship 750.00 750.00

5100 Payroll Expenses 13,716.90 72,174.08 77,639.76 73,742.72 64,900.85 66,885.07 64,945.41 65,046.09 66,372.23 68,322.24 65,839.98 123,219.65 822,804.98

5200 Professional Fees 17,455.68 13,525.00 19,230.34 99,048.82 65,010.01 40,127.03 18,087.63 54,440.29 53,346.38 30,314.22 22,365.50 51,469.00 484,419.90

5300 Tech Services - Ops. 1,929.00 209.00 77.95 602.99 3,584.00 2,893.29 5,225.50 4,446.64 2,860.50 1,472.00 8,582.71 2,464.50 34,348.08

5500 Travel 3,048.89 1,322.87 5,596.16 3,403.07 2,292.75 8,360.83 3,159.23 1,623.63 3,138.45 5,429.59 5,165.08 10,270.14 52,810.69

5510 Training/Staff Education 975.00 405.00 1,380.00

Total Expenses 48,872.90 97,070.23 124,207.67 183,250.41 145,772.84 123,886.11 97,166.99 137,610.46 135,283.63 115,888.00 111,741.68 196,797.39 1,517,548.31

Net Operating Income 41,024.15 6,312.91 37,151.31 (32,132.01) (57,039.59) (25,690.94) (11,917.91) (12,854.44) (11,176.51) (23,262.68) (13,745.32) (27,612.00) (130,943.03)

Other Income

Reimbursement 891,436.00 892,500.00 36,897.34 1,820,833.34

7700 In-kind Revenue 3,546.44 3,722.54 5,126.16 3,642.02 4,836.34 3,298.07 2,845.46 2,448.65 3,108.46 3,688.07 5,757.89 1,621.73 43,641.83

Total Other Income 3,546.44 3,722.54 5,126.16 3,642.02 896,272.34 3,298.07 2,845.46 2,448.65 3,108.46 3,688.07 898,257.89 38,519.07 1,864,475.17

Other Expenses

7600 AK HIE Service (SAAS) (303,686.00) 892,436.00 83,333.33 83,333.33 475,833.33 286,897.33 1,518,147.32

Services 3,546.44 3,722.54 5,126.16 3,642.02 4,836.34 3,298.07 2,845.46 2,448.65 3,108.46 3,688.07 5,757.89 1,621.73 43,641.83

Total Other Expenses (300,139.56) 3,722.54 5,126.16 3,642.02 897,272.34 3,298.07 2,845.46 2,448.65 86,441.79 87,021.40 481,591.22 288,519.06 1,561,789.15

Net Other Income 303,686.00 - - - (1,000.00) - - - (83,333.33) (83,333.33) 416,666.67 (249,999.99) 302,686.02

Net Income 344,710.15 6,312.91 37,151.31 (32,132.01) (58,039.59) (25,690.94) (11,917.91) (12,854.44) (94,509.84) (106,596.01) 402,921.35 (277,611.99) 171,742.99

Alaska eHealth Network

Statement of Activities - All Classes Summary by Month

July 2012 - June 2013


REC - Core | REC - Direct | Total REC Restricted | 2. OPR - HIE | 3. OPR - Unallowable | TOTAL

Income

4025 Grant Revenue 338,557.51 1,206,941.95 1,545,499.46 1,545,499.46

4060 Participant Fees (HIE) - 82,836.00 82,836.00

4060.1 Allocated Participant Fees - (45,134.44) 45,134.44 -

4200 Donations - 510.00 323.12 833.12

4250 Misc.Income - 185.26 185.26

4300 State Contract Rev - 820,520.00 820,520.00

4411 Interest Earnings - 93.47 93.47

Total Income 338,557.51 1,206,941.95 1,545,499.46 859,010.29 45,457.56 2,449,967.31

Expenses

4490 General Office 35,653.72 650.00 36,303.72 10,099.47 1,020.06 47,423.25

4600 Facilities 34,173.32 34,173.32 9,852.51 44,025.83

5050 Human Resources 2,137.50 29.95 2,167.45 712.50 2,879.95

5100 Payroll Expenses 150,608.34 275,983.76 426,592.10 164,936.63 591,528.76

5200 Professional Fees 74,714.69 904,183.54 978,898.23 58,184.00 44,437.50 1,081,519.73

5300 Tech Services - Ops. 8,925.93 8,925.93 3,180.39 12,106.32

5400 HIE Participant Exp. - 11,725.00 11,725.00

5500 Travel 15,373.76 25,094.70 40,468.46 4,196.32 44,664.78

5510 Training/Staff Education 450.00 1,000.00 1,450.00 3,260.00 4,710.00

7400 Equipment/Furniture 16,520.25 16,520.25 5,506.75 22,027.00

Total Expenses 338,557.51 1,206,941.95 1,545,499.46 271,653.57 45,457.56 1,862,610.62

Net Operating Income - - - 587,356.72 - 587,356.69

Other Income

7590 HIE Acquisition Reimbursement - 666,666.66 666,666.66

Total Other Income - - - 666,666.66 - 666,666.66

Other Expenses

7600 AK HIE Service (SAAS) - 745,832.99 745,832.99

Total Other Expenses - - - 745,832.99 - 745,832.99

Net Other Income - - - (79,166.33) - (79,166.33)

Net Income - - - 508,190.39 - 508,190.36

Alaska eHealth Network

Statement of Activities - Summary by Class

July 2013 - March 2014


REC - Core | REC - Direct | Total REC Restricted | 2. OPR - HIE | 3. OPR - Unallowable | TOTAL

Income

4025 Grant Revenue - -

4026 Grant Revenue - Deposits 374,378.26 1,027,885.61 1,402,263.87 1,402,263.87

4027 Grant Receivable Adjustments (35,820.75) 179,056.34 143,235.59 143,235.59

Total 4025 Grant Revenue 338,557.51 1,206,941.95 1,545,499.46 - - 1,545,499.46

4060 Participant Fees (HIE) - 82,836.00 82,836.00

4060.1 Allocated Participant Fees - (45,134.44) 45,134.44 -

4200 Donations - 510.00 323.12 833.12

4250 Misc.Income - 185.26 185.26

4300 State Contract Rev - 820,520.00 820,520.00

4411 Interest Earnings - 93.47 93.47

Total Income 338,557.51 1,206,941.95 1,545,499.46 859,010.29 45,457.56 2,449,967.31

Expenses

4490 General Office - -

4102 Office Supplies 5,858.81 5,858.81 1,864.53 200.00 7,923.34

4105 Software and License 443.16 443.16 1,147.72 1,590.88

4110 Outreach & Marketing 18,961.17 650.00 19,611.17 2,822.15 22,433.32

4115 Bank Charges/Fees 8.71 8.71 70.46 47.74 126.91

4450 Printing/Copies/Photos 1,920.31 1,920.31 640.12 2,560.43

4461 Freight 8.55 8.55 8.55

4462 Postage 1,709.03 1,709.03 797.88 2,506.91

4470 Taxes/Licenses/Fees 30.00 30.00 10.00 40.00

4500 Insurance - G/L 4,310.98 4,310.98 1,437.00 5,747.98

4505 Insurance - WC 2,403.00 2,403.00 801.00 3,204.00

4700 Food Other - 508.61 772.32 1,280.93

Total 4490 General Office 35,653.72 650.00 36,303.72 10,099.47 1,020.06 47,423.25

4600 Facilities - -

4620 Facilities Rent/Lease 30,336.08 30,336.08 8,573.37 38,909.45

4680 Utilities 184.48 184.48 61.50 245.98

4682 Telephone/Internet 3,652.76 3,652.76 1,217.64 4,870.40

Total 4600 Facilities 34,173.32 - 34,173.32 9,852.51 - 44,025.83

5050 Human Resources 2,137.50 29.95 2,167.45 712.50 2,879.95

5100 Payroll Expenses - -

5110 Technical Staff (27,659.76) 223,191.33 195,531.57 58,276.56 253,808.13

5120 Administrative Staff 137,883.70 24,991.82 162,875.52 68,959.49 231,835.01

5170 Benefits 179.28 215.60 394.88 386.52 781.40

5170.1 Retirement - Co. Contrib. (2,561.03) 1,545.79 (1,015.24) 1,477.79 462.55

5170.2 Health Insurance 17,968.92 3,090.04 21,058.96 19,325.44 40,384.40

5170.3 Paid Leave 7,581.61 7,581.61 6,930.16 14,511.77

5170.4 Self Pay Vision 440.00 440.00 180.00 620.00

Company Contributions - Retirement 8,783.28 2,475.00 11,258.28 11,258.28

Total 5170 Benefits 32,392.06 7,326.43 39,718.49 28,299.91 - 68,018.40

5180 Payroll Taxes 7,992.34 20,474.18 28,466.52 9,400.67 37,867.22

Total 5100 Payroll Expenses 150,608.34 275,983.76 426,592.10 164,936.63 - 591,528.76

Alaska eHealth Network

Statement of Activities - Detail by Class

July 2013 - March 2014


5200 Professional Fees - - -

5210 Legal 3,881.39 3,881.39 17,604.11 21,485.50

5215 Accounting & Auditing 40,950.82 40,950.82 13,650.31 54,601.13

5220 Project Management - 14,750.00 14,750.00

5225 Project Communications 6,148.67 6,148.67 2,667.08 8,815.75

5235 Other Consulting Services 5,000.00 5,000.00 862.50 44,437.50 50,300.00

5240 HIT/EHR Consulting Services 6,858.81 899,183.54 906,042.35 906,042.35

5245 Privacy & Security 16,875.00 16,875.00 6,075.00 22,950.00

5250 Contract Emp Services - 2,575.00 2,575.00

Total 5200 Professional Fees 74,714.69 904,183.54 978,898.23 58,184.00 44,437.50 1,081,519.73

5300 Tech Services - Ops. - -

5310 Desktop Support 5,843.99 5,843.99 1,948.01 7,792.00

5320 Online Hosting Fees 2,241.94 2,241.94 952.38 3,194.32

5360 Website Design & Maintenance 840.00 840.00 280.00 1,120.00

Total 5300 Tech Services - Ops. 8,925.93 - 8,925.93 3,180.39 - 12,106.32

5400 HIE Participant Exp. - -

5410 Participant Training - 11,725.00 11,725.00

Total 5400 HIE Participant Exp. - - - 11,725.00 - 11,725.00

5500 Travel - -

5520 Trans/Lodging/Other 13,182.26 19,154.46 32,336.72 2,982.32 35,319.04

5525 Per Diem 1,896.50 4,947.00 6,843.50 1,214.00 8,057.50

5527 Misc Travel Expense 993.24 993.24 993.24

5528 Conference Registration 295.00 295.00 295.00

Total 5500 Travel 15,373.76 25,094.70 40,468.46 4,196.32 - 44,664.78

5510 Training/Staff Education 450.00 1,000.00 1,450.00 3,260.00 4,710.00

7400 Equipment/Furniture - -

7420 Equip/Furn < $5K 16,520.25 16,520.25 5,506.75 22,027.00

Total 7400 Equipment/Furniture 16,520.25 - 16,520.25 5,506.75 - 22,027.00

Total Expenses 338,557.51 1,206,941.95 1,545,499.46 271,653.57 45,457.56 1,862,610.62

Net Operating Income - - - 587,356.72 - 587,356.69

Other Income

7590 HIE Acquisition Reimbursement - 666,666.66 666,666.66

Total Other Income - - - 666,666.66 - 666,666.66

Other Expenses

7600 AK HIE Service (SAAS) - 745,832.99 745,832.99

Total Other Expenses - - - 745,832.99 - 745,832.99

Net Other Income - - - (79,166.33) - (79,166.33)

Net Income - - - 508,190.39 - 508,190.36


Actual Budget Variance Income

4060 Participant Fees (HIE) 82,836.00 165,600.00 (82,764.00)

4060.1 Allocated Participant Fees - -

4065 Participant Fees (DSM) 6,750.00 (6,750.00)

4200 Donations 833.12 41,616.00 (40,782.88)

4250 Misc.Income 185.26 185.26

4300 State Contract Rev 820,520.00 761,000.00 59,520.00

4411 Interest Earnings 93.47 93.47

Total Income 904,467.85 974,966.00 (70,498.15)

Expenses

4490 General Office -

4102 Office Supplies 2,064.53 5,400.00 (3,335.47)

4105 Software and License 1,147.72 1,147.72

4110 Outreach & Marketing 2,822.15 10,800.00 (7,977.85)

4115 Bank Charges/Fees 118.20 118.20

4420 Dues/Subscription 900.00 (900.00)

4450 Printing/Copies/Photos 640.12 1,800.00 (1,159.88)

4462 Postage 797.88 900.00 (102.12)

4470 Taxes/Licenses/Fees 10.00 10.00

4500 Insurance - G/L 1,437.00 378.00 1,059.00

4505 Insurance - WC 801.00 936.00 (135.00)

4700 Food Other 1,280.93 9,000.00 (7,719.07)

Total 4490 General Office 11,119.53 30,114.00 (18,994.47)

4600 Facilities -

4620 Facilities Rent/Lease 8,573.37 13,950.00 (5,376.63)

4680 Utilities 61.50 1,080.00 (1,018.50)

4682 Telephone/Internet 1,217.64 1,350.00 (132.36)

Total 4600 Facilities 9,852.51 16,380.00 (6,527.49)

5050 Human Resources 712.50 712.50

5100 Payroll Expenses -

5110 Technical Staff 58,276.56 84,600.00 (26,323.44)

5120 Administrative Staff 68,959.49 85,500.00 (16,540.51)

5170 Benefits 386.52 66,060.00 (65,673.48)

5170.1 Retirement - Co. Contrib. 1,477.79 1,477.79

5170.2 Health Insurance 19,325.44 19,325.44

5170.3 Paid Leave 6,930.16 6,930.16

5170.4 Self Pay Vision 180.00 180.00

Total 5170 Benefits 28,299.91 66,060.00 (37,760.09)

5180 Payroll Taxes 9,400.67 2,376.00 7,024.67

Total 5100 Payroll Expenses 164,936.63 238,536.00 (73,599.37)

5200 Professional Fees -

5210 Legal 17,604.11 22,500.00 (4,895.89)

5215 Accounting & Auditing 13,650.31 11,250.00 2,400.31

5220 Project Management 14,750.00 13,500.00 1,250.00

5225 Project Communications 2,667.08 2,667.08

5235 Other Consulting Services 45,300.00 13,500.00 31,800.00

5245 Privacy & Security 6,075.00 6,075.00

5250 Contract Emp Services 2,575.00 2,575.00

Total 5200 Professional Fees 102,621.50 60,750.00 41,871.50

Alaska eHealth Network

OPR - HIE plus Unallowable - Budget vs. Actual

July 2013 - March 2014


5300 Tech Services - Ops. -

5310 Desktop Support 1,948.01 9,000.00 (7,051.99)

5320 Online Hosting Fees 952.38 2,250.00 (1,297.62)

5360 Website Design & Maintenance 280.00 280.00

Total 5300 Tech Services - Ops. 3,180.39 11,250.00 (8,069.61)

5400 HIE Participant Exp. -

5410 Participant Training 11,725.00 11,725.00

Total 5400 HIE Participant Exp. 11,725.00 - 11,725.00

5500 Travel -

5520 Trans/Lodging/Other 2,982.32 17,000.00 (14,017.68)

5525 Per Diem 1,214.00 4,250.00 (3,036.00)

5527 Misc Travel Expense 900.00 (900.00)

Total 5500 Travel 4,196.32 22,150.00 (17,953.68)

5510 Training/Staff Education 3,260.00 3,260.00

7400 Equipment/Furniture -

7420 Equip/Furn < $5K 5,506.75 5,506.75

Total 7400 Equipment/Furniture 5,506.75 - 5,506.75

Total Expenses 317,111.13 379,180.00 (62,068.87)

Net Operating Income 587,356.72 595,786.00 (8,429.28)

Other Income

7590 HIE Acquisition Reimbursement 666,666.66 666,666.66

Total Other Income 666,666.66 - 666,666.66

Other Expenses

7600 AK HIE Service (SAAS) 745,832.99 749,997.00 (4,164.01)

Total Other Expenses 745,832.99 749,997.00 (4,164.01)

Net Other Income (79,166.33) (749,997.00) 670,830.67

Net Income 508,190.39 (154,211.00) 662,401.39


Actual Budget Variance Income

4025 Grant Revenue 533,871.00 (533,871.00)

4026 Grant Revenue - Deposits 374,378.26 374,378.26

4027 Grant Receivable Adjustments (35,820.75) (35,820.75)

Total 4025 Grant Revenue 338,557.51 533,871.00 (195,313.49)

Total Income 338,557.51 533,871.00 (195,313.49)

Expenses

4490 General Office -

4102 Office Supplies 5,858.81 19,503.00 (13,644.19)

4105 Software and License 443.16 443.16

4110 Outreach & Marketing 18,961.17 14,625.00 4,336.17

4115 Bank Charges/Fees 8.71 8.71

4450 Printing/Copies/Photos 1,920.31 9,747.00 (7,826.69)

4461 Freight 8.55 8.55

4462 Postage 1,709.03 2,439.00 (729.97)

4470 Taxes/Licenses/Fees 30.00 30.00

4500 Insurance - G/L 4,310.98 1,125.00 3,185.98

4505 Insurance - WC 2,403.00 2,835.00 (432.00)

Total 4490 General Office 35,653.72 50,274.00 (14,620.28)

4600 Facilities -

4620 Facilities Rent/Lease 30,336.08 25,650.00 4,686.08

4680 Utilities 184.48 3,060.00 (2,875.52)

4682 Telephone/Internet 3,652.76 2,025.00 1,627.76

Total 4600 Facilities 34,173.32 30,735.00 3,438.32

4800 Workshops & Events 2,394.00 (2,394.00)

5050 Human Resources 2,137.50 2,137.50

5100 Payroll Expenses -

5110 Technical Staff (27,659.76) (27,659.76)

5120 Administrative Staff 137,883.70 184,221.00 (46,337.30)

5170 Benefits 179.28 69,633.00 (69,453.72)

5170.1 Retirement - Co. Contrib. (2,561.03) (2,561.03)

5170.2 Health Insurance 17,968.92 17,968.92

5170.3 Paid Leave 7,581.61 7,581.61

5170.4 Self Pay Vision 440.00 440.00

Company Contributions - Retirement 8,783.28 8,783.28

Total 5170 Benefits 32,392.06 69,633.00 (37,240.94)

5180 Payroll Taxes 7,992.34 7,992.34

Total 5100 Payroll Expenses 150,608.34 253,854.00 (103,245.66)

5200 Professional Fees 1,053.40 1,053.40

5210 Legal 3,881.39 3,881.39

5215 Accounting & Auditing 40,950.82 17,550.00 23,400.82

5225 Project Communications 6,148.67 6,148.67

5235 Other Consulting Services 107,478.00 (107,478.00)

5240 HIT/EHR Consulting Services 6,858.81 9,747.00 (2,888.19)

5245 Privacy & Security 16,875.00 16,875.00

Total 5200 Professional Fees 75,768.09 134,775.00 (59,006.91)

5300 Tech Services - Ops. -

5310 Desktop Support 5,843.99 18,000.00 (12,156.01)

5320 Online Hosting Fees 2,241.94 6,750.00 (4,508.06)

Alaska eHealth Network

REC Core Budget vs. Actual

July 2013 - March 2014


5360 Website Design & Maintenance 840.00 2,439.00 (1,599.00)

Total 5300 Tech Services - Ops. 8,925.93 27,189.00 (18,263.07)

5500 Travel -

5520 Trans/Lodging/Other 12,128.86 18,000.00 (5,871.14)

5525 Per Diem 1,896.50 4,500.00 (2,603.50)

5527 Misc Travel Expense 900.00 (900.00)

5528 Conference Registration 295.00 295.00

Total 5500 Travel 14,320.36 23,400.00 (9,079.64)

5510 Training/Staff Education 450.00 11,250.00 (10,800.00)

7400 Equipment/Furniture -

7420 Equip/Furn < $5K 16,520.25 16,520.25

Total 7400 Equipment/Furniture 16,520.25 - 16,520.25

Total Expenses 338,557.51 533,871.00 (195,313.49)

Net Operating Income - - -

Other Income

7700 In-kind Revenue - -

Total Other Income - - -

Other Expenses

7710 In-kind Expense - Donated Services - -

Total Other Expenses - - -

Net Other Income - - -

Net Income - - -


Actual Budget Variance Income

4025 Grant Revenue 1,188,513.00 (1,188,513.00)

4026 Grant Revenue - Deposits 1,027,885.61 1,027,885.61

4027 Grant Receivable Adjustments 179,056.34 179,056.34

Total 4025 Grant Revenue 1,206,941.95 1,188,513.00 18,428.95

Total Income 1,206,941.95 1,188,513.00 18,428.95

Expenses

4490 General Office -

4102 Office Supplies 1,125.00 (1,125.00)

4110 Outreach & Marketing 650.00 76,500.00 (75,850.00)

4450 Printing/Copies/Photos 900.00 (900.00)

4462 Postage 2,700.00 (2,700.00)

Total 4490 General Office 650.00 81,225.00 (80,575.00)

5050 Human Resources 29.95 4,500.00 (4,470.05)

5100 Payroll Expenses -

5110 Technical Staff 223,191.33 232,038.00 (8,846.67)

5120 Administrative Staff 24,991.82 24,991.82

5170 Benefits 215.60 93,744.00 (93,528.40)

5170.1 Retirement - Co. Contrib. 1,545.79 1,545.79

5170.2 Health Insurance 3,090.04 3,090.04

Company Contributions - Retirement 2,475.00 2,475.00

Total 5170 Benefits 7,326.43 93,744.00 (86,417.57)

5180 Payroll Taxes 20,474.18 20,474.18

Total 5100 Payroll Expenses 275,983.76 325,782.00 (49,798.24)

5200 Professional Fees -

5235 Other Consulting Services 5,000.00 5,000.00

5240 HIT/EHR Consulting Services 899,183.54 697,500.00 201,683.54

Total 5200 Professional Fees 904,183.54 697,500.00 206,683.54

5300 Tech Services - Ops. -

5360 Website Design & Maintenance 2,250.00 (2,250.00)

Total 5300 Tech Services - Ops. - 2,250.00 (2,250.00)

5500 Travel -

5520 Trans/Lodging/Other 19,154.46 54,000.00 (34,845.54)

5525 Per Diem 4,947.00 5,400.00 (453.00)

5527 Misc Travel Expense 993.24 993.24

Total 5500 Travel 25,094.70 59,400.00 (34,305.30)

5510 Training/Staff Education 1,000.00 17,856.00 (16,856.00)

Total Expenses 1,206,941.95 1,188,513.00 18,428.95

Net Operating Income - - -

Net Income - - -

Alaska eHealth Network

REC Direct Budget vs. Actual

July 2013 - March 2014


Alaska eHealth Network Dashboard as of 3/31/2014

Financial:

Objective: Balanced budget with consistent monthly income that supports HIE for all Alaskans; measurement is positive income and expenses within budget

Notes: Revenue stable, AeHN services expanding

[Chart: AeHN Income by Month (Jul-Jun); series FY12, FY13, FY14]

[Chart: HIE Operations Expense by Month (Jul-Jun); series FY12, FY13, FY14]

[Chart: REC Expense by Month (Jul-Jun); series FY12, FY13, FY14]

04/15/2014 Page 1 of 3


Direct Secure Messaging:

Objective: Increase Meaningful Use of EHRs through exchange of data via DSM; measurement is number of providers implementing and number of providers using.

Notes: Over 20,000 messages sent monthly; DSM continues to grow

Health Information Exchange:

Objective: Increase Meaningful Use of EHRs through increased HIE use; measurement is number of users by facility and community

Notes: 8 hospitals signed; 11 hospitals reviewing contracts; over 400 individual users

Help Desk:

Objective: Timely resolution of help desk issues; measurement is volume/type of calls and time to resolution

Notes: System down time = 0.000%

[Chart: DSM Users by Month, Apr 2014 (n=4,650); series FY12, FY13, FY14]

[Chart: Active DSM Users (n=1,708); categories Hosp, Amb, SOA, Other; series Mar-14, Mar-14]

[Chart: Hospitals; Qtr 4 '13, Qtr 1 '14, Qtr 2 '14, Qtr 3 '14]

[Chart: Providers; Qtr 4 '13, Qtr 1 '14, Qtr 2 '14, Qtr 3 '14]

[Chart: Help Desk Calls (n=295); categories LOGIN ISSUES ERROR TRAINING OTHER; series Mar-14, Apr-14]


Regional Extension Center:

Objective: Meet REC grant goals by 4/2014; measurement is M1 (contract) % of goal and rank, M2 (certified EHR implemented) % of goal and rank, M3 (MU stage 1) % goal and rank

Notes: Goals for M1 and M2 have been met. M3 target must be met by October if provider is to reach M3 by April 2015.

Update as of 9/16/2013

Grant Milestones | Percent of Goal (n=538), Mar '14 | Percent of Goal (n=538), Apr '14 | % Change Since Last Month | Overall National Rank (n=62), Mar '14 | Overall National Rank (n=62), Apr '14 | Overall Increase

M1 – Contract | 124% | 126% | 2.0% | 20 | 18 | +2

M2 – EHR Go-Live | 107% | 109% | 2.0% | 32 | 25 | +7

M3 – MU Stage 1 | 61% | 65% | 5.0% | 55 | 56 | -1

State of Alaska Contract:

Objective: Meet SOA deliverables on time; measurement is deliverables, time and revenues

Notes: Continue to address deliverables. Amendment #3 is fully completed and invoiced.

Contract Amendment | Status | Note

#3 (n=44) Completed 41 $34,090 All deliverables submitted, reworking Future

#4 (n=19) Completed 14 $971,435 High priority items remaining are Lab Pilot, MDN, and DSM Upgrades.

Late 3 $115,000

Future 2 $50,000

#5 (n=37) Completed 8 $1,963,750 High priority items are ELR, VacTrAK, BioSense and DSM v2 implementation.

Late Future 29 $1,474,252

#6 (n=5) Completed 5 $39,000 Late Future

Privacy and Security:

Objective: Ensure patient confidentiality

Total Opt-Outs: 31 (24 Fairbanks, 7 Anchorage)

Event | Reported | Resolved | Time to Resolution

Privacy Complaints | 0 | NA | NA

Security Issues in Audit | 5 | 5 | Corrected

Event | Attempted | Successful | Resolution

Breach Attempts | 0 | NA


AeHN Executive Director Report

Apr 16, 2014 to May 21, 2014

1) HIE:

a) Continue to meet weekly with State HIT Coordinator to review issues related to the AeHN/SOA contract; Amendment 3 is completed and billed; Amendment 4 and 5 dates under revision

b) State Reportables:

i) ELRs (electronic lab reporting - hospitals) – first successful test achieved, in queue – Providence, ANMC, FMH and SPH

ii) BioSense (syndromic surveillance - hospitals) – first successful test achieved, in queue – Providence; ANMC, FMH and SPH

iii) VacTrAK (immunizations – hospitals and eligible providers) – two successful tests, in queue – LaTouche, Providence, ANMC, FMH, SPH, CPGH, and other ambulatory entities

c) EHR Lite – looking for alternatives, Orion now supports three products Practice Fusion, Greenway and Athena Health

d) Patient Portal – implementation to be completed by end of May, testing will begin with a few pilot sites

e) 8 hospitals signed, 11 hospitals reviewing contract, onboarding started with South Peninsula Hospital, Wrangell, Petersburg, Providence (includes 4 hospitals), Mt Edgecombe, Central Peninsula General Hospital and Alaska Native Medical Center (includes KANA and SCF)

2) Privacy and Security/Risk Assessment

a) Risk Assessment – Penetration tests showed no vulnerabilities

b) Futaris contract – completed AeHN and LaTouche audits; Futaris will report on findings and next phase of HiTrust certification at the next board meeting

3) Resources

a) No current cash flow issues and adequate staffing

b) REC grant ends in April 2015, balanced budget will require increased revenues through additional HIE contracts and fees for other provider services

4) Direct Secure Messages

a) Over 4,600 active mailboxes; key usage includes State of Alaska/provider PHI transfers and C-CDA transfers for referrals

b) NATE and VA certificates implemented cleanup of old accounts in process

c) Working with Orion Health to beta test and implement DSM v2; migration plan from v1 to v2

5) Lab Pilots

a) State Lab – one final issue to address before closure (MDN), waiting for Orion Health

6) Policies and Procedures

a) On-going work to review and implement procedures for AeHN operations

b) PSC Workgroup has moved to quarterly meetings


7) Financial:

a) State Deliverables - $3,261,276 of $4,608,528

b) Developing fee for service and other revenue streams

c) Completed required monthly grant and contractor reports

8) Meetings

a) Weekly SOA meeting with HIT Coordinator, weekly with PH

b) Weekly onboarding meeting with: 19 onboarding clients

c) Biweekly ONC Grantee meetings

d) Weekly Orion for status on UAT testing, system upgrades, and DSM concerns

WORKGROUP UPDATES

Clinical and Informatics – No updates since last board meeting.

Privacy, Security, and Compliance - No updates since last board meeting.


Alaska HIT Monthly Status Report

Reporting Period: Week of May 12th

State HIT Coordinator: Paul Cartland

Deliverable Summary: Current (for regular AeHN deliverables)

Approved (all approved deliverables have been removed from the tracking table below): 56 of 89

Late: 32 of 33

Legend

Schedule

Conditionally Approved: Deliverable has been conditionally approved: may just need to make adjustments or changes and provide an updated deliverable to State that addresses comments

Rejected or Late: Deliverable has been rejected: revised submission of deliverable is needed or the deliverable is late for submission

Regular AeHN/DHSS Contract Deliverables

Contract Amendment # | Deliverable # | Deliverable Name | Status | Contract Due Date | State Deliverable Review Status | Conditionally Approved/Rejected Updates Due Date | Needs AeHN Board Approval | Comments

3 | 3 | Copies of Applications for Funding Opportunities | Within 5 business days of submission | • As of 2/18/2013 IT Planning office has not received any copies of applications for funding opportunities

4 | 3 | Message Delivery Notification (MDN) | 10/31/2012 | Late | • Never received DTF for deliverable, MDN that has been implemented is not what was requested by State

4 | 5 | Lab Pilot Wrap Up | 12/31/2012 | Late | • Lab Pilot has not completed

4 | 7A | Statewide HIE Survey: finalized survey script | 11/30/2012 | Late | • If deliverable was completed DTF was never submitted for approval by DHSS

4 | 7B | Statewide HIE Survey: delivery of survey results from interviews with a minimum of 500 provider organizations and all in state hospitals | 1/31/2013 | Late | • If deliverable was completed DTF was never submitted for approval by DHSS

Alaska HIT Project Monthly Status Report – Week of May 12, 2014 1 - of - 17

5 | 1 | Master Provider Index: HIE interface design, develop and implement an interface between the DHSS MPI and the HIE | 12/31/2013 | Late

5 | 2B | Pass through to Orion Health: payable upon a valid invoice from Orion | 9/30/2013 | Late

5 | 3 | DSM Version 2 (2013 Version) | 6/30/2013 | Late

5 | 5A | Populate CDR via DSM: implement capability to capture data from DSM CCD attachments | 6/30/2013 | Late

5 | 5B | Populate CDR via DSM: Orion Health develop capability to capture data from CCD attachments routed via DSM | 6/30/2013 | Late

5 | 5C | Populate CDR via DSM: $15,000 per EHR for up to 10 EHRs | 6/30/2013 | Late

5 | 5D | Populate CDR via DSM: AeHN create data validation and quality compliance to ensure data is correctly captured and incorporated into CCDs | 9/30/2013 | Late

5 | 6A | Medicaid Claims Data into CDR: Create Data Mapping from MMIS DW to Orion CDR | 12/31/2013 | Late


5 6B Medicaid Claims data into CDR: create a one-time historical data load from MMIS DW to populate CDR

12/31/2013

Late

5 6C HIE Enterprise MPI (EMPI will be loaded with Medicaid patient demographics, patient and any cross-reference identifiers

3/31/2014 Late

5 6D As new AK MMIS becomes operational the HIE will be able to receive regular claims feeds from Medicaid environment

3/31/2014 Late

5 7B Biosense Connectivity: Coordinate hospital on-boarding schedule

8/30/2013 Late

5 8A Blue Button: Develop Blue Button import/export functionality in HIE

11/30/2013 Late

5 8B Blue Button: Integrate MyAlaska patient authentication into the HIE for Blue Button download and PHR access

2/28/2014 Late

5 8C Blue Button: Synchronize the HIE EMPI with DHSS’s MCI

2/28/2014 Late

5 8D Blue Button: Integrate with AeHN patient communication plan

3/31/2014 Late


5 9 Orion Health disease management module: Supporting obesity, diabetes care and cardiovascular disease

3/31/2014 Late

5 10A HIE Acceptance survey of public awareness: pre-roll out survey results statewide

8/1/2013 Late

5 10B HIE Acceptance survey of public awareness: post-roll out survey results statewide

2/1/2014 Late

5 11A Privacy & Security: security certification

8/1/2013 Late

5 11B Privacy & security: HIE certification

2/1/2014 Late

5 12 Consent management: update clinical portal to allow 3 options for consumers (opt-in, opt-out, opt-out partial)

6/30/2013 Late

5 13B Orion Health maintenance contract

3/29/2014 Late • One half (½) of payment was approved 10/8/2013

5 14A Business Intelligence: Purchase license and install system

1/31/2014 Late

5 14B Business Intelligence: Test and implement

2/28/2014 Late

5 14C Business Intelligence: Develop and implement 2 analytic reports

3/31/2014 Late

6 1 Assessment of AeHN & DPH infrastructure for current HIT/Data exchange landscape as it relates to Public Health

9/30/2013 Late

6 3 Summarized Document

11/30/2013 Late


Re-Occurring AeHN/DHSS Contract Deliverables Contract Amendment #

Deliverable #

Deliverable Name

Status Contract Amendment Due Date

State Deliverable Review Status

Conditionally Approved / Updates / Due Date

Needs AeHN Board Approval

Comments

3 R-1 Annual Budget Update

Due in May each year

• Initial budget was approved 5/31/2013

3 R-2 Quarterly Budget

Quarterly within 15 calendar days of the end of each quarter

• In March 2014 it was determined that the financial updates provided at each AeHN Board meeting would be considered the quarterly budget update deliverable

• Have not received any quarterly budgets since the original budget was approved in May 2013

• Initial budget was approved 5/31/2013, quarterly budgets can begin September 2013

3, 5, 6 R-3, R-8 Weekly Status Report including transactions by provider type for Direct service

Weekly on Mondays

• AeHN continues to work with DHSS to submit and revise weekly status reports as necessary

• DHSS continues to receive weekly status reports

• DHSS IT Planning office requested that weekly status report contain HIE on-boarding information/matrix

• AeHN weekly reports have been received by DHSS inconsistently, not usually received weekly. DHSS reminded AeHN of the weekly status report

• Continue to receive weekly status report

• Received a combined report on 1/21/2013 for the weeks ending 1/11 and 1/18. Status report does not include DSM metrics.

• Did not receive weekly status report for week of 12/24/2012. Status report does not include DSM metrics needed for ONC reporting.

• Received weekly status report for week of 12/10/2012. Status report does NOT include DSM metrics needed for ONC reporting.

• Weekly status report has not been received from AeHN since early August.

• Weekly status report for week of Aug 1-8 was received on Monday 8/6/2012

• Weekly status report for week ending 7/20/2012 was received on 7/23/2012 however the only updates in the report were the DSM metrics.

• Weekly status report for week ending 7/13/2012 was received late on 7/17/2012. Comments were sent back to AeHN regarding this status report on 7/20/2012.

• Weekly status report for week ending 7/6/2012 was received late on 7/11/2012; status reports are due on Mondays. Additionally status report was not complete.

• Weekly status report for week ending June 29 was not received. Email was sent to AeHN on 7/5/2012 requesting status of weekly status report, no response received from AeHN.

3 R-4 DSM Directory for Alaska's Master Provider Directory

Weekly • IT Planning office has not received weekly DSM directory since May 2013.

• Continue to receive weekly spreadsheets of DSM Directory

• Received an Excel spreadsheet with DSM directory on 1/21/2013.

• Format needed to be electronically submitted to Alaska's Master Provider Index is still being determined

3 R-5 Workgroup Schedule and roster Updates

Weekly • DHSS received updated workgroup rosters in March 2014

• 10/1/2013 – Have not received any updates

3 R-6 Workgroup Reports to Contractor Board of Directors

Monthly • DHSS continues to not receive any updates

• 10/1/2013 – Have not received any updates

3 R-7 Project Plan Updates

Weekly • DHSS continues to not receive any updates

• 10/1/2013 – Have not received any updates


Critical Active Issues Summary - Current Reporting Period and Unresolved from Prior Reporting Period(s) ID Date Project Title Description Discussion Comments Status Trend Resolution 20 11/2/2011 HIE Governance AeHN

Corrective Action Plan (CAP)

The DHSS Commissioner has requested AeHN develop a CAP to address the findings of the HIE Assessment performed by Cognosante

CAP is due to State by 12/2/2011

• 5/14/14: deliverable status has not changed since April report

• 4/8/2014 - currently there are 32 deliverables that are late.

• 3/10/2014 - currently there are 26 late deliverables. DHSS has approved several deliverables for payment without receiving DTFs.

• 1/6/2014 - currently there are 30 late deliverables from contract amendments 1 - 6. There are 46 approved deliverables. There are 13 deliverables not yet submitted by AeHN.

• 10/1/2013 - Currently there are 25 late deliverables from contract amendments #3 - #5. There are 45 approved deliverables from contract amendments #3 - #5. There are 15 deliverables which have not yet been submitted and are due at a future date from contract amendments #3 - #5. There are 5 re-occurring deliverables that are considered late or the IT Planning office has never received.

• 8/20/2013 - Contract amendment #6 was signed

• 8/19/2013 - Contract amendment #6 has been sent to AeHN for signatures

• 5/24/2013 - Contract amendment #5 has been signed by State & AeHN

• 4/29/2013 - State and AeHN are still discussing contract amendment

• 4/15/2013 - State and AeHN have agreed to a new contract amendment following the contract re-negotiations between AeHN and Orion Health. Contract Amendment with State and AeHN will include HIE Phase 2 activities and should be completed and signed shortly.

• 2/19/2013 - continue to receive weekly status reports and now DSM Provider Directory reports on a weekly basis. Currently there are 24 late deliverables (4 of these had been conditionally approved but have long since passed their resubmission due dates).

• 1/22/2013 - now receive weekly status report on a more regular basis but other deliverables have not been submitted. Currently there are 20 late deliverables and 4 Conditionally Approved deliverables that have not been re-submitted within 10 business days of the DTF being returned to AeHN.

• 12/13/2012 - improving trends in deliverables from AeHN; HIT office is working closely with AeHN to ensure deliverables are satisfactory; there are still 17 late deliverables, 4 that have been withdrawn by AeHN for re-submission, 1 conditionally approved, and 5 not yet submitted.

Active No Change

• 9/26/2012 - improving trend in deliverables from AeHN, 5 deliverables have been approved, 3 are conditionally approved and 1 has been rejected. AeHN Executive Director has provided an updated timeline for when deliverables will be sent to DHSS

• 8/29/2012 - most contract amendment deliverables have either been rejected or have been conditionally approved without updated submissions sent to HIT Program Office. Paul Cartland is working with AeHN's new Executive Director, Rebecca Madison to determine priority of deliverables and updated submission dates.

• 8/7/2012 - 12 deliverables have been rejected without a 2nd updated deliverable having been submitted, 2 deliverables have been rejected and 2nd versions are due later in August, 7 deliverables have been conditionally approved but State has not received any updated documents addressing State's comments (1 of these is not due back to State until next week), 21 deliverables are late, 1 deliverable is in review with State, 2 deliverables are due at either future dates or due dates were not identified in contract amendment

• 7/30/2012 - 12 deliverables have been rejected without a 2nd updated deliverable having been submitted, 1 deliverable was rejected but a 2nd updated deliverable has been submitted, 7 deliverables have been conditionally approved with no updated documents provided to address State comments, 19 deliverables are considered late, 3 deliverables are in review with State, 5 deliverables are due at either future dates or due dates were not identified in contract amendment

• 6/29/2012- Two of the three deliverables required under contract amendment 3 were rejected and the other was conditionally approved. Fifteen deliverables are being reviewed. An additional eight are past due for delivery.

• 5/30/2012- AeHN continues to submit weekly reports. There are concerns with sustainability plans and privacy/security standards.

• 5/2/2012 - AeHN is submitting weekly status reports and is participating in a weekly meeting with HIT Program office to discuss the status report, updates and any issues or concerns

• 1/30/2012 - State has not approved AeHN's CAP, State and AeHN continue to work together along with Deloitte technical assistance to reach a point with AeHN's CAP that it can be approved

• 12/21/2011 - State requested that AeHN staff meet with State and Cognosante to develop action items from the CAP review.

• 12/2/2011 - State received AeHN's CAP and will review.

46 1/22/2013 HIE Governance PMP on AeHN staff

AeHN does not currently have a PMP certified staff person.

AeHN does not currently have a PMP certified staff person. This is a requirement in the contract between DHSS and AeHN.

• 4/8/2014 - Anticipated AeHN staff member will be PMP certified by October 2014

• 10/1/2013 - No known change from April comment

• 4/15/2013 - no update provided by AeHN

• 1/22/2013 - IT Planning office is unsure what AeHN is doing about hiring a PMP certified staff person.

Active No Change

47 1/22/2013 HIE Governance Privacy & Security Officer on AeHN staff

AeHN has not been able to hire a privacy and security officer for their staff.

DHSS is concerned because AeHN has not been able to hire a Privacy & Security officer for their staff. This is a critical area of concern for the HIE and is needed before moving to a production status.

• 10/1/2013 - No known change from June comment

• 6/10/2013 - AeHN Executive Director is acting as the Privacy & Security office at this time

• 4/15/2013 - no update provided by AeHN

• 1/22/2013 - AeHN has posted a combined Privacy & Security Office and Data Quality position. The IT Planning office is concerned that AeHN will not be able to find a person with these two skill sets and both these areas are areas of concern and really need to have two separate individuals employed.

Active No Change

49 4/29/2013 HIE Governance Direct Secure Messaging (DSM) Solution current & version 2013

The DSM solution Orion has implemented for Alaska does not meet the needs for State of AK. State has been requesting for months for changes which have not been implemented, these include: group mailboxes, quality email connectivity, reporting by role, and other functionalities.

Orion has recently proposed a new version: 2013 DSM but this version doesn't fulfill all of the state's requests and may even be a step backwards for some functionality.

• 3/10/2014 - DSM V2 beta testing is not progressing. Orion Health has started to conduct meetings with beta testing entities but Orion appears to be working in a silo and not listening to their customers' demands.

• DSM V1 continues to have issues that require entire system reboots, latest issues have been related to emails not sending or being received and issues with DSM settings not being saved

• 2/3/2014 - DSM V2 beta testing is not progressing due to lack of Orion support

• 1/6/2014 - Alaska is participating in DSM V2 beta testing, so far functionality in DSM V2 is significantly less and will not meet needs for participants

Active Worsening

• 10/1/2013 - No known change since September comment

• 9/13/2013 - Orion Health presented a modified plan for DSM version 2, this modified plan will most likely not work for Alaska because it does not allow for HISP to HISP communication so users of the current DSM solution will not be able to communicate with users on version 2.

• 8/19/2013 - Still waiting for final details and updates about DSM version 2 and exact date this can be implemented and how Orion will address DHSS concerns with solution

• 6/10/2013 - Orion Health DSM version 2 will not be available for email migration until October 2013. This date is not satisfactory for DHSS and has been rejected. AeHN and DHSS are researching mitigation strategies.

• 4/29/2013 - Orion has been telling AeHN and State for weeks that they will provide dates for when Version 2013 could be implemented in Alaska and continues to avoid providing a date and answering the State's concerns about 2013 version.


Risk Report Summary ID Date Project Title Description Comments Status Severity Probability Impact Strategy 11 12/31/2011 HIE

Governance

Insufficient Funds for Corrective Action Plan

If AeHN is not sufficiently staffed or funded to support the demands of the corrective action plan they will not be able to meet the expectations set in the AeHN/State contract, the Corrective Action Plan, nor other stakeholder expectations.

• 10/1/2013 - No change since September comment

• 9/13/2013 - no update provided by AeHN

• 6/10/2013 - AeHN Executive Director is filling roles until AeHN can hire staff

• 4/29/2013 - Status of a data quality person and a privacy/security staff person has not changed

• 4/15/2013 - AeHN still has not hired a Data Quality person nor a Privacy/Security staff person.

• 1/22/2013 - AeHN has increased staffing; however, AeHN has not hired a Data Quality person nor a Privacy Security staff person and currently has this posted as a single position. The IT Planning office is concerned that these are two critical positions needed and it will be difficult to fill this position combining these two skill sets.

• 12/13/2012 - HIT Office is monitoring staffing

• 9/26/2012 - new AeHN ED has increased staffing through hiring and contracting with third parties.

• 8/29/2012 - New AeHN ED, Rebecca Madison started in early August. Doris Yanis-House has agreed to stay on with AeHN as a contract employee to assist with DSM, unsure about Joe Furrer's employment status with AeHN. AeHN continues to struggle with staffing and funds.

Active 2 - Significant; affecting all performance and budgets

1 - High; will occur (100%)

3 - Moderately Controllable

The Alaska HIT Program office works to supply templates, documentation, assistance and guidance as practical. AeHN prioritizes CAP work appropriately; some HIE program activities may be delayed as a result of focus on Direct implementation and corrective action plan activities.

• 7/30/2012 - AeHN Executive Director, Bill Sorrells last day was 7/20/2012. The new AeHN ED doesn't start until Aug. 8th. The other two HIE staff: Joe Furrer and Doris Yanis-House have also submitted their resignation letters and will be gone from AeHN by middle of August.

• 5/1/2012 - Due to the CAP for AeHN REC pressure on AeHN as an organization has increased. AeHN is still understaffed and funded. State HIT Program Office developed an HIE Staffing Comparison that was presented to the AeHN Board for discussion.

• 2/29/2012 - The HIT Program office and technical assistance contractor Deloitte continue to work with AeHN regarding their CAP submission.

• 1/30/2012 - HIT Program office and AeHN meet the week of January 2nd to discuss gaps in AeHN's CAP submission. A matrix was provided to AeHN regarding gaps and strategies were discussed. HIT Program office is still concerned about AeHN's CAP since it has not yet been approved by State and has requested further technical assistance from Deloitte.

• 12/31/2011 - HIT Program office and AeHN are scheduled to meet in early January to discuss action steps necessary for the corrective action plan.

34 4/29/2013 HIE Governance

Direct Secure Messaging (DSM) Current and Version 2013

If Orion Health cannot implement a Direct solution that meets the State's requirements and needs, the State may have to find HISP services with another vendor.

• 3/10/2014 - Alaska continues to beta test DSM V2, V2 will not meet functionality needs as it has been presented by Orion. DSM V1 is experiencing system issues: emails not sending/receiving, MDNs inconsistently working, settings not saving

• 1/6/2014 - Alaska is beta testing DSM V2, V2 is not currently meeting functionality needs

• 10/1/2013 - No change since September comment

• 9/13/2013 - Orion Health presented to AK a modified DSM version 2 plan which will most likely not work for Alaska because it does not allow for HISP to HISP communication.

• 6/10/2013 - Orion Health's DSM solution version 2 will not be ready for implementation until October 2013, this delivery date has been rejected by State. AeHN and State are developing mitigation strategies.

Active 1 - High; probably project failure

2 - Expected; could occur (75%)

2 - Largely Uncontrollable

Mitigation Strategy - If Orion Health cannot provide a solution that meets the needs State will need to identify another vendor to provide Direct/HISP services.

• 5/3/2013 - Orion Health's DSM solution continues to be unstable: there is a timestamp issue where emails are being sent at a certain time but when received the timestamp on the email reflects a future date/time; at least one State user's DSM User ID disappeared - it was restored but only after system wide shutdown occurred

• 4/29/2013 - Orion Health continues to be unable to meet the State's needs for DSM and is unable to provide accurate dates for when they might be able to provide a solution that meets the State's needs

36 1/16/2014 HIE Governance

Orion Health Communications

Orion Health has significantly poor communications not only internally to their organization but also with their customers.

• 3/10/2014 - Orion communications continue to be poor

• 1/16/2014 - example of poor communications: Alaska has been asking Orion Health about when the patient portal would be first implemented, Alaska has been asking Orion Health for a date for weeks only to find out from North Dakota customer that Orion Health demoed the version 4.0 of the Patient Portal to them and plan to roll it out for ND weekend of 1/18/2014.

Active 2 - Significant; affecting all performance and budgets

2 - Expected; could occur (75%)

2 - Largely Uncontrollable

Alaska will continue to monitor. DHSS recommended to AeHN that this be logged in a risk register with Orion Health if one is available.

• Another example of poor internal communication: Orion Health assigned resources to work with Alaska on developing public health interfaces, there were separate resources for the different interfaces, Alaska provided URLs for Orion Health to use to connect to BizTalk for all the interfaces but this information was not communicated internally to all Orion Health resources working on the various interfaces.


2.000 Introduction to Internal Security Policies v3 Page 1 of 6 Originally Adopted 09/21/2011 Revision v3 Adopted 05/31/2013

2.000 Introduction to Internal Security Policies

Policy Summary

As such, AeHN has adopted a series of Security Policies to comply with the responsibilities outlined in the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This policy provides the general terms and provisions that apply to all of the Security Policies, along with the defined terms and acronyms that are used therein.

Purpose

The Alaska eHealth Network (AeHN) is committed to protecting the privacy and security of the protected health information (PHI) contained in the systems it oversees. This policy reflects AeHN’s commitment to appropriately use and physically protect EPHI.

Scope/Applicability

This policy is applicable to all AeHN workforce members that manage, control, access, use or disclose protected health information for any purposes. The AeHN workforce includes Workforce Members and other paid staff, contractors, agents, and vendors. This policy’s scope includes all protected health information contained on AeHN equipment, or otherwise accessible by the AeHN Workforce, including but not limited to the HIE and DSM.

Regulatory Category, Type, Legal Regulatory Reference

45 CFR § 164.306 Security standards: General rules.

(a) General requirements. Covered entities must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

AS 18.23.310 Confidentiality and security of information.

(a) The department shall establish appropriate security standards to protect the transmission and receipt of individually identifiable information contained in the system established under AS 18.23.300. The standards must

(1) include controls over access to and collection, organization, and maintenance of records and data that protect the confidentiality of the individual who is the subject of a health record;


(2) include a secure and traceable electronic audit system for identifying access points and trails;

(3) meet the most stringent applicable federal or state privacy law governing the protection of the information contained in the system.

(b) A person may not release or publish individually identifying health information from the system for purposes unrelated to the treatment or billing of the patient who is the subject of the information. Use or distribution of the information for a marketing purpose is strictly prohibited.

(c) The department shall establish procedures for a patient who is the subject of a health record contained in the system

(1) to opt out of the system;

(2) to consent to the distribution of the patient's records contained in the system;

(3) to be notified of a violation of the confidentiality provisions required under this section;

(4) on request to the department, to view an audit report created under this section for the purpose of monitoring access to the patient's records.

7 AAC 166.030; 7 AAC 166.040; 7 AAC 166.900; 45 CFR 160; 45 CFR 164 (Parts A and C)

Policy Authority/Enforcement

AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) are responsible for monitoring and enforcement of the AeHN Internal Security Policies and Procedures.

Related Policies & Procedures

Policy Number / Procedure Number / Policy/Procedure Title

2.100 Consumer Opt Out Election Policy
  2.101 Consumer Opt Out Election Procedure
2.200 Administrative Safeguards Policy
  2.201 Security Management Process Procedure
  2.202 Risk Analysis Procedure
  2.203 Risk Management Procedure
  2.204 Employee Sanctions Procedure
  2.205 Information System Activity Procedure
  2.206 Assigned Security Responsibility Procedure
  2.207 Workforce Security Procedure
  2.208 Authorization and Supervision Procedure
  2.209 Workforce Clearance Procedure
  2.210 Termination Procedure
  2.211 Information Access Management Procedure
  2.212 Access Authorization Procedure


                2.213              Access Establishment and Modification Procedure
                2.214              Security Awareness and Training Procedure
                2.215              Security Reminders Procedure
                2.216              Protection from Malicious Software Procedure
                2.217              Log-in Monitoring Procedure
                2.218              Password Management Procedure
                2.219              Security Incident Procedure
                2.220              Contingency Plan Procedure
2.300                              Physical Safeguards Policy
                2.301              Workstation Use Procedure
                2.302              Workstation Security Procedure
                2.303              Device and Media Controls Procedure
                2.304              Accountability Procedure
2.400                              Technical Safeguards Policy
                2.401              Access Control Procedure
                2.402              Unique User Identification Procedure
                2.403              Automatic Logoff Procedure
                2.404              Encryption and Decryption Procedure
                2.405              Audit Controls Procedure
                2.406              Integrity Procedure
                2.407              Person or Entity Authentication Procedure
                2.408              Transmission Security Procedure
2.600                              Breach Notification Policy
                2.601              Breach Notification Procedure
3.100                              HIPAA Privacy Policy
                3.101              Use, Disclosure and Privacy Rights Procedure

Renewal/Review

This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.

Policy

I. General Policy Requirements:

A. Annual Review. AeHN will annually review all Internal Security Policies and Procedures to determine if they comply with current HIPAA Security regulations, applicable Alaska law and AeHN contractual obligations. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.


B. Format of PHI. AeHN uses the software-as-a-service model for the transmission and storage of PHI. Although AeHN does not have PHI directly contained on its own information systems, it is the steward for such information held by contractors and in a central data repository. For that reason, AeHN must continue to comply with these policies and procedures any time it is handling PHI, in any format.

C. Workforce Access. AeHN Workforce Members will not directly manage or access PHI on a regular basis, but some Workforce Members will have the ability to do so when necessary. This requires such Workforce Members to comply with all responsibilities of a health information exchange under HIPAA. No employee of AeHN is to have access to PHI through the HIE, except for purposes of auditing or performing audit functions, and other legal obligations of the organization. AeHN primarily facilitates the secure transfer of PHI from one EHR to another EHR.

D. Application to AeHN Workforce, Not Other Participants. These policies and procedures apply to the AeHN workforce members and the information used and disclosed by AeHN. They may reference and require collaboration with participants, but do not apply directly to participants in the HIE. The guidelines for participation and privacy and security responsibilities for participants are outlined in the External HIE Privacy, Security and Compliance Policy and related procedures found at 4.200 et seq.

II. Security Standards:

A. Administrative Safeguards. Administrative safeguards shall be used to manage the selection, development, implementation and maintenance of security measures to protect PHI and to manage the conduct of AeHN’s workforce for the protection of and authorized access to PHI. AeHN’s Administrative Safeguards Policy is found at 2.200 and the procedures enacted thereunder are found at 2.201 et seq. Those procedures follow the general order of the Administrative Safeguard provisions in the HIPAA Security Rule.

B. Physical Safeguards. Physical Safeguards are to be made in order to protect AeHN’s electronic information systems, related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Procedures will be implemented either directly or through AeHN vendors that limit physical access to electronic information systems and the facility or facilities in which such systems are housed, while still ensuring that proper authorized access is allowed. AeHN’s Physical Safeguards Policy is found at 2.300 and the procedures enacted thereunder are found at 2.301 et seq. Those procedures follow the general order of the Physical Safeguard provisions in the HIPAA Security Rule.


C. Technical Safeguards. Technical Safeguards shall be maintained that protect PHI and control access to assure that such systems are accessed only by those individuals or software programs that have been granted access rights. AeHN’s Technical Safeguards Policy is found at 2.400 and the procedures enacted thereunder are found at 2.401 et seq. Those procedures follow the general order of the Technical Safeguard provisions in the HIPAA Security Rule.

D. Breach Notification. A policy and procedures for breach notification shall be maintained to ensure that breaches are adequately and appropriately addressed. AeHN’s Breach Notification Policy is found at 2.600 and the Breach Notification Procedure is found at 2.601.

Glossary

AS           Alaska Statutes
AeHN         Alaska eHealth Network – the designated HIE for the State of Alaska
BAA          Business Associate Agreement
CFR          Code of Federal Regulations
DSM          Direct Secure Messaging
ED           Executive Director
EPHI         Electronic Protected Health Information
HIE          AeHN Health Information Exchange
HIPAA        Health Insurance Portability and Accountability Act of 1996
PA           Participant Agreement - The Agreement executed between an entity or individual and AeHN that defines the terms of use for the HIE.
Participant  An entity or individual that has entered into a Participant Agreement with AeHN.
PHI          Protected Health Information - Information that is maintained in any form or medium that:
             o Is created or received by a HIPAA Covered Entity or Business Associate, or any other User of the HIE; and
             o Relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
                 - That identifies the individual; or
                 - With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
             o Does not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; or employment records held by an entity in its role as employer.
SaaS         Software as a Service
PSO          Privacy and Security Officer


User IDs     Unique User Identifiers

2.000 Introduction to Internal Security Policies

APPROVED BY: AeHN Board

ADOPTED: 7/20/2011 v1
REVISED: 02/20/2013 v2
REVISED: 05/31/2013 v3

REVISED:


2.000 Introduction to Internal Security Policies v3 Page 1 of 6 Originally Adopted 09/21/2011 Revision v3 Adopted 05/31/2013

2.000 Introduction to Internal Security Policies

Policy Summary

As such, AeHN has adopted a series of Security Policies to comply with the responsibilities outlined in the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This policy provides the general terms and provisions that apply to all of the Security Policies, along with the defined terms and acronyms that are used therein.

Purpose

The Alaska eHealth Network (AeHN) is committed to protecting the privacy and security of the protected health information (PHI) contained in the systems it oversees. This policy reflects AeHN’s commitment to appropriately use and physically protect EPHI.

Scope/Applicability

This policy is applicable to all AeHN workforce members that manage, control, access, use or disclose protected health information for any purposes. The AeHN workforce includes Workforce Members and other paid staff, contractors, agents, and vendors. This policy’s scope includes all protected health information contained on AeHN equipment, or otherwise accessible by the AeHN Workforce, including but not limited to the HIE and DSM.

Regulatory Category, Type, Legal Regulatory Reference

45 CFR § 164.306 Security standards: General rules.

(a) General requirements. Covered entities must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.

AS 18.23.310 Confidentiality and security of information.

(a) The department shall establish appropriate security standards to protect the transmission and receipt of individually identifiable information contained in the system established under AS 18.23.300. The standards must

(1) include controls over access to and collection, organization, and maintenance of records and data that protect the confidentiality of the individual who is the subject of a health record;


(2) include a secure and traceable electronic audit system for identifying access points and trails;

(3) meet the most stringent applicable federal or state privacy law governing the protection of the information contained in the system.

(b) A person may not release or publish individually identifying health information from the system for purposes unrelated to the treatment or billing of the patient who is the subject of the information. Use or distribution of the information for a marketing purpose is strictly prohibited.

(c) The department shall establish procedures for a patient who is the subject of a health record contained in the system

(1) to opt out of the system;
(2) to consent to the distribution of the patient's records contained in the system;
(3) to be notified of a violation of the confidentiality provisions required under this section;
(4) on request to the department, to view an audit report created under this section for the purpose of monitoring access to the patient's records.

7 AAC 166.030; 7 AAC 166.040; 7 AAC 166.900; 45 CFR 160; 45 CFR 164 (Parts A and C)

Policy Authority/Enforcement

AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) are responsible for monitoring and enforcement of the AeHN Internal Security Policies and Procedures.

Related Policies & Procedures

Policy Number   Procedure Number   Policy/Procedure Title
2.100                              Consumer Opt Out Election Policy
                2.101              Consumer Opt Out Election Procedure
2.200                              Administrative Safeguards Policy
                2.201              Security Management Process Procedure
                2.202              Risk Analysis Procedure
                2.203              Risk Management Procedure
                2.204              Employee Sanctions Procedure
                2.205              Information System Activity Procedure
                2.206              Assigned Security Responsibility Procedure
                2.207              Workforce Security Procedure
                2.208              Authorization and Supervision Procedure
                2.209              Workforce Clearance Procedure
                2.210              Termination Procedure
                2.211              Information Access Management Procedure
                2.212              Access Authorization Procedure


                2.213              Access Establishment and Modification Procedure
                2.214              Security Awareness and Training Procedure
                2.215              Security Reminders Procedure
                2.216              Protection from Malicious Software Procedure
                2.217              Log-in Monitoring Procedure
                2.218              Password Management Procedure
                2.219              Security Incident Procedure
                2.220              Contingency Plan Procedure
2.300                              Physical Safeguards Policy
                2.301              Workstation Use Procedure
                2.302              Workstation Security Procedure
                2.303              Device and Media Controls Procedure
                2.304              Accountability Procedure
2.400                              Technical Safeguards Policy
                2.401              Access Control Procedure
                2.402              Unique User Identification Procedure
                2.403              Automatic Logoff Procedure
                2.404              Encryption and Decryption Procedure
                2.405              Audit Controls Procedure
                2.406              Integrity Procedure
                2.407              Person or Entity Authentication Procedure
                2.408              Transmission Security Procedure
2.600                              Breach Notification Policy
                2.601              Breach Notification Procedure
3.100                              HIPAA Privacy Policy
                3.101              Use, Disclosure and Privacy Rights Procedure

Renewal/Review

This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.

Policy

I. General Policy Requirements:

A. Annual Review. AeHN will annually review all Internal Security Policies and Procedures to determine if they comply with current HIPAA Security regulations, applicable Alaska law and AeHN contractual obligations. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.


B. Format of PHI. AeHN uses the software-as-a-service model for the transmission and storage of PHI. Although AeHN does not have PHI directly contained on its own information systems, it is the steward for such information held by contractors and in a central data repository. For that reason, AeHN must continue to comply with these policies and procedures any time it is handling PHI, in any format.

C. Workforce Access. AeHN Workforce Members will not directly manage or access PHI on a regular basis, but some Workforce Members will have the ability to do so when necessary. This requires such Workforce Members to comply with all responsibilities of a health information exchange under HIPAA. No employee of AeHN is to have access to PHI through the HIE, except for purposes of auditing or performing audit functions, and other legal obligations of the organization. AeHN primarily facilitates the secure transfer of PHI from one EHR to another EHR.

D. Application to AeHN Workforce, Not Other Participants. These policies and procedures apply to the AeHN workforce members and the information used and disclosed by AeHN. They may reference and require collaboration with participants, but do not apply directly to participants in the HIE. The guidelines for participation and privacy and security responsibilities for participants are outlined in the External HIE Privacy, Security and Compliance Policy and related procedures found at 4.200 et seq.

II. Security Standards:

A. Administrative Safeguards. Administrative safeguards shall be used to manage the selection, development, implementation and maintenance of security measures to protect PHI and to manage the conduct of AeHN’s workforce for the protection of and authorized access to PHI. AeHN’s Administrative Safeguards Policy is found at 2.200 and the procedures enacted thereunder are found at 2.201 et seq. Those procedures follow the general order of the Administrative Safeguard provisions in the HIPAA Security Rule.

B. Physical Safeguards. Physical Safeguards are to be made in order to protect AeHN’s electronic information systems, related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Procedures will be implemented either directly or through AeHN vendors that limit physical access to electronic information systems and the facility or facilities in which such systems are housed, while still ensuring that proper authorized access is allowed. AeHN’s Physical Safeguards Policy is found at 2.300 and the procedures enacted thereunder are found at 2.301 et seq. Those procedures follow the general order of the Physical Safeguard provisions in the HIPAA Security Rule.


C. Technical Safeguards. Technical Safeguards shall be maintained that protect PHI and control access to assure that such systems are accessed only by those individuals or software programs that have been granted access rights. AeHN’s Technical Safeguards Policy is found at 2.400 and the procedures enacted thereunder are found at 2.401 et seq. Those procedures follow the general order of the Technical Safeguard provisions in the HIPAA Security Rule.

D. Breach Notification. A policy and procedures for breach notification shall be maintained to ensure that breaches are adequately and appropriately addressed. AeHN’s Breach Notification Policy is found at 2.600 and the Breach Notification Procedure is found at 2.601.

Glossary

AS           Alaska Statutes
AeHN         Alaska eHealth Network – the designated HIE for the State of Alaska
BAA          Business Associate Agreement
CFR          Code of Federal Regulations
DSM          Direct Secure Messaging
ED           Executive Director
EPHI         Electronic Protected Health Information
HIE          AeHN Health Information Exchange
HIPAA        Health Insurance Portability and Accountability Act of 1996
Participant  An entity or individual that has entered into a Participant Agreement with AeHN.
PHI          Protected Health Information - Information that is maintained in any form or medium that:
             o Is created or received by a HIPAA Covered Entity or Business Associate, or any other User of the HIE; and
             o Relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
                 - That identifies the individual; or
                 - With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
             o Does not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; or employment records held by an entity in its role as employer.
SaaS         Software as a Service
PSO          Privacy and Security Officer
User IDs     Unique User Identifiers


2.000 Introduction to Internal Security Policies

APPROVED BY: AeHN Board

ADOPTED: 7/20/2011 v1
REVISED: 02/20/2013 v2
REVISED: 05/31/2013 v3

REVISED:


2.200 Administrative Safeguards V3 Page 1 of 8 Originally Adopted 07/20/2011 Revision Adopted 05/31/2013

2.200 Administrative Safeguards Policy

Policy Summary

Alaska eHealth Network (AeHN) ensures the confidentiality, integrity and availability of its information systems containing PHI by implementing appropriate and reasonable policies, procedures and controls to prevent, detect, contain, and correct security violations. AeHN’s administrative safeguards include a security management program based on formal and regular processes for risk analysis and management, sanction policies for non-compliance, and information system activity review.

All AeHN workforce members are responsible for appropriately protecting PHI maintained on the Alaska HIE information systems. AeHN management is responsible for ensuring the confidentiality, integrity and availability of all PHI maintained on the Alaska HIE information systems.

Purpose

This policy reflects AeHN’s commitment to ensure the confidentiality, integrity, and availability of its information systems containing PHI by implementing policies and procedures to prevent, detect, contain, and correct security violations.

Scope/Applicability

This policy is applicable to all AeHN workforce members that manage, control, access, use or disclose protected health information for any purposes. The AeHN workforce includes employees and other paid staff, contractors, agents, and vendors. This policy’s scope includes all protected health information contained on AeHN equipment, or otherwise accessible by the AeHN Workforce, including but not limited to the HIE and DSM.

Regulatory Category, Type, Legal Regulatory Reference

Implement policies and procedures to prevent, detect, contain, and correct security violations.

Administrative Safeguards, Standard, AS 18.23.300 et seq.; 7 AAC 166.010; 7 AAC 166.030; 7 AAC 166.040; 7 AAC 166.050; 7 AAC 166.900; 45 CFR 164.308(a)

Policy Authority/Enforcement

AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) are responsible for monitoring and enforcement of this policy.


Related Policies & Procedures

Number   Standard
2.201    Security Management Process
2.202    Risk Analysis
2.203    Risk Management
2.204    Employee Sanctions
2.205    Information System Activity Review
2.206    Assigned Security Responsibility
2.207    Work Force Security
2.208    Authorization and/or Supervision
2.209    Workforce Clearance Procedure
2.210    Termination Procedures
2.211    Information Access Management
2.212    Access Authorization
2.213    Access Establishment and Modification
2.214    Security Awareness and Training
2.215    Security Reminders
2.216    Protecting from Malicious Software
2.217    Log-In Monitoring
2.218    Password Management
2.219    Security Incident Procedures
2.220    Contingency Plan

Renewal/Review

This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.

Policy

I. Security Management Process

A. Integrity and Confidentiality of PHI. AeHN makes active strides to protect the integrity and confidentiality of PHI information managed on behalf of provider organizations participating in the statewide health information exchange. These activities include, but are not limited to the use of identity protected storage, network storage, system access logging, physical protections and security, and user education.


B. Best Practices. AeHN actively enforces compliance with HIPAA regulations by utilizing and requiring the use of ‘best practice’ security measures, including, but not limited to, utilizing mandatory network login, strong password discipline, workstation security, protected network storage and physical security.

C. Privacy and Security Officer. AeHN is committed to ensuring the privacy and security of PHI that it manages on behalf of its participating provider organizations. In order to manage the facilitation and implementation of activities related to the privacy and security of PHI, AeHN will appoint and maintain an internal PSO position. The PSO will serve as the focal point for security compliance-related activities and responsibilities, as listed in the AeHN policies and procedures. If, at any point, a PSO is not maintained as a separate position, the AeHN Executive Director shall serve as the PSO.

II. Employee and Workforce Management

A. Compliance with Policies and Procedures. AeHN workforce members will comply with all applicable AeHN security policies and procedures. Compliance is mandated to ensure the confidentiality, integrity and availability of the Alaska HIE information systems.

B. Training and Awareness. AeHN workforce members will understand and be aware of all applicable AeHN security policies and procedures. AeHN will provide regular training and awareness for workforce members on AeHN security policies and procedures.

C. Sanctions Procedures. AeHN will establish formal, documented procedures for applying appropriate sanctions against workforce members who do not comply with its security policies and procedures.

D. Enforcement of Policies and Procedures. AeHN actively controls EPHI and educates its workforce members in EPHI security by any of the following:

1. AeHN will demonstrate its commitment to enforce HIPAA regulations and secure EPHI information by establishing a PSO who will be charged with the ongoing process of establishing, maintaining and updating HIPAA rules, policies, procedures and guidelines.

2. The AeHN PSO will aggressively enforce HIPAA guidelines and procedures and will actively introduce new procedures in the face of rapidly changing technology.

3. The AeHN PSO and workforce members will meet at least semi-annually to audit existing procedures and technology to ensure that HIPAA regulations are being actively enforced.

4. The AeHN PSO is responsible for establishing training guidelines for each respective AeHN workforce member specifically with regards to the types and amount of training required to meet HIPAA regulations. Training for each person may be combined and presented in a group setting, or otherwise available in a format deemed appropriate by the PSO.

E. Basic Security Training. Despite the fact that all AeHN workforce members will not have regular access to or a day-to-day need to handle EPHI, all AeHN workforce members will receive initial and annual training in and will follow baseline information security policies. This will include, but not be limited to, password use and discipline, use of network storage and workstation locking.

F. Promotion of HIPAA Policies and Procedures. The ED and PSO will actively promote and enforce HIPAA policies and procedures to AeHN workforce members.

III. Risk Analysis & Risk Management

A. Annual Auditing. All AeHN HIPAA procedures must undergo formal risk management auditing at least yearly.

B. Annual Risk Analysis. AeHN, or an independent 3rd party, shall annually conduct a risk analysis (“Risk Analysis”) that will, at a minimum:

1. Identify and prioritize the threats to the Alaska HIE information systems containing EPHI.

2. Identify and prioritize the vulnerabilities of the Alaska HIE information systems containing EPHI.

3. Identify and define the security measures used to protect the confidentiality, integrity, and availability of the Alaska HIE information systems containing EPHI.

4. Identify the likelihood that a given threat will exploit a specific vulnerability on the Alaska HIE information system containing EPHI.

5. Identify the potential impacts to the confidentiality, integrity, and availability of the Alaska HIE information systems containing EPHI if a given threat exploits a specific vulnerability.

6. Any report compiled will include all statistical and technology references to formulate recommendations.

7. Judgments used in AeHN’s Risk Analysis, such as assumptions, defaults, and uncertainties, should be explicitly stated and documented.

C. Distribution of Risk Analysis Results. As appropriate, the AeHN PSO and management will share results of the Risk Analysis with the AeHN Board of Directors and the Audit and Compliance Committee.

D. Review of Information Systems Activity. The AeHN PSO or assigned AeHN workforce member will regularly review records of activity on information systems containing EPHI.

IV. Access and Authorization - Internal


A. Position Authority. Individual job descriptions for AeHN workforce members will be the basis for defining access authority and the specific information system content that will be accessible. The nature and extent of access to the Alaska HIE information systems containing EPHI will be based on an ongoing risk analysis process. At a minimum, the risk analysis will consider the following factors:

1. The importance of the applications running on the information system
2. The value or sensitivity of the EPHI on the information system
3. The extent to which the information system is connected to other information systems

B. Need for Access. Access to the Alaska HIE information systems containing EPHI will be authorized only for properly trained AeHN workforce members having a legitimate need for specific information in order to accomplish job responsibilities as defined in individual job descriptions. Job descriptions will be reviewed at least annually to validate necessity of access to some or all EPHI maintained in the Alaska HIE information systems.

C. Limitation on Authorization. AeHN workforce members will not access the Alaska HIE information systems containing EPHI for which they have not been given proper authorization. No employee of AeHN is to have access to PHI through the HIE, except for purposes of auditing or performing audit functions, or other legal obligations of the organization. AeHN will ensure that all workforce members who have the ability to access the Alaska HIE information systems containing EPHI are appropriately authorized or supervised. AeHN will maintain a documented process for authorizing appropriate access to the Alaska HIE information systems containing EPHI. This will include:

1. A definition of roles based on individual AeHN workforce job descriptions.
2. A summary of authorized categories of EPHI content that can be accessed by each role.
3. An annual review of roles and authorized categories of access to EPHI to be conducted as part of the ongoing risk analysis process.

D. Workforce Screening and Termination. AeHN workforce members will be screened during the hiring process to identify possible areas of risk which will be vetted before retention in a position that requires access to EPHI. AeHN will sustain a formal, documented process for terminating access to EPHI when the employment of a workforce member ends, or the need to access EPHI otherwise terminates.

E. Confidentiality Agreements. All AeHN workforce members who access the Alaska HIE information systems containing EPHI will sign a confidentiality agreement in which they agree not to provide or discuss EPHI or confidential information with unauthorized persons. Confidentiality agreements will be reviewed and signed annually by AeHN workforce members who access the Alaska HIE information systems containing EPHI.


V. Access & Authorization – External or Participating Site Workforce Members

AeHN will have a formal, documented process for establishing, documenting, reviewing, and modifying access to the Alaska HIE information systems containing EPHI. The process will be based on AeHN and the Participating Organizations’ access authorization policy. At a minimum, the process must include:

A. Access Establishment. Procedure for establishing different levels of access to the Alaska HIE systems containing EPHI.

B. Access Documentation. Procedure for documenting levels of access established to the Alaska HIE information systems containing EPHI.

C. Access Review. Procedure for regularly reviewing AeHN and Participating Organizations workforce member access privileges to the Alaska HIE information systems containing EPHI.

D. Access Modification. Procedure for modifying AeHN and Participating Organizations workforce member access privileges to the Alaska HIE information systems containing EPHI.

E. Access Termination. Procedure for terminating AeHN and Participating Organization workforce members’ access privileges to the Alaska HIE information systems containing EPHI.

VI. Information Security

A. Security Reminders. AeHN will make certain that all of its workforce members, including those who work remotely, are regularly reminded of information security risks and how to follow AeHN security policies. Additionally, workforce members will be provided with information about AeHN security procedures and how to use the Alaska HIE information systems in ways that minimize possible security risks.

B. Maintenance of Security. AeHN will ensure that the confidentiality, integrity, and availability of EPHI on the Alaska HIE information systems is maintained when its information systems are accessed by third parties. Before third party persons are granted access to the Alaska HIE information systems containing EPHI, a risk analysis will be performed. After a successful risk analysis, access by third party persons to the Alaska HIE information systems containing EPHI will be allowed only after an agreement has been signed defining the terms for access.

C. Risk Detection. AeHN must be able to effectively detect and prevent malicious software, particularly viruses, worms and malicious code. AeHN will develop, implement, and regularly review a formal, documented process for guarding against, detecting, and reporting malicious software that poses a risk to its information systems and data.

VII. Passwords and Log-In

A. Monitoring Log-In. AeHN will develop, implement, and regularly review a formal process for monitoring log-in attempts and reporting discrepancies. Access to all the Alaska HIE information systems will be via a secure log-in process.

B. Password Safeguards. AeHN will develop, implement, and regularly review a formal process for appropriately creating, changing and safeguarding passwords used to validate a user’s identity and establish access to its information systems and data.

VIII. Security Incidents

A. Security Incident Response. AeHN will also maintain a documented process for quickly and effectively detecting and responding to security incidents that may impact the confidentiality, integrity, or availability of the Alaska HIE information systems. At a minimum, AeHN’s PSO will ensure that:

1. All actions taken are intended to minimize the damage of a security incident and prevent further damage.

2. Only authorized and appropriately trained AeHN employees are allowed access to affected information systems in order to respond to or recover from a security incident.

3. All actions taken are carefully documented.

B. Security Incident Monitoring. AeHN will maintain a mechanism for quantifying and monitoring the types, volumes and costs of security incidents. This information will be used to identify the need for improved or additional security controls. AeHN’s PSO is authorized to investigate any and all alleged violations of AeHN security policies, and to take appropriate action to mitigate the infraction and apply sanctions as warranted.

IX. Disaster Recovery & Backup

A. Emergency Response. AeHN will have a formal process for both preparing for and effectively responding to emergencies and disasters that damage the confidentiality, integrity or availability of its information systems. This will include coordination with our SaaS vendor to ensure that it has appropriate disaster recovery and backup procedures in place.

B. Backup Plan. AeHN, independently or through its SaaS vendor, must have a formal, documented backup plan for its information systems. At a minimum, the plan must:

1. Identify information systems and electronic media to be backed up.

2. Provide a backup schedule.

3. Identify where backup media are stored and who may access them.

4. Outline restoration procedures.

5. Identify who is responsible for ensuring the backup of information systems and electronic media.

C. Data Restoration. Restoration procedures for the Alaska HIE electronic media and information systems containing EPHI must be regularly tested to ensure that they are effective and that they can be completed within the time allotted in the Alaska HIE’s disaster recovery plan.

D. Data Retention. The retention period for backup of EPHI on the Alaska HIE information systems and electronic media and any requirements for archive copies to be permanently retained must be defined and documented.

E. Disruption Analysis. Risk analysis should be used to determine and document the maximum amount of loss that may occur if backup of the Alaska HIE information systems and electronic media is disrupted. Such analysis should be used to determine if all appropriate and reasonable measures are being used to back up the Alaska HIE information systems and electronic media.

2.200 Administrative Safeguards Policy

APPROVED BY: AeHN Board

ADOPTED: 7/20/2011 v1 REVISED: 02/20/2013 v2 REVISED: 05/31/2013 v3

REVISED:


2.300 Physical Safeguards V3    Page 1 of 4  Originally Adopted  07/20/2011   Revision Adopted   05/31/2013 

2.300 Physical Safeguards Policy

Policy Summary

Alaska eHealth Network (AeHN) facilities, workstations and storage areas must be accessed and used only for authorized purposes. Workforce members must not use AeHN facilities, workstations or equipment to engage in any activity that is either illegal under local, state, federal, or international law or is in violation of AeHN policy. Access to the Alaska HIE PHI must be controlled and authenticated.

Purpose

This policy reflects AeHN’s commitment to appropriately use and physically protect PHI.

Scope/Applicability

This policy is applicable to all AeHN workforce members that manage, control, access, use or disclose protected health information for any purposes. The AeHN workforce includes employees and other paid staff, contractors, agents, and vendors. This policy’s scope includes all protected health information contained on AeHN equipment, or otherwise accessible by the AeHN Workforce, including but not limited to the HIE and DSM.

Regulatory Category, Type, Legal Regulatory Reference

Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Physical Safeguards, Standard, AS 18.23.300 et seq.; 45 CFR 164.310; 7 AAC 166.010; 7 AAC 166.030; 7 AAC 166.040; 7 AAC 166.050; 7 AAC 166.900

Policy Authority/Enforcement

AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) are responsible for monitoring and enforcement of this policy.

Related Policies & Procedures

Standard | Number
Workstation Use | 2.301
Workstation Security | 2.302
Device and Media Controls | 2.303
Accountability | 2.304


Renewal/Review

This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.

Policy

I. Use of AeHN Property. AeHN facilities, workstations, equipment and storage will be used only for authorized purposes: to support the educational, clinical, administrative, and other functions of AeHN. Such use demonstrates respect for intellectual property, ownership of data, security controls, and individuals' rights to privacy.

A. Workstations

1. All workforce members who use AeHN workstations will take all reasonable precautions to protect the confidentiality, integrity, and availability of PHI.

2. Workforce members will not use AeHN facilities, workstations, equipment or storage to engage in any activity that is either illegal under local, state, federal, or international law or is in violation of AeHN policy.

3. Access to all AeHN workstations containing PHI will be controlled with a username and password or an access device such as a token.

4. AeHN workstations containing PHI will be physically located in such a manner as to minimize the risk that unauthorized individuals can gain access to them.

B. Device and Media Control and Accountability

1. It is the policy of AeHN that no PHI is to be stored on any media within AeHN for any purpose. No employee of AeHN is to have access to PHI through the HIE, except for purposes of auditing or performing audit functions, or other legal obligations of the organization. AeHN primarily facilitates the secure transfer of PHI from one EHR to another EHR.

2. PHI located on the Alaska HIE information systems or electronic media will be protected against damage, theft, and unauthorized access. This includes both PHI received by the Alaska HIE and created within the Alaska HIE. PHI must be consistently protected and managed through its entire life cycle, from origination to destruction.


3. AeHN will regularly conduct a formal, documented process that ensures consistent control of all electronic media and information systems containing PHI that is created, sent, received or destroyed by the Alaska HIE.

4. All Alaska HIE information systems and electronic media containing PHI will be located and stored in secure environments that are protected by appropriate security barriers and entry controls. The level of these controls should be commensurate with identified risks to the electronic media and information systems. All Alaska HIE information systems and electronic media containing PHI will be disposed of securely and safely when no longer required.

5. Workforce members should use only AeHN approved and tracked electronic media to store PHI. PHI will not be stored on AeHN workforce member home computers.

6. AeHN employees and affiliates who move electronic media or information systems containing PHI are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft, and unauthorized access.

C. Data Backup and Storage

1. Backup of PHI on Alaska HIE information systems and electronic media, together with accurate and complete records of the backup copies and documented restoration procedures, will be stored in a secure remote location, at a sufficient distance from AeHN facilities to escape damage from a disaster at AeHN. This process may be carried out in a HIPAA compliant manner by AeHN’s SaaS vendor.

2. AeHN will confirm that the vendor has enacted backup and restoration procedures for the Alaska HIE electronic media, and information systems containing PHI will be regularly tested to ensure that they are effective and that they can be completed within a reasonable amount of time.

3. The retention period for backup of PHI on the Alaska HIE information systems and electronic media and any requirements for archive copies to be permanently retained will be defined and documented by AeHN or the vendor responsible for such backup.


2.300 Physical Safeguards Policy

APPROVED BY: AeHN Board

ADOPTED: 7/20/2011 v1 REVISED: 02/20/2013 v2 REVISED: 05/31/2013 v3

REVISED:


2.400 Technical Safeguards V3 Page 1 of 5 Originally Adopted 07/20/2011 Revision Adopted 05/31/2013

2.400 Technical Safeguards Policy

Policy Summary

Alaska eHealth Network (AeHN) must purchase and implement information systems that comply with AeHN’s Technical Safeguards policy. Alaska HIE information systems must support a formal process for granting appropriate access to the Alaska HIE information systems containing EPHI. Access to Alaska HIE information systems containing EPHI must be limited to AeHN and Participating Site workforce members and software programs having a need for specific information in order to accomplish a legitimate task.

Purpose

This policy reflects AeHN’s commitment to purchase and implement information systems that comply with AeHN’s HIPAA Security policies.

Scope/Applicability

This policy is applicable to all AeHN workforce members that manage, control, access, use or disclose protected health information for any purposes. The AeHN workforce includes employees and other paid staff, contractors, agents, and vendors. This policy’s scope includes all protected health information contained on AeHN equipment, or otherwise accessible by the AeHN Workforce, including but not limited to the HIE and DSM.

Regulatory Category, Type, Legal Regulatory Reference

“Implement policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights...”

Technical Safeguards, Standard, AS 18.23.300 et seq.; 45 CFR 164.312; 7 AAC 166.010; 7 AAC 166.030; 7 AAC 166.040; 7 AAC 166.050; 7 AAC 166.900

Policy Authority/Enforcement

AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) are responsible for monitoring and enforcement of this policy.

Related Policies & Procedures


Standard | Number
Access Control | 2.401
Unique User Identification | 2.402
Automatic Logoff | 2.403
Encryption and Decryption | 2.404
Audit Controls | 2.405
Integrity | 2.406
Person or Entity Authentication | 2.407
Transmission Security | 2.408

Renewal/Review

This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.

Policy

I. Information Systems

A. AeHN purchases and implements information systems that comply with AeHN’s HIPAA Security policies.

B. All current Alaska HIE information systems that do not currently comply with AeHN’s Administrative Safeguards will be identified and evaluated according to AeHN’s risk analysis process.

II. Access Control and Unique User IDs

A. As appropriate, Alaska HIE information systems support one or more of the following types of access control to protect the confidentiality, integrity and availability of EPHI contained on Alaska HIE information systems:

1. User based

2. Role based

3. Context based

B. Alaska HIE information systems support a formal process for granting appropriate access to the Alaska HIE information systems containing EPHI. At a minimum, the process includes:

1. Procedure for granting different levels of access to the Alaska HIE information systems containing EPHI.


2. Procedure for tracking and logging authorization of access to the Alaska HIE information systems containing EPHI.

3. Procedure for regularly reviewing and revising, as necessary, authorization of access to the Alaska HIE information systems containing EPHI.

C. As appropriate, security controls or methods that allow access to the Alaska HIE information systems containing EPHI will include, at a minimum:

1. Unique user identifiers (user IDs) that enable persons and identities to be uniquely identified. User IDs will not give any indication of the user’s privilege level. Group identifiers will not be used to gain access to the Alaska HIE information systems containing EPHI.

2. A secret identifier (password).

3. The prompt removal or disabling of access methods for persons and entities that no longer need access to the Alaska HIE EPHI.

4. Verification that redundant user identifiers are not issued.

D. AeHN and Participating Site workforce members do not provide access to the Alaska HIE’s information systems containing EPHI to unauthorized persons.

E. Appropriate Alaska HIE information system owners or their designated delegates regularly review workforce member and software program access rights to Alaska HIE information systems containing EPHI to ensure that access is granted only to those having a need for specific information in order to accomplish a legitimate task. Such rights will be revised as necessary.

F. All revisions to AeHN workforce member and software program access rights are tracked and logged. This information is securely maintained.

III. Automatic Logoff

A. AeHN workforce members end electronic sessions on information systems that contain or can access EPHI when such sessions are completed, unless the information system is secured by an appropriate locking method, e.g. a password protected screensaver.

B. AeHN workforce members log off from or lock their workstation(s) when their shift is complete or they leave their workstation(s).

IV. Encryption and Decryption

When risk analysis indicates it is necessary, appropriate encryption is used to protect the confidentiality, integrity, and availability of EPHI contained on the Alaska HIE information systems. The risk analysis is also used to determine the type and quality of the encryption algorithm and the length of cryptographic keys.


V. Audit Controls

A. AeHN is able to record and examine significant activity on its information systems that contain or use EPHI. AeHN will conduct a risk analysis to identify and define what constitutes “significant activity” on a specific information system.

B. Appropriate hardware, software, or procedural auditing mechanisms are implemented on Alaska HIE information systems that contain or use EPHI. The level and type of auditing mechanisms that are implemented on Alaska HIE information systems that contain or use EPHI is determined by AeHN’s risk analysis process.

C. Logs created by audit mechanisms implemented on Alaska HIE information systems will be reviewed regularly. The frequency of such review will be determined by AeHN’s risk analysis process.

VI. Data Integrity

A. AeHN appropriately protects the integrity of all EPHI contained on its information systems. Such EPHI is protected from improper alteration or destruction. AeHN performs regular risk analysis to determine the appropriate means to protect the integrity of all EPHI contained on its information systems.

B. AeHN has implemented a formal, documented process for appropriately protecting the integrity of all EPHI contained on its information systems. At a minimum, the process includes:

1. A procedure for ensuring that the methods and controls used to protect integrity are effective and do not significantly impact Alaska HIE functionality and workflow.

2. A procedure defining how the Alaska HIE will detect and report instances of attempted or successful improper alteration or destruction of Alaska HIE EPHI.

3. A procedure defining how AeHN will respond to instances of attempted or successful improper alteration or destruction of Alaska HIE EPHI.

4. A procedure defining when and how unnecessary Alaska HIE EPHI can be destroyed. Such destruction will be conducted only by properly authorized AeHN workforce members, or their delegates.

C. Methods used to protect the integrity of EPHI contained on Alaska HIE information systems will ensure that the value and state of the EPHI is maintained and it is protected from unauthorized modification and destruction.

VII. Person or Entity Authentication

A. AeHN has created and implemented a formal, documented process for verifying the identity of a person or entity before granting them access to EPHI.


B. AeHN uses an appropriate and reasonable system(s) to ensure that only properly authenticated persons and entities access Alaska HIE EPHI.

VIII. Data Transmission & Integrity

A. AeHN appropriately protects the confidentiality, integrity and availability of all data it transmits over electronic communications networks.

B. Unless risk analysis indicates that there is not significant risk when sending Alaska HIE data over an electronic communications network, the data will be sent in encrypted form and have controls to safeguard the integrity of the data. AeHN PSO will approve all encryption and integrity controls prior to their use.

C. Integrity controls are always used when highly sensitive Alaska HIE data such as passwords are transmitted over electronic communications networks.

D. The Alaska HIE’s integrity controls ensure that the value and state of all transmitted data is maintained and the data is protected from unauthorized modification.

IX. Breach Detection and Notification

AeHN, through its contract with the SaaS vendor and collaboration with Participants, has put in place reasonable systems to detect, address, mitigate and report breaches of PHI.

2.400 Technical Safeguards Policy

APPROVED BY: AeHN Board

ADOPTED: 7/20/2011 v1 REVISED: 02/20/2013 v2 REVISED: 05/31/2013 v3

REVISED


    3.100 HIPAA PRIVACY & PERMITTED DISCLOSURES POLICY V3   Page 1 of 4    Originally Adopted 09/21/2011     Revision Adopted 05/31/2013 

3.100 HIPAA Privacy & Permitted Disclosures Policy

Policy Summary

This policy describes the basic privacy protections and rights that apply to protected health information (PHI) held by the Alaska eHealth Network (AeHN), in addition to the permitted ways in which such PHI can be used and disclosed by AeHN.

Purpose

To comply fully with the requirements regarding disclosure of protected health information as provided in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Scope/Applicability

This policy is applicable to all AeHN workforce members that manage, control, access, use or disclose protected health information for any purposes. The AeHN workforce includes employees and other paid staff, contractors, agents, and vendors, as well as interns, volunteers and other unpaid staff. This policy’s scope includes all protected health information contained on AeHN equipment, or otherwise accessible by the AeHN Workforce, including but not limited to the HIE and DSM.

Regulatory Category, Type, Legal Regulatory Reference

Privacy Rule, 45 CFR §164.500 et seq.; AS 18.23.300 et seq.; 7 AAC 166.010; 7 AAC 166.030; 7 AAC 166.040; 7 AAC 166.050; 7 AAC 166.900

Policy Authority/Enforcement

AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO) are responsible for monitoring and enforcement of this policy.

Related Policies & Procedures

3.200 Privacy and Confidentiality Policy

Renewal/Review

This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.

Policy

I. Definitions. For purposes of this policy, the following definitions apply:

PSO. The PSO for purposes of this Policy oversees all activities related to the development, implementation, and maintenance of AeHN’s policies and procedures covering the privacy of protected health information. This person is the key compliance officer for all federal and state laws that apply to the privacy of protected health information.

HIPAA. Health Insurance Portability and Accountability Act of 1996, a federal law pertaining to protected health information of clients.

“Minimum-Necessary” Standard. AeHN uses and discloses the amount of PHI that is the minimum necessary to accomplish its intended purposes. In addition, the AeHN Use and Disclosures Procedures identify and provide for the minimum necessary access by AeHN personnel to PHI.

Participant. For purposes of this policy, the term “Participant” includes the Participating users of the AeHN Health Information Exchange and the patients of those Participants.

PHI (HIPAA Protected Health Information). Information about AeHN Participants becomes “protected” upon its creation or receipt by an AeHN Participant. PHI applies to information in any form—electronic, written or verbal as follows: PHI means information that is created or received by AeHN or a Participant and relates to the past, present, or future physical or mental health or condition of a Participant; the provision of health care to a Participant; or the past, present, or future payment for the provision of health care to a Participant; and that identifies the Participant or for which there is a reasonable basis to believe the information can be used to identify the Participant. HIPAA-PHI includes information of persons living or deceased.

Use and Disclosure. AeHN will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:

Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any AeHN personnel, or by a Business Associate of AeHN.

Disclosure. For protected health information, disclosure means any release, transfer, provision or access to, or divulging in any other manner of individually identifiable health information.

US/DHHS. United States Department of Health and Human Services.

II. General Statement.

It is the policy of AeHN to comply fully with the requirements of HIPAA. To that end, all AeHN employees must comply with this Policy.

III. Mitigation of Inadvertent Disclosures of PHI

Employees must report any improper use or disclosure of PHI of which they become aware to the PSO. The PSO will determine the reasonable and appropriate steps that can be taken which may mitigate the harm to the Participant. The method of mitigation will depend on the facts and circumstances of the unauthorized use or disclosure as determined in the discretion of the PSO.


IV. Sanctions for Violations of PHI Privacy

All of AeHN’s covered workforce must comply with this Policy when using or disclosing PHI. Sanctions for using or disclosing PHI in violation of this Policy will be imposed in accordance with AeHN policies regarding employee disciplinary action. The severity of the sanction will depend on the facts and circumstances of the violation and may include discipline up to and including immediate termination of employment.

V. Documentation

AeHN shall maintain copies of HIPAA compliance documents for a period of at least six (6) years from the date the documents were created or were last in effect, whichever is later, as described in the AeHN Use and Disclosure Procedures.

VI. Training

All AeHN employees will complete HIPAA training upon employment commencement and thereafter yearly. Proof of training completion will be kept in a separate file.

VII. Uses and Disclosures of PHI

A. Permitted Uses and Disclosures of PHI by AeHN: Treatment, Payment and Health Care Operations

Disclosure of PHI is permitted by AeHN only to assist Participants with utilizing the HIE in treatment and billing, as described in the AeHN Use and Disclosure Procedures, and as required by law (as described in VII.B below). AeHN staff shall review these procedures and shall use and disclose PHI only in accordance with such procedures.

B. Mandatory Disclosures

HIPAA requires disclosure of information in certain circumstances, including but not limited to requests from an individual and requests from the U.S. Department of Health and Human Services. These required disclosures are described further in the AeHN Use and Disclosure Procedures and all AeHN staff shall comply with such disclosure requests.

C. Disclosure of PHI to Business Associates

All uses and disclosures by a Business Associate of AeHN must be made in accordance with a valid business associate or a contract including HIPAA compliant business associate language, subject to the requirements of this Policy and the AeHN Use and Disclosure Procedures.

VIII. Verification of Identity of Those Requesting PHI


Employees must take steps to verify the identity of individuals who request access to PHI. They must also verify the authority of any person to have access to PHI, if the identity or authority of such person is not known. The process for verifying an individual’s identity is described further in AeHN’s Use and Disclosure Procedures.

IX. Complying with Individual Rights

HIPAA provides patients with individual rights that shall be recognized and enforced by AeHN.

The AeHN PSO shall develop procedures describing these rights and how to recognize these rights. The following rights shall be recognized in accordance with such procedures:

A. Access

B. Amendment

C. Accounting of Disclosures of PHI

D. Confidential Communications

E. Requests for Restrictions on Uses and Disclosures of PHI

X. Complaints

A. Internal Submission of a Complaint.

Any individual who believes his/her rights under HIPAA have been violated may file a complaint regarding the alleged violation. Any privacy-related complaint made by an individual at any time must be forwarded to the PSO. The PSO will investigate the alleged privacy violations. If an AeHN employee is determined to be in violation of this Policy, s/he will be subject to discipline, up to and including termination of employment.

B. External Submission of a Complaint.

An individual also may file a complaint with the Secretary of the U.S. Department of Health and Human Services (“DHHS”).

3.100 HIPAA Privacy & Permitted Disclosures Policy

APPROVED BY:

ADOPTED: 09/21/2011 v1 REVISED: 02/20/2013 v2 REVISED: 05/31/2013 v3

REVISED:


4.200 External HIE Privacy, Security and Compliance Policy v3 Page 1 of 5 Originally Adopted 02/20/2013 Revision Adopted

4.200 External HIE Privacy, Security and Compliance Policy

Policy Summary

To meet the requirements of the Privacy, Security and Breach Notification Rules, AeHN has adopted this policy to govern the use and disclosure of PHI in the Health Information Exchange (HIE) (including Direct Secure Messaging). This document establishes, in accordance with applicable law, AeHN’s policy for ethical and compliant behavior in regard to the privacy and security of Protected Health Information (PHI), Personal Information, and other records protected by applicable state and federal confidentiality laws and contained in the HIE. The policy is divided into Privacy, Security and Breach Notification elements, each of which is further carried out by the procedures found at 4.201 et seq.

Purpose

This policy reflects AeHN’s commitment to appropriately use and physically protect protected health information (PHI).

Scope/Applicability

The following procedures apply to the access, use and disclosure of protected health information by Participants through the AeHN Health Information Exchange ("HIE") and other data exchange services being made available to Participants in AeHN, such as Direct Secure Messaging (the HIE and other services are collectively referred to as the "System"). If there is any conflict between this Policy and the Participation Agreement, the Participation Agreement shall control. The procedures found at 4.201 et seq. will specify if they pertain solely to HIE, Direct Secure Messaging or both activities. Here is a table indicating the applicability of the procedures to HIE and DSM, as well as the corresponding provision of the Participation Agreement, if any:

Procedure | Sections Applicable to HIE | Sections Applicable to DSM | Corresponding Participation Agreement (PA) or HIE/DSM Addendum (HD) Section(s)
4.201 Participant Compliance with Law and Policy | All | All | PA II.B.2, PA II.H.1, HD IV.A
4.202 Notice of Privacy Practices | All | None | HD VI.G
4.203 Opt-Out Information Procedure | All | None | HD VI.G
4.204 Access to and Use and Disclosure of Information | All | 1,2,4,5,6,8,10 | HD III, HD IV.B
4.205 Information Subject to Special Protection Procedure | All | None | HD IV.D
4.206 Minimum Necessary | 1,2,4-7 | 1,3-7 |
4.207 Participant Workforce, Agents and Contractors | All | All | HD IV.C
4.208 Amendment and Storage of Data | All | 3-4 | HD V.G
4.209 Requests for Restrictions | All | All |
4.210 Mitigation | All | All |
4.211 Investigations; Incident Response System | All | All | PA II.B.3, HD VI.E
4.212 Authorized User Controls | All | All | HD V.D
4.213 Sanctions | All | All |

Regulatory Category, Type, Legal Regulatory Reference

45 CFR § 164 (Security Rule, Breach Notification Rule & Privacy Rule); AS 18.23.300 et seq.; 7 AAC 166.010 et seq.

Policy Authority/Enforcement

AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO), in collaboration with the Participants, are responsible for monitoring and enforcement of the External HIE Privacy, Security and Compliance Policy and related Procedures.

Related Policies & Procedures

Security Rule - Internal Security Policies and Procedures found at 2.100 through 2.408
Breach Notification Rule – 2.600 Breach Notification Policy; 2.601 Breach Notification Procedure
Privacy Rule - Internal Privacy Policies and Procedures found at 3.100 through 3.101
Privacy, Security, Breach Notification and General Compliance for HIE Participants - External HIE Privacy, Security and Compliance Procedures found at 4.201 through 4.213

Renewal/Review

This policy is to be reviewed annually to determine if the policy complies with current Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.

Policy

I. Privacy Policy.

A. The guiding AeHN privacy principles are applied by AeHN through its internal Privacy and Security Policies, as well as its Privacy and Security Plan. These principles are as follows, and should be applied by Participants in their use of the HIE and DSM:

1. Openness and Transparency.
2. Purpose Specification and Minimization.
3. Disclosure Limitation.
4. Access and Use Limitation.
5. Individual Participation and Control.
6. Data Integrity and Quality.
7. Security Safeguards and Controls.
8. Accountability and Oversight.
9. Remedies.
10. Reliance on Covered Entity Rules and Enforcement.

B. Qualifying Uses of Information. AeHN and Participants have placed the burden on the requesting Participant to access information from another Participant’s records only for a qualifying use by the requesting Participant. A qualifying use is one that meets the terms of the Participation Agreement and State and Federal law.

C. Mitigation of Inadvertent Disclosures of PHI

Participants must report any improper use or disclosure of PHI of which they become aware to in accordance with the procedures enacted under this Policy. The Participant shall work with AeHN to determine the reasonable and appropriate steps that can be taken which may mitigate any resulting harm.

D. Sanctions for Violations of PHI Privacy

All Participants shall enact a policy for imposing sanctions for using or disclosing PHI in violation of this Policy and the underlying Procedures, in accordance with Procedure 4.213, “Sanctions”.

E. Documentation

Participants shall maintain copies of HIPAA compliance documents relevant to their use of the HIE and DSM for a period of at least six (6) years from the date the documents were created or were last in effect, whichever is later.


F. Complying with Individual Rights

HIPAA provides patients with individual rights that shall be recognized and enforced by AeHN, and Participants shall assist patients in exercising these rights in accordance with the procedures enacted hereunder. The following rights shall be recognized in accordance with such procedures:

A. Access
B. Amendment
C. Accounting of Disclosures of PHI
D. Confidential Communications
E. Requests for Restrictions on Uses and Disclosures of PHI

II. Security Policy

1. Compliance. AeHN is committed to running the HIE in compliance with all applicable laws, regulations and AeHN policies/procedures. AeHN has adopted this policy in part to provide for the security of EPHI in accordance with the federal HIPAA Security Regulations. This policy and the procedures enacted hereunder encompass AeHN’s general approach to compliance with HIPAA Security Regulations through policy statements and procedures in the following categories:

a. Administrative Safeguards,
b. Physical Safeguards, and
c. Technical Safeguards.

2. Administrative Safeguards. The security management process is designed to prevent, detect, contain, and correct security violations relative to the HIE. The execution, development and implementation of remediation programs is the joint responsibility of AeHN and the Participants.

a. Participants are expected to cooperate fully with any risk assessment being conducted by AeHN.

b. HIE audit procedures will be implemented and maintained to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews will be used to determine if Participants are complying with the requirements of this policy and the related procedures.

c. Participants will assist in making sure access to the HIE is assigned and managed appropriate to the duties and responsibilities of each authorized user, and that authorized users are properly trained on the applicable laws, policies and procedures.

3. Physical Safeguards. Physical Safeguards are to be made in order to protect the HIE, related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Procedures will be implemented that limit physical access to electronic information systems and the facility or facilities in which such systems are housed, while still ensuring that proper authorized access is allowed. Participants should ensure that similar safeguards are in place to protect access points to the HIE owned by or housed with Participants.

4. Technical Safeguards. Technical Safeguards shall be maintained by each Participant that protect the HIE and control access to assure that such systems are accessed only by those individuals or software programs that have been granted access rights. Participants will implement technical security measures to guard against unauthorized access to or modification of EPHI that is being transmitted to or from the HIE.

III. Breach Notification Policy. AeHN has implemented internal policies and procedures to address breaches, including breach notification and mitigation measures. Participants are expected to assist with the breach notification process as it applies to their organization, and to follow related procedures enacted under this policy.

4.200 External HIE Privacy, Security and Compliance Policy

APPROVED BY: AeHN Board

ADOPTED: 02/20/2013 v1

REVISED: 05/31/2013 v2

REVISED: 04/18/2014 v3


4.200 External HIE Privacy, Security and Compliance Policy v32 Page 1 of 8 Originally Adopted 02/20/2013 Revision Adopted 05/31/2013

4.200 External HIE Privacy, Security and Compliance Policy

Policy Background

AeHN has modeled its Network Responsibilities on the Nebraska Health Information Initiative Privacy Rules, and the Connecting For Health "Model Privacy Rules and Procedures for Health Information Exchange," with a number of differences based on state law, physical and technical safeguards available through AeHN, and AeHN's unique operating environment. Thank you to those organizations for their knowledge and expertise in this area. These core privacy principles and the rules that flow from them promote balance between consumer control of and access to health information and the operational need of covered entities to ensure that information uses and disclosures are not overly restricted, such that consumers would be denied many of the benefits and improvements that information technology can bring to the health care system. The rules are intended to reflect a carefully balanced view of all of the principles and avoid emphasizing some over others in any way that would weaken the overall approach.

Policy Summary

To meet the requirements of the Privacy, Security and Breach Notification Rules, AeHN has adopted this policy to govern the use and disclosure of PHI in the Health Information Exchange (HIE) (including Direct Secure Messaging). This document establishes, in accordance with applicable law, AeHN’s policy for ethical and compliant behavior in regard to the privacy and security of Protected Health Information (PHI), Personal Information, and other records protected by applicable state and federal confidentiality laws and contained in the HIE. The policy is divided into Privacy, Security and Breach Notification elements, each of which is further carried out by the procedures found at 4.201 et seq.

Purpose

This policy reflects AeHN’s commitment to appropriately use and physically protect protected health information (PHI).

Scope/Applicability

The following procedures apply to the access, use and disclosure of protected health information by Participants through the AeHN Health Information Exchange ("HIE") and other data exchange services being made available to Participants in AeHN, such as Direct Secure Messaging (the HIE and other services are collectively referred to as the "System"). If there is any conflict between this Policy and the Participation Agreement, the Participation Agreement shall control. The procedures found at 4.201 et seq. will specify if they pertain solely to HIE, Direct Secure Messaging or both activities. Here is a table indicating the applicability of the procedures to HIE and DSM, as well as the corresponding provision of the Participation Agreement, if any:

Procedure | Sections Applicable to HIE | Sections Applicable to DSM | Corresponding Participation Agreement (PA) or HIE/DSM Addendum (HD) Section(s)
4.201 Participant Compliance with Law and Policy | All | All | PA II.B.2, PA II.H.1, HD IV.A
4.202 Notice of Privacy Practices | All | None | HD VI.G
4.203 Individual Control of Information Available Through HIE Opt-Out Information Procedure | All | None | HD VI.G
4.204 Access to and Use and Disclosure of Information | All | 1,2,4,5,6,8,107,9,11 | HD III, HD IV.B
4.205 Information Subject to Special Protection Procedure | All | None | HD IV.D
4.206 Minimum Necessary | 1,2,4-7 | 1,3-7 |
4.207 Participant Workforce, Agents and Contractors | All | All | HD IV.C
4.208 Amendment and Storage of Data | All | 3-4 | HD V.G
4.209 Requests for Restrictions | All | All |
4.210 Mitigation | All | All |
4.211 Investigations; Incident Response System | All | All | PA II.B.3, HD VI.E
4.212 Authorized User Controls | All | All | HD V.D
4.213 Sanctions | All | All |

Regulatory Category, Type, Legal Regulatory Reference

45 CFR § 164 (Security Rule, Breach Notification Rule & Privacy Rule); AS 18.23.300 et seq.; 7 AAC 166.010 et seq.

45 CFR § 164.502 Uses and disclosures of protected health information: general rules.
(a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) To the individual;
(ii) For treatment, payment, or health care operations, as permitted by and in compliance with § 164.506;
(iii) Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of § 164.502(b), § 164.514(d), and § 164.530(c) with respect to such otherwise permitted or required use or disclosure;
(iv) Pursuant to and in compliance with a valid authorization under § 164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510; and
(vi) As permitted by and in compliance with this section, § 164.512, or § 164.514(e), (f), or (g).
(2) Required disclosures. A covered entity is required to disclose protected health information:
(i) To an individual, when requested under, and required by § 164.524 or § 164.528; and
(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subpart.

45 CFR § 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.

45 CFR § 164.404 Notification to Individuals.
(a) Standard—(1) General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.

Privacy, Security and Breach Notification Rules; Required and Addressable Standards; 45 CFR § 164

Policy Authority/Enforcement

AeHN’s Executive Director (ED) and Privacy and Security Officer (PSO), in collaboration with the Participants, are responsible for monitoring and enforcement of the External HIE Privacy, Security and Compliance Policy and related Procedures.

Related Policies & Procedures

Security Rule - Internal Security Policies and Procedures found at 2.100 through 2.408
Breach Notification Rule – 2.600 Breach Notification Policy; 2.601 Breach Notification Procedure
Privacy Rule - Internal Privacy Policies and Procedures found at 3.100 through 3.101
Privacy, Security, Breach Notification and General Compliance for HIE Participants - External HIE Privacy, Security and Compliance Procedures found at 4.201 through 4.213

Renewal/Review

This policy is to be reviewed annually to determine if the policy complies with current Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security regulations and to ensure that it incorporates all recent developments in AeHN policies, procedures, activities, equipment and technology. In the event that significant related legal, regulatory or organizational changes occur, the policy will be reviewed and updated as needed.

Policy

I. Privacy Policy.

I.A. The guiding AeHN privacy principles are applied by AeHN through its internal Privacy and Security Policies, as well as its Privacy and Security Plan. These principles are as follows, and should be applied by Participants in their use of the HIE and DSM are as follows::

A.1. Openness and Transparency. Clarity about procedures, policies, developments, and technology concerning the handling of protected health information is vital to protecting privacy. Individuals should be able to understand what information exists about them, how the personal information is used, and how they can control use of that information.

B.2. Purpose Specification and Minimization. Access to and use of protected health information must be limited to the type and amount necessary to accomplish specified permitted purposes. Minimizing the use of protected health information will help decrease the amount of privacy violations, which may occur when data is collected for one legitimate reason and then reused for different or unauthorized purposes.

C.3. Disclosure Limitation. Protected health information should be made available through the AeHN System to Participants only by lawful means. Electronic collection of protected information may be confusing to most individuals. Individuals should be educated about the potential health and treatment benefits as well as risks to their protected health information that are associated with participation in the System. Individuals deciding not to participate should have the opportunity to know the System-wide effect of such decision and the potential disadvantages.

D.4. Access and Use Limitation. Protected health information should be obtained by one Participant from the System only pursuant to mutual agreement (included in the Participant Agreement) that the information is being accessed for qualifying purposes of the requesting Participant. Information recipients may use and disclose protected health information obtained through the System only for purposes and uses consistent with the Participant Agreement and consistent with their obligations as covered entities under HIPAA and other applicable Federal and State laws.

E.5. Individual Participation and Control. Consistent with the scope of individual rights in HIPAA, individuals should have the right to request and receive in a timely and intelligible manner information regarding various parties that may have that individual’s specific health information. Individuals have a vital stake in personal protected health information, such rights enable individuals to make informed decisions about participation and provide another means to monitor for inappropriate access, use and disclosure of protected health information. Individual participation promotes information quality, privacy, and confidence in privacy practices. Individuals should be made aware of their rights with regard to the HIE, through the AeHN Notice of Data Practices and the Participants’ revised Notice of Privacy Practices.

F.6. Data Integrity and Quality. Health information should be detailed, complete, appropriate, and current to guarantee its value to the various parties. The effective delivery of quality health care depends on complete health information. Therefore, the System must maintain the integrity of protected health information and individuals must be allowed to view information about them and request to amend such health information so that it is accurate and complete.

G.7. Security Safeguards and Controls. In an era of increased computer and Internet-related crime, security safeguards are vital to privacy protection. Electronic environments could be susceptible to cyber-crime without adequate controls. Such controls are put in place to prevent information loss, corruption, unauthorized use, modification, and disclosure. Safeguards that can be implemented include information scrubbing, identity management tools, hashing, auditing, authenticating, and other means to ensure information privacy. Privacy and security safeguards should be coordinated for the protection of protected health information.

H.8. Accountability and Oversight. Privacy protections have less value to an individual if privacy violators are not held accountable for failing to follow procedures relating to such privacy protections. Participants are unlikely to fully trust the System and fully participate if they believe other Participants are not applying the same rules and being held to the same standard of accountability. User and workforce training, privacy audits, and other oversight tools can help to identify and address privacy violations and security breaches by conditioning participation and access authority on compliance with these and the individual Participant's privacy policies, by excluding from participation those who violate privacy requirements, and by identifying and correcting weaknesses in privacy and security safeguards.

I.9. Remedies. To ensure privacy protection there must be legal and financial remedies that hold violators accountable for failing to comply with System policies. Such remedies will give individuals confidence in the organization’s commitment to keeping protected health information private, and mitigate any harm that privacy violations may cause individuals. As a condition of continued participation, all Participants in the System must have a common duty to participate in investigation, mitigation and remediation steps for the integrity of the System.

J.10. Reliance on Covered Entity Rules and Enforcement. While AeHN should have a number of core policies and procedures for the benefit and confidence of all Participants, AeHN should not try to replace policies, procedures and methods already adopted by Participants as covered entities under HIPAA. AeHN should identify, disseminate and enforce only those policies and procedures necessary for coordination of privacy breach response and other mitigating measures, but should recognize that existing Participant policies govern in all other areas.

B. Qualifying Uses of Information. AeHN and Participants have placed the burden on the requesting Participant to access information from another Participant’s records only for a qualifying use by the requesting Participant. A qualifying use is one that meets the terms of the Participation Agreement and State and Federal law.

C. Mitigation of Inadvertent Disclosures of PHI

Participants must report any improper use or disclosure of PHI of which they become aware to in accordance with the procedures enacted under this Policy. The Participant shall work with AeHN to determine the reasonable and appropriate steps that can be taken which may mitigate any resulting harm.

D. Sanctions for Violations of PHI Privacy

All Participants shall enact a policy for imposing sanctions for using or disclosing PHI in violation of this Policy and the underlying Procedures, in accordance with Procedure 4.213, “Sanctions”.

E. Documentation

Participants shall maintain copies of HIPAA compliance documents relevant to their use of the HIE and DSM for a period of at least six (6) years from the date the documents were created or were last in effect, whichever is later.

F. Complying with Individual Rights

HIPAA provides patients with individual rights that shall be recognized and enforced by AeHN, and Participants shall assist patients in exercising these rights in accordance with the procedures enacted hereunder. The following rights shall be recognized in accordance with such procedures:

A. Access
B. Amendment
C. Accounting of Disclosures of PHI
D. Confidential Communications
E. Requests for Restrictions on Uses and Disclosures of PHI


II.

III.II. Security Policy

1. Compliance. AeHN is committed to running the HIE in compliance with all applicable laws, regulations and AeHN policies/procedures. AeHN has adopted this policy in part to provide for the security of EPHI in accordance with the federal HIPAA Security Regulations. This policy and the procedures enacted hereunder encompass AeHN’s general approach to compliance with HIPAA Security Regulations through policy statements and procedures in the following categories:

a. Administrative Safeguards,
b. Physical Safeguards, and
c. Technical Safeguards.

2. Administrative Safeguards. The security management process is designed to prevent, detect, contain, and correct security violations relative to the HIE. The execution, development and implementation of remediation programs is the joint responsibility of AeHN and the Participants.

a. Participants are expected to cooperate fully with any risk assessment being conducted by AeHN.

b. HIE audit procedures will be implemented and maintained to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews will be used to determine if Participants are complying with the requirements of this policy and the related procedures.

c. Participants will assist in making sure access to the HIE is assigned and managed appropriate to the duties and responsibilities of each authorized user, and that authorized users are properly trained on the applicable laws, policies and procedures.

3. Physical Safeguards. Physical Safeguards are to be made in order to protect the HIE, related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Procedures will be implemented that limit physical access to electronic information systems and the facility or facilities in which such systems are housed, while still ensuring that proper authorized access is allowed. Participants should ensure that similar safeguards are in place to protect access points to the HIE owned by or housed with Participants.

4. Technical Safeguards. Technical Safeguards shall be maintained by each Participant that protect the HIE and control access to assure that such systems are accessed only by those individuals or software programs that have been granted access rights. Participants will implement technical security measures to guard against unauthorized access to or modification of EPHI that is being transmitted to or from the HIE.


IV.III. Breach Notification Policy. AeHN has implemented internal policies and procedures to address breaches, including breach notification and mitigation measures. Participants are expected to assist with the breach notification process as it applies to their organization, and to follow related procedures enacted under this policy.

4.200 External HIE Privacy, Security and Compliance Policy

APPROVED BY: AeHN Board

ADOPTED: 02/20/2013 v1

REVISED: 05/31/2013 v2

REVISED: 04/18/2014 v3


5/15/2013 Page 1 of 8

Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Apr-15 May-15 Jun-15 Total

Income

4025 GRANTS 135,753 135,753 135,753 135,753 135,753 135,753 135,753 135,752 135,752 - - - 1,221,775

4060 PARTICIPANT FEES (HIE) 4,000 4,000 165,960 4,000 4,000 28,680 63,013 4,000 49,392 30,080 16,975 125,000 499,100

4065 PARTICIPANT FEES (DSM) 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 13,500

4068 CONSULTING - - - - - - - - - - - - -

4200 DONATIONS - - - - - - - - - - - - -

4300 CONTRACTS 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 1,500,000

4301 PAYERS - - - - - - - - - - - - -

- - - - - - - - - - - - -

- - - - - - - - - - - - -

Total Income 265,878 265,878 427,838 265,878 265,878 290,558 324,891 265,877 311,269 156,205 143,100 251,125 3,234,375

Gross Profit 265,878 265,878 427,838 265,878 265,878 290,558 324,891 265,877 311,269 156,205 143,100 251,125 3,234,375

Expenses

4490 GENERAL OFFICE -

4102 OFFICE SUPPLIES 1,867 1,867 1,867 1,867 1,867 1,867 1,866 1,866 1,866 500 500 500 18,300

4110 OUTREACH & MARKETING 4,975 4,974 27,975 4,976 5,976 4,976 16,276 5,976 5,976 1,000 1,000 20,685 104,765

4115 BANK CHARGES/FEES 20 20 20 20 20 20 20 20 20 20 20 20 240

4420 DUES/SUBSCRIPTIONS - - - - - - - - - - - - -

4450 PRINTING/COPIES/PHOTOS 800 10 10 800 10 10 800 10 10 800 10 10 3,280

4462 POSTAGE 1,300 100 100 1,300 100 100 1,300 100 100 1,200 - - 5,700

4500 INSURANCE - G/L, D&O, Cyber - 5,300 - - - - - - - - 1,750 - 7,050

4505 INSURANCE - WC - - - - - - - 4,200 - - - - 4,200

4700 FOOD OTHER 500 500 500 500 500 500 500 500 500 500 500 500 6,000

Total 4490 GENERAL OFFICE 9,462 12,771 30,472 9,463 8,473 7,473 20,762 12,672 8,472 4,020 3,780 21,715 149,535

4600 FACILITIES -

4620 FACILITIES RENT/LEASE 4,600 4,600 4,675 4,675 4,675 4,675 4,675 4,675 4,675 2,385 2,385 2,385 49,080

4680 UTILITIES - - - - - - - - - - - - -

4682 TELEPHONE/INTERNET 500 500 500 500 500 500 500 500 500 500 500 500 6,000

4690 MISC FACILITIES COSTS - - - - - - - - - - - - -

Total 4600 FACILITIES 5,100 5,100 5,175 5,175 5,175 5,175 5,175 5,175 5,175 2,885 2,885 2,885 55,080

4800 WORKSHOPS & EVENTS - - - - - - - - - - - - -

5050 HUMAN RESOURCES - - - 2,850 - - - - - 2,850 - - 5,700

5100 PAYROLL EXPENSES - - - - - - - - - - - - -

5110 TECHNICAL STAFF 32,879 32,880 32,880 32,880 32,880 32,881 32,882 32,881 32,881 27,917 27,917 27,917 379,674

5120 ADMINISTRATIVE STAFF 46,085 31,585 31,585 31,585 31,585 31,585 31,585 31,585 31,585 27,983 27,983 19,583 374,315

5170 BENEFITS 12,942 12,942 12,942 12,941 12,941 12,941 12,941 12,941 12,941 8,705 8,705 5,500 139,382

Total 5100 PAYROLL EXPENSES 91,906 77,407 77,407 77,406 77,406 77,407 77,408 77,407 77,407 64,605 64,605 53,000 893,371

5200 PROFESSIONAL FEES -

5210 LEGAL 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 38,400

Alaska eHealth Network Budget - All Classes by Month

July 2014 - June 2015


5215 ACCOUNTING & AUDITING 3,000 3,000 14,000 11,000 8,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 60,000

5220 PROJECT MANAGEMENT - - - - - - - - - - - - -

5225 PROJECT COMMUNICATIONS - - 22,500 - - 2,500 - - 2,500 - - 23,000 50,500

5235 OTHER CONSULTING SERVICES 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 12,000

5240 HIT/EHR CONSULTING 69,877 69,877 69,877 69,877 69,877 69,876 69,876 69,876 69,876 - - - 628,889

5250 CONTRACT EMP SVCS 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 12,000

Total 5200 PROFESSIONAL FEES 78,077 78,077 111,577 86,077 83,077 80,576 78,076 78,076 80,576 8,200 8,200 31,200 801,789

5300 TECHNOLOGY SERVICES -

5310 DESKTOP SUPPORT 200 200 200 200 200 200 200 200 200 200 200 200 2,400

5320 ONLINE HOSTING FEES 400 400 400 400 400 400 400 400 400 400 400 400 4,800

Direct Services Message 2,500 2,500 5,000 5,000 5,000 5,000 2,500 2,500 2,500 5,000 2,500 2,500 42,500

5360 WEBSITE DESIGN & MAINTENANCE - - - - - - - - 1,200 - - - 1,200

Total 5300 TECHNOLOGY SERVICES 3,100 3,100 5,600 5,600 5,600 5,600 3,100 3,100 4,300 5,600 3,100 3,100 50,900

5500 TRAVEL -

5520 TRANS/LODGING/OTHER 7,223 7,223 7,222 7,222 7,222 7,222 7,222 7,222 7,222 3,000 3,000 3,000 74,000

5525 MEALS & PER DIEM 500 500 500 500 500 500 500 500 500 500 500 500 6,000

5527 MISC TRAVEL EXPENSE - - - - - - - - - - - - -

Total 5500 TRAVEL 7,723 7,723 7,722 7,722 7,722 7,722 7,722 7,722 7,722 3,500 3,500 3,500 80,000

5510 TRAINING/STAFF EDUCATION 500 500 500 500 500 500 500 500 500 500 500 500 6,000

7400 EQUIPMENT/FURNITURE - - - - - - - - - - - - -

7420 EQUIP/FURN < $5K - - - - - - - - - - - - -

Total 7400 EQUIPMENT/FURNITURE - - - - - - - - - - - - -

Total Expenses 195,868 184,678 238,453 194,793 187,953 184,453 192,743 184,652 184,152 92,160 86,570 115,900 2,042,375

Net Operating Income 70,010 81,200 189,385 71,085 77,925 106,105 132,148 81,225 127,117 64,045 56,530 135,225 1,192,000

Other Income

7590 HIE Acquisition Reimbursement -

Total Other Income - - - - - - - - - - - - -

Other Expenses

7601 ORION OTHER 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 192,000

7600 AK HIE SERVICE (SAAS) 83,334 83,333 83,333 83,334 83,333 83,333 83,334 83,333 83,333 83,334 83,333 83,333 1,000,000

Total Other Expenses 99,334 99,333 99,333 99,334 99,333 99,333 99,334 99,333 99,333 99,334 99,333 99,333 1,192,000

Net Other Income (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (1,192,000)

Net Income (29,324) (18,133) 90,052 (28,249) (21,408) 6,772 32,814 (18,108) 27,784 (35,289) (42,803) 35,892 -


Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Apr-15 May-15 Jun-15 Total Income

4025 GRANTS - - - - - - - - - - - - -

4060 PARTICIPANT FEES (HIE) 4,000 4,000 165,960 4,000 4,000 28,680 63,013 4,000 49,392 30,080 16,975 125,000 499,100

4065 PARTICIPANT FEES (DSM) 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 1,125 13,500

4068 CONSULTING -

4200 DONATIONS -

4300 CONTRACTS 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 125,000 1,500,000

4301 PAYERS - - - - - - - - - - - - -

-

- - - - - - - - - - - - -

Total Income 130,125 130,125 292,085 130,125 130,125 154,805 189,138 130,125 175,517 156,205 143,100 251,125 2,012,600

Gross Profit 130,125 130,125 292,085 130,125 130,125 154,805 189,138 130,125 175,517 156,205 143,100 251,125 2,012,600

Expenses

4490 GENERAL OFFICE -

4102 OFFICE SUPPLIES 200 200 200 200 200 200 200 200 200 500 500 500 3,300

4110 OUTREACH & MARKETING 1,000 1,000 24,000 1,000 2,000 1,000 12,300 2,000 2,000 1,000 1,000 20,685 68,985

4115 BANK CHARGES/FEES -

4420 DUES/SUBSCRIPTIONS -

4450 PRINTING/COPIES/PHOTOS 800 10 10 800 10 10 800 10 10 800 10 10 3,280

4462 POSTAGE 1,200 1,200 1,200 1,200 4,800

4500 INSURANCE - G/L, D&O, Cyber 5,300 - - - - - - - - 1,750 7,050

4505 INSURANCE - Workmen's Comp - - - - - - 4,200 - - - 4,200

4700 FOOD OTHER - - - - - - - - - - - -

Total 4490 GENERAL OFFICE 3,200 6,510 24,210 3,200 2,210 1,210 14,500 6,410 2,210 3,500 3,260 21,195 91,615

4600 FACILITIES -

4620 FACILITIES RENT/LEASE 2,310 2,310 2,385 2,385 2,385 2,385 2,385 2,385 2,385 2,385 2,385 2,385 28,470

4680 UTILITIES -

4682 TELEPHONE/INTERNET 250 250 250 250 250 250 250 250 250 500 500 500 3,750

4690 MISC FACILITIES COSTS -

Total 4600 FACILITIES 2,560 2,560 2,635 2,635 2,635 2,635 2,635 2,635 2,635 2,885 2,885 2,885 32,220

4800 WORKSHOPS & EVENTS -

5050 HUMAN RESOURCES 2,850 2,850 5,700

5100 PAYROLL EXPENSES -

5110 TECHNICAL STAFF 6,700 6,700 6,700 6,700 6,700 6,700 6,700 6,700 6,700 27,917 27,917 27,917 144,050

5120 ADMINISTRATIVE STAFF 26,585 12,085 12,085 12,085 12,085 12,085 12,085 12,085 12,085 27,983 27,983 19,583 198,815

5170 BENEFITS 5,500 5,500 5,500 5,500 5,500 5,500 5,500 5,500 5,500 8,705 8,705 5,500 72,410

Total 5100 PAYROLL EXPENSES 38,785 24,285 24,285 24,285 24,285 24,285 24,285 24,285 24,285 64,605 64,605 53,000 415,275

5200 PROFESSIONAL FEES -

5210 LEGAL 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 3,200 38,400

Alaska eHealth Network Budget - HIE by Month

July 2014 - June 2015


5215 ACCOUNTING & AUDITING 3,000 3,000 14,000 11,000 8,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 60,000

5220 PROJECT MANAGEMENT -

5225 PROJECT COMMUNICATIONS 22,500 2,500 2,500 23,000 50,500

5235 OTHER CONSULTING SERVICES 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 12,000

5240 HIT/EHR CONSULTING

5250 CONTRACT EMP SVCS 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 1,000 12,000

Total 5200 PROFESSIONAL FEES 8,200 8,200 41,700 16,200 13,200 10,700 8,200 8,200 10,700 8,200 8,200 31,200 172,900

5300 TECHNOLOGY SERVICES -

5310 DESKTOP SUPPORT 150 150 150 150 150 150 150 150 150 200 200 200 1,950

5320 ONLINE HOSTING FEES 200 200 200 200 200 200 200 200 200 400 400 400 3,000

5330 SECURITY SERVICES 2,500 2,500 5,000 5,000 5,000 5,000 2,500 2,500 2,500 5,000 2,500 2,500 42,500

5360 WEBSITE DESIGN & MAINTENANCE 1,200 1,200

Total 5300 TECHNOLOGY SERVICES 2,850 2,850 5,350 5,350 5,350 5,350 2,850 2,850 4,050 5,600 3,100 3,100 48,650

5500 TRAVEL -

5520 TRANS/LODGING/OTHER 3,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 3,000 36,000

5525 MEALS & PER DIEM 500 500 500 500 500 500 500 500 500 500 500 500 6,000

5527 MISC TRAVEL EXPENSE -

Total 5500 TRAVEL 3,500 3,500 3,500 3,500 3,500 3,500 3,500 3,500 3,500 3,500 3,500 3,500 42,000

5510 TRAINING/STAFF EDUCATION 500 500 500 500 500 500 500 500 500 500 500 500 6,000

7400 EQUIPMENT/FURNITURE -

7420 EQUIP/FURN < $5K -

Total 7400 EQUIPMENT/FURNITURE - - - - - - - - - - - - -

Total Expenses 59,595 48,405 102,180 58,520 51,680 48,180 56,470 48,380 47,880 91,640 86,050 115,380 814,360

Net Operating Income 70,530 81,720 189,905 71,605 78,445 106,625 132,668 81,745 127,637 64,565 57,050 135,745 1,198,240

Other Income

7590 HIE Acquisition Reimbursement -

Total Other Income - - - - - - - - - - - - -

Other Expenses

7601 ORION OTHER 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 16,000 192,000

7600 AK HIE SERVICE (SAAS) 83,334 83,333 83,333 83,334 83,333 83,333 83,334 83,333 83,333 83,334 83,333 83,333 1,000,000

Total Other Expenses 99,334 99,333 99,333 99,334 99,333 99,333 99,334 99,333 99,333 99,334 99,333 99,333 1,192,000

Net Other Income (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (99,334) (99,333) (99,333) (1,192,000)

Net Income (28,804) (17,613) 90,572 (27,729) (20,888) 7,292 33,334 (17,588) 28,304 (34,769) (42,283) 36,412 6,240


Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Apr-15 May-15 Jun-15 Total Income

4025 GRANTS 135,753 135,753 135,753 135,753 135,753 135,753 135,753 135,752 135,752 1,221,775

4060 PARTICIPANT FEES (HIE) - - - - - - - - - -

4065 PARTICIPANT FEES (DSM) -

4068 CONSULTING -

4200 DONATIONS - - - - - - - - - -

4300 CONTRACTS -

-

-

-

Total Income 135,753 135,753 135,753 135,753 135,753 135,753 135,753 135,752 135,752 1,221,775

Gross Profit 135,753 135,753 135,753 135,753 135,753 135,753 135,753 135,752 135,752 1,221,775

Expenses

4490 GENERAL OFFICE -

4102 OFFICE SUPPLIES 1,667 1,667 1,667 1,667 1,667 1,667 1,666 1,666 1,666 15,000

4110 OUTREACH & MARKETING 3,975 3,974 3,975 3,976 3,976 3,976 3,976 3,976 3,976 35,780

4115 BANK CHARGES/FEES -

4420 DUES/SUBSCRIPTIONS -

4450 PRINTING/COPIES/PHOTOS -

4462 POSTAGE 100 100 100 100 100 100 100 100 100 900

4500 INSURANCE - G/L, D&O, Cyber -

4505 INSURANCE - Workmen's Comp -

4700 FOOD OTHER -

Total 4490 GENERAL OFFICE 5,742 5,741 5,742 5,743 5,743 5,743 5,742 5,742 5,742 51,680

4600 FACILITIES -

4620 FACILITIES RENT/LEASE 2,290 2,290 2,290 2,290 2,290 2,290 2,290 2,290 2,290 20,610

4680 UTILITIES -

4682 TELEPHONE/INTERNET 250 250 250 250 250 250 250 250 250 2,250

4690 MISC FACILITIES COSTS -

Total 4600 FACILITIES 2,540 2,540 2,540 2,540 2,540 2,540 2,540 2,540 2,540 22,860

4800 WORKSHOPS & EVENTS -

5100 PAYROLL EXPENSES -

5110 TECHNICAL STAFF 26,179 26,180 26,180 26,180 26,180 26,181 26,182 26,181 26,181 235,624

5120 ADMINISTRATIVE STAFF 19,500 19,500 19,500 19,500 19,500 19,500 19,500 19,500 19,500 175,500

5170 BENEFITS 7,442 7,442 7,442 7,441 7,441 7,441 7,441 7,441 7,441 66,972

Total 5100 PAYROLL EXPENSES 53,121 53,122 53,122 53,121 53,121 53,122 53,123 53,122 53,122 478,096

5200 PROFESSIONAL FEES -

5210 LEGAL -

Alaska eHealth Network Budget - REC

July 2014 - June 2015


5215 ACCOUNTING & AUDITING -

5220 PROJECT MANAGEMENT -

5225 PROJECT COMMUNICATIONS -

5235 OTHER CONSULTING SERVICES -

5240 HIT/EHR CONSULTING 69,877 69,877 69,877 69,877 69,877 69,876 69,876 69,876 69,876 628,889

5250 CONTRACT EMP SVCS -

Total 5200 PROFESSIONAL FEES 69,877 69,877 69,877 69,877 69,877 69,876 69,876 69,876 69,876 628,889

5300 TECHNOLOGY SERVICES -

5310 DESKTOP SUPPORT 50 50 50 50 50 50 50 50 50 450

5320 ONLINE HOSTING FEES 200 200 200 200 200 200 200 200 200 1,800

Direct Services Message -

5360 WEBSITE DESIGN & MAINTENANCE -

Total 5300 TECHNOLOGY SERVICES 250 250 250 250 250 250 250 250 250 2,250

5500 TRAVEL -

5520 TRANS/LODGING/OTHER 4,223 4,223 4,222 4,222 4,222 4,222 4,222 4,222 4,222 38,000

5525 MEALS & PER DIEM -

5527 MISC TRAVEL EXPENSE -

Total 5500 TRAVEL 4,223 4,223 4,222 4,222 4,222 4,222 4,222 4,222 4,222 38,000

5510 TRAINING/STAFF EDUCATION -

7400 EQUIPMENT/FURNITURE -

7420 EQUIP/FURN < $5K -

Total 7400 EQUIPMENT/FURNITURE - - - - - - - - - -

Total Expenses 135,753 135,753 135,753 135,753 135,753 135,753 135,753 135,752 135,752 - - - 1,221,775

Net Operating Income - - - - - - - - - -

Other Income

7590 HIE Acquisition Reimbursement -

Total Other Income -

Other Expenses

7600 AK HIE SERVICE (SAAS) -

Total Other Expenses -

Net Other Income -

Net Income -


Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Apr-15 May-15 Jun-15 Total Income

4025 GRANTS

4060 PARTICIPANT FEES (HIE)

4065 PARTICIPANT FEES (DSM)

4068 CONSULTING

4200 DONATIONS

4300 CONTRACTS

Total Income

Gross Profit

Expenses

4490 GENERAL OFFICE

4102 OFFICE SUPPLIES

4110 OUTREACH & MARKETING

4115 BANK CHARGES/FEES 20 20 20 20 20 20 20 20 20 20 20 20 240

4420 DUES/SUBSCRIPTIONS

4450 PRINTING/COPIES/PHOTOS

4462 POSTAGE

4500 INSURANCE - G/L, D&O, Cyber

4505 INSURANCE - Workmen's Comp

4700 FOOD OTHER 500 500 500 500 500 500 500 500 500 500 500 500 6,000

Total 4490 GENERAL OFFICE 520 520 520 520 520 520 520 520 520 520 520 520 6,240

4550 HUMAN RESOURCES

4600 FACILITIES

4620 FACILITIES RENT/LEASE

4680 UTILITIES

4682 TELEPHONE/INTERNET

4690 MISC FACILITIES COSTS

Total 4600 FACILITIES

4800 WORKSHOPS & EVENTS

5100 PAYROLL EXPENSES

5110 TECHNICAL STAFF

5120 ADMINISTRATIVE STAFF

5170 BENEFITS

Total 5100 PAYROLL EXPENSES

5200 PROFESSIONAL FEES

5210 LEGAL

Alaska eHealth Network Budget - Unrestricted by Month

July 2014 - June 2015


5215 ACCOUNTING & AUDITING

5220 PROJECT MANAGEMENT

5225 PROJECT COMMUNICATIONS

5235 OTHER CONSULTING SERVICES

5240 HIT/EHR CONSULTING

5250 CONTRACT EMP SVCS

Total 5200 PROFESSIONAL FEES

5310 DESKTOP SUPPORT

5320 ONLINE HOSTING FEES

Direct Services Message

5360 WEBSITE DESIGN & MAINTENANCE

Total 5300 TECHNOLOGY SERVICES

5500 TRAVEL

5520 TRANS/LODGING/OTHER

5525 MEALS & PER DIEM

5527 MISC TRAVEL EXPENSE

Total 5500 TRAVEL

5510 TRAINING/STAFF EDUCATION

7400 EQUIPMENT/FURNITURE

7420 EQUIP/FURN < $5K

Total 7400 EQUIPMENT/FURNITURE

Total Expenses 520 520 520 520 520 520 520 520 520 520 520 520 6,240

Net Operating Income (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (6,240)

Other Income

7590 HIE Acquisition Reimbursement

Total Other Income

Other Expenses

7600 AK HIE SERVICE (SAAS)

Total Other Expenses

Net Other Income

Net Income (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (520) (6,240)


Projected Projected Projected Projected Projected

Jul-13 Aug 2013 Sep 2013 Oct 2013 Nov 2013 Dec 2013 Jan 2014 Feb 2014 Mar 2014 Apr 2014 May 2014 Jun 2014 Total Variance Budget

Income

4025 Grant Revenue

4026 Grant Revenue - Deposits 194,934 222,736 163,856 94,130 160,832 125,427 160,187 201,952 78,210 243,277 191,376 191,376 2,028,293 (268,219) 2,296,512

4027 Grant Receivable Adjustments 44,249 12,019 39,290 58,782 -36,436 34,407 -53,471 -4,052 48,448 143,236 143,236 0

Total 4025 Grant Revenue 239,183 234,755 203,146 152,913 124,396 159,834 106,716 197,899 126,658 243,277 191,376 191,376 2,171,529 (124,983) 2,296,512

4060 Participant Fees (HIE) 4,266 27 144 25 63,022 15,352 18,400 18,400 119,636 (101,164) 220,800

4060.1 Allocated Participant Fees 0 0 0 0 0 0 0 0 0

4070 Services Revenue 250 2,500 0 0

4200 DONATIONS 10 500 323 750 750 2,333 (6,667) 9,000

4250 MISC. INCOME 185 1,307 -1,307 (55,488) 55,488

4300 State Contract Rev 29,000 60,020 29,000 288,250 29,000 29,000 33,900 293,350 29,000 386,250 36,491 36,491 36,491 (18,997) 55,488

4411 Interest Earnings 9 34 12 12 11 16 17 15 15 15 (437,875) 437,890

Total Income 272,459 294,987 232,146 441,315 155,237 187,563 203,650 491,583 171,026 629,794 249,532 247,032 3,576,325 501,147 3,075,178

Expenses

4490 GENERAL OFFICE

4102 OFFICE SUPPLIES 200 3,087 2,006 805 1,091 588 722 322 -897 432 2,892 2,892 14,140 (20,564) 34,704

4105 SOFTWARE AND LICENSE 471 120 1,000 1,591 1,591 0

4110 OUTREACH & MARKETING 1,875 650 3,245 4,104 6,200 1,978 4,382 2,246 11,325 11,325 47,330 (88,570) 135,900

4115 BANK CHARGES/FEES 8 12 9 7 6 28 5 48 5 5 132 132 0

4420 DUES/SUBSCRIPTIONS 145 428 716 393 638 249 197 100 100 2,966 1,766 1,200

4450 PRINTING/COPIES/PHOTOS 145 428 707 393 638 249 1,383 1,383 5,326 (11,270) 16,596

4461 FREIGHT 9 9 9 0

4462 POSTAGE 53 43 64 1,197 51 22 57 1,014 5 1,029 671 671 4,878 (3,174) 8,052

4470 TAXES/LICENSES/FEES 40 25 0 0 65 65 0

4501 INSURANCE - Cyber 5,198 550 167 167 6,082 4,078 2,004

4500 INSURANCE - G/L 1,200 0 1,200 1,200 0

4505 INSURANCE - WC -783 3,987 419 419 4,042 (986) 5,028

4700 FOOD OTHER 204 300 200 473 104 1,000 1,000 3,281 (8,719) 12,000

Total 4490 GENERAL OFFICE 2,630 9,844 1,807 6,805 5,553 637 7,971 9,098 5,647 3,935 19,157 17,957 91,041 (124,443) 215,484

4600 FACILITIES

4620 FACILITIES RENT/LEASE 3,492 7,905 4,579 4,579 4,579 4,579 4,616 4,579 4,579 4,400 4,400 52,289 (511) 52,800

4680 UTILITIES 107 109 30 246 (5,274) 5,520

4682 TELEPHONE/INTERNET 431 427 734 716 96 958 496 484 527 544 375 375 6,164 1,664 4,500

Total 4600 FACILITIES 4,031 8,442 764 5,296 4,675 5,538 5,075 5,100 5,106 5,123 4,775 4,775 58,699 (4,121) 62,820

4800 WORKSHOPS & EVENTS 266 266 532 (2,660) 3,192

5050 HUMAN RESOURCES 30 2,850 500 500 3,880 (2,120) 6,000

5100 PAYROLL EXPENSES 0 0 0 0 0

5110 TECHNICAL STAFF 28,968 30,246 30,718 27,035 27,035 27,452 27,452 27,452 27,452 27,452 35,182 35,182 351,624 (70,560) 422,184

5120 ADMINISTRATIVE STAFF 24,437 23,158 22,687 26,369 26,370 27,203 27,203 27,203 27,203 27,203 29,969 29,969 318,976 (40,652) 359,628

5170 BENEFITS 781 402 25,493 25,493 52,169 (253,747) 305,916

5170.1 Retirement - Co. Contrib. 0 231 0 0 231 0 257 0 0 719 719 0

5170.2 Health Insurance 5,532 6,374 5,853 5,300 5,727 828 3,755 3,904 3,111 3,312 0 0 43,697 43,697 0

Alaska eHealth Network Statement of Activities - Detail

July 1, 2013 - April 15, 2014


5170.3 Paid Leave 4,121 -321 1,931 1,779 2,598 1,990 -1,328 -975 4,716 2,597 0 0 17,109 17,109 0

5170.4 Self Pay Vision 260 200 160 0 0 620 620 0

Company Contributions - Retirement 1,125 1,125 1,125 1,125 1,325 1,358 1,358 1,358 1,358 1,358 0 0 12,617 12,617 0

Total 5170 BENEFITS 10,778 7,178 8,909 8,435 9,650 4,437 4,216 4,448 9,967 7,926 25,493 25,493 126,931 (969,989) 1,096,920

5180 PAYROLL TAXES 4,146 4,135 4,138 4,138 3,720 3,554 4,650 4,688 4,699 4,691 4,691 4,691 51,942 48,774 3,168

Taxes 0 0

Total 5100 PAYROLL EXPENSES 14,924 11,314 13,047 12,573 13,371 7,990 8,866 9,136 14,665 12,618 30,184 30,184 178,872 (921,216) 1,100,088

5200 PROFESSIONAL FEES 1,053 1,053 1,053 0

5210 LEGAL 5,802 1,615 2,218 3,190 2,276 1,918 616 1,078 2,772 924 2,500 2,500 27,410 (2,591) 30,000

5215 ACCOUNTING & AUDITING 9,752 2,856 14,960 8,305 4,838 2,859 2,155 3,397 5,479 2,928 3,200 3,200 63,929 25,529 38,400

5220 PROJECT MANAGEMENT 14,750 1,500 1,500 17,750 (250) 18,000

5225 PROJECT COMMUNICATIONS 3,358 1,685 978 2,796 0 0 8,816 8,816 0

5235 OTHER CONSULTING SERVICES 6,763 11,188 288 6,188 6,188 6,188 4,500 4,500 4,500 4,500 13,442 13,442 81,684 (79,620) 161,304

5240 HIT/EHR Consulting Services 167,883 193,709 137,449 81,152 62,331 47,904 58,848 96,172 60,596 87,367 78,583 78,583 1,150,575 207,579 942,996

5245 PRIVACY & SECURITY 2,500 2,950 2,500 2,500 2,500 2,500 2,500 2,500 2,500 2,500 2,500 2,500 30,450 30,450 0

5250 CONTRACT EMP SERVICES 400 350 263 463 375 725 800 800 800 4,975 4,975 0

Total 5200 PROFESSIONAL FEES 192,699 212,318 157,414 101,735 81,840 63,316 70,135 123,750 79,367 99,018 102,525 102,525 1,386,641 195,941 1,190,700

5300 Tech Services - Ops.

5310 DESKTOP SUPPORT 171.50 1,985.50 1,617.00 588.00 2,572.50 343.00 171.50 98.00 245.00 539.00 3,000 3,000 14,331 (21,669) 36,000

5320 ONLINE HOSTING FEES 354.06 208.16 274.16 566.16 734.16 486.16 177.70 94.30 299.46 38.46 1,000 1,000 5,233 (6,767) 12,000

5330 SECURITY SERVICES 0 0 0

MAINTENANCE 200.00 920.00 521 521 2,162 (4,090) 6,252

Total 5300 Tech Services - Ops. 526 2,194 1,891 1,354 3,307 829 349 192 1,464 577 4,521 4,521 21,726 (32,526) 54,252

5400 HIE Participant Exp.

5410 Participant Training 11,725 11,725 11,725 0

Total 5400 HIE Participant Exp. 0 11,725 0 0 0 0 0 0 0 0 0 0 11,725 11,725 0

5500 TRAVEL

5520 TRANS/LODGING/OTHER 3,605 2,453 5,645 1,441 1,048 5,756 3,818 5,937 4,167 4,562 9,917 9,917 58,266 (60,734) 119,000

5525 PER DIEM 418 1,593 1,348 540 300 937 1,369 942 611 611 1,579 1,579 11,827 (7,123) 18,950

5527 MISC TRAVEL EXPENSE 993 200 200 1,393 (1,007) 2,400

5528 CONFERENCE REGISTRATION 795 -100 195 -595 -595 0 0 -300 (300) 0

Total 5500 TRAVEL 4,023 5,040 6,993 1,981 1,348 7,488 5,086 7,074 4,183 4,578 11,696 11,696 71,186 (69,164) 140,350

5510 TRAINING/STAFF EDUCATION 600 775 225 3,110 4,710 4,710 0

7400 EQUIPMENT/FURNITURE

7420 EQUIP/FURN < $5K 22,657 -630 22,027 22,027 0

Total 7400 EQUIPMENT/FURNITURE 0 0 22,657 0 -630 0 0 0 0 0 0 0 22,027 22,027 0

Total Expenses 218,863 260,875 205,173 133,369 109,463 85,799 97,482 154,574 113,543 125,850 173,358 172,158 1,850,507 (919,187) 2,769,694

Net Operating Income 53,596 34,112 26,973 307,946 45,775 101,764 106,168 337,009 57,483 503,945 76,174 74,874 1,725,818 1,420,334 305,484

Other Income 0 0

7590 HIE Acquisition Reimbursement 83,333 83,333 83,333 83,333 83,333 83,333 83,333 83,333 83,333 0 0 0 750,000 0 750,000

Total Other Income 83,333 83,333 83,333 83,333 83,333 83,333 83,333 83,333 83,333 0 0 0 750,000 (0) 750,000

Other Expenses 0

7600 AK HIE SERVICE (SAAS) 83,333 83,333 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 993,055 (6,941) 999,996

Total Other Expenses 83,333 83,333 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 82,639 993,055 (6,941) 999,996

Net Other Income 0 0 695 695 695 695 695 695 695 -82,639 -82,639 -82,639 -243,055 6,941 -249,996

Net Income 53,596 34,112 27,668 308,641 46,469 102,459 106,863 337,703 58,178 421,306 -6,465 -7,765 1,482,763 1,427,275 55,488


Alaska eHealth Network Strategy Map DRAFT 2014 – 2016

Vision: An electronically-connected Alaska healthcare delivery system

OBJECTIVES

FINANCIAL

STAKEHOLDERS

OPERATIONS

CAPACITY

STAFF READINESS Provide learning and growth opportunities

PROVIDERS/PAYERS Increase EHR Adoption and Meaningful Use

PATIENTS Ensure privacy of PHI and maintain confidence in electronic exchange

DHSS Meet Public Health reporting requirements

Metrics: Annual Provider and Patient Satisfaction Survey, participants meeting MU

POLICIES & PROCEDURES Minimize policy/procedure exceptions

PRIVACY & SECURITY Minimize security issues

PARTICIPANT CONTRACT DELIVERABLES Ensure timely deliverables

Metrics: Risk assessment, monthly P&S reports, annual policy review

STAFF SATISFACTION Provide safe and adequate environment

CONTRACTOR CAPACITY Optimize use of staff augmentation contractors

Metrics: Staff - Training reports and HR reviews; Board-meeting attendance and onboarding; Contractors-performance based contracts

SUSTAINABILITY Maintain AeHN viability

Market Penetration Onboard 85% of hospitals and providers

BUDGET vs ACTUAL Ensure positive income

Metrics: Monthly Income, budget vs income, #/$ annual contracts, cash on hand, #hospitals, # providers, value of contracts up for renewal

HIE VENDOR RELATIONS Maintain timely resolution of issues

Governance Optimize Board engagement and effectiveness

1/21/2014 V1.0
