Privacy and Security Past, Present, & Future
Danika E. Brinda, MA, RHIA, CHPS
Assistant Professor/REACH HIT Consultant
The College of St. Scholastica
September 27, 2013

Objectives
• Understand the Security Rule and how it relates to you
• Understand the Privacy Rule and how it relates to you
• Understand where privacy regulations have been, where they are at, and where they are going
• Understand big changes and challenges with compliance

The transition of Privacy and Security in Healthcare
• First attempt at development of federal rules and regulations to protect the privacy and security of Protected Health Information (PHI)
1996 – HIPAA Regulation Enacted
2003 – Privacy Rule Mandated
2005 – Security Rule Mandated
2009 – Interim ARRA/HITECH Provision on Privacy and Security
2013 – Omnibus Rule of 2013 (Final ARRA/HITECH)

HIPAA in the News

Feds Go to Court to Collect First‐Ever Fine for HIPAA Violations
Featured in Health Business Daily, Aug. 18, 2011, and in Government News of the Week
“In February, the Office for Civil Rights imposed a $4.3 million fine on a Maryland medical group that had refused to honor 41 patients’ requests for their medical records…”

Medical Billing Firm Says Personal Information Leaked to Theft Ring
www.ihealthbeat.org, December 3, 2012
“Advanced Data Processing said that an employee improperly accessed individual account data in the company's ambulance billing system and leaked the information to a theft ring. The worker has admitted to the crime and has been fired…”
Read more: http://www.ihealthbeat.org/articles/2012/12/3/medical-billing-firm-says-personal-information-leaked-to-theft-ring.aspx#ixzz2LMpz9bx2

Text Message Use Among Providers Raise HIPAA Concerns
Written by Joyce McLaughlin, JD, Senior Counsel, Davis & Wilkerson, August 11, 2011, http://www.beckershospitalreview.com
“As the possibilities for electronic communication continue to expand with great speed, use of the technology by hospital employees and physicians without adequate security can expose your facility to HIPAA violations. The increasing use of cell phones and texting …”

9 Patients' Identities Stolen in Emory Healthcare Data Breach
Written by Sabrina Rodak | October 25, 2011 | http://www.beckershospitalreview.com
“Nine patients of Emory Healthcare's orthopedic clinic in Tucker, Ga., have had fraudulent tax returns filed in their name, according to a Channel 2 report. The nine patients were among 32 Emory orthopedic clinic patients whose hospital bills were stolen in April…”

Hippocratic Oath
• Original Translation (5th Century BCE): “…All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.”
• Classic Translation (A long time ago): “…What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep myself holding such things shameful to be spoken about.”
• Modern Version – 1964: “…I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know. Most especially must I tread with care in matters of life and death.”

What is Protected Health Information?
• Protected Health Information (PHI)
  – Health information that identifies an individual, or could create a reasonable basis to believe the information could be used to identify an individual
  – Can be past, present, or future information
• Electronic Protected Health Information (ePHI)
  – Health Information that is transmitted or maintained in electronic format

Examples of Protected Health Information
• Patient’s Name
• Age / Date of Birth
• Address
• Telephone Numbers
• Medical Record Number
• Social Security Number
• Account Number
• Health History or Conditions
• Treatment of Medications
• Dates of Treatments and Hospitalizations
• Hospital or Clinic Bill
• Biometric Identifiers

[Chart: Location of Breach, September 2009 - July 2013. Categories: Computer, Electronic Medical Record, E-Mail, Laptop, Network Server, Other, Other Portable Devices, Paper]

[Chart: Breach by Type, September 2009 - July 2013. Categories: Hacking/IT Incident, Improper Disposal, Loss, Other, Theft, Unknown, Unauthorized Access/Disclosure]

Business Associate Involvement, September 2009 - July 2013
Total Breaches > 500 People: 627
• Business Associates: 138 (22%)
• Covered Entities: 489 (78%)

People Impacted By Breach, September 2009 - July 2013
Total People Impacted: 22,199,751
• Covered Entities: 9,276,985 (43%)
• Business Associates: 12,110,729 (57%)
Source: http://www.hipaasecurenow.com/index.php/blog/

Top 2012 Data Breaches
Source: http://www.dolbey.com/uncategorized/redspin2012-health-data-breach-report-breakdown/

What are the Major HIPAA Compliance Areas?
• Privacy Requirements
  – Notices, Authorizations and Consents
  – Accounting of Disclosures
  – Business Associates
  – Breach Notification
• Security Requirements
  – Administrative, Physical, and Technical Safeguards
  – Business Associates
  – Risk Assessment and Compliance Programming

HIPAA – The Privacy Rule
• Published on December 28, 2000
• Final Rule published on August 14, 2002
• Effective Date – April 14, 2003

HIPAA – The Privacy Rule
• The Final HIPAA Privacy Rule (45 CFR Parts 160 and 164) focused on three major purposes:
1. To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;
2. To improve the quality of health care in the U.S. by restoring trust in the health care system; and
3. To improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

High Level Overview: Privacy Practices
• Appointment of Chief Privacy Officer
• Notice of Privacy Practices
• Disclosures
• Minimum Necessary
• Authorizations
• Accounting of Disclosures (extended through ARRA IFR)
• Request Restrictions on where PHI is sent
• Designated Record Set
• Business Associate Agreements (extended through ARRA IFR)
• Medical Record Amendments
• Alternative forms of Communication with Patients
• Training of the Workforce
• Privacy/Breach Investigations and Notifications (extended through ARRA IFR)

Designated Record Set Components
• Defined by HIPAA to include:
  – patient medical records
  – billing records
  – enrollment, payment, claims, adjudication, and cases
  – medical management record systems maintained by or for a health plan
  – information used in whole or in part to make care-related decisions

HIPAA – The Security Rule
• Final Rule Published February 20, 2003
• Effective Date – April 20, 2005
• The Final HIPAA Security Rule defines administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI.

What’s the Focus of the Security Rule
There are 4 distinct parts to the Security Rule:
1. Administrative Safeguards are administrative actions, including the establishment of policies and procedures, to manage the activities needed to establish security measures that protect ePHI.
2. Physical Safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
3. Technical Safeguards are the technology, including policies and procedures for its use, that protect ePHI and control access to it.
4. Organizational Safeguards are arrangements made between organizations to protect ePHI, including Business Associate Agreements.

HIPAA and Confidentiality, Integrity, Accessibility (CIA)
Source: http://www.hipaaacademy.net/consulting/hipaaSecurityRuleOverview.html

Addressable v. Required
• Standards are broken up into two categories (45 CFR 164.306(d))
• Addressable – the covered entity must assess the reasonableness and appropriateness of the safeguard to protect the entity’s ePHI, considering:
  – The size, complexity and capability of the covered entity
  – The covered entity's technical infrastructure, hardware, and software security capabilities
  – The costs of security measures
  – The probability and criticality of potential risks to ePHI
• Required – the covered entity must comply with the standard and implement policies and/or procedures that meet the requirement

Administrative Safeguards
Standards and Implementation Specifications (R = Required, A = Addressable)
• Security Management Process
  – Risk Analysis (R)
  – Risk Management (R)
  – Sanction Policy (R)
  – Information System Activity Review (R)
• Assigned Security Responsibility
  – Designate Security Officer (R)
• Workforce Security
  – Authorization and/or Supervision (A)
  – Workforce Clearance Procedure (A)
  – Termination Procedures (A)

Physical Safeguards
Standards and Implementation Specifications (R = Required, A = Addressable)
• Facility Access Controls
  – Contingency Operations (A)
  – Facility Security Plan (A)
  – Access Control and Validation Procedures (A)
  – Maintenance Records (A)
• Workstation Use (R)
• Workstation Security (R)
• Device and Media Controls
  – Disposal (R)
  – Media Re-use (R)
  – Accountability (A)
  – Data Backup and Storage (A)

Technical Safeguards
Standards and Implementation Specifications (R = Required, A = Addressable)
• Access Control
  – Unique User Identification (R)
  – Emergency Access Procedure (R)
  – Automatic Logoff (A)
  – Encryption and Decryption (A)
• Audit Controls (R)
• Integrity
  – Mechanism to Authenticate Electronic PHI (A)
• Person or Entity Authentication (R)
• Transmission Security
  – Integrity Controls (A)
  – Encryption (A)

Organizational Safeguards
Standards and Implementation Specifications (R = Required, A = Addressable)
• Business Associate Contracts or Other Arrangements
  – Business associate contracts (R)
  – Other Arrangements (R)
• Requirements for group health plans
  – Implementation Specification (R)
• Policies and Procedure (R)
• Documentation
  – Time Limit (R)
  – Availability (R)
  – Updates (R)

American Recovery and Reinvestment Act (ARRA) of 2009
• February 2009, President Obama signed ARRA
• ARRA defines the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII
  – Strengthens HIPAA Privacy and Security Rules
  – Affects both Covered Entities and their Business Associates
  – Published draft privacy regulations on July 14, 2010 in the Federal Register
  – Responses to the draft regulations were due by September 13, 2010

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rule 2013
• February 17, 2009: President Obama signed the American Recovery and Reinvestment Act (ARRA) of 2009
• Title XIII, The Health Information Technology for Economic and Clinical Health Act (HITECH), included provisions on HIPAA Privacy, Security and Enforcement.
• Interim Rules were established to address HITECH Privacy Requirements for Breach Notification and Enforcement
• On January 25, 2013 the Federal Register published Part II, 45 CFR Parts 160 and 164
• Most of the interim rules that were in the ARRA act are moving from Interim Rules to Final Rules
• Effective Date: March 26, 2013
• Compliance Date: September 23, 2013 (180 Days)

What’s Still Missing that Keeps Us Waiting…
Some components of the Interim Rule are still missing.
The hope is that these will be published later in 2013:
› Accounting of Disclosures/Access Reports
› Minimum Necessary Guidance
› Distribution of penalties and settlements to harmed individuals

Breach Notification 2013
• Most of the components remained the same except:
  – Removed the Risk of Harm analysis and replaced it with a more objective Risk Assessment analysis
  – The objective risk analysis needs to show evidence of evaluating:
    • The nature and extent of PHI involved – types & likelihood of reidentification
    • The unauthorized person(s) who used the PHI or to whom it was disclosed
    • If the PHI was acquired, viewed or disclosed (re-disclosed)
    • The extent to which the risk to the PHI has been mitigated
  – Eliminates the exception in the interim rule that limited data sets were not included in breach investigation

HITECH Definition 2009
Defined as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

New Breach Definition
An impermissible use or disclosure of PHI is “presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.”
**A Comment to interim final rule suggesting compromise standard indicates that it is whether PHI is “inappropriately viewed, reidentified, re-disclosed, or otherwise misused” (Adam Greene)

What Did NOT Change from IFR to Final Rule
• Definition of “Unsecured Protected Health Information”
• When a breach is treated as “discovered”
• Timeline for notifications – clock starts at Date of Discovery
• Content of notification
• Methods of notification
• Notification to the media and the Secretary (minor modification – counting from year of discovery)
• Notification by Business Associate
• Delay requested by law enforcement
• Documentation and burden of proof
• Pre-emption standard regarding state laws

Breach Definitions “Exceptions”
• Unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate.
  – Example: A staff member receives a fax intended for a nurse on a different nursing unit. She quickly forwards the information to the correct location within her healthcare facility.
• Inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate.
  – Example: A nurse calls a physician to discuss a patient’s case. After the nurse finishes that conversation, she realizes that she gave the incorrect patient information to the physician. As long as the physician doesn’t do anything else with the information, it is not considered a breach.

Breach Definitions “Exceptions”
• Good-faith belief by the covered entity or business associate that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.
  – Example: A fax was sent to the incorrect recipient. The recipient of the information calls to inform the facility and returns the documents in their original condition. As long as the information is returned and it is assumed that the incorrect recipient couldn’t have retained the information, it is not considered a breach.

Examples of Potential Breaches
• An employee inappropriately accesses a co-worker's chart
• A fax is sent to the incorrect fax number
• A release of information is sent to the incorrect recipient
• An employee blogs about their work day, including a specific patient diagnosis that can be linked to a patient
• Someone has hacked into your EHR and obtained SSNs for multiple patients
• A physician/employee inappropriately accesses the chart of a celebrity
• An e-mail with PHI in the content was sent to the incorrect e-mail recipient

Breach Notification 2013
Interim Breach Notification:
• Analyze Type of PHI disclosed
• Evaluate the Recipient of the PHI
• Evaluate if PHI was accessed, disclosed, used, or acquired
• Intent of potential breach
• Steps to mitigate or eliminate risk of harm
Final Breach Notification:
• Analyze Type of PHI disclosed
• Evaluate the Recipient of the PHI
• Evaluate if PHI was accessed, viewed, reidentified, re-disclosed,
• ___________
• Steps to mitigate risk to PHI

Patient Access to Electronic Health Records
• If PHI held electronically, individual entitled to an electronic copy if in a “designated record set” (not just the information in an “EHR”)
• Must be in the format requested if “readily producible;” if not, in a readable electronic form and format agreed upon by the entity and the individual
• Not required to buy new software to do this – but must have capability to provide some electronic copy
• If individual declines to accept electronic formats entity makes available, can default to hard copy
• Not required to accept patient’s device – but can’t require individuals to purchase a device from you if they don’t want to

Patient Access – Technical Safeguards
• Must have reasonable safeguards in place to protect transmission of ePHI – but…
• If an individual wants information by unencrypted email, entity can send if they advise the individual that such transmission is risky
• Must have a secure mechanism – can’t force individuals to accept unsecure
• Omnibus Rule allows up to 60 days (30 days less); preamble urges entities to make information available sooner when possible

Fundraising and PHI
• Added 4 new categories that can be released for fundraising: Department of Service, Treating Physician, Outcome Information, and Health Insurance Status
• Strengthens and Defines Opt-Out For Fundraising
  – Clearly Defined
  – Must not require undue burden (writing a letter)
  – May not affect treatment or payment
  – If opt out – CE MUST not make fundraising communications to patient

Changes to Research
• Covered entities are now allowed to combine conditioned and unconditioned authorizations for research; however, they must differentiate between the two.
• Conditioned: required to participate in this study
• Unconditioned: optional use/disclosure for other studies/tissue banking/registries
• NOTE: Unconditioned MUST be opt in such as a check box or additional signature line.

Changes to Access to Immunizations
Covered Entities may now release immunization records to schools without an authorization IF:
• State law requires the school to have the immunization record
• The CE received written or oral documentation (it must be documented)

Changes to Access to Deceased Patients' Records
• PHI of a deceased patient is no longer considered protected health information after 50 years from death
• CE may disclose PHI to person(s) involved in decedent’s care or payment if not contrary to prior expressed preference

Marketing and PHI
• In the Omnibus Rule, marketing is defined as “a communication about a product or service that encourages recipients to purchase or use the product or service.” – Federal Register, January 25, 2013
• Under the new regulation, CE must obtain authorization to use PHI to make any treatment and healthcare operations communications IF the CE receives financial remuneration for making the communication from a third party whose product is being promoted

Marketing and PHI
• Excluded
• Refill Requests
• Can be reimbursed for actual costs
• Generic Equivalents
• Adherence communication reminding patients to take medication
• Costs can only be collected for labor, supplies and postage

Selling Protected Health Information
• Covered Entities are not allowed to receive any remuneration in exchange for protected health information.
• Exceptions (no limits provided):
  – Treatment
  – Payment
  – Public Health
  – Sale of CE to another organization
  – Required by Law

Selling Protected Health Information
• Exceptions (Limits Defined)
  – Any other permissible purpose if remuneration limited to reasonable, cost-based fee for preparation and transmittal **This is new from the HITECH Act**
  – Research
  – To an individual for access and accounting

GINA Act Changes
• Changes impact Health Plans and not Health Care Organizations.
  – Clarification that genetic information is health information
  – Health plan (other than long-term care plan) may not use or disclose genetic information for underwriting purposes

Business Associates
Definition of Business Associate has changed
› Old: An individual or organization who uses or discloses protected health information on behalf of the covered entity.
› New: An individual or organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity
Examples: Health Information Exchange, e-prescribing gateway, data transmission services, offers a personal health record, etc.
Mere Conduits – narrow definition that applies only to courier services such as the Postal Service or an Internet Service Provider

Business Associates
• Must enter into business associate agreements with any subcontractors who will receive, create, or transmit PHI on behalf of the BA (on behalf of the CE)
• A subcontractor is “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate”
• The line is followed as far down as the PHI

Business Associate Compliance Requirements
• Comply with the Security Rule’s administrative, physical and technical safeguards (including policies and procedures)
• Comply with specific components of the Privacy Rule
  › Not required to provide NPP or designate a privacy officer
• Any other items included by the CE in the business associate agreement

Business Associates Direct Liability
• Impermissible uses and disclosures of PHI
• Failure to provide breach notification to the covered entity
• Failure to provide access to a copy of electronic PHI to the CE, the individual or designee(s)
• Failure to disclose PHI to OCR where required during an investigation or determination of a BA compliance with

Business Associates Compliance Dates
Additional time allowed to enter into conforming business associate agreements (Limited Deemed Compliance Date)
› If BAAs comply with pre-Omnibus rule, parties have 1 additional year to bring their BAAs into compliance: September 22, 2014
› If BAAs do not comply with pre-Omnibus rule (or no BAA exists), must enter into BAAs that comply: September 23, 2013
Regardless of compliance deadlines, compliance with Omnibus Rule required when existing BAAs renew or are modified

Restriction of Protected Health Information
• Covered entity must agree to individual’s request to restrict disclosure to health plan, if:
  – For payment or health care operations,
  – Disclosure is not required by law, and
  – Individual (or person on individual’s behalf) pays for item or service in full out of pocket
• Discussion – what do you think?

Notice of Privacy Practices
• The Notice of Privacy Practices must be updated and made available by September 23, 2013.
• Should include all previous information PLUS:
  – Prohibition on sale of PHI
  – Duty to notify affected individuals of a breach of unsecured PHI
  – Right to opt out of fundraising (if applicable)

Monetary Penalties
• The monetary penalties remain the same from the Interim Rule
• Four tiered categories defined
• Clearer definitions on each of the categories
• Explanation of how the violations will be counted
• Factors used to determine a penalty

HITECH Fines for Breaches
Tiers and Definitions:
• Tier A – “Did not know”: CE or BA did not know or would not have known a violation occurred
• Tier B – “Reasonable Cause”: An act or omission in which a CE or BA knew or would have known that the act violated an administrative simplification provision, but didn’t act with willful neglect.
• Tier C – “Willful Neglect – Timely Corrected”: Conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA – corrected within 30 days of the date of discovery by CE or BA
• Tier D – “Willful Neglect – Not timely Corrected”: Conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA – not corrected within 30 days of the date of discovery by CE or BA

HITECH Fines for Breaches
Tiers: Per Violation Minimum / Per Violation Maximum / Max per Calendar Year per Violation
• Tier A – “Did not know”: $100 / $50,000 / $1,500,000
• Tier B – “Reasonable Cause”: $1,000 / $50,000 / $1,500,000
• Tier C – “Willful Neglect – Timely Corrected”: $10,000 / $50,000 / $1,500,000
• Tier D – “Willful Neglect – Not timely Corrected”: $50,000 / $1,500,000 / $1,500,000

Factors used for Determining Fine
OCR will consider 5 factors in determining the amount of the penalty:
• The nature and extent of the violation (including number of people involved and the time of the breach)
• The nature and extent of the harm resulting from the violation (physical, financial, and reputational harm)
• The history of prior compliance with the administrative simplification provision, including violations by the Covered Entity or Business Associate
• The financial condition of the Covered Entity or Business Associate
• Such other matters as justice may require

Category: Total Number
• Complaints Filed: 77,200
• Cases Investigated: 27,500
• Cases with Corrective Action: 18,600
• Civil Monetary Penalties & Resolution Agreements (since 2008): $14.9 Million
Resource: http://conference.himss.org/himss13/pdfs/7.pdf

Starting to Think about September 23, 2013
Steps to take:
• Review and revise your NPP, plan to distribute new copy by 9/23/13 (update everywhere – printed, electronic, etc.)
• Review and update policies and procedures
• Update BAA, create BA model to review all current vendors to determine if they are a BA
• Update HIPAA Authorization forms as needed

Starting to Think about September 23, 2013
• Create/Update a process for releasing immunizations to schools
• Create/Update a policy/form for request to restrict information to insurance companies
• Update Breach Notification Policy and Procedure
• Plan for regular meetings to ensure this is on task and ownership is assigned.

Some Sample Checklists
• http://www.nixonpeabody.com/webfiles/Nixon%20Peabody%20%20HIPAA%20Compliance%20Checklist.pdf
• http://www.martindale.com/health-carelaw/article_Holland-Hart-LLP_1694528.htm
• http://www.lexology.com/library/detail.aspx?g=53f3d1e0-e633-4921-ac0a-6619b39a3578
• http://www.ebglaw.com/showclientalert.aspx?

References
• http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php
• http://www.cooley.com/HIPAA-omnibus-rule
• http://www.americanbar.org/content/newsletter/publications/aba_health_esource_home/aba_health_law_esource_1301_hipaa_countryman.html
• AHIMA Live Conference with Adam Greene
• www.himss.org
• www.ahima.org
• http://media.straffordpub.com/products/omnibus-hipaa-ruleimpact-on-covered-entities-2013-03-12/presentation.pdf

HIPAA/HITECH Act Privacy, Security, Enforcement, and Breach Notification Modifications Final Rule - 2013
• January 17, 2013 – Final Rule Announced
• Friday, January 25, 2013 – Final Rule Published
• The Final Rule Contains Modifications to
  – The Breach Notification Rule.
  – The HIPAA Enforcement Rule, implementing changes mandated by the HITECH Act.
  – The Privacy and Security Rules, implementing changes mandated by the HITECH Act, as well as other changes to the Privacy Rule proposed in July 2010.
  – The Privacy Rule, implementing changes required by the Genetic Information Nondiscrimination Act.

Questions?
Danika E. Brinda, MA, RHIA, CHPS
612.325.9742
dbrinda@css.edu
www.stratishealth.org