HIPAA 101 Basic Session
Slide 1: HIPAA 101 Basic Session
HCCA Compliance Institute
April 2005

Slide 2: GROUND RULES
• THIS IS A BASIC SESSION
• If you expected something beyond the basics this is not the session to attend
• You are welcome to stay
• However, if you stay you cannot write on your evaluation that this was too basic
• Please turn your cell phones and pagers to vibrate or off.

Slide 3: Agenda
1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
2. Transaction Code Sets
3. National Provider Identifier (NPI)
4. Privacy Regulations
5. Security Regulations

Slide 4: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Health insurance access, portability, and renewal
• Attempts to prevent healthcare fraud and abuse
• Allows health insurance tax deduction for self-employment
• Promotes administrative simplification

Slide 5: Transactions Code Sets
Compliance Date:
• Original: October 16, 2002 (except small health plans – 2003)
• Extension: October 16, 2003

Slide 6: Transaction Code Sets
(1) Original:
• Proposed: May 7, 1998
• Published: August 17, 2000, Volume 65, Number 160, pp 50312-50372
• Effective Date: October 16, 2000
(2) Modifications:
• Proposed: May 31, 2002
• Published: February 20, 2003, Volume 68, Number 34, pp 8381-8399
• Effective Date: March 24, 2003
Document can be located at:
1. http://www.cms.hhs.gov/hipaa/hipaa2/regulations/transactions/finalrule/txfinal.pdf
2. http://www.cms.hhs.gov/regulations/hipaa/cms0003-5/0003ofr2-10.pdf

Slide 7: Administrative Simplification
• Defines standards for electronic transaction submission
• Establishes standard code sets
• Establishes unique identifiers

Slide 8: Administrative Simplification
Standard Electronic Transactions
• 837I (institutional)
• 837P (professional)
• 835 (payment and remittance advice)
• 270/271 (eligibility inquiry and response)
• 276/277 (claim status inquiry and response)
• 278 (referral certification and authorization)
• 834 (Health Plan enrollment / disenrollment)
• 820 (Health Plan premium payment)
• 275 (Proposed)

Slide 9: Administrative Simplification
Standard Code Sets
• ICD-9-CM (diagnosis and procedures)
• NDC (national drug codes)
• CPT-4 (physician procedures)
• HCPCS (ancillary services/procedures)
• CDT (dental terminology)
• No more local codes

Slide 10: Administrative Simplification
Standard Identifiers
• Employer Identification Number (EIN)
• National Provider Identifier (NPI)
• Health Plan (Payer) Identifier (forthcoming)
• Claims Attachment Standards (forthcoming)

Slide 11: 837 (Institutional & Professional)
Requires:
• Billing provider employer identification number (EIN) or Social Security number (SSN).
• Pay-to provider EIN or SSN.
• Rendering provider EIN or SSN.
• Many physicians are refusing to give out this information where they are not the billing or pay-to providers; i.e., they are performing a service for a hospital.
• Hospitals have been substituting their own EIN where they can't get the physician's.
• Medicare is allowing a "dummy" EIN for the second reference when the physician EIN/SSN is unknown -- can substitute 999999999 for the valid value

Slide 12: Enforcement Approach
• Centers for Medicare & Medicaid Services (CMS) is responsible for enforcing the electronic transactions and code sets provisions of the law.
• CMS will focus on obtaining voluntary compliance and use a complaint-driven approach for enforcement of HIPAA’s electronic transactions and code sets provisions.
• When CMS receives a complaint about a covered entity, it will notify the entity in writing that a complaint has been filed.

Slide 13: Enforcement Approach
Following notification from CMS, the entity will have the opportunity to:
• demonstrate compliance
• document its good faith efforts to comply with the standards, and/or
• submit a corrective action plan.

Slide 14: Demonstrating Compliance
Covered entities will be given an opportunity to demonstrate to CMS that they submitted compliant transactions.

Slide 15: Good Faith Policy
• CMS recognizes that transactions often require the participation of two covered entities and that noncompliance by one covered entity may put the second covered entity in a difficult position.
• CMS intends to look at both covered entities’ good faith efforts to come into compliance with the standards in determining, on a case-by-case basis, whether reasonable cause for the noncompliance exists and, if so, the extent to which the time for curing the noncompliance should be extended.

Slide 16: Good Faith Policy
• CMS will not impose penalties on covered entities that deploy contingencies (in order to ensure the smooth flow of payments) if they have made reasonable and diligent efforts to become compliant and, in the case of health plans, to facilitate the compliance of their trading partners.
• Specifically, as long as a health plan can demonstrate to CMS its active outreach/testing efforts, it can continue processing payments to providers.
• In determining whether a good faith effort has been made, CMS will place a strong emphasis on sustained actions and demonstrable progress.

Slide 17: Examples of Good Faith
• Increased external testing with trading partners.
• Lack of availability of, or refusal by, the trading partner(s) prior to October 16, 2003 to test the transaction(s) with the covered entity whose compliance is at issue.
• In the case of a health plan, concerted efforts in advance of October 16, 2003 and continued efforts afterwards to conduct outreach and make testing opportunities available to its provider community.

Slide 18: CMS Complaint Form
Complaint Type:
• Non-Compliant Data Received
• Compliant Data Sent and Rejected
• Invalid Companion Guide
• Privacy Violation
• Other, HIPAA Administrative Simplification Act Violation
• Other

Slide 19: National Provider Identification (NPI)
• Health plans assign identification numbers to health care providers -- individuals, groups, or organizations that provide medical or other health services or supplies.
• The result is that providers who do business with multiple health plans have multiple identification numbers.
• The NPI is a unique identification number for health care providers that will be used by all health plans.
• Final rule - January 23, 2004
• Effective date – May 23, 2005
• Compliance date – May 23, 2007
• Small health plans – May 23, 2008

Slide 20: National Provider Identifier (NPI)
The NPI is a 10-position numeric identifier with a check digit in the last position to help detect keying errors.

Slide 21: Uses of the NPI
The NPI must be used in connection with the electronic transactions identified in HIPAA.
The NPI may be used in several other ways:
(1) by health care providers to identify themselves in health care transactions identified in HIPAA or on related correspondence;
(2) by health care providers to identify other health care providers in health care transactions or on related correspondence;
(3) by health care providers on prescriptions (however, the NPI could not replace requirements for the Drug Enforcement Administration number or State license number);
(4) by health plans in their internal provider files to process transactions and communicate with health care providers;

Slide 22: Uses of the NPI
(5) by health plans to coordinate benefits with other health plans;
(6) by health care clearinghouses in their internal files to create and process standard transactions and to communicate with health care providers and health plans;
(7) by electronic patient record systems to identify treating health care providers in patient medical records;
(8) by the Department of Health and Human Services to cross reference health care providers in fraud and abuse files and other program integrity files;
(9) for any other lawful activity requiring individual identification of health care providers, including activities related to the Debt Collection Improvement Act of 1996 and the Balanced Budget Act of 1997.

Slide 23: Questions & Answers

Slide 24: What health care transactions are required to use the standards under this regulation?
1. Health claims and equivalent encounter information.
2. Enrollment and disenrollment in a health plan.
3. Eligibility for a health plan.
4. Health care payment and remittance advice.
5. Health plan premium payments.
6. Health claim status.
7. Referral certification and authorization.
8. Coordination of benefits.

Slide 25: Who is required to use the standards?
All private sector health plans (including managed care organizations and ERISA plans), and government health plans (including Medicare, State Medicaid programs, the Military Health System for active duty and civilian personnel, the Veterans Health Administration, and Indian Health Service programs), all health care clearinghouses, and all health care providers that choose to submit or receive these transactions electronically are required to use these standards.

Slide 26: Do I have to use standard transactions when conducting business inside my corporate boundaries?
The decision on when a standard must be used does not depend on whether the transaction is being sent inside or outside corporate boundaries. Instead, a simple two part test, in question form, can be used to determine whether the standards are required.

Slide 27: Two Part Test
Question 1: Is the transaction initiated by a covered entity or its business associate?
• If no, the standard need not be used.
Question 2: Is the transaction one for which the Secretary had adopted a standard?
• If yes, the standard must be used.
• If no, the standard need not be used.

Slide 28: What is the effect on State law?
Section 1178 of the Social Security Act provides that standards for the transactions will supersede any State law that is contrary to them, but allows for an exception process.

Slide 29: Does the law require physicians to buy computers?
No, there is no such requirement. However, more physicians may want to use computers for submitting and receiving transactions such as health care claims and remittances/payments electronically. Remember that submission of paper claims to Medicare may result in slower payment.

Slide 30: How will the standards affect data stored in my system?
The transaction standards will apply only to electronic data interchange (EDI) -- when data are transmitted electronically between health care providers and health plans as part of a standard transaction.
Data may be stored in any format as long as it can be translated into the standard transaction when required. Security standards, on the other hand, will apply to electronic protected health information.

Slide 31: Privacy Standards
[Cartoon caption] I said to shred the document not the person reading it!

Slide 32: What’s protected?
All medical records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally.

Slide 33: HIPAA Identifiers
(A) Names;
(B) Street address, city, county, precinct, zip code, and equivalent geo-codes
(C) All elements of dates (except year) for dates directly related to an individual and all ages over 89
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan ID numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers/serial numbers;
(N) Web addresses (URLs);
(O) Internet IP addresses;
(P) Biometric identifiers, incl. finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code.

Slide 34: Covered Entities
• Health Plans
• Health Care Clearinghouses
• Health Care Providers

Slide 35: PHI
[Diagram labels]
• Uses & Disclosures w/an opportunity to object
• Uses & Disclosures for TPO
• Authorization
• Uses & Disclosures in the public interest

Slide 36: How can a covered entity use and disclose PHI?
• Treatment, Payment & Healthcare Operations (TPO)
• Without an authorization if statutorily excepted
• After the patient has been given an opportunity to object
• Only with the patient’s explicit permission

Slide 37: U & Ds without the patient’s explicit permission.
• Treatment, Payment & Health Care Operations. 164.506
• As required by law. 164.512
• Marketing & fundraising (pursuant to strict limitations)

Slide 38: U & Ds for TPO
Examples:
• A healthcare provider can discuss the patient’s case with her colleagues to determine the best course of treatment
• A health plan can share information with the nursing home regarding payment for services
• A compliance office can obtain charts for compliance audits

Slide 39: U & Ds that do not require an authorization
Mandatory disclosures: HIPAA only mandates disclosures in two instances. 164.502(a)
• To the patient with some exceptions
• To the Secretary of DHHS to investigate an alleged privacy violation

Slide 40: U & Ds for Other Purposes
Permissive disclosures 164.512
• Public Health Activities
• Health Oversight Activities
• Law Enforcement
• Organ & Tissue Donation
• Avert Serious Threat
• Workers’ Compensation
• Report Abuse & Neglect
• Legal Proceedings
• Information about Decedents
• Research
• Specialized Gov. Functions

Slide 41: Public Health Activities
• Prevent or control disease, injury or disability
• Vital statistics, birth & deaths
• Public health surveillance
• Public health investigations
• Report child abuse or neglect
• FDA reporting
• Alert individual of possible exposure to communicable disease
• Employers under limited circumstances

Slide 42: Report Abuse or Neglect
• Report to authorities authorized by law to receive information about victims of abuse, neglect or domestic violence
• Based on reasonable belief
• CE must inform the individual of the disclosure unless
  • There is a reasonable belief this would place the individual at risk for serious harm or
  • It would mean informing a personal representative who is believed to be responsible for the abuse or neglect

Slide 43: Health Oversight Activities
Disclosures may be made to entities authorized by law to oversee:
• The health care system
• Government benefit programs for which health information is relevant to beneficiary eligibility
• Entities subject to government regulatory programs
• Entities subject to civil rights laws

Slide 44: Health Oversight Activities (cont.)
This does not include investigations where the individual is the subject of the investigation if it is not directly related to:
• The receipt of health care
• A claim for public benefits related to health or
• Qualification or receipt of public benefit or service if health is integral to the claim

Slide 45: Legal Proceedings
• Court orders
  • Limited to the PHI expressly authorized
• Subpoenas, discovery requests or other lawful process if satisfactory assurance is received that either:
  • Subject of information has been notified & given a chance to object
  • A qualified protective order has been requested
• The CE notifies the individual or seeks a protective order

Slide 46: Law Enforcement
• If pursuant to process or otherwise required by law
• Identification and location
• Victims of a crime
• Decedents – if suspicion that death was result of criminal conduct
• Crime on the premises
• Report crime in an emergency

Slide 47: Information about Decedents
• Coroners & Medical examiners
  • Determine cause of death
  • Identification
  • Other duties authorized by law
• Funeral Directors
  • Information necessary to carry out their duties

Slide 48: Organ and Tissue Donation
May disclose information necessary to facilitate organ, eye, or tissue donation

Slide 49: Research
• Waiver or alteration of authorization approved by privacy board or IRB
• Reviews preparatory to research
• Research on decedents' information
• De-identified data
• Limited data set used

Slide 50: De-identified data?
(A) Names;
(B) Street address, city, county, precinct, zip code, and equivalent geo-codes
(C) All elements of dates (except year) for dates directly related to an individual and all ages over 89
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan ID numbers;
(J) Account numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers/serial numbers;
(N) Web addresses (URLs);
(O) Internet IP addresses;
(P) Biometric identifiers, incl. finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code.

Slide 51: Avert a Serious Threat
• May disclose PHI consistent with applicable law & standards of ethical conduct if
  • Good faith belief that the disclosure is necessary to avert a serious & imminent threat to
    • The public
    • An individual
• May not make the disclosure if the information is learned under certain conditions

Slide 52: Specialized Governmental Functions
• Military & veteran activities
• National security
• Protection of the President & others
• Medical suitability determinations
• Correctional institutions
• CE that are governmental entities providing public benefits

Slide 53: Workers’ Compensation
May disclose to the extent necessary to comply with workers’ compensation laws or other similar programs

Slide 54: U & Ds that require an opportunity to object. 164.510
• Facility Directories
• Family, Friends and others
  • Involved in the patient’s care
  • Involved in payment for the patient’s care
• Notification

Slide 55: U & Ds Requiring an Authorization
All uses and disclosures of PHI that are not explicitly required or allowed under the regulations may only be done with an authorization.
• Marketing
• Fundraising

Slide 56: Patient’s Rights Under HIPAA
• Access and copy information 164.524
• Request restriction of use for TPO or under 164.510(b)
• Request confidential communication
• An account of disclosures
• Receive a copy of the notice of privacy practices
• Request amendments

Slide 57: Request Restrictions
45 CFR 164.522(a)
• Only applies to PHI used or disclosed for TPO or pursuant to 164.510(b)
• A covered entity is not required to agree
• If the CE agrees, it is bound by the restriction

Slide 58: Request Confidential Communications
45 CFR 164.522(b)
• Providers
  • Must accommodate reasonable requests
• Health Plan
  • Must accommodate if the individual clearly states that the disclosure of all or part of the information could endanger the individual

Slide 59: Access and Copy Information
45 CFR 164.524
Individuals have a right to access the PHI about them in a DRS except
• Psychotherapy notes
• Prepared in reasonable anticipation of litigation
• Information to comply with CLIA if CLIA prohibits access

Slide 60: Access and Copy Information
Denial of access is non-reviewable if
• PHI is excepted from right to access
• Individual is an inmate and access would jeopardize the facility
• Research information – if explained in research authorization
• Information is subject to the Privacy Act
• Information obtained with promise of confidentiality from someone other than a health care provider

Slide 61: Access and Copy Information
Reviewable grounds for denial
• Licensed health care professional believes access would endanger the individual or another person
• Information was received from another person and access could cause substantial harm to that individual
• Request is made by a personal representative and access could cause substantial harm to the individual

Slide 62: Access and Copy Information
• Must have process for review
• Requests for access must be acted upon within 30 or 60 days
• Can get one 30-day extension
• Can charge for copies

Slide 63: Request an Amendment
• Individual may have information in the DRS amended
• CE may deny the request if
  • Determines the information is correct
  • CE did not create the information
  • Information is not part of the DRS
  • Individual would not have the right to access under 164.524
• CE must respond to request in 60 days

Slide 64: Accounting of Disclosures
45 CFR 164.528
CE must account for all disclosures of PHI unless the disclosure was made
• For TPO
• With an authorization
• In a LDS
• As an incidental disclosure
• To the subject of the information
• For national security purposes
• Pursuant to 164.510
• Prior to 4/14/03
• To correctional institution

Slide 65: Receipt of Notice of Privacy Practices
45 CFR 164.520
Individual has a right to receive the notice of privacy practices at their first encounter after 4/14/03 or upon request

Slide 66: Other HIPAA Issues
• Minimal Necessary
• Organizational Arrangements
  • Organized Health Care Arrangements
  • Affiliated Covered Entities
  • Hybrid Covered Entities
• Business Associates
• Group Health Plans
• Miscellaneous issues
  • Psychotherapy notes
  • Verification processes
  • Preemption of state law

Slide 67: Minimal Necessity
• Role based access
  • Assure that individuals only have access to the information needed to do their job
• Disclosures
  • Disclose only the minimal necessary for the purpose of the disclosure
• Does not apply to disclosures made
  • With an authorization
  • To a provider for treatment
  • To the subject of the information
  • To the Secretary of DHHS
  • As required by law
  • As required to comply with the regulations

Slide 68: Organizational Arrangements
• Organized Health Care Arrangements (OHCA)
  • Clinically integrated
  • More than one CE participates
• Affiliated Covered Entities (ACE)
  • Legally separate CEs that are affiliated by common ownership or control
• Hybrid Covered Entity (HCE)
  • Single covered entity with non-health care components

Slide 69: Business Associates
• Business associates are entities that perform services for or on behalf of a CE involving PHI.
• Must have a business associate agreement
• A CE can be the business associate of another CE

Slide 70: Group Health Plans
• Group health plans are covered entities under HIPAA
• The employer is not the covered entity
• A GHP’s notice of privacy practices requires a statement regarding the use and disclosure for plan administrative functions

Slide 71: Miscellaneous Issues
• Psychotherapy notes
  • Part of the DRS
  • Require an authorization for uses and disclosures even for TPO
• Verification process
  • Must verify that individuals to whom you are disclosing information are really who they say they are

Slide 72: Administrative Requirements
• Designate a privacy official
• Train members of the workforce on privacy requirements
• Safeguard PHI
• Develop sanctions for violations of the privacy policies and procedures
• Establish a means for individuals to complain about privacy violations

Slide 73: Individual Protection
• North Carolina resident
• Positive review & raise
• 3 weeks later diagnosed with genetic disorder
• Self-insured employer
• Fired to avoid projected expenses
The Washington Post - December 2, 2000 p. A1

Slide 74: HIPAA Security and Privacy Incidents
• California – UC Davis BA & survey
• Washington – Criminal conviction of clinic employee
• California – UC San Diego
• Kentucky – Nursing home records found in street
• Washington DC – Washington Hospital Center patient records and payroll information found behind National Arboretum (Washington Post 6/25/04)

Slide 75:
• Kaiser Permanente – prospective member saw information from another prospective member’s application
• Pennsylvania – women suing Pinnacle Health over use of med record in commercial for breast cancer awareness

Slide 76: Security of Information
• Drug company inadvertently revealed 600 patient e-mail addresses used to remind patients to take their Prozac.
• At the end of the reminder service the list was sent to all participants.
The Washington Post - July 4, 2001 p. E1

Slide 77: Marketing
Medical marketing service advertised a database available to pharmaceutical marketers.
• 4.3 million people with allergies
• 923,000 people with bladder control problems
See www.mmslists.com

Slide 78: Researchers
Office of protection from research risks suspends more than 1,000 studies
• Failure to gain patient consent of research subjects
• Failure to safeguard data
The Washington Post - January 12, 2000 p. B7

Slide 79: Health Privacy Project
Institute For Health Care Research and Policy
Georgetown University
www.healthprivacy.org

Slide 80: Questions & Answers

Slide 81: Security Standards
Compliance Date: April 20, 2005 (Page 8376)
(except small health plans – 2006)

Slide 82: Security Standards
• Proposed: August 12, 1998
• Published: February 20, 2003, Volume 68, No. 34, pp 8334 - 8381
• Effective Date: April 21, 2003
Document can be located at: www.cms.hhs.gov/hipaa/hipaa2

Slide 83: Scope
• All electronic PHI (ePHI)
• In motion AND at rest (created, received, maintained or transmitted)
• To ensure confidentiality, integrity, and availability
• To protect against reasonably anticipated threats or hazards, and improper use or disclosure
(Page 8376)

Slide 84: Definitions
• Confidentiality: Only the right people see it
• Integrity: Only the right people change it
• Availability: Accessible and usable upon demand
• Reasonably: Your guess is as good as mine!

Slide 85: Who must comply?
A Covered Entity (Same definition as T&Cs & Privacy)
• A health plan
• A health care clearinghouse
• A health care provider*
*who transmits ePHI in a format covered by the EDI component of HIPAA
(Page 8374)

Slide 86: Security vs. Privacy
• Closely linked
• Security enables Privacy
• Security scope – addresses electronic PHI
• Privacy scope – addresses electronic, paper and oral PHI

Slide 87: Security Threats
• Active, evolving, never static
• Goal: Controlling threats, by reasonable measures
• people oriented
• hackers, viruses, insiders, disgruntled persons
• must be actively managed by IT professionals

Slide 88: Standards
• Standards are general requirements
• Permits standards to be interpreted and implemented appropriately from the smallest provider to the largest plan
• Administrative, physical and technical standards (APT)
• Technology Neutral
• Two overarching standards (APT)
  • Policies and procedures, documentation

Slide 89: Policies and Procedures
• 1.0.0 Corporate Information Security Policy
• 2.0.0 Record Processing
• 3.0.0 User Security
• 4.0.0 Incident Handling
• 5.0.0 Physical Safeguards For Information Assets
• 6.0.0 Contingency Planning
• 7.0.0 Information Security Administration
• 8.0.0 Technical Security Management
• 9.0.0 Bio-Med Info Asset Control
(See handout)

Slide 90: Implementation Specifications
Are more specific measures that pertain to a standard (Page 8380)
• Required (R) – Covered entity MUST implement the specification in order to successfully implement the standard
• Addressable (A) – Covered entity must:
  • Consider the specification, and implement if appropriate
  • If not appropriate, document reason why not, and what WAS done in its place to implement the standard

Slide 91: Safeguards
• Administrative
• Physical
• Technical

Slide 92: Administrative Safeguards
45 CFR 164.308
• Security Management Process - 164.308(a)(1)
  • Risk Analysis (R)
  • Risk Management (R)
  • Sanction Policy (R)
  • Information System Activity Review (R)
• Assigned Security Responsibility - 164.308(a)(2) (R)
• Workforce Security – 164.308(a)(3)
  • Authorization and/or Supervision (A)
  • Workforce Clearance Procedure (A)
  • Termination Procedures (A)
(Page 8377-8378)

Slide 93: Administrative Safeguards, cont.
• Information Access Management - 164.308(a)(4)
  • Isolating Health Care Clearinghouse Function (R)
  • Access Authorization (A)
  • Access Establishment and Modification (A)
• Security Awareness and Training - 164.308(a)(5)
  • Security Reminders (A)
  • Protection from Malicious Software (A)
  • Log-In Monitoring (A)
  • Password Management (A)

Slide 94: Security Standards Training
• Awareness training for all employees & staff
• Vulnerabilities of the health information in the entity's possession
• Policies/procedures that must be followed to ensure the protection of that information
• Periodic security reminders
• Education concerning computer viruses
• Education in login procedures and password management

Slide 95: Administrative Safeguards, cont.
• Security Incident Procedures – 164.308(a)(6)
  • Response and Reporting (R)
• Contingency Plan - 164.308(a)(7)
  • Data Backup Plan (R)
  • Disaster Recovery Plan (R)
  • Emergency Mode Operation Plan (R)
  • Testing and Revision Procedure (A)
  • Application and Data Criticality Analysis (A)
• Evaluation - 164.308(a)(8) (R)
• Business Associate Contracts and Other Arrangements - 164.308(b)(1)
  • Written Contract or Other Arrangement (R)

Slide 96: Physical Safeguards
45 CFR 164.310
• Facility Access Controls - 164.310(a)(1)
  • Contingency Operations (A)
  • Facility Security Plan (A)
  • Access Control and Validation Procedures (A)
  • Maintenance Records (A)
(Page 8378)

Slide 97: Physical Safeguards, cont.
• Workstation Use - 164.310(b) (R)
• Workstation Security – 164.310(c) (R)

Slide 98: Physical Safeguards, cont.
• Device and Media Controls - 164.310(d)(1)
  • Disposal (R)
  • Media Re-Use (R)
  • Accountability (A)
  • Data Backup and Storage (A)

Slide 99: Technical Safeguards
45 CFR 164.312
• Access Controls - 164.312(a)(1)
  • Unique User Identification (R)
  • Emergency Access Procedure (R)
  • Automatic Logoff (A)
  • Encryption and Decryption (A)
• Audit Controls - 164.312(b) (R)
• Integrity - 164.312(c)(1)
  • Mechanism to Authenticate Electronic Protected Health Information (A)

Slide 100: Technical Safeguards, cont.
• Person or Entity Authentication 164.312(d) (R)
• Transmission Security - 164.312(e)(1)
  • Integrity Controls (A)
  • Encryption (A)

Slide 101: Bottom Line…
• Consideration MUST be given to implementing all standards
• Using a combination of required and addressable implementation specifications and other security measures
• Need to document choices
• This arrangement allows the covered entity to make its own judgments regarding risks and the most effective mechanisms to reduce risks

Slide 102: Other Laws (State/Federal)
• State privacy laws have security implications:
  • CA SB1386 – requires notification of individuals if information contained in an electronic format MAY have been breached UNLESS the data is encrypted.
• Sarbanes/Oxley (SOX)

Slide 103: Real Life Issues
• Ongoing training and monitoring
• Business Associates
• Physicians and Physician Staff
• Keeping up with both privacy and security rules and laws
• Keeping in compliance without shutting down operations

Slide 104: Recent Breaches
[Collage of news headlines]
• Posted on Thu, Oct. 21, 2004. UC hacking may have gotten data on 600,000. SECURITY BREACH NOT REPORTED FOR WEEKS
• Hacker breaches T-Mobile systems, reads US Secret Service email. By Kelly Martin, SecurityFocus. Published Wednesday 12th January 2005 09:47 GMT
• Mercury News
• Company Warns Customers About Possible Identity Theft. Identity Thieves Reportedly Steal Computers Filled With Customer Information. POSTED: 8:16 am CDT April 8, 2004
• Credit agency reports security breach. News Story by Carly Suppa. MARCH 17, 2004
• Oops! Firm accidentally eBays customer database. By John Leyden. Published Monday 7th June 2004 20:51 GMT
• 8 Million Credit Accounts Exposed. FBI to Investigate Hacking of Database. By Jonathan Krim, Washington Post Staff Writer. Wednesday, February 19, 2003; Page E01

Slide 105: Questions & Answers

Slide 106: Contact Information
Marti Arvin, JD, CHC
Privacy Officer
University of Louisville
Phone (502) 852-3803
e-mail [email protected]

Connie Emery, CPA, CIA, CISA, CISSP, CIPP
Information Privacy/Security Officer
Tenet HealthSystem
Phone (469) 893-6709
e-mail [email protected]

John C. Falcetano, MA, CHC, CIA
Chief Audit & Compliance Officer
University Health Systems of Eastern Carolina
Phone (252) 847-0125
e-mail [email protected]
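
Added example (not part of the original presentation): the National Provider Identifier slide says the 10-position NPI ends in a check digit that helps detect keying errors. The deck does not name the algorithm; the NPI standard uses the Luhn formula over the number prefixed with 80840, and the sample NPIs here are constructed test values. The code also shows the one class of keying error the check digit cannot catch.

```python
"""NPI check-digit validation. Added example; sample NPIs are constructed."""
from typing import List

NPI_PREFIX = "80840"  # constant the NPI standard prepends before applying Luhn


def _luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string whose last character is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def npi_check_digit(first_nine: str) -> int:
    """Compute the tenth digit for a nine-digit NPI body."""
    if len(first_nine) != 9 or not (first_nine.isascii() and first_nine.isdigit()):
        raise ValueError("expected exactly nine ASCII digits")
    return (10 - _luhn_sum(NPI_PREFIX + first_nine + "0") % 10) % 10


def is_valid_npi(value: str) -> bool:
    """True when value is ten ASCII digits and the check digit matches."""
    if len(value) != 10 or not (value.isascii() and value.isdigit()):
        return False
    return _luhn_sum(NPI_PREFIX + value) % 10 == 0


def missed_substitutions(npi: str) -> List[str]:
    """Single-digit keying errors that would still pass validation."""
    missed = []
    for pos, original in enumerate(npi):
        for repl in "0123456789":
            if repl != original:
                candidate = npi[:pos] + repl + npi[pos + 1:]
                if is_valid_npi(candidate):
                    missed.append(candidate)
    return missed


def missed_transpositions(npi: str) -> List[str]:
    """Adjacent-digit swaps that would still pass validation."""
    missed = []
    for pos in range(len(npi) - 1):
        a, b = npi[pos], npi[pos + 1]
        if a != b:
            candidate = npi[:pos] + b + a + npi[pos + 2:]
            if is_valid_npi(candidate):
                missed.append(candidate)
    return missed


if __name__ == "__main__":
    for sample in ("1234567893", "1090000005"):  # constructed test values
        print(sample, is_valid_npi(sample),
              len(missed_substitutions(sample)), missed_transpositions(sample))
```

Every single-digit error is caught, but swapping an adjacent 0 and 9 is not, so the check digit is a keying-error filter and not proof that an NPI belongs to the provider named on a transaction.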
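
Added example (not from the original presentation): one way to apply the identifier list from the "De-identified data?" slide to a structured record before it is released. The field names and the sample record are hypothetical and constructed; the free-text patterns are a screening aid that flags a record for review, not a complete detector.

```python
"""De-identifying a structured record. Added example; schema and data are constructed."""
import re
from datetime import date

# Hypothetical field names, mapped to the identifier classes listed on the slide.
IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Patterns for identifiers that tend to leak into free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
}


def deidentify(record):
    """Return (clean_record, findings).

    findings is a sorted list of (field, kind) pairs for identifier-like text
    still present in string fields; release only when it is empty.
    """
    age = record.get("age")
    over_89 = isinstance(age, int) and age > 89
    clean = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue  # direct identifier: drop the whole field
        if field in DATE_FIELDS:
            # Keep the year only. A birth year that reveals an age over 89 is
            # dropped too; values that are not dates are dropped (fail closed).
            if isinstance(value, date) and not (over_89 and field == "birth_date"):
                clean[field + "_year"] = value.year
            continue
        if field == "age":
            clean["age"] = "90+" if over_89 else age  # one bucket for ages over 89
            continue
        clean[field] = value
    findings = sorted(
        (field, kind)
        for field, value in clean.items() if isinstance(value, str)
        for kind, pattern in RESIDUAL_PATTERNS.items() if pattern.search(value)
    )
    return clean, findings


# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = {
    "name": "Jane Sample",
    "ssn": "000-00-0000",
    "zip": "40202",
    "birth_date": date(1911, 5, 2),
    "admission_date": date(2005, 3, 14),
    "age": 93,
    "diagnosis_code": "250.00",
    "note": "Call 502-555-0100 or mail jane@example.org; seen 3/14/2005.",
}

if __name__ == "__main__":
    cleaned, hits = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("needs review:", hits)
```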