Operating as a Hybrid Entity at Cornell
John Ruffing – [email protected]
Director, Center for Advanced Computing (CAC)
Cornell University
Associate Director, Information Technology and Services
Weill Cornell Medical College
www.cac.cornell.edu
Overview
• Informing Perspectives
• Organizational “Objects”
• Cornell Logistics
Perspectives
• Institutional
• Individual
Perspectives: Institutional
• Medical campus
• Significant separation
  – Distance, governance, ERP
• Burdens
  – Extensive
  – Expensive (potentially)
Burdens: Extensive
• Executing
  – Administrative
  – Technical
  – Physical
• Maintaining
  – Documentation
  – Training/Awareness
  – Periodic Review
Perspective: Individual
• Medical campus
• Previously led
  – EHR implementation (Epic)
  – SAP technical teams
• Coordinate IT aspects of audit
Overview
• Informing Perspectives
• Organizational “Objects”
• Cornell Logistics
Organizational Objects
• Covered Entity
• Organized Healthcare Arrangement
• Business Associate
Covered Entities
• Health Plans
• Healthcare Clearinghouses
• Healthcare Providers who
  – Electronically transmit
    • Any health information in connection with
      – Transactions for which HHS has adopted standards
Typical HPC Providers
• Not covered entities themselves
• Not part of covered entity
• Handling identifiable data
  – Within the same institution
  – Ultimately from a covered entity
Covered Entity Trap
• Entire legal entity
  – Often more than really applies
• Unnecessary burden
  – Extent
  – Expense
Hybrid Entity Escape?
• Covered components
  – Same criteria as entity
  – Distinct and relevant
    • Function
    • Governance
• Formal designation
Cornell as Hybrid Entity
• Four components
  – Medical campus
  – Student health center
  – Benefits
  – Counsel
• Where is HPC?
Typical HPC Providers
• Not covered components themselves
• Not part of covered component
• Resistance to including
  – Burden
  – Definition
Business Associate
• Relationship to covered entity
  – For or on behalf
  – Other than in the workforce
• Separate legal entity
Overview
• Informing Perspectives
• Organizational “Objects”
• Cornell Logistics
Where is HPC?
• Privacy Rule
  – Extend the workforce
• Security Rule
  – Extend the protections
• Only as needed
Including HPC at Cornell
• Reminder: medical campus perspective
• Extending walled garden
  – Potential savings
• Not yet trying to share full resources
• Three aspects
Including HPC: Physical
• Co-lo
  – Already has personnel controlling and logging
  – Rationale for remote location
• Separate racks
  – Separate keys and associated controls
Extending to HPC: Technical
• IP Network
  – Extension of med network into data center
    • With all security trimmings
  – Air gap (garden wall) to other networks
• Storage
  – Separate physical disks
    • Shared array, on private management network
  – Shared storage switch
    • Separate when volume makes feasible
Extending to HPC: Administrative Sharing
• Workforce
  – The lesson of athletics
  – Sysadmins leverage med training and awareness, follow documentation and procedures
  – Joint position supervision (direct control)
• Compliance
  – Elements accountable within garden
    • E.g. shared array, on private management network
  – Other frameworks and HITRUST