Ensuring that privacy, security and accountability are maintained in the exchange of protected health information is paramount to building trust among all participants involved in the use of electronic health records. This critical goal serves as the basis of two important programs that are making Texas a national leader in protecting health information as the state works to build confidence and increase participation in its network of health information exchanges (HIEs).
Through the HIE Accreditation Program, public and private HIE organizations operating in the state will be recognized for meeting and maintaining accepted and uniform standards in the handling of protected health information (PHI). The accreditation program is designed to increase trust in HIE efforts and improve interoperability within the state, which should increase the number of physicians and patients participating in HIEs.
To administer the accreditation program, the Texas Health Services Authority (THSA) selected the Electronic Healthcare Network Accreditation Commission (EHNAC), a nonprofit standards development organization. THSA and EHNAC are working collaboratively to develop a program based on existing criteria and processes from EHNAC’s Health Information Exchange Accreditation Program (HIEAP), while ensuring that it is aligned with Texas law and relevant guidance from the Office of the National Coordinator for Health Information Technology (ONC).
Once the program is fully developed, EHNAC and THSA will review technical performance, business processes, resource management and other relevant information to ensure that accredited HIEs within Texas are interoperable with state and federal programs, and provide the private, secure and proper exchange of health information in accordance with established laws and public policy as well as patient preferences.
“Hospitals and physicians that participate in an accredited HIE will know that the HIE has met best practices with respect to privacy and security as well as other key areas in order to offer providers and their patients a level of trust with the HIE,” said Tony Gilman, chief executive officer, THSA.
THSA is also launching a second initiative. This program is the first state program of its kind and focuses on compliance with federal and state medical privacy and security laws and regulations. The Texas Covered Entity Privacy and Security Certification Program is designed to improve the protection of health information for Texas residents by certifying that those who use and disclose protected health information are in compliance with laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Texas Medical Records Privacy Act.
Organizations participating in the program will be able to show that they have met state and federal privacy and security standards in order to manage risk and increase confidence in how they protect health information.
THSA selected the Health Information Trust Alliance (HITRUST) to implement the Texas Covered Entity Privacy and Security Certification Program. HITRUST utilizes its Common Security Framework (CSF) to validate the compliance of organizations with various regulatory requirements, industry standards and best practices. According to HITRUST, its CSF is the most widely adopted security framework in the U.S. health care industry. THSA and HITRUST have worked together to ensure the Texas program criteria include all relevant federal and state privacy and security laws and regulations.
Covered entities, as that term is defined under Texas law, can undergo an assessment using a CSF assessor organization to analyze their adherence to the relevant controls. If the assessment shows sufficient compliance with the criteria, HITRUST will recommend to THSA that the entity receive certification. Smaller entities will be able to request a certification by conducting a remote assessment that would then be submitted to HITRUST for review. The certification fee varies from $2,500 to $7,500, based on an organization’s size. Entities using a third-party assessor organization will negotiate separately with the assessor organization to determine the assessment fee.
Organizations that obtain a recommendation for certification from HITRUST and achieve certification from THSA will be able to leverage the certification in an action or proceeding imposing any civil or administrative penalties for violations of the Texas Medical Records Privacy Act. Covered entities, as that term is defined under HIPAA, may also use the certification as a method of demonstrating their past compliance with the HIPAA administrative simplification provisions, thus potentially mitigating damages in an action brought for a HIPAA violation.
“Increasing confidence and trust in organizations involved in exchanging and maintaining electronic health information will not only foster greater participation in HIEs, but also support sustainability of HIE efforts in Texas and across the United States,” stated Gilman.
He continued, “We’re pleased that these two programs place Texas at the forefront of state efforts to manage the privacy and security requirements of protected health information while advancing the development of HIEs in our state.”
Additional information on the Texas Covered Entity Privacy and Security Program is available at www.HIETexas.org.