EHNAC and HITRUST Partner to Strengthen Privacy and Security Requirements for TNAP

Collaboration ensures that stakeholders adhere to the latest privacy and security best practices

The Electronic Healthcare Network Accreditation Commission (EHNAC) (@EHNAC) and HITRUST (@HITRUST) announced a partnership to strengthen the framework of the Trusted Network Accreditation Program (TNAP). TNAP seeks to promote interoperability by assuring the security and privacy of trusted networks and the use of enabling technologies in the healthcare ecosystem. The program provides third-party review with accreditation for Trusted Exchange qualified health information networks and participants, addresses existing security and privacy compliance mandates and aligns with new TEFCA regulatory requirements.

Developed through an industry collaboration in alignment with the development of the Trusted Exchange Framework with Common Agreement (TEFCA), TNAP provides third-party accreditation for healthcare exchange entities such as qualified health information networks (QHINs), participants, health information exchanges, accountable care organizations, data registries, participant members, and other stakeholders. The program is administered by EHNAC and assesses an organization’s ability to demonstrate alignment with TEFCA requirements, including reviewing technical performance, business processes, and resource management, as well as leveraging the HITRUST CSF for privacy and security requirements.

“EHNAC and HITRUST are committed to ensuring that all organizations are able to adhere to the latest best practices and standards in privacy and security while meeting federal and state compliance mandates,” said Lee Barrett, Executive Director and CEO, EHNAC. “That’s why it’s critical for programs like TNAP to have the support of leading Standards Development Organizations. The value add to the program is immeasurable when ensuring stakeholder trust in today’s complex and cyber risk-based healthcare ecosystem.”

HITRUST and EHNAC are working together to ensure that the privacy and security requirements for TNAP (based on the HITRUST CSF) align with the current guidance for the Trusted Exchange Framework and the Common Agreement, and they will provide additional updates as future versions are released.

The HITRUST CSF addresses security, privacy, and regulatory challenges facing organizations in many industries, including healthcare. By integrating and harmonizing over 40 nationally and internationally accepted security- and privacy-related regulations, standards, and frameworks, the HITRUST CSF helps organizations address information risk management and compliance challenges through a comprehensive and flexible risk- and compliance-based framework of prescriptive and scalable controls.

Organizations that obtain the HITRUST Risk-based, 2-year (r2) Certification and EHNAC Accreditation can demonstrate that they are achieving the highest standards in their data protection and privacy programs.

“Incorporating HITRUST r2 Certification as a requirement of TNAP enables organizations that may rely on a TNAP accreditation to know that the accreditation’s standards for privacy and security are appropriate given the risk posed and compliance requirements. This is of utmost importance as we seek to enable further interoperability in general and the TEFCA system in particular,” said Steve Baram, Executive Vice President, Customer Engagement, HITRUST.

Organizations applying for TNAP accreditation can select one of two programs: TNAP-QHIN accreditation or TNAP-Participant/Participant Member accreditation. TNAP-QHIN accreditation is tailored towards healthcare information networks that desire to align with TEFCA. TNAP-Participant/Participant Member accreditation is for those organizations that plan to participate in a QHIN or with an entity that will be participating in a QHIN through another source. Many of these will be individual healthcare entities or social service providers and can use the TNAP Accreditation with a HITRUST r2 Validated Assessment with Certification requirement as part of a robust third-party risk management system.

Barrett added, “As an assessor for HITRUST, EHNAC is the only organization able to provide EHNAC accreditation and conduct HITRUST assessment services. Organizations that obtain HITRUST Certification may also leverage assessment reporting to obtain accreditation for any of EHNAC’s 20 stakeholder-specific accreditation programs, including TNAP.”

Healthcare industry stakeholders are encouraged to visit the TNAP website to download and review the TNAP criteria. Applicant candidates commencing the accreditation process will be required to adhere to TNAP v.1.0.

The Electronic Healthcare Network Accreditation Commission (EHNAC) is a voluntary, self-governing standards development organization (SDO) established to develop standard criteria and accredit organizations that electronically exchange healthcare data. These entities include accountable care organizations, data registries, electronic health networks, EPCS vendors, e-prescribing solution providers, financial services firms, health information exchanges, health information service providers, management service organizations, medical billers, outsourced service providers, payers, practice management system vendors, third-party administrators and trusted networks. The Commission is an authorized HITRUST CSF Assessor, making it the only organization with the ability to provide both EHNAC accreditation and HITRUST CSF certification.

EHNAC was founded in 1993 and is a tax-exempt 501(c)(6) nonprofit organization. Guided by peer evaluation, the EHNAC accreditation process promotes quality service, innovation, cooperation and open competition in healthcare.

Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from the public and private sectors, HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management frameworks as well as detailed assessment and assurance methodologies.