HITRUST and THSA Help Texas Ensure Health Information Is Secure

HITRUST and THSA Partner to Help Texas Take the Lead in Efforts to Ensure Health Information is Secure

Press Release

AUSTIN & FRISCO, TX – The Texas Health Services Authority (THSA) and the Health Information Trust Alliance (HITRUST) announced a partnership to improve the protection of health information for Texas residents. Working together, the two organizations will develop and implement the Texas Covered Entity Privacy and Security Certification Program, as created with the 2011 passage of Texas House Bill (HB) 300. With this program, Texas is the first state to develop a formal approach to certification that incorporates state and federal privacy and security regulations.

HITRUST was awarded the exclusive contract to provide certification recommendation and related services to the THSA in support of HB 300, which amended the Texas Medical Records Privacy Act and builds upon the Federal Health Information Technology for Economic and Clinical Health (HITECH) Act through additional protection requirements. Additionally, the legislation specifies state-level administrative penalties and legal liability for health information breaches due to non-compliance.

“As Chair of the House Public Health Committee and author of Texas HB 300, I know that lawmakers are very serious about the safeguarding of individuals’ health data,” said Rep. Lois Kolkhorst. “The certification process is designed to help with compliance of state and federal privacy and security laws, and to help organizations that handle health information to mitigate and control risks.”

“Our medical records are our most sensitive information, so it is vitally important that they are protected,” said Senator Jane Nelson, the Senate sponsor of HB 300. “By obtaining this certification, healthcare organizations can demonstrate a commitment to ensuring their consumers’ health information is private and secure.”

Accordingly, Texas Health and Safety Code (THSC) § 181.205 specifically allows a covered entity to introduce evidence of its good faith efforts to comply with HIPAA and state law related to the privacy of health information in an action or proceeding imposing an administrative penalty or assessing a civil penalty related to an unauthorized disclosure. In determining the penalty imposed by other law in accordance with THSC § 181.201, a court or state agency must also consider several factors, including the covered entity’s compliance history and whether the covered entity was certified at the time of the violation.

“For this program to be successful, it must provide the appropriate level of assurance and verification while still being practical and implementable; therefore, it was important we select the best possible partner for developing and implementing the Texas Covered Entity Privacy and Security Certification Program,” said Tony Gilman, chief executive officer, THSA. “We are confident in our choice given HITRUST’s leading role in the assessment and certification of compliance with multiple health information protection regulations and best practices through the HITRUST Common Security Framework (CSF).”

“We are very pleased to partner with the THSA to develop and implement the certification program,” said Daniel Nutkis, chief executive officer, HITRUST. “Organizations have desperately sought certification as a means to proactively validate their level of compliance with various regulatory requirements, industry standards and best practices, and obtain a recognizable benefit for their due diligence and continued due care. By offering the first government-sponsored certification of its kind, Texas has taken a leading role in improving information protection in the healthcare industry.”

“Leveraging the HITRUST CSF will provide Texas covered entities a tailorable, but prescriptive set of baseline controls, which they can use to demonstrate compliance with Texas standards through formal certification,” said Dr. Bryan Cline, vice president, CSF development, HITRUST. “However, the program’s impact will likely be felt far beyond the state of Texas because Texas certification requires compliance with the HIPAA Privacy and Security Rules, which means that organizations must implement reasonable safeguards appropriate to their organization to ensure sensitive health information is adequately protected. The Texas Covered Entity Privacy and Security Certification Program will help define what is ‘reasonable,’ ‘appropriate’ and ‘adequate’ for not only Texas, but for healthcare organizations across the country.”

Most covered entities will be able to obtain a Texas certification recommendation from HITRUST by undergoing an assessment conducted by a HITRUST CSF Assessor organization against the controls specified in the HITRUST CSF. However, smaller entities will be able to request a certification recommendation through HITRUST by conducting a remote assessment. Healthcare organizations pursuing HITRUST certification independent of the Texas program will be encouraged to also obtain a Texas certification recommendation as there are a very limited number of additional controls to assess, making the process very efficient and cost effective.

Development and implementation timeline

HITRUST incorporated information protection requirements from Texas HB 300 (82R) in the fifth major release of the HITRUST CSF in early 2013. Additional control language supporting relevant privacy and security requirements contained in the Texas standards specified at TAC § 390.2 will be included in the late-October release of the HITRUST CSF, at which time Texas covered entities may begin the process of specifying and implementing controls in preparation for formal assessment and certification.

More information on the Texas Covered Entity Privacy and Security Certification Program can be found at HIETexas.org. Organizations interested in learning more about the certification recommendation and related services to be provided by HITRUST should visit hitrustalliance.net/texas.