Is Your Healthcare Communication over the Internet Secure Enough?

Partnership for Accreditation of HISPs, CAs, and RAs

There are three key changes within the recent HIPAA Omnibus final rule that raise the stakes for ensuring the security and privacy of your healthcare communication over the internet, including messages like instructions or test results shared with other healthcare providers. In addition, the Meaningful Use Stage 2 incentives add a new core objective to use secure messaging to communicate relevant health information with patients. Even if you use top-notch systems like a certified EHR, how can you be sure to protect patient privacy during the electronic delivery process?

Two of the three key changes are closely related. The first change is that business associates and sub-contractors are directly liable for compliance with privacy and security measures. In turn, covered entities can be liable for the actions of their business associates, depending on the nature of the contractual relationship. The second change is the adoption of the tiered structure and higher civil monetary penalties for violations introduced by HITECH in 2009. With potentially greater liability and higher costs for violations, it’s critical to have secure electronic messaging, which in turn requires a trustworthy network of Health Information Service Providers (HISPs), Certificate Authorities (CAs), and Registration Authorities (RAs).

The third key change is the risk assessment criteria for determining when a breach of unsecured protected health information (PHI) triggers notification requirements. The final rule changes the standard for assessing risk from “harm to an individual” to the “probability that the protected health information has been compromised.” The rule also directs covered entities and business associates to presume that a breach requires notification unless the organization can document a low probability that PHI was compromised. The final rule lists specific factors to use as part of the assessment. It also encourages covered entities to take advantage of the “safe harbor” of either encrypting or destroying PHI, since properly encrypted or destroyed PHI is not considered unsecured and so avoids potential breach notification issues.

Healthcare providers should make sure they use an accredited HISP, RA, and CA, both to help meet the HIPAA privacy and security rules regarding protected health information and to qualify for meaningful use incentives for certified EHR systems. The Office of the National Coordinator (ONC) initiated the Direct Project in 2010, charging it with developing a simple, secure, scalable, standards-based way to authenticate and deliver encrypted health information over the internet. Members of this project formed DirectTrust.org to build public confidence in the initiative while helping to develop and enforce the related rules. Recently, the Electronic Healthcare Network Accreditation Commission (EHNAC) announced that it is partnering with DirectTrust.org to create a national accreditation program for HISPs, CAs, and RAs. The program will combine the previous testing work of DirectTrust.org with EHNAC’s extensive expertise in the development, oversight, and execution of nationally recognized healthcare industry accreditation programs.

Lee Barrett is executive director of EHNAC, a federally recognized standards development organization designed to improve transactional quality, operational efficiency, and data security in healthcare. Previously, Barrett was President and CEO of IGI Global Health, a provider of services to HIEs, EMRs, portals, and EDI transactional platforms. He has also served as a board trustee of the NJ HITEC Regional Extension Center. Follow EHNAC on Twitter at @EHNAC.