Accreditation for HIEs: EHNAC’s Executive Director Explains the Whys and Wherefores

As featured on Healthcare Informatics

By Mark Hagland

Earlier this spring, the Farmington, Conn.-based Electronic Healthcare Network Accreditation Commission (EHNAC), a federally recognized standards development organization and non-profit accrediting body founded in 1993, announced a new agreement with the federal government, in which DirectTrust, a non-profit association created by and for participants in the Direct community, had been awarded a cooperative agreement from the Office of the National Coordinator for Health Information Technology (ONC) for continued development and implementation of its accreditation program for health information service providers (HISPs) developed in partnership with EHNAC. The Direct Trusted Agent Accreditation Program (DTAAP) co-sponsored by EHNAC and DirectTrust, will be further developed through ONC’s Exemplar HIE Governance Entities Program. The program is designed to encourage the continued development and adoption of policies, interoperability requirements and business practices to increase the ease of health information exchange (HIE). The creation of DTAAP will create a vehicle for the accreditation of health information exchanges, as explained in a press release accompanying the Apr. 4 announcement. As the press release indicated, “One of the areas of focus in the cooperative agreement will be on the continued development and implementation of DTAAP as a national accreditation for health information “trusted agent” service providers, including HISPs, certificate authorities (CAs) and registration authorities (RAs). The accreditation program, launched in November 2012, is currently in use at six beta sites, and is projected to have wide-scale industry adoption by the end of 2013 and int5o 2014,” the press release noted.

Recently, Lee Barrett, the executive director of EHNAC, spoke with HCI Editor-in-Chief Mark Hagland to explain some of the intricacies and nuances of all these developments, and to share his perspectives on broad efforts in the healthcare industry to make the practice of health information exchange more effective and streamlined. Below are excerpts from that interview.

To begin with, I think many people are confused about the differences between accreditation and certification. Could you help clarify things a bit?

We’ve come down to a simple differentiation: certification is really a self-attestation/self-assessment that an organization goes through, and a third party is validating the information through some type of logic or program that helps them look at the information submitted. An accreditation goes much more deeply than a certification. It’s not only looking at a self-attestation or self-assessment, but also includes a site review or site audit.

So someone highly qualified as a site auditor is going out to visit an organization, and accreditation is really validation. So if an organization has submitted, for example, that its leaders have appropriate controls for entering a building, for getting into their computer room, and role-based access controls, we go and have an auditor review those controls. And they can ask, from the time someone goes into that building—are all those controls appropriate for the size and scope of the organization or not? Do they really follow their rules for role-based access to PHI [protected health information]? Do they have screen savers and other types of controls on their workstations where users are logged off after a certain period of inactivity? We look at all of those aspects. All those elements apply to the accreditation of health information exchanges; we also have accreditation programs for medical billers and other types of exchanges, for example, clearinghouses.

We’re primarily talking about HIE, then?

No, we’re also talking about the accreditation of e-prescribing vendors, and also of banks and financial service organizations, having to do with healthcare financial transactions. And medical billers, third-party administrators, outsource vendors. We have a variety of accreditation programs for all of those stakeholders. And the other aspect that’s probably new to you, is an accreditation program for health information service providers or HISPs; certificate authorities or CAs; and registration authorities, or RAs. And all of these have to do with the Direct protocol, and securing the exchange of clinical messages.

So we’ve created an accreditation program with for accrediting these HISPs, CAs, and RAs, and EHNAC was given an award, as the April announcement and press release indicated. Actually, we’ve been given two awards recently. One award from ONC was to, in partnership with EHNAC for our DirectTrust agent accreditation program; and then the other was the New York eHealth Collaborative, and that award had to do with outreach and awareness in the industry regarding Direct. So the accreditation that ONC is trying to do here is trying to get these HISPs, CAs, and RAs, to go through accreditation in 2013, in an effort to meet meaningful use Stage 2 compliance in January 2014; because Direct is part of that meaningful use Stage 2 directive. And as part of that, we’re looking at this as part of a self-assessment, and doing a site visit or site audit of that organization, around the trust anchors and trust bundles, and creating support for the Direct protocol. And we have a major focus as well on privacy, security, and confidentiality of the data.

There are four areas we focus on: first, the privacy, security, and confidentiality of the data; second, technical performance, the operational capabilities of the network, for health information exchanges or any of those stakeholders I was talking about. Third, we’re also looking at best practices; and fourth, the physician, human, and administrative resources that an organization provides to support the services they’re promoting.

Can you help distinguish between what you do at EHNAC with accreditation, and what CCHIT and the other deemed entities do around certification? I know the deemed entities are focused on vendor product certification, which is of course, very different.

Right, so CCHIT [the Certification commission for Health Information Technology] is a deemed entity by ONC for EHR [electronic health record ]certification. Yes, the two processes very different. And whether it’s CCHIT, URAC, or NCQA, there are a number of organizations that are accreditation/certification bodies, and we work collaboratively together, such that we try to minimize redundancy and ambiguity in the market, where we don’t want to have competing accreditations or certifications for the same entities. And we don’t compete with CCHIT on EHRs; that’s not our core set of programs.

I have to think I might not have been the only person in healthcare who was confused about this.

No, you’re not. In both Maryland and New Jersey, our program—our clearinghouse or electronic healthcare network program is mandated in those two states, so that any payer that uses a clearinghouse or EHN has to use an EHNAC-accredited one. And in Maryland, managed service organizations (MSOs) and e-prescribing networks also have to be accredited by us. MSOs provide a lot of EHR services; and those entities do go through us for accreditation.

How many HIEs have been accredited by you?

Five so far, including Michiana Health Information Network, and the Utah Health Information Network.

So this is in an early stage of development overall?

To a degree it is, but certainly with Direct, we’ve had success already in that ONC has given the accreditation nod to and EHNAC, for the accreditation program for DirectTrust; and they’re looking to get at least half of the HISPs, the CAs, and the RAs, accredited by the end of 2013. And there are a number of HIEs that also perform the services of a HISP. So there’s a possibility that a number of the HIEs would go through that accreditation model.

Are we talking about some organizations potentially needing to go through two different accreditation processes?

Well, if an HIE is acting in the role of a health information service provider, they could go through the accreditation for DirectTrust, but also could go through the HISP accreditation. They would have two accreditations. We have many organizations that have multiple accreditations.

Accreditation for an HIE is not mandated right now, correct

No, it isn’t.

So the value of accreditation is as a kind of “Good Housekeeping seal of approval,” then correct?

With the new HIPAA Omnibus Rule, with more rules and greater enforcement, the fact that business associates are treated in the same way as covered entities and that OCR [the federal Office of Civil Rights] is going to be doing more audits, there’s a greater need to have the appropriate privacy, security, and confidentiality rules and best practices in place, so having a third-party review from an organization like EHNAC helps organizations gain trust with their stakeholders. So we’re helping organizations to gain trust with their stakeholders around how they’re handling PHI and other types of clinical data. So it goes back to having that Good Housekeeping seal of approval, absolutely.

What would you most like our readers to understand about all of this?

The first is the aspect of building trust with stakeholders, so they have the appropriate policies and processes in place to meet the requirements of the HIPAA Omnibus Rule and meaningful use requirements; and in that context, certification or accreditation is extremely important. Second, the key is to demonstrate trust in the industry, and to assure that organizations have all the right controls. What we have found is that organizations that have gone through our accreditation model have really raised the bar. We institute and help organizations with the implementation of best practices. And our accreditation is very consultative, so we help organizations position themselves best for growth; we help them put together a comprehensive disaster recovery program and business continuity program, and to help them minimize the opportunity for any data breach. So the need for third-party review is absolutely critical for organizations.