An In-Depth Interview with Lee Barrett

Written by Bobby Williams, MBCP, MBCI

Tuesday, 14 January 2014

Lee Barrett is the executive director of EHNAC. He has held executive leadership positions in a number of HIT solution companies and is currently active on several boards. He has nine years of experience working with providers on the board and leading the American Dental Association Business Enterprises (ADABEI) for profit subsidiary of the ADA. He has led several global healthcare consulting organizations including PriceWaterhouseCoopers, Covansys, Virtusa, and SAIC. He worked more than 20 years in the health insurance industry in leadership roles with Aetna, Travelers, MassMutual, and CT Mutual. He led the development of the HIPAA transactional and privacy and security standards and provisions as chair of ASC X12N and assisted in the founding and chairing of WEDI.

Williams: EHNAC is an accrediting body that focuses on the health insurance industry’s clearinghouse functionality. A clearinghouse is like a large airport, with transactions coming in from all over the country and being routed to the correct destinations in other parts of the country. The transactions are usually between doctors, pharmacies, or hospitals (providers) and insurance companies (payers).

Lee, one of the hottest topics in the news, is security of protected healthcare information (PHI). The costs of a breach can cost a payer or a provider millions of dollars (2011 figures average $5.5 million per incident). How does EHNAC help its accredited members focus on HIPAA security?

Barrett: EHNAC has devoted many years to the development/refinement and enhancement of its privacy, security, and confidentiality criteria based upon the latest healthcare legislative reforms such as HIPAA, HITECH, ARRA, ACA, and Omnibus Rule.

The privacy/confidentiality criteria have 12 specific areas which include the HIPAA Privacy Rule, HITECH, and Omnibus Rule in addition to focus on patch management, wireless security, etc.

The security section of our accreditation programs contain 58 specific criteria which focus on organization requirements of hybrid entities; administrative safeguards; and technical safeguards, organizational requirements for BA contracts, and policies/procedures documentation.

We have committees that monitor ongoing healthcare reform legislation developments, and we have a minimum annual release of new versions of our accreditation programs. However, if certain changes occur that warrant an interim version to be released, as was the case with the Omnibus Rule announcement in January 2013 with industry implementation scheduled for Sept. 23, 2013, we incorporated those specific new provisions in all of our programs and just released the interim versions on Aug. 23. Compliance and assisting all healthcare stakeholders in which we have accreditation programs to support them are critical to us to reduce the risk of any PHI breach and provide a high level of trust to all those entities that have relationships with our accredited organizations. We take privacy, security, and confidentiality very seriously.

To read the full interview, visit Disaster Recovery Journal and look for the Winter 2014 issue.