EHNAC looks to fill HIPAA, Meaningful Use compliance gaps

As featured on HealthIT Security

By Patrick Ouellette

When looking at future Office for Civil Rights (OCR) privacy and security audits, it’s important to focus not on 2013, but 2014 after the HIPAA omnibus rule has gone into effect. The Electronic Healthcare Network Accreditation Commission (EHNAC), a federally-recognized, independent accrediting organization, told HealthITSecurity.com at HIMSS13 that it can provide assistance in this area.

EHNAC Executive Director Lee Barrett said that the expansion of HIPAA responsibilities has increased the need for many healthcare organizations to look toward outside sources for guidance and security testing. EHNAC has been in conversation with OCR since the HIPAA omnibus rule came out and has been mapping the OCR audit protocol to its own criteria. While Barrett says that EHNAC has identified a large number of similarities, he thinks the audits shouldn’t be limited to solely HIPAA. “What’s different is OCR aligned their standards strictly to HIPAA protocols,” he said. “We do the same, but have taken it a step further and gone out with best practices.”

In response to the HIPAA omnibus rule, EHNAC’s advisory group has taken all of the rule’s new provisions, mapping those to their own criteria, and will come out with another release of its criteria to come out in tandem with the HIPAA omnibus September enforcement date. Since HIPAA now includes responsibility for the line of business associates (BAs) and covered entities, there’s a greater focus on penalties and breach notification has taken on a broader perspective, Barrett said EHNAC offers unique experience.

“More organizations are going to look for third-party review to objectively evaluate their policies, procedures and controls,” he said. “A big part of our accreditation model is around privacy and security so we think many organizations will want to interact with us before OCR comes into audit them.”

HIPAA concerns

Many healthcare organizations have taken a pretty minimalist approach to HIPAA to this point. According to Barrett, plenty of organizations aren’t aware of the omnibus rule at this point and don’t realize that it’s not just going to be a checklist anymore. Instead, the key is to receive on-site visits from outside bodies.

Many organizations have asked, with an accreditation, why do you have to do an actual site audit and why can’t we just do a self-attestation? My answer is that in 50 percent of the cases where we’ve gone to an accreditation, if I go by a self-attestation I would say they look like they have all the stuff in place. When we go into an organization and they tell us about their role based access, for example, we want to see their actual controls and who’s responsible for what. Often times, they don’t have an answer. These are things organizations often don’t think about and the omnibus rule takes it to a whole new level and the exposure is higher.

Barrett attended a recent HIPAA summit and because the omnibus rule doesn’t go into effect until September, OCR said it won’t do any audits until the rule goes into effect. It seems as though the OCR thinks that without the rule being in effect, people would get confused and it won’t be doing audits to any great extent this year. With 2014 audits looming, the industry has a transitional year to get compliant.

Direct Trusted Agent Accreditation Program (DTAAP)

A big part of Stage 2 Meaningful Use compliance once January 2014 rolls around will be direct messaging security and privacy. EHNAC, in partnership with DirectTrust.org, thinks its DTAAP program will help organizations prepare for digital certificate and public/private key requirements. The program was launched back in November and Barrett said there are six betas in program, with EHNAC looking for further feedback from customers.

Barrett also discussed an Office of the National Coordinator for Health Information Technology (ONC) funding opportunity announcement where it’s going to award four organizations the role of defining how to launch Direct for the industry and ways the industry can meet the January 2014 Stage 2 Meaningful Use compliance deadline. ONC, according to Barrett, will make that announcement on Mar. 25 and DirectTrust.org applied to be one of those four (and EHNAC is tied to that application). Once the four are picked, ONC will put together another forum with those entities and form a roadmap and the milestones to achieve before January 2014. EHNAC is looking to be, along with DirectTrust.org, the only accreditation organization to administer the Direct accreditation.