Site Visits

Purpose

This provides instructions for determining which sites must be visited for any given accreditation or re-accreditation cycle for any and all organizations seeking EHNAC accreditation.

Definitions

Cloud Service Provider – A provider of computing services that meets NIST’s cloud computing definition of “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.” (see NIST Special Publication 800-144, p. vi).

EHNAC Program – Any of the Accreditation Programs offered by EHNAC for which an Organization may be seeking accreditation.

FedRAMP – See www.FedRAMP.gov

In-scope Organization Site – Organization Sites deemed “in scope” are any and all physical locations at which the EHNAC Organization provides services related to the EHNAC Program for which they are seeking accreditation, and any and all sites that create, receive, maintain, or transmit PHI or DTAAP PII or cryptographic information related to those services. Services considered in scope include but are not limited to:

  1. Data Center – under all circumstances
  2. Network Administration – where necessary to the business for accreditation
  3. Customer Service/Helpdesk – where necessary to the business for accreditation
  4. DRP Facilities – any functions with access to PHI or DTAAP PII or cryptographic information related to EHNAC-accredited services
  5. Lockbox – where necessary to the business for accreditation
  6. Product Development – where necessary to the business for accreditation
  7. Storage Backup – without appropriate documentation/evidence via contract/agreement for services including an SLA
  8. Production Operations – under all circumstances
  9. Printing or Scanning operations – where PHI is involved

In-scope Outsourced Site – Outsourced Sites deemed “in scope” are any and all Outsourced Sites related to the EHNAC Program for which the Organization is seeking accreditation, and any sites where the Organization’s PHI or DTAAP PII or cryptographic information is created, received, maintained, or transmitted.

Services considered in scope include but are not limited to:

  1. Data Center – under all circumstances
  2. Network Administration – where necessary to the business for accreditation
  3. Private Cloud – any functions with access to PHI or DTAAP PII or cryptographic information related to EHNAC accreditation services
  4. Customer Service/Helpdesk – where necessary to the business for accreditation
  5. DRP Facilities – any functions with access to PHI or DTAAP PII or cryptographic information related to EHNAC-accredited services
  6. Lockbox – where necessary to the business for accreditation
  7. Product Development – where necessary to the business for accreditation
  8. Storage Backup – without appropriate documentation/evidence via contract/agreement for services including an SLA
  9. Production Operations – under all circumstances
  10. Printing or Scanning operations – where PHI is involved

Offshore or International – For purposes of EHNAC accreditation, a location other than a State of the United States, the District of Columbia, Puerto Rico, or the U.S. Virgin Islands. [Other insular areas such as American Samoa, Guam, and the Northern Mariana Islands are deemed to be “offshore” or international locations.]

Organization – An entity (company, government entity such as an HIE, etc.) seeking EHNAC accreditation or re-accreditation.

Outsourced Site – Sites belonging to an Outsourcer.

Outsourcer – An entity that is contractually obligated to provide services to the Organization.

PII – Personally Identifiable Information.

Private Cloud – A private cloud is one in which the computing environment is operated exclusively for a single organization. It may be managed by the organization or by a third party, and may be hosted within the organization’s data center or outside of it. A private cloud has the potential to give the organization greater control over the infrastructure, computational resources, and cloud consumers than can a public cloud. (from NIST Special Publication 800-144, p.3)

Public Cloud – A public cloud is one in which the infrastructure and computational resources that it comprises are made available to the general public over the Internet. It is owned and operated by a cloud provider delivering cloud services to consumers and, by definition, is external to the consumers’ organizations. (from NIST Special Publication 800-144, p.3)

Self-Assessment – The comprehensive report provided by Organizations seeking accreditation. This report includes responses to the criteria and various types of evidence demonstrating compliance with the criteria.

Sites Requiring a Site Visit

A site visit is required at each In-scope Organization Site and each In-scope Outsourced Site as those terms are defined above. Each of these sites must be visited for initial accreditation and each must be visited for each re-accreditation cycle. The only exceptions to this are listed below.

Internationally Based Organizations

All In-scope sites of internationally based Organizations must have Site Visits performed to be considered for EHNAC Accreditation.

Requirement of Additional Site Visits Based on Proximity

For each site not in close proximity (within 1 hour) to another site being reviewed, a separate trip must be scheduled, and a full Site Visit Fee plus the related travel expenses will be charged.

Sites Not Requiring a Site Visit

Individual Home-based Offices

When individuals work out of their homes, those offices will not be visited. However, evidence must be provided that the employee complies with the same policies and procedures as all other workers, and additional scrutiny may be made regarding the equipment, networking, and communications used by such workers. Furthermore, no production processing systems may be housed and no PHI or DTAAP PII or cryptographic information may be stored or printed in home-based offices.

Outsourcer of Outsourcer

If functions are “outsourced” or contracted externally by an Outsourcer (e.g., a data service provider outsourcing DRP), and if appropriate BA agreements are in place between the parties, further analysis will be performed to determine whether the secondary Outsourcer must be reviewed.

Encrypted Archives

If data containing PHI or DTAAP PII or cryptographic information is archived by a third party, and if that data is appropriately encrypted prior to being sent to the third party (using encryption that meets HIPAA requirements) AND an appropriate BA agreement is in place with that third party, that site does not need to be visited.

Sites that are International

  1. EHNAC has determined that it will, at the option of the Organization, physically review Organizational Sites and Outsourced Sites that are located “offshore” or internationally, though this is not required.
  2. If a US-based Organization has an otherwise In-scope Organization Site or In-scope Outsourced Site that is located offshore, EHNAC will, at the request of the Organization, perform a site visit or accredit that location of the Organization.
  3. Without a Site Visit, an organization will be ineligible for EHNAC accreditation if any of the following Organizational Sites or Outsourced Sites are located internationally:
    1. CA Operations
    2. Corporate Main Operations
    3. Data Center Hosting Facilities (unless they are only used for Disaster Recovery purposes)
    4. HIE Technical Operations
    5. HISP Operations
    6. Lockbox Operations
    7. RA Operations
    8. Facilities which store PHI or DTAAP PII or cryptographic information that was ever unencrypted outside of the United States.
  4. EHNAC will annotate its website to disclose that the accredited entity has any offshore sites that were not physically reviewed.
  5. Each Organization for accreditation must provide documentation to substantiate that:
    1. It fully and accurately discloses to its business partners and customers that it performs services in an offshore location(s).
    2. It makes available upon request to a business partner or customer a reasonable description of all measures the Organization takes to ensure the confidentiality, integrity and availability of protected health information (as those terms are defined by 45 C.F.R. Parts 160, 162, and 164) that the Organization transmits or receives from an offshore site.

Other Sites that are Out of Scope

Other sites that do not require a site visit, irrespective of whether or not they are outsourced, include:

  1. Human Resources (HR)
  2. Finance
  3. Product Development – where PHI and DTAAP PII or cryptographic information is not accessed and where the function is not necessary to the business for accreditation.
  4. Customer Service – where PHI and DTAAP PII or cryptographic information is not handled and the function is not necessary to the business for accreditation.
  5. Hospital Information Services (HIS) solutions unrelated to the accreditation program
  6. Practice Management Services (POMIS) solutions unrelated to the accreditation program

Sentinel Event Applicability

EHNAC’s Sentinel Event Policy must be referenced and followed by Organizations as it relates to Outsourced Sites. For example, circumstances triggering a Sentinel Event include:

  • Entering into an agreement with a new Outsourcer;
  • Adding or significantly modifying a physical location in which an Organization provides a function related to the EHNAC Program for which it is accredited; and
  • Significant events associated with In-scope Outsourced Sites including but not limited to their addition or significant modification of physical locations.

If such an event occurs within 12 months of the last accreditation, a physical site visit must be made to the new or modified facility.

Mutual Use of Outsourced Vendor

If multiple Organizations use a common In-Scope Outsourced Site, a site visit to that Outsourced Site is only required once every 2 years. The first Organization to use such an Outsourcer will pay the full Site Visit Fee for that visit. The Outsourcer will be monitored, and any other Organization using that Outsourcer during the 2-year rotation will pay a Site Visit Fee equivalent to a 25% discount of the full Site Visit Fee. An actual site visit will not be made in these discounted cases, unless the Outsourcer has significantly changed functionality during the 2-year rotation.

EHNAC Outsource Vendor Accreditation Program

If an Organization uses an Outsourcer that is EHNAC accredited, the Organization will not be required to provide a site visit to the accredited Outsourcer. EHNAC will maintain a list on its website that includes the approval date of accredited Outsource vendors.

Outsource vendors seeking their own accreditation must undergo the appropriate site visits even if they have previously been visited within the context of another Organization’s accreditation.

Organizations with Multiple Outsourced Organization Sites

For Organizations with multiple facilities that include the same in-house or Outsourcer under the same policies and procedures such as lockbox facilities, a site visit rotation will be used to accredit the Organization [See the EHNAC website’s Accreditation Guidelines].

EHNAC Site Visit Access to Outsourced Sites

Organizations with In-scope Outsourced Sites must ensure that EHNAC representatives obtain access to the location(s) of an Outsourcer to determine if the vendor meets applicable EHNAC accreditation standards. Organizations will include in each vendor agreement a provision that states essentially the following:

Vendor acknowledges that [name of Organization] is accredited by the Electronic Health Network Accreditation Commission (“EHNAC”) and that the EHNAC accreditation process requires an on-site visit (the “Site Visit”) by EHNAC to verify compliance with applicable EHNAC criteria. Vendor agrees that upon reasonable prior notice from [name of Organization], EHNAC, its representatives or agents shall have reasonable access at reasonable times to the premises, procedures, systems and records of Vendor to the extent that such access is necessary to enable EHNAC to perform the Site Visit and to evaluate whether the services provided to Organization meet EHNAC accreditation criteria. Vendor agrees to reasonably cooperate with EHNAC, its representatives and agents in the conduct of the Site Visit solely for the purpose of enabling [name of Organization] to obtain EHNAC accreditation.

Outsourcers That Do Not Handle PHI or DTAAP PII or Cryptographic Information

If PHI or DTAAP PII or cryptographic information is handled by the Outsourcer (created, received, maintained, or transmitted), then, as stated above, EHNAC must conduct an on-site visit. If there are multiple sites, EHNAC will follow the same multi-site policy already established. However, if no PHI or DTAAP PII or cryptographic information is handled by the Outsourcer, EHNAC will accept another auditor’s report and will review it to see if:

  1. the report covers all the areas EHNAC addresses, AND
  2. the controls found to be in place for those areas meet EHNAC’s requirements, AND
  3. the audit was conducted within the last two years, AND
  4. the audit was conducted by a properly-qualified auditor.

If no PHI or DTAAP PII or cryptographic information is handled and if 1 through 4 above are all found to be true, no site visit will be required to that Outsourcer site. There may be, however, a separate charge for the review of the auditor’s report.

Virtual Organizations

If an Organization pursuing accreditation is completely virtual with no corporate offices, a minimum of one site visit must still be conducted to interview key personnel, including subject matter experts, regarding representations made in the Self-Assessment. The interviews are instrumental in obtaining an understanding of the organization as a whole and in understanding how specific services under review are delivered. The Organization must make arrangements to have their site visit interview in a private conference room at a location they determine. The Organization should consult with their site reviewer to ensure appropriate personnel are in attendance.

Multiple Programs

If an Organization pursues accreditation for multiple EHNAC Programs, all sites related to each program pursued must be taken into consideration.

If an accredited organization indicates a desire to add an additional program (other than DTAAP, PMSAP and EPCS) between accreditation cycles, and has the same sites to review, the Multiple Program Fee will apply and a $1,500 Desk Review fee is also assessed. If there are additional sites to review, then the applicable Site Visit Fee and associated travel expense costs apply.

If an accredited organization adds either DTAAP, PMSAP and/or EPCS between their accreditation cycles, a Site Visit would be required to review the additional material that will be submitted in the Self-Assessment. See Site Visit information in the Accreditation Guidelines.

If an Organization pursues accreditation for the Cloud-Enabled Accreditation Program (CEAP), they must either also apply for a primary program or already be accredited in another EHNAC Accreditation program. CEAP is always a Multiple Program where CEAP is the secondary program.

Cloud Service Providers

Use of FedRAMP-Authorized Cloud Service Provider

Beginning January 1, 2016, an organization may apply for accreditation if they use a FedRAMP-authorized Cloud Service Provider (see www.FedRAMP.gov). To be accredited, the organization must apply for their program of choice PLUS the new CEAP (Cloud-Enabled Accreditation Program). The multi-program fees will apply, and an additional site visit day must be scheduled to review the details of the CEAP program. During that additional site visit day, a call must be arranged with a representative of the FedRAMP-authorized Cloud Service Provider.

General Cloud Service Policy

If an Organization uses a Cloud Service Provider and the organization is NOT applying for a CEAP accreditation, all of the above requirements are still applicable, including those listed under EHNAC Site Visit Access to Outsourced Sites above. Furthermore:

  1. A thorough, documented risk assessment must be in place identifying the cloud-based risks to data at rest, data in motion, and data in use, with a demonstration that controls are in place to appropriately mitigate those risks.
  2. The use of Public Clouds (as defined by NIST) is not permitted for PHI or DTAAP PII or cryptographic information.
  3. Any Cloud models other than Private Cloud (as defined by NIST) will be reviewed and may not be determined permissible for PHI or DTAAP PII or cryptographic information.

Updated 1/19/16