EHNAC released a draft of its accreditation program, including discussions on HIPAA mandates.
The Electronic Healthcare Network Accreditation Commission (EHNAC) released the first draft of its latest accreditation program this week. The organization is accepting public comments through Feb. 10, according to a release. EHNAC is an accrediting body for facilities that electronically exchange healthcare data.
For the agency’s Health Information Exchange Accreditation Program (HIEAP), eight sections were updated, discussing a range of topics including privacy and confidentiality, technical performance, business practices and authentication.
“The EHNAC criteria for each of its accreditation programs sets the foundational requirements for measuring an organization’s ability to meet federal and state healthcare reform mandates such as HIPAA, Omnibus, ARRA/HITECH, ACA and other mandates for covered entities and business associates focusing on the areas of privacy, security, confidentiality, best practices, procedures and assets,” EHNAC explained in a statement.
In terms of healthcare privacy and security regulations, EHNAC added several mandatory criteria for cloud service providers (CSP) under its HIEAP. For example, a candidate for the HIEAP must have a business associate agreement in place with each CSP. Moreover, the organization must prove that each CSP has business associate agreements in place with each BA.
“Accredited companies must have appropriate administrative, technical and physical policies and procedures to ensure the integrity and confidentiality of protected healthcare information,” EHNAC explained. “These policies and procedures must protect against any anticipated threats or hazards to the security or integrity of such information. As a practical matter, the required level of security is intended to be commensurate with the attendant risks.”
The agency’s Practice Management System Accreditation Program (PMSAP) is a third-party review, according to the company, and is meant to provide extra assurance to the provider community during the evaluation process of PMS system vendors.
Also discussed in the HIE program evaluation are technical performance guidelines, such as communicating electronic messages securely, and proper business practices. This includes ensuring that accredited companies have business practices that “facilitate the maintenance of the technical performance criteria and must exhibit truth-in-advertising.”
EHNAC also outlines best practices for granting authorized users PHI access, specifically based upon the role of that individual in providing care. Moreover, the agency explains the proper way for covered entities to require participants to pass an authentication methodology before receiving access to PHI.
HIPAA mandates have been making headlines recently, with some organizations urging federal authorities to make huge changes. The American Medical Informatics Association (AMIA) wrote a letter to state Representative Fred Upton, asking that HIPAA be updated to allow for exemptions in terms of access to patients’ PHI, specifically for “observational or data research.”
“To facilitate the discovery, development and delivery of new treatments and cures, AMIA believes that we must develop a ‘learning health system’ in which the data and information generated during routine delivery of health care is leveraged across clinics, hospitals and integrated networks…” the letter read.
The post HIPAA Mandates Discussed, Comments Sought in EHNAC Program appeared first on HealthITSecurity.com.