The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will be showing up at healthcare organizations’ doors to perform privacy and security audits in 2013, sometimes unexpectedly. One way organizations can prepare for the 169-item performance audit, which focuses on the HIPAA Privacy Rule, Security Rule and Breach Notification Rule, is by connecting with security accreditation bodies such as the Electronic Healthcare Network Accreditation Commission (EHNAC).
EHNAC is a federally recognized, independent accrediting organization that says it is designed to improve transactional quality, operational efficiency and data security in healthcare. It was formed in the mid-1990s and initially worked mainly with clearinghouses, later evolving to accredit healthcare payers for their requests for proposals (RFPs); today its customers range from healthcare providers to health information exchanges (HIEs).
Debra Hopkinson, RN MS, EHNAC Vice President, Operations, said that EHNAC has received good reviews from customers who have been through the non-mandatory OCR audit. They added up the number of hours it would have taken to do the research (some estimated upwards of 180) and the amount of money they would have spent to get ready for the OCR visit without EHNAC accreditation.
“They basically had everything they needed when [OCR] got there,” Hopkinson said. “[EHNAC] performs an audit in mitigating the risk with an OCR audit and going into experiences people have had with how they should proceed because these audits are going to be mandatory next year.”
Hopkinson also said EHNAC recently had a meeting with OCR, and OCR was interested in what EHNAC does in terms of fees, criteria and experiences. She said that in the future OCR could potentially consider the idea that an EHNAC accreditation would preclude an organization from having to go through an OCR audit. In addition to preparing for the 2013 OCR audits, EHNAC accreditation can help ensure compliance with healthcare reform legislative mandates such as HIPAA, ARRA-HITECH and other select state rules and regulations.
Though most organizations enroll voluntarily, at this time both Maryland and New Jersey require organizations to attain EHNAC accreditation to connect to their respective states’ electronic healthcare networks (EHN). Healthcare organizations apply on the EHNAC website, fill out a self-assessment form based on EHNAC’s required client criteria, and provide evidence that they have met those criteria; after a site review confirms that this is the case, EHNAC reviewers head to the facilities to consult and offer best practices. From a security standpoint, CIOs and CISOs participate in these reviews after a project team has set an agenda and divided the meetings into responsibility groups.
Hopkinson said that the EHNAC internal security assessment provides these three components:
1. A third-party level of testing covering vulnerability, risk, cyber, security analytics, mobile, agile, etc.
2. Independent review of security policies, procedures and controls
3. EHNAC recognition as a nationally recognized, not-for-profit accreditation organization serving as an objective, independent third-party auditor
EHNAC recently announced an agreement with DirectTrust.org, which was formed by Direct Project members who are developing software to securely exchange authenticated and encrypted health information messages over the Internet. DirectTrust.org is working with EHNAC on the development of a national accreditation program for Health Information Service Providers (HISPs), Certificate Authorities (CAs) and Registration Authorities (RAs). Some companies have self-attested during the development phase, and the formal accreditation program is expected to launch in early 2013, according to HealthDataManagement.com.
“We’re hoping to have draft criteria within the next few weeks and we’re having an on-site meeting to merge DirectTrust and EHNAC criteria,” Hopkinson said, adding that EHNAC plans on pre-launching with betas late in 2012 or early 2013.
EHNAC fees and accreditation costs depend on hospital size and revenue, and the details can be found here in its accreditation guidelines. An EHNAC Webinar on Dec. 10 titled “Are You Ready for an OCR Audit?” will look at how organizations can mitigate risk, prepare for and manage OCR audits. Lee Barrett, executive director of EHNAC, and legal professionals with HIPAA, ARRA/HITECH and protected health information (PHI) expertise will speak in the Webinar.