The Texas Health Services Authority (THSA) has announced it will employ the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) to standardize its approach to certification that includes both state and federal privacy and security regulations.
The Texas Health Services Authority (THSA) was created in 2007 as a public-private partnership, legally structured as a nonprofit corporation, to facilitate the state’s health information exchange (HIE) and health information technology (HIT). The HITRUST Common Security Framework (CSF) can be used by any and all organizations that create, access, store or exchange personal health and financial information and has been gaining popularity in the healthcare industry.
The new partnership gives an inside look into how Texas is trying to form a program that meets state (the Texas Covered Entity Privacy and Security Certification Program) and federal (HIPAA) requirements. The Texas state program was born out of the 2011 Texas House Bill (HB) 300, which took the new HITECH regulations into consideration and added state-level administrative penalties and legal liability for health information breaches due to non-compliance.
“As Chair of the House Public Health Committee and author of Texas HB 300, I know that lawmakers are very serious about the safeguarding of individuals’ health data,” said Rep. Lois Kolkhorst in the report. “The certification process is designed to help with compliance of state and federal privacy and security laws, and to help organizations that handle health information to mitigate and control risks.”
THSA will draw on HITRUST’s experience with assessments and compliance certifications against health information protection regulations and best practices. “For this program to be successful, it must provide the appropriate level of assurance and verification while still being practical and implementable; therefore, it was important we select the best possible partner for developing and implementing the Texas Covered Entity Privacy and Security Certification Program,” said Tony Gilman, chief executive officer, THSA.
THSA is aiming to remove some of the ambiguities involved with both state and federal health data privacy and security requirements, including which safeguards are “reasonable,” “appropriate” and “adequate”. The press release added that most covered entities will be able to obtain a Texas certification recommendation from HITRUST by undergoing an assessment conducted by a HITRUST CSF Assessor organization against the controls specified in the HITRUST CSF. (Smaller entities will be able to request a certification recommendation through HITRUST by conducting a remote assessment.)
HITRUST initially incorporated information protection requirements from Texas HB 300 (82R) in the fifth release of the HITRUST CSF in early 2013. Additional control language supporting the relevant privacy and security requirements in the Texas standards specified at TAC § 390.2 will be included in the late-October release of the HITRUST CSF. Texas covered entities can then identify the controls they need in preparation for formal assessment and certification.