Channel: HealthITSecurity.com » HIE Security

EHNAC Director details secure data exchange, protocol trends

The Electronic Healthcare Network Accreditation Commission (EHNAC) has been in the news quite often in January. From announcing that MedAllies and DataMotion had both been fully accredited in the EHNAC and DirectTrust.org Direct Trusted Agent Accreditation Program (DTAAP) to adding five new commissioners this week, EHNAC has a great perspective on how healthcare is currently progressing with secure data exchange.

DTAAP accreditation certifies HIPAA compliance in health data processing and transactions, so many organizations are starting to enter into the accreditation process. EHNAC Executive Director Lee Barrett took some time to chat with HealthITSecurity.com and offer updates on some of EHNAC’s current projects as well as his views on health information exchange (HIE) privacy and security.

It’s been a while since we’ve talked. Can you talk about some recent EHNAC updates?

Barrett: DTAAP has gone extremely well. We’ve gotten a number of organizations that have been accredited and probably 20 or so are going through the process right now in candidate status.

Because Stage 2 Meaningful Use has been deferred, the timeline to implement [Stage 2 requirements] has been elongated. So there are a lot of organizations that have yet to go through the accreditation, but the awareness of the need for accreditation is certainly out there. We’ve got a lot of these health information service providers (HISPs) that are starting to believe that if they’re not accredited, they’ll be at a competitive disadvantage because others are able to demonstrate trust.

We’re also starting to see a lot of the HIEs contract out with certificate authorities (CAs) and registration authorities (RAs) and understand the need to provide that level of accreditation and trust to validate to a third party that they’re providing the appropriate services. In November, we were awarded the contract and RFP for Texas that makes us the accreditation body for the 12 HIEs in Texas as well as other enterprise-wide exchanges. We are working with the Texas Health Services Authority to make our HIE accreditation program state-specific. We’re going to be working with three betas during the first half of this year and hopefully roll out any final changes within the June time frame.

How did the HIPAA Omnibus Rule affect your programs?

Barrett: Based on the HIPAA Omnibus Rule, we’ve updated and refined all of our programs to keep up with the new requirements. For several of our programs, this required us to do a lot of paperwork. And we’ve taken new patient responsibilities in terms of patient consent into consideration as well. We’ve also spent a good amount of time with the Office for Civil Rights over the past year to align our programs and best practices with the OCR audit protocol.

How are HIEs progressing with accreditation?

Barrett: There was a big concern even a year or year and a half ago that the HIEs were no longer going to be in existence because they have found sustainable funding other than what they’ve received from the government. But there are a number of HIEs that are going to proliferate and have sustainable business models. For those that do, a very small number of them have gone through the accreditation process. Texas took that on and wanted to have a third party for privacy and security confidentiality while ensuring the trust between various stakeholders was validated. Texas is one of the first states to do so, though we’re aware of a few other states having some level of review by a state agency and had put some level of criteria together.

But there hasn’t been anything on a nation-wide level. We’re trying to build off of the model we built with Texas and work with other states as well. As a not-for-profit our main goal is to help the industry achieve a level of trust between stakeholders. We’re seeing a lot more exchanges – whether it’s HIEs or ACOs – and we need to ensure there’s a strong level of data security.

What are you seeing in terms of awareness around the Direct protocol?

Barrett: What we’re finding that organizations need to find awareness about is, with more and more clinical data being exchanged between healthcare organizations themselves and with labs, how they’re going to encrypt data from point A to point B or multi-point to multi-point. How organizations are going to secure the messaging and achieve meaningful use using Direct is important.

First, they need to ensure they’re authenticated and can send a message from my lab to another lab. Second, after they’re authenticated, they need to be sure that the other entity is a trusted one and enter into a trust anchor bundle. As organizations go through accreditation, they are put in the trust anchor bundle database to determine who has and who has not been authenticated. And to be compliant, they would use the Direct protocol for securing and encrypting the message from point A to point B. From a Stage 2 Meaningful Use education awareness perspective, we think there are a lot more organizations that understand the combination of the trust anchor authentication and the need to use Direct to secure the messages.

