At the risk of oversimplifying the role each of these groups plays in the healthcare industry, the essence is the same: different people trying to figure out the best way to securely use electronic protected health information (ePHI) and the technology that supports it. However, without a single, industry-developed and accepted approach to securing ePHI, we are left with a federal regulation, the HIPAA Security Rule, to drive the information security programs of our payers, providers, and business associates. Unfortunately, as we all know, a compliance-driven security program is often insufficient: it tells you what to document, not whether your controls actually work.
Rather, frameworks, accreditation programs, incentives, and penalties need to be developed that enable security programs to support business objectives as well as address compliance requirements. Each of the following is trying to do just that:
Health Information Trust Alliance (HITRUST)
Throw every infosec framework, standard, and data security law into the blender, press the "innovate" button, and pour yourself a best-of Common Security Framework (CSF) smoothie. But don't forget to pay at the counter. Here at Redspin, we are all in favor of the best-practice approach, as our own services often leverage lessons learned from each industry. However, the CSF will have a hard time reaching critical mass until the framework is freely accessible to all.
Electronic Healthcare Network Accreditation Commission (EHNAC)
A non-profit standards development organization, EHNAC has developed a number of accreditation programs to improve transactional quality, operational efficiency, and data security in healthcare. Specific to data security, they have opted to select a subset of safeguards from the HIPAA Security Rule to measure an organization's information security program. The accreditation process involves a self-assessment questionnaire (including documentation of implemented controls), follow-up on-site visit(s), and an annual fee; accreditation is valid for two years.
Centers for Medicare & Medicaid Services (CMS) “Meaningful Use” Incentive Program
The last (but certainly not least) Stage 1 core requirement for hospitals and professionals to show meaningful use of EHR technology is to "Protect Electronic Health Information" by implementing a single HIPAA Security Rule safeguard: perform a security risk analysis. If you have to pick one, CMS got it right by selecting the one safeguard that has to be done first, since the risk analysis is what aligns the management of the security program with the operational and technical controls that are actually necessary.
Health Information Technology for Economic and Clinical Health (HITECH) Act
What if the HIPAA Security Rule is fine as written, and we just need better enforcement and a broader range of institutions to which it applies? Please welcome the HITECH Act, which 1) created a breach notification provision, 2) strengthened enforcement by increasing the financial penalties per violation, and 3) widened the scope of the Security Rule to apply directly to business associates. Only time will tell whether the public spotlight on data security breaches and the accompanying financial penalties will have a positive effect on the industry.
Let’s review. One purpose, yet four different applications of the HIPAA Security Rule:
- HITRUST = Security Rule + entourage
- EHNAC = Security Rule/2
- Meaningful Use = Security Rule/100, and
- HITECH Act = Security Rule on steroids.
While there is not yet industry consensus, we certainly are moving in the right direction.