How Texas is Boosting HIPAA Compliance
New Certification Program Builds on HITRUST Effort
A new voluntary privacy and security certification program for covered entities in Texas aims to bolster compliance with HIPAA and state regulations - and perhaps help organizations avoid federal sanctions.
The Texas Health Services Authority developed the new Texas Covered Entity Privacy and Security Certification in partnership with the Health Information Trust Alliance, or HITRUST.
THSA is a public-private partnership created by the Texas Legislature in 2007 to support the improvement of the healthcare system by promoting and coordinating health information exchange and health IT. HITRUST, best known for its Common Security Framework, offers certification of compliance with that framework.
In 2011, the Texas legislature authorized THSA to identify relevant security and privacy standards and develop a certification program that covered entities could use to demonstrate compliance with federal and state health information protection requirements. THSA hired HITRUST to develop the certification program, explains Tony Gilman, CEO of the authority.
The Texas certification builds on HITRUST's framework with several additional components that address compliance with provisions of the Texas Medical Record Privacy Act and other regulations, he says.
Validation of Compliance
The new Texas certification should be considered a mitigating factor when government regulators determine potential civil monetary fines for HIPAA violations, Gilman contends.
Under the HIPAA Omnibus Rule, enforcement penalties can range up to $1.5 million per violation. The Department of Health and Human Services' Office for Civil Rights in recent months has also signaled that it's ramping up enforcement. Earlier this month, it slapped two healthcare organizations with a total of nearly $2 million in fines in two settlements related to relatively small breaches involving stolen unencrypted mobile devices (see 2 Stolen Laptop Incidents Lead to Penalties).
In late March, THSA sent a letter to OCR asking whether OCR would consider an entity's Texas certification when deciding whether to impose penalties for HIPAA violations. Specifically, THSA is seeking clarification from OCR about whether the office would consider the Texas certification as evidence of a covered entity's "history of prior compliance" with HIPAA as a mitigating factor in determining fines, Gilman says.
But so far, THSA has not received a formal response from OCR, Gilman says.
An OCR spokeswoman tells Information Security Media Group: "While OCR does not endorse any particular credentialing or accreditation program, we certainly encourage covered entities and business associates to build strong compliance programs internally. Many of these credentialing/accreditation programs can help them do so."
The spokeswoman adds: "OCR considers mitigation and aggravating factors when determining the amount of a civil monetary penalty, and these include the entity's history of prior compliance. An entity with a strong compliance program in place, with the help of a credentialing/accreditation program or on its own, would have that taken into account when determining past compliance."
Children's Medical Center Dallas is the first covered entity to receive the new Texas privacy and security certification. The medical center sought to obtain the certification after attaining Common Security Framework compliance certification from HITRUST earlier this year, says Pamela Arora, CIO at Children's.
Many of the processes involved in getting the Texas and HITRUST certifications are similar, she says. The Texas certificate builds upon the HITRUST CSF certification, with some extra requirements, including engaging additional stakeholders, such as an organization's medical affairs, health information management and legal departments, in the process, Arora says.
The CIO explains that the HITRUST CSF certification that is available for health entities nationally involves conducting a security and privacy self-assessment against the framework; engaging a third-party vendor to evaluate the medical center's compliance programs; and updating programs and implementing any needed changes based on the assessments. Then HITRUST reviews the results and awards certification if qualifications are met.
The Texas certification process includes all those steps, plus another step - validating compliance with THSA's specific certification requirements, such as adherence to state regulations, she says.
Helping to avoid hefty government financial sanctions wasn't the main motivation for Children's seeking the certifications, Arora says. Rather, the certifications provide additional motivation for the hospital to continually assess and validate its compliance, she says.
For instance, Children's needs to annually perform "smaller" assessments and validations "taking into account the changing privacy and security landscape," and then become re-certified every other year by HITRUST.
"This is a second set of eyes validating our HIPAA compliance program," she says.
Working with other healthcare entities that also adhere to the same security framework and rules of the road is important to Children's Medical Center, Arora says. "Having only one driver following the rules doesn't make everyone safer," she says.
The hospital CIO says the continuum of patient care is dependent on the flow of data - and that flow of data from one entity to another is based on trust. "So data will only flow at the speed of trust."