While at HIMSS last week, I got a chance to sit down with Lee Barrett, Electronic Healthcare Network Accreditation Commission (EHNAC)’s executive director, to get an update on his organization’s newest accreditation program, the Health Information Exchange Accreditation Program (HIEAP), as well as how its other certification programs are going.
Last year we reported that UHIN’s cHIE in September was the first HIE to be certified by EHNAC (Farmington, Conn.). Currently, there are three more HIEs going through the certification process, according to Barrett, but it’s too early to release the names of those HIEs. The HIEAP not only accredits HIEs, but also vendors over roughly a six-month period with several steps, including a site visit. “Security is key to increasing trust,” Barrett emphasizes. Making sure that the infrastructure to exchange data meets privacy and security regulations is crucial, he adds. Eventually, Barrett believes there will be a federal mandate for HIEs to be accredited like electronic health records (EHRs).
Management Service Organization Accreditation
Another accreditation program gaining steam that EHNAC recently released is the Management Service Organization Accreditation Program (MSOAP) that assesses security infrastructure and data integrity measures of centralized data operating centers. This program ensures MSOs exceed industry-established standards and comply with Health Insurance Portability and Accountability Act (HIPAA) regulations in areas such as privacy and confidentiality measures, level-of-service and escalation procedures, transaction response times, and systems availability.
State regulatory agencies, like the Baltimore-based Maryland Health Care Commission (MHCC), are looking for a level of confidence, says Barrett, and are embracing MSOAP accreditation as a state requirement, because these organizations are increasingly becoming consolidators of personal health information (PHI) and have as much stake in privacy and security as hospitals do. Barrett says there are now 20 organizations going through the MSOAP program in Maryland. And his organization is working with other states like Minnesota and Utah to create accreditation programs, as well as having conversations with the Office of the National Coordinator of Health information Technology (ONC) to possibly create a federal program.
Financial Services Certification
Barrett also stresses the importance of making sure financial institutions are up to snuff on developing and implementing policies to ensure compliance with using and disclosing PHI. He notes the importance for these institutions to identify their potential status as a “covered entity” or a “business associate” under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. His organization’s Financial Services Accreditation Program (FSAP) has two routes, the FSAP-EHN (electronic health network), which ensures that the organization follows established criteria for processing payments and other financial transactions, while the FSAP-Lockbox accredits financial entities, outsourcer organizations, and other third party administrators having lockbox operations that handle healthcare data.
One thing Barrett confirms his organization won’t be accrediting is electronic health records. He contends that the space is already full enough and that EHNAC “doesn’t want to add to that ambiguity.”
