EHNAC, HITRUST ease security certification processes

The groups' unified efforts aim to reduce redundancies and costs, says Lee Barrett.


For many years, the Electronic Healthcare Network Accreditation Commission has accredited vendors, providers and other stakeholders for meeting a series of best business practices, which includes privacy and security practices.

Recently, HITRUST has begun certifying industry stakeholders that meet a comprehensive set of best practices for the security and availability of healthcare data. But many stakeholders get certified under both programs and have been asking EHNAC and HITRUST to streamline the privacy and security processes to avoid redundant assessments, additional complexities and added cost.

Now, that will happen as EHNAC will drop its privacy and security procedures and adopt the HITRUST procedures. The organizations mapped criteria between the two programs and found significant overlap, says Lee Barrett, executive director of EHNAC.

For instance, a stakeholder that goes through both accreditations will start with the HITRUST Common Security Framework certification, known as CSF, and will not have to do the privacy-security components of EHNAC. EHNAC will port over the HITRUST certification when the stakeholder goes through EHNAC accreditation. CSF will be the surviving standard for privacy and security controls for both programs.

That means that CSF will be incorporated into all 18 of EHNAC’s accreditation programs, according to Barrett. Further, EHNAC will be an assessor for HITRUST and use the CSF for its privacy and security components.

In all other ways, both organizations will continue with their proprietary accreditation programs.

“This removes the concentric circles,” says Daniel Nutkis, CEO at HITRUST. “Organizations felt they were wasting resources and time—the responsibility was on us to streamline the process.”
