EHNAC accreditation now aligns with HIPAA audit policies

The Electronic Healthcare Network Accreditation Commission, which offers 18 programs to accredit healthcare software vendors for meeting best business and security practices, has finalized its criteria for 2017.

Three of the changes are impactful, says Lee Barrett, executive director at EHNAC. The most meaningful change is aligning the program with the HHS Office for Civil Rights HIPAA audit protocols. Any organization with EHNAC accreditation will be in a better position if it is audited because the organization already will have documentation of policies and procedures to quickly respond to OCR inquiries. In 2016, four organizations that are members of EHNAC were audited by OCR and did very well, he adds.


Under the updated criteria, 18 programs now will require more specificity on uses and disclosures of protected health information, such as how PHI is handled, reviewed or modified, and to better spell out how role-based access to PHI is handled, such as determining and tracking who has view-only access and who has rewrite access. OCR, for instance, will be able to understand if a record was modified by other than designated individuals.
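The role-based access and change-tracking requirement described above can be pictured as two controls working together: a role check that separates view-only from rewrite access, and an audit trail an auditor can query to see whether a record was changed by anyone outside the individuals designated for it. The following Python sketch is an added illustration written for this page; it is not code from EHNAC, OCR or any accredited vendor, and the role names, user names, record identifiers and PHI values in it are constructed sample data.

```python
"""Added illustration (not from the article or any EHNAC program): role-based
access to PHI with an audit trail that lets a reviewer answer the question
"was this record modified by other than the designated individuals?"
All users, roles, records and values below are constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    VIEW_ONLY = "view-only"   # may read PHI records
    REWRITE = "rewrite"       # may read and modify PHI records


@dataclass
class AuditEvent:
    user: str
    action: str          # "view" or "modify"
    record_id: str
    allowed: bool        # False means the attempt was denied by the role check


@dataclass
class PhiStore:
    roles: dict                                   # user -> Role
    records: dict = field(default_factory=dict)   # record_id -> PHI value
    audit_log: list = field(default_factory=list)

    def _log(self, user, action, record_id, allowed):
        # Every attempt is recorded, denied or not, so the trail is complete.
        self.audit_log.append(AuditEvent(user, action, record_id, allowed))

    def view(self, user, record_id):
        allowed = user in self.roles        # both roles may view
        self._log(user, "view", record_id, allowed)
        if not allowed:
            raise PermissionError(f"{user} may not view {record_id}")
        return self.records.get(record_id)

    def modify(self, user, record_id, new_value):
        allowed = self.roles.get(user) is Role.REWRITE
        self._log(user, "modify", record_id, allowed)
        if not allowed:
            raise PermissionError(f"{user} may not modify {record_id}")
        self.records[record_id] = new_value


def modifications_outside_designated(store, designated):
    """Return successful modifications made by users who are not among the
    individuals designated for that record (designated: record_id -> set of
    users). A rewrite role alone is not enough; the auditor compares against
    who was actually designated."""
    return [e for e in store.audit_log
            if e.action == "modify" and e.allowed
            and e.user not in designated.get(e.record_id, set())]


def demo():
    """Constructed scenario: a clerk with view-only access, and two
    clinicians with rewrite access of whom only one is designated."""
    store = PhiStore(roles={"dr_alice": Role.REWRITE,
                            "clerk_bob": Role.VIEW_ONLY,
                            "dr_carol": Role.REWRITE})
    store.records["pt-001"] = "allergy: penicillin"
    store.view("clerk_bob", "pt-001")                      # allowed
    try:
        store.modify("clerk_bob", "pt-001", "allergy: none")  # denied, still logged
    except PermissionError:
        pass
    store.modify("dr_alice", "pt-001", "allergy: penicillin, latex")  # designated
    store.modify("dr_carol", "pt-001", "allergy: none")    # rewrite role, not designated
    designated = {"pt-001": {"dr_alice"}}
    return store, modifications_outside_designated(store, designated)


if __name__ == "__main__":
    store, flagged = demo()
    for event in store.audit_log:
        print(event)
    print("flagged:", [e.user for e in flagged])
```

The point of the separate `designated` mapping is that the role check and the audit question are not the same control: the role check stops the clerk, but only the audit trail shows that a clinician who held rewrite access changed a record she was not designated for.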


Additional changes to EHNAC criteria better define the roles and responsibilities of the three types of vendors that support the Direct Trust secure messaging protocols. Before Direct Trust users can exchange messages and attachments, they must interact with three "trusted agents," each of which has separate roles and responsibilities, Barrett explains.

Here is how it works:

• A Health Information Service Provider, or HISP, handles the encryption and identity validation on behalf of a Direct Trust addressee, assigns accounts and addresses, and arranges for the addresses to be issued an X.509 digital certificate.

• A Certificate Authority, or CA, issues the X.509 digital certificate, along with the public key, to the addressee, relying on information supplied to it by the Registration Authority, or RA, which verifies and proofs the identity of the addressee applying for an X.509 digital certificate.

Consequently, Direct Trust this year added eight new criteria for health information service providers and seven new criteria each for certificate authorities and registration authorities; EHNAC has added the same criteria to its programs.
