"In addition to the large overhaul of our criteria's privacy and security sections with HITRUST's CSF requirements, a wide range of other enhancements have been made to each program based on feedback from accredited organizations and approved recommendations from the EHNAC Criteria Committee," EHNAC Senior Site Reviewer/Auditor Ron Moser said in a statement.
"These include clarifications, updates to ancillary documentation included with EHNAC packages, elimination of some criteria, clarification on the requirement for claims attachments backups, and additional customer support criteria, among others," he continued. "And throughout this 60-day public review period, we hope to receive even more feedback from the industry and stakeholders as they determine the effectiveness of these changes."
The 18 enhanced criteria programs and their new version numbers include:
- ACOAP - Accountable Care Organization Accreditation Program (V3.0)
- CEAP - Cloud Enabled Accreditation Program (V1.2)
- DRAP - Data Registry Accreditation Program (V3.0)
- DTAAP-CA - Direct Trusted Agent Accreditation Program for Certificate Authorities (V3.0)
- DTAAP-HISP P&S - Direct Trusted Agent Accreditation Program for Health Information Service Providers (V1.0)
- DTAAP-RA - Direct Trusted Agent Accreditation Program for Registration Authorities (V3.0)
- ePAP-EHN - e-Prescribing Accreditation Program (V8.0)
- EPCSCP-Pharmacy - Electronic Prescription of Controlled Substances Certification Program - Pharmacy Vendor (V3.0)
- EPCSCP-Prescribing - Electronic Prescription of Controlled Substances Certification Program - Prescribing Vendor (V3.0)
- FSAP-EHN - Financial Services Accreditation Program for Electronic Health Networks (V4.0)
- FSAP-Lockbox - Financial Services Accreditation Program for Lockbox Services (V4.0)
- HIEAP - Health Information Exchange Accreditation Program (V3.0)
- HNAP-EHN - Healthcare Network Accreditation Program for Electronic Health Networks [Includes Payer] (V12.0)
- HNAP-Medical Biller - Healthcare Network Accreditation Program for Medical Billers (V3.0)
- HNAP-TPA - Healthcare Network Accreditation Program for Third Party Administrators (V3.0)
- MSOAP - Management Service Organization Accreditation Program (V3.0)
- OSAP - Outsourced Services Accreditation Program (V3.0)
- PMSAP - Practice Management System Accreditation Program (V3.0)
Health IT infrastructure is addressed thoroughly in these updates. Organizations following the Cloud Enabled Accreditation Program (CEAP), for example, can ensure that cloud vendors are managing their healthcare data across cloud-enabled networks in line with compliance regulations.
CEAP is a baseline for the CSP FedRAMP-standard platform service for stakeholders to ensure that cloud infrastructure is in compliance with federal guidelines and frameworks. This includes the areas of integrity, portability, interoperability, compliance monitoring, reporting, and industry accreditation.
The updated 2018 criteria are prompted by EHNAC’s recently announced partnership with HITRUST. The collaboration between the two organizations was announced back in February. EHNAC was designated as an Assessor for HITRUST, which allows the former to assist healthcare organizations in developing better data privacy and security measures.
The HITRUST CSF addresses regulatory and compliance requirements, including HIPAA and HITECH, and helps organizations comply with both government and third-party requirements, such as FTC guidelines and the NIST Cybersecurity Framework.
EHNAC Executive Director Lee Barrett explained to HealthITSecurity.com that the designation will help organizations streamline security and compliance assurances so tasks can be less redundant and complex.
“We are now the only organization in the industry with the ability to provide both EHNAC accreditation and HITRUST CSF certification,” Barrett said. “Organizations that obtain a CSF certification may also leverage that assessment in obtaining accreditation for any of EHNAC’s 18 stakeholder-specific accreditation programs.”
The updated 2018 criteria can be used to ensure that infrastructure data is exchanged in line with compliance regulations for payers and providers. The 60-day window gives healthcare organizations the opportunity to make sure these changes are effective.