
Statement to the Subcommittee on Health Data Needs, Standards, and Security of the National Committee on Vital and Health Statistics (NCVHS)
RE: Perspectives on Implementation of Security in Health Care Provisions relating to P.L. 104-191
Presented by Lee Barrett
August 6, 1997
My name is Lee Barrett. I am Executive Director of the Electronic Healthcare Network Accreditation Commission (EHNAC). It is my pleasure to appear today on behalf of EHNAC before the Subcommittee on Health Data Needs, Standards, and Security of the National Committee on Vital and Health Statistics (NCVHS). I would like to thank you for the opportunity to testify.
My statement summarizes the views and concerns of the EHNAC and its accreditation activities as they relate to the healthcare industry and electronic transactions of health information addressed by the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191).
Let me begin by telling you about EHNAC. With the help of industry work groups, EHNAC establishes clear criteria against which clearinghouse and value-added network performance is measured. The four major areas evaluated include Privacy/Confidentiality, Technical Performance, Business Practices, and Resources. EHNAC defines its evaluation and accreditation procedures, including different accreditation levels, methods for granting and revoking accreditation, probationary periods and provisional accreditation. These steps are intended to represent full disclosure of the process and rules under which accreditation will operate, giving participants as clear an understanding as possible of expectations and processes.
The EHNAC Accreditation process provides an independent peer evaluation of an organization's ability to perform to certain industry-established criteria. The process allows companies to review their existing performance levels and to bring those levels into accordance with industry-established criteria with the help of the accrediting body and industry mentors.
Accreditation supports continuous improvement of an organization while helping to raise the standards of an industry as a whole, by evaluating performance against industry-established criteria. It offers a viable alternative to government regulation. The accreditation process and the work of an independent accrediting body protect the interests of the general public while providing a benchmark for prospective users to evaluate service capabilities.
The following comments will address the questions we were asked to discuss, as well as any other issues that could be of concern to the process of accreditation.
The following criteria have been established by a committee of over 50 individuals representing a broad-based coalition of Value Added Networks (VANs), clearinghouses and other interested parties. This set of criteria is presently being reviewed to assure that the use of the Internet, Intranets and other electronic transmission sources is appropriately safeguarded.
STANDARD I: PRIVACY AND CONFIDENTIALITY
Accredited companies must have appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of protected healthcare information. These safeguards must protect against any anticipated threats or hazards to the security or integrity of such information.
MEASURES TO ENSURE DATA SECURITY
I.A. 1.a SHALL have policies to protect against disclosure of personally identifiable healthcare data.
Samples of acceptable evidence:
- personnel handbook
- company policies
- employee privacy and confidentiality agreements
- employee contracts
- nondisclosure agreements
- general description of password protection procedures
I.A. 2.a SHALL maintain all necessary resources to ensure continuing compliance with data security policies, including secure methods of access to and transmission of data.
Samples of acceptable evidence:
- personnel handbook
- company policies
- employee privacy and confidentiality agreements
- employee contracts
- nondisclosure agreements
I.A. 3.a SHALL provide educational resources to ensure employee training sufficient to maintain compliance.
Samples of acceptable evidence:
- training program description
- general description of password protection procedures
I.A. 4.a SHALL use protected healthcare information about individuals only as is necessary for the processing of appropriate electronic transmissions.
Samples of acceptable evidence:
- employee privacy and confidentiality agreements
- employee contracts
- non-disclosure agreements
- general description of password protection procedures
I.A. 5.a SHALL refrain from selling or otherwise using personally identifiable data in such a way as to violate privacy or confidentiality as defined by government standards.
Samples of acceptable evidence:
- employee privacy and confidentiality agreements
- employee contracts
- non-disclosure agreements
- general description of password protection procedures
I.A. 6.a SHOULD have plans for utilizing or supporting encryption as a security measure in compliance with any legislation requiring it.
EHNAC refers to its process and documentation as criteria, rather than standards. All of these criteria certainly could be adopted by the Secretary, with the potential inclusion of additional forms of documentation, if warranted. As previously indicated, EHNAC is undertaking a review of the existing criteria to assure that the Internet, Intranets and other electronic means are included. As other business and industry needs are identified, EHNAC uses its consensus-based process to address the requirements and assure compliance.
To be accredited, a company must comply with 100% of the SHALL criteria and 30% of the SHOULD criteria.
CRITERIA I: PRIVACY AND CONFIDENTIALITY
Accredited companies must have appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of protected healthcare information. These safeguards must protect against any anticipated threats or hazards to the security or integrity of such information.
CRITERIA II: TECHNICAL PERFORMANCE
Accredited companies must provide their customers the capability to send and receive data transmissions electronically in appropriate formats while assuring security, privacy and confidentiality, timeliness, and accuracy (including effective safeguards and recovery procedures against viruses, transmission interruptions, data handling errors and other internally and/or externally caused problems). This capability must include compliance with generally accepted industry standard formats such as UB92, NSF and Accredited Standards Committee X12, and any other government-mandated standards. "Electronic Data Interchange" or "EDI" means the computer application-to-application exchange of business data in a standard format using a telecommunications network.
CRITERIA III: BUSINESS PRACTICES
Accredited companies must have business practices that facilitate the maintenance of the technical performance Criteria and must exhibit truth-in-advertising, i.e., the company must actually be doing what it says it will do for customers. To qualify in this Criteria area, accredited companies must: have procedures for measuring customer satisfaction; provide non-restricted systems of access; adequately provide for customer education and training; and have standard contract or service agreements.
CRITERIA IV: RESOURCES
Accredited companies must possess the physical, human and administrative resources necessary to maintain a high level of technical performance and business practices. These resources must include: plant and equipment facilities adequate to conduct the company's current and anticipated business volume; qualified professional and staff personnel; and professional development programs to keep up with changes in the industry. While resource-related criteria are primarily expressed in terms of inputs, they are required because of their basic role as guarantors of effective outcome performance.
In addition to the criteria already established, EHNAC has a Standards Committee comprised of a broad-based coalition of participants from various sectors of the healthcare industry who review the current criteria and recommend changes, where appropriate. For example, the committee will be meeting on August 12th to consider criteria for inclusion to address the Internet, including provisions regarding security for this medium.
Although the criteria are stable, the committee is always reviewing the documentation to assure consistency, appropriate levels of coverage, business necessity, and the information required to achieve compliance.
EHNAC also collaborates with other industry organizations such as the Association for Electronic Health Care Transactions (AFEHCT) and others to incorporate other business requirements and to educate and increase awareness concerning the HIPAA legislation and the aspects of security and confidentiality. EHNAC also works with other standards organizations to assure that their development efforts and requirements are incorporated, where appropriate.
Yes, we feel that the government should be actively involved in industry discussions and assist in the following ways:
Support of these initiatives will help to assure that the industry is best positioned to incorporate criteria and standards for security and confidentiality. These areas have become critical and will be even more so as patient records and other clinical information are transmitted through multiple sources.
Thank you for the opportunity to present our perspectives on issues associated with security. EHNAC looks forward to a continued and productive relationship with NCVHS and the Subcommittee on Health Data Needs, Standards, and Security.
Other materials provided with this testimony:
ELECTRONIC TRANSACTIONS CRITERIA for the Healthcare Industry, 13th Version, November 19, 1996