New certification program provides 'safe harbor' of privacy, security compliance

Texas is the first state in the nation to create a formal Covered Entity Privacy and Security Certification Program, enabling covered entities within the state to demonstrate their commitment to protecting patients' health information. The program, developed as part of Texas' House Bill (HB) 300 amending its Medical Records Privacy Act, also enhances consumer access to electronic health records, requires notification and authorization for electronic disclosure of protected health information (PHI), requires standards for electronic data sharing, and increases penalties for violations. The program applies to "covered entities" as defined by Texas law.

The Texas Health Services Authority (THSA) and the Health Information Trust Alliance (HITRUST) have partnered to implement the Certification Program.

Tony Gilman, executive director of THSA and Daniel Nutkis, chief executive officer of HITRUST, talked exclusively with FierceEMR, sharing the details of the program, as well as their expectations.

FierceEMR: What is the purpose of the certification program?

Gilman: As we move to an electronic world, patients and consumers will continue to be interested in protecting their personal health information. There is a lot of value in being able to show that you're taking proactive steps to protect the data. Plus the government can also take certification into consideration as a mitigating factor when imposing penalties for a violation.

Nutkis: A lot of people have been disappointed that there has been no seal of approval for doing what you're supposed to be doing. This is the first state to provide a safe harbor. This is a fantastic event.

FierceEMR: How does the program work?

Gilman: Small covered entities will be allowed to conduct a self-assessment and submit it to HITRUST for review. Larger organizations, like a payer or hospital, will likely partner with a third-party assessor to do assessments. Covered entities can attain either THSA certification or both THSA's certification and HITRUST's national Common Security Framework (CSF) certification.

FierceEMR: How much does certification cost?

Gilman: The cost of the program changes based on the amount of revenue the covered entity generates in a year. For example, a "small entity" (one that generates less than $5 million revenue in a year) that seeks to attain only the THSA's certification (and not HITRUST's CSF certification) will pay $5,000, and must reapply for certification each year. If the small entity is getting the HITRUST CSF certification and wants to add the Texas certification as well, the price for the Texas portion is $2,500.

Nutkis: Note that certification is voluntary. But the law is not voluntary. HB 300 isn't optional; HIPAA isn't optional. And with attorneys general enforcing more, this will have a lot of impact.

FierceEMR: The program is expected to launch by the end of this year. What kind of interest have you received, thus far?

Gilman: Several Texas covered entities have already shown interest in obtaining certification. Also, as providers become more focused on the HIPAA and Meaningful Use Stage 2 security risk assessment requirements, we anticipate more interest from smaller entities in the program.

FierceEMR: Will it have an impact beyond Texas?

Nutkis: Two other states have already expressed interest in creating certification programs. For states that don't approach [HITRUST], we'll be approaching them.

This interview has been edited and condensed for clarity.