SECURETexas Health Information Privacy & Security Certification Program FAQs

Transcription

1 What is the relationship between the Texas Health Services Authority (THSA) and the Health Information Trust Alliance (HITRUST)? The THSA and HITRUST have partnered to help improve the protection of healthcare information for Texas residents. The THSA is leveraging the HITRUST CSF, the most widely-adopted security framework in the U.S. healthcare industry, to form the basis of the SECURETexas: Health Information Privacy & Security Certification Program, as created in accordance with Texas House Bill (HB) 300 passed in HITRUST was awarded the exclusive contract to provide certification recommendation and related services to the THSA in support of the program but the criteria for certification and the award of certifications under the program are determined by the THSA in conjunction with the Texas Health and Human Services Commission, which codifies the standards in rule. What exactly is the SECURETexas Certification? The certification allows Texas covered entities to show they have met privacy and security standards in order to reduce regulatory penalties, manage risk and increase confidence in how they protect health information. In Texas House Bill 300 (82R), as codified in Texas Health and Safety Code Section (d), the Texas Legislature directed the Texas Health Services Authority (THSA) to establish a process by which a covered entity may apply for certification by the THSA of a covered entity s past compliance with privacy and security standards ratified by the Texas Health and Human Services Commission (HHSC) for the electronic sharing of protected health information. Those standards can be found at Title 1, Chapter 390, Texas Administrative Code. Is a court required to consider whether the covered entity was certified at the time of the violation? Yes. THSC Sections and state that the court or agency shall consider this information, thus making such consideration mandatory. How often is a security analysis required under HIPAA? HIPAA does not specify how often a security analysis must be completed. However, as a best practice, a security analysis should be completed on an annual basis. Does the SECURETexas Certification measure compliance with HIPAA? Will obtaining the SECURETexas Certification help with an OCR audit? Yes, SECURETexas certification includes compliance with both federal and state laws. Obtaining the SECURETexas Certification will help with an OCR audit by providing the covered entity with a tool to display prior compliance with HIPAA privacy and security rules, thus potentially reducing any civil money penalties under HIPAA in compliance with 45 CFR (c). Does the SECURETexas Certification certify that Texas covered entities will be compliant with state and federal privacy and security law into the future? No, THSC (d) states specifically that the THSA shall establish a process by which a covered entity may apply for certification by the [THSA] of a covered entity s past compliance with standards developed by the THSA for the electronic sharing of protected health information. However, it is likely that an entity with a focus on and an environment encouraging compliance will remain compliant with the law after the certification audit is finished. 1 of 5

2 Since this is voluntary, what are the benefits of obtaining certification? Obtaining the THSA s SECURETexas Certification will benefit Texas covered entities in many ways, including better compliance with HIPAA and other federal privacy and security standards, as well as mitigation of civil and administrative penalties for violations of the Texas Medical Records Privacy Act. It will also clearly demonstrate to business partners, healthcare providers, and patients that the covered entity cares about privacy and security. How does this relate to or reduce HIPAA and breach-related fines and penalties? In general, if the organization can show federal and state regulators it obtained certification and maintains its practices and policies around privacy and security, the regulators will consider it in making a determination as to the amount of fines or penalties assessed. Pursuant to 45 CFR (c), in determining the amount of any civil money penalty, the Secretary of the U.S. Department of Health and Human Services will consider mitigating factors, including the history of prior compliance with the administrative simplification provisions. Obtaining the SECURETexas Certification will provide the covered entity a tool to display this prior compliance, potentially reducing any potential civil money penalties under HIPAA: Between $100-$50,000 for each violation up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if the entity did not know of the violation. Between $1,000-$50,000 for each violation up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if there was a reasonable cause for the violation. Between $10,000-$50,000 for each violation up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if there was willful neglect but the organization took corrective action. $50,000 for each violation up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if there was willful neglect and the organization did not take corrective action. How does this relate to or reduce Texas and federal breach-related fines and penalties? In general, if the organization can show federal and state regulators it obtained certification and maintains it practices and policies around privacy and security, the regulators will consider it in making its determination as to the fines or penalties assessed. Pursuant to Section (b), Health & Safety Code, the Texas Office of the Attorney General (OAG) may institute an action for civil penalties against a Texas covered entity for violation of the Texas Medical Records Privacy Act not to exceed: $5,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed negligently. $25,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed knowingly or intentionally. $250,000 for each violation in which the covered entity knowingly or intentionally used PHI for financial gain. Up to $1,500,000 if the court finds that the violations have occurred with a frequency to constitute a pattern or practice. However, pursuant to Sections and , Health & Safety Code, when imposing civil or administrative penalties against a Texas covered entity for a violation of the Texas Medical Records Privacy Act, the court must consider six factors, including whether the covered entity had the THSA s SECURETexas Certification at the time of the violation. 2 of 5

3 Furthermore, obtaining the THSA s SECURETexas Certification may help prove another mitigating factor the covered entity s compliance history that will reduce the amount of the civil or administrative penalty. The results of the certification survey can act as direct evidence of the covered entity s compliance with the Texas Medical Records Privacy Act. Who is eligible to apply for SECURETexas Certification? Almost any individual or organization that comes into possession of protected health information is eligible to apply. This includes governmental entities, healthcare providers, health plans, pharmacies, laboratories and their business associates, as well as other businesses or individuals who have access to protected health information. What is the process and how much does it cost? There are three approaches available based on the size and type of organization. Most organizations will be required to undergo an onsite assessment by a third party HITRUST CSF Assessor and submit those documents to HITRUST for review, which carry costs based on the size and complexity of the assessment. If the organization has met the requirements for SECURETexas Certification, HITRUST will provide a recommendation letter that the assessed entity can submit to THSA for certification. The certification fee varies from $2,500 to $7,500 based on an organization s size. Healthcare providers with annual revenue less than $5 million (small providers) will be able to submit documents directly to HITRUST for a remote assessment. The remote assessment fee is $2,500. If the organization has met the requirements for SECURETexas Certification, HITRUST will provide a recommendation letter that the assessed entity can submit to the THSA for certification. Entities with 150 or fewer employees are not required to contract with a third-party assessor regardless of how much revenue the entity generates each year. HITRUST will conduct a remote assessment of these entities, with fees varying from $1500 to $3000. Do you expect small organizations to seek certification? Yes, absolutely. The benefits of certification apply to small organizations as well as to larger organizations; small organizations are more likely to need help ensuring that they are aware of and meeting all state and federal requirements. Is Texas the first state to offer such a program? Yes, Texas is the first state to offer a certification for compliance with federal regulations and state level medical privacy laws. Texas hopes to set an example for the rest of the country that covered entities are dedicated to protect the privacy and security of patients sensitive health information. Do you anticipate other states will follow the approach? Yes, after Texas displays the benefits of obtaining its certification, including a higher level of compliance in safeguarding PHI, other states will likely follow suit. 3 of 5

4 Why did the THSA contract with only one vendor to operate the SECURETexas Certification Program? HITRUST is an industry leader in the certification of compliance with medical security law and is expanding its offering to include privacy law in This existing system made for a strong foundation for the SECURETexas Certification Program. Additionally, while the THSA and HITRUST are partnering on developing the program, one of HITRUST s strengths is that it allows entities to contract independently with approved HITRUST CSF Assessor organizations, none of which are HITRUST-owned. Why did Texas provide a vehicle for certification when the federal government does not? Texas has always gone above and beyond federal law in protecting patients health information. Texas strengthened the protections found in HIPAA by creating the Texas Medical Records Privacy Act in 2001 and again strengthened the protections found in the HITECH Act by passing House Bill 300 in This included creating a robust certification program that could measure a covered entity s compliance with the myriad of state and federal laws relating to the privacy and security of protected health information. This helps an organization know proactively if it complies with federal regulations and state level medical privacy laws. How does this relate to information protection of HIEs and HIXs in Texas? SECURETexas Certification provides a standard mechanism for demonstrating compliance with federal and state privacy and security laws and industry best practices for the protection of sensitive patient information, which HIEs and HIXs can leverage to provide shared assurances with regulators and among business partners, participating organizations and their customers. Are there any advantages for organizations to get a SECURETexas Certification when they do their annual HIPAA risk assessments? The SECURETexas Certification includes an assessment of compliance with HIPAA and other related privacy and security laws at the federal and state level. Accordingly, covered entities may use SECURETexas Certification to make reasonable assertions about their state of HIPAA compliance in lieu of a separate HIPAA risk assessment. If I don t want to seek SECURETexas Certification, do I still need to comply with the Texas Medical Records Privacy Act? Yes, a covered entity doing business in Texas is required to comply with the Texas Medical Records Privacy Act found in Texas Health and Safety Code Chapter 181, which was amended by passage of House Bill 300 (82R). The covered entity must also comply with the applicable standards codified in Title 1 Texas Administrative Code Chapter 390, regardless of whether or not it seeks SECURETexas Certification. However, it is to a covered entity s benefit to have SECURETexas Certification as it may demonstrate to federal and state regulators its current and prior compliance with the law in the event of a data breach or a consumer complaint that initiates an investigation or audit. If our organization is HITRUST CSF Certified, can that be leveraged to support our SECURETexas Certification? If the HITRUST CSF certification was issued in the last six months, it can be leveraged to demonstrate compliance with controls that are also required for SECURETexas Certification. The organization would then only have to have the additional requirements assessed by a HITRUST CSF Assessor. 4 of 5

5 If our organization already subscribes to the HITRUST MyCSF tool, what do we need to do to perform a SECURETexas readiness assessment or track our remediation? Organizations with a current subscription to the HITRUST MyCSF tool will automatically have access to Texas privacy and security control requirements and have the ability to perform a readiness assessment against them at no additional charge. In addition, organizations with a MyCSF Plus subscription will also be able to track their corrective action plan at no additional charge. Where can I go to learn more? More information on the SECURETexas Certification Program can be found at SecureTexas.org. Organizations interested in learning more about the certification recommendation and related services provided by HITRUST should visit HITRUSTAlliance.net/texas. 5 of 5