SECURETexas Health Information Privacy & Security Certification Program FAQs




What is the relationship between the Texas Health Services Authority (THSA) and the Health Information Trust Alliance (HITRUST)?
The THSA and HITRUST have partnered to help improve the protection of healthcare information for Texas residents. The THSA is leveraging the HITRUST CSF, the most widely adopted security framework in the U.S. healthcare industry, to form the basis of the SECURETexas Health Information Privacy & Security Certification Program, created in accordance with Texas House Bill (HB) 300, passed in 2011. HITRUST was awarded the exclusive contract to provide certification recommendation and related services to the THSA in support of the program, but the criteria for certification and the award of certifications under the program are determined by the THSA in conjunction with the Texas Health and Human Services Commission, which codifies the standards in rule.

What exactly is the SECURETexas Certification?
The certification allows Texas covered entities to show they have met privacy and security standards in order to reduce regulatory penalties, manage risk and increase confidence in how they protect health information. In Texas House Bill 300 (82R), as codified in Texas Health and Safety Code Section 182.108(d), the Texas Legislature directed the THSA to establish a process by which a covered entity may apply for certification by the THSA of the covered entity's past compliance with privacy and security standards ratified by the Texas Health and Human Services Commission (HHSC) for the electronic sharing of protected health information. Those standards can be found at Title 1, Chapter 390, Texas Administrative Code.

Is a court required to consider whether the covered entity was certified at the time of the violation?
Yes. THSC Sections 181.201 and 181.205 state that the court or agency shall consider this information, thus making such consideration mandatory.

How often is a security analysis required under HIPAA?
HIPAA does not specify how often a security analysis must be completed. However, as a best practice, a security analysis should be completed on an annual basis.

Does the SECURETexas Certification measure compliance with HIPAA? Will obtaining the SECURETexas Certification help with an OCR audit?
Yes, SECURETexas Certification includes compliance with both federal and state laws. Obtaining the SECURETexas Certification will help with an OCR audit by providing the covered entity with a tool to display prior compliance with the HIPAA privacy and security rules, thus potentially reducing any civil money penalties under HIPAA in accordance with 45 CFR 160.408(c).

Does the SECURETexas Certification certify that Texas covered entities will be compliant with state and federal privacy and security law into the future?
No. THSC 182.108(d) states specifically that the THSA shall establish a process by which a covered entity may apply for certification by the [THSA] of a covered entity's past compliance with standards developed by the THSA for the electronic sharing of protected health information. However, an entity with a focus on compliance and an environment that encourages it is likely to remain compliant with the law after the certification audit is finished.

Since this is voluntary, what are the benefits of obtaining certification?
Obtaining the THSA's SECURETexas Certification will benefit Texas covered entities in many ways, including better compliance with HIPAA and other federal privacy and security standards, as well as mitigation of civil and administrative penalties for violations of the Texas Medical Records Privacy Act. It will also clearly demonstrate to business partners, healthcare providers and patients that the covered entity cares about privacy and security.

How does this relate to or reduce HIPAA and breach-related fines and penalties?
In general, if the organization can show federal and state regulators that it obtained certification and maintains its practices and policies around privacy and security, the regulators will consider this in determining the amount of fines or penalties assessed. Pursuant to 45 CFR 160.408(c), in determining the amount of any civil money penalty, the Secretary of the U.S. Department of Health and Human Services will consider mitigating factors, including the history of prior compliance with the administrative simplification provisions. Obtaining the SECURETexas Certification will provide the covered entity a tool to display this prior compliance, potentially reducing any civil money penalties under HIPAA:

- Between $100 and $50,000 for each violation, up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if the entity did not know of the violation.
- Between $1,000 and $50,000 for each violation, up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if there was reasonable cause for the violation.
- Between $10,000 and $50,000 for each violation, up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if there was willful neglect but the organization took corrective action.
- $50,000 for each violation, up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if there was willful neglect and the organization did not take corrective action.

How does this relate to or reduce Texas and federal breach-related fines and penalties?
In general, if the organization can show federal and state regulators that it obtained certification and maintains its practices and policies around privacy and security, the regulators will consider this in determining the fines or penalties assessed. Pursuant to Section 181.201(b), Health & Safety Code, the Texas Office of the Attorney General (OAG) may institute an action for civil penalties against a Texas covered entity for violation of the Texas Medical Records Privacy Act not to exceed:

- $5,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, if committed negligently.
- $25,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, if committed knowingly or intentionally.
- $250,000 for each violation in which the covered entity knowingly or intentionally used PHI for financial gain.
- Up to $1,500,000 if the court finds that the violations have occurred with a frequency that constitutes a pattern or practice.

However, pursuant to Sections 181.201 and 181.205, Health & Safety Code, when imposing civil or administrative penalties against a Texas covered entity for a violation of the Texas Medical Records Privacy Act, the court must consider six factors, including whether the covered entity had the THSA's SECURETexas Certification at the time of the violation.

Furthermore, obtaining the THSA's SECURETexas Certification may help prove another mitigating factor, the covered entity's compliance history, that will reduce the amount of the civil or administrative penalty. The results of the certification survey can act as direct evidence of the covered entity's compliance with the Texas Medical Records Privacy Act.

Who is eligible to apply for SECURETexas Certification?
Almost any individual or organization that comes into possession of protected health information is eligible to apply. This includes governmental entities, healthcare providers, health plans, pharmacies, laboratories and their business associates, as well as other businesses or individuals who have access to protected health information.

What is the process and how much does it cost?
There are three approaches available, based on the size and type of organization.

- Most organizations will be required to undergo an onsite assessment by a third-party HITRUST CSF Assessor and submit those documents to HITRUST for review, which carries costs based on the size and complexity of the assessment. If the organization has met the requirements for SECURETexas Certification, HITRUST will provide a recommendation letter that the assessed entity can submit to the THSA for certification. The certification fee varies from $2,500 to $7,500 based on an organization's size.
- Healthcare providers with annual revenue of less than $5 million (small providers) will be able to submit documents directly to HITRUST for a remote assessment. The remote assessment fee is $2,500. If the organization has met the requirements for SECURETexas Certification, HITRUST will provide a recommendation letter that the assessed entity can submit to the THSA for certification.
- Entities with 150 or fewer employees are not required to contract with a third-party assessor, regardless of how much revenue the entity generates each year. HITRUST will conduct a remote assessment of these entities, with fees varying from $1,500 to $3,000.

Do you expect small organizations to seek certification?
Yes, absolutely. The benefits of certification apply to small organizations as well as to larger organizations; small organizations are more likely to need help ensuring that they are aware of and meeting all state and federal requirements.

Is Texas the first state to offer such a program?
Yes, Texas is the first state to offer a certification for compliance with federal regulations and state-level medical privacy laws. Texas hopes to set an example for the rest of the country that covered entities are dedicated to protecting the privacy and security of patients' sensitive health information.

Do you anticipate other states will follow the approach?
Yes, after Texas displays the benefits of obtaining its certification, including a higher level of compliance in safeguarding PHI, other states will likely follow suit.

Why did the THSA contract with only one vendor to operate the SECURETexas Certification Program?
HITRUST is an industry leader in the certification of compliance with medical security law and is expanding its offering to include privacy law in 2014. This existing system made for a strong foundation for the SECURETexas Certification Program. Additionally, while the THSA and HITRUST are partnering on developing the program, one of HITRUST's strengths is that it allows entities to contract independently with approved HITRUST CSF Assessor organizations, none of which are HITRUST-owned.

Why did Texas provide a vehicle for certification when the federal government does not?
Texas has always gone above and beyond federal law in protecting patients' health information. Texas strengthened the protections found in HIPAA by creating the Texas Medical Records Privacy Act in 2001 and again strengthened the protections found in the HITECH Act by passing House Bill 300 in 2011. This included creating a robust certification program that could measure a covered entity's compliance with the myriad state and federal laws relating to the privacy and security of protected health information. This helps an organization know proactively whether it complies with federal regulations and state-level medical privacy laws.

How does this relate to information protection of HIEs and HIXs in Texas?
SECURETexas Certification provides a standard mechanism for demonstrating compliance with federal and state privacy and security laws and industry best practices for the protection of sensitive patient information, which HIEs and HIXs can leverage to provide shared assurances with regulators and among business partners, participating organizations and their customers.

Are there any advantages for organizations to get a SECURETexas Certification when they do their annual HIPAA risk assessments?
The SECURETexas Certification includes an assessment of compliance with HIPAA and other related privacy and security laws at the federal and state level. Accordingly, covered entities may use SECURETexas Certification to make reasonable assertions about their state of HIPAA compliance in lieu of a separate HIPAA risk assessment.

If I don't want to seek SECURETexas Certification, do I still need to comply with the Texas Medical Records Privacy Act?
Yes, a covered entity doing business in Texas is required to comply with the Texas Medical Records Privacy Act found in Texas Health and Safety Code Chapter 181, which was amended by passage of House Bill 300 (82R). The covered entity must also comply with the applicable standards codified in Title 1 Texas Administrative Code Chapter 390, regardless of whether or not it seeks SECURETexas Certification. However, it is to a covered entity's benefit to have SECURETexas Certification, as it may demonstrate to federal and state regulators its current and prior compliance with the law in the event of a data breach or a consumer complaint that initiates an investigation or audit.

If our organization is HITRUST CSF Certified, can that be leveraged to support our SECURETexas Certification?
If the HITRUST CSF certification was issued within the last six months, it can be leveraged to demonstrate compliance with controls that are also required for SECURETexas Certification. The organization would then only have to have the additional requirements assessed by a HITRUST CSF Assessor.

If our organization already subscribes to the HITRUST MyCSF tool, what do we need to do to perform a SECURETexas readiness assessment or track our remediation?
Organizations with a current subscription to the HITRUST MyCSF tool will automatically have access to the Texas privacy and security control requirements and will be able to perform a readiness assessment against them at no additional charge. In addition, organizations with a MyCSF Plus subscription will also be able to track their corrective action plan at no additional charge.

Where can I go to learn more?
More information on the SECURETexas Certification Program can be found at SecureTexas.org. Organizations interested in learning more about the certification recommendation and related services provided by HITRUST should visit HITRUSTAlliance.net/texas.