Healthcare Organizations Can Now Obtain Certification with Texas Security and Privacy Regulation

Oct 8, 2013

HITRUST was awarded the exclusive contract to provide certification recommendation and related services to the THSA in support of HB 300, which amended the Texas Medical Records Privacy Act and builds upon the Federal Health Information Technology for Economic and Clinical Health (HITECH) Act through additional protection requirements. Additionally, the legislation specifies state-level administrative penalties and legal liability for health information breaches due to non-compliance.

“As Chair of the House Public Health Committee and author of Texas HB 300, I know that lawmakers are very serious about the safeguarding of individuals’ health data,” said Rep. Lois Kolkhorst. “The certification process is designed to help with compliance of state and federal privacy and security laws, and to help organizations that handle health information to mitigate and control risks.”

“Our medical records are our most sensitive information, so it is vitally important that they are protected,” said Senator Jane Nelson, the Senate sponsor of HB 300. “By obtaining this certification, healthcare organizations can demonstrate a commitment to ensuring their consumers’ health information is private and secure.”

Accordingly, Texas Health and Safety Code (THSC) § 181.205 specifically allows a covered entity to introduce evidence of its good faith efforts to comply with HIPAA and state law related to the privacy of health information in an action or proceeding imposing an administrative penalty or assessing a civil penalty related to an unauthorized disclosure. In determining the penalty imposed by other law in accordance with THSC § 181.201, a court or state agency must also consider several factors, including the covered entity’s compliance history and whether the covered entity was certified at the time of the violation.

“For this program to be successful, it must provide the appropriate level of assurance and verification while still being practical and implementable; therefore, it was important we select the best possible partner for developing and implementing the Texas Covered Entity Privacy and Security Certification Program,” said Tony Gilman, chief executive officer, THSA. “We are confident in our choice given HITRUST’s leading role in the assessment and certification of compliance with multiple health information protection regulations and best practices through the HITRUST Common Security Framework (CSF).”

“We are very pleased to partner with the THSA to develop and implement the certification program,” said Daniel Nutkis, chief executive officer, HITRUST. “Organizations have desperately sought certification as a means to proactively validate their level of compliance with various regulatory requirements, industry standards and best practices, and obtain a recognizable benefit for their due diligence and continued due care. By offering the first government-sponsored certification of its kind, Texas has taken a leading role in improving information protection in the healthcare industry.”

“Leveraging the HITRUST CSF will provide Texas covered entities a tailorable, but prescriptive set of baseline controls, which they can use to demonstrate compliance with Texas standards through formal certification,” said Dr. Bryan Cline, vice president, CSF development, HITRUST. “However, the program’s impact will likely be felt far beyond the state of Texas because Texas certification requires compliance with the HIPAA Privacy and Security Rules, which means that organizations must implement reasonable safeguards appropriate to their organization to ensure sensitive health information is adequately protected. The Texas Covered Entity Privacy and Security Certification Program will help define what is ‘reasonable’, ‘appropriate’ and ‘adequate’ for not only Texas, but for healthcare organizations across the country.”

Most covered entities will be able to obtain a Texas certification recommendation from HITRUST by undergoing an assessment conducted by a HITRUST CSF Assessor organization against the controls specified in the HITRUST CSF. However, smaller entities will be able to request a certification recommendation through HITRUST by conducting a remote assessment. Healthcare organizations pursuing HITRUST certification independent of the Texas program will be encouraged to also obtain a Texas certification recommendation as there are a very limited number of additional controls to assess, making the process very efficient and cost effective.

Development and implementation timeline
HITRUST incorporated information protection requirements from Texas HB 300 (82R) in the fifth major release of the HITRUST CSF in early 2013. Additional control language supporting relevant privacy and security requirements contained in the Texas standards specified at TAC § 390.2 will be included in the late-October release of the HITRUST CSF, at which time Texas covered entities may begin the process of specifying and implementing controls in preparation for formal assessment and certification.

More information on the Texas Covered Entity Privacy and Security Certification Program can be found at HIETexas.org. Organizations interested in learning more about the certification recommendation and related services to be provided by HITRUST should visitHITRUSTAlliance.net/Texas.

About THSA
The Texas Health Services Authority (THSA) was created by the Texas Legislature in 2007 as a public private partnership, legally structured as a nonprofit corporation, to support the improvement of the Texas health care system by promoting and coordinating HIE and health information technology (HIT) throughout the state to ensure that the right information is available to the right health care providers at the right times. In 2011, the Texas Legislature authorized THSA to identify relevant security and privacy standards and develop a certification program by which Covered Entities could demonstrate compliance with federal and state health information protection requirements. For more information, visit www.HIETexas.org.

About HITRUST
The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit www.HITRUSTAlliance.net.

All product and company names herein may be trademarks of their respective owners.