State of Texas To Implement Patient Privacy Compliance Certification Program
October 24, 2013
Texas is moving ahead with a robust patient privacy agenda, as the first state to offer a certification for compliance with both federal and state laws.
The Health Information Trust Alliance, or HITRUST, is crafting certification recommendations to the Texas Health Services Authority, a public-private health IT coordinating body created in 2007 by the Texas legislature, to help providers and other health businesses comply with a raft of recent regulations, including the HIPAA business associates rule and several Texas laws that exceed the scope of federal protections.
The Texas Health Services Authority’s Covered Entity Privacy and Security Certification Program will incorporate much of HITRUST Common Security Framework, which aligns requirements of existing standards and regulation from the federal and state regulatory agencies like CMS, technical agencies like the National Institutes of Standards and Technology and third parties.
“For this program to be successful, it must provide the appropriate level of assurance and verification while still being practical and implementable,” Texas Health Services Authority CEO Tony Gilman said in a media release.
Concerned that HIPAA and HITECH did not safeguard protected health information enough, in 2011 the Texas legislature amended the state Medical Privacy Act, adding stronger rules than federal law in some areas and an early version of the now national business associates rule that extends “covered entity” liability to anyone handling protected patient data.
The new law requires providers and relevant covered entities to give patients access to digital copies of their EHRs within 15 business days of a written request, compared to 30 days under HIPAA, and it also imposes fines for wrongful disclosure ranging from $5,000 to $1.5 million per year — in addition to any federal penalties — based on the risk of patient harm, compliance history and other factors.
HITRUST’s vice preseident of Common Security Framework development, Bryan Cline, MD, said in a media release that the new certification will “provide Texas covered entities a tailorable, but prescriptive set of baseline controls.”
A former chief information security officer at Catholic Health East, Cline also thinks that the certification program’s impact “will likely be felt far beyond the state of Texas because Texas certification requires compliance with the HIPAA Privacy and Security Rules, which means that organizations must implement reasonable safeguards appropriate to their organization to ensure sensitive health information is adequately protected.”
Article written by Anthony Brino
