How healthcare stakeholders can navigate the HITRUST framework.
HIPAA compliance is the responsibility of all healthcare stakeholders.
Soon after figuring out how to go about the definition of “business entity,” Congress introduced the Omnibus rule. Thanks to the establishment of the Health Information Trust Alliance or HITRUST, the HITRUST framework assists vendor management and Health Insurance Portability and Accountability Act (HIPAA) compliance, which had unexpectedly become ‘a thing.’ The management of patient health information can be compared to the gathering of evidence from a given crime scene.
>> LISTEN: Amazon Alexa and the Potential of Voice Assistants for Healthcare
If you can recall the O.J. Simpson trial, then you probably know about the bloody fingerprint. The blood sample of Simpson disappeared during police investigations. However, only 6 millileters of the 8 milliliters of blood were accounted for, arousing suspicions of planted evidence. Although HIPAA may not be as exhilarating as a car chase, tracking a chain of evidence or chain of trust matters a lot.
Protected health information (PHI) comprises different types of information that is accessible to health providers. When trying to understand the different ways that the HITRUST Framework assists vendor management and HIPAA, you need first to learn the various terms that fall under this particular umbrella.
“Health information” includes information received or created by a healthcare provider, healthcare clearinghouse, health plan, public health authority, school or university and employer life insurer. The information can be linked to the past, current or future mental and physical health of a person.
“Individually identifiable health information” encompasses all the demographic information, which can be traced back to patients. In short, this covers the information that can be used to spot a person or clearly identify them.
PHI entails all individually identifiable health details or information, which can be maintained in electronic media, conveyed through electronic media, or maintained or conveyed in any other media. The protected health information excludes all the education records safeguarded by the Family Educational Rights and Privacy Act, employment records maintained by a covered entity in its duty as an employer, and the records featured in 20 U.S.C.1232g(a)(4)(B)(iv).
According to HIPAA, a business associate entails any entity or person, excluding a covered entity’s workforce member, who provides services to or carries out activities and functions on behalf of a covered entity with access to PHI. A business associate could even be a cleaning service that works around files or a cloud storage vendor.
>> READ: Keeping HIPAA Compliance Efforts Up to Date
Health information exchange makes up one of the common IT terminologies with different meanings. In essence, it refers to the sending and receiving of digital information that occurs between various providers. In other areas, the term translates to the broader idea of general information movement that takes place between stakeholders. In terms of how HITRUST Framework aids vendor management and HIPAA, health information exchange can also refer to the entity that facilitates information movement.
Health information exchange can refer to all the vendors that handle your patient data. As such, vetting such vendors is crucial due to the safety concerns associated with that information.
Although HIPAA and vendor management are akin to other types of vendor monitoring, they are more invasive, especially if you are the vendor. Under HIPAA, working with vendors calls for the need to trust them with not only your information but also your client’s information. While this may not require you to complete an SSAE 18 review and be SOC compliant, you have to know how your vendors oversee their information security measures and interact with information.
You can consider a chain of trust partner contract as a written trust fall task. “Trust falls “used to exist in corporate training. A chain of trust agreement acts as the adult, contractual form of this case. The business entity positioned at the top of the chain engages in a contract with its vendor.
The particular relationship is covered by the agreement between the business entity and the vendor. Nonetheless, that particular vendor may require having some vendor for itself. As such, this means that in spite of having some degree of isolation from the initial business entity, the vendors are also associated with the business entity through their functions with other vendors.
In case your business falls anywhere in the scope of a business entity, you need to figure out how to comply with HIPAA.
Most HIPAA compliance conditions feature in other frameworks, particularly those involved in governing information systems. However, if you are planning to implement HIPAA or you have already done so, you may want to focus on the possible gaps.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens.
Get the best insights in healthcare analytics directly to your inbox.
Make Sure You’re HIPAA Compliant Before You Have to Prove It
EHRs Can Be Dangerous. Are New Guidelines Necessary?
Overcoming the Cultural Resistance to Health Tech