Hospital asked whether a password-protected screen saver is as HIPAA compliant as automatic logout.
Vendor asked for endorsement of its HIPAA-compliance certificate.
CMS replied that it will not specify the criteria by which it chose Claredi.
Help clarify compliance criteria and certification. Be a HIPAA hero.

Peter Barry suggested HIPAA transaction certification.
Ioana Singureanu suggested HL7 conformance certification.

Who will certify?

What is Accreditation Generically
Accreditation Players
HIPAA Transactions
HIPAA Privacy
Quiz

Testing or Inspection
Certify: attest to the qualifications of personnel, processes, procedures, or items in accordance with applicable requirements.
Accredit: recognize a body as competent to perform certain certifications.

1st Party: self-assessment
2nd Party: done by the customer of the supplier
3rd Party: performed by a body that is independent of both the supplier and the customer organizations

ISO conformity assessment guides and a registry of ISO 9000-compliant entities, FCC for radio stations, Underwriters Laboratories for safety, Microsoft Certified Software Engineers, …
Those that might relate to HIPAA next.

ANSI’s Accreditation Committee prepares procedures, reviews the process of evaluation, recommends accreditation, and audits ANSI-accredited programs.
ANSI’s current accreditations apply to areas like windows, wastewater treatment units, and food service equipment.

NIST administers the National Voluntary Laboratory Accreditation Program, which accredits laboratories’ technical competence.
NIST cooperates in developing accreditation criteria.

Physicians, nurses, and technicians are certified.
JCAHO certifies providers and will incorporate some HIPAA Privacy.
URAC certifies HMOs and will certify some software soon.
AHIMA will certify Privacy Professionals.
HIMSS will certify Security Professionals.

Congress mandated the National Research Council (NRC) to address accreditation.
NRC said NIST should phase out government-operated conformity assessment activities.
Private-sector conformity assessment services should be accredited by NIST.

Stand-alone systems can test conformity.
Web-based systems also can test.
Many vendors offer such products or services.
How is a covered entity to choose?

Web site
Charges about $1k per entity.
If one entity has 100 partners, the cost is $100k.
But Claredi is trying to build a national database so that each partner is tested only once.

HIPAA standardizes 90% of a transaction.
Each payer tests with its clients for the remaining 10% (or 100%).

Given that the payer buys the testing software, who certifies it?
Quality transactions are a continuous process; who will test and certify that?

CMS requires its fiscal intermediaries to certify with Claredi.
Yet CMS gives no criteria for choosing a certification service.

Who will accredit the certifiers?
Might NIST’s Information Technology Lab work with X12, NCPDP, WEDI, HHS, DoD, private companies, … to develop a conformance test suite?
Might the National Voluntary Laboratory Accreditation Program then go further?

HIPAA Privacy is multi-faceted.
Different entity types may have different processes to be compliant.
Vendors say they are HIPAA-compliant.
How does a covered entity know what tools are worth using?

Various tools support it.
Could any society, consortium, government agency, … convincingly say that a particular type of covered entity had chosen a tool consistent with HIPAA expectations?

Libraries of training material and various training management systems are being used.
The training vendors test and claim to certify adequate training.
How can the covered entities know what to trust?

Even the safe haven is vague in places.
If a covered entity acquires some other tool, such as one for computational disclosure, how will it know about HIPAA compliance?
Who might develop test suites and a certification standard?

Overall Privacy compliance would be like ISO 9000 compliance.
But add the condition that objectives be consistent with HIPAA.
Require documentation of performance against objectives.
Why not create a certification of quality management for Privacy?

What is accreditation?
What in HIPAA should be accredited?
Who is best positioned to do it?

Comments: rada@umbc.edu