At least seven healthcare insurers and vendors are requiring their business associates to successfully conduct a comprehensive assessment of their information technology privacy and security status and obtain a certification of completion within the next two years.

The insurers and vendors are members of industry security consortium HITRUST, which among other initiatives offers the CSF Assurance Program, a standardized process for assessing and certifying compliance with internal processes, HIPAA, HITECH, credit-debit card processing, and state rules and regulations. CSF stands for Common Security Framework, a platform that supports numerous HITRUST programs.

Insurers Anthem, Healthcare Services Corp., Highmark, Humana and UnitedHealth Group are imposing the assessments and remediation work on their business associates, as are information technology vendors athenahealth and Availity. The insurers alone have more than 7,500 business associates.

Also See: New Service IDs Cyber Threats before They Hit

Highmark has spent the past 1.5 years enhancing its security protections, says Omar Khawaja, chief information security officer. But when information leaves the organization, it still needs strong security controls.

“We do onsite assessments and send questionnaires, but can’t review all with a couple thousand suppliers,” he adds. So, requiring BAs to go through the HITRUST assessment process and receive certification makes the entire ecosystem more secure and efficient. The bottom line is that Highmark expects its BAs to keep information as secure as the insurer does.

The insurer is working with its vendors to identify start dates for the assessment/certification process; the dates could start with renewal of a contract or at another time. Certification is for two years with interim follow-up work done midway through.

Highmark itself expects to certify in a few months and understands that BAs will need time to prepare, Khawaja says. “If we had picked a narrow scope, we could have been done some time ago.” The CSF Assurance Program, he adds, is comprehensive but very doable.

This story first appeared on Health Data Management's web site.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access