A Utah HIE's Path to Accreditation--and Beyond

Why did you decide to pursue accreditation through EHNAC?

As I mentioned, we started out as a clearinghouse. And the first executive director of our HIE was a gentleman who came from the aerospace industry, and really believed in the power of an outside entity to check on processes and policies, in order to engender trust. As I had mentioned, my board and members are composed of very intense competitors; so developing and maintaining trust in that somewhat inherently hostile environment, is very important. So we actually got our first accreditation in 2004, from EHNAC, for the clearinghouse part of what we do.  EHNAC accredits every other year. And I myself am an EHNAC commissioner. Because EHNAC is all about an independent, rigorous, third-party set of eyeballs, on your privacy and security, your customer service, and the performance of your network. And back in the 1990s, when EHNAC first started, the accreditation was mostly around clearinghouse activity. So that’s where they started, and they’ve consistently moved into new areas, as appropriate. And I became a commissioner in 2009.

So we were accredited every year from 2004. And as a commissioner, I began to push EHNAC to accredit HIEs, and I helped them design the HIE accreditation; it was a lot of work. And how you secure a clearinghouse is very similar to how you secure an HIE. But the processes weren’t identical; a lot of the EHNAC processes for clearinghouses have to do with criteria around the 4010 and 5010 forms, for example; but there’s a lot about connections and how you give people access, that are similar.

So we took the clearinghouse accreditation and mapped it into HIE and added a bunch of stuff. So we’ve now been accredited twice on the HIE side, and continue to get accredited on the clearinghouse side every other year. And as you may know, the Office of Civil Rights, which has the responsibility for monitoring HIPAA, started auditing people last year. They audited 112 or 115 organizations; well, they picked our name out of a hat. And the week after we were reaccredited for HIE, the OCR showed up, but they were looking at us as a clearinghouse. Our EHNAC accreditation was for both HIE and for clearinghouse, and we had just finished both processes, and the OCR showed up.

And the good thing is that most of the EHNAC accreditation is based on HIPAA. So as OCR started asking us the HIPAA-related questions, we’d show them what we had done. So it was a lot of work, but we were one of the very few entities among the group of 112 or 115 entities that had an audit of no findings. We came out with a completely clean bill of health. That was a ‘wow.’ And so the lesson here is, if you are a covered entity—and in truth, most of the larger clearinghouses are EHNAC-accredited now.

That seems like a built-in endorsement of the accreditation process.

Yes. If you look at the fines involved in the HIPAA [Health Insurance Portability and Accountability Act of 1996] process, the EHNAC accreditation fees are very reasonable. You start with a self-evaluation that’s about 600 pages. And the EHNAC person comes and does a site visit of your headquarters and of your data centers. And we have data centers all over the country; that’s the expensive part, actually, is all the plane tickets! But it’s very worth it. The point of audits is to make sure you’re doing things right. And I don’t believe in hiding audits; I embrace audit processes.

What would you say to HIE leaders who might think of accreditation as an “extra” or a “nice-to-have”?

Yes, or else, they might think of it as an awful thing to have to do! And when I talk to leaders who are just starting to get going, they’ll say, well, we don’t have the bandwidth to do this right now. But for UHIN, it made sense, because our members are competitors with one another, and so we had to establish that level of trust. So it’s a good thing to do. And yes, it is a lot of work, but yes, it’s worth it. And we were the first organization to get accredited. And I created the criteria, so I felt it was only fair that I be the one to test-drive it. And we modified the criteria after we were accredited. We were the guinea pig. But the criteria have continued to be updated and improved. And that’s one of the good things about EHNAC. The people on the commission are a restless, driven bunch of people! And they’re very committed to creating an accreditation process that will stand up to these kinds of tests, and that will remain germane and relevant in this rapidly changing world.

And as informatics explodes, there will be good products, and not-so-good products. There will be the unfortunate, fly-by-night people; but also some really good organizations. And accreditation can really help people discriminate between the solid organizations and those not so solid. It’s a really hard thing to do, but so appropriate.