Earlier this spring, the Farmington, Conn.-based Electronic Healthcare Network Accreditation Commission (EHNAC), a federally recognized standards development organization and non-profit accrediting body founded in 1993, announced a new agreement with the federal government, in which DirectTrust, a non-profit association created by and for participants in the Direct community, had been awarded a cooperative agreement from the Office of the National Coordinator for Health Information Technology (ONC) for continued development and implementation of its accreditation program for health information service providers (HISPs) developed in partnership with EHNAC. The Direct Trusted Agent Accreditation Program (DTAAP) co-sponsored by EHNAC and DirectTrust, will be further developed through ONC’s Exemplar HIE Governance Entities Program. The program is designed to encourage the continued development and adoption of policies, interoperability requirements and business practices to increase the ease of health information exchange (HIE). The creation of DTAAP will create a vehicle for the accreditation of health information exchanges, as explained in a press release accompanying the Apr. 4 announcement. As the press release indicated, “One of the areas of focus in the cooperative agreement will be on the continued development and implementation of DTAAP as a national accreditation for health information “trusted agent” service providers, including HISPs, certificate authorities (CAs) and registration authorities (RAs). The accreditation program, launched in November 2012, is currently in use at six beta sites, and is projected to have wide-scale industry adoption by the end of 2013 and int5o 2014,” the press release noted.
Recently, Lee Barrett, the executive director of EHNAC, spoke with HCI Editor-in-Chief Mark Hagland to explain some of the intricacies and nuances of all these developments, and to share his perspectives on broad efforts in the healthcare industry to make the practice of health information exchange more effective and streamlined. Below are excerpts from that interview.
To begin with, I think many people are confused about the differences between accreditation and certification. Could you help clarify things a bit?
We’ve come down to a simple differentiation: certification is really a self-attestation/self-assessment that an organization goes through, and a third party is validating the information through some type of logic or program that helps them look at the information submitted. An accreditation goes much more deeply than a certification. It’s not only looking at a self-attestation or self-assessment, but also includes a site review or site audit.
So someone highly qualified as a site auditor is going out to visit an organization, and accreditation is really validation. So if an organization has submitted, for example, that its leaders have appropriate controls for entering a building, for getting into their computer room, and role-based access controls, we go and have an auditor review those controls. And they can ask, from the time someone goes into that building—are all those controls appropriate for the size and scope of the organization or not? Do they really follow their rules for role-based access to PHI [protected health information]? Do they have screen savers and other types of controls on their workstations where users are logged off after a certain period of inactivity? We look at all of those aspects. All those elements apply to the accreditation of health information exchanges; we also have accreditation programs for medical billers and other types of exchanges, for example, clearinghouses.
We’re primarily talking about HIE, then?
No, we’re also talking about the accreditation of e-prescribing vendors, and also of banks and financial service organizations, having to do with healthcare financial transactions. And medical billers, third-party administrators, outsource vendors. We have a variety of accreditation programs for all of those stakeholders. And the other aspect that’s probably new to you, is an accreditation program for health information service providers or HISPs; certificate authorities or CAs; and registration authorities, or RAs. And all of these have to do with the Direct protocol, and securing the exchange of clinical messages.