The Texas Health Services Authority (THSA) recently announced its selection of the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), the most widely adopted information privacy and security framework in the U.S. healthcare industry, to form the basis of the Texas Covered Entity Privacy and Security Certification Program, setting the stage for Texas to become the first state in the nation to implement a formal certification program that incorporates state and federal privacy and security regulations, including HIPAA and the Texas Medical Records Privacy Act (TMRPA). The voluntary certification program, first created in 2011 under Texas House Bill 300 (HB 300), is intended to allow Texas-covered entities to demonstrate their compliance with federal and state privacy and security standards "in order to reduce regulatory penalties, manage risk and increase confidence" in their protection of health information.
In 2011, HB 300 required the THSA to develop a process by which a covered entity (which, as defined under Texas law, includes almost any person or organization that comes into possession of protected health information) could apply for certification of past compliance with the privacy and security standards ratified by the Texas Health and Human Services Commission for the sharing of electronic information. HB 300 also amended the TMRPA to include a list of mitigating factors Texas courts must consider in determining the appropriate penalty for a covered entity that violates the TMRPA, including its compliance history and whether it was certified at the time of the violation. Although the U.S. Department of Health and Human Services (HHS) is not required to consider whether a covered entity has been certified in determining the appropriate civil money penalty to impose for HIPAA violations and breaches, HHS must consider a covered entity's history of prior compliance with HIPAA standards. Accordingly, the THSA has indicated that certification could serve as a "safe harbor" at both the state and federal level.
Two certification options are available that vary based on the size of the entity in question. Larger entities, such as hospitals, likely will be required to undergo an onsite assessment by a third-party HITRUST CSF Assessor and to submit documentation from this assessment to HITRUST for review. If the entity meets the requirements for Texas Covered Entity Privacy and Security Certification, HITRUST will provide a recommendation letter that the organization then can submit to the THSA for certification. Smaller entities with annual revenue of less than $5 million will be able to conduct a remote assessment and submit documentation directly to HITRUST for review.
Although certification is voluntary, it is not free. The certification fee varies based on the size of the entity and the complexity of the assessment and can range from $2,500 to $7,500. Certification also expires after one year, meaning covered entities must pay the certification fee annually. Discounts may be available for entities choosing to combine THSA certification with other HITRUST products. The THSA also is encouraging covered entities to use the Texas certification assessment as a supplement to, or substitute for, the periodic risk assessment required under HIPAA, which many entities conduct annually.
Many Texas-covered entities have expressed interest in certification, and other states are closely monitoring the Texas certification program to determine whether they should implement similar programs. However, questions remain regarding the benefits of certification in relation to its cost. The extent to which certification will mitigate state and/or federal penalties is unclear, and while certification may demonstrate that an organization has taken certain steps to protect health information, it will not insulate covered entities from potential breaches and investigations. Whether Texas-covered entities will view certification as a valuable undertaking remains unclear and could depend, at least in part, on the outcome of the first breach involving a certified entity.