Healthcare Information Security

Patient Privacy News

Data Security, Privacy Key in EHNAC Designation with HITRUST

EHNAC was recently designated as a HITRUST CSF Assessor, hoping to assist healthcare organizations maintain data privacy and security measures.

Health data privacy and security key focus in recent EHNAC designation

Source: Thinkstock

By Elizabeth Snell

- The Electronic Healthcare Network Accreditation Commission (EHNAC) was recently designated as an Assessor for the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF). The move will allow EHNAC to help healthcare organizations create strong data privacy and security measures.

EHNAC can now provide HITRUST CSF services, it explained in a press release. The HITRUST CSF addresses numerous regulatory and compliance requirements for healthcare, including HIPAA and HITECH. Furthermore, it helps organizations that must comply with government and third-party requirements as well, such as the NIST Cybersecurity Framework and FTC guidelines.

EHNAC Executive Director Lee Barrett explained that the designation is the next step in his organization’s recent partnership with HITRUST. Security and compliance assurances can be streamlined, helping healthcare approach those tasks in a less complex and redundant way.

“We are now the only organization in the industry with the ability to provide both EHNAC accreditation and HITRUST CSF certification,” Barrett said. “Organizations that obtain a CSF certification may also leverage that assessment in obtaining accreditation for any of EHNAC’s 18 stakeholder-specific accreditation programs.”

HITRUST Chief Compliance Officer Ken Vander Wal added that EHNAC is a “perfect addition” to the HITRUST program. The move will help healthcare organizations adopt and utilize the CSF requirements, he said, while also improving customer confidence in how their personal data is protected.

The EHNAC and HITRUST collaboration was first announced in October 2016, when the organizations decided to work together to reduce costs and streamline the HIPAA compliance and assessment process.

EHNAC reported that it would replace its HIPAA-related privacy and security criteria with the HITRUST CSF provisions and controls. EHNAC would still maintain its stakeholder-specific benefits to the accreditation process.

HITRUST’s CSF is “a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management,” according to the HITRUST website.

EHNAC also has a voluntary accreditation program, which caters to organizations that exchange healthcare data electronically. It works to guide entities through best practices and operational and technical framework reviews.

That potential redundancy and crossover was a major factor in why the two accreditation and certification organizations wanted to work together, EHNAC’s Barrett told in November 2016.

“We had heard from a lot of organizations that as they go through different types of certification, such as EHNAC, HITRUST, and others, that the internal cost for them to go through the various certifications and accreditations is very significant,” he said. “The organizations say that in many cases they have to answer similar types of questions, responses, or self-assessments.”

Furthermore, there was a significant amount of overlap with the privacy and security component in the EHNAC accreditation and the HITRUST Common Security Framework. Many organizations were going through both HITRUST certification and EHNAC accreditation, Barrett explained.

“If you take a clearinghouse, for example, if they go through HITRUST certification, all their privacy and security components will now go over into their EHNAC accreditation,” Barrett stated explained. “Those privacy and security components, they will not have to do again for their EHNAC accreditation.”

HITRUST CEO Dan Nutkis reiterated that his organization had also been told by hospitals and health plans that eliminating certain redundancies could help reduce the cost, time, and effort spent on meeting certain requirements.

“We had been hearing that we needed to be cognizant of the impact of the changes and additional requirements had on them,” Nutkis said. “Additionally, we needed to understand how competing, inconsistent requirements, or duplicative requirements had on them.” 

It was also important for EHNAC and HITRUST to properly collaborate with one another, since that is something that they often encourage healthcare organizations to do themselves.

“We were asking industry members to collaborate, we were asking them to do things that we weren’t doing ourselves,” Nutkis stated. “That led to some discussions between EHNAC and HITRUST where we agreed that it was our responsibility, and we should take some leadership here to streamline the process for industry.”


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks