HITRUST's Position On The American Recovery and Reinvestment Act of 2009

The American Recovery and Reinvestment Act of 2009, approved by Congress on February 13, recognizes that privacy and security are fundamental to the adoption of health information technologies - and without real and meaningful information security, concerns arise regarding who has access to personal health and sensitive information and leaves patients skeptical and wary of electronic health information systems and exchanges.

The HITRUST alliance was born out of the belief that information security is critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information, and in turn realizing the promise for quality improvement and cost containment in America's healthcare system.

For the past 18 months, HITRUST has been working with industry to develop a Common Security Framework (CSF) that will enable greater and more efficient protection of health information. The effort was led by a full-time team and supported by knowledgeable and experienced healthcare, professional services, information technology and security organizations. The CSF is a prescriptive and certifiable framework that is the only approach today that makes it cost effective and practical for organizations of any type and size – scaling from private practices, hospitals and health plan providers to pharmacies, pharmaceutical manufacturers, data exchanges and clearing houses – to implement security programs in a consistent way and determine compliance against the myriad of business and partner requirements as well as evolving state and federal standards and regulations.

By normalizing the variances and inconsistencies regarding “how” to implement various standards, regulations and policies, the CSF will help healthcare organizations with the efficient interpretation of and compliance with regulations, such as those imposed by the American Recovery and Reinvestment Act of 2009. Ultimately, the CSF will help increase the level of information protection, reduce complexity, and increase efficiencies - all while creating an effective means for certification and a consistent method of reporting information security compliance to regulators and business partners.

“Industry has recognized the importance of more effective and efficient information security for this nation’s healthcare system and came together over 18 months ago to address these issues. It has been a significant undertaking and the tens of thousands of hours invested by those involved, spanning the healthcare industry and related technology disciplines, demonstrates how industry has stepped up to do the right thing with leadership and commitment on these important issues. As organizations now begin to comply with the CSF we will continue to work towards our goal of greater trust in the protection of health information,” stated Daniel Nutkis, CEO, HITRUST.

“Early results are proving that industry has created an effective security framework and, as importantly, an effective process to address evolving regulatory, business practices, technologies and threats. Rather than reacting to compliance deadlines at the last minute, an approach that tends to be ineffective and costly, organizations are adopting practical approaches to security that are designed and recommended by the industry, for the industry in alignment with government requirements. We look forward to working with the Department of Health and Human Services to share our lessons learned and aid the process as they begin to implement the provisions of The American Recovery and Reinvestment Act of 2009,” said Cliff Baker, Chief Strategy Officer, HITRUST.

Editorial Note: HITRUST will make the CSF generally available to the public, coinciding with a launch event on March 2nd in San Francisco, CA. For more information on the launch event please visit www.HITRUSTalliance.net/launch.

By HITRUST