A Resounding Endorsement AHA Endorses Private Companies to Move HIPAA Compliant Technology Forward

A new and growing practice by the American Hospital Association (AHA) is providing a new tool for health care facilities as they struggle to stay ahead of the security and privacy rules and regulations set forth by HIPAA.

 

The AHA has begun endorsing specific, private companies and their products and services, primarily in the areas of technology and information organization and security, in order to provide a standardized recommendation for quality compliance products to all AHA member facilities. The endorsement process is a long and involved one, which evaluates a number of components including the level of technology, flexibility, and scalability of company’s products, but also that company’s overall corporate mission and vision, financials, ethics, and expertise.

To date, only a handful of companies nationwide have earned the AHA’s exclusive endorsement.

AHA-affiliated health care facilities are not bound in any way to using the endorsed products or services, however Jim DiDonato, information security officer for Baystate Health Systems, said the service essentially eliminates the same lengthy research process hospitals must complete when researching and choosing companies to assist with HIPAA compliance interventions, easing a facility’s work load.

“The AHA’s strategy to begin endorsing products is a good one, and I find it helpful,” DiDonato said. “To find companies that offer services that are important to us requires a lot of research, and for a reputable organization to do that research and go so far as to endorse a company eliminates a lot of work for us and makes our job easier.

“We don’t have to choose the company the AHA endorses,” DiDonato continued, “but we know right away that it’s a solid product, and so it allows us to begin the process of choosing a company at a point that’s a little further along than it was in the past. And I think that usually, the AHA endorsed company is going to end up on our short list when we’re choosing who to ultimately go with.”

Post Production

One such company, PostX, based in Cupertino, Calif., manufactures, sells, and services secure messaging software, which can be used in health care facilities of varying sizes to ensure that E-mails being sent externally and internally are HIPAA compliant in the areas of security and privacy.

PostX was endorsed by the AHA in June, and is currently one of three companies on Baystate’s short list, said DiDonato, as they mull options to enhance their secure messaging systems throughout the health system (the other two companies are Tumbleweed, based in Redwood City, Calif., and CipherTrust of Atlanta, Ga.)

Shawn Eldridge, director of products and strategy for PostX, said that, although the AHA has announced endorsements in other industries, this is the first such endorsement in the secure messaging industry.

“There were a lot of hoops to jump through,” he said. ‘The AHA is without a doubt the most trusted and recognized brand in health care – this did not come quickly or without a good deal of work our part as well as that of the AHA.

“There were all sorts of categories in which we were evaluated and overall I’d call it a strenuous process that lasted about nine months,” Eldridge continued. “The AHA gradually started eliminating vendors that didn’t meet their criteria.”

At the close of the research process that led to the AHA’s endorsement of PostX, Eldridge said an expansive suite of products had been included under the auspices of the endorsement, including programs that allow centralized and flexible E-mail gateway solution for managing all HIPAA policies and decisions, multiple secure delivery methods, integrated solutions for identifying the best secure delivery method to use for their patients, partners, and employees, and comprehensive tracking and monitoring of E-mail traffic.

The ability to tailor programs to various sized hospitals was also taken into account – PostX offers products ranging anywhere from $1,000 to $100,000 depending on the needs and size of a hospital.

Guiding the Process

Eldridge echoed DiDonato’s comments that the AHA endorsement process has a marked impact on a facilities decision-making process when it comes to securing a vendor to assist with HIPAA compliance.

“The endorsement carries weight in several different areas,” he said. “One is that when it comes to the gathering of information that is necessary when a facility is trying to select a vendor, the AHA has already confirmed a lot of those things. Second, having the endorsement allows us to feel very comfortable with saying that we hold and maintain the most prestigious endorsement in our industry. For us, that’s huge.”

Through his work in information security and, specifically HIPAA compliance, DiDonato can also appreciate the weight of the endorsement. The HIPAA compliance date for security regulations passed in April, but now many hospitals find themselves at a point where maintenance and improvement of current systems is necessary, and one of the largest components of that maintenance is the area of secure messaging – specifically, safe, compliant E-mail systems.

“HIPAA is one of those areas in which maintenance is not only essential, it’s constant,” he said, adding that because not only is the protection but also the accessibility of all information within a health care facility intrinsic to quality patient care, creating a viable, compliant environment is one of the most involved processes a hospital can undertake.

“We’re not trying to build Fort Knox,” he explained. “That’s not feasible and it threatens patient care. When the AHA endorses a company, that tells us that they have done the research into due diligence that is necessary to creating a solutions that will address the issues of quality patient care as well as security.”
That’s not to say that Baystate Health Systems will always opt to go with an AHA endorsed vendor – with such a vast network of members, DiDonato said, the AHA ultimately chooses the company that seems to best fit the needs of most of those hospitals, but when it comes to HIPAA compliance and maintenance of that compliance, everyone is in a different place.

Perpetual Concerns

“Everyone in the industry is at a different point when it comes to implementing secure messaging,” he said. “Some have already implemented a system and moved on, others don’t even have the issue on their radar screens yet.

“There are hospitals with thousands of beds and hospitals with five, so one product isn’t always going to be best for everyone,” he continued. “We take these endorsements with a grain of salt and will use them judiciously, but the fact remains that the AHA has taken it upon itself to complete a lot of work for hospitals ahead of time and that will always be a help to us.” v