WellPoint Endorses HITRUST Framework

Insurer urges partners to use it to demonstrate security
WellPoint Inc., a health insurer with 33 million members, is encouraging its business partners to use the HITRUST Common Security Framework to demonstrate their capabilities for keeping health information secure.

The framework "is a great way to streamline or eliminate some of the work we are performing to verify the security posture of our partners," says Roy Mellinger, WellPoint's vice president of IT security and chief information security officer.

The Health Information Trust Alliance developed the framework to help organizations demonstrate security and comply with various regulations, including the HITECH Act.

A Big Win
The WellPoint endorsement is a significant win for HITRUST, says security expert Tom Walsh, president of Tom Walsh Consulting, Overland Park, Kan. He expects other providers and payers may follow WellPoint's lead in the months ahead.

A number of larger provider organizations, including Baylor Healthcare System, are already using the HITRUST framework.

Walsh says the framework could, in particular, help providers and payers "help ensure their business associates are HIPAA Security Rule compliant." He calls the framework "a starting point for common ground" on assessing security.

Internal Programs
Until now, the Indianapolis-based insurer has been using its own Security Assessment Framework and Evaluation program, or SAFE, to size up the capabilities of business partners, Mellinger explains. Business partners "include vendors and service providers who access our facilities, access our systems or provide information, such as data feeds or paper files, to provide a service to us," he adds.

In addition to SAFE, WellPoint has been using a Vendor Risk Management program "which helps us determine the types of risk exposure that may exist for a particular vendor or service provider," Mellinger explains.

Not a Requirement
WellPoint is not requiring its partners to use the HITRUST framework, "but if they do we will accept it" as evidence of their security efforts, Mellinger explains. Those who don't use the HITRUST framework can continue to use WellPoint's SAFE program, which includes a detailed questionnaire.

"We expect that our business partners will have implemented information security safeguarding programs that consist of administrative, technical and operational measures appropriate for their size and complexity that mitigate physical and logical security risks and effectively safeguard sensitive healthcare information," Mellinger says. "We want to see demonstrated proof that these measures are in place and are working as intended."

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
