WellPoint Endorses HITRUST Framework
Insurer urges partners to use it to demonstrate security
The framework "is a great way to streamline or eliminate some of the work we are performing to verify the security posture of our partners," says Roy Mellinger, WellPoint's vice president of IT security and chief information security officer.
The Health Information Trust Alliance developed the framework to help organizations demonstrate security and comply with various regulations, including the HITECH Act.
A Big Win
The WellPoint endorsement is a significant win for HITRUST, says security expert Tom Walsh, president of Tom Walsh Consulting, Overland Park, Kan. He expects other providers and payers may follow WellPoint's lead in the months ahead.
A number of larger provider organizations, including Baylor Healthcare System, are already using the HITRUST framework.
Walsh says the framework could, in particular, help providers and payers "help ensure their business associates are HIPAA Security Rule compliant." He calls the framework "a starting point for common ground" on assessing security.
Internal Programs
Until now, the Indianapolis-based insurer has been using its own Security Assessment Framework and Evaluation program, or SAFE, to size up the capabilities of business partners, Mellinger explains. Business partners "include vendors and service providers who access our facilities, access our systems or provide information, such as data feeds or paper files, to provide a service to us," he adds.
In addition to SAFE, WellPoint has been using a Vendor Risk Management program "which helps us determine the types of risk exposure that may exist for a particular vendor or service provider," Mellinger explains.
Not a Requirement
WellPoint is not requiring its partners to use the HITRUST framework, "but if they do we will accept it" as evidence of their security efforts, Mellinger explains. Those who don't use the HITRUST framework can continue to use WellPoint's SAFE program, which includes a detailed questionnaire.
"We expect that our business partners will have implemented information security safeguarding programs that consist of administrative, technical and operational measures appropriate for their size and complexity that mitigate physical and logical security risks and effectively safeguard sensitive healthcare information," Mellinger says. "We want to see demonstrated proof that these measures are in place and are working as intended."