Site Visits
Purpose
This document provides instructions for determining which sites must be visited during any given accreditation or re-accreditation cycle for any organization seeking EHNAC accreditation.
Definitions
Cloud Service Provider – A provider of computing services that meets NIST’s cloud computing definition of “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.” (see NIST Special Publication 800-144).
Designated Record Set – A “designated record set” is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
EHNAC Program – Any of the Accreditation Programs offered by EHNAC for which an Organization may be seeking accreditation.
FedRAMP – See www.FedRAMP.gov
In-scope Organization Site – Organization Sites deemed “in scope” are any and all physical locations at which the EHNAC Organization provides services related to the EHNAC Program for which the Organization is seeking accreditation, or any and all sites that create, receive, maintain, or transmit PHI or PII or cryptographic information related to those services. Services considered in scope include, but are not limited to:
- Data Center – under all circumstances
- Network Administration – where necessary to the business for accreditation
- Private Cloud – any functions with access to PHI or PII or cryptographic keys related to EHNAC accreditation services
- Customer Service/Help desk – where necessary to the business for accreditation
- DRP Facilities – any functions with access to PHI or PII or cryptographic information related to EHNAC-accredited services
- Lockbox – where necessary to the business for accreditation
- Product Development – where necessary to the business for accreditation
- Storage Backup – without appropriate documentation/evidence via contract/agreement for services including an SLA.
- Production Operations – under all circumstances
- Printing or Scanning operations – where PHI is involved
In-scope Outsourced Site – Outsourced Sites deemed “in scope” are any and all Outsourced Sites related to the EHNAC Program for which the Organization is seeking accreditation, or any sites where the Organization’s PHI or PII or cryptographic information is created, received, maintained, or transmitted. Services considered in scope include, but are not limited to:
- Data Center – under all circumstances
- Network Administration – where necessary to the business for accreditation
- Private Cloud – any functions with access to PHI or PII or cryptographic information related to EHNAC accreditation services
- Customer Service/Helpdesk – where necessary to the business for accreditation
- DRP Facilities – any functions with access to PHI or PII or cryptographic information related to EHNAC-accredited services
- Lockbox – where necessary to the business for accreditation
- Product Development – where necessary to the business for accreditation
- Storage Backup – without appropriate documentation/evidence via contract/agreement for services including an SLA.
- Production Operations – under all circumstances
- Printing or Scanning operations – where PHI is involved
Offshore or International – For purposes of EHNAC accreditation, a location other than a State of the United States, the District of Columbia, Puerto Rico, or U.S. Virgin Islands. [Other insular areas such as American Samoa, Guam, and Northern Mariana Islands are deemed to be “offshore” or international locations].
Organization – An entity (company, government entity such as an HIE, etc.) seeking EHNAC accreditation or re-accreditation.
Outsourced Site – Sites belonging to an Outsourcer.
Outsourcer – An entity that is contractually obligated to provide services to the Organization.
PII – Personally Identifiable Information.
Private Cloud – A private cloud is one in which the computing environment is operated exclusively for a single organization. It may be managed by the organization or by a third party and may be hosted within the organization’s data center or outside of it. A private cloud has the potential to give the organization greater control over the infrastructure, computational resources, and cloud consumers than can a public cloud. (from NIST Special Publication 800-144, p.3)
Public Cloud – A public cloud is one in which the infrastructure and computational resources that it comprises are made available to the general public over the Internet. It is owned and operated by a cloud provider delivering cloud services to consumers and, by definition, is external to the consumers’ organizations. (from NIST Special Publication 800-144)
Self-Assessment – The comprehensive report provided by Organizations seeking accreditation. This report includes responses to the criteria and various types of evidence demonstrating compliance with the criteria.
Sites Requiring a Site Visit
A site visit is required at each In-scope Organization Site and each In-scope Outsourced Site, as those terms are defined above. Each of these sites must be visited for initial accreditation and again for each re-accreditation cycle. Additional information is provided below.
International Based Organizations
All In-scope sites of internationally based Organizations must have Site Visits performed to be considered for EHNAC Accreditation. For more specific information, see the “Sites that are International” section below.
Sites Not Requiring a Site Visit
Individual Home-based Offices
When individuals work out of their homes, those offices will not be visited. However, evidence must be provided that the employee complies with the same policies and procedures as all other workers, and additional scrutiny may be applied to the equipment, networking, and communications used by such workers. Furthermore, no production processing systems may be housed, and no PHI or PII or cryptographic information may be stored or printed, in home-based offices unless it can be demonstrated that such systems are appropriately protected.
Outsourcer of Outsourcer
If functions are “outsourced” or contracted externally by an Outsourcer (e.g. a data service provider outsourcing DRP) and if appropriate BA agreements are in place between the parties, further analysis will be performed to determine if the secondary Outsourcer must be reviewed. If the secondary Outsourcer is a cloud service provider that does not allow site visits to their data centers, the Cloud Service Provider (CSP) criteria must be addressed within the candidate’s Self-assessment.
Encrypted Archives
If data containing PHI or PII or cryptographic information is archived by a third party, that site does not need to be visited, provided that the data is appropriately encrypted prior to being sent to the third party (using encryption that meets HIPAA requirements) AND an appropriate BA agreement is in place with that third party.
Shredding Services
The physical site of the shredding organization will typically not be visited, provided appropriate controls and business associate agreements are shown to be in place.
Sites that are International
As a candidate completes the EHNAC Application and PHI Flow materials (Section I of the Self-Assessment), any time that PHI (which includes EHI and/or sensitive data) is handled internationally, i.e., outside of the United States (including “read only” access, and whether data, resources, or both reside outside of the US), the following must be in place:
- The Organization must provide documentation to substantiate that:
  – It fully and accurately discloses to its business partners and customers that it performs services in an international location(s).
  – It makes available upon request to a business partner or customer a reasonable description of all measures the Organization takes to ensure the confidentiality, integrity and availability of protected health information (as those terms are defined by 45 C.F.R. Parts 160, 162, and 164) that the Organization transmits or receives from an international site.
- Respective formal policies and procedures and training materials, providing enough detail of administrative, physical and technical safeguards to satisfy the Reviewer’s questions, must be submitted to the Reviewer as part of the submission materials. The information must be sufficient to satisfy the Reviewer’s requests and to demonstrate that, because the controls are in place, the candidate’s risk from handling PHI offshore is reduced.
- The candidate’s notification of international data/resources will be displayed on the EHNAC website.
  – Optionally, the candidate can support an international site visit in order to avoid the website notification.
- Should an international resource be responsible for the creation of a protected health information designated record set, regardless of where the data resides, a site visit is required.
At any time during the review process, should the Reviewer determine, in his or her expert opinion, that the desk review process does not satisfy the requirements above, an on-site visit will be scheduled.
Additionally, EHNAC has 5 International criteria in every program. They are:
I.B.1 Candidate must identify all international locations with workforce members performing in-scope services and/or handling PHI associated with this accreditation.
I.B.2 Candidate must, if utilizing in-scope international organizations, provide documentation substantiating that it fully and accurately discloses to business partners and customers that it performs services in international locations.
I.B.3 Candidate must, if utilizing in-scope international organizations, provide documentation substantiating that it makes available upon request to a business partner or customer a reasonable description of all measures the candidate takes to ensure the confidentiality, integrity and availability of protected health information (as those terms are defined by 45 C.F.R. Parts 160, 162, and 164) that the candidate transmits or receives from the international sites.
I.B.4 Candidate must, if utilizing in-scope international organizations, provide documentation showing administrative, technical, and physical safeguards are in place within the international organizations.
I.B.5 Candidate must, if utilizing in-scope international organizations, provide documentation showing that the workforce of those international organizations has been appropriately trained on HIPAA and Security Awareness at least annually.
Additionally, EHNAC Reviewers discuss the environment of the international entity with the candidate in order to learn more about the level of risk imposed by the entity. Most of the international organizations maintain data in the US (whether cloud-based, e.g. AWS, or within a US-based data center) and place restrictions on their workforce, such as limiting access, prohibiting print-screen capture, prohibiting USB usage, and prohibiting cell phone use on the production floor. If the Reviewer is not comfortable with the level of risk determined, a site visit may be requested and recommendations for changes may result.
Other Sites that are Out of Scope
Other sites that do not require a site visit, irrespective of whether or not they are outsourced, include:
- Human Resources (HR)
- Finance
- Product Development – where PHI, PII, or cryptographic information is not accessed and where the function is not necessary to the business for accreditation.
- Customer Service – where PHI or PII is not handled, and the function is not necessary to the business for accreditation.
- Hospital Information Services (HIS) solutions unrelated to the accreditation program
- Practice Management Services (POMIS) solutions unrelated to the accreditation program
Sentinel Event Applicability
EHNAC’s Sentinel Event Policy must be referenced and followed by Organizations as it relates to Outsourced Sites. For example, circumstances triggering a Sentinel Event include:
- Entering into an agreement with a new Outsourcer;
- Adding or significantly modifying a physical location in which an Organization provides a function related to the EHNAC Program for which it is accredited; and
- Significant events associated with In-scope Outsourced Sites including but not limited to their addition or significant modification of physical locations.
If such an event occurs within 12 months of the last accreditation, a physical site visit must be made to the new or modified facility.
Mutual Use of Outsourced Vendor
If multiple Organizations use a common In-Scope Outsourced Site, a site visit to that Outsourced Site is only required once every 2 years. The first Organization to use such an Outsourcer will pay the full Site Visit Fee for that visit. The Outsourcer will be monitored, and any other Organization using that Outsourcer during the 2-year rotation will pay a Site Visit Fee equal to the full Site Visit Fee less a 25% discount. An actual site visit will not be made in these discounted cases unless the Outsourcer has significantly changed functionality during the 2-year rotation.
EHNAC Outsource Vendor Accreditation Program
If an Organization uses an Outsourcer that is EHNAC accredited, the Organization will not be required to arrange a site visit to the accredited Outsourcer. EHNAC will maintain a list on its website that includes the approval date of accredited Outsource vendors.
Outsource vendors seeking their own accreditation must undergo the appropriate site visits even if they have previously been visited within the context of another Organization’s accreditation.
Organizations with Multiple Outsourced Organization Sites
For Organizations with multiple facilities that perform the same in-house or Outsourcer function under the same policies and procedures (such as lockbox facilities), a site visit rotation will be used to accredit the Organization [see the EHNAC website’s Accreditation Guidelines].
EHNAC Site Visit Access to Outsourced Sites
Organizations with In-scope Outsourced Sites must ensure that EHNAC representatives obtain access to the location(s) of an Outsourcer to determine if the vendor meets applicable EHNAC accreditation standards. Organizations will include in each vendor agreement a provision that states essentially the following:
Vendor acknowledges that [name of Organization] is accredited by the Electronic Health Network Accreditation Commission (“EHNAC”) and that the EHNAC accreditation process requires an on-site visit (the “Site Visit”) by EHNAC to verify compliance with applicable EHNAC criteria. Vendor agrees that, upon reasonable prior notice from [name of Organization], EHNAC, its representatives or agents shall have reasonable access at reasonable times to the premises, procedures, systems and records of Vendor to the extent that such access is necessary to enable EHNAC to perform the Site Visit and to evaluate whether the services provided to Organization meet EHNAC accreditation criteria. Vendor agrees to reasonably cooperate with EHNAC, its representatives and agents in the conduct of the Site Visit solely for the purpose of enabling [name of Organization] to obtain EHNAC accreditation.
Outsourcers That Do Not Handle PHI or PII or Cryptographic Information
If PHI or PII or cryptographic information is handled by the Outsourcer (created, received, maintained, or transmitted), then, as stated above, EHNAC must conduct an on-site visit. If there are multiple sites, EHNAC will follow the same multi-site policy already established. However, if no PHI or PII or cryptographic information is handled by the Outsourcer, EHNAC will accept another auditor’s report and will review it to see if:
1. the report covers all the areas EHNAC addresses, AND
2. the controls found to be in place for those areas meet EHNAC’s requirements, AND
3. the audit was conducted within the last two years, AND
4. the audit was conducted by a properly-qualified auditor.
If no PHI or PII or cryptographic information is handled and if 1 through 4 above are all found to be true, no site visit will be required to that Outsourcer site. There may be, however, a separate charge for the review of the auditor’s report.
Virtual Organizations
If an Organization pursuing accreditation is completely virtual with no corporate offices, a minimum of one site visit must still be conducted to interview key personnel including subject matter experts regarding representations made in the Self-Assessment. The interviews are instrumental in obtaining an understanding of the organization as a whole and in understanding how specific services under review are delivered. The Organization must make arrangements to have their site visit interview in a private conference room at a location they determine. The Organization should consult with their site reviewer to ensure appropriate personnel are in attendance.
Multiple Programs
If an Organization pursues accreditation for multiple EHNAC Programs, all sites related to each program pursued must be taken into consideration.
If an accredited organization indicates a desire to add an additional program (other than DTAAP, PMSAP and EPCS) between accreditation cycles, and has the same sites to review, the Multiple Program Fee will apply and a $3,000 Desk Review fee is also assessed. If there are additional sites to review, then the applicable Site Visit Fee and associated travel expense costs apply.
If an accredited organization adds DTAAP, PMSAP, and/or EPCS between its accreditation cycles, a Site Visit is required to review the additional material that will be submitted in the Self-Assessment. See the Site Visit information in the Accreditation Guidelines.
Cloud Service Providers
General Cloud Service Policy
If an Organization uses a Cloud Service Provider, all the above requirements are still applicable, including those listed under EHNAC Site Visit Access to Outsourced Sites. Furthermore:
- A thorough, documented risk assessment must be in place identifying the cloud-based risks to data at rest, data in motion, and data in use, with a demonstration that controls are in place to appropriately mitigate those risks.
- The use of Public Clouds (as defined by NIST) is not permitted for PHI or PII or cryptographic keys.
- Any Cloud models other than Private Cloud (as defined by NIST) will be reviewed and may not be determined permissible for PHI or PII or cryptographic keys.
Use of FedRAMP-Authorized Cloud Service Provider
Beginning April 1, 2019, an organization must complete the Cloud Service Provider (CSP) section during an accreditation if it uses a FedRAMP-authorized Cloud Service Provider (see www.FedRAMP.gov).
Updated 06/04/2022