HIPAA Risk Assessment, CMMC Compliance, and HITRUST Audits

For organizations facing regulatory compliance requirements from several industries, it can be difficult to understand where to start. Luckily, there’s a one-size-fits-all solution available in HITRUST CSF certification.

Key takeaways:

• The HIPAA risk assessment and compliance guidelines are vague and challenging
• CMMC 2.0 compliance requires robust framework implementation and assessment
• Becoming HITRUST CSF certified will help streamline your compliance processes

 

HIPAA Risk Assessment Requirements

The Health Insurance Portability and Accountability Act (HIPAA) applies to all covered entities within and adjacent to healthcare, along with their business associates. It exists to safeguard protected health information, such as patient records, and it’s governed by the US Department of Health and Human Services. One of the central pillars of healthcare compliance is conducting HIPAA risk assessments to identify and mitigate potential threats to PHI within your systems.

However, unlike many other compliance frameworks, the HHS does not provide specific parameters for the assessments. The HHS’s guidance on risk analyses does establish that analytical tools should be used to determine risk likelihood and potential impact, but there isn’t any particular, uniform metric that organizations have to use to do so. It’s open to interpretation.

Working with a HIPAA advisor helps organizations navigate this vagueness to remain compliant.

The HIPAA risk assessment requirements may seem vague, but that is true for the entire framework. HIPAA is intentionally open-ended to give covered entities options for securing PHI.

 

Request a Consultation

 

Other HIPAA Compliance Requirements

Beyond risk assessments, covered entities also need to implement IT and security infrastructure to meet the other requirements of the three prescriptive HIPAA rules. In a nutshell, these are:

• Privacy Rule – Covered entities need to control uses and disclosures of PHI, including:

• • • Making it available to patients, their representatives, and the HHS, upon request
    • Preventing all other access, except for Permitted Uses and Disclosures
    • Limiting all use and disclosure to the minimum necessary amount

• Security Rule – Covered entities also need to implement:

• • • Administrative safeguards, or policies and training initiatives to protect PHI
    • Physical safeguards, such as barriers and segmentation for PHI assets
    • Technical safeguards, or secure configurations across all PHI systems

• Breach Notification Rule – If a breach occurs, covered entities are responsible for:

• • Notifying impacted parties by written communication within 60 days
  • Notifying the HHS Secretary within 60 days or annually for small breaches
  • Notifying local media outlets when breaches impact 500 or more individuals

Failure to meet these requirements could lead to HIPAA Enforcement. The HHS may conduct an audit if it receives a complaint or otherwise suspects a HIPAA violation may be present. The investigation can lead to civil money penalties and, in the worst cases, criminal charges.

The best way to avoid these consequences is to work with a HIPAA compliance partner.

CMMC 2.0 Compliance Requirements

Just as HIPAA exists to safeguard PHI in and adjacent to healthcare, there are standards that protect sensitive forms of information that government and military contractors work with. The National Institute for Standards and Technology (NIST) has developed its Special Publication (SP) 800-171 to standardize protections for Controlled Unclassified Information (CUI).

Organizations that work with the Department of Defense (DoD) need to achieve Cybersecurity Maturity Model Certification (CMMC) 2.0 compliance. This involves implementing several NIST controls up to specific Levels of protection, based primarily on how much risk is posed to CUI. 

Full CUI protection at Level 2 requires implementing 110 Practices, covering all of SP 800-171:

• 22 Access Control (AC) Practices
• Three Awareness and Training (AT) Practices
• Nine Audit and Accountability (AU) Practices
• Nine Configuration Management (CM) Practices
• 11 Identification and Authentication (IA) Practices
• Three Incident Response (IR) Practices
• Six Maintenance (MA) Practices
• Nine Media Protection (MP) Practices
• Two Personnel Security (PS) Practices
• Six Physical Protection (PE) Practices
• Three Risk Assessment (RA) Practices
• Four Security Assessment (CA) Practices
• 16 System and Communications Protection (SC) Practices
• Seven System and Information Integrity (SI) Practices

Note that, at Level 1, only 17 of the 110 are required. However, many organizations will need to reach Level 2 sooner rather than later. And, at Level 3, an as-yet undetermined set of Practices adapted from SP 800-172 will be required. Also, each Level has its own assessment protocols.

Assessments at Each CMMC Level

CMMC as a whole exists primarily to prevent threats to CUI. But unlike the NIST frameworks on which it is based, it is also concerned with another form of sensitive data. Organizations that process Federal Contract Information (FCI), which is by nature less sensitive than CUI, may only need to achieve CMMC Level 1 certification. This includes implementing far fewer Practices than Levels 2 or 3. And it can be achieved through annual self assessments.

Some organizations at CMMC Level 2 will also qualify for self assessment. However, many more firms will require third-party assessments, conducted by a certified third-party assessor organization (C3PAO) listed by the Cyber AB. These happen triennially rather than annually.

Organizations subject to the most threats to CUI need to achieve Level 3 certification, which requires triennial government-led assessments. The scope and parameters of Level 3 are still under development, whereas Level 1 scope and Level 2 scope are well established. But any organization that anticipates needing Level 3 should begin preparing as soon as possible.

 

HITRUST Audits and Compliance

The HITRUST Alliance has developed a comprehensive framework, the CSF, that condenses thousands of requirements across dozens of regulatory frameworks into a compact set of controls. In the CSF, there are 14 Control Categories. These break down into 156 individual Specifications, or requirements, distributed across 49 Control Objectives as follows:

• Information Security Management Program – One Objective, one Specification
• Access Control – Seven Objectives, 25 Specifications
• Human Resources Security – Four Objectives, nine Specifications
• Risk Management – One Objective, four Specifications
• Security Policy – One Objective, two Specifications
• Organization of Information Security – Two Objectives, 11 Specifications
• Compliance – Three Objectives, 10 Specifications
• Asset Management – Two Objectives, five Specifications
• Physical and Environmental Security – Two Objectives, 13 Specifications
• Communications and Operations Management – 10 Objectives, 32 Specifications
• Information Systems Maintenance – Six Objectives, 13 Specifications
• Information Security Information Management – Two Objectives, five Specifications
• Business Continuity Management – One Objective, five Specifications
• Privacy Practices – Seven Objectives, 21 Specifications

Each of these Specifications breaks down further into Implementation Levels. There are base numbered Levels, along with Levels catering to regulatory mapping (e.g., “Level HIPAA”). This makes it so that organizations can conduct HITRUST audits to “assess once, report many.”

At present, there are three ways to become HITRUST CSF certified:

• HITRUST Essentials (e1) Assessments – These certify an organization’s Foundational Cybersecurity across 44 practices, including some of NIST SP 800-171, for one year.
• HITRUST Implemented (i1) Assessments – These certify an organization’s Leading Practices (182 requirements), including all of SP 800-171 and the HIPAA Security Rule.
  • Rapid recertification is available with a 60-practice assessment.
• HITRUST Risk-based (r2) Assessments –  These certify an organization’s commitment to Expanded Practices, including HIPAA, PCI DSS, GDPR, and more, for two years.

With multiple options available, depending on your compliance needs, HITRUST is the best way to satisfy all regulations with the least amount of implementation and assessment crossover.

 

Streamline Your Compliance Today

Regulations like HIPAA and CMMC are difficult for many reasons. HIPAA is vague, with little specific guidance for HIPAA risk assessments and other requirements, and CMMC is extremely robust, requiring many rigid specifications. And organizations that operate in between regulatory contexts, like healthcare and government or military contracting, are often faced with the unique challenge of meeting several different frameworks’ requirements at once. HITRUST audits offer a unified implementation and assessment protocol for most or all of your compliance needs.

RSI Security has helped countless organizations streamline their compliance programs through HITRUST CSF certification and other means. We’re dedicated to serving you above all else, and we know that the right way is the only way to keep your data—and your clientele—safe.

To learn more about how HITRUST audits and HITRUST CSF certification will streamline your HIPAA risk assessment, CMMC 2.0 compliance, and more, contact RSI Security today!