The HITRUST Act (Health Information Trust Alliance) establishes the framework for online healthcare information security, while also encouraging healthcare organizations to adopt digital patient files. Digitizing healthcare information makes it easier to share between approved organizations or personnel. Patients can also access their records online, eliminating the need for them to request paper copies.
Before the HITRUST Act, healthcare professionals and patients often spent time requesting copies of files, which could delay care and treatment. Along with encouraging organizations to transition from paper to electronic files, the HITRUST Act also supports HIPAA. If an organization is not compliant with HIPAA, it is also out of compliance with HITRUST, and this can result in serious and expensive penalties. Here you’ll learn how the HITRUST Act enforces penalties for non-compliance and what it can mean for the organization.
What is HITRUST Compliance
Organizations need to know what steps they have to take before they can be expected to meet HITRUST compliance regulations. In simple terms, HITRUST compliance requirements concentrate solely on security. It states that patients must be able to access their files in a secure online setting. This requirement also applies to the sharing of protected patient information between authorized healthcare personnel. PHI (personal health information) must be protected from any and all security breaches.
To prevent security breaches, the HITRUST Act established the CSF (a common security framework), which is designed to be used by any organization that stores, exchanges, creates or has access to regulated or sensitive information. This applies to patients’ healthcare information.
Companies can purchase the framework from HITRUST. There is also a free version of the software, though it doesn’t list the implementation level for each compliance requirement. If more information is needed about compliance requirements, the myCSF tool can also be purchased. It will determine what security requirements apply to the business and the implementation level they need to meet for each standard. These requirements will vary depending on the type of organization.
What is the myCSF Tool
It was understood with the HITRUST Act that organizations would need guidance on how to implement the necessary security protocols. This is what the myCSF tool does: it analyzes an organization’s online security measures. Organizations can use the tool for routine self-checks to determine if any aspect of their security protocols needs to be addressed. The analysis examines several aspects.
- How effectively security protocols are communicated from management to the workforce.
- Whether the protocols were promptly and correctly implemented.
- Whether the workforce understands the security protocols.
- Whether the protocols are effective.
- The length of time needed to respond to a security breach, if one happens.
The myCSF tool will help healthcare organizations implement the security protocols necessary to avoid penalties due to a lack of HITECH compliance.
What are the Penalties for Non-HITRUST Compliance
The HITRUST Alliance understands that encouraging healthcare organizations to switch from paper to digital patient files would create issues with privacy. This is against the core tenet of HIPAA, which is designed to protect patients’ right to privacy. The two acts work together to ensure patients’ privacy while also encouraging the implementation of digitized files.
Since privacy is a legal right, the HITRUST Act stiffened the penalties for non-compliance and requires that all organizations be HIPAA certified before they can meet all HITRUST regulations. The penalties can be severe, ranging from fines up to a maximum of $1.5 million to possible imprisonment.
HIPAA compliance is based on a four-tier system that determines the severity of the penalty. There are two primary factors that are used to determine the penalty tier.
- If a security breach is noted during an annual audit, the organization has a 30-day grace period to correct the issue. An extension can be given if the organization shows that it has been working to resolve the problem.
- Willful neglect is defined in the HITECH Act as ignoring a compliance violation that should have been noticed with due diligence. For a smaller healthcare organization with fewer resources, it will be determined whether the problem was willfully ignored or simply not noticed due to a smaller workforce.
If an organization fails to meet HITRUST compliance, one of four penalty tiers could be applied. The severity of the penalty will vary depending on the infraction and how it was responded to.
- Tier One: Fines range from $100 to $25,000 per violation. This fine can be amended within 30 days if the organization was not aware of the security violation and responded in a timely period once it was discovered.
- Tier Two: The minimum fine is $1,000, up to a maximum of $100,000. If an organization was not aware of the violation and did not address it in a timely manner, a fine can be assessed for each violation.
- Tier Three: Fines start at $10,000 and can go as high as $250,000 for each violation. An organization has 30 days to amend its protocols after willfully neglecting to implement adequate security or perform due diligence.
- Tier Four: Fines range from $50,000 up to $1.5 million for each violation. These steep fines are leveled against an organization that willfully neglected security and did not correct any lapses within thirty days.
Jail time is rarely doled out as a punishment for any of the four tiers, though it can be applied if willful neglect continues. However, if an organization or even a third-party associate intended to sell, or did sell, protected health information, prison time can range from 6 months up to ten years.
The fines for non-compliance are steep, and there is a reason for this. Before the HITRUST Act, loopholes existed in HIPAA that allowed healthcare organizations to escape or ignore penalties for non-compliance.
How HITRUST Compliance is Enforced
Compliance of healthcare organizations with the HITRUST Act is enforced by the OCR (Office of Civil Rights), a department in HHS (Health and Human Services). Unfortunately, the civil rights department is not always able to keep up with HITRUST compliance violations. This does not mean that organizations that handle PHI can relax their security protocols.
Even if an audit from the OCR is missed or late, it is still the organization’s responsibility to stay current with any security breaches or lapses in the protocol. A fine can often be avoided if the organization can show that it responded to any potential threat in a timely manner. Since audits from the OCR can be sporadic, using the CSF framework can help healthcare organizations avoid potentially expensive fines.
Steps to HITRUST CSF Certification
As you now know, failing to meet HITRUST compliance regulations can result in expensive fines or even prison time. The penalties can accumulate per infraction and it doesn’t take long to add up. To prevent penalties a healthcare organization must be HIPAA and HITRUST compliant. A CSF certification can prove that an organization is following all of the required regulations.
Getting a CSF certificate that proves your organization is compliant isn’t easy. It’s time-consuming and often frustrating. However, it is worth it when you avoid penalties along with possible censure that could detrimentally affect the business. Here are five steps that can help businesses meet compliance regulations and simplify the CSF framework.
- Most organizations hire a third-party auditor like RSI Security to perform the time-consuming audit, especially if it’s the first time. HITRUST CSF is the standard security framework used for compliance, but it can take a while to get set up. Often the main problem is switching from the old HIPAA framework to HITRUST CSF.
- The next step is to determine the scope of the project. There are 19 HITRUST domains, each with a set of standards. Not all domains apply to every organization. For example, a chiropractor will not need to keep track of written prescriptions, which is one of the standards in a domain. This is often the most time-consuming part of the audit, which is why many organizations decide to hire an auditor.
- The organization’s first audit can take up to six months to complete. This is mainly due to the large amount of documentation needed for certification. Everything from risk assessment and policies to implementation and employee understanding will need to be documented and submitted. After the first audit is completed, subsequent ones usually only take around two months, depending on the number of domains and standards that apply to the organization.
- Once the audit is finished, the CSF information must be validated by a third-party assessor. This process can take up to five weeks before organizations can submit the audit.
- The final step is to certify the CSF audit with the HITRUST Alliance. This can take up to 18 months, depending on how many items are debated.
Getting HITRUST and HIPAA certified can take over two years the first time an organization uses the CSF framework. This time period does shorten by the second or third audit, but there is still a long waiting period to be recertified. During the period before certification, organizations can still operate normally as long as there aren’t any pending violations. These will need to be resolved before certification is issued.
What’s Needed for HITRUST Certification
An organization that needs to be HITRUST and HIPAA certified must have a score that shows compliance on all applicable levels. There are five compliance scores that can appear on an assessment.
- Noncompliance (NC) indicates that security protocols are not implemented or followed. It can also indicate that a security breach was discovered during the audit and the organization will have it resolved within thirty days.
- Somewhat Compliant (SC) is a score indicating that there are security issues, but they are being addressed before a breach occurs.
- Partial Compliance (PC) is scored when organizations are meeting most regulations but are lacking in some others. Even though this is a low or mid score, it is still high enough for certification. Companies need to have any security issues resolved before the next audit or they could be fined and deemed non-compliant.
- Mostly Compliant (MC) indicates that the organization only has minor security issues and they’re being addressed. This score is high enough for certification.
- Full Compliance (FC) is the highest score and indicates that there are not any security issues and that all HITRUST regulated protocols are being followed for certification.
The five compliance levels are scored in increments of 25, starting at 25 for NC and going up to 100 for full compliance. Generally, organizations with scores of 75 and higher achieve certification, while those with 50 and lower will need to be audited again.
To further explain how compliance scoring works, there are five topics that sum up the requirements.
- Policies cover the Privacy and Security rules that need to be implemented for HITRUST compliance.
- Procedures and Practices take the policies and translate them into procedures and practices that the workforce follows for HIPAA compliance.
- Implementing Required Procedures ensures that the right protocols are in place in the correct department.
- Measurement and Enforcement ensures that the protocols are in place and that there is documentation to support the fact.
- Management of Procedures ensures that all tools and controls are in place to properly manage the security protocols.
Avoiding HITRUST Penalties
You can avoid HITRUST penalties by following the requirements needed for certification. This often starts with a CSF assessment. This tool is designed and approved by the HITRUST Alliance and will check for any breaches and potential problems in an organization’s security protocols.
Whether it’s validation or a self-assessment, you need a third-party auditor. RSI Security is here to handle your assessment and answer any questions you have about HITRUST certification and penalties.