Ever since 1996, with the passage of the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations have been assessing the risks that are associated with electronic health records (EHRs). Now, with nearly every hospital utilizing the latest gadgets in healthcare technology from cloud storage to automation to mobile tablets and devices, the need for protecting patient data is at an all-time high.
To help manage and reduce the risk of data breaches, healthcare organizations promote the use of security frameworks. One such framework is the HITRUST community security framework (CSF). The reason this framework is among the most trusted in the healthcare industry is how it can be adjusted to fit any HIPAA mandate or new healthcare law — thus never leaving room for penalties due to security issues.
In fact, it’s for this very reason healthcare organizations are starting to require their business associates to be HITRUST certified. If you’re considering HITRUST CSF, then you should be aware of the different types of HITRUST assessment.
Why Bother With Assessments?
It’s a fair question: Why care about a HITRUST assessment in the first place? The biggest reason most organizations consider assessments is to ensure that they will survive an audit by the Office for Civil Rights (OCR), the office within the Department of Health and Human Services in charge of enforcing the penalties associated with the HIPAA Privacy and Security Rules.
To become HITRUST Certified (one of the assessments described below) means to operate in compliance with all HIPAA mandates. That way, an audit won’t result in substantial fines and affect the organization.
HIPAA Mandates: A Quick Overview
For those unfamiliar with the complexities of HIPAA and the act that reinforced HIPAA with stringent enforcement laws and penalties — the HITECH Act — here’s a brief overview of what organizations need to comply with:
- Meaningful Use Program – aka the adoption of EHRs – Prior to the HITECH Act of 2009, less than half of all office-based physicians were operating with electronic health records. With the newer, more expensive penalties attached to HIPAA, the adoption rate soared to 80% within a few years. While this has improved the communication and accessibility of electronic personal health information (e-PHI), it hasn’t come without its downsides — thus the need for privacy and security rules.
- HIPAA Privacy Rule – The patient’s right to data privacy is a core tenet of HIPAA. The Privacy Rule sets in place guidelines that healthcare organizations have to follow, including:
- Patients control their e-PHI
- Regulations on the use and release of e-PHI
- Monetary fees and jail time for violating the patient’s right to data privacy
- Sets minimum necessary guidelines for disclosure of e-PHI
- HIPAA Security Rule – The Security Rule deals with the safeguards (technical, physical, and administrative) surrounding e-PHI, particularly in two areas:
- Risk assessment to avoid “willful neglect” of HIPAA policies
- Risk mitigation to reduce these assessed risks
- Breach Notification Rule – In the case that a breach does occur, HIPAA outlines how and to what degree an organization needs to notify the people affected by the breach.
Each of these rules is detailed in depth in HIPAA, with outlines for both how to implement the security guidelines and the violations that result from noncompliance. The reason to use HITRUST assessments is to avoid these penalties and fees.
HIPAA Violation Penalties
HIPAA violations can cause significant penalties, from fines to imprisonment. Penalties are based on a four-tiered system that reflects the extent of the noncompliance. The primary factors that determine which tier a penalty falls under are:
- 30-day Correction Period – If a security flaw is noted during an audit, the healthcare organization is given a 30-day correction period to correct it. In some cases, extensions can be given — the idea is that the organization has to put forth reasonable effort to fix the issues.
- Willful Neglect – “Willful Neglect” is defined in the HITECH Act. It is determined by whether or not a healthcare organization would have known about a HIPAA regulation with reasonable effort. For smaller healthcare providers, this determines whether the organization purposefully ignored the compliance regulation.
The four tiers of penalties associated with these factors are then as follows:
- Tier A – $100 minimum per violation up to $25,000 – If the HIPAA violation occurred and the healthcare entity was unaware of the violation, but the entity amends its policy within 30 days.
- Tier B – $1,000 minimum per violation up to $100,000 – If the HIPAA violation occurred and the healthcare entity was unaware of the violation, and the entity does not amend their policy.
- Tier C – $10,000 minimum per violation up to $250,000 – If the HIPAA violation occurred due to willful neglect, but the entity amends its policy within 30 days.
- Tier D – $50,000 minimum per violation up to $1,500,000 – If the HIPAA violation occurred due to willful neglect, and the entity does not amend its policy within 30 days.
Additionally, criminal charges can be brought when a person or entity intends to sell personal health information. In these cases, imprisonment ranges from 6 months to 10 years depending on the scope of the charge.
Utilizing the different types of HITRUST assessments can avoid the headache of both the audit and the penalties associated with it.
Types of Assessments
As a part of the HITRUST CSF Assurance Program, there are three types of assessments available for healthcare organizations:
- HITRUST Self Assessment
- HITRUST CSF Validation
- HITRUST CSF Certification
Each of these has a different purpose and a different methodology behind it. To understand which one your organization needs, let’s dive deeper.
HITRUST Self Assessment
When first implementing a new security framework, chances are that many of the security provisions will be similar to the old ones. The purpose of the self-assessment, then, is to identify large gaps in security. These can then be addressed internally before running through the more expensive assessments.
The self-assessment tools available are:
- CSF Assessment Report
- MyCSF Software
CSF Assessment Report
The first option is the more traditional route of self-assessment. HITRUST provides an assessment report that healthcare providers and business associates can run through internally. It’s essentially a long checklist of security items that are needed to ensure that you have the proper measures in place to protect against data breaches and to avoid unnecessary fines for noncompliance.
Because the assessment report is completed internally and not by a certified third-party assessor, the most HITRUST can offer is a limited level of assurance. That assurance is based on self-reported results, not on any external assessment.
MyCSF Software
MyCSF is software developed by HITRUST as a way for healthcare organizations to reimagine the way they assess and manage security risks. Before MyCSF, the only method of self-assessment was through the assessment report; what MyCSF offers is an interactive way to provide that same assurance. Its features include:
- Performance tracking – If you want to track your security performance throughout the year, MyCSF is a great tool to do so. It offers real-time updates to security provisions and cyber threats.
- Interactive navigation – The user interface is designed to guide users through the security platform. On the home screen, for example, it offers an overview of your organization, assessments and their statuses, notifications relevant to your company, and a bulletin with the newest security news.
- CSF Assessment Functionality – As you run through assessments, the security factors are broken down into easy-to-follow, intuitive steps. Progress on assessments can be saved, paused, and restarted as you find time to run through the security protocols.
- Access to list of security controls – You can integrate the exact security controls that are necessary to your individual organization. While HIPAA compliance sits at the forefront of the framework, there may be other controls you wish to focus on.
- Documentation library – When you need evidence support, you can search through the documentation library and add evidence directly to the assessment area where needed. This makes it easy to update and maintain documentation in your report.
- Delegate workload to other users – If the security assessment is handled within a team, you can assign workloads to different team members.
- Score current data security – As you assess each area of your current data security network, you can assign a maturity score, which helps decide which areas need the most focus. A maturity score reflects how developed a policy is and how well defined the procedures that ensure the policy is enacted are.
- Track maturity score progress – When you increase the security measures, you can update maturity scores and watch as your security rating increases.
- API Integration – Integrate, publish, or exchange security assessment information between tools such as GRC platforms and the HITRUST Assessment Xchange for further detailed analysis.
If this workload seems overwhelming to organize internally, you can talk to third-party certified CSF Assessors who will guide you through the process. RSI Security experts are available to assist in self-assessment, CSF validation, and certification.
HITRUST CSF Validation
The next level of security assurance is to become CSF Validated. A certified assessor performs an on-site visit and reviews the self-assessment provided by the organization. When the assessor submits this to HITRUST, a Validated Report is returned.
While this helps organizations identify areas of security that are lacking and weren’t previously identified in the self-assessment, it does not verify HIPAA compliance. The only assessment that provides this is the HITRUST CSF Certification.
HITRUST CSF Certification
The final step in the assurance program is to become HITRUST CSF Certified. Here the certified assessor individually reviews and scores each of the security measures within the security framework. Each measure is scored on one of the following compliance levels:
- Noncompliance (NC)
- Somewhat Compliant (SC)
- Partial Compliance (PC)
- Mostly Compliant (MC)
- Full Compliance (FC)
Whether or not a security measure is compliant depends on how the security policies are put in place and what procedural practices follow. The scoring is summed up by these topics:
- Policies – To be HIPAA compliant, each area of the Privacy and Security Rules has to be integrated into the healthcare provider’s internal policies.
- Procedure and practices – These policies are then translated into specific procedures and practices that employees can follow to ensure HIPAA compliance.
- Implementing procedures – Once the practices are defined, they must be implemented within the relevant departments.
- Measurement and enforcement – To ensure that these practices are implemented, measurement systems have to be put in place. This will provide evidence that practices are followed.
- Management of procedures – Each of the administrative, technical, or physical controls put in place must be managed to ensure proper practice.
How Healthcare Organizations Leverage CSF Certification
The Department of Health and Human Services has linked HITRUST as a resource for assessing security risk, managing that risk, and implementing a security framework. This is because the framework integrates HIPAA mandates and other security frameworks into one standardized system.
Organizations can leverage CSF certifications to ensure the protection of personal health information and avoid audit anxiety and HIPAA penalties. Because of its success, healthcare providers are also starting to require their business associates to be CSF certified to protect themselves against the added HITECH provisions.
Leverage RSI Security for Your Organization
Before an audit notice arrives in your inbox, be sure that your data security systems are up to date. Organizations can leverage RSI Security to implement and verify HITRUST CSF certification — experts are ready to help. They’ll assist you with compliance services, including:
- Facilitated self-assessment – Ensure that no gaps in security exist in your security network
- Validation and certification – Go the extra step to become CSF certified and ensure HIPAA compliance
- Continuous security monitoring – Companies are constantly barraged by cyber threats. It only takes one moment when your guard is down to suffer a massive data breach.
- Healthcare security risk and advising – Not only will the risk be assessed, but the experts at RSI Security will advise you on how best to protect your patients’ data.