In a rapidly evolving, digital healthcare industry, the protection of your private data is more important than ever. As the years have passed and the U.S. healthcare industry made the slow transition from physical to digital recordkeeping, various laws and measures were enacted to better protect customers and ensure that healthcare-related organizations were acting in compliance.
One avenue through which a healthcare organization can achieve compliance is the HITRUST Alliance. Naturally, you may read this and wonder: what does HITRUST stand for? If you want the answer to that and much, much more, read on to discover everything you need to know about HITRUST.
The Dilemma with “HIPAA Compliance”
The phrase “HIPAA compliant” gets bandied about quite frequently in the medical world, whether by doctors, healthcare providers, vendors, developers, auditors, or consultants. Oddly enough, the phrase itself is a bit of a bugaboo, or at least a misnomer, in that the term is based on subjective assessment of compliance.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, was legislation set forth by President Clinton in order to help usher the American medical system into the Information Age. According to HHS, “HIPAA required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.”
In order to accomplish this measure, HHS later produced two key rules related to HIPAA:
- HIPAA Privacy Rule – Also known as the Standards for Privacy of Individually Identifiable Health Information, this rule sets out a national guideline and standards for the protection of electronic health records [EHR].
- HIPAA Security Rule – Also known as the Security Standards for the Protection of Electronic Protected Health Information, it created a national slate of security standards meant to protect health information stored or transmitted electronically.
In its original form, HIPAA had no universal standards, nor did it have a prescriptive compliance framework intended to create a standardized response. To make matters worse, the original tome was about as long, complicated, and enthralling as James Joyce’s Ulysses. In a ten-year retrospective, Daniel Solove had this to say on the matter:
When the HIPAA regulation initially went into effect, it generated significant skepticism, confusion, and even angst. Many in the healthcare industry asked: would it be possible to provide efficient healthcare and comply with all of HIPAA’s requirements? What did protecting the confidentiality of protected health information mean? How would HIPAA be enforced? Would HIPAA interfere with the relationships between patients and healthcare providers?
Many of these fears materialized, resulting in a cumbersome and expensive product that few complied with. It wasn’t until the adoption of the 2009 HITECH Act that the regulations and systems were fortified and compliance strongly pushed. The bill sought, and mostly accomplished, these four primary outcomes:
- Increase adoption rates of EHRs by healthcare providers.
- Tighten HIPAA loopholes by updating language.
- Provide increased enforcement mechanisms for HIPAA violations.
- Ensure that healthcare providers were compliant and held accountable.
What Does HITRUST Stand For?
As mentioned, there were no compliance frameworks or guidelines for businesses to follow. In a way, they were forced to stumble and bumble blindly around, hoping against hope that they had somehow satisfied the rules. With regard to this mounting problem, Kurt Hagerman writes:
Providers that follow HIPAA requirements are often unsure of what constitutes “reasonable and appropriate” protections. Often they implement controls without reasonable justification – or worse, implement controls that aren’t sufficient. They conduct inadequate risk assessments or skip them entirely. When you consider how many significant fines the OCR issued in 2012, the need for standardized and actionable guidance becomes clear.
Fortunately, several movers and shakers within the industry saw that this was no way to go about such a massive overhaul. In order to remedy the situation, the Health Information Trust Alliance [HITRUST] was formed in 2007. This organization was created as a privately held company that would work with leaders within the realms of information security, technology, and healthcare to create a clearer path towards compliance. Today, it’s driven by a management team and governed by an Executive Council with members hailing from the following organizations:
- Express Scripts
- Health Care Service Corporation
- IMS Health
- Kaiser Permanente
- McKesson Corporation
- UnitedHealth Group
Together, they worked to create the HITRUST CSF.
HITRUST CSF Certification
But what does HITRUST CSF stand for? Simply put, it’s short for the HITRUST Alliance’s Common Security Framework [CSF]—a prescriptive array of controls meant to ensure compliance with the various regulations and standards set out in the law. In fact, per their own website, “The HITRUST Approach provides organizations a comprehensive information risk management and compliance program to provide an integrated approach that ensures all programs are aligned, maintained and comprehensive to support an organization’s information risk management and compliance objectives.”
The purposes of the HITRUST CSF certification are fourfold:
- Certify that your business has undergone an exhaustive third-party audit and is in total compliance with HIPAA regulations.
- Eliminate inconsistencies and waste that are typical in healthcare compliance.
- Demonstrate to business associates that you care deeply about the privacy and security of any stored, shared, or disseminated healthcare information.
- Provide businesses with further reasons for maintaining a high standard of privacy and security of all data.
The HITRUST independent body set out to create standards and best practices for safeguarding private information and reducing the risk of outside intrusion or improper dissemination. It groups a variety of federal and state regulations, along with healthcare and external industry standards, into a comprehensive framework and prescriptive set of controls tailored to a company’s size and age. The common security framework incorporates various accepted standards such as:
- ISO – The International Organization for Standardization, a Swiss-based organization established in 1947 that has issued thousands of standards in a variety of fields. The most common of these are ISO 9000 and ISO 9001:2008.
- NIST – The National Institute of Standards and Technology is “a non-regulatory government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness.” NIST also publishes a cybersecurity framework of practices and standards relating to data, controls, and information systems.
- PCI – The Payment Card Industry Data Security Standard is a group of security standards meant to regulate any company that accepts, stores, processes or shares credit card information.
- HIPAA – The Health Insurance Portability and Accountability Act of 1996 was a piece of U.S. legislation meant to set forth data privacy and security provisions in order to protect medical information that is digitally stored, processed, or disseminated.
- COBIT – The Control Objectives for Information and Related Technology is a framework of controls and regulations set forth by the Information Systems Audit and Control Association in order to manage and regulate IT.
CSF certification tests security controls and verifies not only that a vendor meets key regulations and industry-defined requirements, but also that it appropriately manages risk involving data security, availability, confidentiality, processing integrity, and privacy. Although it is demanding, the HITRUST framework is also quite flexible. This uncommon combination of precision and flexibility allows the framework to be tailored to organizations of any size and readiness state.
CSF Degrees of Assurance
HITRUST provides three degrees of assurance, which are progressively more rigorous forms of the same assessment. Each degree is tied to the cost, the amount of effort and time necessary, and the rigor of the audit, with each building on the previous level. The Degrees of Assurance are as follows:
- Degree 1: CSF Self-Assessment – Any company seeking CSF certification is counseled to take this initial step. This audit is conducted internally in order to assess the security controls of each facet of your organization. A thorough self-assessment and prescriptive remediation at the conclusion of the process can save your business time and money down the line by helping you avoid glaring areas of noncompliance.
- Degree 2: CSF Validated – This stage requires a third-party, HITRUST-approved CSF Assessor such as RSI Security to confirm that all of the documentation gathered in the initial self-assessment is accurate. In addition to a document review, it will also necessitate an on-site visit by the CSF Assessor. Upon completion of the review process, the assessor will provide the company with a CSF Validated Report.
- Degree 3: CSF Certified – Once you have become CSF Validated, the lawyers at HITRUST will then step in and review the assessor’s work. This process can take anywhere from 3 to 24 months, so patience is required as they go through the painstaking process of reviewing and certifying the validation.
Once this is completed and you receive your CSF certification, you will have to renew it annually in accordance with changes in technology, rules, and regulations. Fortunately, the renewal process is much more streamlined and less expensive since the vast majority of your organization will already be in compliance based upon the previous certification. As a result, only small tweaks or adjustments here and there will likely be necessary.
Benefits of HITRUST Certification
If you’ve been tasked with obtaining HITRUST certification, you’re likely doing so at the behest of a client or business partner. Although some businesses may take alternative options or audits to prove compliance and their ability to protect sensitive data, HITRUST is the most rigorous option at hand. A few benefits of utilizing HITRUST’s CSF Certification include:
- Scalable – The CSF control set is tailored to each business assessment and is tied to its specific size, complexity, and type. According to Omar Khawaja, Vice President and CISO at Highmark Health, “Highmark has required our third-parties to be HITRUST CSF Certified for the past three years. By adopting a comprehensive and risk-based, yet transparent and consistent approach, we have simplified the process of ensuring our third parties adequately protect our information. Without this approach, our third-party risk program would not have been able to scale as effectively.”
- Saves You Time and Money – Although there is a substantial initial temporal and monetary investment to perform the three Degrees of CSF Assurance, it can save large swaths of time and chunks of cash during further audits since there is already so much overlap in the CSF controls with other regulatory requirements. As a result, you have phenomenal visibility of the various controls, making it simple to show how your controls program satisfies alternate standards.
With one comprehensive assessment, you will be positioned to generate a multitude of reports showing compliance with various other regulatory or best practice guidelines. This multi-standard alignment is especially valuable for organizations that have clients, partners, government regulators, or stakeholders with a wide and varied array of reporting requirements.
- Sets Forth a Clear Standard – As mentioned previously, the earlier laws governing how healthcare companies should handle electronic data had neither enforcement mechanisms nor prescriptive compliance standards. HITRUST, on the other hand, has clear prescriptive requirements and controls that healthcare organizations must adhere to in order to prove compliance. This makes the entire process more transparent and easier to abide by for both organizations and their clients.
HITRUST with RSI Security
HITRUST was created to help set forth a framework for compliance with HIPAA, HITECH, and other similar policy aims. Now, two decades later, it has helped businesses realize those goals. Most importantly, it has been one of the critical factors protecting an individual’s private information.
If your organization wishes to achieve HITRUST certification, the team at RSI Security is uniquely positioned to help you attain that mantle. We function as both an advisor and an assessor, helping you navigate the complex pathway towards compliance. So, if you need help, contact RSI Security today and our team will walk alongside you throughout the entire journey.
And this journey – despite your dexterity in the field – is best done with a sherpa.
Department of Health and Human Services. Summary of the HIPAA Security Rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Solove, D. Journal of AHIMA. HIPAA Turns 10: Analyzing the Past, Present and Future Impact.
Hagerman, K. Healthcare IT News. The Benefits of HITRUST Certification. (2013). https://www.healthcareitnews.com/blog/benefits-hitrust-certification
HITRUST Alliance. About Us. https://hitrustalliance.net/about-us/
Davoren, J. Small Business Chronicle. What Is ISO Compliant? https://smallbusiness.chron.com/iso-compliant-61481.html
Data Insider. What is NIST Compliance? (2018). https://digitalguardian.com/blog/what-nist-compliance
PCI Compliance Guide. PCI FAQs.
ISACA. COBIT: Framework for IT Governance and Control. http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
Medecision. The Importance of HITRUST Certification. (2019). https://www.medecision.com/the-importance-of-hitrust-certification/
HITRUST Alliance. HITRUST Continues to See Expansion of HITRUST CSF Assessments as De Facto Approach for Third Party Risk Management. (2019). https://hitrustalliance.net/hitrust-continues-see-expansion-hitrust-csf-assessments-de-facto-approach-third-party-risk-management/