Six Things You Should Know
As the volume of data has exploded in the information age, an increasingly complex web of regulations has evolved to keep all that data secure and private. The occasional overlap between regulations has generated frustration among businesses that find the road to compliance full of S-turns, cloverleafs, and confusing signage.
Most regulations specify that compliance is mandatory, but many fail to provide actionable instructions for doing so.
HITRUST helps many organizations fill in those blanks.
What HITRUST Is and Is Not
HITRUST was founded as the Health Information Trust Alliance in 2007. Since then, the scope of HITRUST has expanded beyond healthcare to other regulated industries. However, the healthcare industry currently remains its greatest beneficiary—perhaps because its need is greatest.
With the help of information security and technology organizations and data protection professionals in the private and public sectors, HITRUST established a Cybersecurity Framework (CSF).
The HITRUST framework is unique in that it integrates all of the core security and privacy requirements that apply to healthcare providers, not simply the HIPAA requirements.
The HITRUST framework can be employed by any organization that creates, accesses, uses, stores, or exchanges data that is sensitive, proprietary, or regulated, including Protected Health Information (PHI) and Personally Identifiable Information (PII).
HITRUST is a non-regulatory body and use of the HITRUST Cybersecurity Framework is voluntary.
How HITRUST Works With HIPAA
The HITRUST Cybersecurity Framework is designed to provide a more user-friendly and instructional roadmap to HIPAA compliance. The framework is both risk-based and compliance-based, and offers a comprehensive, prescriptive program that also enables healthcare providers who adopt the framework to achieve HITRUST Certification.
HITRUST brings together relevant regulations and standards to form a single overarching security and privacy framework.
Importantly, it fully integrates the numerous requirements of the HIPAA Security Rule with the equally numerous requirements of ISO-IEC 27002:2013, NIST SP 800-53, PCI-DSS v3, and the NIST Cybersecurity Framework.
For any healthcare organization struggling to achieve complete HIPAA compliance, as required by HIPAA regulations, the HITRUST framework offers a user manual of sorts that alleviates the struggle by prescribing compliance and risk management activities that are efficient and orderly.
How the NIST Framework Relates to HITRUST
The NIST Cybersecurity Framework is based on a wide variety of existing cybersecurity standards, guidelines, and best practices. Industry-agnostic, it is designed to assist all sorts and sizes of organizations, in virtually all industries, to better manage and reduce their cybersecurity risks.
The NIST framework encompasses 98 core subcategories that describe intended cybersecurity outcomes. HITRUST helps organizations comply with the NIST Cybersecurity Framework.
While it has been the foremost creator and promulgator of standards across a sweeping array of disciplines since 1901, the National Institute of Standards and Technology (NIST) is a non-regulatory body, and use of the NIST Cybersecurity Framework is voluntary.
HITRUST Provides Unique and Important Benefits
The unique advantages of utilizing the HITRUST Cybersecurity Framework are important for many organizations in the healthcare industry.
- The framework provides a clear, organized path to HITRUST Certification, enabling healthcare organizations to take a step beyond HIPAA compliance to earn a certificate of compliance.
- Because it is focused on both risk and compliance, a healthcare provider or other business can customize the framework’s security and privacy control baselines to better suit its own organization type, size, systems, and regulatory requirements.
- The framework brings together relevant regulations and standards in a single-source solution for security and privacy. This means users do not need to cobble together their own programs in efforts to meet various complex regulatory requirements.
- The HITRUST Cybersecurity Framework is both comprehensive and prescriptive, offering complete compliance guidance and tools, and instructing users how to proceed with each step of the process.
- Healthcare providers, from national hospital systems to small private practices, can follow established templates, procedures, and protocols in order to comply more easily with all the regulations that apply to them, including HIPAA, ISO-IEC, NIST, and PCI.
- Recognizing that the needs and resources of smaller practices are often different from those of their larger counterparts, HITRUST has created useful options for businesses of all sizes and types.
Earning HITRUST Certification speaks volumes about a healthcare practice or hospital system. It tells patients, business associates, peers, competitors, auditors, and regulators that data privacy, information security, and regulatory compliance are of utmost importance to the certified organization.
It’s a bit like earning a prestigious award—and one that can be promoted and advertised to enhance an organization’s credentials.
HITRUST Assessment Requirements
Security risk assessments are evaluations that gauge and document an organization’s security posture at any given time.
HITRUST assessments enable healthcare organizations to evaluate their security and privacy programs and demonstrate that they have achieved the prescribed security and privacy improvements in order to reduce their risk. The HITRUST Assessment is a required step for HITRUST Certification.
HITRUST assessments are conducted by authorized external assessors in accordance with established protocols. These “validated assessments” must be performed in partnership with an Authorized External Assessor organization, after which they can be submitted to HITRUST for quality assurance review and issuance of a HITRUST CSF Validated Assessment Report. The report is a prerequisite to certification.
Prior to the official or validated assessment, a self-assessment or readiness assessment is a smart step. A readiness assessment is useful in (1) discovering weaknesses in an organization’s security and privacy programs, (2) presenting remediation recommendations, and (3) allowing time to remedy the weaknesses prior to conducting a validated assessment.
The readiness assessment may be conducted by an organization’s own internal personnel with the expert assistance of a HITRUST readiness assessor, or by the readiness assessor alone.
Preparedness can save time and expense in subsequent steps.
The Significance of HITRUST Certification
We are often asked what impact HITRUST has on healthcare providers and others in the healthcare industry who have already achieved HIPAA compliance.
All who have reached this goal deserve congratulations, as it is no simple achievement.
HIPAA compliance is documented by an annual security risk assessment, including assessment reports and remediation documentation. These materials can be gathered and presented to auditors from the U.S. Department of Health and Human Services Office for Civil Rights as acceptable proof of HIPAA compliance status.
However, what HIPAA does not offer is certification of compliance. For organizations that wish to certify their HIPAA compliance status, HITRUST provides a clear avenue to certification.
In addition, depending on an individual organization’s security risk assessment scope and parameters, HIPAA compliance does not necessarily encompass NIST, PCI, and ISO-IEC standards, which have vital applications in the healthcare industry.
For healthcare providers who desire to upgrade their compliance and information security programs to meet these core standards, HITRUST provides the means to do so.
Earning HITRUST Certification is a comprehensive and widely accepted benchmark of a healthcare organization’s data privacy, information security, and regulatory compliance position.
Summary
HITRUST is unique in providing a cybersecurity framework that integrates all the core security and privacy requirements that apply to healthcare providers. The framework addresses HIPAA requirements as well as NIST, ISO-IEC, and PCI standards for the ultimate in compliance convenience and efficiency.
Through HITRUST, healthcare organizations have access to many resources, including templates and other tools. Those who wish to work on their own can get started by downloading the latest version of the HITRUST CSF (v9.4) License Agreement.
In addition, healthcare organizations can take advantage of available HITRUST readiness services that will prepare them for the HITRUST validated assessment and help them avoid pitfalls and unnecessary expense. And they can tap into a network of authorized external assessors to help them through the validated assessment process. By leveraging these resources, healthcare organizations are able to prepare themselves for HITRUST Certification in order to reap its many unique and important benefits.