HITRUST in Healthcare Makes Great Sense. Adopting the HITRUST CSF Covers All Your Bases, from HIPAA to PCI and More
The HITRUST CSF is a unique and elegant solution for healthcare organizations, health plans, and business associates that are required to comply with multiple federal regulations in addition to HIPAA—which these days means virtually all covered entities. That’s because the HITRUST Framework incorporates and cross-references the existing standards and regulations that apply to the healthcare industry, all in one place, all in a single framework, with three levels of assessment and certification available. What’s not to love about that?
Reasons to Adopt HITRUST in Healthcare
Since its inception in 2007, HITRUST has championed programs that help healthcare organizations and their business associates, as well as other industries, effectively safeguard their sensitive data and manage their information risk.
From the beginning, the HITRUST CSF has leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks—including leading authoritative sources such as HIPAA, PCI, ISO, NIST, and GDPR—to assemble a comprehensive set of security and privacy controls in one framework. And HITRUST continually adds new or updated regulatory requirements as they are released.
The HITRUST CSF standardizes these requirements across authoritative sources to provide clarity and consistency and to reduce the burden of compliance on healthcare organizations, business associates, and insurance plans.
The commitment and expertise demonstrated by HITRUST ensure that organizations that adopt the framework are well-prepared to meet new security and privacy risks head-on by complying with the regulations developed to address those risks.
Reasons to Adopt the HITRUST Framework
For regulated healthcare entities there are five compelling reasons to use the HITRUST CSF, as outlined below:
- Adopting the Framework demonstrates your commitment to robust information security and sound risk management throughout your organization.
- The HITRUST CSF incorporates the requirements of a host of regulations, providing a single source for healthcare organizations to refer to in achieving and maintaining all necessary compliance.
- In addition to enabling compliance with HIPAA, adopting the HITRUST CSF facilitates compliance with ISO standards, the NIST Security Framework, the Data Security Standard maintained by the Payment Card Industry (PCI-DSS), and the General Data Protection Regulation (GDPR) that governs business conducted in the European Union.
- Need more reasons? Eight out of 10 top cloud service providers use the HITRUST Framework, along with 75% of Fortune 20 companies, and thousands of other organizations across numerous industries.
- Finally, healthcare entities don’t have to go it alone. 24By7Security and other HITRUST Authorized Readiness Licensees are approved to help organizations prepare for the successful adoption of the HITRUST CSF and successful completion of the appropriate HITRUST Assessment.
The Role of HITRUST in Healthcare
Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information and help healthcare organizations manage information risk. HITRUST developed the certifiable HITRUST Framework to enhance healthcare entities’ cybersecurity and data protections and enable them to demonstrate compliance with HIPAA and other applicable regulations.
HITRUST develops, maintains, and provides broad access to its risk and compliance management frameworks, assessments, and assurance methodologies, which have been widely adopted around the world. The HITRUST approach enables organizations to implement a comprehensive, integrated information risk management and compliance program, without having to reinvent the wheel or create their own methodologies.
An important advantage of the HITRUST Framework lies in its continual incorporation of additional authoritative sources as security regulations evolve in the ongoing fight against cybercrime. HITRUST introduced significant updates in January 2023 as part of version 11.0, essentially redesigning the Framework to substantially increase efficiencies and cyberthreat-adaptive assurances. The latest version, 11.2, leverages the speed, accuracy, and efficiency of the AI-supported toolkit in the v11 framework to update three authoritative sources and add six new ones.
Impact of HITRUST on HIPAA Compliance
As members of the healthcare industry are well aware, achieving full HIPAA compliance does not result in any form of HIPAA certification. Instead, the reward is a robust cybersecurity program that complies with the mandatory HIPAA Rules, including the HIPAA Security Rule and HIPAA Privacy Rule.
HITRUST changes this for healthcare entities that adopt the HITRUST CSF and undergo an assessment that leads to HITRUST certification. It is probably the most effective way to achieve full HIPAA compliance and maintain it on a current basis. In turn, this keeps your compliance program on favorable footing with the HHS Office for Civil Rights, which enforces HIPAA compliance and imposes penalties for non-compliance.
Three Types of HITRUST Assessments and Certifications
In the healthcare industry, the certifiable HITRUST Framework offers any healthcare entity a thorough, adaptable, effective way to manage risk and comply with HIPAA regulations and other applicable security standards.
HITRUST offers a step-by-step guide to achieving the appropriate level of information security and cybersecurity based on the size and scope of the individual healthcare organization.
It also provides a clear path to demonstrating HIPAA compliance—a goal that every healthcare entity, including business associates, should pursue with urgency. The HITRUST Framework is a proven prescription for robust healthcare security.
The HITRUST Framework offers three different levels of assessment and certification, beginning with the HITRUST Essentials 1-year Assessment (e1).
Next is the HITRUST Implemented 1-year Assessment (i1), followed by the HITRUST Risk-based 2-year Assessment (r2).
The HITRUST r2 Assessment offers the highest level of assurance and thus requires significantly more effort than the 1-year assessments. With the release of HITRUST CSF 11.0 in January 2023, the i1 Assessments can serve as the baseline for r2 Assessments, an enhancement that significantly reduces the number of controls in scope.
HITRUST and SOC 2
The relationship between HITRUST and SOC 2 can be confusing, so let’s take a moment to describe the fundamental and vital difference between the two as well as how they work together.
In document form, HITRUST is a certification, whereas SOC 2 is an attestation report. Developed and governed by the American Institute of Certified Public Accountants (AICPA), SOC 2 is a set of principles that provide a foundation for evaluating a service organization’s internal controls. Known as the Trust Services Criteria, these principles relate to the security, availability, processing integrity, confidentiality, and privacy of customer data in a service organization.
According to a SOC 2 FAQ offered on the HITRUST website, the two standards can be employed together for several purposes. Specifically, a mapping between the requirements of the HITRUST CSF and the AICPA’s Trust Services Criteria enables service organizations to provide information to users about whether the organization’s controls for data security, availability, and confidentiality are designed and operating effectively to meet the applicable Trust Services Criteria and HITRUST CSF criteria. This increases transparency and provides users with additional information for decision-making.
In addition, service organizations may consider four available options for SOC 2 reporting, including (1) SOC 2 reporting only, (2) SOC 2 plus HITRUST CSF reporting, (3) HITRUST CSF certification without a SOC 2 report, and (4) SOC 2 plus HITRUST CSF reporting plus CSF certification.
Finally, SOC 2 is not a regulation and as such does not demand compliance (unlike HIPAA and GDPR, for example). However, compliance with SOC 2 may be driven by a service organization’s customers, prospects, investors, directors, and other stakeholders who seek demonstrated assurance that all appropriate controls are in place to protect their data.
HITRUST Resources for Healthcare Organizations
Downloadable resources are available for the asking at the HITRUST Resource Center, including the HITRUST CSF, Threat Catalog, and Assessment Handbook, as well as case studies, ebooks, and FAQs.
You will also find a list of External Assessors and Internal Assessors who are qualified to perform HITRUST Assessments. Healthcare entities that wish to prepare in advance for a successful HITRUST assessment can engage specialized expertise in the form of HITRUST Authorized Readiness Licensees. These Licensees are approved to conduct readiness assessments and provide consulting services toward implementing the HITRUST Framework.
In a welcome display of synergy, the HHS Office for Civil Rights recognizes the value of having members of the healthcare industry adopt the HITRUST Framework. In addition, any healthcare organization can leverage the HITRUST Framework to demonstrate its adherence to the Recognized Security Practices promulgated by the OCR.
Summary
The HITRUST CSF is a unique and elegant solution for healthcare organizations, health plans, and business associates that, in addition to HIPAA, are required to comply with other federal regulations. The HITRUST Framework incorporates and cross-references the existing standards and regulations that apply to the healthcare industry, all in one place, all in a single framework.
Three levels of assessment and certification are available to meet the needs of healthcare entities of all types and sizes. All three are validated assessments with certifications, and they range from the most essential cybersecurity controls, to leading cybersecurity practices, to advanced cybersecurity practices.
Adopting HITRUST in healthcare is no doubt the most effective way to complete your HIPAA compliance efforts and keep them current. In addition, it enables you to clearly demonstrate your compliance in the event the Office for Civil Rights comes calling.