In previous blog articles, we have covered what HITRUST certifications and compliance requirements are, how to understand the HITRUST certification process, and how to score HITRUST CSF controls, but one very frequent question is, “What is the benefit of getting HITRUST certified?” Right behind that, in terms of frequency, are the following HIPAA-related questions:
- How does a HITRUST certification differ from HIPAA compliance?
- Which is better, HITRUST or HIPAA?
- Do I have to do HITRUST and HIPAA?
Let’s see what we can do to clarify these in a quick article.
What is the HITRUST Common Security Framework (CSF)?
According to HITRUST: “The HITRUST CSF is a framework that normalizes security and privacy requirements for organizations, including federal legislation (e.g., HIPAA), federal agency rules and guidance (e.g., NIST), state legislation (e.g., California Consumer Privacy Act), international regulation (e.g., GDPR), and industry frameworks (e.g., PCI, COBIT). It simplifies the myriad requirements by providing a single-source solution tailored to the organization’s needs. The CSF is the only framework built to provide scalable security and privacy requirements based on the different risks and exposures of each unique organization.”
The HITRUST CSF
- Includes, harmonizes, and cross-references existing, globally recognized standards, regulations, and business requirements, including ISO, EU GDPR, NIST, PCI (and HIPAA)
- Scales controls according to the type, size, and complexity of an organization
- Provides prescriptive requirements to ensure clarity
- Follows a risk-based approach offering multiple levels of implementation requirements determined by specific risk thresholds
- Allows for the adoption of alternate controls when necessary
- Evolves according to user input and changing conditions in the standards and regulatory environment on an annual basis
- Provides a unified approach for managing data protection compliance
Simply put, HITRUST has incorporated dozens of control frameworks into a standardized and consistent set of controls that can address the majority of controls necessary for the majority of environments.
What Is the Difference Between HIPAA & HITRUST? A High-Level Overview
One of the main differences between HIPAA and HITRUST is that HIPAA is a regulatory framework, and an organization cannot become “HIPAA certified.” In contrast, with a HITRUST assessment, certification can be achieved if the scoped HITRUST requirements (as applicable to your organization) are met. To elaborate:
HIPAA provides legal requirements/guidelines on how organizations are to handle Protected Health Information (PHI). An organization can perform a HIPAA self-assessment to demonstrate compliance; however, having an impartial third party conduct the audit and provide a report gives business partners much greater assurance of your compliance. During a HIPAA compliance assessment, the third-party auditor will determine if you are compliant with the HIPAA requirements set forth, generally, in the HIPAA security, breach notification, and/or privacy rules. Additional information on the rules can be found at the HHS.gov site. If HIPAA gaps are identified as a result of the audit, then once they are remediated, an organization should be HIPAA compliant. HIPAA deals specifically, and only, with the handling of protected health information and is only applicable to covered entities (providers, insurance companies, etc.) and their business partners.
HITRUST provides an industry-agnostic framework that allows a certification that is based on over 35 industry-standard frameworks that include industry best practices and can add controls based on your company, your functions, and your market. Depending on your choice of assessment and your selection of controls, your assessment can validate as much as you need.
To further explain, before starting a HITRUST assessment, an organization must “scope” their assessment. As a part of this process, the organization will provide responses to various “risk factors” within the myCSF tool. Once completed, a set of requirements tailored to your organization (which are mapped and cross-referenced to multiple frameworks) will be selected and generated. From this point, an organization can choose to conduct a readiness assessment or a validated assessment.
How Does a Readiness Assessment Work Compared to An Actual Assessment?
The readiness assessment is designed to help evaluate how closely an organization’s control environment aligns with the HITRUST CSF. There is no certification available with a readiness assessment. The readiness assessment can be completed internally, with the help of a HITRUST Readiness Licensee, or with the help of a HITRUST External Assessor. Check out our related article to learn about HITRUST readiness assessment pitfalls to avoid.
In contrast, a validated assessment must be performed with a HITRUST External Assessor who will review evidence to validate the CSF application in your environment, and it will result in one of two reports:
- A validated report (no certification)
- A validated report with certification
Security Concerns in Healthcare & How to Address Them
Protected Health Information (PHI) is some of the most personal, private, and sensitive information processed about individuals. Safeguarding it is not just an ethical and business necessity, it’s a legal requirement. While approaches to this vary, HIPAA is the law of the land, and HITRUST can be a significant tool in evaluating your security processes, your posture, and the successful implementation of controls to protect this data and your data subjects.
Healthcare Security Breaches
If you are a healthcare organization or you provide services to them, securing your infrastructure and applications is essential. The damage from a breach – financial and reputational – can be significant. According to the 2022 IBM data breach report, the average total cost of a healthcare security breach is over $10 million. While reputational damage isn’t so easy to quantify, loss of public trust can impact customers, potential employees, and partner organizations. Simply put, in many industries and for many companies, a single breach could destroy your company.
So, how do we avoid all that unpleasantness? Well, the most straightforward method of reducing the likelihood of a breach is to implement sound security controls that follow industry best practices.
The Problem with Healthcare Compliance
If you are in the healthcare business, you are probably very familiar with all of the following regulations.
Trying to make sure you are compliant with all of these regulations takes a lot of time and money. With limited budgets, time, and resources, it can be difficult to know where to focus efforts and challenging to know when enough has been done.
What Is the Benefit of HITRUST? Why Get a HITRUST Certification?
So what are the benefits of getting HITRUST certified? Let’s talk about the top five.
- Reassure Your Clients and Customers: From being able to put a HITRUST badge on your website to letting your account managers say “Yes, we are HITRUST certified,” a HITRUST certification lets your customers and potential customers know you are following, and being tested on, a comprehensive set of security controls. Since HITRUST certification requires an independent third-party assessor, people know they are choosing to do business with an organization that implements and tests industry-standard security controls.
- Simplify Your Audit Process: Just to be clear, HITRUST cannot necessarily replace other audits. PCI compliance, for example, may still be required by your payment processor, or your industry may have legislative or regulatory requirements for which a HITRUST audit cannot be a substitute. However, as a comprehensive framework built on a combination of others, with highly customizable control sets based on additional frameworks you may be utilizing, HITRUST can help standardize and centralize your audit documentation and evidence. Also, your customers and clients may recognize the value of a HITRUST audit and accept it in place of standard vendor assessments or other audits and attestations.
- Pick a Framework That Matches YOUR Business: HITRUST has been evolving, and with the addition of the HITRUST Essentials and the HITRUST Implemented frameworks to the existing HITRUST Risk-based assessment, an audit (and your auditor) can focus on controls relevant to your industry, your environment, and your (and your customers’) needs.
- Get BETTER!: The HITRUST certification process is in-depth and comprehensive. Since the HITRUST CSF aggregates multiple frameworks, it allows an ‘eyes on’ moment to validate that you’re doing what you think you’re doing and doing it in every case. Whether it’s system hardening, event logging, data or record retention, access control, incident response, or Business Continuity and Disaster Recovery, you, along with your third-party assessor, will delve, dive, inspect, and validate your controls and their consistent application. (Remember how much a breach can cost?)
- Stop Guessing: While HITRUST is fundamentally different from other frameworks, it can provide a significant boost in your confidence that you are meeting the requirements of other frameworks. By adding HIPAA, PCI, or even state-level privacy legislative requirements to your HITRUST assessment, an organization can ensure it is tested against the controls within those frameworks. This inclusion will be reflected in your certification documentation, letting you assure anyone who needs to know that you’re doing what you should be doing.
How Do I Get HITRUST Certified?
The essence of the process is simple and mostly traditional: you can start with a readiness assessment, either guided by your audit firm or with your internal teams, and move forward with a validated assessment by engaging HITRUST and an external firm authorized to validate assessments. Like most audits, the process involves evaluating the controls in place and their implementation against the CSF’s requirements and scoring methodologies. Details on the nature of the assessments and the available reports and certifications are as follows.
What is HIPAA Compliance?
We have several blogs on HIPAA and HITRUST reporting processes that can be referenced for further details. Therefore, in the section below, I will provide a brief overview of each to compare the two processes.
Is HITRUST Only for Healthcare?
HITRUST has historically had a healthcare focus, but the last iterations of the CSF have moved to be much more general and comprehensive. Of the 30+ frameworks utilized to build the HITRUST CSF, only a few are specifically healthcare. With the ability to scope your controls, HITRUST can be applicable to virtually any market, audience, or product. Simply, HITRUST can be used for healthcare, but it can also be used to demonstrate a commitment to information security for any organization.
HIPAA, of course, remains specific to healthcare providers and downstream use of Protected Health Information (PHI).
Does HITRUST include HIPAA? How Are They Similar?
I’m only including this question – “But I thought I remembered HIPAA and HITRUST were very similar, or supposed to be in the same space?” – because I semi-frequently run into people who remember a connection between the two frameworks and, honestly, I don’t want them questioning their sanity. Yes, they were once tied very closely, and HITRUST, at its inception, was largely inclusive of the HIPAA controls in its default framework. As HITRUST has grown and the CSF has matured, HIPAA has become an add-on control set to the base CSF controls, allowing HITRUST to be more useful for any organization and more customizable for healthcare providers and healthcare-adjacent organizations.
So – What Does HITRUST Get Me That HIPAA Doesn’t?
HITRUST offers a certification and a validated assessment. Depending on the certification, it lasts one or two years and allows your organization to say, “It’s not just us telling you we’re doing it right; an external assessor and HITRUST have validated this.” HIPAA, while comprehensive in the protection of a subset of assets, can be narrow in scope, and a significant subset of the HIPAA security rule controls that apply to non-provider organizations aren’t “enforced” except as a result of a breach, if at all. HITRUST provides a time-bound, validated, comprehensive assurance to you, your executives, and your customers.
I hope this article helped clarify questions you have on HITRUST overall and its benefits, as well as how the process contrasts with a HIPAA assessment.
From the information outlined, the HITRUST process may seem daunting. It can also be a very positive, eye-opening, and reasonably smooth process if you have the right organization helping you. Getting HITRUST certified can be a heavy lift and requires expertise in the maturity model, healthcare regulations, NIST controls, policy/standards/process development, and more.
HITRUST is not an easy process, but with the right team, it shouldn’t be overwhelming. If you have been asked by one of your clients for a HITRUST-validated certification, or your HIPAA compliance status, reach out to Linford & Co and we can walk you through the processes and pricing for each.
This article was originally published on 9/15/2020 and was updated on 6/14/2023.
Brian has over 2 decades of experience in System Administration and Information Security, having worked at all levels of Government (City, County, State, and Federal) and with companies ranging from startup to Fortune-20. He transitioned to auditing in 2018 and has delivered audits and attestations as varied as SOC 1 and 2, HITRUST, FISMA, FERPA, PCI, CSA-star and HIPAA. With Linford and Co, he focuses primarily on HITRUST and SOC 2.