Health care related organizations who wish to demonstrate their compliance with HIPAA and other regulations are choosing more and more to become HITRUST compliant or certified. We know…another information security framework…great!
In the past, health care organizations have either signed business associate agreements or verbally committed to their partners that they were HIPAA compliant and had adequate information security controls in place. In addition, some organizations may have provided their SOC reports or other compliance or attestation reports to demonstrate compliance.
One problem with the old approach to HIPAA is that there has always been some ambiguity involved with HIPAA compliance. Some controls are addressable and others are required. Please see our blog post on required vs. addressable HIPAA requirements.
Also, HIPAA has never had a “certification” available, so organizations have had to use an internal resource to perform a self-assessment against the HIPAA requirements before holding themselves out as HIPAA compliant or hire an external assessor to perform an independent assessment.
A consortium of health care organizations came together in 2007 and formed the HITRUST Alliance, a nonprofit that has focused on making information protection a core pillar of health care information systems and exchanges. HITRUST was created to address specific health care challenges such as concern over breaches, numerous and sometimes inconsistent requirements and standards, compliance issues, and the growing risk and liability associated with information security in the healthcare industry.
It’s no secret that the number of breaches and information security related concerns are on the rise. In response, the HITRUST Alliance created the myCSF framework which can be used by all organizations that create, access, store, or exchange sensitive information. The HITRUST myCSF framework was developed as a way for organizations to assess their compliance with a variety of information security regulations that may be included within a HITRUST assessment.
Wikipedia Definition: “The Health Information Trust Alliance, or HITRUST, is a privately held company located in the United States that, in collaboration with health care, technology and information security leaders, has established a Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data. The CSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards.”
HITRUST Executive Council members represent the following organizations:
- Anthem, Inc.
- Express Scripts, Inc.
- Health Care Service Corporation
- Hospital Corporation of America
- Humana Inc.
- IMS Health
- Kaiser Permanente
- McKesson Corporation
- UnitedHealth Group
Differences Between HITRUST Self Assessment vs. Validated Assessment vs. Certification
HITRUST certification has two separate paths. An organization may use the HITRUST myCSF tool to perform a self-assessment. Based on the scoping answers provided by the organization for the self-assessment, a customized HITRUST assessment is built to assess the organization’s unique environment against its applicable compliance criteria. The tool assists in identifying areas for improvement and areas that would be considered in compliance with the HITRUST criteria. Once the self-assessment is complete and corrective actions are implemented, a third party may be engaged to confirm the organization meets the criteria and provides a validated assessment.
The self-assessment step may also be skipped if desired by the organization, however, it is a good idea to be able to remediate any gaps prior to the validated assessment. If an organization elects to go straight to the validated assessment, there is a risk that gaps may be identified and the validated assessment may not be completed until the gaps are remediated.
If an organization desires even greater comfort related to HITRUST compliance, they may submit their validated assessment to HITRUST who can “certify” the validated assessment.
After HITRUST certification, organizations can send a press release and hold themselves out in the market as being HITRUST certified.
Difference Between a HITRUST Certified Assessor and a Certified Practitioner
A Certified CSF Practitioner is an individual that has completed the required training, passed an exam, and meets the experience requirements for a practitioner.
A HITRUST CSF Assessor is a firm that has met all the requirements to become authorized to perform HITRUST CSF validated assessments.
CSF Assessors are those organizations that have been approved by HITRUST for performing assessment services associated with the CSF. CSF Assessors are critical to HITRUST’s efforts to provide trained resources to health care organizations of varying size and complexity to assess compliance with security control requirements and document corrective action plans that align with the CSF.
Typical HITRUST Compliance Timeline
Before starting the certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment.
Once the self assessment and any remediation is complete, an organization is ready to begin the validated assessment process and must select a HITRUST Assessor.
Once an Assessor is selected, an organization must purchase a validated assessment from HITRUST. The organization then completes the validated assessment using the MyCSF tool and the Assessor will perform the validation/audit work.
Once the Assessor’s work is complete, the work is submitted to HITRUST for review. HITRUST will create a report and, depending on the scores in the report, will issue a letter of certification.
What is the HITRUST myCSF?
The CSF is structured along the lines of ISO 27001:2005 with the 11 control clauses (or categories) but adds an additional control category to address implementation of an Information Security Management Program, similar to that of the ISMS of ISO 27001:2005, and another category to address risk management in particular.
HITRUST also added a 14th control category to address specific privacy practices, such as HIPAA and NIST, that are otherwise not addressed in the previous 13 categories.
- Control Categories: Topical information protection areas.
- Control Objectives: States the desired result or purpose of what is to be achieved.
- Control Specifications: The policies, procedures, guidelines, practices, or organizational structures, which can be of administrative, technical, management, or legal nature to meet the Control Objectives.
- Control Implementation Requirements: Detailed information to support the implementation of the control and meeting the Control Objective. Multiple levels (1, 2, and 3) of Implementation Requirements may be defined depending on an organization’s or system’s environment and risks, which is the set of minimum-security controls defined for an information system.
- Standard Mapping: The cross-reference between each Implementation Requirement level and the requirements and controls of other common standards and regulations.
In summary, HITRUST compliance and certification is a good option for health care related organizations to demonstrate compliance with a variety of information security standards. The HITRUST myCSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards.
The ability to tailor an assessment to an organization’s specific services and related risks differentiates HITRUST compliance and certification from other health care compliance initiatives. Contact us if we can help you with HITRUST certification and compliance.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.