Our firm has been a HITRUST CSF assessor for nearly a year and we have numerous lessons learned. We have seen common pitfalls as well as identified what is needed to make HITRUST compliance achievable, even for a small company. This article will summarize what we have learned about HITRUST and the process for HITRUST certification.
What is HITRUST Compliance?
The Health Information Trust Alliance (HITRUST) has established a Common Security Framework (CSF) that can be used by all organizations that create, access, store, or exchange sensitive and/or regulated data. The CSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards. Companies may obtain the CSF framework from HITRUST or purchase access to the myCSF tool to determine the specific CSF requirements that apply to the organization.
HITRUST Alliance was founded in 2007 as a not-for-profit to develop and champion programs to safeguard sensitive information such as electronic protected health information (ePHI). HITRUST attempts to fill a void that some regulations such as HIPAA do not address. For example, while the HIPAA Security rule includes many good requirements, the enforcement side is lacking.
HIPAA vs. HITRUST
Many companies that must comply with HIPAA have escaped deeper questions from relying entities in the past by signing a business associate agreement and self-attesting compliance with HIPAA. This “taking your word for it” approach to HIPAA was concerning to healthcare providers who use service organizations to support processes. Large healthcare providers have begun to demand greater assurance that HIPAA controls are in place at service organizations. IT audit firms have begun to offer HIPAA compliance gap assessments, compliance reports (e.g., AICPA AT-C 315), and finally HITRUST certifications to address the market need for greater HIPAA compliance assurance.
HIPAA Non-Compliance Enforcement
Currently, the Office for Civil Rights (OCR) only has the capacity to focus on breaches and egregious HIPAA violations. You can get a sense for the type of issues the OCR concerns itself with by visiting this page on their site.
What is HITRUST myCSF?
The HITRUST myCSF is a governance, risk, and compliance tool built by HITRUST that organizations use to assess compliance with various standards and frameworks. A HITRUST myCSF assessment is tailored to each organization’s unique system and scoping factors, so each assessment is unique to an organization. HITRUST requirements are based on ISO 27001 and applied to the healthcare industry.
HITRUST Implementation Levels
Each of the controls defined by HITRUST has three different implementation levels associated with it. The implementation levels build on each other: a Level 3 implementation includes all of the Level 1 and Level 2 implementation requirements as well. The implementation level required is determined by three types of risk factors:
- Organization factors: e.g., the type of organization or the size of the organization.
- System factors: e.g., internet connections, number of records, or the use of mobile devices in the organization.
- Regulatory factors: e.g., state or specialized industry requirements.
Free CSF vs. paid myCSF
While it is possible to obtain a free version of the CSF framework, you cannot determine which implementation level is required for each of the requirements unless you purchase access to the myCSF tool. This is part of HITRUST’s proprietary information that you must pay to access. As you create an assessment object within the tool and answer the scoping factors, the tool determines the implementation level for each requirement. You can err on the side of implementing the highest implementation level for each control from the publicly available CSF, but do you really want to spend thousands (potentially) implementing a system or process that you don’t have to implement to become HITRUST certified?
HITRUST Certification Cost
HITRUST compliance is not cheap. One reason is that it is a more robust set of requirements than many other standards and frameworks. For perspective, many of our SOC 2 clients have 80-100 controls tested within a SOC 2 report. A typical HITRUST validated assessment may have upwards of 400 control requirements. In addition, the maturity of each control in addressing the requirements must be assessed across five different maturity levels. That could mean an assessor has to look at 2000-2500 pieces of documentation or evidence to complete a validated assessment. Another reason for the higher fees is that assessor firms must pay an annual fee to HITRUST to maintain their assessor status. HITRUST Validated Assessment fees range from $40,000/yr to $250,000/yr depending on the factors associated with the assessment. See a HITRUST whitepaper comparing CSF, ISO 27001, and NIST 800-53.
Maturity Levels and Scoring
To receive a HITRUST certification you must have at least a score of 62% (HITRUST 3-) or greater in each domain with corrective action plans for any requirements scoring less than 62%. One key lesson we have learned is that if it is your organization’s first time through HITRUST, you might consider focusing on policy, procedure, and implementation scores as opposed to measured and managed scores. Identifying metrics related to certain processes can be difficult at times. If you have a 75% score without evidence of measured and managed, you are meeting the HITRUST requirement. When organizations hold themselves out as HITRUST certified, they don’t typically offer the score from the Validated assessment. As a result, ask yourself if it’s worth the brain cells to go after a few extra points. That same time could be focused on documenting policies and procedures that are not in place and implementing required controls. Remember that a perfect policy, procedure, and implementation score gets you a 75% which does not even require a corrective action plan for a requirement.
HITRUST Maturity Level Scoring
The following list shows the maximum points available for each HITRUST maturity level.
- Policy – 25%
- Procedure – 25%
- Implemented – 25%
- Measured – 15%
- Managed – 10%
Self Assessment vs. Validated Assessment
Self – Organizations may choose to perform a self-assessment against the applicable CSF requirements within the myCSF tool. HITRUST will also perform a limited validation of the self-assessment results that can be shared with a relying user entity. We have seen organizations get good value from a self-assessment when they have the appropriate skills and expertise as well as score themselves fairly without bias. We have had at least two clients perform a self-assessment and score themselves with perfect scores without providing sufficient support for us to come to the same conclusions. It pays to be hard on yourself during the self-assessment.
Validated – A validated assessment must be performed by a HITRUST assessor firm. A validated assessment requires an independent auditor to assess compliance with the applicable HITRUST CSF requirements. A validated assessment must be performed for an organization to become HITRUST certified. Upon completion of a validated assessment, an organization can pay a HITRUST certification fee, submit any corrective action plans, and have HITRUST spot check the results of the validated assessment. If no significant issues are identified beyond what was identified in the validated assessment, an organization will receive a HITRUST certification and certification letter.
Summary: HITRUST Tips
To summarize, here are some tips to make for a smoother adoption of HITRUST:
- Scope the coverage of your report wisely and cover only the services that are most relevant to the user entities demanding HITRUST certification.
- Leverage SOC 2 when possible.
- Perform a thorough self-assessment and identify specific evidence to support your scores.
- Consider leaving out measured and managed scoring and evidence for the first year. Focus on the policy, procedure, and implementation maturity levels, since those combine for the majority of the score for each requirement (75%).
- Know your resources and have resources available to remediate both policy and procedural gaps as well as implementation gaps.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.