Earlier this month, we announced that Connectria has, once again, passed all of its third-party certifications. For a complete list and a high-level look at each of these certifications, you can refer to our recent post: Know Your Audit Reports.
HITRUST is the most recent addition to this list, but many people are less familiar with HITRUST than with regulations like HIPAA and PCI DSS. In this post, we’ll answer some of the most common questions we get about HITRUST compliance.
Is HITRUST a regulation?
HITRUST (Health Information Trust Alliance) is a not-for-profit organization chartered in 2007 whose mission is to help organizations safeguard their data and mitigate data security risks. The executive board of the organization comprises leaders from some of the largest healthcare organizations in the industry.
HITRUST’s Common Security Framework (CSF) is a set of prescriptive controls that cover several industry standards, including ISO 27001 and HIPAA. So, HITRUST is not a regulation, and compliance/certification is not mandated. However, HITRUST certification offers a great deal of value to organizations that need to comply with HIPAA.
What industries or types of businesses can use the HITRUST framework?
The HITRUST framework is designed for the healthcare industry, although it also incorporates security best practices from more generic regulations, such as SOC and NIST, as well as industry-specific regulations like HIPAA, HITECH, and PCI DSS. Although healthcare organizations are not required to comply with the HITRUST CSF, per se, certification can help demonstrate HIPAA compliance if the organization is investigated by the OCR.
Likewise, if you trust your sensitive data to a third-party managed cloud provider (or any of the other types of business associate outlined in HIPAA), they do not need to be HITRUST-certified. However, due to the comprehensive nature of the HITRUST CSF framework, HITRUST certification provides a more robust level of scrutiny than a HIPAA compliance audit alone.
Does HITRUST replace HIPAA?
As anyone who’s ever set HIPAA compliance strategy knows, HIPAA’s security and privacy rules can be rather vague. For example, covered entities and business associates are required to conduct a risk analysis to ensure the adequate protection of ePHI. However, HIPAA leaves it up to the organizations involved to determine how to go about conducting what they call an “accurate and thorough assessment.”
As you might imagine, some organizations do a more thorough job than others. Even if the organization contracts with a third-party firm to conduct a HIPAA audit, they’re still responsible for addressing any gaps in compliance. Many firms, especially smaller ones, simply don’t have the requisite skill set to determine and execute the best approach.
And remember, even though your independent HIPAA auditor may have conducted a thorough audit, there is no such thing as “HIPAA certified.” In the event of a complaint, it’s up to the investigator to determine whether the organization did an adequate job. No doubt, many of the settlements reached with the HHS and OCR involved organizations that thought they had HIPAA compliance covered.
The HITRUST CSF seeks to provide the industry with an actionable approach to HIPAA compliance. According to the HITRUST alliance, the HITRUST CSF:
- Includes, harmonizes, and cross-references existing, globally recognized standards, regulations, and business requirements, including ISO, EU GDPR, NIST, and PCI;
- Scales controls according to type, size, and complexity of an organization;
- Provides prescriptive requirements to ensure clarity;
- Follows a risk-based approach offering multiple levels of implementation requirements determined by specific risk thresholds;
- Allows for the adoption of alternate controls, when necessary;
- Evolves according to user input and changing conditions in the standards and regulatory environment on an annual basis; and
- Provides a unified approach for managing data protection compliance.
Is there an official HITRUST certification?
HITRUST offers a two-step approach to certification. First, the myCSF tool can be used to perform a self-assessment. This may be adequate for some organizations, but for most covered entities and business associates, it really is just the beginning. Using the self-assessment tools, you’ll be able to identify potential gaps in your security approach. Addressing these before engaging with a HITRUST assessor will increase your chances of receiving a validated certification.
The second step is to engage a HITRUST assessor to conduct a validated assessment. This assessment will involve onsite interviews, a documentation review, and system testing. The assessment is intense, but if you’ve already undergone validation for other regulations and standards, you’ll likely have an easier time of it as the CSF framework maps to many other regulations.
If you’ve not gone through an independent assessment for other regulations, HITRUST certification can help you validate faster. Many HITRUST assessors also specialize in other regulations and can create a validation report for standards like SOC and PCI based on the results of your HITRUST assessment.
If my managed service provider is HITRUST certified, does that mean they can also meet my HIPAA requirements?
Remember, there is no such thing as a HIPAA certification. However, a third-party HIPAA audit is an important validation when choosing an MSP. That said, the HITRUST assessment is more stringent and specific, so generally speaking, it offers greater reassurance that your data will be in good hands.
Take the Fast Track to Securing Your Data
If validating your security approach and processes through HITRUST seems like more effort than your organization has the time for, I can’t say I blame you. When we first contracted with a HITRUST assessor, we had already passed audits for several other regulations and standards, such as GDPR, PCI, SOC 2, FISMA, HIPAA, etc. Nevertheless, the HITRUST assessment process was still grueling. I can only imagine how challenging it would be for an IT department that is spread thin, as so many are.
If you don’t have the bandwidth to go through the HITRUST certification process or even engage an independent HIPAA auditor, you probably don’t have the bandwidth to manage your data in-house. We can help you build a comprehensive plan for safely migrating your x86 or IBM workloads to either a private cloud hosted in one of our certified data centers or to AWS, Azure, or GCP. A secure environment, combined with the right services and tools, can help you achieve your compliance and security goals. To discuss your organization’s compliance requirements, reach out to one of our solutions architects here.