Ensuring regulatory compliance is one of the most vital — and complex — task any healthcare organization and its business partners wrestle with. Failure to secure patient data can result in costly penalties and reputational damage. A time-consuming process, compliance requirements also can be vague. Additionally, many healthcare entities lack the resources and skills to implement the practices and controls to achieve compliance.
Because of the subjective nature of the Health Insurance Portability and Accountability Act (HIPAA) requirements, HITRUST is a standardized, common security framework that any HIPAA-covered entity can use to prove they align with the requirements. In short, HITRUST helps health organizations maintain compliance with HIPAA regulations more easily.
What Does HITRUST Stand For?
HITRUST stands for the Health Information Trust Alliance. Founded in 2007, HITRUST is a private organization that develops and maintains a cybersecurity framework to help organizations achieve HIPAA compliance requirements.
According to the HITRUST Alliance, HITRUST “was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.”
A major compliance challenge for many organizations is balancing essential risk mitigation measures with their limited resources, skills, and budgets. HITRUST simplifies this process by breaking down and prioritizing the complete set of controls and requirements, implementing them in phases. This approach allows organizations to focus their compliance efforts on the most critical issues, spreading the costs and implementation over a more manageable timeframe.
The HITRUST CSF (Common Security Framework) combines aspects of several common security frameworks and compliance regulations — including HIPAA, PCI DSS, ISO, and NIST — and outlines a set of controls that meet their requirements. It has 135 specific controls mapped to specific HIPAA-compliant standards and specifications. Additionally, each CSF control has multiple levels with varying requirements. This was added to HIPAA to promote the adoption of health information technology and the use of electronic health records (EHRs), in particular, to streamline healthcare and reduce costs. Additional changes help ensure HIPAA-covered entities comply with any HITRUST requirement and how they are enforced.
~ Tougher penalties for violation of the HIPAA security and privacy laws.
~ Mandatory security audits of all healthcare providers to determine if they meet minimum standards to comply with the security and privacy rules.
~ A four-step tiered system for assigning penalties for HIPAA violations. Organizations can be penalized even if they were unaware a violation occurred.
~ The extension of HIPAA Privacy and Security Rules directly applies to a healthcare organization’s business associates. This includes medical transcription companies, law firms, software vendors, collections companies, and other entities whose work allows them to access personal health information.
Because HITRUST is an expansion of HIPAA, HITRUST CSF moves organizations toward HIPPA compliance.
What Is HITRUST Certification?
HITRUST certification is a way for organizations to demonstrate compliance with HIPAA. In the past, healthcare organizations signed agreements or verbally attested they had HIPAA compliant security controls and practices in place. Essentially, this was a promise made to business associates not easily validated. With HITRUST certification, healthcare organizations can show they are operating in line with HIPAA guidelines and requirements to establish themselves as a trusted business partner.
HITRUST offers a three-step process called the Degrees of Assurance to become HITRUST CSF Certified.
The first step is a HITRUST CSF assessment that uses the HITRUST myCSF tool. An organization answers a series of questions which leads to a customized HITRUST assessment that shows how well that business’s particular environment meets applicable compliance standards. The myCSF tool helps identify areas where the organization is in compliance with HITRUST criteria and where it needs improvement.
After completing the self-assessment and making any necessary corrective actions, the organization can take the second step, requesting a third party confirm they meet the relevant HITRUST criteria. A HITRUST-approved CSF Assessor then makes an on-site visit to verify the information the organization gathered during the HITRUST CSF assessment and issues a validated assessment.
For the final Degree of Assurance, the organization submits its validated assessment for HITRUST review and certification. A HITRUST CSF Certification is good for up to two years, after which the organization’s compliance must be re-assessed.
The Journey Toward CSF
The timeframe for completing HITRUST certification varies by organization depending on many factors. HITRUST requires organizations to show readiness against 135 CSF controls. These controls are divided into 19 different domains:
1. Information Protection Program
2. Endpoint Protection
3. Portable Media Security
4. Mobile Device Security
5. Wireless Protection
6. Configuration Management
7. Vulnerability Management
8. Network Protection
9. Transmission Protection
10. Password Management
11. Access Control
12. Audit Logging and Monitoring
13. Education, Training, and Awareness
14. Third-Party Security
15. Incident Management
16. Business Continuity and Disaster Recovery
17. Risk Management
18. Physical & Environmental Security
19. Data Protection and Privacy
How long the certification process takes depends on an organization’s maturity and complexity of its environment, as well as its resource availability, security program readiness, and remediation requirements. In general, the self-assessment and third-party validated assessment can each be completed within eight weeks. However, it can take up to 24 months for HITRUST to review the assessments and issue certification.
Cost is another consideration Notably, organizations can expect to spend anywhere from $50,000 to $200,000, depending on their size and complexity. Typically, the decision to pursue certification is based on the requirements of doing business with a certain type of client or entering into a new market.
What Are the Benefits?
Another advantage of the HITRUST certification process is its ability to significantly enhance an organization’s security posture. Being more rigorous and prescriptive than other regulatory frameworks, the HITRUST CSF compels organizations to undertake thorough and comprehensive risk management procedures. This process helps identify data security gaps, and addressing these gaps during the assessment ultimately strengthens the organization’s overall security posture.
Additionally, the HITRUST certification process establishes clear standards for achieving HIPAA compliance. Unlike HIPAA and other compliance frameworks, which do not specify how to achieve and demonstrate compliance, the CSF provides organizations with clear, actionable guidelines to meet a variety of globally recognized standards. This helps remove uncertainty about the necessary steps to take.
Scalability is also a key advantage of HITRUST CSF. The CSF control set is customized for each business assessment based on the organization’s type, size, and complexity. This flexibility allows organizations to tailor the CSF to their specific needs, making it an effective solution for businesses of all sizes. Additionally, the CSF control set is tailored to each business assessment according to its type, size, and complexity. Organizations can adapt the CSF to its unique needs, making it a solution for businesses of all sizes.
How Do HITRUST and HIPAA Compare and Contrast?
Both HITRUST and HIPAA address regulatory compliance for any healthcare provider, so, understandably, some believe the two are interchangeable. It’s important to understand the differences between the two and how they work together so you can better meet your compliance responsibilities.
The primary difference is that HIPAA is a federal law enforced by government agencies, whereas the HITRUST framework was created by a private group of security professionals. HITRUST CSF was developed to assist healthcare companies and their partners in achieving HIPAA compliance more easily and efficiently.
[Recommended Reading: HITRUST vs. HIPAA]
HITRUST Offers a Smoother Path to HIPAA Compliance
Data breaches pose a severe threat to healthcare organizations, and their frequency is increasing. The HIPAA Journal reports that the healthcare sector encountered approximately 5,150 data breaches involving 500 or more records from October 21, 2009, to December 31, 2022. These breaches exposed a staggering 382,262,109 healthcare records.
HITRUST CSF can help identify and remediate any security holes in your environment. It gives you greater confidence in your data security and demonstrates your compliance with applicable HIPAA requirements.
Managed security services are often the answer for healthcare organizations seeking to implement security controls and comply with regulations. A detection and response solution provides a variety of reports to demonstrate compliance with specific HITRUST CSF control categories and HIPAA regulations. Additionally, it highlights areas where compliance may be lacking, allowing you to take corrective action.
Choose Fortra’s Alert Logic managed services solutions to reach your compliance goals.
Additional Resources:
Alert Logic Helps Iodine Software Meet HITRUST Compliance Mandates | Case Study