Guest Column | July 27, 2018

Demystifying HITRUST Compliance

By Joseph Pedano, Evolve IP

Develop your understanding of the most widely applied healthcare security framework

Healthcare organizations are subjected to a growing number of regulations - all in the interest of better protecting patient data. However, keeping up with the most current standards is a challenge for all stakeholders across healthcare organizations.

HITRUST is one of the most significant standards in the healthcare and compliance conversation. While many are still confused about the particulars of HITRUST, it’s important to develop a basic understanding of the framework’s primary aspects.

What Is HITRUST?

The HITRUST Common Security Framework (CSF) is a comprehensive security standard developed by healthcare industry experts who desired a measurable and objective means of managing risk. Specifically, they needed to ensure that healthcare-covered entities (subject to HIPAA) and their third-party business associates were A) meeting the requirements of HIPAA, and B) doing so in a way that provided security and data protection. The HITRUST CSF is today an all-encompassing security framework which addresses a multitude of national and international security, privacy and regulatory guidelines.

HITRUST’s CSF is largely based upon ISO standards. It includes, harmonizes, and cross-references most globally-recognized standards, regulations, and business requirements. It is mapped to more than 20 different compliance requirements and authoritative documents. HITRUST is a “single-source” compliance framework that incorporates HIPAA/HITECH, ISO 27001, NIST, PCI-DSS, European GDPR rules, FFIEC and multiple other industry frameworks, and various state privacy laws. It takes into consideration both the common and unique aspects of these existing compliance requirements and connects them into one centralized repository.

The unique aspect of HITRUST is that it rationalizes this diverse set of regulations and standards into a single overarching security framework. The CSF is both risk-based and compliance-based, meaning that organizations can tailor the security control baselines and vendor management programs to their specific organization type, size, systems, and regulatory requirements.

By integrating legislation, regulations, standards, and best practices into a single overarching framework, HITRUST changes the way information security and privacy-related risk is managed. The prescriptive nature makes companies more secure, and the fact that so many frameworks are embraced means that evidence of companies’ policies and compliance will be respected by the regulators and auditors in their industry. Therefore, it provides a single, consistent approach to assessment, certification and risk acceptance.

HITRUST is the most dynamic security standard that offers a certification. It evolves according to user input and changing conditions in the healthcare industry, and also in the overall regulatory environment on an annual basis. As needs change, the HITRUST CSF changes with them. As an example, the CSF adapts based on feedback from the community, and from an updated set of cross-references and security requirements, among other sources.

How HITRUST Helps Healthcare Organizations

HITRUST has become widely accepted across the healthcare industry as a standard to certify that the demands of HIPAA have been met. It provides an industry-wide approach for managing third-party risk from business associates.

Implementing the CSF creates many tangible and intangible benefits. As you begin to build your knowledge of HITRUST, know these key facts:

  • HITRUST is the most widely applied security framework in the U.S. healthcare industry. All of the requirements of HIPAA/HITECH have been incorporated into the framework, meaning that it covers all healthcare-specific security, privacy, and regulatory concerns. As such, it has been adopted by 83 percent of hospitals and healthcare providers.
  • HITRUST improves risk management. The HITRUST CSF is important to all organizations in compliance-focused industries as it ensures strong, documented, and repeatable risk management procedures. Any organization that needs to protect patient or customer records, intellectual property, and other proprietary information can benefit by following its guidelines. In fact, HITRUST is increasingly becoming a standard in the highly regulated finance industry as well.
  • HITRUST is required by many of the leading payers. On February 8, 2016, five major healthcare payers issued a letter to their business associates explaining the need to be HITRUST-certified within two years. Today, more than 90 payers and other healthcare industry companies require their third-party service providers (business associates) to become HITRUST certified.
  • HITRUST is actively updated to address current regulations and cybersecurity threats. The framework is revised and expanded regularly to ensure that healthcare organizations are prepared whenever new regulations and security risks are introduced. A system of continuous review and improvement ensures that the security posture is constantly updated, adapted, and improved to address emerging threats and cyberattacks. It is the most frequently updated security framework in use, with quarterly updates and annual audit changes. This means that organizations that abide by the CSF can actively ensure their security is maximized.
  • HITRUST certification shows strength. The investment in HITRUST provides evidence that an organization is committed to compliance and security. Specifically, it means that third-party auditors have thoroughly reviewed the company’s IT and business environment, and have agreed that the highest security standards have been met.

Achieving HITRUST CSF Compliance

Armed with an understanding of HITRUST and its benefits, healthcare executives and IT leaders must institute policies and technologies to achieve compliance. Meeting this requirement is only possible when each technology partner can demonstrate compliance in their Business Associates Agreement (BAA). All organizations that handle protected health information (PHI) are required to meet Health Insurance Portability and Accountability Act (HIPAA) guidelines, and many are required to meet obligations in the Service Organization Control 2 (SOC II) framework.

However, while both HIPAA and SOC II are components of HITRUST, they together do not meet the full HITRUST requirements. SOC II, in particular, is a strictly reporting framework, not a control framework. The controls that are put into a SOC II report are chosen by a company’s own management team, and auditors are only required to evaluate whether or not the company is following its own stated controls.

With this in mind, healthcare organizations are increasingly requiring technology and service partners to demonstrate HITRUST certification from the not-for-profit HITRUST Alliance. Working together, providers, payers, technology partners, and everyone in the healthcare ecosystem can better collaborate to ensure that patient data is safe at every touchpoint.

About The Author

Joseph Pedano’s expertise lies in creating secure and compliant next-generation cloud environments. His 25-year career in technology has been dedicated to the delivery of value-added computing and communications solutions. jpedano@evolveip.net.