Ensuring regulatory compliance is one of the most vital — and complex — tasks any healthcare organization and its business partners wrestle with. Failure to secure patient data can result in costly penalties and reputational damage. Compliance is a time-consuming process, and its requirements can also be vague. Additionally, many healthcare entities lack the resources and skills to implement the practices and controls needed to achieve compliance.
Because of the subjective nature of the Health Insurance Portability and Accountability Act (HIPAA) requirements, HITRUST created a standardized, common security framework that any HIPAA-covered entity can use to prove they are in line with HIPAA regulatory requirements. HITRUST compliance helps health organizations maintain compliance with HIPAA regulations more easily.
What Does HITRUST Stand For?
HITRUST stands for the Health Information Trust Alliance.
Founded in 2007, HITRUST is a private organization that develops and maintains a cybersecurity framework to help organizations achieve HIPAA compliance requirements.
According to the HITRUST Alliance, HITRUST “was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.”
A significant compliance challenge faced by many organizations is balancing necessary risk mitigation measures against their resource, skill, and budgetary limitations. HITRUST streamlines the process by breaking down and prioritizing the full set of controls and requirements and phasing their implementation. This brings more focus to the organization’s compliance efforts, enabling it to address the most critical issues first and spread the cost and implementation of controls over a longer period.
The HITRUST CSF (Common Security Framework) combines aspects of other common security frameworks — including HIPAA, PCI, ISO, and NIST — and outlines a set of controls that meet their requirements. It has 135 specific controls mapped to specific HIPAA-compliant standards and specifications. Each CSF control has multiple levels with varying requirements.
This was added to HIPAA to promote the adoption of health information technology and, in particular, the use of electronic health records (EHRs), to streamline healthcare and reduce costs. Additional changes clarify how HIPAA-covered entities must comply with HITRUST requirements and how those requirements are enforced.
Some changes the HITRUST framework introduced include:
- Tougher penalties for violation of the HIPAA security and privacy laws.
- Mandatory security audits of all healthcare providers to determine if providers meet minimum standards to comply with the security and privacy rules.
- A four-step tiered system for assigning penalties for HIPAA violations. Organizations can be penalized even if they were unaware a violation occurred.
- The extension of HIPAA Privacy and Security Rules requirements to apply directly to a healthcare organization’s business associates, including medical transcription companies, law firms, software vendors, collections companies, and other entities whose work allows them to access personal health information.
Because HITRUST builds on HIPAA, working toward HITRUST CSF compliance also moves organizations toward HIPAA compliance.
What Is HITRUST Certification?
HITRUST certification is a way for organizations to demonstrate compliance with HIPAA. In the past, healthcare organizations signed agreements or verbally attested that they had HIPAA-compliant security controls and practices in place. Essentially, this was a promise made to business associates that was not easily validated. With HITRUST certification, healthcare organizations can show they are operating in line with HIPAA guidelines and requirements, establishing themselves as a trusted business partner.
HITRUST offers a three-step process called the Degrees of Assurance to become HITRUST CSF Certified.
The first step is a HITRUST CSF assessment that uses the HITRUST myCSF tool. The organization answers a series of questions, which leads to a customized HITRUST assessment showing how well that business’s particular environment meets the applicable compliance standards. The myCSF tool helps identify areas where the organization is in compliance with HITRUST criteria and where it needs improvement.
After completing the self-assessment and making any necessary corrective actions, the organization can take the second step, requesting a third party confirm they meet the relevant HITRUST criteria. A HITRUST-approved CSF Assessor then makes an on-site visit to verify the information the organization gathered during the HITRUST CSF assessment and issues a validated assessment.
For the final Degree of Assurance, the organization submits its validated assessment for HITRUST review and certification. A HITRUST CSF Certification is good for up to two years, after which the organization’s compliance must be re-assessed.
How Long Does It Take to Receive HITRUST Certification?
The timeframe for completing the HITRUST certification varies by organization depending on many factors. HITRUST requires organizations to show readiness against 135 CSF controls. These controls are divided into 19 different domains:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Protection
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education, Training & Awareness
- Third-Party Security
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection & Privacy
How long the HITRUST certification process takes depends on the organization’s maturity, the complexity of its environment, its resource availability, its security program readiness, and its remediation requirements. In general, the self-assessment and the third-party validated assessment can each be completed within eight weeks. However, it can take up to 24 months for HITRUST to review the assessments and issue certification.
Cost is another consideration for HITRUST CSF. Notably, organizations can expect to spend anywhere from $50,000 to $200,000, depending on their size and complexity. Typically, the decision to pursue certification is based on the requirements of doing business with a certain type of client or entering into a new market.
What Are the Benefits of HITRUST Certification?
HITRUST certification brings several benefits to the organization. The primary benefit is that it establishes the certified organization as a trusted business partner. Indeed, many organizations seek HITRUST certification because a client requires it. Being able to show that your organization meets or exceeds compliance requirements gives you a competitive edge over organizations that cannot demonstrate compliance.
Another benefit is that the HITRUST certification process improves an organization’s security posture as it is far more rigorous and prescriptive than other regulatory frameworks. HITRUST CSF pushes organizations to conduct deep and comprehensive risk-management procedures. Through this process, data security gaps can be discovered. Remediating these as part of the assessment process ultimately enhances the organization’s security posture.
Additionally, the HITRUST certification process sets forth clear standards for achieving HIPAA compliance. HIPAA and other compliance frameworks do not prescribe how to achieve and prove compliance. Consequently, this leaves organizations unsure about what actions to take. The HITRUST CSF offers clear, actionable guidelines to meet a range of globally recognized standards.
HITRUST CSF’s scalability is another advantage. The CSF control set is tailored to each business assessment according to the organization’s type, size, and complexity. Organizations can adapt the CSF to their unique needs, making it a solution for businesses of all sizes.
How Do HITRUST and HIPAA Compare and Contrast?
Both HITRUST and HIPAA address regulatory compliance for any healthcare provider, so, understandably, some believe the two are interchangeable. It’s important to understand the differences between the two and how they work together so you can better meet your compliance responsibilities.
The main difference is that HIPAA is a federal law implemented and enforced by government agencies, while the HITRUST framework was created by a private group of security professionals. The HITRUST CSF was developed to help healthcare companies and their partners achieve HIPAA compliance more easily and efficiently.
Another difference is that HIPAA does not prescribe what practices and security controls organizations should adopt to meet their regulatory requirements. Its often-nuanced language makes it difficult for many companies to determine what measures they need to take to meet its standards. HITRUST attempts to provide organizations clearer direction around what actions to take along with a certification process to demonstrate compliance.
HITRUST Offers a Smoother Path to HIPAA Compliance
Data breaches devastate health care organizations. Unfortunately, they are on the rise. According to HIPAA Journal, the healthcare industry experienced about 5,150 data breaches of 500 or more records. This resulted in the exposure of 382,262,109 healthcare records between October 21, 2009, and December 31, 2022.
HITRUST CSF certification can help identify and remediate security holes in your environment. It gives you a higher level of confidence in your data security and shows that you are meeting the applicable HIPAA requirements.
Managed detection and response (MDR) solutions are often the answer for health care organizations looking to implement security controls and demonstrate adherence to regulations. MDR offers you a range of reports to show where you meet requirements with specific HITRUST CSF control categories and HIPAA regulations. It also demonstrates in what areas you fall short so you can take corrective action.
Collaborate with Fortra’s Alert Logic MDR to demonstrate compliance with various regulations in the HITRUST Framework.