The Journey from HIPAA Compliance to HITRUST Certification
In today’s complex technological world, a hostile threat environment is always lurking, waiting to exploit gaps in an organization’s processes and technology. People and organizations with malicious intent act on such opportunities and can cause lasting damage to an organization’s reputation and finances. In such a scenario, securing the organization’s information and information assets is of paramount importance. There are several ways to do so: some organizations deploy strict controls such as access control, physically secured equipment areas, authorization, and authentication.
The healthcare industry is no different and is not safe from the malicious intent of hackers and trespassers. Sensitive healthcare information, such as patient data, patient recovery status, and personal information, always needs to be safeguarded. Hence, the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, outlining protection and security standards for health care data. HIPAA is a public law that was landmark legislation when it was enacted in the ‘90s: before it, there were no security standards or requirements for protecting health care information. While HIPAA is an act that details standards for compliance, HITRUST is an organization that helps you demonstrate those standards through an industry-recognized certification.
Transitioning from HIPAA Compliance to HITRUST Certification
An organization’s transition from being HIPAA compliant to being HITRUST certified is not a straightforward or simple journey. It involves a lot of effort and adjustment along the way on the part of the organization. Organizations that are HIPAA compliant often assume that obtaining HITRUST certification will be an easy walk. In reality, the path to HITRUST certification is demanding and cumbersome. HITRUST certification is an exhaustive and comprehensive process, and organizations often must scale up their efforts to become compliant.
The common pitfalls or roadblocks organizations face in the journey from HIPAA to HITRUST are:
- HITRUST requires exhaustive policies and procedures to be in place across 19 domains of information security. Organizations often fall short of the exhaustiveness and rigor in their documentation that HITRUST mandates
- The HITRUST certification process mandates the actual implementation of solutions and security controls. In many cases, organizations that are HIPAA compliant do not have enough security controls in place to even be eligible for HITRUST certification
- HIPAA compliance is a self-declaration made by the organization’s management based on its view of the entity’s security posture. In many cases, when the organization goes for HITRUST certification, it comes as a revelation when they fail because their security posture is not good enough. HITRUST certification is a very comprehensive and rigorous assessment of the security posture of an entity
- HITRUST mandates how sensitive and covered information must be stored and securely handled. Covered information includes ePHI, PII, etc. In comparison to HIPAA, HITRUST is more specific and employs stricter measures for the secure handling of ePHI
- As opposed to HIPAA, which has defined penalties for security breaches, the enforcement of HITRUST depends on the healthcare industry itself, typically covered entities such as hospitals and payers requiring HITRUST CSF Certification of their vendors
- HITRUST also claims that with its framework you can “assess once and report many”, meaning that a HITRUST Certification can be used as the building block to attain other certifications and reports such as a SOC II or NIST 800-53. Thus, HITRUST can be considered the more versatile and comprehensive of the two
How to attain HITRUST Certification?
Without a standardized framework, process, or certifying body, HIPAA is often an obstacle for healthcare technology vendors. HITRUST is an attempt to help vendors better prove their security and to help covered entities streamline their security and compliance reviews of vendors. HITRUST is an acronym for the Health Information Trust (HITRUST) Alliance, an independent testing organization that issues the Certified Security Framework (CSF) certification to vendors who successfully pass its rigorous security evaluation. HIPAA is a set of standards, whereas the HITRUST CSF provides a prescriptive set of controls that meet the requirements not only of HIPAA but also of other security standards such as PCI and NIST. As such, HITRUST is a valuable resource for risk management and compliance in organizations that handle sensitive data.
The 5 Steps to HITRUST CSF Certification
- Step 1: Investigate the process
- Step 2: Scope the project with the chosen HITRUST CSF Assessor
- Step 3: Complete the CSF
- Step 4: Validate the CSF with the assessor
- Step 5: Certify the CSF with HITRUST Alliance
The organization should first determine the business drivers for attempting certification, which includes identifying key stakeholders, defining scope, and selecting an Authorized External Assessor Organization. HITRUST recommends that a Readiness Assessment be performed to prepare organizations for the Validated Assessment; organizations can involve Authorized Internal and External Assessor Organizations in the Readiness Assessment. Based on the results of the Readiness Assessment, the organization should develop a remediation plan and work with its Authorized External Assessor Organization to define the timing of the Validated Assessment. Before beginning the Validated Assessment, the organization will need to purchase a Validated Assessment object from HITRUST if it is not a subscriber. The organization then completes the Validated Assessment using the MyCSF tool, after which the Authorized External Assessor Organization performs the validation and audit work. Once the Authorized External Assessor Organization’s work is complete, it submits the assessment to HITRUST for review. HITRUST performs quality assurance procedures, creates a report, and, depending on the scores in the report, issues a Letter of Certification.
Thus, we have seen that while HIPAA mandates a set of security and privacy safeguards to be implemented, HITRUST is the certifying body that evaluates an organization’s compliance against the standard. Achieving HITRUST CSF Certification requires significantly more time, effort, and resources than a HIPAA audit. Being HITRUST CSF Certified should therefore be seen as a more significant badge of security and compliance than completing a HIPAA audit. I can conclude by saying that the journey an organization traverses from being HIPAA compliant to being HITRUST certified is indeed an eventful security compliance journey.