The HITRUST CSF™ is a widely adopted security framework for healthcare companies and has been gaining popularity as a more structured, unified, and comprehensive standard that can be used to help satisfy HIPAA and HITECH in a defensible fashion. However, many small and mid-sized healthcare companies struggle with understanding the framework and building an internal review and certification program, particularly if they have recently migrated to the cloud.
This past week, Matthew Sharp, CISO of Logicworks, and his team responded to the most frequently asked questions about HITRUST™ in this free eBook. Logicworks is a compliant cloud solutions provider that helps companies like Orion Health, MassMutual, and dozens of healthcare SaaS companies to build and manage public, private, and hybrid clouds. Contact Matt for more information.
What is HITRUST™?
HITRUST is a privately held corporation established by a coalition of leaders across a variety of healthcare organizations, including Anthem, Humana, and UnitedHealth Group. They developed the HITRUST CSF™ that includes a prescriptive set of controls incorporated from multiple standards, regulations, and business requirements.
In June 2015, several of the largest adopting organizations announced that in roughly two years they would only work with Business Associates that had achieved HITRUST CSF™ certification. This caused a dramatic rise in interest in the HITRUST CSF™, particularly among software and digital health companies that sell services to those organizations.
As a result, some companies currently becoming HITRUST Certified “must” do so in order to remain competitive. Other payers and providers adopt the HITRUST CSF™ because it provides a prescriptive, streamlined process for implementing and assessing a cybersecurity program that protects electronic protected health information (ePHI).
What is HIPAA and how is it different from HITRUST™?
Comparing HIPAA and HITRUST™ is like comparing apples and oranges; HIPAA is a law, and the HITRUST CSF™ is a framework. The HITRUST CSF™ integrates the requirements of the HIPAA Security Rule with the standards of NIST, HITECH, PCI DSS, and other control sources, so that one rationalized set of controls can be mapped to many requirements at once. The HITRUST CSF™ offers a Validation/Certification program — a clear, prescriptive set of controls for achieving compliance, and a toolset to support assessment. Unlike with HIPAA, your organization can be “HITRUST CSF™ Certified”. The benefit of a HITRUST™ assessment is that you can “assess once and report many” – in other words, a single HITRUST™ assessment can produce a HIPAA assessment report, a SOC 2 report, a NIST assessment report, and so on.
Therefore, to produce a HIPAA assessment report, whether for internal purposes or to demonstrate compliance to customers, you have two options: go through the HITRUST™ assessment process, which can produce a HIPAA assessment report and potentially many other reports (such as SOC 2 or NIST), or go through a standalone HIPAA assessment process, which produces only a HIPAA assessment report.
If I’m HITRUST CSF Certified, does that mean I’m HIPAA Compliant?
The short answer is yes. According to HITRUST, the HITRUST CSF™ provides credible evidence of HIPAA compliance. More specifically, “[by] implementing the HITRUST CSF™ control requirements that are applicable to an organization based on its specific organizational, system and regulatory risk factors, each and every standard and implementation specification in the Security Rule is addressed in a very complete and robust way.”
HITRUST states that the HITRUST CSF™ certification has been previously accepted by the OCR as supplementary evidence of compliance with HIPAA….