HITRUST  CERTIFICATION 

Overview

HITRUST is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.    It maintains the Common Security Framework(CSF). This CSF is an emerging standard, primarily in the health care industry, but applicable to the commercial space also.  As a certifiable framework, it brings together multiple other compliance frameworks, such as;

  •           HIPAA:            Health Insurance Portability and Accountability Act           
  •           HITECH:         Health Information Technology for Economic and Clinical Health 
  •           NIST:               National Institute of Standards and Technology           
  •           ISO:                 International Organization for Standardization               
  •           COBIT:            Control Objectives for Information and Related Technology            
  •           FTC:                Federal Trade Commission             
  •           PCI-DSS:        Payment Card Industry Data Security Standard           
  •           GDPR:            General Data Protection Regulation (European Union)

By simultaneously addressing the security/process frameworks of  HIPAA, HITECH, NIST, ISO, COBIT, FTC, PCI-DSS, and GDPR,  HITRUST helps covered entities meet information security regulations across this broad interlocking set of security/compliance domains.  This comprehensive deliverable is accomplished via one(1) unified compliance exercise.  HITRUST also scales controls according to the type, size, and complexity of an organization.

 

From another perspective, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and;

  • de-identification frameworks     
  • related assessment and assurance methodologies, and   
  • initiatives advancing cyber sharing, analysis, and resilience

HITRUST incorporates HIPAA requirements and the NIST framework into a more prescriptive manner. Like ISO 27001 and FedRAMP, HITRUST certifies third-party auditors who can then grant an official certification of compliance to an organization. In addition to third-party certifications, both HIPAA and HITRUST have self-assessments that can be used to verify compliance with those standards.

 

What is HITRUST Compliance Certification?

Part of what makes HITRUST different is the fact that it is certifiable.  A health care facility cannot be certified in HIPAA compliance or in how well the practice follows Federal Trade Commission laws. Customarily, healthcare practices just sign agreements that ‘verify’ that they are, in fact, HIPAA compliant.   The applicable signed forms confirm that the healthcare practice  has implemented the right measures to put security controls in place.  Effectively, this cannot be confirmed or judged by anyone, making it more of an “I promise” sort of situation.   

 

By moving to the HITRUST superset compliance methodology, the medical practice has two options for certification;

  1. Hire a HITRUST CSF assessor to execute the readiness exercise/validation  assessment.  
  2. Use the HITRUST self-assessment tool, which is very detailed and prescriptive in nature.

The self-assessment tool needs to be executed on a regular basis. 

The HITRUST certification, whether obtained from a CSF assessor or via the self-assessment process, is good for two(2) years. 

 

The CSF framework and HITRUST assessment and certification covers 19 different domains:

 

  1. Healthcare Data Protection & Privacy
  2. Information Protection
  3. Wireless Protection
  4. Transmission Protection
  5. Network Protection
  6. Endpoint Protection
  7. Portable Media Security
  8. Mobile Device Security
  9. Third Party Security
  10. Physical & Environmental Security
  11. Configuration Management
  12. Vulnerability Management
  13. Password Management
  14. Incident Management
  15. Risk Management
  16. Access Control
  17. Audit Logging & Monitoring
  18. Education, Training & Awareness
  19. Business Continuity Management & Disaster Recovery

 

HITRUST vs HIPAA

Let’s summarize with five important points; 

  • HITRUST is a superset of HIPAA and HITECH 
  • A medical practice cannot become HIPAA/HITECH certified 
  • A medical practice can become HITRUST (CSF) certified, via;
  1. Hiring of a HITRUST CSF assessor, who performs the assessment, OR
  2. Use the HITRUST self-assessment tool

The HITRUST CSF assessment is good for two years.

 

 

 

 

We WILL deliver the solution that you  need !

As a first step, we will be delighted to answer any and all of your questions !

   Contact Us Today !

Contact-Us