HITRUST Certification is growing in popularity. What started as a framework for the healthcare industry has now expanded to include other regulated industries. Continual changes to cybersecurity, cloud technology, regulations, and other factors can make the road to achieving HITRUST Certification seem like an arduous journey.
Many small and midsized companies struggle with understanding the framework and with building a security and compliance program which satisfies potentially hundreds of HITRUST control requirements. As the security landscape becomes more complex, staying secure and compliant is becoming increasingly difficult.
What is HITRUST?
According to HITRUST, the Common Security Framework (CSF) takes applicable parts of existing standards and regulations such as ISO 27001/2, SOC II, SSAE 16, the NIST Cybersecurity Framework and the OCR HIPAA Audit protocols, and presents them as a “common” framework – hence the name Common Security Framework. The CSF is intended to be a risk-based framework as opposed to a compliance-based framework.
Structurally, the HITRUST CSF contains 75 core control statements (version 9.1) which need to be met in order for a company to obtain certification. The number of additional controls which need to be met is based on a number of factors, including geographic location, company size and annual revenue.
HITRUST requires clients to use its software application, myCSF, to complete the certification process. The application is broadly a static document repository used to upload and cross-reference your collected evidence so it can be reviewed by an accredited HITRUST assessor.
HIPAA vs HITRUST
One of the major differences between HIPAA and HITRUST is that HIPAA is a Federal law, whereas HITRUST is a framework. HITRUST integrates the requirements of the HIPAA Security Rule in its framework, along with other controls.
HIPAA does not have a certification - no organization can say that they are ‘HIPAA Certified’ as there is no such thing. One critique of the HIPAA Security Rule is that its language is often vague, making it hard to know how to comply with its requirements. HITRUST tries to remediate this with a clearer and more prescriptive set of controls and an end-goal of certification. HITRUST also claims that with their framework, you can “assess once and report many” - which means that a HITRUST Certification can be used as the building block to attain other certifications and reports such as a SOC 2 or NIST 800-53.
Another difference between the two is that HIPAA has defined penalties for security breaches whereas HITRUST does not. The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and for fining companies for data breaches as appropriate. HITRUST is a commercial framework, so failure to meet the required standard carries no direct federal liability. Consequences, if any, are limited to the contractual or commercial drivers that initiated the requirement for HITRUST Certification (e.g. a vendor may not purchase services).
If I’m HITRUST Certified, Am I HIPAA Compliant?
No. While HITRUST does provide you with a framework that should allow you to meet the requirements of HIPAA, HITRUST Certification does not guarantee that you are “HIPAA compliant”. However, implemented correctly, HITRUST Certification should allow you to demonstrate that you are taking reasonable steps to operate in line with HIPAA, and as such it can be used as an effective framework to demonstrate that the majority of the HIPAA regulations are being met. It is important to note that HITRUST, in theory, may not cover all of the specifications of the HIPAA Security Rule and has never been formally endorsed by OCR. However, according to HITRUST, “The CSF and CSF Assurance Program has been used in past resolution agreements with OCR.”
Are you considering HITRUST Certification but not sure where to begin? Contact us for a complimentary meeting with one of our security and compliance consultants who will answer all of your HITRUST questions.