The Definitive Guide to Getting Started with HITRUST

HITRUST stands for Health Information Trust Alliance. It was created in 2007 as an independent, not-for-profit organization with the goal to develop and enhance security programs designed to safeguard Protected Health Information, or PHI.

Initially, the Alliance was founded to create a third-party certification for the healthcare industry that also incorporates HIPAA controls, known as the HITRUST Common Security Framework (HITRUST CSF). Since its inception, the Alliance has broadened its services and capabilities to help organizations across multiple industries manage risk and compliance.

Nonetheless, HITRUST CSF remains a go-to security framework for healthcare organizations, with 81% of hospitals and 80% of health plans leveraging the framework.

What is the HITRUST CSF?

HITRUST and HIPAA may sound similar and they may share similar aspects to protecting health information–but they’re actually very different.

For starters, HIPAA is a U.S. federal law. HIPAA, the Health Insurance Portability and Accountability Act of 1996, requires that covered entities and business associates protect sensitive health information. HIPAA is made up of three main rules:

1. The HIPAA Security Rule: this rule specifies which organizations must follow the rule and controls needed to protect PHI.
2. The HIPAA Privacy Rule: this rule specifies the permitted use and disclosure of PHI.
3. The Breach and Notification Rule: this rule states that all discovered breaches must be reported within 60 days.

HIPAA lays the groundwork for protecting PHI, but does not provide a framework for comprehensively implementing controls, nor does it provide a mechanism for an organization to demonstrate with a high degree of assurance that they have done so successfully.

HITRUST provides both the framework as well as the independent, third party report that enables organizations to prove that they have implemented the necessary controls to protect PHI.

As mentioned in the previous section, HITRUST CSF is a comprehensive security framework  that addresses both security risk and compliance. Think of it as an “umbrella framework” that embodies the requirements of several other standards and regulations, such as HIPAA, PCI, and GDPR. While HITRUST isn’t a federal regulation like HIPAA, the majority of U.S. hospitals and health systems have adopted HITRUST, and many organizations require that their third parties become HITRUST certified.

HITRUST ultimately allows organizations to identify security measures that align with their risk factors, such as their organization type, company size, technology systems and regulatory requirements.

We cover this and more in our eBook: HITRUST® Certification: Is It Right For Your Organization?

There are many reasons organizations choose to get HITRUST certified.

For example, in the Healthcare industry, Healthcare providers’ reliance on technologies to store and transmit PHI has grown. With this adoption comes the need to demonstrate compliance with many other state and federal regulations, standards and security frameworks. HITRUST creates a streamlined approach to addressing these standards in one, single risk-based approach.

Below are some key benefits to investing in HITRUST:

1. Position yourself as a leader in security and compliance with the “Gold Standard.”

Healthcare customers know that cyberthreats and risks are very real. They want to know that their information is being handled delicately and responsibly by healthcare organizations, and doesn’t fall into the wrong hands.

When an organization is HITRUST certified, they can easily demonstrate this to customers and third parties due to HITRUST’s status as a Gold Standard. HITRUST is essentially the most comprehensive of all frameworks, providing multiple levels of assurance of risk management and compliance. It is considered a rigorous, yet effective approach that strongly influences an organization’s stance as a leader in security.

2. HITRUST keeps you ahead of the curve.

HITRUST updates its methodologies, programs and solutions regularly to remain up-to-date on changing regulations. Companies that achieve the HITRUST r2 certification, i.e. the 2-year HITRUST certification are required to perform interim assessments every year, and recertify every two years. Companies that opt for the HITRUST i1 certification, must re-certify every year to stay current.

3. It’s easy to scale and cost-effective.

HITRUST embodies several types of security frameworks and standards, making it a holistic approach to healthcare data security. As a result, it’s easy for an organization to produce multiple reports with one assessment, if needed.

HITRUST is also a repeatable process. Once an organization achieves an initial certification, the process becomes easier and more cost-effective year after year.

There are two  common types of HITRUST assessments: a readiness assessment and a validated assessment.

A HITRUST Readiness Assessment

Previously known as a HITRUST Self-Assessment, the HITRUST Readiness Assessment permits organizations to work on their own, or with an experienced consultant, to assess their existing security program against the HITRUST controls that are in scope for the organization and determine how close they are to ready to undergo the rigorous testing required to pass a Validated Assessment and get certified.

This readiness assessment will provide a valuable gap analysis to help the organization understand how much work is needed to complete the required control implementation before they begin their audit. . In fact, HITRUST recommends it. Additionally, for a small fee HITRUST will issue a Readiness Report that the organization can use to show their clients and stakeholders that they are on the path towards HITRUST validated assessment.

To complete a HITRUST readiness assessment, you will need to purchase a subscription to the HITRUST MyCSF platform to identify your risk and scoping factors and access the specific control requirements targeted for your organization.

A Validated HITRUST Assessment

A validated HITRUST assessment is performed by an independent third party, called an authorized external HITRUST CSF assessor. After selecting an assessor, an organization  will need to purchase a MyCSF subscription as well as a validated assessment report from HITRUST. The assessor will review and validate the organization’s maturity scores for the applicable set of controls and submit their assessment to HITRUST for review. 

If the organization scores high enough on each of the 19 domains of a HITRUST assessment, HITRUST will make the determination to grant them a letter of certification with their validated assessment report.

Preparing for HITRUST is no easy task. There are hundreds of man-hours required, evidence to collect and submit, and external assessors to vet.

HITRUST is daunting, but it’s doable. With the right team and support, the HITRUST process can be a smooth-sailing, successful experience for all involved.

Below are five tips that will help you prepare for HITRUST certification.

1. Educate and communicate.

When seeking a HITRUST certification, everyone should be made aware–and we mean everyone. Employees, stakeholders, assessors and HITRUST. You’ll definitely need buy-in from executives, but everyone should understand their role in the process.

Even employees that don’t have a direct impact or relationship with a HITRUST audit should understand that the company is undergoing the process of revamping and improving its security programs. It will likely impact them at some point as the organization improves its policies and procedures, thus directly impacting how people perform their jobs.

2. Budget time and resources among your team.

In the previous section we reviewed  the indirect HITRUST costs. Be sure to allocate time to your team, especially your IT team. They will be taking on the majority of the HITRUST workload. Your security, operations and IT departments will be the ones doing the heavy lifting, so don’t neglect to include them from the onset and budget the necessary time and resources  to them. Many auditors recommend working with experienced HITRUST consultants as well as hiring at least one full time person to support the HITRUST assessment.

3. Have your security evidence and documentation ready.

HITRUST requires records for each audited period. You will be asked when you’ve updated your systems, policies and procedures, and you’ll need the evidence to back up those claims. Be ready with any documentation to support changes to your operations. If you already have an integrated risk management platform with built-in documentation, you’re already a step ahead.

It may take your team weeks to months to collect and prepare evidence, so having a system in place to easily retrieve the latest documents and notes for your HITRUST certification (now and in the future) will make your life easier.

4. Proper scoping is essential.

For your HITRUST process to be successful, your organization will need to understand its scope and security maturity level. While HITRUST CSF is a flexible framework and can be tailored to nearly any organization, it’s important to purchase a MyCSF subscription early in the process to gain access to, and begin to understand your specific risk factors to ensure you are applying the framework appropriately. Working with an outside HITRUST vendor can help you understand your company’s risk factors and set them appropriately.

5. Don’t go it alone.

HITRUST takes a lot of time and effort, and it’s an ongoing process requiring recertification every two years, with an annual review. While the process gets easier, the first HITRUST attempt is rigorous.

If you need the extra hand, don’t overlook the benefit of hiring a HITRUST preparer. If you are going to work with a HITRUST vendor, it’s valuable to seek one out early on in the process. A HITRUST preparer can help you with your readiness assessment and get you in shape for the real deal.

Like many security frameworks, HITRUST is not a checkbox. A HITRUST Certification is valid for two years, though a scaled-down, interim review on the first anniversary as well as ongoing maintenance is required.

After you receive certification, your compliance team will need to complete Corrective Active Plans for any deficiencies, keep up to date on HITRUST CSF updates, continue to operate ad-hoc, daily, monthly, quarterly and annual controls, and prepare for the next assessment.