By Ken Lynch
Jan. 22, 2020
Breaches of health-care data are all too common. In fact, healthcare surpasses every other sector in the number of breaches of private information. Fortunately, there is a data-privacy framework that can help known as HITRUST Common Security Framework (CSF). Here is what this standard is and how it can help your practice.
Currently, in version 9.2, HITRUST seeks to protect sensitive information and manage information risk and compliance. It is governed by the Health Information Trust Alliance and builds on other compliance frameworks like HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry), NIST (National Institute of Standards and Technology), and ISO (International Organization for Standardization).
It is designed for use by any organization that handles sensitive and/or regulated information – meaning creating, accessing, storing or exchanging this type of data- and applies to all industries and throughout the third-party supply chain.
Your Practice Can Get Certified in HITRUST to Show How Secure It Is
To get certified, your organization must implement all required HITRUST controls and pass the assessment. The first thing you should do is carry out a self-audit on your organization to ascertain your level of readiness in data security. The tools, requirements and methodology for self-assessment can all be found in the CSF Assurance Program. While self-assessment will help create a baseline for your organization’s controls, you can only attain HITRUST certification by working with approved HITRUST assessor firms.
Next, you would begin remediation to implement all the CSF requirements fully. Once you’re satisfied with the changes you’ve made, you can apply for CSF validation. This is done through a third-party, HITRUST-approved CSF assessor, who will conduct an onsite audit at your practice to verify your information and status.
HITRUST then reviews the verified assessment and gives a validated report on your practice. When they confirm that your practice meets all the certification requirements, they then issue your practice with a HITRUST CSF Certification, valid for two years.
Costly, But Worth It to Secure Your Practice & Show Patients Their Information Is Secure
The road to certification can take as long as four months, depending on your initial preparedness and how many changes you implement to meet the requirements in scope. You’ll incur direct costs, which include HITRUST fees, the assessor’s fee, certification fee and any remediation resources. For a small OD practice, this can be anywhere between $60,000 and $100,000. For a practice with a large chain of clinics, the cost can be even higher.
However, the ROI you can get from covering these costs makes them all worth it. First of all, you can beef up your data security at a time when cyber-security cases are increasingly being reported in the health industry. Secondly, HITRUST is a well-recognized regulation, which will make it easy to form partnerships with security-conscious businesses or attract security-conscious customers and investors.
When your practice is HITRUST-certified, it says you’re a trusted partner in health-care provision. Patients and stakeholders will be more willing to do with business with you when they know their health and financial information is safe in your systems.
Many consumers now consider a business’s security posture a vital factor in their decision to work with it. When you have HITRUST certification, they’re more likely to consider your services.
Compliance and certification bring security to the core of your services. In turn, your business’s data is less prone to cyber-attacks and accidental exposure by employees and third parties.
How Does Meeting HITRUST Standards Differ from Just Meeting HIPAA Standards?
While HIPAA is a compliance-based regulation, HITRUST is a compliance- and risk-based framework that incorporates security controls from various regulations and harmonizes all these standards into a single set of controls, and adapts safeguards for compliance.
Other Articles to Explore
In doing so, HITRUST provides a comprehensive and scalable framework that can be adopted by organizations of any type and size, while HIPAA implementation specifications and standards are vague and offer limited guidance in determining risk.
HITRUST covers:
• General security, regulatory, statutory and in-depth business security requirements. It:
• Is prescriptive
• Offers assessment guidelines
• Is certifiable and gives third-party assurance
HIPAA is:
• Not prescriptive
• Does not offer comprehensive general security guidance and requirements
• Gives limited audit guidelines
• Not certifiable and doesn’t provide third-party assurance.
HITRUST & HIPAA Are Different, But HITRUST Certification Aids HIPAA Compliance
HITRUST extensively maps the CSF controls to the HIPAA Security, Data Breach and Privacy Rules, and uses multiple-level requirements to address each HIPAA Rule. More specifically, 65 out of the 135 controls implemented by HITRUST target HIPAA regulations. So, when you become HITRUST certified, it means you’ve taken specific steps to meet the implementation specifications stipulated by HIPAA, which makes it easy to become HIPAA-compliant.
HITRUST Certification Means Less Time Spent on Secondary Audits
In addition to being great for business, HITRUST certification also means you’ll spend less time and resources on secondary audits from complementary regulatory bodies such as NIST, PCI and HIPAA. Because HITRUST references these regulations, it means that when you get CSF Certified, you already have the necessary specifications in place for these other regulations, and an assessment from them will be more of a verification of compliance. You will, however, need to provide documentation to prove that you are indeed compliant with these regulations to the auditors.
Market Your Enhanced Data Security
Getting HITRUST Certified is a big deal. It shows your commitment to security and tells your patients that you’re not taking any chances and that you’ve implemented an industry-approved standard to keep their data safe.
You can display the HITRUST CSF Certified logo on your web site, publications and in your communication to your patients. Informed patients, who already know the implication of the HITRUST certification, will find it easier to trust you.
You may also add a short explanation in your patient communications of what it means to be HITRUST-compliant and why it matters to enlighten patients who may not know about HITRUST. If they’re to choose between you and a competitor who is not HITRUST certified, they’re more likely to go for your practice.
Help Mitigating Impact of Data Breach–Should One Occur after HITRUST Certification
A history of HITRUST compliance may cushion you from harsh repercussions as regulators may, before taking any punitive actions, use your compliance history to ascertain whether you made a good faith effort to abide by the established regulatory and legal requirements to safeguard your patient’s data. Regulators also use the same to determine what controls you had in place and to what level you applied them at the time of the breach.
The Office for Civil Rights (OCR) encourages covered entities “to build strong compliance programs internally. Many of these credentialing/accreditation programs can help them do so,” and adds: “OCR considers mitigation and aggravating factors when determining the amount of a civil monetary penalty, and these include the entity’s history of prior compliance. An entity with a strong compliance program in place, with the help of a credentialing/ accreditation program or on its own, would have that considered when determining past compliance.”
Adding HITRUST Certification Long-Term to Your Practice
HITRUST undertakes an interim review of your practice 12 months after the initial assessment, after which they issue a HITRUST Certification. The certification is typically valid for two years, after which you’ll need to apply for recertification.
However, due to IT operations’ dynamic nature, you’ll need to get re-certified annually. An annual audit would ensure that if you hire new employees, change business partners, or adopt new IT solutions, you’ll still be HITRUST-compliant.
Follow-up assessments after the initial certification aren’t as tedious and demanding as the first one. They may also be cheaper since you already have all the requirements in place. You’ll still need to pay assessor and certification fees, but because you’re able to accurately self-assess, you can opt to do so via the myCSF platform on the HITRUST web site. It costs $2,500 to access the myCSF Tool for 90-days. Thereafter, you’ll pay $3,750 to submit your self-audit report for scoring.
The benefits of annual re-certification are that you get to maintain your HITRUST compliance status and sustain your good standing in your patients’ eyes.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. Through its lightweight software, the company makes compliance and risk management tasks seamless for hot growing companies.
