Organizations that work in healthcare-related industries face a number of compliance obligations. Likely the most pressing of these compliance obligations is the Health Insurance Portability and Accountability Act (HIPAA). For organizations that are required to demonstrate HIPAA compliance, the term “HITRUST” is likely to have come up at some point. But what exactly is HIPAA? And why should organizations care about HITRUST, particularly if they are looking to demonstrate HIPAA compliance? Below we provide an overview of what HIPAA regulates and how HIPAA compliance and HITRUST Certification differ and present reasons that may make HITRUST Certification the right choice for your organization.
What is HIPAA?
HIPAA governs two primary things: (1) how protected health information (PHI) is protected; and (2) the privacy rights afforded to individuals with respect to their PHI. Organizations subject to HIPAA are divided into “covered entities” and “business associates”.
Covered entities include healthcare providers (e.g. doctors or clinics), healthcare clearinghouses (e.g. billing services), and health plans (e.g. health insurance companies).
A business associate is a person or organization, other than a workforce member of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI. A business associate can also be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of another business associate.
For some organizations, HIPAA compliance is a clear mandate – such as healthcare providers, for example. But even organizations that aren’t healthcare-focused may need to demonstrate some level of HIPAA compliance as a result of being a business associate to a covered entity.
So how do organizations go about demonstrating HIPAA compliance? At this time, the only way of demonstrating HIPAA compliance is through an independent audit. However, at present, there is no official or widely recognized certification for HIPAA compliance. This means that current HIPAA audits are done in a non-standardized manner leading to inconsistent application of HIPAA’s requirements and a less reliable audit report.
HITRUST is a non-profit organization that created and maintains the HITRUST Common Security Framework (CSF). The HITRUST CSF was originally designed to be a security framework for companies in the healthcare industry handling electronic PHI, but now has been expanded to other data-sensitive sectors. HITRUST provides a framework for organizations to comply with various regulations and standards based on the company’s size, types of systems deployed, and applicable regulatory requirements.
The HITRUST CSF incorporates existing controls and requirements developed from laws such as HIPAA and HITECH, as well as security standards such as NIST, ISO, PCI, and federal and state privacy laws. The HITRUST CSF harmonizes existing controls from these standards, regulations, and business requirements and delivers a standardized and defined process for effectively and efficiently evaluating compliance and security risks. Organizations assess their internal systems, policies, and procedures against these controls.
One major benefit of the HITRUST CSF is that it is flexible enough to accommodate nearly any type of organization. At the same time, the HITRUST CSF’s standards are quite rigorous, meaning that if your organization becomes HITRUST Certified, you will have objectively demonstrated that your organization has robust data security and privacy practices that your business partners and customers can rely on.
- HITRUST Certification is a significant undertaking. Organizations considering HITRUST should understand that a time and resource commitment is required to achieve certification.
- HITRUST is not tied to HIPAA compliance. Organizations seeking to use HITRUST to demonstrate HIPAA compliance (or any other qualifying regulatory requirement) must ensure that they set the proper scope for their HITRUST assessment. If you aren’t sure about proper scoping, a HITRUST assessor firm (like Vicis Law) can help you with that.
- HITRUST Certification runs in two-year cycles. Every two years, including the first year, a full audit is required. During the odd years, only a simple, less intensive interim audit is needed.
- HITRUST is capable of covering a wide variety of legal, regulatory, and business compliance requirements. The number of required controls that need to be satisfied grows as your organization adds regulatory factors to the scope of your audit. However, this can still produce cost and time savings over repetitive audits for different standards. In addition, HITRUST cross-references every control to help minimize redundancy. As HITRUST says, “Assess Once, Report Many“.
We Can Help
We can help with HIPAA compliance or HITRUST Certification. If you’re interested in learning more about our services, please contact us below.
- HIPAA Compliance
- HITRUST Certification
- HITRUST Readiness and Self-Assessments
Schedule a meeting with us
If you would like to set up a day and time to speak with us, please schedule time with us for a free consultation.