Leveraging HITRUST for HIPAA Compliance

How to cut through the ambiguity, use HITRUST to demonstrate HIPAA compliance, and take your risk model seriously.

The Challenges with HIPAA

The HIPAA Security, Privacy, and Breach Notification Rules were signed into law with the intent to protect sensitive health information from unauthorized use and disclosure.

By design, the requirements within the framework are fairly vague to keep up with the ever-evolving threat landscape and to ensure the requirements can apply to organizations across a variety of sectors.

While this type of framework provides flexibility in how organizations may meet the intent of the requirements, it also leaves many questions around the interpretation of the requirements and what constitutes compliance with them.

This phenomenon has led many companies to search for a more structured approach in demonstrating HIPAA compliance.

The HITRUST Solution

At its inception, HITRUST was considered by many to be the answer to HIPAA compliance.

The HITRUST CSF provides a prescriptive and scalable framework, allowing organizations to provide structure to their security program while also enabling them to comply with the various HIPAA requirements.

As part of the release of version 9.2 of the HITRUST CSF, HITRUST has designated itself to be industry-agnostic, however, the framework still offers several benefits to organizations seeking to formulate a response to HIPAA compliance.

Assessment Scoping

As part of the validated assessment process, all organizations are required to complete a thorough scoping process, whereby the entity identifies the locations, infrastructure, software, and personnel that will be included in the scope of the assessment.

This exercise helps organizations determine which portions of the business will need to be HIPAA compliant, especially if only a subset of business units is required to handle protected health information (PHI). This step helps organizations ensure that they do not expend valuable resources pursuing HIPAA compliance for irrelevant business functions.

Additionally, the output of the scoping process is a listing of requirements that apply to an organization based on the nature of their business and their responses to the scoping questionnaire.

Organizations are only evaluated against those requirements, helping to ensure that resources are not allocated towards requirements that do not apply to the entity.

Risk-based Information Security Approach

The HITRUST CSF has incorporated the concept of implementation levels into the framework.

The implementation levels are used to help match the maturity level of a business to its risk profile. Organizations that are subject to higher levels of risk will be required to comply with more stringent controls.

Organizations pursuing HIPAA compliance often have questions around how much security is enough. The HITRUST CSF answers this question by aligning an organization’s compliance requirements with risks to PHI or other sensitive data.

HIPAA Compliance Reporting Pack and Regulatory Assistance Center

In 2021, the HITRUST Alliance announced its plans to release two additional services to organizations pursuing HIPAA compliance: a HIPAA compliance reporting pack and the Regulatory Assistance Center.

The HIPAA compliance reporting pack will enable organizations to leverage information collected as part of the validated assessment and generate reports that demonstrate HIPAA compliance.

The generated reports show how the evidence and information supporting the HITRUST assessment demonstrate HIPAA compliance.

The Regulatory Assistance Center is available to HITRUST-certified organizations if they are subject to an Office of Civil Rights (OCR) audit. Such organizations will be provided with access to privacy and legal professionals who may be able to help support the investigation process.

Conclusion

HITRUST provides organizations with a means to demonstrate HIPAA compliance effectively and efficiently while strengthening their information security program.

The framework provides the context to address common questions and challenges associated with the HIPAA requirements.

Additionally, the HITRUST Alliance provides access to numerous resources that organizations can leverage to demonstrate compliance. For information on how to get started on a HITRUST assessment click here.

By Michael Carroll|2021-02-22T20:37:47+00:00February 22nd, 2021|HITRUST|0 Comments

About the Author: Michael Carroll

Michael is a former Cyber Risk Manager for risk3sixty, an Atlanta-based Information Risk Management (IRM) firm helping clients implement business-first information security and compliance programs. Michael's primary responsibilities include: - HITRUST Practice Lead: Leading HITRUST gap assessments, validated assessments, and program implementations. - Assisting with the creation and maintenance of security and compliance related initiatives such as ISO 27001, SOC 1, SOC 2, HIPAA, HITRUST, NIST 800-53, and IT SOX. - Enabling sound security strategy by delivering expert level guidance on cybersecurity best practices. - Helping companies communicate their security / compliance story to partners, customers, and regulators.

Leveraging HITRUST for HIPAA Compliance

The Challenges with HIPAA

The HITRUST Solution

Assessment Scoping

Risk-based Information Security Approach

HIPAA Compliance Reporting Pack and Regulatory Assistance Center

Conclusion

Share This Story, Choose Your Platform!

About the Author: Michael Carroll

Related Posts

HITRUST v11 Validated Assessments Overview for the e1, i1, & r2

Selecting HITRUST e1 over i1: A Case Study

HITRUST i1 vs SOC 2: What’s The Difference?

How HITRUST Fuels Growth for B2B SaaS Companies

Leave A Comment Cancel reply