How to cut through the ambiguity, use HITRUST to demonstrate HIPAA compliance, and take your risk model seriously.

The Challenges with HIPAA

The HIPAA Security, Privacy, and Breach Notification Rules were signed into law with the intent to protect sensitive health information from unauthorized use and disclosure.

By design, the requirements within the framework are fairly vague to keep up with the ever-evolving threat landscape and to ensure the requirements can apply to organizations across a variety of sectors.

While this type of framework provides flexibility in how organizations may meet the intent of the requirements, it also leaves many questions around the interpretation of the requirements and what constitutes compliance with them.

This phenomenon has led many companies to search for a more structured approach in demonstrating HIPAA compliance.

The HITRUST Solution

At its inception, HITRUST was considered by many to be the answer to HIPAA compliance.

The HITRUST CSF provides a prescriptive and scalable framework, allowing organizations to provide structure to their security program while also enabling them to comply with the various HIPAA requirements.

As part of the release of version 9.2 of the HITRUST CSF, HITRUST has designated itself to be industry-agnostic, however, the framework still offers several benefits to organizations seeking to formulate a response to HIPAA compliance.

Assessment Scoping

As part of the validated assessment process, all organizations are required to complete a thorough scoping process, whereby the entity identifies the locations, infrastructure, software, and personnel that will be included in the scope of the assessment.

This exercise helps organizations determine which portions of the business will need to be HIPAA compliant, especially if only a subset of business units is required to handle protected health information (PHI). This step helps organizations ensure that they do not expend valuable resources pursuing HIPAA compliance for irrelevant business functions.

Additionally, the output of the scoping process is a listing of requirements that apply to an organization based on the nature of their business and their responses to the scoping questionnaire.

Organizations are only evaluated against those requirements, helping to ensure that resources are not allocated towards requirements that do not apply to the entity.

Risk-based Information Security Approach

The HITRUST CSF has incorporated the concept of implementation levels into the framework.

The implementation levels are used to help match the maturity level of a business to its risk profile. Organizations that are subject to higher levels of risk will be required to comply with more stringent controls.

Organizations pursuing HIPAA compliance often have questions around how much security is enough. The HITRUST CSF answers this question by aligning an organization’s compliance requirements with risks to PHI or other sensitive data.

HIPAA Compliance Reporting Pack and Regulatory Assistance Center

In 2021, the HITRUST Alliance announced its plans to release two additional services to organizations pursuing HIPAA compliance: a HIPAA compliance reporting pack and the Regulatory Assistance Center.

The HIPAA compliance reporting pack will enable organizations to leverage information collected as part of the validated assessment and generate reports that demonstrate HIPAA compliance.

The generated reports show how the evidence and information supporting the HITRUST assessment demonstrate HIPAA compliance.

The Regulatory Assistance Center is available to HITRUST-certified organizations if they are subject to an Office of Civil Rights (OCR) audit. Such organizations will be provided with access to privacy and legal professionals who may be able to help support the investigation process.

Conclusion

HITRUST provides organizations with a means to demonstrate HIPAA compliance effectively and efficiently while strengthening their information security program.

The framework provides the context to address common questions and challenges associated with the HIPAA requirements.

Additionally, the HITRUST Alliance provides access to numerous resources that organizations can leverage to demonstrate compliance. For information on how to get started on a HITRUST assessment click here.