4 November, 2019
HITRUST Compliance for Dummies
HITRUST stands for Health Information Trust Alliance (HITRUST). This alliance has defined and established a CSF – Common Security Framework. This framework can be used by organizations that access, store, create, or exchange either regulated or sensitive data. The framework has a set of prescriptive controls that harmonize the requirements of many standards and regulations in one place.
Founded in 2007 as a not-for-profit organization, the objective of this alliance is to develop programs to safeguard sensitive information (such as ePHI). Primarily, HITRUST certification has attempted to fill the gaps left unaddressed by the HIPAA Security Rule.
HIPAA v. HITRUST
It must be noted that either of these is not a replacement for the other. HIPAA is a US legislation that has to be complied with mandatorily if it applies to an organization. On the other end, HITRUST is a voluntary certification.
We have seen that many HIPAA-compliant companies steered away by HIPAA compliance in a real sense by showing self-attested compliance with HIPAA or signing a business associate agreement (BAA). This approach was particularly disliked by healthcare providers (who are covered entities under HIPAA) who rely on service organizations to support their processes. The demand for greater assurance eventually leads to the formation of the HITRUST alliance.
What is HITRUST myCSF?
myCSF is a GRC tool developed by the alliance for organizations to assess and examine their compliance with multiple frameworks and standards. It allows an organization to tailor its assessment based on its systems and unique factors.
More or less, HITRUST requirements seem similar to ISO 27001; however, they are explicitly applied to the healthcare industry.
All the controls prescribed by HITRUST have three implementation levels. They are built off each other. This essentially means that Level 3 implementation includes Level 1 and 2, while Level 2 implementation includes Level 1.
The three implementation levels are as follows –
- Level 1 – Organization Factors: type, size, location, etc.
- Level 2 – System Factors: Number of records, log data, mobile devices, internet connections, network devices, etc.
- Level 3 – Regulatory Factors: Legal and regulatory requirements, and industry requirements.
HITRUST Certification Cost
A HITRUST assessor looks at over 400 controls on five different maturity levels. This is necessarily looking at around 2000-2500 pieces of evidence to get a clear picture of HITRUST implementation by an organization. Such an assessment will not be any cheaper.
Depending upon the factors, the HITRUST assessment fee may range from around $35k to $300k per year.
Maturity Levels and Scoring
Maximum points available for each maturity level in HITRUST are –
- Policy: 25%
- Procedure: 25%
- Implemented: 25%
- Measured: 15%
- Managed: 10%
For getting HITRUST certified, an organization must score 62% or more in each of the control domains. If an organization is applying for certification for the very first time, it must focus on policy, procedure, and implementation – because these three are 75%, i.e., 13% more than the minimum required score.
Self v. Validated Assessment
An organization may choose to perform a self-assessment of its HITRUST implementation against the requirements applicable in myCSF tool. In cases of self-assessment, HITRUST performs a limited validation of self-assessment results. An organization can derive good value when an assessor possesses appropriate skills and expertise and is not biased towards the organization. Scoring perfectly during self-assessment is inevitably an unethical practice.
On the other hand, a validated assessment is performed by a firm that has been identified as such by the HITRUST Alliance. To get certified with HITRUST, an independent assessment performed by an independent auditor belonging to a HITRUST assessor firm is mandatory.