The benefits of HITRUST certification

By Kurt Hagerman
August 02, 2013
08:43 AM

As healthcare providers rely more and more on evolving technologies to store and transmit their data, compliance has become an increasingly complex landscape to navigate. Managing the security requirements from federal and state agencies and other third parties can be a daunting task, one that consumes considerable energy, expense, and effort. When you consider that healthcare organizations and their IT vendors must not only achieve compliance but prove that they are a trustworthy resource, it’s obvious that the industry needs a system that is clear, efficient and secure.

The basic compliance rule book, of course, comes straight from HIPAA. By now experienced providers are familiar with HIPAA’s baseline of requirements; they must ensure the confidentiality, integrity, and availability of any data they create, receive, maintain, or transmit, while providing reasonable protection against threats. This all sounds reasonable enough until providers dig a little deeper for an actionable roadmap and instead find vague language with a lot of loopholes.

Consider, for instance, HIPAA’s guidelines that allow for considerations such as the size, complexity, and capabilities of the organization, including technical infrastructure, hardware, and software capabilities, costs of security measures, and the probability of potential risks when selecting controls to implement. These guidelines are too elastic to provide specific and reliable direction for providers – nor does following them offer a solid guarantee of data protection.

As a result, providers that follow HIPAA requirements are often unsure of what constitutes “reasonable and appropriate” protections. Often they implement controls without reasonable justification – or worse, implement controls that aren’t sufficient. They conduct inadequate risk assessments or skip them entirely.  When you consider how many significant fines the OCR issued in 2012, the need for standardized and actionable guidance becomes clear.

This is where the Health Information Trust Alliance (HITRUST) comes in. Developed by healthcare and IT professionals, the HITRUST Common Security Framework (CSF) helps organizations by providing an efficient and prescriptive framework for managing the security requirements inherent in HIPAA. By integrating the diverse set of existing requirements applicable to agencies and businesses, HITRUST seeks to eliminate the inconsistencies and wasted resources so typical in reporting healthcare compliance. This is not to say that HIPAA is a waste or should be ignored. HITRUST should be seen, rather, as an important, industry-managed approach to meeting HIPAA security rule requirements.

HITRUST can offer providers a trusted benchmark from which they can measure and manage their own compliance – while offering proven protection to their customers.

The Value of the HITRUST CSF

When you consider that virtually every healthcare provider has more than just one compliance obligation, the advantages of the HITRUST CSF becomes clear. By translating HIPAA and HITECH requirements into an actionable roadmap that is cross-referenced to many other security and data privacy regulations, the CSF provides organizations with a prescriptive set of controls that can be used to manage compliance across a broad range of regulatory requirements. This comprehensive approach reduces complexity, risk and cost while protecting sensitive patient and other data.  

With one simplified compliance process, the CSF:

  • Incorporates existing, globally recognized standards such as HIPAA, NIST, ISO, PCI, FTC Red Flag and COBIT
  • Reduces risk of non-compliance with HIPAA
  • Scales according to your organization’s size, type and complexity
  • Provides clear, actionable guidelines
  • Evolves according to your needs, as well as changes in both the healthcare industry and the regulatory environment

The Benefits of HITRUST Certification

Right now it is virtually impossible to claim that your organization is “certified HIPAA compliant” as no formal process or status exists. Yet HITRUST offers a third-party assessment that verifies your organization has met all of the industry-defined certification requirements of the CSF.

What benefits can certification offer you? To start, it can save you considerable time and money when it comes to audits; because the consolidated controls view from the CSF provides visibility into the controls overlap among multiple regulatory requirements, you’ll be able to demonstrate exactly how your controls program is meeting the combined requirements. With one assessment, you can generate multiple reports addressing multiple legislative, regulatory or best practice frameworks such as HIPAA, PCI or NIST.

Yet perhaps the most far-reaching and competitive advantage relates to your brand. Consumers today are aware of and concerned by cybercrime and privacy breaches, and most are too cynical to truly believe an organization’s marketing claims of data protection. Yet a third-party attestation – one benchmarked against a recognized controls framework specifically designed to fully address the letter and spirit of HIPAA - can lend your security program both credibility and prestige. Once HITRUST CSF Certified, your organization will be able to advertise its compliance and security, with the proof to back it up. 

A Foundation for Better Healthcare

When it comes to compliance, the world of healthcare technology can be a complicated place. HITRUST certification simplifies compliance by offering providers a tailored set of controls, founded on the expertise and best practices of leading healthcare and IT experts, for an assumed set of risks and compliance requirements. By helping organizations of all sizes and backgrounds become certified, the CSF ultimately allows providers to spend less time worrying about compliance – and spend more time focused on patient care.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

clinical researchers looking at data on a screen
Success Stories & ROI
Breaking down barriers in patient-centered clinical research

Most Read

A new risk atop ECRI's annual health tech hazards list: AI
HIMSSCast: Concrete guidance to improve hospital cybersecurity
Chang Gung Memorial Hospital, Linkou scores Taiwan's first DIAM validation
Three for 2025: What you need to know about agentic AI, cancer informatics and data security imperatives
Nebraska sues Change Healthcare over ransomware attack
Q&A: CybersolutionsMD CEO on preventing cyberattacks

Research

White Papers

More Whitepapers

Artificial Intelligence
Patient Engagement
Patient Engagement

Webinars

More Webinars

Privacy & Security
Privacy & Security
Imaging

More Stories

Ty Greenhalgh and Mike Powers_HIMSS25 preview__Las Vegas skyline Photo by halbergman/E+/Getty Images
Health system alignment on IoT device security
Opening of the Centre for Digital Health and Precision Medicine at The Apollo University
Apollo Hospitals launches digital health research centre...
A computer programmer doing codes
Cyber threat sharing network for health launched and...
Robert F. Kennedy Jr. speaking
Robert F. Kennedy Jr. touts AI to address problems facing rural hospitals
Ian Shakil at Commure_Network abstract 3D concept Photo by Verigo3D/E+/Getty Images
Human oversight is a must for AI ambient documentation
Cheryl Reinking, DNP, RN, of El Camino Health on nursing
El Camino Health saves $850K in RN replacement with frontline manager platform
Doctor in scrubs setting up laptop for telehealth
Zoom takes Suki partnership to next level
Senior consults with physician via telehealth with smartphone
Connected health tools help seniors, but a digital divide persists