HITRUST vs HIPAA: The Similarities and Differences Healthcare Organizations Need to Know
If your healthcare organization is subject to HIPAA, odds are you’ve come across HITRUST CSF in the course of your compliance efforts. Understanding what the framework is and how it relates to HIPAA can help you decide the best path for your compliance journey.
Read on to find the details you need to decide whether HITRUST certification is the right choice for your healthcare organization.
What is HIPAA compliance?
The Health Insurance Portability and Accountability Act (HIPAA) was signed into U.S. law by President Bill Clinton in 1996 to address two key issues within the healthcare industry:
- Ensure health insurance coverage for employees who are between jobs. Without HIPAA, individuals in this situation could be left without access to health insurance and potentially unable to pay for necessary healthcare.
- Prevent healthcare fraud by securing protected health information (PHI). The HIPAA Privacy Rule introduced critical changes to how healthcare organizations can store, handle, access, and share sensitive patient information.
HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities.
HIPAA compliance is the process of securing PHI and ePHI in accordance with HIPAA rules.
What is HITRUST CSF?
The Health Information Trust Alliance (HITRUST) was founded in 2007 to help organizations from all sectors (but especially healthcare) effectively manage information risk and secure sensitive data. HITRUST partnered with data protection professionals to establish HITRUST CSF as a single security and privacy framework that would satisfy requirements across multiple data protection regulations and standards, including HIPAA, ISO 27001, NIST, GDPR, and PCI DSS. The HITRUST common security framework offers clarity and consistency for organizations that need to comply with several data privacy and security laws.
HITRUST helps healthcare organizations with information risk management across a matrix of third-party assurance assessments, and it’s one of the most effective ways to demonstrate compliance with HIPAA requirements. Because it offers organizations a comprehensive way to implement data protection best practices, HITRUST is one of the most widely adopted cybersecurity frameworks across the globe.
HITRUST vs HIPAA: What are the legal requirements?
HIPAA and HITRUST are not the same, and it is possible to be HITRUST certified and still violate HIPAA.
HIPAA is a federal law that explains what healthcare organizations must do to protect sensitive patient information. All covered entities and their business associates must comply with HIPAA regulations or risk civil or criminal violation penalties.
HITRUST CSF is a framework that helps covered entities and business associates take the necessary steps to comply with the requirements laid out in HIPAA legislation. As is true with many other cybersecurity frameworks such as NIST, HITRUST certification is not legally mandated. Any healthcare organization or service provider can pursue certification.
Simply put, HIPAA defines what covered entities must do under the law. HITRUST helps them figure out how they will do it.
How HITRUST certification helps healthcare organizations prove HIPAA compliance
HIPAA requires organizations to complete annual internal information security audits, but it’s not prescriptive about how covered entities and business associates can prove compliance with the law.
To demonstrate HIPAA compliance, healthcare organizations can become HITRUST CSF certified, which involves a third-party audit.
The HITRUST Certification Process
As with most data security audits, the process is typically broken down into a few defined phases:
Phase 1: Readiness and remediation
To prepare for HITRUST certification, many organizations hire an authorized HITRUST external assessor to help them determine the type and scope of audit they need and evaluate the controls they currently have in place. This process helps them identify and fix any gaps they may have in their compliance posture before their audit. The readiness assessment and remediation phase can take anywhere from 2-6 months.
Phase 2: Validated assessment
The assessor will test controls, review documentation, interview personnel, and review penetration testing and vulnerability scanning reports. Based on their findings, the assessor will determine control maturity and level of compliance: fully, mostly, partially, somewhat, or non-compliant. The final assessment is sent to HITRUST for approval.
Phase 3: Quality assurance review and report
Once the validated assessment is submitted, HITRUST completes a quality assurance review and generates a final certification report. This can take 4-8 weeks.
HITRUST certification is valid for 24 months, with an interim assessment required at 12 months.
Secureframe makes it easy to get HIPAA compliant and HITRUST certified
With the emergence of more sophisticated threats and the prevalence of data privacy legislation, it’s more important than ever to protect your business and your customers against security risks and data breaches. Our all-in-one security and privacy compliance automation platform makes it faster and easier to achieve and maintain compliance with the most rigorous global security standards.
- Continuously monitor your HIPAA safeguards and security controls for continuous compliance
- Access data security and privacy training within the platform and track employee completion
- Monitor vendors and business associates with access to PHI in one platform
- Automatically collect evidence for annual compliance audits
To learn more about how Secureframe streamlines security and privacy compliance, schedule a demo with a product expert.