“If I’m being honest, I’d tell you that the process we went through to achieve HITRUST CSF Certification was incredibly painful. It was time-consuming and resource-intensive beyond our wildest expectations. Personally, as the Datica Privacy Officer and point person for HITRUST, I was taxed beyond anything I expected.” — Dr. Travis Good, Co-founder, CEO, and Chief Privacy Officer, Datica
Complying with HIPAA and proving it are two different things. Datica is HIPAA compliant. We can point you to the documentation we’ve created to show how we comply with all the various HIPAA rules. But, ultimately, because there is no true HIPAA certification, the only way to prove HIPAA compliance is to go through 3rd party audits as we have at Datica. Our customers leverage those audits to prove the infrastructure they use is HIPAA compliant. Basically, we do all this work to make proving compliance easier for our customers.
Unlike many other technology companies who claim to be HIPAA compliant, we have definitive validation and proof in the form of our HITRUST CSF Certification. HITRUST, for those that don’t know, is an industry-driven attempt to create a prescriptive, standardized, repeatable compliance framework that all organizations in healthcare can trust.
Simple Painful Steps to HITRUST CSF Certification
We went through our first HITRUST CSF audit alongside Coalfire — a 3rd party auditor — in 2015 and are now in the midst of our 2017 renewal audit. After going through this a few times now, we can summarize the HITRUST CSF Certification process with these five giant steps. It’s an involved process and there are no shortcuts. A company considering HITRUST Certification must traverse the same steps.
Step 1: Investigate the process
There are different ways to conduct an audit, and the first undertaking is for the company to work with its auditor (for example, Coalfire) to decide which kind of audit to do. HITRUST CSF is fast becoming the standard, but many auditors have proprietary auditing processes that are also an option. When Datica went through this step, in an effort to move from HIPAA to HITRUST CSF Certification, Datica executives and employees spent considerable time researching the domains of HITRUST.
Step 2: Scope the project with the chosen HITRUST CSF Assessor
This step is fairly straightforward and involves estimating time and cost. In this part of the process, it’s determined how many and which of the 19 total HITRUST domains, dozens of controls, and 700+ potential requirements apply to the company. Controls vary depending on the type of company and products being certified. For example, a cloud platform like Datica has several hundred requirements that apply to it, whereas a company that is not cloud based may have a completely different set of controls and requirements. We have all the details about the domains, controls, and requirements that applied to Datica, which we’ll describe in a future Academy article.
Step 3: Complete the CSF
Completing the CSF involves a sizeable amount of documentation, including policies, risk assessments, and technical documentation and configurations. This can take 3-6 months the first year and around 2 months for subsequent audits. The amount of time this takes is highly dependent on the full scope of each company’s audit, as determined in step 2.
Step 4: Validate the CSF with assessor
The company will need to provide evidence for entries in the CSF. This part of the process can take 4-5 weeks.
Step 5: Certify the CSF with HITRUST Alliance
Almost there! This is the lengthiest part of the process: it can take up to 18 months for lawyers at the HITRUST Alliance to audit the audit, with back and forth on specific line items. Now that HITRUST CSF is becoming the standard way to conduct HIPAA compliance audits, the volume of requests going through HITRUST has increased from just hundreds in 2016 to thousands now in 2017. Once this step is complete, the company receives a HITRUST CSF certificate.
Rinse and Repeat
This whole process needs to be completed on an annual basis but the good news is it’s much faster, slightly easier, and potentially less expensive the second time around. HITRUST isn’t easy, and it shouldn’t be. The experience we’ve gained as a company and the extensive testing of our technology brings great value to our customers. The best news of all of this for Datica customers is that HITRUST allows for inheritance, which means if you are planning to obtain your own CSF certification, you can inherit Datica’s certificate to shortcut an average of 40% of the time and costs of the process.