April 8, 2014

Down the road to HITRUST

Travis Good, MD

Co-founder & Chief Technology Officer

Catalyze is focused on compliance, specifically compliant hosting and backend services. Hopefully that’s obvious, or we’re doing very badly with marketing and messaging. We typically don’t add “HIPAA” in front of “compliance” because we think of compliance more broadly, and there is a stigma in the healthcare industry attached to “HIPAA Compliance”. But our technology and organizational structure were built with information security at their core, and aspects of HIPAA have driven our policies, especially as they relate to training and educating our team members about the privacy and security of ePHI.

One of the major problems with “HIPAA Compliance” is that the rules that make up HIPAA are more like recommendations than specific rules. Most of them are very high level, and do not necessarily map to specific requirements. That leaves much up to interpretation. Because of this, an emerging standard, backed by some very big names in healthcare (United, CVS, McKesson, and more), is starting to gain acceptance. This new standard is called HITRUST. HITRUST was created to harmonize “the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC)”. It raises the audit bar considerably but, at the same time, establishes a formal certification for healthcare technology security.

HITRUST has created what it calls the Common Security Framework (CSF), which is a dynamic set of requirements. We think of it as a more prescriptive version of the HIPAA rules, but it’s really much more than that. I say dynamic because it is updated periodically, and certifications are mapped to specific versions of the CSF. Formal HITRUST CSF Certification, with the validation of an approved auditor, lasts for 2 years. Smaller vendors can also self-assess against the CSF.

We’re excited to share that we’ve officially kicked off our HITRUST audit. Audits are hard to get excited about, but this is one we’ve been looking forward to for a while. The HITRUST audit is much more involved than our HIPAA assessment. It starts with us independently completing the CSF online, which is a good amount of work, then going over all of it with our independent auditors, then doing our on-site audit and penetration testing, then submitting everything to HITRUST for certification. Organizations can self-assess against the CSF but, since we’re compliance partners for our customers, we are going to do the full audit to get to full certification.

This takes time, but it’s something we are committed to and something we feel is important for us and our customers. In talking to customers and prospects, they see value in our approach both to technology and to compliance more broadly. Technology is only one part of us providing compliant hosting and services to our customers. We feel that HITRUST CSF Certification will be an additional benefit to our customers and to our customers’ customers.

There are several additional things falling out of this process, all of which will help us as an organization. We’ll be writing more about this, but we’ve changed the way we version control our organizational and information security policies, and we now share them publicly with customers and partners. We’ve also created a better risk assessment process and breach notification strategy. More on these in later posts. If you have any questions about HITRUST, please email compliance@catalyze.io.

Tags: HIPAA Compliance, HITRUST, Company