
Guide to Understanding HITRUST


Take a moment and imagine an industry where healthcare providers, payers and third-party vendors have grown weary of the countless interpretations of regulations, audits and “standard” inconsistencies. Can you imagine it? It’s not that far from reality, right? Now also imagine that leaders of those organizations formed an alliance to take on the massive endeavor of unifying these regulations and standards. As Einstein so shrewdly said, your imagination is your preview of life’s coming attractions.

Leaders of healthcare providers, payers and third-party vendors have formed an alliance to standardize the interpretation of healthcare’s inconsistent security standards. That alliance is called HITRUST, and it provides the Common Security Framework (CSF).

The HITRUST CSF is rapidly becoming the future of healthcare compliance validation. This guide is a condensed course meant to bring you up to speed on the What, Why, and How of HITRUST.

What is HITRUST?

Many people fail to realize that the Health Information Trust Alliance, known simply as HITRUST, is not a framework at all, but an organization comprised of healthcare industry leaders who regard information security as a fundamental component of data systems and exchanges.

The HITRUST organization, in partnership with other technology and information security leaders, created and maintains the Common Security Framework (CSF). The CSF, currently in version nine, is a certifiable framework that encompasses and harmonizes several other compliance frameworks and standards, including HIPAA, HITECH, PCI, ISO/IEC, COBIT, NIST RMF, and varying state requirements. By utilizing this framework, HITRUST has constructed a system infrastructure roadmap so that any healthcare organization can certify that it securely creates, accesses, stores, or transmits protected health information (PHI).

Why does HITRUST matter?

As healthcare is becoming further dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become a progressively emphasized, yet convoluted, matter. Navigating the tortuous labyrinth of federal, state and third party security mandates has become a feat that can quickly consume an organization’s resources.

If that isn’t enough, getting through all of the twists, turns, and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to guarantee they are a trusted business partner. With all considerations, isn’t it obvious that the industry is in need of a system that is clear, standard, and secure? Thankfully, that’s exactly what HITRUST has established in order to put the trust in data security.

In 2015, HITRUST announced the expansion of the healthcare industry’s use of the CSF Assurance Program in an attempt to efficiently and effectively manage third-party assurance processes. Some of the largest healthcare organizations, including Anthem, Humana, United Healthcare, HCSC, Highmark, and others are now requiring their business associates to obtain HITRUST CSF certification within the next twenty-four months. Additionally, large hospitals and health systems are now highly recommending that business associates and partners pursue HITRUST certification.

Already the most widely adopted assessment in healthcare, the CSF Assurance Program will quickly force business associates to assess and report on their data privacy and security posture or risk losing their contracts and renewals with healthcare systems.

Structure of the HITRUST CSF

In contrast to HIPAA, the CSF does not create broad buckets like administrative and security controls. The HITRUST CSF is divided into thirteen different control domains:

  1. Information Protection Program

  2. Endpoint Protection

  3. Portable Media Security

  4. Mobile Device Security

  5. Wireless Security

  6. Configuration Management

  7. Vulnerability Management

  8. Network Protection

  9. Transmission Protection

  10. Password Management

  11. Access Control

  12. Audit Logging & Monitoring

  13. Education, Training and Awareness

  14. Third Party Assurance

  15. Incident Management

  16. Business Continuity & Disaster Recovery

  17. Risk Management

  18. Physical & Environmental Security

  19. Data Protection & Privacy

In addition to the above control categories, HITRUST defines 156 Control Specifications. For each of those controls, three distinct implementation levels exist. Each implementation level builds on the one before it — level two includes all of level one plus additional requirements, and level three includes all of level two plus additional requirements. Level three therefore has the most stringent set of requirements. Implementation levels in the CSF are determined for each organization based on its risk profile, accounting for factors such as the size of the organization and the number of health records it stores. Most organizations end up with a mix of levels one, two, and three across their one hundred thirty five controls.

The HITRUST CSF Assessment

Every HITRUST assessment begins with gathering information on the entity being assessed. This information is used to gauge the organizational, system, and regulatory requirements for the assessment and to determine its risk and scope. In contrast to HIPAA, which subjectively states that controls should be implemented that are “reasonable and appropriate,” HITRUST is prescriptive, dynamically assigning an implementation level to each requirement.

Degrees of Assurance

HITRUST likes categories in sets of threes. In addition to three implementation levels, HITRUST offers three different Degrees of Assurance, which are essentially levels of assessment. The Degrees of Assurance align with cost, level of effort, amount of time, and rigor. Each level builds on the one before it, so the following options exist, starting with the least cost, effort, time, and rigor.

  1. Self Assessment. This is simply an organization completing the CSF on its own. It is valuable, typically as an internal tool for the organization, because it is done against a standardized framework. External parties don’t verify any aspect of this type of assessment. It results in a HITRUST-issued CSF Self Assessment Report.

  2. CSF Validated. This and the CSF Certified option below require a third party CSF Assessor to verify the information gathered by the organization completing the assessment. The CSF Assessor must be approved by HITRUST. This Degree of Assurance requires an onsite visit by the CSF Assessor. HITRUST reviews the completed and validated assessment and issues a Validated Report as the outcome.

  3. CSF Certified. Similar to the CSF Validated assessment, the organization undergoing the assessment is granted a HITRUST Certification that is good for two years. The major difference for this Degree of Assurance is that the organization granted HITRUST Certification meets all of the certification requirements of the CSF. This builds on the CSF Validated assessment in that HITRUST reviews and certifies the entries of the organization and the validation of the third party assessor. In the case of Datica, this final step for certification took three to four months.

Cost of a HITRUST CSF Assessment and Certification

Cost is one of a few gating factors for companies considering a HITRUST Assessment. This cost can be broken down into two broad categories — direct and indirect costs.

Direct Costs

A validated HITRUST Assessment that results in a HITRUST CSF Certification is a more complete, certified version of a HIPAA audit. It was created by large healthcare enterprises to mirror PCI compliance. It is similar to a full HIPAA audit but goes into much more granular detail about the maturity of controls and compliance programs. A standard web app is used to enter information, and those entries are validated by a HITRUST-approved assessor. Then the HITRUST organization reviews all the entries, typically asks for more evidence, and you hopefully get HITRUST certified at the end. The direct costs for this include both fees to HITRUST and to your auditor or approved assessor. The direct costs, at the low end, are about $60,000-$120,000, but costs can be much higher for larger organizations.

Indirect Costs

As Steve Jobs said, “the most precious resource we have is time,” and indirect costs are harder to quantify. In regard to the Datica HITRUST assessment, we estimate the total time spent for all employees at 400 hours. Also necessary to consider is the time spent between each audit to address issues and solidify compliance and information security programs. Though not captured for our HITRUST assessment, this contributes to the overall cost of compliance.

Total Costs

Conservatively estimating the cost of an hour of work at $100/hour, a rough calculation can be tallied. With the cost of salaries, benefits, and lost opportunities from work not performed simultaneously (writing code, customer support, sales, marketing, etc.), a partial loss must also be considered. Based on those numbers, the total cost of the HITRUST Assessment is appraised at $100,000-$160,000. If you are considering HITRUST, cost is only one consideration. Audits are time consuming and distracting, factors that are hard to quantify. Weigh the audit’s value for your organization.

For us, HITRUST Certification was a no-brainer because audits are part of our value proposition to customers. We have many customers that effectively scale sales without having done audits themselves, so it’s not essential to closing deals — even very large deals. It’s also important to understand that the cost of an audit is not simply a cost at one point in time. Audits are typically followed by annual reviews, sort of like miniature audits. These also cost money, eat time, and can be a distraction.

Our HITRUST Journey

There is no “secret sauce” to achieving HITRUST Certification. Simply put, certification is the result of intensive, detailed preparation, exceedingly long hours, exceptionally talented individuals and a willingness to learn every step of the way. The process was incredibly laborious and consumed time and resources beyond our wildest expectations, even with a team that has experienced HIPAA from all imaginable angles - technical auditors, mobile app vendors, clinicians, compliant platform vendors, etc.

HITRUST isn’t easy, and it shouldn’t be. The experience Datica has gained as a company and the extensive testing of our technology brings great value to our customers. We’re ecstatic because our HITRUST Certification is helping our customers prove their applications and data are secure by being an even more compelling proof than our HIPAA audits. If you’re already a Datica customer, there’s nothing you need to do; the Datica Compliant Cloud infrastructure you’re hosting on is HITRUST CSF Certified.

If you’re not a Datica customer and have questions about what it takes to complete a HIPAA audit or HITRUST assessment, please don’t hesitate to reach out, as our team of experts wants to be your trusted resource.

From startups to enterprise, Datica provides the easiest way to use PHI/PII/PCI in the cloud. We eliminate compliance guess-work so your teams can innovate quickly without the headaches. Compliance and security certainty with cloud flexibility. Don’t let compliance ambiguity slow your team down and add risk to your business. Partner with Datica, get building and stay compliant with SOC 2, HIPAA, HITRUST, and PCI.
