Datica Blog

HITRUST Inheritance: The most important compliance announcement of the year

October 19, 2016  |  HITRUST

We completed our initial HITRUST assessment about three years ago. The process of working with the HITRUST CSF, our third-party, HITRUST-approved auditors, and HITRUST as a certifying body had a steep learning curve; we’ve since completed additional HITRUST assessments and extended our HITRUST CSF Validated Assessment to include additional service providers and certify product and organizational changes. Since achieving our HITRUST Certification, our goal has been to educate the industry about our experience, both positive and negative, with HITRUST, and to lower the barrier for others to achieve HITRUST Certification.

We feel strongly that the healthcare industry needs a true industry-accepted certification for security and compliance in order to streamline the adoption of new technologies while maintaining the highest privacy standards for health-related data. HITRUST represents that certification in healthcare today. We’ve seen the power of HITRUST in reducing our contracting process with certain covered entities from months to minutes (or however long it takes to securely upload your HITRUST Certification report). Achieving a CSF Validated Assessment, especially for those new to HITRUST, is a time-consuming and expensive endeavor. That’s why we’re so excited that HITRUST launched its inheritance program this summer and will fully incorporate the concept of inheritance into the CSF this December.

We knew the HITRUST CSF Inheritance Program had been on the HITRUST roadmap for several years, and we felt it would be a huge benefit to our customers. In the words of HITRUST:

This program simplifies the process and reduces the effort for hosting and service organization customers. By working with a participating service provider, customers can reduce the required testing and associated costs for inherited controls in a fully automated manner.

Datica is proud to be a participating service provider in the inheritance program because it enables our customers to explicitly lean on us, and our specific controls, proof, and scores in the CSF, to streamline their own HITRUST Certification. We are working on our own guide for customers that will help estimate how much of the burden of HITRUST this relieves and what specific controls you should inherit from us. Of the roughly 7,000 entries within our own CSF, we know there is a lot of work, time, and money that our customers can get back by using this feature in the CSF.

Using the inheritance program is straightforward. Below is a summary of the steps.

  1. When completing your CSF, choose “Request Inheritance” for any requirements you plan to inherit from Datica. Do this throughout the CSF. Our guide should help immensely with this.
  2. From the Assessment page you can then choose “Inheritance Request”. This will take you to a screen where you will see all the requirements for which you selected “Request Inheritance”. If you inherit all of the controls from Datica, as most of our customers will, you can choose all of the items in the list, then select “Datica” from the Vendor list.
  3. Datica will then approve all those relevant controls from your request and you’ll be notified via email.

That’s it. As you can see by the simplicity of the process, we think this is a huge win for our customers. We’ve spent lots of time and money to prove how we comply with both HIPAA and HITRUST, and now our customers can fully leverage that work directly within the HITRUST CSF.