Proving HIPAA compliance is hard for startups. It takes time, energy and money to develop a new digital health product that is HIPAA compliant. However, just saying your product is HIPAA compliant isn’t enough to actually bring it to market. Today’s startups need to be able to provide definitive validation and proof in the form of HITRUST CSF certification.
HITRUST is an industry-driven attempt to create a prescriptive, standardized, repeatable compliance framework that all organizations in healthcare can trust. Now, HITRUST has launched the RightStart Program that's specifically built to make it easier and more economical for startups to achieve HITRUST CSF certification.
Since day one, we at Datica have been focused on security and HIPAA compliance and we aren't reaching when we say It's in our DNA. For us, being HITRUST CSF certified has always been a differentiator though achieving it the first time around, as a startup ourselves, was an intensive process.
The process to achieve HITRUST CSF Certification can be confusing and resource-intensive for a startup. I’m excited to be a mentor for the new HITRUST RightStart Program to help simplify the process for startups going through the program. Making HITRUST more accessible to small organizations and helping them to anchor their compliance programs on HITRUST is a big win for the industry.” Travis Good
To understand this newest HITRUST program, it's important to know where HITRUST came from. After HIPAA was passed into law in 1996, the following decade or so was a confusing, disorganized morass in which the HIPAA Security Rule did not provide prescriptive measures for covered entities (CE) and business associates (BA).
Basically, these organizations were given the flexibility to implement comprehensive information security programs and analyze their own levels of risk — something many healthcare organizations had no experience with. So even those who did have programs had ones that were significantly less robust than they needed.
In 2007, leaders within the healthcare field — including CIOs, security and privacy officers from leading healthcare providers, insurers and vendors — came together to solve this problem. HITRUST initially developed an information security framework with the intentions of creating an industry standard, including control baselines so an organization could make their own choice based on their unique needs. Originally referred to as the HITRUST Common Security Framework (CSF), the CSF was developed specifically for healthcare — designed to be scalable, customizable and capable of providing certifiable risk assurances.
Today, the HITRUST CSF is the most widely adopted information privacy and security risk management framework among healthcare organizations in the United States. In addition, many organizations outside of the U.S. have also implemented the HITRUST CSF.
What is the HITRUST RightStart Program?
In a nutshell, HITRUST is bundling and pricing its programs to align with the needs of startups. This new program aims to make it easier and more economical for startups to achieve HITRUST CSF certification which, in turn, will help them navigate their way to market with effective information privacy and security programs.
- The HITRUST CSF. A framework that includes thirty-five different resources, such as NIST, HIPAA, and GDPR. The HITRUST CSF is a way for digital health organizations to prove compliance within one single comprehensive and harmonized assessment.
- The HITRUST CSF Assurance Program. Delivers assessment and reporting against the framework of the HITRUST CSF.
- The HITRUST MyCSF Assessment Platform. The MyCSF SaaS platform provides startups with a purposefully designed and engineered solution for performing and managing risk assessments.
- The HITRUST Academy. Training courses that teach information protection best practices and how to manage risk with the HITRUST CSF.
Who Can Participate?
A HITRUST RightStart Program participating organization must have all of the following.
- Been incorporated or founded within the last three years
- Have a productive service line, or be close
- Have less than 50 full-time employees
- Have less than $10M in revenue
Visit HITRUST to learn more about the program and find out how to participate.