Major organizations in healthcare, currently United Healthcare, HCSC, Highmark, Anthem, and Humana, will require HITRUST CSF Certification in all business associate and partner agreements. Those requirements apply to both new and existing contracts. In addition, ten pediatric hospitals are strongly encouraging all of their vendors to become HITRUST CSF Certified. This is a major shift, made in an effort to reduce the exceptional redundancy and error-prone nature of the current process of doing one-off security reviews for every vendor.
Many may be asking what HITRUST is and what exactly this means. As HIPAA compliance experts who have achieved HITRUST CSF Certification ourselves, we're here to answer those questions. And as Dr. Good says:
If I’m being honest, I’d tell you that the process we went through to achieve HITRUST CSF Certification was incredibly hard. It was time consuming and resource intensive beyond our wildest expectations. Personally, as the Catalyze Privacy Officer and point person for HITRUST, I was taxed beyond anything I expected. I’ve experienced HIPAA from multiple angles - as a technical auditor, as a mobile app vendor, as a clinician, and as a compliant platform vendor - but I learned more about compliance from this HITRUST experience than anything I’ve done before. But, that’s all the more reason to be excited about this announcement! HITRUST isn’t easy, and it shouldn’t be. The experience we’ve gained as a company and the extensive testing of our technology bring great value to our customers. I’m ecstatic because our HITRUST CSF Certification will help our customers prove their applications and data are secure. It’s more compelling proof than our HIPAA audits.
3 HITRUST Facts to Get You Started
- HITRUST, or the Health Information Trust Alliance, is actually not a framework at all, but the organization that created and maintains the Common Security Framework, or CSF.
- The CSF, currently in version 7, is a certifiable framework that brings together, or harmonizes, several other compliance frameworks and standards, including HIPAA, PCI, ISO, and NIST. By "harmonize" we mean that the CSF maps all of those standards to one another, with the CSF itself serving as the central mapping key.
- According to its website, HITRUST, and its corresponding CSF, “was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” Security and compliance are a key part of the success of health technology; they cannot be ignored or treated as an afterthought. Without a standardized framework, process, and certifying body, HIPAA is often an obstacle for healthcare technology. HITRUST is an attempt to help vendors better prove their security and to help covered entities streamline security and compliance reviews of vendors. In that attempt, HITRUST is succeeding.