Last week we posted about the big news from the HITRUST Third Party Assurance Summit, namely that several huge organizations, including United Healthcare, Humana, and Anthem, are requiring all business associates and partners to become HITRUST CSF Certified. Existing vendors will have their contracts renegotiated to come in line with this new requirement. In addition to the group of large payers requiring HITRUST CSF Certification, ten pediatric hospitals are also sending letters to all business associates and partners strongly encouraging them to become HITRUST CSF Certified.
This was very big news, and the reaction at the conference fit the announcement. Almost every session saw audience members waiting in line to ask questions of speakers, and the general sentiment could be described as “shocked”. It made for a lively and fruitful conference. I think a lot of people were candid in their reactions and the speakers were truthful and accurate in their responses. Several themes popped up repeatedly in audience questions; we’ve covered them below.
Why is the industry forcing its business associates and partners to be HITRUST CSF Certified?
The organizations requiring HITRUST CSF Certification from vendors were clear that the goal of this new policy was to standardize on a certifiable security framework. Today, as we know all too well at Catalyze, the security and compliance process when selling and implementing technology at a covered entity is overly cumbersome. Vendors are asked to essentially reinvent the wheel with each new customer. And covered entities (health systems, payers, clearinghouses) are essentially reinventing the wheel with each new vendor. Standardizing on HITRUST, a security framework that the industry helped define, should streamline that process.
How do you determine the scope for your HITRUST assessment?
This was a big topic that didn’t have a great answer. One of the unique things about HITRUST is that you can essentially “certify” any portion of your technology. If you run 5 applications or have 3 facilities, you can certify each one independently. The general takeaway at the conference was to use good judgement and include any technologies and / or departments that touch ePHI. This isn’t a great answer, but scoping is a question you’ll need to settle with your assessor when you start your HITRUST journey, and the scope you agree on determines both the controls you are assessed against and what your certification actually covers.
Will the entities requiring HITRUST CSF Certification accept SOC2?
In the immediate term, yes. Going forward, the entities at the conference expect new SOC 2 reports to be done through the HITRUST CSF. Part of the value of HITRUST is that it maps to many other standards and frameworks, including PCI, NIST, and SOC. The HITRUST CSF controls can now be used as the criteria for a SOC 2 examination (the combined SOC 2 + HITRUST CSF report), so a single assessment can serve both audiences.
How long does a HITRUST assessment take?
The average time cited at the conference was 6-9 months for a medium to large organization. I think this is a bit on the short side from our experience at Catalyze. I think smaller entities can expect 6-8 months and larger entities closer to 10-12 months. There will be a lot of variability based on assessor lead time and how much work (scoping, control mapping, evidence gathering) has already been done in MyCSF before the assessment actually begins.
How much does a HITRUST assessment cost?
This is another question that came down to “it depends”. The answer is largely dependent on the scope of the assessment. I think the simplest answer is the range of quotes we recently received for a new HITRUST assessment: $45-60k. These quotes did not include the roughly $10k paid to HITRUST itself or any advisory hours.
We hope this summary of the HITRUST Third Party Assurance Summit was helpful. As always, we’re available if you have additional questions for us, either from the conference or from our experience becoming HITRUST CSF Certified. Stay tuned for more HITRUST-related content leading up to the next official HITRUST event in April.