HITRUST: A Primer
HITRUST is an industry-driven organization with a mission to create a standardized and certifiable security and compliance framework for the healthcare industry. It was founded by, and is still governed by, representatives from covered entities including UnitedHealthcare, Anthem, and Highmark. The framework created by HITRUST, called the Common Security Framework (CSF), is an evolving framework now on version 8.0.
The mission of HITRUST is to standardize the compliance framework and certification process for healthcare, but also to streamline the process of third-party assurance. In practice, that means making it less resource intensive for both covered entities (payors, providers, clearinghouses) and business associates (BAs) when covered entities assess the data security and compliance risk of working with third parties (BAs).
Victim of its own success
Fast forward to today: HITRUST is well accepted in the healthcare industry and is increasingly required by covered entities (CEs) of all partners and business associates. These trends are driving demand for HITRUST amongst business associates and, in turn, HITRUST is now seeking more input and feedback from the business associate community. CEs are looking to engage with more BAs and to leverage the HITRUST CSF as the tool for reducing liability. Ultimately, the need to engage with business associates is a natural result of the success of HITRUST in the industry and amongst CEs.
Because of this need to engage with business associates, HITRUST decided to form a Business Associate Council in early 2016 to, in HITRUST’s words:
…to ensure healthcare industry business associates and other key vendors are able to influence and directly engage with HITRUST, healthcare organizations relating to the HITRUST 3rd Party Assurance program, and other programs impacting business associates.
HITRUST called for volunteers to provide a voice for BAs in shaping HITRUST:
Through interaction with the BA Council, HITRUST will work to ensure that the Third Party Assurance and other programs are considering and accommodating business associate and vendor perspectives and objectives.
HITRUST selected a group of 17 founding members representing a diverse swath of the BA landscape from Epic to Dropbox to Salesforce to Datica; we’re honored to be chosen and to lend a voice for BAs in helping to influence HITRUST initiatives and programs.
Why does it matter?
HITRUST was founded by a group of very large CEs, all of which are payors. Covered entities are fundamentally different from business associates. Covered entities leverage business associates for services; put another way, covered entities are customers of business associates. There are significant differences around liability, as CEs are liable for breaches, both their own and those of their BAs. As such, CEs need a compliance framework they can use internally, and this was the initial impetus for HITRUST. CEs also need a way to manage the risk of working with third-party BAs, while BAs need a way to provide evidence to CEs that the risk of working with them is mitigated. The HITRUST CSF is emerging as the tool of choice for these use cases.
It is a two-sided transaction when it comes to CEs, BAs, and third-party assurance. This is a change from the original HITRUST use case. BAs need a compliance framework to assure not only their own internal auditors and compliance groups but also the compliance groups at their CE customers. And there are a lot more BAs than CEs. HITRUST estimates that the 5 major payors mandating HITRUST for BAs impacts close to 7,500 BAs! That’s an astounding number.
In order to meet this overwhelming demand and the unique needs of this new cohort, HITRUST created the Business Associate Council. The council is already working on several initiatives. One initiative, which started before the Business Associate Council but is in line with BA needs, is the concept of compliance inheritance within the CSF. We’re confident that more enhancements will be created based on the work of the Business Associate Council, and that these enhancements will add value for BAs that decide to leverage the CSF as their compliance framework.