November 11, 2019

What Are HITRUST Requirements?

Grant Barrick

Vice President of Marketing

The healthcare regulatory landscape is complex. The HITRUST CSF is a framework designed and created to streamline regulatory compliance through a common set of security controls mapped to the various standards to enable organizations to achieve and maintain compliance. Because the HITRUST CSF combines information from several regulatory standards, companies that implement HITRUST CSF controls and strive to meet HITRUST requirements are better equipped for audits and lower their regulatory risk.

What does HITRUST mean?

Many people fail to realize that the Health Information Trust Alliance, known simply as HITRUST, is not a framework at all, but an organization comprised of healthcare industry leaders who regard information security as a fundamental component to data systems and exchanges. In collaboration with information security, business technology, and healthcare leaders, HITRUST developed the HITRUST Common Security Framework (CSF). The HITRUST CSF combines information from various standards, such as HIPAA, NIST, HITECH, and others, as a certified framework of controls mapped to these standards designed to help organizations achieve complete compliance.

**RELATED: ** *Get your complimentary copy of the condensed guide to the What, Why, and How of HITRUST; *HITRUST Explained for Everyone

How many HITRUST controls are there?

In contrast to HIPAA, the HITRUST CSF does not create broad buckets like Administrative and Security controls. The HITRUST CSF is divided into 19 different control domains:

1. Information Protection Program 11. Access Control
2. Endpoint Protection 12. Audit Logging & Monitoring
3. Portable Media Security 13. Education, Training and Awareness
4. Mobile Device Security 14. Third Party Assurance
5. Wireless Security 15. Incident Management
6. Configuration Management 16. Business Continuity & Disaster Recovery
7. Vulnerability Management 17. Risk Management
8. Network Protection 18. Physical & Environmental Security
9. Transmission Protection 19. Data Protection & Privacy
10. Password Management  

In addition to the domains above, HITRUST also has 75 control objectives and 156 specific controls.

What are the HITRUST requirements?

For each of the 156 controls defined by HITRUST, three distinct implementation levels exist. Each implementation level builds on the one below - level 2 includes all of level 1 plus additional requirements, level 3 includes all of level 2 plus additional requirements. Therefore, level 3 has the most stringent set of requirements. Implementation levels in the CSF are determined for each organization based on their risk profile, accounting for aspects like the size of an organization and the number of stored health records. Most organizations have varied levels of implementation for their controls from level 1, 2, or 3.

What is HITRUST compliance?

HITRUST compliance means that an organization has implemented the appropriate requirements from the HITRUST CSF. HITRUST compliance doesn’t look the same for every organization. Because there are three levels of implementation, some organizations may have stricter requirements for certain controls, while other organizations can comply by implementing less-stringent requirements for the same controls.

To achieve HITRUST compliance, an organization must comply with the requirements set forth for the organization’s specific implementation level for each control across all HITRUST domains.

Who requires HITRUST certification?

Healthcare organizations and business associates that want to prove their compliance with HIPAA and other relevant regulations may conduct a Self-Assessment, or they may opt to become HITRUST CSF Validated or HITRUST CSF Certified. These three options are known as Degrees of Assurance, or levels of confidence that an organization meets all relevant HITRUST requirements.

A Self-Assessment is the simplest Degree of Assurance to achieve. Using the HITRUST myCSF tool, organizations answer a series of questions to obtain a customized HITRUST assessment designed to evaluate the organization’s unique environment against the relevant compliance criteria. Through the assessment, areas for improvement are identified, as well as areas in which the organization is already compliant with HITRUST requirements.

Organizations that want additional compliance assurance following a Self-Assessment can obtain validation from a third-party CSF Assessor. This Degree of Assurance is known as CSF Validated.

Certification is the highest Degree of Assurance, and it requires the most effort and time to achieve. To obtain HITRUST CSF Certification, organizations send their validated assessment to HITRUST for review and certification. A HITRUST CSF Certification is valid for two years.

HITRUST certification is increasingly important as more healthcare organizations, such as health insurance providers, are requiring their business associates to be CSF Verified or CSF Certified.

Why does HITRUST matter?

Well, as healthcare is becoming further dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become a progressively emphasized, yet convoluted, matter. Navigating the tortuous labyrinth of federal, state and third-party security mandates has become a feat that can quickly consume an organization’s resources. If that isn’t enough, getting through all the twists, turns, and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to guarantee they are a trusted business partner. With all considerations, isn’t it obvious that the industry needs a system that is clear, standard, and secure? Thankfully, that’s exactly what HITRUST has established in order to put the trust in data security.

Healthcare is complex and can seem overwhelming, but it doesn’t have to be. Whether you’re an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum versus solving it. That’s where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information to those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions?

HITRUST isn’t easy, and it shouldn’t be. The experience we’ve gained as a company and the extensive testing of our technology brings great value to our customers. For more information on HITRUST, visit the Datica Academy or Datica Blog. Additional questions? Contact one of our experts today.

tag Cloud Computing Healthcare Cloud Compliance HITRUST HIPAA


Who is HITRUST CSF Certified?

Grant Barrick

Vice President of Marketing

The HITRUST certification is the highest Degree of Assurance a company can obtain. The HITRUST certification is increasingly required of business associates by some entities, such as health insurance providers, in order to ensure that business associates have the adequate security controls and protections in...

event-note November 11, 2019

What is a HITRUST CSF Self-Assessment?

Grant Barrick

Vice President of Marketing

Here’s what you need to know about the HITRUST CSF Self-Assessment, how it works, and how to determine if the self-assessment option is sufficient for your organization.

event-note November 11, 2019

What is the HITRUST Framework?

Grant Barrick

Vice President of Marketing

Most don't realize HITRUST is not a framework at all, but an organization comprised of healthcare industry leaders. Let's dive into the HITRUST CSF Framework, developed by the HITRUST organization, in partner with other technology and information security leaders.

event-note November 11, 2019


Grant Barrick

Vice President of Marketing

HITRUST and HIPAA are two critical topics in healthcare, but do you know how they differ? Let's break it down and explore additional resources to learn more.

event-note November 11, 2019