HIPAA vs HITRUST
HITRUST and HIPAA are two critical topics in healthcare, but do you know how they differ? Let's break it down and explore additional resources to learn more.
Most don't realize that HITRUST is not a framework at all, but an organization made up of healthcare industry leaders. Let's dive into the HITRUST CSF Framework, developed by the HITRUST organization in partnership with other technology and information security leaders.
A common security framework is a set of policies and procedures that guide the development, implementation, and management of an organization's security. Common security frameworks are often used to improve an organization's security posture and to help organizations meet regulatory requirements and maintain compliance with various regulations and standards.
The CSF, currently in version nine, is a certifiable framework that encompasses and harmonizes several other compliance frameworks and standards, including HIPAA, HITECH, PCI, ISO/IEC, COBIT, NIST RMF and various state requirements. Privacy controls were added to version seven of the HITRUST CSF. Version 9.1, released by the HITRUST Alliance on March 1, 2018 as an interim release, incorporated the EU General Data Protection Regulation (GDPR) as well as the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). There are also mappings of the CSF's privacy and security requirements (versions eight and nine) to the 2016 AICPA Trust Services Criteria for Privacy, and HITRUST CSF version nine is mapped to the 2017 AICPA Trust Services Criteria.
The HITRUST CSF v9.4, released on June 22, 2020, incorporates the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) v1.0 and NY DOH Office of Health Insurance Programs SSP v3.1. HITRUST CSF v9.4 also includes updated mappings of the NIST SP 800-171 r2 to ensure continued alignment.
By utilizing this framework, HITRUST constructed a system infrastructure roadmap so that any organization in a highly regulated industry can certify that it creates, accesses, stores or transmits data securely and in a compliant manner.
The Health Information Trust Alliance (since rebranded as HITRUST) is a privately held company based in Texas that was founded in 2007. The company includes both a for-profit division, HITRUST Services Corp., and a not-for-profit division, the HITRUST Alliance. It's governed by an Executive Council made up of industry leaders from organizations such as Highmark, Anthem, Inc., Kaiser Permanente, UnitedHealth Group, and others. The current version of the HITRUST CSF is v9.4, with v10 expected to be released in 2022.
The CSF does not create broad buckets like Administrative and Security controls. Instead, the HITRUST framework is divided into 19 control domains. The 19 HITRUST CSF domains are:
Information Protection Program
Endpoint Protection
Portable Media Security
Mobile Device Security
Wireless Security
Configuration Management
Vulnerability Management
Network Protection
Transmission Protection
Password Management
Access Control
Audit Logging & Monitoring
Education, Training and Awareness
Third Party Assurance
Incident Management
Business Continuity & Disaster Recovery
Risk Management
Physical & Environmental Security
Data Protection & Privacy
The HITRUST framework includes 156 controls and 75 control objectives. Each HITRUST control has three implementation levels: level one, level two, and level three. The requirements for each level build on those of the previous level: level two includes all the requirements of level one plus additional requirements, and level three includes all the requirements of level two plus additional requirements. Level three is therefore the most stringent, with the largest number of controls and HITRUST compliance requirements.
Within each domain there are one or more security objectives, or groups of controls that have a common purpose. Each control includes a control specification as well as implementation requirements for each of the three implementation levels. Implementation requirements address policies, practices, procedures, guidelines, or organizational structures.
Implementation requirements for each implementation level are integrated from various regulatory sources and practice frameworks, such as HIPAA, NIST, PCI-DSS, and others. The appropriate implementation level for each specification is based on the organization's organizational, system, and regulatory risk factors.
Organizations that want to prove compliance with regulations such as HIPAA may choose to become HITRUST CSF Certified. HITRUST CSF certification indicates that an organization meets all requirements for the applicable HITRUST controls at the appropriate implementation level. It is a multi-step certification process that begins with a HITRUST CSF Self-Assessment, which is then verified by a third-party CSF Assessor. The results of the self-assessment and third-party verification are then sent to HITRUST for certification. HITRUST certification is issued for two years. HITRUST certification is costly, but more organizations are pursuing it as a growing number of providers and other organizations require their business associates to be certified.
As healthcare is becoming further dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become a progressively emphasized, yet convoluted, matter. Navigating the tortuous labyrinth of federal, state, and third-party security mandates has become a feat that can quickly consume an organization's resources. If that isn't enough, getting through all the twists, turns and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to guarantee they are a trusted business partner. With all considerations, isn't it obvious that the industry needs a system that is clear, standard, and secure? Thankfully, that's exactly what HITRUST has established in order to put the trust in data security.
Healthcare is complex and can seem overwhelming, but it doesn't have to be. Whether you're an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum versus solving it. That's where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information to those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions?
For more information on HITRUST, check out the Datica Blog. Additional questions? Contact one of our experts today.