Datica Blog

November 11, 2019

Who is HITRUST CSF Certified?

Grant Barrick

Vice President of Marketing

The HITRUST certification is the highest Degree of Assurance a company can obtain. The HITRUST certification is increasingly required of business associates by some entities, such as health insurance providers, in order to ensure that business associates have the adequate security controls and protections in place to protect sensitive personal data.

What does it mean to be HITRUST certified?

Organizations that are HITRUST certified have gone through a rigorous certification process, including a comprehensive self-assessment that assesses the security measures an organization has in place against the 156 controls and associated requirements of the HITRUST CSF. These controls are grouped into 19 domains encompassing every facet of an organization's security posture.

Controls are mapped to specifications and requirements of various regulations and frameworks, such as HIPAA, NIST, PCI, ISO, and others. Within each control, there are three levels of implementation with increasingly stringent requirements. The appropriate implementation level is based on the organization's size and other risk factors, such as the number of health records the organization handles. Through a series of scoping questions, self-assessments are customized to the needs of the organization, resulting in a report that reveals areas in which the organization is compliant as well as non-compliance issues. From this assessment, organizations can create a corrective plan of action to address areas of non-compliance.

Those who are compliant with all applicable requirements move on to the next phase, a HITRUST CSF verification. In this phase, a third-party CSF assessor evaluates the organization's assessment report and verifies it. Following verification, organizations seeking formal certification provide their assessment and verification, along with supporting information, which is reviewed and certified by HITECH.

Who requires HITRUST certification?

If your organization wants to do business with a covered entity or business associate that requires HITRUST certification, you'll need to get HITRUST certified in order to work with that entity. For example, Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group require their business associates to obtain HITRUST certified. Those that were not certified when the companies announced their decision had to obtain HITRUST certification within 24 months following the announcement.

Why work with HITRUST CSF certified companies?

For these insurance providers, as well as other companies that now make HITRUST certification a requirement, it's a means of reducing third-party risk. Organizations that are HITRUST certified have demonstrated that they have effective security and privacy practices in place that are in line with strict healthcare industry regulations like HIPAA (as well as all the requirements of the HITRUST CSF). Because covered entities may be liable for their business associates' or subcontractors' violations, a HITRUST certification serves as an additional layer of regulatory protection for healthcare organizations. Thus, HITRUST certified companies have more opportunities to partner with healthcare organizations that must meet stringent regulatory requirements, such as HIPAA.

Who is HITRUST CSF certified?

Many people fail to realize that the Health Information Trust Alliance, known simply as HITRUST, is not a framework at all, but an organization comprised of healthcare industry leaders who regard information security as a fundamental component to data systems and exchanges. HITRUST, in partner with other technology and information security leaders, created and maintains the Common Security Framework (CSF). To become HITRUST CSF certified is regarded to be the pinnacle of compliance because:

  • There is no “secret sauce” to achieving HITRUST Certification. Simply put, certification is the result of intensive detailed preparation, exceedingly long hours, exceptionally talented individuals and being willing to learn every step of the way.
  • The process is incredibly laborious and consumed time and resources beyond our wildest expectations, even with a team that has experienced HIPAA from all imaginable angles - technical auditors, mobile app vendors, clinicians, compliant platform vendors, etc.

So how do you find out who is HITRUST CSF certified? Ask them for proof of certification.

Why does HITRUST matter?

As healthcare is becoming further dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become a progressively emphasized, yet convoluted, matter. Navigating the tortuous labyrinth of federal, state, and third-party security mandates has become a feat that can quickly consume an organization’s resources. If that isn’t enough, getting through all the twists, turns and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to guarantee they are a trusted business partner. With all considerations, isn’t it obvious that the industry needs a system that is clear, standard, and secure? Thankfully, that’s exactly what HITRUST has established in order to put the trust in data security.

Healthcare is complex and can seem overwhelming, but it doesn't have to be. Whether you're an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum versus solving it. That's where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information to those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions?

For more information on HITRUST, check out the Datica Academy or Datica Blog. Additional questions? Contact one of our experts today.

Learn more with Datica's definitive HITRUST guide. This comprehensive guide details the journey to HITRUST CSF Certification, explains why HITRUST matters, describes the structure of the HITRUST framework, details the associated costs of certification, and more.

Related Reading