The Health Information Trust Alliance, known as HITRUST, was founded in 2007. HITRUST aims to help organizations manage risk and compliance through the HITRUST Common Security Framework, or HITRUST CSF.

What is the HITRUST CSF?

The HITRUST CSF brings HIPAA compliance together with other security and privacy frameworks, such as NIST and ISO, to ensure organizations are properly conforming to HIPAA and other regulations. The certifiable framework is designed to provide a comprehensive yet flexible approach to regulatory compliance and risk management. It enables organizations with different risk profiles to customize security and privacy baselines based on organization type and size, as well as systems and regulatory requirements. Due to its flexibility and alignment with a variety of national and international regulations and standards, the HITRUST CSF has become a widely used privacy and security framework across all industries. It’s the most widely adopted security control framework in the U.S. healthcare industry, with more than 80 percent of hospitals and health plans having implemented it.

What is HITRUST Certification?

Because there is no true HIPAA certification, many organizations required to comply with HIPAA opt to pursue HITRUST CSF Certification. There are three stages in the HITRUST certification process:

  1. Self-assessment – In the first phase in the HITRUST certification process, organizations conduct an initial self-assessment to identify the applicable categories of control requirements that impact their organization among the 19 total categories. Organizations then identify gaps, or areas in which they’re currently falling short of meeting requirements, rank them according to risk level, and implement changes to address them. Organizations can also conduct a self-audit using the HITRUST Alliance’s MyCSF tool or opt for a facilitated self-assessment with the help of an assessor.
  2. Validated assessment – The validated assessment is conducted by a certified CSF assessor or an independent third party, who evaluates each control requirement and rates the organization’s compliance with each control.
  3. HITRUST certification – After the validated assessment is complete, the assessor submits the validated assessment to HITRUST for review and validation. If the review determines that the organization adequately meets the relevant control requirements, HITRUST issues a certification specific to the factors outlined in the scope. HITRUST certification is valid for two years given a successful interim review, which takes place 12 months from the date of the original assessment.

Why is HITRUST Compliance Important?

Given that the HITRUST CSF is the most widely used security framework in the healthcare industry, several industry leaders now require HITRUST compliance of their Business Associates. As a result, HITRUST compliance is essential for businesses that partner with or provide services to many of the major companies in the healthcare sector.

Even for those that don’t require HITRUST compliance, having a HITRUST certification is a major selling point for companies seeking to do business in the healthcare industry, as it provides added reassurance that your company is compliant with not just HIPAA but also other relevant regulatory requirements and frameworks. No healthcare organization wants to put its patients’ sensitive data at risk, so partnering with and utilizing the services of companies that have proven HITRUST compliance is a smart and strategic business decision.