The Health Insurance Portability and Accountability Act (HIPAA) establishes requirements that govern information security and privacy in the healthcare industry. Covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates are legally required to protect protected health information (PHI) and its electronic form (ePHI) from unauthorized use and disclosure. A HIPAA violation can lead to civil monetary penalties and, for knowing violations, criminal penalties that include imprisonment; the severity depends on how the improper disclosure of or unauthorized access to PHI or ePHI occurred and on the organization's level of culpability.
The HIPAA Security Rule sets the security standards for ePHI. It is deliberately technology-neutral: it defines administrative, physical, and technical safeguards, each with required or addressable implementation specifications, but it does not prescribe specific controls or name particular products or frameworks. Organizations therefore typically turn to control catalogs such as COBIT, ISO 27001/27002, NIST SP 800-53, and PCI DSS for concrete controls to implement. Choosing and reconciling controls across these sources can flummox healthcare organizations trying to establish a control set that demonstrates compliance.
The Health Information Trust Alliance (HITRUST) established the HITRUST Common Security Framework (CSF) to assist organizations attempting to meet the HIPAA standard. The HITRUST CSF harmonizes controls drawn from these frameworks and regulations into a single framework and maps each control back to the HIPAA requirements it supports, which makes it easier for an organization to demonstrate HIPAA compliance. The CSF itself is not part of the HIPAA regulation, and HHS does not endorse or recognize any certification program as proof of compliance.
As a framework rather than a regulation, the HITRUST CSF defines a process that begins with establishing a risk management program: a self-assessment, an asset inventory, a risk assessment and risk analysis, consideration of risk tolerance, a risk mitigation process, and ongoing monitoring of control effectiveness. HITRUST certification also requires the organization to undergo a validated assessment performed by a HITRUST-authorized external assessor. The external assessor reviews the risk management program, tests the controls, and validates the organization's self-assessment; HITRUST then performs its own quality-assurance review of the assessor's work before issuing the certification.
Although HITRUST CSF certification is distinct from HIPAA compliance and does not by itself satisfy the Security Rule or shield an organization from enforcement, it gives the organization a structured, repeatable approach to selecting, implementing, and evidencing the controls the Security Rule requires.