
HITRUST

Understanding the HITRUST Certification Process

ZenGRC Team · December 4, 2018 ·

Healthcare organizations and their business associates need to prove that they maintain the integrity, confidentiality, and accessibility of protected health information (PHI) and electronic PHI (ePHI). However, if you’re trying to establish security controls in a way that meets the requirements of the Health Insurance Portability and Accountability Act (HIPAA), you might find yourself overwhelmed. The HITRUST Alliance established the HITRUST Cybersecurity Framework (CSF). Understanding the HITRUST certification process can allow you to become compliant in ways that best align with your organizational needs.

HITRUST Assessment & Certification Process

Who is the HITRUST Alliance?

The Health Information Trust Alliance, abbreviated as HITRUST Alliance, incorporates a variety of leaders from across the healthcare industry. Uniquely situated to assess the information security risks facing the healthcare industry, they work to enable collaboration with cybersecurity and risk management leaders to create ways to manage and assess risks to health information.

Why choose HITRUST CSF?

The HITRUST CSF brings together the healthcare relevant requirements from ISO, NIST, PCI, HIPAA, and other information security standards to help create a fully integrated single standard for the healthcare industry.

While all of the standards enable HIPAA compliance, ISO, NIST, and PCI do not adequately respond to unique healthcare information protection requirements. In the HITRUST CSF comparison whitepaper, the organization reviewed the ways in which its framework could fill in the gaps facing healthcare providers and their business associates.

For example, HIPAA compliance requires an ISO 27001-based review, but ISO 27001 only enables third-party assurance. Meanwhile, NIST SP 800-53 is not ISO 27001-based but provides a prescriptive framework allowing for controlled tailoring, compliance-based control, certification, assessment guidance, and tool support.

The HITRUST CSF is an ISO 27001-based common security framework focusing on healthcare-specific standards. Its prescriptive nature allows for controlled scaling and tailoring while also creating a compliance-based control framework allowing for organizational certification and third-party assurance. It also provides tool support and assessment guidance.

Is HITRUST risk-based or compliance-based?

The HITRUST CSF is a risk-based model. However, as part of the risk management process, organizations need to implement the specified controls to mitigate residual risk. In other words, you’re taking a compliance-based approach to risk management.

While this sounds counter-intuitive, the process allows you to start with the individual risks inherent in your business operations and then tells you specific controls you need to implement to mitigate those risks.

What is a HITRUST Assessment?

HITRUST offers varying levels of engagement with the CSF. The engagement level then dictates the type of assessment required to meet your organizational needs.
HITRUST defines the engagement levels as:

  • Self-Assessment: Organizations who only want to review their controls and do not intend to obtain a CSF Validated Assessment or seek CSF Certification.
  • Validated Assessment: Organizations who want to perform the Self-Assessment and then obtain a CSF Validated Assessment or intend to become CSF Certified.
  • Adopter: Organizations who want to use the HITRUST CSF to establish their privacy and security controls.

Each engagement level requires you to access different CSF provided tools and work with different levels of overarching program assurance.

What is the difference?

Smaller organizations may choose to complete the CSF Self-Assessment process for internal tracking and monitoring. Those organizations should definitely purchase a CSF Assessment Report and may find subscribing to the MyCSF program useful.

However, becoming CSF Validated or CSF Certified requires purchasing the CSF Assessment Report and engaging a CSF Assessor Organization; those organizations may also find subscribing to MyCSF useful.

How do I complete a CSF Self-Assessment?

The Self-Assessment process starts with the risk-based questionnaire that indicates your organization’s maturity level across a series of categories. These categories include:

  • Having a policy or standard
  • Processes and procedures to support the policy
  • Implementation of the policy
  • Management tests and measures operation
  • Corrective actions are taken as needed

Within these categories, organizations define their level of compliance as:

  • Non-compliance
  • Somewhat compliant
  • Partially compliant
  • Mostly compliant
  • Fully compliant

Once you’ve completed the self-assessment, you forward the questionnaire to HITRUST.

Who needs to be CSF Validated or CSF Certified?

Business Associates may find that being CSF Validated or Certified enables them to provide the documentation necessary to gain customer trust. While SOC reports often provide this as well, CSF Validation or Certification proactively aligns with HIPAA-specific requirements.

What is the difference between HITRUST CSF Certification and Validation?

Both validation and certification require you to find a HITRUST CSF Assessor. The HITRUST Certification process starts with the Self-Assessment and then brings in a HITRUST CSF Assessor to review and validate the effectiveness of the controls.

A CSF Assessor engages in an on-site review using HITRUST’s MyCSF tool. You answer the assessment questions within the tool, and the Assessor then compares them against the supporting documentation and engages in testing. The report your CSF Assessor generates is the CSF Validated Report.

That Validation report then goes to HITRUST for certification. Once HITRUST certifies the report, your certification remains active for 24 months, unless you report a breach to the Department of Health and Human Services. In the case of a breach, you must perform the appropriate analysis, including forensics to determine what technical controls failed.

In the event of a control failure or misrepresentation of a control, HITRUST may decertify your organization.

Any HITRUST CSF Certified organization experiencing a data breach will be required to undergo an annual assessment for the two years after the breach occurs.

How ZenGRC Enables HITRUST Certification

If you are not currently HITRUST Certified, you can use ZenGRC to enable a gap analysis to determine how your current controls align to HITRUST CSF. If you are presently NIST and ISO compliant, you can document your controls based on those, and then engage in an analysis to determine additional controls necessary for HITRUST certification.

Since ZenGRC provides real-time visibility into your compliance and risk posture, your CISO can assign remediation tasks and work to prevent breaches to maintain certification.

Finally, ZenGRC acts as a single-source-of-truth enabling an easier validation and testing experience. With all your documentation stored in a single location, you can more easily provide your CSF Assessor with the information supporting your risk-based analysis and control decisions.

For more information or to schedule a demo, contact us today.

Regulatory Compliance in Healthcare Organizations

ZenGRC Team · April 3, 2018 ·

2017 acted as a call to action for those in the healthcare industry. Protected Health Information (PHI) incorporates everything hackers need to steal identities and compromise an organization’s reputation. Therefore, protecting PHI, and more importantly electronic protected health information (ePHI), means that healthcare organizations need to be more diligent in ensuring that their daily compliance activities match their policies.

Healthcare Regulatory Compliance

What Regulatory Compliance Requirements Affect Healthcare

Although the Health Insurance Portability and Accountability Act (HIPAA) gets the most screen time, organizations involved in healthcare need to incorporate Health Information Technology for Economic and Clinical Health Act (HITECH) compliance as well. Although interrelated, 2009’s HITECH was specifically intended to promote information technology while protecting privacy and security concerns regarding ePHI.

HITECH modified not only HIPAA but also the Social Security Act. Thus, understanding how the different regulatory compliance puzzle pieces fit together became more difficult.

How HIPAA and HITECH Are Similar

The Health and Human Services Department (HHS) oversees both HIPAA and HITECH compliance.

Healthcare organizations most often focus on HIPAA compliance because it established the Privacy Rule, setting national standards for medical record and PHI protection. Since the Privacy Rule’s adoption in 2000, HHS has made only one modification, in 2002, establishing it as one of the first information security and privacy regulations.

The Office of the National Coordinator for Health Information Technology (ONC) promotes healthcare quality by promoting health IT and establishing guidelines for electronic health records (EHRs) and securing ePHI to protect privacy.

Thus, while HIPAA and HITECH integrate with one another, they come with distinct foci. HIPAA focuses on protecting privacy and expands beyond information systems. Meanwhile, HITECH focuses specifically on information technology and preserving electronic information.

How HIPAA and HITECH Differ

While HIPAA and HITECH have many similarities, they also differ on several important details.

Although HITECH extended HIPAA, HIPAA remains focused on breach notification and privacy to protect against fraud and identity theft.

Meanwhile, HITECH distinguishes itself from HIPAA in that it created restructured civil and criminal compliance penalties. Moreover, it extended the breach notification requirement beyond covered entities to incorporate business associates.

Finally, from an information technology perspective, compliance managers should focus on the importance of effective encryption. Even should a malicious actor breach the ePHI, effective encryption mitigates rule violations. Thus, if the encryption effectively makes the information unreadable, the breached organization may not be fined.

However, proving effective encryption additionally means being in compliance with the NIST Federal Information Processing Standard. Thus, healthcare regulatory compliance requires understanding your organization’s IT architecture.

How HITECH’s Coverage of Medicare and Medicaid Impacts HIPAA Business Associates

Understanding healthcare regulatory compliance requires understanding overlaps between business associates, their information, and how that can impact the overall supply chain.

The definition of Business Associate includes any person or entity, other than a member of the covered entity’s workforce, who provides services to or performs functions or activities for a covered entity.

Traditionally, the Omnibus Rule’s definition of Business Associate brings healthcare management companies, healthcare plans, and healthcare payment organizations under the arc of HIPAA and HITECH. However, for those working with Medicaid, additional services may be incorporated under these compliance requirements.

For example, HITECH and HIPAA consider Medicaid’s Non-Emergency Medical Transportation (NEMT) to be a Business Associate under the Omnibus Rule. Thus, even though NEMT is nothing more than a network of transportation brokers, the information it collects remains subject to these healthcare regulations.

Thus, organizations need to determine their location in the supply chain to ensure no HIPAA or HITRUST violations as well as to decide whether or not they want to assume the regulatory compliance risk if they choose to scale.

What the Board of Directors Needs to Know

Organizations looking to shift into the healthcare sector need to ensure that their Board recognizes the compliance implications. Providing the appropriate level of Board oversight requires visibility into both the healthcare landscape as well as the organization’s current compliance environment. Moreover, should an organization decide to incorporate healthcare providers or their vendors as part of its business plan, the Board of Directors needs to understand how they fit into that supply chain.

Under HIPAA, vendor risk creates corporate risk. Thus, whether your company sits at the top of the supply chain, in the middle, or at the bottom, any interaction with HIPAA regulated entities means you need to be compliant also.

Think of HIPAA and HITECH violations as dominoes in a row: if one domino falls, so do all the others. Thus, vendor management’s importance may increase if you decide to expand into the healthcare industry.

How Automation Eases the Healthcare Regulatory Compliance Burden

ZenGRC’s SaaS platform enables organizations to visualize compliance gaps. Regulatory compliance no longer needs to act as a barrier to new markets. As you map controls to a particular standard or framework, ZenGRC allows you to assign that control to other standards or frameworks that it satisfies.

The first step for successful implementation of the Health Information Trust Alliance Cybersecurity Framework (HITRUST CSF) is to engage in a CSF Self-Assessment with the help of a CSF assessor. CSF assessors are consulting firms that HITRUST approved to perform the assessment. Using this information, you can gauge your system and regulatory requirements to help determine your risk and scope.

For example, an organization currently ISO 27001 compliant may be using a firewall. If you choose to incorporate PCI DSS compliance, a firewall is also an accepted control. Assuming that you want to expand to acting as a healthcare provider payment processor, you need to determine whether this control maps to HIPAA and HITECH compliance.

Once you set up your controls in ZenGRC, it automatically maps current controls to new standards as you add them. This means that your ISO 27001 controls will be mapped to your new PCI DSS compliance framework. All you need to do now is determine what additional controls you need to incorporate.

The HHS Office of the Inspector General (OIG) offers a guideline that discusses all the parties involved in your compliance efforts, from your employees to your Board of Directors. Automation helps you better communicate with your organization’s various stakeholders, providing them with the right information for their needs.

A HIPAA compliance audit is similar in that audit management software providing a single source of truth can help you save time. Saving time saves money because your employees can focus on securing your environment.

With an automation tool like ZenGRC, you can monitor your compliance while storing all your necessary documentation in one place.

ZenGRC’s compliance management software provides a risk dashboard that gives insight into the effectiveness of your ongoing monitoring so that you can meet internal audit standards.

Not only does this simplify incorporating new standards into your overall landscape, but it also means that you can expand your business into revenue streams that seemed too onerous before.
