8 Things You Need to Know About HITRUST Compliance

Posted by Ken Reiher

Gerry Blass, President & CEO, ComplyAssistant

HITRUST is an organization that developed a cybersecurity framework – on a proprietary platform called MyCSF® – that incorporates existing public domain frameworks such as HIPAA, NIST, ISO, GDPR and PCI. The purpose of HITRUST compliance is to provide healthcare and other verticals with guidance on reaching information security and cybersecurity maturity levels based on size and scope.

Similar to public domain frameworks such as HIPAA and NIST CSF, HITRUST is designed to provide healthcare organizations with a step-by-step process to achieving what is referred to as “HITRUST Certification.”

If you’re considering HITRUST compliance as one of your organization’s cybersecurity frameworks, here is a list of the top 8 points you should consider before moving ahead.

  1. HITRUST compliance is typically considered by larger healthcare organizations and their business associates. Small healthcare organizations and providers generally do not require more than HIPAA and NIST CSF. However, HITRUST has recently added scoping to its process as a way to align the scope of its audit with the needs and size of the organization.
  2. Because HITRUST is a blended framework, it is very comprehensive and can be overwhelming, especially for smaller providers. This is where scoping comes in handy. Depending on the size and operational structure of the organization, some things in the framework may not even apply. So, the first thing is to scope the assessment in order to know how much of it applies to you.
  3. Since its inception, an increasing number of private payers now require certain types of healthcare organizations to become HITRUST certified. Determine in advance if this is a requirement for your organization.
  4. Having HITRUST certification does not mean that an organization is immune to a breach incident, especially if enough time has passed since the last HITRUST certification audit was completed. The term “due diligence” more accurately describes what a healthcare organization needs to accomplish; due diligence indicates that the organization has a risk-based mitigation process in place and is not negligent.
  5. The U.S. Department of Health & Human Services (HHS) and the Office for Civil Rights (OCR) conduct audits based on HIPAA and NIST protocols, so most healthcare organizations can demonstrate compliance and due diligence without being HITRUST certified, as long as they are not mandated to be.
  6. All healthcare organizations, except when mandated to be HITRUST certified, can choose to invest in any cybersecurity framework (or any combination of multiple frameworks). We recommend that whatever framework you choose, stay consistent from year to year so that trends and progress can be more easily measured.
  7. Unlike other cybersecurity frameworks, HITRUST compliance and becoming certified do require a fairly significant upfront investment. This needs to be included in the evaluation and budgeting process, as it can be a barrier for some organizations.
  8. What you don’t want is to invest in HITRUST only to fail the assessment and certification. Working with a HIPAA and NIST healthcare compliance consultant can help your organization prepare before going through HITRUST compliance. Likewise, using a GRC solution to document your processes, evidence and controls can help you prepare a roadmap and get your organization ready so you can achieve HITRUST certification the first time around.

HITRUST compliance and certification are sensible to consider for any healthcare organization, as the framework is extremely comprehensive. Do your homework in advance, though. Does certification make sense for your size and operations? If so, take steps to prepare a roadmap that will ensure certification and maximize your investment.

Want more? Check out ComplyAssistant’s HITRUST compliance software.