IT managers and CIOs in the healthcare industry are constantly working to find new ways to protect patient data. As one of those diligent healthcare information technology stewards, you understand the goals, as well as the struggles and frustrations of it all.
Like every industry that relies heavily on digital records—and what industry doesn’t these days—the healthcare community must adopt and implement data security measures to protect customers’ sensitive information.
You work to cover all the bases, but you may often be left wondering, “Have I done enough to protect our patients’ electronic data?”
The HITRUST CSF® outlines data security measures that serve to protect healthcare consumers’ private data. Adopting the HITRUST Approach™ and maintaining certification, in turn, protects the organization’s reputation among patients and industry peers. The positive impact of HITRUST® also leads healthcare organizations to the broad adoption of advanced technologies to safeguard patient information, while also saving administrative time and resources.
Why HITRUST CSF Certification? Why Now?
In 2020, the threat of cyberattacks has increased drastically in the medical and life sciences sector, and healthcare organizations have become justifiably more concerned about third-party risk. Business associates have been a clear weak link enabling healthcare data breaches in the past.
It’s no wonder that an increasing number of organizations are now requiring all business associates (BAs), including external service and goods providers, to obtain HITRUST CSF Certification. For HIPAA covered entities, the HITRUST CSF Assurance Program™ provides greater understanding of an organization’s risk and facilitates proactive third-party risk management. The HITRUST CSF has been designed specifically to provide security for organizations handling sensitive data and to prevent healthcare data breaches.
Which Healthcare Organizations Require HITRUST CSF Certification from Their BAs?
You may wonder just who has adopted mandatory HITRUST CSF Certification in the industry. Just a few of the ever-increasing number of major healthcare organizations that require HITRUST CSF Certification from their business associates include:
- Anthem, Inc.
- Health Care Services Corp.
- Hospital Corporation of America
- IMS Health
- Kaiser Permanente
- United Health Group
- CVS Caremark
- Humana, Inc.
Why Would My Organization Need to Use HITRUST for a Third Party?
Starting in 2015, HITRUST expanded the use of the HITRUST CSF Assurance Program in support of the organization’s efforts to manage the third-party assurance process. This added layer of protection is intended for BAs, or third-party providers, to demonstrate effective security and privacy practices when doing business with healthcare organizations.
The HITRUST CSF allows covered entities to monitor the maturity of their own information security programs, as well as those of their BAs, across a spectrum of assurance levels that go far beyond HIPAA requirements. It streamlines the third-party risk management process for the many and varied contractors that your organization does business with.
It helps the organization and insurer cut the time and expense of assessing HIPAA compliance and the effectiveness of security controls. “We decided to require BAs to earn HITRUST CSF Certification so the insurer can better determine that its vendors are taking specific measures to safeguard patient data,” explains Ray Biondo, the CISO for Health Care Services Corp.
Who Is Considered a Business Associate?
Hospitals, clinics, and private medical practices all must work with outside entities and individuals to serve their patients. In performing their necessary functions, those entities may need to use or disclose PHI on behalf of, or in service to, a covered entity. Anyone, or any business that falls under this description, is considered a business associate. Any contractor that will come into contact with PHI is required by HIPAA to sign a Business Associate Agreement (BAA).
A few entities that are commonly considered BAs, as indicated by the U.S. Department of Health and Human Services, include those providing the following services:
- Insurance claims processing or administration
- Data analysis, processing or administration
- Quality assurance
- Benefits management
- Practice management
- Data aggregation
Therefore, your CPAs, attorneys, claims processors, and cloud service providers are some of the BAs with which you do business and that may need to pursue HITRUST CSF Certification.
Get more expert help here: the HITRUST Glossary of Terms.
Do I Have to Use HITRUST When Working with a Third Party?
While it is not necessary for a third party to use HITRUST, it’s important that you understand the risks involved with working outside of the HITRUST assurance umbrella.
Penalties and fines for HIPAA violations involving BAs can be severe. As of last year, the HHS was enforcing penalties of up to $1.5 million per instance, per year, according to the requirements of the HITECH Act. Doing business with a BA that has access to PHI but does not hold a valid BAA is a punishable violation.
Apart from the expense of potential compliance violations, not requiring solid security attestation leaves your company more vulnerable to cybersecurity attacks and data breaches, which have their own pricey consequences. It also puts the reputation of the company at risk and can be detrimental to its ability to continue doing business.
What Are the Benefits of Ensuring That My BA Is HITRUST CSF Certified?
Ensuring that your BA is HITRUST CSF Certified provides benefits to both of you. For healthcare organizations and contractors alike, it’s largely a matter of reducing costs and complexity, managing risk, and simplifying compliance.
Instead of continuously having to fill out one questionnaire after another, covered entities can verify the compliance of all BAs within a single framework. In turn, external entities can demonstrate compliance for multiple clients and various regulatory standards with a single assessment and certification process.
Learn more about the Valuable Advantages of HITRUST Certification.
Does HITRUST CSF Certification Replace a BAA?
No, they are different things. The BAA has long been a way to ensure that third-party BAs understand the parameters of their relationship with a given healthcare organization.
HITRUST CSF Certification is a simplified way for healthcare companies to vet their third-party business associates. Instead of modifying BAAs, they can use the HITRUST CSF Certification requirement to weed out vendors as contracts expire. At that point, they can either require their BAs to obtain certification or take the opportunity to form new business partnerships with HITRUST CSF Certified contractors.
Why Should BAs Aim for HITRUST CSF Certification?
When business associates hold HITRUST CSF Certification, they become more attractive suppliers for healthcare organizations. One major company that embraced HITRUST CSF Certification specifically with the intention of gaining more clients in the healthcare industry was Microsoft, which earned certification in 2015. Other vendors that became early adopters of the framework include the medical billing company Eligible, as well as TigerText and Catalyze.
What Can I Do If My BA Is Not HITRUST CSF Certified?
Your BA may simply not understand the concept of HITRUST CSF Certification and believe that a BAA is sufficient. At one point, that was probably true, but with the constantly increasing data risks in today’s environment, it always helps to add an extra layer of protection for your patients’ confidential data.
There are a few actions your organization can take if a BA is not HITRUST CSF Certified:
- You can inform your BAs that they must obtain HITRUST CSF Certification within a given time frame, such as 24 months.
- You can inform your BAs that, upon the expiration of their BAA, they must have achieved HITRUST CSF Certification, or you will seek a new partnership.
- You can help your BA learn more about the benefits of HITRUST CSF Certification for them.
How Can My BA Get HITRUST CSF Certified?
Working with a trusted auditing, accounting and assurance firm, like I.S. Partners, is one effective way to get your BAs HITRUST CSF Certified. Our team of assessors will walk your BAs through the entire readiness and validated assessment phases.
Why Is HITRUST CSF Assurance Program the Best Choice?
A standardized approach to patient data protection through HITRUST CSF Certification benefits everyone involved. The HITRUST CSF Assurance Program offers BAs a centralized system that guides them in keeping their computing environment up to standard, protecting your patients, your healthcare organization’s reputation, and their own.
HITRUST notes that BAs are becoming increasingly concerned about the time and effort involved in compliance, especially compliance with multiple frameworks. Now, they are often the ones urging healthcare organizations to accept HITRUST CSF Assessment Reports. The unified framework helps BAs to minimize duplication, costs, and other inefficiencies related to compliance efforts.
Learn How We Can Help Your BAs Achieve HITRUST CSF Certification
At I.S. Partners, LLC., our team is here to help your BAs achieve HITRUST CSF Certification to help you keep your valuable patient data safe.