Who Is HITRUST?
Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.
HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry. For more information, visit www.HITRUSTalliance.net.
What is the advantage of getting a HITRUST certification?
An organization that creates, accesses, stores or exchanges Protected Health Information (“PHI”) can use its HITRUST CSF certification to demonstrate that it meets the high standards of security prescribed within the CSF. Many companies now accept a HITRUST Certification as evidence of compliance, thus relieving them of the obligation to audit their vendors. Companies such as Highmark, Humana, United Health Group, HCSC and Anthem now require their vendors to undergo a HITRUST CSF assessment. The CSF incorporates all major information security-related requirements and best practices, and provides scalable cyber security measures based on different risks and exposures.
Is the CSF similar to SOC report requirements?
A SOC 2 is a reporting format, while the HITRUST CSF is a security framework. A SOC 2 examination evaluates the internal controls at a service organization as they relate to one or more of the Trust Services Principles of Security, Availability, Confidentiality, Processing Integrity and Privacy. The SOC 2 reporting model and the HITRUST security framework are complementary, since both are facilitated through the efficient assessment and implementation of controls that satisfy the CSF.
As a result, HITRUST and the American Institute of Certified Public Accountants (AICPA) have collaborated to align the Trust Services Principles to the HITRUST CSF, which provides standard and comparable requirements for use in SOC 2 reporting. For companies requiring both a HITRUST certification and a SOC 2 audit, this approach improves efficiency and reduces costs.
How can I.S. Partners help my organization manage risk?
I.S. Partners, LLC performs HITRUST readiness, certification, and remediation services for healthcare organizations and their business associates to assess compliance with industry security requirements and standards, and creates solutions that help organizations align with the HITRUST CSF. If your company requires both a HITRUST certification and a SOC 2 report, I.S. Partners can leverage the efficiencies between both sets of requirements, thus lowering the time and expense of effective risk management.