Among other mandates, Title II of HIPAA defined policies and procedures and provided guidelines for maintaining the privacy and security of individually identifiable health information. Its Administrative Simplification (AS) rules directed the Department of Health and Human Services (HHS) to draft rules aimed at streamlining the health care industry in the use and dissemination of health care information. HHS drafted five (5) baseline rules that make up HIPAA: The Privacy Rule, Transaction and Code Set Rule, the Security Rule, the Unique Identifier Rule, and the Enforcement Rule.
In 2009, HIPAA was supplemented by the Health Information Technology for Economic and Clinical Health Act (HITECH). Its purpose was to direct HHS to promote and expand the adoption of health information technology. It incentivized “meaningful use” of electronic health records systems by healthcare providers as well as improved the Privacy and Security provisions as promulgated by HIPAA.
While both legislative acts made significant and positive changes to the health care industry by providing a baseline standard framework for the portability and security of protected health information, HIPAA/HITECH does not reflect the most rigorous tools and procedures. In response to this deficiency, an alliance of leaders in the healthcare industry developed a certifiable security framework that raised the standards of security policy and procedure. This framework provided stricter controls and mandated the implementation of more comprehensive policies that ensure the security and integrity of protected health information.
HITRUST is a United States organization that, in collaboration with healthcare, technology and information security leaders, has established a Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data. The CSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards, including HIPAA and PCI. HITRUST is primarily focused on providing the healthcare industry with a stronger security framework than what is mandated by HIPAA/HITECH, PCI, NIST, the Joint Commission, the FTC, the Cloud Security Alliance, and COBIT.
The CSF is organized into 13 control categories, which contain 42 Control Objectives and 135 Control Specifications, with each Control Specification consisting of three implementation levels based on organizational, system and regulatory factors. Despite the seemingly large control set, not all Control Specifications are applicable to every company. The CSF seeks to address a wide range of health care companies and so has sought to account for any business model. The 13 control categories attempt to normalize the various security standards for healthcare organizations, incorporating federal, state, third-party and government implementations.
The legislative landscape is ever-evolving. To demonstrate compliance with HIPAA, numerous state regulations, and other industry requirements, many companies benefit from implementing the CSF to integrate information security risk management into their overarching enterprise risk management programs. Further, there is no ‘HIPAA certification’, in spite of the fact that many healthcare and health tech companies claim that they are indeed certified. HITRUST can provide your company with a third-party assessment to verify that your company has met all of the industry-defined certification requirements of the CSF.
Benefits of this certification can include:
- Reduced time dedicated to audits
- Reduced or eliminated time needed to fill out security questionnaires for prospective or current clients
- Competitive advantage provided by a third-party certification
While the HITRUST process takes time, for many organizations the effort is well worth the time spent in the long run.