By: Michael A. Sciortino, Esq., Trevor Wade, and Abdul Nazeeruddin
Achieving a HITRUST CSF Certification is an important way to show your organization’s commitment to privacy, security, and risk management. In today’s healthcare climate, covered entities, including hospitals, health systems, clinicians, insurance companies, and other third-party clinical administrators, are raising the bar for their business associates to prove consistent, organization-wide compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). A HITRUST CSF Certification is perhaps the best way to demonstrate an organization’s dedication to compliance and risk management, as the HITRUST CSF is the leading information security framework for the healthcare industry. It is widely regarded as the gold standard in healthcare for evaluating privacy, security, and risk management.
According to the Health Information Trust Alliance (HITRUST), the HITRUST CSF (Common Security Framework) was developed to address the multitude of security, privacy, and regulatory challenges facing healthcare organizations through a comprehensive and flexible framework of prescriptive, scalable security controls. The HITRUST CSF harmonizes a multitude of federal, state, and healthcare standards and regulations, including HIPAA, HITECH, NIST publications, ISO standards, and other national and international standards, so that one assessment can map to many requirements at once.
How can your organization become HITRUST certified?
It is important to note that the HITRUST CSF Certification process is extremely thorough. Obtaining a HITRUST CSF Certification can take a significant amount of time, labor, and resources. Most often the process consists of the following steps:
Self-Assessment of Internal Operations – You will define the scope of your assessment, identifying which of the 19 HITRUST CSF domains, 135 system controls, and 700+ potential requirements apply to the organization or business line under review. Scoping matters: every system, location, and workflow that handles protected health information (PHI) within that boundary is in play. Once the scope is clear, you will review all applicable requirements and audit your policies, procedures, processes, workflows, and documentation to confirm you meet each one, recording the gaps you find.
Remediate and Implement the CSF – Any gaps identified in step one are remediated here. Policies, procedures, processes, and workflows are amended to cover all applicable HITRUST CSF requirements. The workforce is then trained, and new privacy and security procedures are put into operation as required.
Audit and Assessment/Evaluation – If any new procedures were implemented, a bake-in (control operating) period of 90 days is required before the audit and overall assessment begins. This gives the organization time to exercise the new procedures and to accumulate evidence that they are actually operating, not merely documented. When the audit begins, you will provide documentation and evidence proving that you follow all applicable requirements within the HITRUST domains and system controls that are in scope. After a period of evaluation and deliberation by the external assessor team, your score will be determined, and the results of the audit and assessment will be submitted to HITRUST for quality assurance review and final approval of the certification.
Benefit – Covered entities are increasingly wary of cybercrime and privacy breaches, leading to drastically increased scrutiny of business associates. Many covered entities are no longer satisfied with a self-attestation of security and privacy compliance. A rigorous third-party attestation such as HITRUST CSF, one benchmarked against a recognized controls framework specifically designed to address the letter and spirit of HIPAA and HITECH, lends your security program both credibility and prestige. Once HITRUST CSF Certified, your organization can advertise its compliance and security posture, with the certification badge to back it up.
By attaining this gold standard level of HITRUST CSF Certification, eHealth Technologies has been able to offer its clients the added assurance of knowing that personal and protected health information is handled with the highest levels of privacy and security.
Interested in learning more about how we use this certification to best serve our clients and improve the lives of hundreds of thousands of patients every year? Visit www.ehealthtechnologies.com.
Michael is an executive leader and corporate officer at eHealth Technologies, where he handles general business, legal, and strategic global matters, contract negotiations, intellectual property, regulatory requirements, and compliance with federal and state health privacy and security laws. Michael is also in private practice as a trial lawyer and has represented businesses in healthcare, labor and employment matters, commercial and corporate litigation, municipalities, and individuals in medical malpractice, personal injury litigation, and criminal defense, in state and federal court. In addition, Michael is currently a Judge of the Parma Town Court in Monroe County, Acting City Court Judge in Rochester City Court, and a Trustee and Past-President of the Monroe County Magistrates Association. Michael has also served as an Arbitrator with the Better Business Bureau, resolving commercial disputes between businesses and consumers.