FAQs to Help you Navigate HITRUST

July 7, 2016 Greg Miller

As healthcare spending grows and the volume of patient data collected and created keeps increasing, healthcare organizations are under immense pressure to improve quality, reduce complexity, and keep that data secure.

The HITRUST Common Security Framework (CSF) was created to help healthcare organizations navigate these security, privacy, and regulatory challenges. During a recent Schellman webinar, our experts—along with Michael Frederick, HITRUST VP of Assurance Services and Product Development—discussed what you need to know to get ready for HITRUST by 2017. They also answered some of the most frequently asked questions about the framework.

What is a HITRUST business associate?
A business associate is any organization that does business with healthcare providers, or with the people who deal directly with patients, and in doing so handles patient information. These organizations usually have electronic or hard-copy access to protected health information.

Is HITRUST certification mandatory?
HITRUST certification is not a statutory requirement; it becomes mandatory for a business associate when the healthcare organizations it serves require it as a condition of doing business, which a growing number of payers and providers now do.

What’s the timeframe for HITRUST certification?
It varies. As a rough guide, a self-assessment takes about six months, a third-party (validated) assessment about 18 months, and becoming fully certified up to 24 months.

What does a HITRUST scope look like?
Scope varies from business to business, and you choose what it covers: the entire organization, a specific business unit, or a single application, for example. Once the scope is defined, there are four main types of assessment: a security assessment, a privacy assessment, a comprehensive security assessment, and a comprehensive security and privacy assessment. The most common choice is the security assessment.

What are implementation levels?
Implementation requirements come in three levels, 1, 2, and 3. Each control carries its own level, with Level 1 as the baseline; which level applies to your organization is driven by its organizational, system, and regulatory risk factors. The higher the level, the more requirements the control carries.

Which state privacy laws (such as California's) does HITRUST cover?
Version 7 calls out Massachusetts, Nevada, and Texas. The states named in the regulatory factors are those with legislation on the security side of the HIPAA rule. On the privacy side, HITRUST has focused on the federal level because of the wide range of privacy legislation on the books or pending state by state; the exception is Texas, whose regulatory factor relies heavily on privacy concepts. HITRUST is working to call out more states and expects to pull in some California laws in Version 8 or 9.

Will HITRUST replace HIPAA?
HITRUST isn't meant to replace HIPAA; it's meant to build on it. The CSF also draws on sources such as HITECH, PCI, and SOC 2, so its focus is overall healthcare-specific IT best practice rather than any single regulation.

Is HITRUST intended for hospitals and large organizations or just smaller caregivers?
HITRUST is intended for any business associate in the healthcare sector, whether that's a hospital chain, a SaaS provider, or a smaller clinic. The size of your organization, the staff involved, and what you outsource will determine how large an undertaking certification is.

About the Author

Greg Miller

Greg Miller is a Principal at Schellman. Greg leads the HITRUST service line. Greg has more than 20 years of combined audit experience in both public accounting and private industry.
