With growing regulatory scrutiny in healthcare and breach counts rising at an alarming rate, healthcare organizations are taking preventive measures to avoid breaches and the fines that follow them. Many of these organizations, however, are unsure which measures they actually need to take to protect health information.
HITRUST and HIPAA are two distinct assessment approaches that share the common objective of safeguarding protected health information but differ in how they are set up. HITRUST takes a risk-based, prescriptive approach, while HIPAA takes a compliance-based approach that leaves the choice of specific controls to the organization.
HIPAA (the Health Insurance Portability and Accountability Act) was enacted by Congress in 1996. Under it, HHS issued the HIPAA Security Rule (finalized in 2003), which established a national set of security standards for protecting electronic protected health information (ePHI). The Security Rule is subdivided into three types of safeguards: administrative, physical, and technical. Following the safeguards are the organizational requirements, the policies and procedures requirements, and the documentation requirements, each with its own subset of standards. The Security Rule was written to give healthcare organizations of every size, from small practices to large hospitals, a way to address the specific risks to the confidentiality, integrity, and availability of ePHI. Each standard's implementation specifications are either required or addressable. "Addressable" does not mean optional: the organization must assess whether the specification is reasonable and appropriate in its environment, and if it decides not to implement it, it must document why and implement an equivalent alternative measure where one is reasonable and appropriate. Cost (for example, lack of funds to update technology) is a legitimate factor in that assessment, but it does not excuse the organization from protecting ePHI.
HITRUST, the Health Information Trust Alliance, was established in 2007 on the premise that information security should be a core pillar of health information systems and exchanges. It set out to address several challenges: widespread concern over breaches, multiple overlapping and often inconsistent sets of requirements, and the growing risk and liability that comes with information security in healthcare. HITRUST created the Common Security Framework (CSF), which consists of 14 control categories, 45 control objectives, and 149 control specifications. Each control specification has up to three implementation levels, and which level applies is determined by the organization's characteristics, so some specifications apply to a given organization while others do not. The CSF is built on regulations and standards drawn from more than 19 authoritative sources that apply to healthcare.
Viewed side by side, the HITRUST CSF is a robust and prescriptive framework that scales and tailors its requirements to the organization's type and size, the systems in scope, and the regulations that apply to it. HIPAA, by contrast, is not prescriptive; it is open to interpretation and difficult to apply, leaving organizations unsure of what constitutes "reasonable and appropriate" protections.
For example, consider organizations of very different sizes, such as a large cancer center with many physicians and a billing organization with a handful of employees and several doctors doing MRA coding. Each has a different set of needs with regard to HIPAA, and applying the general HIPAA standards to both can be confusing. The HITRUST CSF, on the other hand, is applied according to the organization type and then scaled and customized from there.
Furthermore, HIPAA consists of its own specific standards, whereas the HITRUST CSF encompasses more than 19 authoritative sources and frameworks, including HIPAA (Security, Breach Notification, and Privacy Rules), ISO/IEC 27001, ISO/IEC 27799, CFR Part 1, COBIT 4.1 and 5, NIST SP 800-53 Rev 4 and NIST SP 800-66, the NIST Cybersecurity Framework, PCI DSS v3, the FTC Red Flags Rule, JCAHO IM, HHS Secretary Guidance, CMS IS ARS, MARS-E v1, IRS 1075, Texas Health and Safety Code (THSC) 181, Title 1 Texas Administrative Code (TAC) 390.2, 201 CMR 17.00 (Massachusetts), NRS 603A (Nevada), and the CSA Cloud Controls Matrix v1. This lets an organization meet the ever-growing number of requirements through a single framework; otherwise it must track separate bodies of requirements from CMS, HHS, and individual states, which makes following one consistent standard difficult.
When it comes to certification, HIPAA provides no certification process for healthcare organizations. After an organization performs its risk analysis, no authoritative body reviews it; HIPAA relies on the organization to implement the regulations itself (HHS OCR may later investigate or audit, but that is enforcement, not certification). With the HITRUST CSF, there are several options for implementing the framework, including self-assessments and validated assessments, along with the option of pursuing certification. More importantly, a validated assessment is reviewed by a third party: a HITRUST-authorized external assessor whose staff are Certified CSF Practitioners (CCSFP), with HITRUST itself reviewing the result before issuing a certification.
So, in conclusion, if an organization has attained HITRUST certification, is it in compliance with HIPAA? In practice, yes. The HITRUST CSF has three implementation levels, and the HIPAA requirements are met in almost every instance at implementation level 1. As the implementation level rises to 2 and 3, the requirements become more comprehensive and detailed, drawing in NIST SP 800-53 controls and other regulatory frameworks that exceed HIPAA's requirements. In essence, the CSF covers all of the controls that make up the HIPAA Security Rule while providing a more rigorous and comprehensive framework that aligns with healthcare industry requirements and is consistent, structured, and prescriptive for the specific organization. One caveat a practitioner should keep in mind: HHS does not recognize any certification as proof of HIPAA compliance, and a HITRUST certification only speaks to the systems and environment that were in scope for the assessment. The organization still owns its HIPAA obligations, including an up-to-date risk analysis, for everything that handles ePHI.