The FIVE Hurdles to HITRUST®

As larger players in the healthcare industry like Anthem, Humana, and UnitedHealth Group have continued to embrace the HITRUST CSF® as a way to manage the ever-evolving compliance landscape, demand for HITRUST certification has grown sharply. However, for many organizations, the road to certification is a long one.

Below are some of the common challenges encountered along the way, and the necessary considerations you should take before embarking on your journey.

Choosing the right assessment

Choosing between a Readiness Assessment and a Validated Assessment is relatively straightforward. A Readiness Assessment is the more cost-effective option for gauging your organization's current level of compliance. A Validated Assessment, performed by a HITRUST Authorized External Assessor, is the more rigorous option, and it is the only path to certification. Where confusion sets in is the choice among the four types of validated assessment. HITRUST allows you to be certified with a Security Assessment, a Comprehensive Security Assessment, a Security and Privacy Assessment, or a Comprehensive Security & Privacy Assessment. The major difference between the four? Scope, and with it the level of assurance provided. For many organizations using HITRUST to evidence HIPAA Security Rule compliance, the Security Assessment may be all you need.

Getting the right buy-in

Compliance is an organization-wide effort and a full-time job. All too often, however, it is treated as a shared responsibility with no clear owner, which results in finger-pointing and confusion during the assessment process. Is it Information Technology's responsibility? Legal's? Or is it Privacy's? One of your first steps should be sitting down with key stakeholders to determine who is responsible for compliance in your organization. Next, you should ensure that an appropriate budget and sufficient resources are allocated to compliance efforts.

Finding balance between patient care and compliance

Healthcare is an industry where the drive to improve patient care ripples across the organization, and security and other initiatives take a backseat because they are viewed as a roadblock to productivity. Examples include purchasing applications that don't support audit functionality, or turning off security event logging to improve system performance. However, with the rise in data breaches, it is no longer a question of if but when a breach will occur. That is why it is essential for every organization to make security and compliance a significant part of its culture.

Evaluating your high-risk controls

The HITRUST framework harmonizes many different standards and regulations including, but not limited to, HIPAA, multiple NIST standards, PCI DSS, the AICPA Trust Services Criteria, ISO 27001, and COBIT. This makes HITRUST highly comprehensive and prescriptive. As such, some of the controls included within the framework are very specific and may map to standards that your organization has not previously considered. There may also be instances where the risk HITRUST assigns to a control requirement does not align with your organization's own risk designation. It is important to appropriately evaluate the risk, impact, and cost-effectiveness of implementing each control in order to achieve the minimum maturity score of 3 required in each domain for certification.

Managing your policies and procedures

One of the most frequently missed pieces is strong management of policy and procedural documentation. Policies and procedures are typically the first items requested to evidence the existence of a control. Robust documentation helps organizations avoid redundant effort, reduce knowledge loss, provide consistency, and establish process ownership. Even if you have everything else in place, missing policy and procedural documentation can be the difference between the issuance of a HITRUST CSF Certification and only a HITRUST CSF Validated Assessment Report.

While HITRUST certification can undoubtedly be challenging and costly to achieve, careful planning and evaluation of your organization’s current environment will help make the certification process as efficient as possible.

About the Author

Schellman & Company

Schellman & Company, LLC (Schellman) is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.
