Certification is not required by any regulatory body, nor has any regulatory body sanctioned certification as a mechanism to provide safe harbor in the event of a breach. This is true not just for the HITRUST CSF but for other standards and frameworks as they apply to regulatory compliance requirements (e.g., NIST, ISO, and PCI). However, OCR recently stated that credentialing/accreditation programs like the CSF can help organizations build strong compliance programs. “OCR considers mitigation and aggravating factors when determining the amount of a civil monetary penalty, and these include the entity’s history of prior compliance. An entity with a strong compliance program in place, with the help of a credentialing/accreditation program or on its own, would have that taken into account when determining past compliance.”
Certification is one of the best ways regulators have to determine whether an organization has made a good faith effort to meet its legal and regulatory requirements (i.e., it provides a mitigating factor when financial penalties or other punitive or corrective actions are considered). A HITRUST Certification can convey to third parties (e.g., regulators, auditors, business partners, customers) in a standard, structured, and clear way which controls are in place, to what level they are applied, and how they were chosen, including any risk management decisions for risk acceptance or the use of alternate (i.e., compensating) controls.
For more information on risk vs. compliance, refer to the HITRUST whitepaper Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection.