In principle yes, but it is not black and white. To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of ePHI against all reasonably anticipated threats. In practice, organizations that want to demonstrate HIPAA compliance must generally show that it has addressed each standard and implementation specification in the Security Rule, including risk analysis. Organizations must therefore design or select multiple information security controls to provide the level of prescription necessary for implementation in the system or within the organization.
HITRUST helps organizations select these controls via its extensive mapping of the CSF controls to the HIPAA Security Rule’s standards and implementation specifications. Many of the HIPAA requirements are mapped to multiple controls, and the CSF controls themselves consist of multiple, specific protection requirements contained in multiple levels. By implementing the HITRUST CSF control requirements that are applicable to an organization based on its specific organizational, system and regulatory risk factors, each and every standard and implementation specification in the Security Rule is addressed in a very complete and robust way.
However, CSF certification is based on an assessment of a subset of the controls an organization is expected to implement. These controls were selected based on an analysis of past breach data and the need to address each and every standard and implementation specification in the HIPAA Security Rule. NIST supports the use of such targeted assessments to answer specific questions like this, and the use of a targeted assessment for CSF certification ensures relying organizations receive reasonable assurances at a reasonable cost.
DHHS specifically references HITRUST and the CSF with respect to risk management and risk assessment in its Guidance on Risk Analysis Requirements under the HIPAA Security Rule, and OCR has stated entities with a strong compliance program in place, with the help of a credentialing/accreditation program or on its own, would have that taken into account when determining past compliance. Implementation of the CSF as the basis for an organization’s information protection program and subsequent use of CSF validated or certified assessments has been previously accepted by OCR as evidence of its compliance with the HIPAA Security Rule, assuming the assessment addresses the appropriate scope relevant to OCR’s audit or investigation. The CSF and CSF Assurance Program has also been used in past resolution agreements with OCR.
References: HIPAA is King (article) and HITRUST CSF Streamlines and Enhances NIST to Achieve HIPAA Compliance (article)