By Leslie Weinstein, Solutions Director, HITRUST
With many years of experience in cybersecurity, I can say with confidence that health information security is not easy. HITRUST has supported thousands of Covered Entities and Business Associates with its Health Insurance Portability and Accountability Act (HIPAA) compliance programs since the first release of the HITRUST CSF in 2009. More than 80% of U.S. hospitals, 85% of U.S. health insurers, and many other Covered Entities and Business Associates leverage the HITRUST Approach today to support their HIPAA compliance initiatives and HIPAA-related audits in addition to their information risk management programs.
We continually look at ways to aid organizations in complying with HIPAA through innovations to the HITRUST Approach, which make it easier for our customers to manage risk and compliance. I discuss one of these innovations below in the context of HIPAA compliance and audits—the HITRUST MyCSF Compliance and Reporting Pack for HIPAA.
What is HIPAA?
As most of you know, HIPAA includes rules for organizations regarding privacy and security, as well as reporting breaches of unsecured Protected Health Information (PHI). The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures of such information without patient authorization. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. Those that must comply are called Covered Entities and Business Associates, which are organizations such as healthcare providers, health plans, pharmacies, healthcare clearinghouses, and vendors who have access to PHI, to name a few. The tricky part about HIPAA is that it is a regulation and not a standard, which introduces certain nuances in what is required to comply and how to demonstrate compliance that will be able to be relied upon by others, including those in government who are responsible for enforcement.
What is a HIPAA Audit?
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is charged with auditing Covered Entities and Business Associates for their compliance with the HIPAA Rules, as well as investigating complaints filed against Covered Entities. Additional information about the specifics of the audit process can be found in OCR materials and many articles found on the HHS and OCR websites.
For those audits relating to demonstrating compliance and responding to evidence requests, the OCR will notify an organization of its intent to audit and expects they submit requested information within a reasonable amount of time. All documents are required in digital form and must be submitted electronically. Entities must provide only the specified documents, not compendiums of all entity policies or procedures. The evidentiary documentation must be clear and pertinent—the auditor will not search for relevant documentation that may be contained within such compilations.
This is where having performed an appropriate risk analysis and assessment pays off, as having already organized the evidence and associated documentation makes responding to audit requests much less resource- and time-intensive. Another big benefit is that it makes passing audits much more likely.
MyCSF Compliance and Reporting Pack for HIPAA
The HITRUST CSF Assessment is the gold standard for information assurance reports. It is commonly used by organizations that need to comply with HIPAA and has been successfully used to demonstrate compliance during OCR audits. It also provides many advantages over other assessment reports as it offers Rely-Ability, something most other assurance reports can’t deliver, yet is so important for a report to be relied upon—including during an OCR audit. That’s not the topic of this blog, but something worth understanding, and more information can be found here.
In the HITRUST MyCSF, our innovative SaaS platform, the Compliance and Reporting Pack for HIPAA collects specific information during the HITRUST CSF Assessment process that is needed to comply with HIPAA and regularly requested during audits or investigations. The information is already collected as part of the HITRUST CSF Assessment, and MyCSF automatically compiles evidence from your assessment and streamlines your audit by:
- Generating a report, formatted by HIPAA control, that maps the applicable HIPAA requirements to your HITRUST CSF Assessment,
- Providing only the evidence that the OCR is requesting, and
- Mapping each requirement to your corresponding policies and evidence for submission to the OCR.
This feature is a game-changer because it saves countless hours in gathering information and preparing reports associated with an OCR audit. The MyCSF Compliance and Reporting Pack for HIPAA will be available in the next release of MyCSF, scheduled for mid-August 2021.
HITRUST Can Help!
We encourage existing MyCSF subscribers to take advantage of HITRUST resources to address HIPAA compliance requirements by reaching out to their HITRUST Customer Success Manager. For more information:
Make sure to visit HITRUST Booth #7401 at the HIMSS Global Health Conference & Exhibition in Las Vegas, August 9-13, 2021!