HIPAA, HHS OCR, and HITRUST | How do they all fit together

Date: December 29, 2017

Written by HITRUST Independent Security Journalist Sean Martin. 

The regulatory and standards environment is complex, even though it is designed to raise the level of an organization’s security posture, and many organizations find that figuring out which assessments, actions, controls, audits, and reports are required can be a daunting and confusing venture.

As one example, there is often a misunderstanding about what is required to meet the HIPAA requirements from the perspective of the Department of Health and Human Services’ Office for Civil Rights (OCR).

In one particular case, we saw a tweet from Charlotte Tschider from Cyber Simple Security, where she accurately points out that:

“The HITRUST certification, although valuable and a great framework, has not been approved by @HHSGov as default covering #HIPAA obligations. This is a misconception by companies pursuing HITRUST; you still have to demonstrate compliance during an OCR audit.”

In the spirit of helping to clarify what’s required from the OCR, Charlotte is correct in that the OCR does not endorse any credentialing or accreditation program, including their own: NIST. However, this should not deter organizations looking for the best possible way to address their compliance requirements, evaluate their information security posture, and manage information risk.

To further this point, we can reference the article “How Texas is Boosting HIPAA Compliance” by Marianne Kolbasuk McGee (@HealthInfoSec), in which an OCR spokeswoman told Information Security Media Group: “While OCR does not endorse any particular credentialing or accreditation program, we certainly encourage covered entities and business associates to build strong compliance programs internally. Many of these credentialing/accreditation programs can help them do so.”

The spokeswoman further added: “OCR considers mitigation and aggravating factors when determining the amount of a civil monetary penalty, and these include the entity’s history of prior compliance. An entity with a strong compliance program in place, with the help of a credentialing/accreditation program or on its own, would have that taken into account when determining past compliance.”

As a standards organization, HITRUST® has spent the last ten years integrating and harmonizing regulatory requirements (such as HIPAA), industry and government standards (such as NIST), and other related best practices to help organizations address their information security risk management and compliance requirements. This, of course, includes the HIPAA risk analysis requirement.

In fact, the HITRUST CSF is the leading controls standard in the healthcare industry (HIMSS survey). When coupled with its robust assessment and assurance program, HITRUST can help organizations build the strong HIPAA compliance program OCR is looking for when conducting an audit or investigation.

HITRUST is an organization driven to help the healthcare industry deliver better patient care through improved and streamlined risk management and compliance processes. Its framework and assurance methodology have been defined and built, and continue to be updated, to meet the requirements and to give organizations the documentation to support an OCR audit. This is demonstrated by the thousands of assessments completed and the use of the HITRUST CSF by both state and federal regulators.

So, while the OCR does apply additional requirements to fulfill the letter of the law for HIPAA, HITRUST provides the substantiation that an organization can use to support their full HIPAA compliance. Our ultimate goal is to bring these efficiencies beyond HIPAA, enabling organizations to apply a single framework with a single assessment to multiple standards and regulations, and to further raise the bar in terms of managing their cyber and information risk.
