Published on: August 22, 2014
By: Kurt Hagerman
When it comes to compliance for healthcare IT, the go-to word on everyone’s tongue is HIPAA. Technologies keep evolving, compliance keeps getting more complex, and healthcare IT workers can get lost trying to manage the security requirements needed to meet compliance standards from federal and state agencies. Given that the compliance rule book comes from HIPAA, it’s no surprise that this is where teams turn for prescriptive guidance. Yet HIPAA guidelines can be so vague that many teams are unsure of what constitutes “reasonable and appropriate” protections.
As a result, they sometimes fail to implement the right controls or go too far in the other direction, investing in unnecessary safeguards. While HIPAA allows organizations to factor in their own size, complexity, and capabilities, this flexibility doesn’t provide additional clarity; it only muddies the water further.
Does this sound familiar? If so, I’d like to suggest that you consider the benefits of the HITRUST Common Security Framework (CSF). As a trustworthy benchmark, HITRUST lets teams effectively manage and assess their own compliance efforts. Founded on the expertise and best practices of leading healthcare IT experts, the HITRUST CSF offers a defined set of controls and standardized guidance that ultimately simplifies compliance. In doing so, it can eliminate the inconsistencies so common in healthcare compliance.
Let me be clear: HIPAA is still the king of healthcare compliance. But the HITRUST CSF can be used as a clear, industry-managed approach to meeting HIPAA requirements for the Security and Breach Notification rules. Here’s how it works. The HITRUST CSF translates HIPAA and HITECH requirements into an actionable roadmap that is cross-referenced to other security and data privacy regulations. In this way, organizations can develop one set of controls to manage compliance across a broad range of regulatory requirements. Their risk is reduced, and so are their compliance complexity and cost. It’s one simplified compliance process that covers a range of needs.
Consider everything the CSF does:
- Simplifies HIPAA compliance
- Scales according to your organization’s size, type and complexity
- Provides clear and prescriptive guidance
- Incorporates existing, globally recognized standards such as HIPAA, NIST, ISO, PCI, FTC Red Flag and COBIT
- Evolves according to changes in the healthcare industry and the regulatory environment
Finally, there’s the benefit of a HITRUST certification. Because no formal HIPAA certification exists, it’s simply not possible to claim that you’ve been verified as “certified HIPAA-compliant.” HITRUST, however, offers a third-party assessment that can attest that your organization has met the relevant requirements within the CSF.
The consolidated controls view from the CSF provides visibility into the overlap among the controls required by multiple regulations, which empowers you to demonstrate how your controls program meets the combined requirements. That means a single assessment allows you to generate multiple reports addressing multiple legislative, regulatory or best-practice frameworks such as HIPAA, PCI or NIST. This can be a colossal help when it comes to saving time and money on audits.
Another benefit: the added luster to your brand reputation. Given the all-too-frequent breach stories in the news, patients are more than aware of cybercrime. These days they’re often cynical when it comes to promises to protect their data. Yet a third-party certification can lend your organization a new credibility. Becoming HITRUST CSF certified allows your team to rightfully proclaim its own compliance and security – a competitive advantage in this insecure age – and ideally spend more time focusing on projects that optimize patient care. That’s a goal every healthcare organization can get behind.