HITRUST collaborates with Microsoft and customers and partners to pilot new global healthcare compliance reporting capabilities
CHICAGO - April 18, 2023- HITRUST, the information risk management, standards, and certification body, today announced its global compliance reporting program, called Compliance Insights. The program is designed to streamline organizations’ compliance reporting and support Microsoft’s Global Healthcare Compliance Scale Initiative, created with healthcare partners and customers to accelerate compliance, solution adoption, and time-to-value globally.
Healthcare compliance concerns often impede solution adoption globally. HITRUST will make available a HIPAA Compliance Insights Report to HITRUST customers who complete assessments using versions 9.5 and later of the HITRUST CSF. It also identifies compliance requirements that are met by Microsoft and partners through shared responsibilities and inheritance, and any remaining requirements that are the healthcare organization’s responsibility. This helps alleviate compliance concerns and accelerate healthcare solution adoption.
HITRUST and Microsoft partners and customers joined a pilot program to preview the approach and initial Compliance Insights Report, specific to HIPAA, and to provide feedback on these as well as other authoritative sources to incorporate into HITRUST’s product roadmap for future compliance reporting capabilities both across the US and globally.
HITRUST’s Compliance Insights Report will deliver a context-rich assessment in a clear and concise format that allows assessed entities to more easily understand and communicate their state of compliance with a standard or regulation, as well as identify controls that can be inherited from Microsoft and other inheritance partners to improve security and compliance. Reports may be shared with relying parties to demonstrate compliance or help organizations prepare to meet compliance requirements.
The Compliance Insights capability further builds on the HITRUST promise to enable organizations to ‘Assess Once, Report Many’ by creating a standardized process and report templates for compliance information across multiple industries and geographies, allowing customers to quickly and easily produce security and compliance reports based on their HITRUST assessments. Customers can expand this approach globally and into other markets with a repeatable process to demonstrate proof of compliance. Such an approach will help streamline compliance efforts, improve clarity on compliance requirements to help alleviate concerns, and accelerate solution adoption.
During the pilot, organizations have voiced their prioritization needs for other compliance reporting requirements. HITRUST will deliver Compliance Insight Reports for PHIPA and GDPR next.
“Compliance concerns are often the biggest hurdle to healthcare solution adoption. With HITRUST’s HIPAA Compliance Insights Report, HITRUST and Microsoft partners and customers will be able to take advantage of a new, standardized process that provides clarity to compliance requirements and allows organizations to report their compliance information globally to accelerate solution adoption.” – Blake Sutherland, Executive Vice President, Market Engagement, HITRUST
“Overall, the program appears to be well designed and provides immense value to organizations that are required to satisfy HIPAA Compliance. We are looking forward to this service to include other major authoritative sources.” - A-LIGN
“Any opportunity for requirement-level inheritance is a major benefit to us. The HIPAA Compliance Insights Report clarifies requirements that are already met by Teladoc Health, Microsoft or other partners. This can be especially helpful when doing business across multiple countries.” - Teladoc Health
“The HIPAA Compliance Insights Report provides thorough details and accurate descriptions of the HIPAA regulatory requirements. The language sufficiently outlines the scoping dependencies that can impact regulatory compliance requirements. This is very important given there is often client confusion on what the HITRUST certification covers from a regulatory perspective.” – Coalfire
"As an external assessor for HITRUST assessments, the HIPAA Compliance Insights Report is a value-add service for our customers seeking HITRUST certification while leveraging the shared responsibility provided by vendors such as Microsoft.” - Schellman
“The HIPAA Compliance Insights Report brings clarity in terms of HIPAA regulatory requirements and provides an itemized list of criteria under HIPAA security rules. The report makes it clear the unmet requirements and responsibilities organizations need to meet full compliance.” - Smile Digital Health
"Compliance concerns can impede healthcare solution adoption globally. The Compliance Insights capability aligns with the Microsoft Global Healthcare Compliance Scale Initiative and brings clarity to compliance with local regulations, data protection laws, and privacy & security standards, alleviating compliance concerns, and enabling accelerated healthcare solution adoption and time-to-value globally.” – David Houlding, Director, Global Healthcare Business Strategy, Microsoft
HITRUST created and maintains the HITRUST CSF, a certifiable framework to help healthcare organizations and their partners demonstrate their security and compliance in a consistent and streamlined manner. HITRUST has mapped the CSF to 50+ authoritative sources worldwide, and the new Compliance Insights capability leverages the CSF and these mappings to enable HITRUST assessment results to be projected into local authoritative sources. HITRUST Certification is used across Microsoft Azure, Microsoft Dynamics 365, Microsoft 365, and the Microsoft Power Platform and their ecosystem of partners and healthcare organization.
The HITRUST Shared Responsibility and Inheritance Program allows organizations to place reliance on shared information protection controls that are available from internal shared IT services and external third-party organizations, including service providers, vendors, and suppliers of cloud-enabled applications and technology platforms (SaaS and IaaS/PaaS), colocation (colo) data center hosting services, and other managed services.
The Compliance Insights Report for HIPAA can be used in conjunction with the HITRUST HIPAA Compliance Pack, which organizes and assembles needed documentation in support of a HIPAA audit.
For more information about the HITRUST Shared Responsibility and Inheritance Program and to learn how your organization can manage cyber risk more effectively visit https://hitrustalliance.net/hitrust-srm-inheritance-program/